Dr.Web Security Space - FTP Directory Listing

Contents

1. Options Dr.Web Anti-virus page. For Microsoft Outlook 2010, in the Files Options Add-ins section, select Dr.Web for Microsoft Outlook, click the Add-in Options button, and click Spam filter. The Spam filter window opens. The Spam filter window is available only for users with administrative privileges. For Windows Vista and later operating systems, after clicking Spam filter: • If UAC is enabled: administrator is requested to confirm program actions; user without administrative privileges is requested to enter system administrator credentials. • If UAC is disabled: administrator can change program settings; user does not have the permission to change program settings. Spam Filter Settings. To configure spam filtering settings, do any of the following actions: • To run spam checks, select the Check for spam check box. • You can enable addition of special text to the spam message header by selecting the Add prefix to message header check box. Text of the added prefix is specified to the right of the check box. The default prefix is SPAM. The checked messages can be marked as read in the message options. To mark messages as read on spam check, select the Mark message as read check box. • You can also configure black and white lists for message filtering. If spam filter defines certain messages incorrectly, you are advised to forward such messages to your special email addresses for analysis an
2. help: Show a short help message on how to use the program. • v, verbosity arg: Log level. Can be one of following: error standard info extended debug. • d, data dir arg: Directory where repository and settings are located. • log dir arg: Directory for storing the log file. • log file arg (dwupdater.log): Log file name. • r, repo dir arg: Repository directory (<data_dir> repo by default). • t, trace: Enable tracing. • c, command arg (update): Command to execute: getversions, getcomponents, init, update, uninstall, exec, keyupdate, and download. • z, zone arg: Zones that are to be used instead of those specified in the configuration file. init command parameters: • s, version arg: Version name. • p, product arg: Product name. • a, path arg: Product directory path. This folder will be used as the default directory for all components included in the product. Dr.Web Updater will search for a key file in this directory. • n, component arg: Component name and installation folder specified as follows: <name> <install path>. • u, user arg: Username for proxy server. • k, password arg: Password for proxy server. • g, proxy arg: Proxy server for updating (<address> <port>). • e, exclude arg: Component name that will be excluded from the product during installation. update command parameters: p product arg n com
3. show packer name. Option is disabled by default. • SPS: display scan progress on the screen. Option is enabled by default. For Console Scanner only. • SST: display object scan time. Option is disabled by default. • TB: scan boot sectors, including master boot record (MBR) of the hard drive. • TM: scan processes in memory, including Windows system control area. • TR: scan system restore points. • W <sec>: maximum time to scan (sec). By default, unlimited. • WCL: drwebwcl compatible output. For Console Scanner only. • X S R: Set one of the following states for the computer to enter once scanning is complete: Shutdown, Reboot, Suspend, Hibernate. The following actions can be specified for different objects: C (cure), Q (move to quarantine), D (delete), I (ignore), R (inform). R is available for Console Scanner only. R is set by default for all objects in Console Scanner. • AAD <action>: action for adware (possible: DQIR). • AAR <action>: action for infected archives (possible: DQIR). • ACN <action>: action for infected installation packages (possible: DQIR). • ADL <action>: action for dialers (possible: DQIR). • AHT <action>: action for hacktools (possible: DQIR). • AIC <action>: action for incurable files (possible: DQR). • AIN <action>: action for infected files (possible: CDQR). • AJK <action>: action
4. number of scanned, infected and suspicious objects, actions performed and so on. Settings: Opens a window with access to the main settings, protection components settings, Parental Control settings, and exclusions. To access the component settings and open your personal webpage My Dr.Web, you also need to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. If you forgot your password for the product settings, contact technical support. Help: Opens the help file. 5. Getting Started. 5.1. Testing the Anti-virus. The EICAR (European Institute for Computer Anti-Virus Research) test file helps testing performance of anti-virus programs that detect viruses using signature analysis. For this purpose, most of the anti-virus software vendors generally use a standard test.com program. This program was designed specially so that users could test reaction of newly installed anti-virus tools to virus detection without compromising security of their computers. Although the test.com program is not actually a virus, it is treated by the majority of anti-viruses as if it were a virus. On detection of this virus, Dr.Web Security Space reports the following: EICAR Test File (Not a Virus). Other anti-virus tools alert users in a similar way. The test.com program is a 68-byte COM file that prints the following line on the console when executed: EICAR
5. 1. Introduction. 1.3. Detection Methods. Doctor Web anti-virus solutions use several malicious software detection methods simultaneously, which allows them to perform thorough checks on suspicious files and control software behavior. Signature analysis: The scans begin with signature analysis, which is performed by comparison of file code segments to the known virus signatures. A signature is a finite continuous sequence of bytes which is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, Dr.Web anti-virus solutions use signature checksums instead of complete signature sequences. Checksums uniquely identify signatures, which preserves correctness of virus detection and neutralization. Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses, but whole classes of threats. Origins Tracing: On completion of signature analysis, Dr.Web anti-virus solutions use the unique Origins Tracing method to detect new and modified viruses that use the known infection mechanisms. Thus, Dr.Web users are protected against such threats as notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detection of new and modified viruses, the Origins Tracing mechanism allows to considerably reduce the number of false triggering of the heuristic analyzer. Objects detected using the Origins Tracing algorithm are indicated with the O
6. 1. Select the No restrictions mode or a user profile from the list. 2. Edit the table as necessary. 3. Click. 4. Enter a name for the created profile and click OK. Specifying time intervals: If you want to specify the total number of hours when the user is allowed to work on the computer, select the Interval time limit option. Please note that this mode does not allow to set time limits on Internet use. In this mode, you can set time limits on computer use during the following periods: • From Monday till Friday • Saturday and Sunday. You can also restrict a user from accessing the computer during the night time period regardless of the total number of hours when access is allowed. This option allows you to let your child manage the time spent working on the computer during the day by themselves. Setting time limits for using the computer or the Internet automatically enables the Block changing of system date and time option on the Self-protection page of the main settings. Files and Folders: By default, the No restrictions mode is set for all users. To configure restriction parameters, enable the appropriate option and click Objects. To add an object to the list, click and select a file or a folder. By default, an added object will become read-only. To block access to the selected object completely, click the restriction and select Blocked from the drop-down list. To remov
7. By default, SpIDer Gate blocks suspicious programs, adware, and dialers. Objects to block: SpIDer Gate can block malformed or not checked objects. This option is disabled by default. Advanced settings: You can configure scans of archive and installation packages. By default, all malicious programs are blocked and scanning of archives and installation packages is disabled. You can also adjust Scan priority, which determines distribution of resources depending on traffic scanning priority. Internet connection speed decreases when SpIDer Gate operates with lower priority, since the monitor has to wait longer for downloading and scans larger portions of data. When you increase the priority, SpIDer Gate starts scanning data more often, thus increasing speed of your Internet connection. However, frequent scans also increase processor load. You can select the type of HTTP traffic to check. By default, only incoming traffic is scanned. At that, the specified actions, the white list, and the list of excluded applications also have an effect. 13.3. SpIDer Mail. SpIDer Mail is an anti-virus mail scanner that installs by default and monitors data exchange between mail clients and mail servers made via POP3, SMTP, IMAP4, or NNTP (IMAP4 stands for IMAPv4rev1) protocols. The default SpIDer Mail settings are optimal for beginners, provide m
8. Click the Select files and directories link to specify the objects for which protected copies will be created. You may change the objects list at any time. You may also specify the disk to store copies and the frequency of creating copies. After the chosen interval, Dr.Web will inspect the specified objects for changes and create a copy if any changes have been made. You may also delete copies to free up some disk space (deleting the copies will not affect the original files) and block creating copies while working in battery mode. If your files were corrupted, you can restore their copies created by a certain date. To do that, click the Restore button in the main window. In the window displayed, select the required date, and all copies that were available for the date will be restored to the specified folder. To start creation of protected copies manually, click the Create copy button in the main window. In the window displayed, specify the description for the new copy. To create protected copies, you need to have minimum 5 GB free disk space on the disk that is selected for storing protected copies. 6.3. Anti-virus Network. This section allows to manage version 11.0 of Dr.Web Anti-virus for Windows, Dr.Web Anti-virus for Windows Servers, or Dr.Web Security Space on other computers of your network. To access Dr.Web remote contro
9. In most cases, the infected file becomes a virus carrier itself, and the injected code does not necessarily match the original one. The majority of viruses are created with a purpose to damage or destroy data in the system. Doctor Web divides viruses by the type of objects they infect into the following categories: • File viruses infect operating system files (usually executable files and dynamic-link libraries) and are activated when an infected file is run. • Macro viruses infect documents used by Microsoft Office or other programs supporting macro commands (usually written in Visual Basic). Macro commands are a type of built-in programs (macros) that are written in a fully functional programming language and can be launched under specific circumstances (for example, in Microsoft Word macros can be activated upon opening, closing, or saving a document). • Script viruses are created using script languages, and mostly they infect other scripts (such as OS service files). By exploiting vulnerable scripts in web applications, they can also infect other file types that support script execution. • Boot viruses infect boot sectors of disks and partitions or master boot records of hard disks. They require little memory and can perform their tasks until the operating system is rolled out, restarted, or shut down. Most viruses have special mechanisms that protect them against detection. These mec
10. In the open window, fill in the required fields: • SMTP server: Specify the outgoing SMTP server for Dr.Web to use when sending email notifications. • Port: Enter the port for Dr.Web to use when connecting to the mail server. • Login: Enter the login for Dr.Web to use when connecting to the mail server. • Password: Enter the password for the login to be used when connecting to the mail server. • Use SSL/TLS: Select this check box to use SSL/TLS encryption when sending messages. • NTLM authentication: Select this check box to use NTLM authentication when connecting to the mail server. 6. Click Send a test message if you want to make sure that all the details are specified correctly. The message is forwarded to the email address that will be used to send notifications. 7. Click Next. 8. Enter the confirmation code that was sent to the email address specified at step 3. If you do not receive the message within 10 minutes, click Send the code again. If you do not enter the code, notifications to this email address will not be sent. Notification parameters: 1. Click Notification parameters. The window listing available notifications opens. 2. Select types of notifications that you want to receive and select the corresponding check boxes. To display pop-up notifications, select the check boxes in the Desktop column. To receive mail notifications, select the check boxes in the Email column. If necessary, configure a
11. Only incoming traffic is checked. By default, this option is enabled. Links transmitted in messages are checked according to SpIDer Gate settings: links to the websites known as infection sources are blocked automatically; links to the websites that are not recommended for visiting or to URLs specified on a notice from copyright owners are blocked only if the corresponding options are enabled on the Actions page. At that, the white list and the list of excluded applications also have an effect. Files transmitted via instant messaging clients are also checked. When a threat is detected, file transmission is blocked if the corresponding option is enabled on the Block programs page. Viruses are blocked automatically if the Check traffic in IM clients option is enabled. Blocking parameters: In the Blocking parameters group, you can enable automatic blocking of URLs listed due to a notice from copyright owners (enable the corresponding option) and blocking of unreliable websites (enable the Block non-recommended websites option). On the Exclusions page, you can specify websites access to which must be allowed regardless of other restrictions. By default, SpIDer Gate blocks access to websites known as infection sources. At that, applications from the exclusion list are not blocked. Programs to block: By default, SpIDer Gate detects and blocks the following malicious programs: • Suspicious • Riskware • Dialers • Hacktools • Adware • Jokes
12. incompatibility between Dr.Web and another anti-virus product and offers to remove it. Before the installation starts, the Wizard checks if the installation file is the latest one. If a newer installation file exists, you will be offered to download it before the installation. 2. At this step, you are prompted to connect to Dr.Web cloud services that allow anti-virus components to use the newest information, which is stored and updated on Doctor Web servers. This option is enabled by default. You can also specify whether Dr.Web Firewall should be installed or not. To select components you want to install, specify the installation path, and configure other settings, click Installation parameters. The option is meant for experienced users. If you want to use default installation settings, go to step 4. a. On the first tab, you can specify the components you want to install. b. On the second tab, you can change the inst
13. objects • Objects that pose potential threat (riskware). Reaction of SpIDer Guard to detection of various malicious software is also set separately. Set of actions available for the selection depends on the type of the virus event. By default, SpIDer Guard attempts to cure infected and supposedly curable files, moves other most dangerous objects to Quarantine, and ignores minor threats such as jokes, hacktools, and riskware. The reactions of SpIDer Guard are similar to those of Dr.Web Scanner. You can select one of the following actions for detected threats: • Cure, move to quarantine if not cured: Instructs to restore the original state of the object before infection. If the object is incurable, or the attempt of curing fails, this object is moved to quarantine. The action is available only for objects infected with a known virus that can be cured, except for Trojan programs and files within complex objects. • Cure, delete if not cured: Instructs to restore the original state of the object before infection. If the object is incurable, or the attempt of curing fails, this object is deleted. The action is available only for objects infected with a known virus that can be cured, except for Trojan programs and files within complex objects. • Delete: Instructs to delete the object. This action is not available for boot sectors. No action is performed on malicious objects for which you selected this action if they are detected in a boot sector. • Move
14. 6.5. Support. This section provides information on the product version, components, the last update date, and the useful links that may help you to resolve issues or solve problems encountered while using Dr.Web. (Screenshot: About Dr.Web Security Space, Version 11.0, last update 25.09.2015.) In case of questions, we recommend using the following tools: • My Dr.Web: Opens your personal webpage on the Doctor Web official website. This page provides you with information on your license, including usage period and serial number, allows to renew the license, contact technical support, and so on. • Tips: Opens tips on working with Dr.Web. • Dr.Web forum: Opens Dr.Web forum at http://forum.drweb.com. • Report for technical support: Launches the wizard that will help you to create a report containing important information on your system configuration and computer working. If you have not found a solution for the problem, you can request direct assistance from Doctor Web technical support by filling in the web form in the corresponding section of the support site at http://support.drweb.com. For regional office
15. Access control on the application level • Filtration of packets on the network level • Fast selection of rule sets • Event logging. 13.5.1. Training Firewall. Once installation completes, Firewall starts learning by intercepting all connection attempts from your operating system or user applications. If no filtering rules have been set for the program, Firewall prompts you to select the necessary action. When running under limited user account (Guest), Dr.Web Firewall does not display notifications on network access attempts. Notifications are shown for the session with administrator privileges if such session is simultaneously active. Application Rules: 1. To make a decision, consider the following information displayed in the notification: • Application: The name of the application. Ensure that the path to the application executable specified in the Application path entry field corresponds to the file location. • Application path: The full path to the application executable file and its name. • Digital signature: Digital signature of the application. • Address: The used protocol and network address to which the application is trying to connect. • Port: The network port used for the connection attempt. • Direction: The direction of the connection. 2. Once you make a decision, select an appropriate action: • To block this connection once, select Block once. • To allow this connection once, select Allow once. • To open a window where you can create a new ap
16. Dr.Web to update parameters such as components that should be updated, an updating source, update period, proxy server, and update mirror. General update settings. Update frequency: Specify the frequency to check for updates. The default value (30 minutes) is optimal to keep information on threats up to date. To select an update source, click Change. In the open window, select one of the following update sources: • Internet (recommended): updates are to be downloaded from Doctor Web servers. • Local or network folder: update from local or network folder where updates have been copied. To specify the path to the folder, click Browse and select the required folder, or enter the address manually. Enter the user name and password if necessary. • Anti-virus Network: updates are to be downloaded from a local network computer if Dr.Web product is installed and update mirror is created on it. If you want to download updates via a secure protocol, select the Use HTTPS connection check box. To configure additional settings Updating components: You can choose one of the following ways of downloading the update: • All (recommended), when updates are downloaded both for Dr.Web virus datab
17. Self-protection: The Enable Self-protection option allows to protect Dr.Web files and processes from unauthorized access. It is not recommended to disable Self-protection. If any problems occur during operation of defragmentation programs, disable self-protection temporarily. To rollback to a system restore point, disable self-protection. The Block user activity emulation option allows to prevent any automatic changes in Dr.Web operation, including execution of scripts that emulate user interaction with Dr.Web and are launched by the user. The Enable hardware virtualization option allows to take full advantage of computer resources, which makes detection and curing of threats easier and enhances self-protection of Dr.Web. This option is available if your computer's hardware and operating system support it. To enable this option, restart the computer. Date and time: The Block changing of system date and time option allows to prevent manual and automatic changes of the system date and time as well as of the time zone. This restriction is set for all system users. The option can improve performa
18. For Scanner only. • AC: scan installation packages. Option is enabled by default. • AFS: use forward slash to separate paths in an archive. Option is disabled by default. • AR: scan archives. Option is enabled by default. • ARC <compression_ratio>: maximum compression level. If the compression ratio of the archive exceeds the limit, Scanner neither unpacks nor scans the archive. By default, unlimited. • ARL <nesting_level>: maximum archive nesting level. By default, unlimited. • ARS <size>: maximum archive size (in KB). By default, unlimited. • ART <size>: minimum size of a file inside an archive beginning from which compression ratio check is performed (in KB). By default, unlimited. • ARX <size>: maximum size of a file inside an archive that is scanned (in KB). By default, unlimited. • CUSTOM: perform a custom scan. If additional parameters are set (for example, objects to be scanned or TM and TB parameters), only the specified objects will be scanned. For Scanner only. • UJ: show information on virus databases. Option is enabled by default. • DR: scan folders recursively (scan subfolders). Option is enabled by default. • <number_of_threads>: perform scanning in specified number of threads. • FAST: perform an express scan of the system. If additional parameters are set (for example, objects to be scanned or TM and TB parameters), the specified objects will also
19. STANDARD ANTIVIRUS TEST FILE. The test.com file contains the following character string only: X50 PS AP 4 PZX54 P 7CC 7 SEICAR STANDARD ANTIVIRUS TEST FILE H H. To make your own test file with the virus, create a new file with this line and save it as test.com. When you attempt to execute an EICAR file while SpIDer Guard is running in the Optimal mode, the operation is not terminated and the file is not processed as malicious, since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, it will be detected by SpIDer Guard and moved to Quarantine by default. 6. Tools. 6.1. License Manager. In this window, you can view all Dr.Web licenses for your computer. You can also modify the current license, renew it, or purchase a new license and activate it. To view information on a license that is not currently in use, select it from the drop-down list. In the administrator mode, click to delete the selec
20. and Windows 8.1, open Control Panel in any convenient way (for example, right-click the bottom left corner and select the Control Panel item in the shortcut menu). According to the selected View option for the Control Panel, click: • Small/large icons: Programs and Features. • Category: Programs, Uninstall a program. 2. In the open window, select the program. To delete the program completely, click Uninstall and go to step 6. To change the configuration of Dr.Web by adding or removing certain components, click Change. The window of the Installation Wizard opens. To restore anti-virus protection on your computer, select Restore program. 3. To change the Dr.Web configuration, click Change components. In the open window, select check boxes of the components you want to add and clear check boxes of the components you want to remove. When you finish adjusting the component set, click Install. When removing components of Dr.Web, the Disabling self-protection window opens. Enter the displayed confirmation code and click Install. 4. To delete all installed components, select Remove program. 5. In the Parameters window, select check boxes of those co
21. applications from being monitored. By default, SpIDer Gate blocks all incoming malicious objects. URL filtering of malicious and unreliable websites is also enabled by default. You can also connect to Doctor Web cloud services that allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. SpIDer Gate resides in the main memory of the computer and automatically launches upon Windows startup. 13.2.1. Configuring SpIDer Gate. To access SpIDer Gate settings, you are prompted to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. The default settings are optimal for most cases. Do not change them unnecessarily. Check traffic in IM clients: In the Scan options group, you can enable checking of URLs and data transmitted by instant messaging clients (Mail.RU Agent, ICQ, and Jabber clients).
22. be scanned. For Scanner only. • FL <file_name>: scan paths listed in the specified file. • EM <mask>: scan files matching the specified mask. By default, all files are scanned. • ER <regexpr>: scan files matching the specified regular expression. By default, all files are scanned. • FULL: perform a full scan of all hard drives and removable data carriers (including boot sectors). If additional parameters are set (for example, objects to be scanned or TM and TB parameters), an express scan will be performed and the specified objects will be scanned. For Scanner only. • FX <mask>: exclude from scanning files that match the specified mask. For Console Scanner only. • Hor: show brief help. For Console Scanner only. • HA: use heuristic analysis to detect unknown threats. Option is enabled by default. • KEY <key_file>: specify a path to the key file. It is necessary to use this parameter if your key file is stored outside of the installation folder where the scanner executables reside. By default, drweb32.key or another suitable file from the C:\Program Files\DrWeb folder is used. • LITE: perform a basic scan of random access memory and boot sectors of all disks, as well as run a scan for rootkits. For Scanner only. • LN: resolve shell links. Option is disabled by default. • LS: scan using LocalSystem account right
23. checks whether filtering rules have been created for the application. If there are no filtering rules, you are prompted to select a temporary solution or create a rule to be applied each time this type of connection is detected. Block unknown connections: In this mode, Firewall automatically blocks all unknown connections to network resources, including the Internet. When a user application or the operating system attempts to connect to a network, Firewall checks whether filtering rules have been created for the application. If there are no filtering rules, Firewall blocks network access for the application without displaying any notification to the user. If filtering rules for the application are set, Firewall processes the connection according to the specified actions. Allow unknown connections: In this mode, Firewall allows all unknown applications for which filtering rules have not been set to access network resources, including the Internet. No notification on access attempt is displayed by Firewall. Settings for Applications: Application-level filtering helps you to control access of various applications and processes to network resources, as well as enable or disable applications to run other processes. You can create rules for both system and user applications. Firewall allows you to create no more than one set of rules per each application. This page lists all applicati
24. common part of object names, at that: • The asterisk character replaces any, possibly empty, sequence of characters. • The question mark replaces any character (one). • Other mask characters do not replace anything and mean that in this place the name must contain this particular character. Examples: • C folder or C folder excludes from scanning all files stored in C folder. The files stored within subfolders will be scanned. • C folder excludes all files located in C folder and its subfolders. • C folder txt excludes all txt files stored in C folder. The txt files stored within subfolders will be scanned. • C folder txt excludes all txt files stored in the first level subfolders of C folder. • C folder txt excludes all txt files stored in subfolders of any level within C folder. The files stored in C folder itself (including txt files) will be still scanned. Managing listed objects: Click to access the following options: • Export: allows to save the created list of exclusions to be used on another computer where Dr.Web is installed. • Import: allows to use the list of exclusions created on another computer. • Clear all: allows to remove all objects from the list of exclusions. 12.3. Applications. You can specify a list of programs and processes to be excluded from scanning by SpIDer Guard, SpIDer Gate, a
25. displays in the table where you can manually select a necessary action. You can apply default actions to all detected threats or select the required reaction to a certain object. The default settings are optimal for most cases. However, if necessary, you can modify the suggested actions in the Dr.Web Scanner settings window. Please note that you can specify a custom action for each detected threat after the scan is complete, but common reaction for a particular threat type should be configured beforehand. You can also connect to Doctor Web cloud services that allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. 8.1 Scan Modes. To select the scan mode: It is recommended to run Scanner under an account with administrative privileges. Otherwise, all folders and files that are not accessible to unprivileged user, including system folder, are not scanned. 1. Click the SpIDer Agent icon and select Scanner. The menu of quick access to different scan modes opens. 2. Click the Custom item to scan only selected objects. The Dr.Web Scanner window opens. 3. Click the Express or Full item to run the corresponding scan mode. To launch Scanner with default settings to scan a certain file or folder, select Check with Dr.Web. Scan mode: Express: Scan of critical system objects. Full: Scan of all f
26. drop-down list select the required level of protection. Prevent unauthorized code from being executed: If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be blocked automatically. Interactive mode: If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, Dr.Web will display an appropriate message. Read the information and select a suitable action. Allow unauthorized code to be executed: If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be allowed automatically. Applications. Appendix A. Command Line Parameters. Additional command line parameters (switches) are used to set parameters for programs which can be launched by opening an executable file. This relates to Dr.Web Scanner, Console Scanner and Dr.Web Updater. The switches can set parameters that are either not present in the configuration file or have a higher priority than those specified in the file. Switches begin with the forward slash character and are separated by spaces as other command line parameters. The switches are listed alphabetically. Scanner and Console Scanner Parameters: AA apply actions to detected threats automatically
27. email attachments. To configure virus check of email attachments and to specify program actions for detected malicious objects, in the Microsoft Outlook mail application, in the Tools Options Dr.Web Anti-virus page (for Microsoft Outlook 2010, in the Files Options Add-ins section select Dr.Web for Microsoft Outlook, then click the Add-in Options button) and click Check attachments. The Check attachments window is available only for users with administrative privileges. For Windows Vista and later operating systems, after clicking Check attachments: • If UAC is enabled: administrator is requested to confirm program actions; user without administrative privileges is requested to enter system administrator credentials. • If UAC is disabled: administrator can change program settings; user does not have the permission to change program settings. In the Check attachments window, specify actions for different types of checked objects and also for the check failure. You can also enable/disable check of archives. To set actions to be applied on threat detection, use the following options: • The Infected drop-down list sets the reaction to the detection of a file infected with a known and (presumably) curable virus. • The Not cured drop-down list sets the reaction to the detection of a file infected with a known incurable virus (and in case an attempt to cure a file failed). • The Suspicious drop-down list sets the reaction to the de
28. for jokes (possible DQIR) • AML <action> action for infected mail files (possible QIR) • ARW <action> action for riskware (possible DQIR) • ASU <action> action for suspicious files (possible DQIR). Several switches can have modifiers that explicitly enable or disable options specified by these switches. For example, as follows: AC option is clearly disabled AC ACt option is clearly enabled. These modifiers can be useful if the option was enabled or disabled by default or was set in the configuration file earlier. The following switches can have modifiers: AC AFS AR BI DR HA LN LS MA NB NT OK QNA REP SCC SCN SLS SEN ZSPS SST Th TM TR WCL. For FL parameter modifier directs to scan the paths listed in the specified file and then delete this file. For ARC ARL ARS ART ARX NI X PAL RPC W parameters, 0 value means that there is no limit. The following example shows how to use command line switches with Console Scanner: <path_to_program> dwscancl AR AIN C AIC Q C (scan all files on disk C, excluding those in archives; cure the infected files and move to quarantine those that cannot be cured). To run Scanner the same way, enter the dwscancl command name instead of dwscanner. Dr.Web Updater Command line Parameters. Common options: h
29. information visit the Doctor Web official website at http://company.drweb.com/contacts/moscow. 6.5.1 Report Wizard. When contacting Doctor Web technical support, you can generate a report on your operating system and Dr.Web operation. The report will be stored as an archive in the Doctor Web subfolder of the %USERPROFILE% folder. To generate a report, click the corresponding button. The report will include the following information: 1. Technical information about the operating system: General information about your computer; Running processes; Scheduled tasks; Services, drivers; Default browser; Installed applications; Policies; HOSTS file; DNS servers; System event log; System directories; Registry branches; Winsock providers; Network connections; Dr. Watson logs; Performance index. 2. Information about Dr.Web anti-virus solutions. 3. Information about the following plug-ins: Dr.Web for IBM Lotus Domino; Dr.Web for Kerio MailServer; Dr.Web for Kerio WinRoute. Information about Dr.Web anti-virus solutions is located in Event Viewer, in Application and Services Logs Doctor Web. 7 Update. The anti-virus solutions of Doctor Web use Dr.Web virus databases to detect malicious software. These databases contain details and signatures for all virus threats known at the moment of the product release. With the updates, Dr.Web receives information required to detect and block new viruses and som
30. may compromise computer security. Processes that are added to the exclusion list of SpIDer Guard are not monitored. To protect your data from modification, you can enable creation of protected copies that contain important data. The operating system uses the HOSTS file when connecting to the Internet. Changes to this file may indicate virus infection. Block applications from writing on disks by sectors while avoiding the file system. Block applications from loading new or unknown drivers. Other options allow protection of the following registry branches from modification (in the system profile as well as in all user profiles). Image File Execution Options: • Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. User Drivers: • Software\Microsoft\Windows NT\CurrentVersion\Drivers32 • Software\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers. Winlogon registry keys: • Software\Microsoft\Windows NT\CurrentVersion\Winlogon: Userinit, Shell, UIHost, System, Taskman, GinaDLL. Winlogon notifiers: • Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. Windows registry startup keys: • Software\Microsoft\Windows NT\CurrentVersion\Windows: AppInit_DLLs, LoadAppInit_DLLs, Load, Run, IconServiceLib. Executable file associations: • Software\Classes\.exe, .pif, .com, .bat, .cmd, .scr, .lnk (keys) • Software\Classes\exefile, piffile, comfile, batfi
31. processed as malicious since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, it will be detected by SpIDer Guard and moved to Quarantine by default. The Optimal mode is recommended for use after a thorough scan of all hard drives by Dr.Web Scanner has been performed. With this mode activated, SpIDer Guard prevents penetration of new viruses and other malicious objects via removable devices into your computer while preserving performance by omitting knowingly clean objects from repeated scans. The Paranoid mode ensures maximum protection but considerably reduces computer performance. In any mode, objects on removable media and network drives are scanned only if the corresponding options in the Additional tasks group are enabled. Operating system may register some removable devices as hard drives (for example, portable USB hard drives). Scan such devices with Dr.Web Scanner when you connect them to the computer. By default, files within archives and mailboxes are not scanned. This does not affect security of your computer when it is constantly protected by SpIDer Guard; it only delays the moment of detection. If a file within an archive or email attachment is infected, the malicious object will be detected and neutralized by SpIDer Guard immediately when you try to extract the archived files or download the attachment. Advanced settings: The settings of this group allow to specify
32. restrictions. Block all except websites from the white list: In this mode, you grant access to the websites from the white list only. Access to any other website is blocked. Safe search: In any mode except the No restrictions mode, you can enable the Safe search option to manage results of the search engines. This option allows to exclude unwanted webpages from search results. Time: On this page, you can set restrictions on time spent on the Internet or working on the computer. By default, no time limits on computer and Internet use are set. To set time limits: 1. Select days of week and time when the user is restricted from using the Internet and then mark the corresponding timeslots blue. • To mark one timeslot, click it once. • To mark several adjacent timeslots, click the first slot once and select the rest of required squares while holding down the mouse button. 2. Select days of week and time when the user is restricted from using the computer and then mark the corresponding timeslots red. • To mark one timeslot, double-click it. • To mark several adjacent timeslots, double-click the first one and select the rest of required timeslots while holding down the mouse button. You can also create different setting profiles for one user. This option allows you to easily switch between existing setting profiles; for example, you can set different time limits for the academic year and school holidays. To create a setting profile
33. such as Adobe Reader, Internet Explorer, Firefox, etc. Preventive Protection. At that, you can configure a separate protection mode for particular applications or configure a general mode whose settings will apply to all other processes. To configure the general mode, select it from the Operation mode list or click Change parameters of suspicious activity blocking. As a result of the second action, a window opens providing you with details on each mode and editing options. All changes are saved in the User mode. In this window, you can also create a new profile for saving necessary settings. To create a new profile: 1. Click 2. In the open window, enter a name for the new profile. 3. Look through default settings and, if necessary, edit them. To configure preventive protection settings for particular applications, click Change access parameters for applications. In the open window, you can add a new rule or edit or delete an existing rule. To add a rule: 1. Click 2. In the open window, click Browse and specify the path to the application executable file. 3. Look through default settings and, if necessary, edit them. To edit an existing rule, select it from the list and click. To delete an existing rule, select it from the list and click. For more information about settings of each operation mode, refer to the Preventive Protection Level section. Pre
34. that purpose use the following command: <path_to_program> dwscanner <switches> <objects> where: • <objects> is a placeholder for the list of objects to be scanned. • <switches> are command line parameters that specify settings of Scanner. If no switches are defined, scanning is performed with the settings specified earlier (or with the default settings if you have not changed them). The list of objects for scanning can be empty or contain several elements separated by spaces. • FAST: perform an express scan of the system. • FULL: perform a full scan of all hard drives and removable data carriers (including boot sectors). • LITE: perform a basic scan of random access memory and boot sectors of all disks as well as run a check for rootkits. Switches are command line parameters that specify program settings. If no switches are defined, scanning is performed with the settings specified earlier (or with the default settings if you have not changed them). Switches begin with the forward slash character and are separated by blanks as other command line parameters. 8.4 Console Scanner. Dr.Web includes Console Scanner, which allows you to run scanning from the command line and provides advanced settings. Console Scanner moves suspicious files to Quarantine. To run Console Scanner: The command syntax to launch Consol
35. to Quarantine: Instructs to move the object to a specific folder of Quarantine. No action is performed on malicious objects for which you selected this action if they are detected in a boot sector. Ignore: Instructs to skip the object without performing any action or displaying a notification. The action is available only for potentially dangerous files: adware, dialers, jokes, hacktools and riskware. SpIDer Guard does not check complex objects. No action is performed on such objects or on files within them. Copies of all processed objects are stored in Quarantine. Scan mode: In this group, you can set up what actions with objects require scanning on the fly with SpIDer Guard. Optimal: This scan mode is used by default (recommended). In this mode, SpIDer Guard scans objects only when one of the following actions is traced: • For objects on hard drives, an attempt to execute a file, create a new file or add a record to an existing file or boot sector. • For objects on removable devices, an attempt to access file or boot sectors in any way (write, read, execute). Paranoid: In this mode, SpIDer Guard scans files and boot sectors on hard or network drives and portable data storages at any attempt to access them (create, write, read, execute). When running in the Optimal mode, SpIDer Guard does not terminate execution of an EICAR test file and the file is not
36. unknown connection attempt. Launching other applications: To enable or disable launch of other applications, from the Launching network applications drop-down list select one of the following: • Allow: if you want to enable the application to run other processes. • Block: if you want to disable the application to run other processes. • Not specified: if you want to use the settings specified for the selected operation mode of Firewall. Access to network resources: 1. Specify one of the following modes to access network resources: • Allow all: all connections are allowed. • Block all: all connections are blocked. • Not specified: if you want to use the settings specified for the selected operation mode of Firewall. • User defined: enables you to create a set of rules that allow or block different connections. 2. When you select the User defined mode, a table with details on the application rule set displays below. Enabled: Status of the rule. Action: The action for Dr.Web Firewall to perform when an attempt to connect to the Internet is detected: • Block packets: block the connection. • Allow packets: allow the connection. Rule name: The rule name. Direction: The direction of the connection: • Inbound: the rule is applied when someone from the network attempts to connect to an application on your computer. • Outbound: the rule is applied when an application o
37. 0 On specific IP addresses and ports: Select this parameter to exclude specific IP addresses and ports from scanning. Traffic on other IP addresses and ports will be scanned (unless specified otherwise). 3. Click OK. The process or program will appear on the list. 4. If necessary, repeat the procedure to add other programs. 5. To edit an existing exclusion, select the corresponding item from the list and click. 6. To remove a file from the list, select the corresponding item and click. Managing listed objects: Click Z to access the following options: • Export: allows to save the created list of exclusions to be used on another computer where Dr.Web is installed. • Import: allows to use the list of exclusions created on another computer. • Clear all: allows to remove all objects from the list of exclusions. 12.4 Anti-spam. In this window, you can configure lists of senders whose messages are delivered or blocked by SpIDer Mail automatically, that is, without analyzing their contents. If you add an address to the white list, messages from the sender will be always delivered to recipients. If you add an address to the black list, all messages from the sender will be regarded as spam automatically, that is, without scanning. By default
38. 00 For the Dr.Web for Microsoft Outlook extension, one of the following Microsoft Outlook clients from the Microsoft Office package is required: • Outlook 2000 (Outlook 9) • Outlook 2002 (Outlook 10 or Outlook XP) • Office Outlook 2003 (Outlook 11) • Office Outlook 2007 • Office Outlook 2010 with Service Pack 2 • Office Outlook 2013. Other system requirements are similar to those for the corresponding operating system. 3 Installing, Removing or Changing the Program. Before installing Dr.Web, note the system requirements and do the following: • Install all critical updates released by Microsoft for the OS version used on your computer (they are available on the company update site at http://windowsupdate.microsoft.com). • Check the file system with system utilities and remove the detected defects. • Close all active applications. Remove any anti-virus software and firewalls from your computer to prevent possible incompatibility of resident components. 3.1 Installation Procedure. To install Dr.Web, the user must have administrative privileges. There are two installation modes of Dr.Web anti-virus software: • The background mode • The usual mode. Installation with command line parameters: To install Dr.Web with command line parameters, enter the executable file na
39. 10 in the Files Options Add-ins section select Dr.Web for Microsoft Outlook and click the Add-in Options button. The Dr.Web Anti-virus page of Microsoft Outlook settings is active only if the user has permissions to change these settings. On the Dr.Web Anti-virus page, the current protection status is displayed (enabled/disabled). This page also provides access to the following program functions: • Log: allows to configure the program logging. • Check attachments: allows to configure email check and to specify program actions on detection of malicious objects. • Spam filter: allows specifying program actions on spam detection and creating black and white lists of email addresses. • Statistics: allows to view the number of checked and processed objects. 13.6.2 Threat Detection. Infected objects are processed according to the actions defined by the user: the program can cure such objects, remove them or move these objects to Quarantine to isolate them from the rest of the system. Malicious Objects: Dr.Web for Outlook detects the following malicious objects: • Infected objects • Bomb viruses in files or archives • Adware • Hacktools • Dialers • Jokes • Riskware • Spyware • Trojans • Computer worms and viruses. Actions: Dr.Web for Microsoft Outlook allows to specify program reaction to detection of infected or suspicious files and malicious objects in
40. Dr.Web Security Space. Doctor Web, 2015. All rights reserved. This document is the property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any purpose other than the purchaser's personal use without proper attribution. TRADEMARKS: Dr.Web, the Dr.WEB logo, SpIDer Mail, SpIDer Guard, CureIt!, CureNet!, AV-Desk are trademarks and registered trademarks of Doctor Web in Russia and/or other countries. Other trademarks, registered trademarks and company names used in this document are property of their respective owners. DISCLAIMER: In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document, the use of or inability to use information contained in this document. Dr.Web Security Space, Version 11.0, User Manual, 30.10.2015. Doctor Web Head Office: 2-12A, 3rd str. Yamskogo polya, Moscow, Russia, 125124. Web site: www.drweb.com. Phone: +7 495 789 45 87. Refer to the official web site for regional and international office information. Doctor Web: Doctor Web develops and distributes Dr.Web information security solutions which provide efficient protection from malicious software and spam. Doctor Web customers can be found among home users from all over the world and in government enterprises, small companies a
41. Attacks: • Nuke: tools for network attacks on known vulnerabilities of operating systems leading to abnormal shutdowns of the attacked system. • DDoS: agent program for performing a DDoS attack (Distributed Denial Of Service). • FDoS (synonym Flooder): Flooder Denial Of Service, programs for performing malicious actions in the Internet which use the idea of DDoS attacks; in contrast to DDoS, when several agents on different computers are used simultaneously to attack one victim system, an FDoS program operates as an independent self-sufficient program (Flooder Denial of Service). Script Viruses: Prefixes of viruses written in different script languages: VBS: Visual Basic Script; JS: Java Script; Wscript: Visual Basic Script and/or Java Script; Perl: Perl; PHP: PHP; BAT: MS-DOS command interpreter. Malicious Programs: Prefixes of malicious programs that are not viruses: Adware: an advertising program; Dialer: a dialer program (redirecting modem calls to predefined paid numbers or paid resources); Joke: a joke program; Program: a potentially dangerous program (riskware); Tool: a program used for hacking (hacktool). Miscellaneous: Generic: this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of viruses. Such virus does not possess any characteri
42. [Settings window: Check mail for spam (on), Change parameters; Actions: Infected: Cure, move to quarantine if incurable (recommended); Suspicious: Move to quarantine (recommended); Advanced settings] Anti-spam: By default, SpIDer Mail checks emails for spam. You can disable this option using the corresponding switch or change scanning parameters by clicking Change parameters. Anti-spam technologies and adjustable parameters are described in the Anti-spam section. Actions: By default, SpIDer Mail attempts to cure messages infected with a known and supposedly curable virus and moves incurable and suspicious messages, as well as adware and dialers, to Quarantine, at the same time ignoring all other minor threats. Other messages are transmitted unchanged by SpIDer Mail (skipped). The SpIDer Mail reactions are similar to those of Dr.Web Scanner. You can select one of the following actions to be applied by SpIDer Mail to detected threats: Cure, move to quarantine if not cured: Instructs to restore the original state of the message before infection. If the message is incurable or the attempt of curing fails, the object is moved to quarantine. Available only for objects infected with a known virus that can be cured, except for Trojan programs, which are deleted on detection. This action is not applicable to files within archives. Cure d
43. Der Gate will allow access to example com example test com test com example test example222 com and other similar websites. To allow access to websites within a particular domain, enter the domain name with a period character. This allows access to all webpages located on this website. If the domain name includes a forward slash, the substring before the slash is considered a domain name, while the substring after the slash is considered a part of address for the websites that you want to access within this domain. For example, if you enter example com test, SpIDer Gate will allow access to such webpages as example com testil template, example com test22 and so on. Your input may be unified. 2. Click. The address will appear on the list. 3. To add other addresses, repeat steps 1 to 2. To remove an address from the white list, select the corresponding item and click. Managing listed objects: Click to access the following options: • Export: allows to save the created list of exclusions to be used on another computer where Dr.Web is installed. • Import: allows to use the list of exclusions created on another computer. • Clear all: allows to remove all objects from the list of exclusions. 12.2 Files and Folders. In this section, you can manage the list of files and folders to be excluded from scanning by SpIDer Guard and Scanner. You can exclude the anti-virus quaran
44. [Settings window: Dr.Web Cloud, Anti-Virus Network, Devices, Advanced; "If an error occurs during checking SSL connections, install Doctor Web certificate manually"; Export] Secure connections: You can enable scanning of data transmitted over secure protocols. To check such data, select the appropriate check box. If your client application that uses secure connections does not refer to the default Windows system certificate storage, then you need to export the certificate. Doctor Web certificate: You may need to scan data transmitted in accordance with SSL protocol. For instance, you can configure SpIDer Gate to check encrypted data transferred over HTTPS protocol and configure SpIDer Mail to check messages sent over POP3S, SMTPS or IMAPS. In order for Dr.Web to scan such encrypted traffic and maintain transparent integration with some browsers and mail clients that do not refer to the Windows system certificate storage, it may be necessary to import Doctor Web SSL certificate into the application certificate storages. To save the certificate from the system storage for future use in third-party applications, click Export and select a convenient folder. 10.4 Self-Protection. On this page, you can configure protection of Dr.Web itself from unauthorized modification by anti-antivirus programs or accidental damage. Main Self protection
45. Install. 5. If you specified a key file or received it during the installation and did not clear the Update during installation check box, the wizard updates virus databases and other Dr.Web components. Updating starts automatically and does not require any additional actions. 6. Restart your computer after the installation is complete. 3.2 Reinstalling or Removing the Program. After you uninstall Dr.Web, your computer will not be protected from viruses and other malware. 1. To uninstall Dr.Web or change its configuration by adding or removing individual components, select (depending on the operating system): • For Windows XP (depending on the presentation of the Start menu): Start menu: Start > Control Panel Add or Remove programs; Classic Start menu: Start Settings Control Panel Add or Remove programs. • For Windows Vista (depending on the presentation of the Start menu): Start menu: Start > Control Panel, then, depending on the Control Panel view: Classic view: Programs and Features; Control Panel Home: Programs Programs and Features. Classic Start menu: Start > Settings Control Panel Add or Remove programs. • For Windows 7, click Start > Control Panel, then, according to the Control Panel view: Small/large icons: Programs and Features; Category: Programs Uninstall a program. • For Windows 8
46. 8.2 Actions upon Detection. If any viruses or computer threats of other types are detected during scanning, Dr.Web Scanner informs you about them and recommends the most effective actions to neutralize them. You can neutralize all detected threats at once by clicking Neutralize. In this case, Dr.Web Scanner applies the most effective actions according to its configuration and threat type. By clicking Neutralize, you apply actions to the objects selected in the table. Dr.Web selects all objects by default once scanning completes. When necessary, you can customize selection of objects to be neutralized by using check boxes next to object names or threat categories from the drop-down menu in the table header. To select an action: 1. Where necessary, select a custom action from the drop-down list in the Action field. By default, Dr.Web Scanner selects a recommended action. 2. Click Neutralize. Dr.Web Scanner applies actions to the selected threats. There are the following limitations: • For suspicious objects, curing is impossible. • For objects which are not files (boot sectors), moving and deletion is impossible. • For files inside archives, installation packages or attachments, no actions are possible. The detailed report on program operation is stored in the dwscanner.log file that is located in %USERPROFILE%\Doctor Web folder. Object: This table column contains the name of an infected or suspicious ob
47. add scan results and information on Dr.Web version to g message headers after processing. You cannot edit data format. Delete modified messages on server: Instructs to remove messages to which either Delete or Move to Quarantine action was applied by SpIDer Mail. The messages are removed from mail servers regardless of the mail client settings. Scanning optimization options: You can set the condition under which SpIDer Mail should acknowledge complex messages, whose scanning is time-consuming, as unchecked. To do that, enable the Message scan timeout option and set the maximum message scanning time. After the expiry of the specified period (by default, 250 sec), SpIDer Mail stops check of the message. Scanning archives: Enable the Scan archives option if you want SpIDer Mail to scan archived files transferred via email. You can configure the following parameters: • Maximum file size to extract. If an archive size exceeds the specified value (by default, 30 720 KB), SpIDer Mail does not unpack and check the archive. • Maximum compression ratio. If an archive compression ratio exceeds the specified value (by default, 0), SpIDer Mail does not unpack and check the archive. • Maximum archive nesting level. If a nesting level is greater than the specified value (by default, 64), SpIDer Mail proceeds unpacking and scanning the archive until this limit is exceeded. You can enable one or more options.
48. age is sent to the mail server. Dr.Web for Outlook is a plug-in that checks Microsoft Outlook mail boxes for threats and spam. SpIDer Gate: an HTTP monitor which, by default, automatically checks incoming HTTP traffic and blocks all malicious objects. The component is used only in Dr.Web Security Space. URL filtering of malicious and unreliable websites is also enabled by default. You can also connect to Doctor Web cloud services, which allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. Parental Control: a component that restricts access to websites, files and folders, and allows to set custom time limits on using your computer and the Internet for different Windows accounts. The component is used only in Dr.Web Security Space. You can also connect to Doctor Web cloud services, which allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. Dr.Web Firewall: a personal firewall that protects your computer from unauthorized access and prevents leak of vital data through networks. Dr.Web Updater: allows registered users to receive updates of the virus database and other program files as well as automatically install them. SpIDer Agent is a utility that lets you set up and manage Dr.Web components. 1 Introduction. 1.1 Abo
49. allation path. c) The last tab of the window allows you to select the Update during installation check box to download updates to virus databases and other program components. The tab also prompts you to create shortcuts to Dr.Web. d) If necessary, specify proxy server parameters. To save the changes, click OK. To close the window without saving the changes, click Cancel. 3. Click Next. Please note that by clicking the Next button you accept the terms of the License agreement. 4. The Registration Wizard informs you that a license is required for Dr.Web operation. Do one of the following: If a key file is present on the hard drive or removable media, click Specify path to an available valid key file and select the file in the open window. To change the path, click Browse and select another key file. If you want to receive a key file during the installation, select Receive license during installation. To continue installation without a license, select Receive license later. Updates are not available until you specify or obtain a key file. Click
50. arameters of program modules (scanner, engine, virus databases); information is logged on program startup and module update. License errors (the key file is absent, permission for program module usage is absent in the key file, the license is blocked, the key file is corrupted); information is logged on program startup and while the program is running. Information on threat detection. License expiration notifications (a message is registered in 30, 15, 7, 3, 2 and 1 days before expiration). To view Windows Event Log: 1. Open Control Panel of the operating system. 2. Select Administrative Tools → Event Viewer. 3. In the tree view, select Application. The list of events registered in the log file by user applications opens. The source of Dr.Web for Microsoft Outlook messages is the Dr.Web for Microsoft Outlook application. Debug Text Log: The following information is registered in the debug log: License validity status. Information on threat detection. Read/write errors or errors occurred while scanning archives or password protected files. Parameters of program modules (scanner, engine, virus databases). Core failures. License expiration notifications (a message is registered in 30, 15, 7, 3, 2 and 1 days before expiration). Configure logging: 1. On the Dr.Web Anti-virus tab, click Log. The window with logging settings opens. 2. To set the maximum level of detail for t
51. ases and anti-virus engine and for other program components of the Dr.Web. Only virus databases: when only the updates for Dr.Web virus databases and the anti-virus engine are downloaded; other components of Dr.Web are not updating. Creating update mirror: To allow other local network computers with installed Dr.Web products to use your computer as an update source, open Advanced settings and enable the appropriate option. Click Change to specify the path to the folder where updates will be copied. If your computer is connected to several subnets, you can specify IP address available to computers of only one subnet. You can also specify the port for HTTP connections. 10.3. Network. Proxy server: By default, all components use direct connection mode. If necessary, you can enable use of a proxy server and specify its connection settings. Click Change to specify the following proxy server parameters: Address: Specify the address of the proxy server. Port: Specify the port of the proxy server. User: Specify the username to use when connecting to the proxy server. Password: Specify the password to use when connecting to the proxy server under the provided username. Authorization type: Select an authorization type required to connect to the proxy server.
52. aximum protection and require minimum user interference. However, by default SpIDer Mail may block some options of mail programs (for example, sending a message to multiple addresses might be considered as mass distribution; incoming mail is not scanned for spam); useful information from safe text part of infected messages becomes unavailable in case of automatically deletion. Advanced users can configure mail scanning settings and reaction of SpIDer Mail to various virus events. Mail processing: Any incoming messages are intercepted by SpIDer Mail before they are received by mail clients. Messages are scanned for viruses with the maximum possible level of detail. If no viruses or suspicious objects are found, messages are passed on to the mail program in a transparent mode, as if they were received directly from the server. Similar procedure is applied to outgoing messages before they are sent to servers. By default, SpIDer Mail reacts to detection of infected incoming messages, as well as messages that were not scanned (for example, due to complicated structure), as follows (for details on how to modify the reaction, refer to Configuring SpIDer Mail): Malicious code is removed from infected messages, then messages are delivered as usual. This action is called curing the message. Messages with suspicious objects are moved to Quarantine as separate files; the mail client receives a notification about this. This action is called moving the
53. cation on your computer. Outbound: the rule is applied when an application on your computer attempts to connect to the network. Any: the rule is applied regardless of packet transfer direction. Logging: Logging mode. Enabled: register events. Disabled: no information is logged. Rule Settings. Protocol: The network and transport level protocols used for the connection attempt. The following protocols of the network level are supported: IPv4; IPv6; IP all (any version of the IP protocol). The following protocols of the transport level are supported: TCP; UDP; TCP & UDP (TCP or UDP protocol); RAW. Local address / Remote address: The IP address of the remote host. You can specify either a certain address (Equals) or several IP addresses using a range (In range), specific subnet mask (Mask), or masks of all subnets in which your computer has a network address (MY_NETWORK). To apply the rule for all remote hosts, select Any. Local port / Remote port: The port used for the connection. You can specify either a specific port number (Equals) or a port range (In range). To apply the rule for all ports, select Any. Settings for Networks: On the Network page, you can select a rule set to be used for filtering packets transmitted through a certain network interface installed on your computer. To set rule sets for network interfaces: 1. To create a set of rules for filteri
54. ck New. The new rule is added to the beginning of the list. To modify a rule, select it and click Edit. To copy the selected rule to the list, click Copy. The copy is added after the selected rule. To remove the selected rule, click Delete. 3. If you selected to create or edit a rule, configure the rule settings in the open window. 4. Use the arrows next to the list to change the order of rules. The rules are applied according to their order in the set. 5. When you finish adjusting the settings, click OK to save changes or Cancel to cancel them. Packets with no rules in a rule set are blocked automatically, except packets allowed by Application Filter rules. Packet Filter Rule Sets: To add or edit a rule: 1. In the packet filter rule set creation or modification window, click Create or Edit. This opens a rule creation or rule modification window. 2. Configure the following parameters: Rule name: The name of the created/edited rule. Description: The rule description. Action: The action for Firewall to perform when a packet is intercepted: Block packets; Allow packets. Direction: The direction of the connection. Inbound: the rule is applied when a packet is received from the network. Outbound: the rule is applied when a packet is sent into the network from your computer. Any: the rule is applied regardless of packet transfer direction. Logging mode: The loggi
55. cording to the specified settings. You can change settings to configure automatic reaction to different virus events. You can also connect to Doctor Web cloud services that allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. By default, SpIDer Guard loads automatically when Windows starts and cannot be unloaded during the current Windows session. 13.1.1. Configuring SpIDer Guard: To access SpIDer Guard settings, you are prompted to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. The default settings are optimal for most cases. Do not change them unnecessarily. Scan options. Heuristic analysis: By default, SpIDer Guard performs scan using heuristic analysis. If this option is disabled, SpIDer Guard will use signature analysis only. Background rootkit scanning: Anti-rootkit component included in Dr.Web provides options for background scanning of the operating system for complex threats and curing of det
56. d contents of scanned archives. It is recommended to use this mode for reception of more detailed information on the checked objects and work of the HTTP watchman. Firewall: Firewall does not log its operation in the standard mode. When you enable detailed logging, the component collects data on network packets (pcap logs). Dr.Web Update: List of updated Dr.Web files and their download status, date and time of updates, and details on auxiliary script execution and Dr.Web component restart. Dr.Web Service: Information on Dr.Web components, changes in their settings, component starts and stops, preventive protection events, connections to anti-virus network. Memory dump creation: The Create memory dumps at scan errors option allows to save useful information on operation of several Dr.Web components. This helps Doctor Web technical support specialists analyze an occurred problem in detail and find a solution. It is recommended to enable this option on request of Doctor Web technical support specialists or when errors of scanning or neutralizing occur. Memory dump is saved to .dmp file located in the %PROGRAMFILES%\Common Files\Doctor Web\Scanning Engine\ folder. Enabling detailed logging: Upon logging detailed data on Dr.Web operation, the maximum amount of information is recorded. This will result in disabling of log file size limitations and will have an impact on system and Dr.Web performance. It is recommended to use this mode only when erro
57. d improvement of filtering methods. Messages that are wrongly regarded as spam should be forwarded to vrnonspam@drweb.com. Unblocked spam messages should be forwarded to vrspam@drweb.com. Forward messages as attachments; that is, do not include them in the message body. Black and White Lists: Black and white lists are used for message filtration. To review and to edit the black and white lists, in the spam filter window click Black list or White list respectively. To add addresses: 1. Click Add. 2. In the Edit list window, enter the address (see white and black lists filling methods). 3. Click OK. To change addresses: 1. Select the address you want to change and click Edit. 2. Change the address. 3. Click OK. To delete addresses: 1. Select the address you want to delete from the list. 2. Click Delete. In the Black and White lists window, click OK to save changes. White list: However, if the domain names in the receiver's and sender's addresses are similar and this domain name is specified in the white list using the "*" character, this message is checked for spam. Details: To add a specific sender, enter the full email address (for example, friend@mail.com). This ensures delivery of all messages from this sender. Each list item can contain only one address or address mask. To add a group of sender addresses, enter the mask that determines their names. Th
58. d to have administrative privileges. The SpIDer Agent menu allows to perform the main management and setting functions of Dr.Web. My Dr.Web: Opens your personal webpage on the Doctor Web official website. This page provides you with information on your license (including usage period and serial number), allows to renew the license, contact technical support, and so on. License: Opens License Manager. Tools: Opens a submenu providing access to: Data loss prevention; Anti-virus Network; Quarantine Manager; Support section. Protection components: Quick access to the protection components list where you can enable or disable each of the components. Update: Information about actuality of the components or virus databases. Launches the update. Scanner: Quick access to launching different kinds of scanning. Working mode: Allows to switch between user mode and administrator mode. By default, Dr.Web starts in restricted user mode, which does not provide access to Settings and settings of Protection components. To switch to another mode, click the lock. If UAC is enabled, operating system will prompt a request for administrative privileges. Besides, you also need to enter the password to change the mode if you set Protect Dr.Web settings by password option on the Settings window. Statistics: Opens statistics on the components operations in the current session, including the
59. dditional parameters: Notify on new tips: Select this check box to receive notifications about new tips on working with Dr.Web. Do not show notifications in full screen mode: Select this check box to hide notifications when an application is running in full screen mode on your computer (e.g., a game or a movie). Clear this check box to display notifications regardless of the mode. Display Firewall notifications on separate desktop in full screen mode: Select this check box to display notifications from Firewall on a separate desktop when an application is running in full screen mode on your computer (a game or a movie). Clear this check box to display notifications on the same desktop where an application is running in full screen mode. 4. If you selected one or more email notifications, configure sending emails from your computer. Notification types (Threat notifications, Critical notifications, Major notifications, Minor notifications, License): Threat notifications: Select to be notified on threats detected by SpIDer Gate and SpIDer Guard. Clear if you do not want to be notified. By default, these notifications are enabled. Critical notifications: Select to be notified on the following critical issues: Failures to make a protected copy; Detection of connections waiting for Firewall to reply. Clear if you do not want to be notified on the issues listed above. By default, these notifications are enabled. Major notifications: Select to be not
60. e Scanner is as follows: <path_to_program> dwscancl <switches> <objects>, where <objects> is a placeholder for the list of objects to be scanned, and <switches> is a placeholder for command-line parameters that configure Console Scanner operation. Switch begins with the forward slash character; several switches are separated by spaces. The list of objects for scanning can be empty or contain several elements separated by spaces. All Console Scanner switches are listed in Appendix A. After the operation is complete, Console Scanner returns one of the following codes: 0: scanning completed successfully, infected objects were not found; 1: scanning completed successfully, infected objects were detected; 10: invalid keys are specified; 11: key file is not found or does not support Console Scanner; 12: Scanning Engine did not start; 255: scanning was aborted by user request. 8.5. Automatic Launch of Scanning: During Dr.Web installation, an anti-virus scan task is automatically created in the Task Scheduler (the task is disabled by default). To view task settings, open Control Panel (extended view) → Administrative Tools → Task Scheduler. From the task list, select the scan task. You can enable the task, adjust trigger time and set required parameters. On the General page, you can review general information and security options on a certain task. On the Triggers and Conditions pages, vari
61. e an object from the list, select it and click. Please note that access blocking is not guaranteed when loading the computer from portable media or addressing the objects from other operating systems installed on your computer. 12. Exclusions. 12.1. Websites: If you want to have access to the websites that are not recommended to visit by Doctor Web, add them to the exclusions. The access to the listed websites will be allowed, but the sites will be still checked for viruses. By default, the list is empty. If you add a website to the white list, users will be able to access it regardless of other SpIDer Gate settings. Please note that if the site is added both to the black list of Parental Control and to the exclusions, access will be blocked. To configure black and white lists: 1. Enter a domain name or a part of a domain name for the website that you want to access regardless of other restrictions. To add a certain website, enter its name (for example, www.example.com). This allows access to all webpages located on this website. To allow access to websites with similar names, enter the common part of their domain names. For example, if you enter example, then SpI
62. e computer where the registration procedure was run. 4. Licensing. 4.1. Activation Methods: You can activate your license or a trial version in one of the following ways: Using the Registration Wizard during installation or later. Obtaining the key file during registration on the official website of Doctor Web. Specifying the path to the valid key file residing on your computer during installation or in the Registration Wizard window. Reactivating license: You may need to reactivate a license or a trial version if the key file is lost. When reactivating a license or a trial version, you receive the same key file as during the previous registration, providing that the validity period is not expired. A 3-month trial version can be reactivated only on the computer where the registration procedure was run. When you reinstall the product or install it on several computers, if the license allows for that, you will be able to use the previously registered key file. Reactivation of the key file is not required. The number of requests for a key file receipt is limited. One serial number can be registered not more than 25 times. If more requests are sent, the key file will not be delivered. In this case, to receive a lost key file, contact your technical support describing your problem in detail, stating your personal data input during the registration and the serial number. The key file will be sent by technica
63. e mask defines a template for an object definition. It may contain regular characters from email addresses and a special asterisk character (*), which replaces any (including an empty one) sequence of characters. For example, the following variations are possible: mailbox@domain.com; *box@domain.com; mailbox@dom*; *box@dom*. The asterisk can be specified at the start or at the end of an address only. The at sign is mandatory. To ensure delivery of messages sent from any email address within a certain domain, use an asterisk instead of the username in the address. For example, if you enter *@example.net, messages from all senders within the example.net domain will be delivered without scanning. To ensure delivery of messages sent from email address with a certain user name from any domain, use an asterisk instead of the domain name in the address. For example, if you want to receive messages from all senders with the someone mailbox, enter name@*. Black list: If the sender's address is on the black list, the message will be automatically regarded as spam. Details: To add a specific sender, enter the full email address (for example, spam@spam.com). All messages received from these addresses will be automatically regarded as spam. Each list item can contain only one address or address mask. To add a group of sender addresses, enter the mask that dete
64. ected active infections when necessary. If this option is enabled, Dr.Web Anti-rootkit constantly resides in memory. In contrast to the on-the-fly scanning of files by SpIDer Guard, scanning for rootkits includes checking of autorun objects, running processes and modules, Random Access Memory (RAM), MBR/VBR disks, computer BIOS system and other system objects. One of the key features of Dr.Web Anti-rootkit is delicate attitude towards consumption of system resources (processor time, free RAM and others) as well as consideration of hardware capacity. When Dr.Web Anti-rootkit detects a threat, it notifies you on the detection and neutralizes the malicious activity. During background rootkit scanning, files and folders specified on the Excluded files page are excluded from scanning. To enable background scanning, enable the Scan computer for rootkits (recommended) option. Disabling of SpIDer Guard does not affect background scanning. If the option is enabled, background scanning is performed regardless of whether SpIDer Guard is running or not. Actions: On this page, you can configure reactions of SpIDer Guard to detection of infected or suspicious files and malware. For different types of compromised objects, actions are assigned separately from the respective drop-down lists: Objects infected with a known and (supposedly) curable virus; Supposedly infected (suspicious)
65. ection of various malicious software is also set separately. Set of actions available for the selection depends on the threat type. By default, Scanner attempts to cure the infected and supposedly curable files, moves other most dangerous objects to Quarantine. You can select one of the following actions for detected threats. Threats within complex objects cannot be processed individually. For such threats, Dr.Web Scanner applies an action selected for this type of a complex object. Advanced settings: You can disable check of installation packages, archives and email files. This option is enabled by default. You can also select one of the following actions for Scanner to perform once scanning is complete: 1. Do not apply action. Scanner will display the list of detected threats. 2. Neutralize detected threats. Scanner will neutralize threats automatically. 3. Neutralize detected threats and shut down computer. Scanner will shut down the computer once threats are automatically neutralized. 13.5. Dr.Web Firewall: Dr.Web Firewall protects your computer from unauthorized access and prevents leak of vital data through networks. It monitors connection attempts and data transfer and helps you block unwanted or suspicious connections both on network and application levels. Firewall provides you with the following features: Control and filtration of all incoming and outgoing traffic.
66. ed no other virus events occurred during scanning. Appendix B. Computer Threats and Neutralization Methods: With the development of computer technologies and network solutions, malicious programs (malware) of different kinds, meant to strafe users, become more and more widespread. Their development began together with computer science, and facilities of protection against them progressed alongside. Nevertheless, there is still no common classification for all possible threats due to their unpredictable development character and constant improvement of applicable technologies. Malicious programs can be distributed through the Internet, local area networks, email and portable data mediums. Some of them rely on the user's carelessness and lack of experience and can be run in completely automatic mode. Others are tools controlled by a computer cracker, and they can harm even the most secure systems. This chapter describes all of the most common and widespread types of malware against which products of Doctor Web are aimed. Classification of Computer Threats: Herein, the term threat defines any kind of software that can potentially or directly inflict damage on a computer or network, or compromise the user's information or rights (in other words, malicious and other unwanted programs). However, generally speaking, the term threat may be used to indicate any potential danger to computer or ne
67. elete if not cured: Instructs to restore the original state of the message before infection. If the message is incurable or the attempt of curing fails, the object is deleted. Delete: Instructs to delete the message. The message is not sent to recipient; the mail client receives a notification about this. Move to Quarantine: Instructs to move the message to the special Quarantine folder. The message is not sent to the recipient; the mail client receives a notification about this. Ignore: Instructs to pass the message to the mail client as usual, that is, without performing any action. If an email contains a malicious object, any reaction except Ignore results in failure to send the message to a mail server or recipient. To increase security above the default level, you may select the Move to quarantine action for Unchecked messages and then scan the moved file with Dr.Web Scanner. If you want to disable scans of email by SpIDer Mail, ensure that SpIDer Guard monitors your computer constantly. After performing reaction you configured, SpIDer Mail can display a notification in the notification area. If necessary, you can configure desktop and email notifications. Actions on messages: In this group, you can configure additional actions to be applied when SpIDer Mail processes messages. Insert X-AntiVirus: This option is enabled by default. Instructs SpIDer Mail to
68. en the SpIDer Agent menu in administrator mode, run Settings and go to Main. To access the main Dr.Web settings, you are prompted to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. Centralized settings adjustment allows you to configure main settings of the whole anti-virus package. 10.1. Notifications. Pop-up notifications: Enable the appropriate option to get pop-up notifications above the SpIDer Agent icon in the Windows notification area. Email notifications: To configure email notifications, enable the Send notifications to email option. 1. Make sure that all the necessary email notifications in the Notification parameters window are selected. 2. Click Change. The window with email parameters opens. 3. Specify the email address that you want to use for receiving notifications. You will need to confirm this email address at step 8. 4. Click Next. 5. Specify details for the account to be used when sending email notifications. 5.1. Select the mail server from the list and enter your account login and password. 5.2. If the required mail server is not on the list, select Set manually
69. en this option is enabled, the rule selected for the first fragment of a large IP packet is applied to all other fragments. Clear this check box to process fragmented packets independently. Rule Sets: The Edit rule set window lists packet filtering rules for the selected rule set. You can configure the list by adding new rules or modifying existing rules and the order of their execution. The rules are applied according to their order in the set. For each rule in the set, the following information is displayed: Enabled: Status of the rule. Action: The action for Firewall to perform when a packet is intercepted: Block packets; Allow packets. Rule name: The rule name. Direction: The direction of the connection: the rule is applied when the packet is received from the network; the rule is applied when a packet is sent into the network from your computer; the rule is applied regardless of packet transfer direction. Logging: The logging mode for the rule. This parameter defines which information should be stored in the log: Headers only: log the packet header only; Entire packet: log the whole packet; Disabled: no information is logged. Description: The rule description. Edit rule set: 1. If you selected to create or edit an existing rule set on the Packet filtering settings page, in the open window specify the name for the rule set. 2. Use the following options to create filtering rules: To add a new rule, cli
70. er than <p> (number) days. If <d> and <p> are not specified, all quarantined files on all drives are deleted. For Console Scanner only. /QUIT: terminate Scanner once scanning is complete, regardless of whether or not any actions have been applied to the detected threats. For Scanner only. /RA:<file_name>: append the specified file with the report on program operation. By default, logging is disabled. /REP: follow symbolic links while scanning. Option is disabled by default. /RP:<file_name>: append the specified file with the report on program operation. By default, logging is disabled. /RPC:<sec>: Scanning Engine connection timeout. Timeout is 30 seconds by default. For Console Scanner only. /RPCD: use dynamic RPC identification. For Console Scanner only. /RPCE: use dynamic RPC endpoint. For Console Scanner only. /RPCE:<target_address>: use specified RPC endpoint. For Console Scanner only. /RPCH:<host_name>: use specified host name for remote call. For Console Scanner only. /RPCP:<protocol>: use specified RPC protocol. Possible protocols are as follows: lpc, np, tcp. For Console Scanner only. /SCC: show content of complex objects. Option is disabled by default. /SCN: show installation package name. Option is disabled by default. /SLS: show logs on the screen. Option is enabled by default. For Console Scanner only. /SPN
71. es the probability of unknown virus infection. If the threshold is exceeded, the heuristic analyzer generates the conclusion that the analyzed object is probably infected with an unknown virus. The heuristic analyzer also uses the FLY-CODE technology, which is a versatile algorithm for extracting files. The technology allows making heuristic assumptions about the presence of malicious objects in files compressed not only by packagers Dr.Web is aware of, but also by new, previously unexplored programs. While checking packed objects, Dr.Web anti-virus solutions also use structural entropy analysis. The technology detects threats by arranging pieces of code; thus, one database entry allows identification of a substantial portion of threats packed with the same polymorphous packager. As any system of hypothesis testing under uncertainty, the heuristic analyzer may commit type I or type II errors (omit viruses or raise false alarms). Thus, objects detected by the heuristic analyzer are treated as suspicious. While performing any of the abovementioned checks, Dr.Web anti-virus solutions use the most recent information about known malicious software. As soon as experts of Doctor Web Virus Laboratory discover new threats, the update for virus signatures, behavior characteristics and attributes is issued. In some cases, updates can be issued several times per hour. Therefore, even if a brand new virus pas
72. et time limits on computer and Internet use: Off, Change. Files and folders: Block use of specific files and folders: On, Change. Configuring Parental Control parameters for different users. To configure access restriction for a user, select the user name in the left pane. In the main part of the window, you can view the settings specified for this user. By default, access to the Internet and to local resources is not restricted for all users of the computer; no time limits are set. To change these settings, click Change next to the desired option. If necessary, you can configure desktop and email notifications on Parental Control actions. Quick setup. By clicking you can access the menu that allows you to: copy restriction settings configured for one user and apply them to another user profile (for that, select Copy settings and Use copied settings); disable Parental Control for the selected user (for that, select Disable Parental Control). Using this menu, you can enable Parental Control with the same settings again. Internet. By default, the No restrictions mode is set for every user. To change these settings, select another mode from the drop-down list. Block by categories. In this mode, you can select categories of websites to block. You can also add websites to the manually populated black and white lists to block or allow access to the resources regardless of other
73. etimes to cure the infected files that were considered unrecoverable before. From time to time, updates include enhancements to anti-virus algorithms in the form of executable files and libraries. The experience of Dr.Web anti-virus protection helps to fix any bugs in software and to update support service and documentation. To ensure the virus databases and software algorithms being most up to date, Doctor Web provides you with regular updates to virus databases and product components, which are distributed via the Internet. Dr.Web Update helps you download and install updates during the licensed period. Update start. During update, Dr.Web downloads and installs all updated files that correspond to your version of Dr.Web and upgrades Dr.Web when a newer version is released. For Dr.Web to update, you need a connection to the Internet, to the update mirror (local or network folder), or to the Anti-virus network with at least one computer that has an update mirror set. All necessary parameters can be defined on the Update page of Dr.Web Main settings. Start from the SpIDer Agent menu: click the SpIDer Agent icon and select Update. This opens information on relevance of Dr.Web virus databases and other components as well as the date of their last update. Start updating by clicking Update. Start from the command line: open the Dr.Web installation folder (%PROGRAMFILES%\Common Files\Doctor Web\Updater) and run the drwupsrv.exe file. The l
74. figure Parental Control, open the SpIDer Agent menu in administrator mode, run Settings and go to Parental Control. The Parental Control component allows you to restrict access to websites, files and folders. You can also set time limits on using the Internet and computer for certain Windows accounts. By restricting access to the local file system, you can maintain integrity of important files, protect them from viruses, and secure confidentiality of stored data. You can limit access to separate files or folders on local drives and external data carriers. By controlling access to web resources, you can restrict a user from viewing undesirable websites (for example, pages on violence, gambling, adult content, etc.) or allow access to certain websites only that are specified in the Parental Control settings. You can also connect to Doctor Web cloud services that allow anti-virus components to use the latest information on threats. This information is stored and updated on Doctor Web servers in real-time mode. 11.1 Configuring Parental Control. To manage Parental Control, the password is required if you enabled the Protect Dr.Web settings with a password option on the Settings page. [Screenshot: Parental Control window. Users: a antonov, o usmanova, Olga, Administrator. Internet: Configure access to websites and set black and white lists; No restrictions; Change. Time S
75. g listed objects. Click to access the following options: Export allows to save the created list of exclusions to be used on another computer where Dr.Web is installed; Import allows to use the list of exclusions created on another computer; Clear all allows to remove all objects from the list of exclusions. 13 Protection Components. 13.1 SpIDer Guard. SpIDer Guard is an on-access anti-virus scanner that constantly resides in memory while scanning files and RAM on the fly and instantly detects any malicious activity. With the default settings, the component performs on-access scans of files that are being created or changed on the hard drives and all files that are opened on removable media. Moreover, SpIDer Guard constantly monitors running processes for virus-like activity and, if such is detected, blocks malicious processes and reports on the event. On detection of an infected object, SpIDer Guard processes it according to the specified settings. Files within archives and mailboxes are not scanned. If a file within an archive or email attachment is infected, the malicious object will be detected and neutralized by SpIDer Guard immediately when you try to extract the archived files or download the attachment. To prevent spread of viruses and other malicious objects with email, use SpIDer Mail. On detection of an infected object, SpIDer Guard applies actions to them ac
76. gs, Self-Protection, Quarantine, Dr.Web Cloud, Default settings, Anti-Virus Network, Devices, Advanced. Log settings. To configure log settings, click the corresponding Change button. By default, size of a log file is restricted to 10 MB. If the log file size exceeds the limit, the content is reduced to: the specified size, if the current session information does not exceed the limit; the size of the current session, if the session information exceeds the limit. By default, the standard logging mode is enabled and the following information is logged. SpIDer Guard: time of updates and SpIDer Guard starts and stops, virus events, names of scanned files, names of packers and contents of scanned complex objects (archives, email attachments, file containers). It is recommended to use this mode to determine the most frequent objects scanned by SpIDer Guard. If necessary, you can add these objects to the list of exclusions in order to increase computer performance. SpIDer Mail: time of updates and SpIDer Mail starts and stops, virus events, connection interception settings, names of scanned files, names of packers and contents of scanned archives. It is recommended to use this mode when testing mail interception settings. SpIDer Gate: time of updates, starts and stops of SpIDer Gate, virus events, connection interception settings, names of scanned files, names of packers an
77. hanisms are constantly improved and ways to overcome them are constantly developed. According to the type of protection they use, all viruses can be divided into two following groups. Encrypted viruses self-encrypt their malicious code upon every infection to make its detection in a file, boot sector or memory more difficult. Each sample of such viruses contains only a short common code fragment (decryption procedure) that can be used as a virus signature. Polymorphic viruses use a special decryption procedure in addition to code encryption. This procedure is different in every new virus copy. This means that such viruses do not have byte signatures. Viruses can also be classified according to the language they are written in (most viruses are written in Assembly, high-level programming languages, script languages, and so on) and operating systems that can be infected by these viruses. Computer worms. Recently, worms have become much more widespread than viruses and other malicious programs. Like viruses, these malicious programs can replicate themselves. A worm infiltrates a computer from a network (usually as an email attachment) and spreads its functional copies among other computers. Distribution can be triggered by some user action or automatically. Worms do not necessarily consist of only one file (the worm's body). Many of them have a so-called infectious part (shellcode) that is loaded into the main memory. After that, it downloads t
78. he logging, select the Detailed logging check box. By default, logging is set to regular mode. The maximum level of detail for the logging decreases server performance; therefore, it is recommended to enable detailed logging only in case an error in operation of Dr.Web for Microsoft Outlook occurs. 3. Click OK to save changes. The Log window is available only for users with administrative privileges. For Windows Vista and later operating systems, after clicking Log: if UAC is enabled, administrator is requested to confirm program actions, user without administrative privileges is requested to enter system administrator credentials; if UAC is disabled, administrator can change program settings, user does not have the permission to change program settings. To view program log: to open the text log, click Show in folder. The folder with the log opens. 13.6.5 Statistics. In the Microsoft Outlook mail application, in the Tools > Options > Dr.Web Anti-virus page (for Microsoft Outlook 2010, in the Files > Options > Add-ins section, select Dr.Web for Microsoft Outlook and click the Add-in Options button), statistic information about total number of objects which have been checked and processed by the program is listed. These scanned objects are classified as follows: Checked - total number of checked messages; Infected - number of messages with viruses; Suspicious - number of messages presumably infected with a virus
79. he worm's body as an executable file via the network. If only the shellcode is present in the system, the worm can be easily removed by restarting the system (at that, RAM is reset). However, if the worm's body infiltrates the computer, only an anti-virus program can fight it. Even if worms do not bear any payload (do not cause direct damage to a system), they can still cripple entire networks because of how intensely they spread. Doctor Web classifies worms in accordance with their distribution methods as follows: network worms spread via various network and file-sharing protocols; mail worms spread via mail protocols (POP3, SMTP and others). Trojan programs (Trojans). These programs cannot replicate themselves. However, they can perform malicious actions on their own (damage or delete data, forward confidential information and others) or provide cybercriminals with authorized access to a computer to harm a third party. Like viruses, these programs can perform various malicious activities, hide their presence from the user, and even be a virus component. However, usually Trojans are distributed as separate executable files (through file exchange servers, data carriers or email attachments) that are run by users themselves or by some specific system process. Here are some Trojan types divided by Doctor Web into separate categories as follows: Backdoors are Trojans that allow an intruder to get pr
80. ified on the following major issues: expiration of the time limit set for working on the computer; device is blocked; attempt to change system date; new version is available; virus databases are out of date. Clear if you do not want to be notified on the issues listed above. By default, these notifications are enabled. Select to be notified on the following minor issues: successful update; update failures; expiration of the time limit set for Internet use; URL is blocked by Parental Control; URL is blocked by SpIDer Gate; an attempt to access a protected object is blocked by Parental Control; an attempt to access a protected object is blocked by Preventive Protection. Clear if you do not want to be notified on the issues listed above. By default, these notifications are disabled. Select to be notified on the following issues: expiration of your license period; valid license is not found; the current license is blocked. Notifications on the following issues are not included in any of the specified groups and are always displayed to the user: priority updates installed and restart is required; request for allowing a process to modify an object; successful connection to a remote computer in the Anti-virus Network; you activated a trial version, it is recommended to obtain a license; the current license is blocked. 10.2 Update. On this page, you can configure
81. iles on logical drives and removable media. Custom: scan of specific objects. Doctor Web, 1992-2015. Configuring Dr.Web Scanner. To configure Dr.Web Scanner and its reactions to detected threats, go to Settings > Protection Components > Scanner. Scan modes. Express scan. In this mode, Scanner checks the following: boot sectors of all disks; random access memory; boot disk root folder; Windows system folder; User documents folder ("My Documents"); temporary files; system restore points; presence of rootkits (if the process is run with administrative privileges). Scanner does not check archives and email files in this mode. Full scan. In this mode, random access memory and all hard drives (including boot sectors of all disks) are scanned. Moreover, Dr.Web Scanner runs a check for rootkits. Custom scan. In this mode, you can select objects to be scanned, for example, any files and folders and such objects as random access memory, boot sectors, and so on. To start scanning selected objects, click Start scanning. To select objects, click Scan process. When scanning starts, the Pause and Stop buttons become available. During scanning, you can do the following: to pause scanning, click Pause (to resume scanning after pause, click Resume); to stop scanning, click Stop. The Pause button is not available while processes and RAM are scanned.
82. inciples and reflect a threat's design, classes of vulnerable objects, distribution environment (OS and applications) and some other features. Knowing these principles may be useful for understanding software and organizational vulnerabilities of the protected system. The full and constantly updated version of this classification is available at http://vms.drweb.com/classification. In certain cases, this classification is conventional, as some viruses can possess several features at the same time. Besides, it should not be considered exhaustive, as new types of viruses constantly appear and the classification is made more precise. The full name of a virus consists of several elements separated with full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification. Prefixes. Affected Operating Systems. The prefixes listed below are used for naming viruses infecting executable files of certain operating systems: Win - 16-bit Windows 3.1 programs; Win95 - 32-bit Windows 95/98/Me programs; WinNT - 32-bit Windows NT/2000/XP/Vista programs; Win32 - 32-bit Windows 95/98/Me and NT/2000/XP/Vista programs; Win32.NET - programs in Microsoft .NET Framework operating system; OS2 - OS/2 programs; Unix - programs in various Unix-based systems; Linux - Linux programs; FreeBSD - FreeBSD programs; SunOS - SunOS (Solaris) programs; Symbian - Symbia
83. ing of the key file to the console. download command parameters: zones arg - zone description file; key dir arg - directory where the key file is located; progress to console - print information about command execution to the console; g proxy arg - proxy server for updating, <address>:<port>; u user arg - username for proxy server; k password arg - password for proxy server; s version arg - version name; p product arg - name of the product to download. Return Codes. The values of the return code and corresponding events are as follows (64, 128): OK, no virus found; known virus detected; modification of known virus detected; suspicious object found; known virus detected in file archive, mail archive or container; modification of known virus detected in file archive, mail archive or container; suspicious file found in file archive, mail archive or container; at least one infected object successfully cured; at least one infected or suspicious file deleted/renamed/moved. The actual value returned by the program is equal to the sum of codes for the events that occurred during scanning. Obviously, the sum can be easily decomposed into separate event codes. For example, return code 9 = 1 + 8 means that known viruses were detected, including viruses in archives, mail archives or containers; curing and others actions were not execut
84. ist of command line parameters can be found in Appendix A. Automatic start. If launched automatically, Dr.Web installs updates silently and logs all changes into the dwupdater.log file located in the %allusersprofile%\Doctor Web\Logs folder. After an update of executable files, drivers or libraries, a program restart may be required. In such cases, an appropriate warning displays. 8 Dr.Web Scanner. Dr.Web Scanner for Windows allows you to run anti-virus scans of disk boot sectors, random access memory (RAM), and both separate files and objects enclosed within complex structures (archives, containers or email attachments) detection methods threat. By default, Dr.Web Scanner checks all files for viruses using both the virus database and the heuristic analyzer (a method based on the general algorithms of virus developing, allowing to detect the viruses unknown to the program with a high probability). Executable files compressed with special packers are unpacked when scanned. Files in archives of all commonly used types (ACE, ALZIP, AR, ARJ, BGA, 7-ZIP, BZIP2, CAB, GZIP, DZ, HA, HKI, LHA, RAR, TAR, ZIP, etc.), in containers (1C, CHM, MSI, RTF, ISO, CPIO, DEB, RPM, etc.), and in mailboxes of mail programs (the format of mail messages should conform to RFC822) are also checked. On detection of a malicious object, Dr.Web Scanner only informs you about it. Information on all infected or suspicious objects
85. ivileged access to the system, bypassing any existing protection mechanisms. Backdoors do not infect files; they register themselves in the registry, modifying registry keys. Droppers are file carriers that contain malicious programs in their bodies. Once launched, a dropper copies malicious files to a hard disk without user consent and runs them. Keyloggers can log data that users enter by means of a keyboard. These malicious programs can steal various confidential information (including network passwords, logins, bank card data, and so on). Clickers redirect users to specified Internet resources (may be malicious) in order to increase traffic to those websites or to perform DoS attacks. Proxy Trojans provide cybercriminals with anonymous Internet access via the victim's computer. Rootkits are used to intercept operating system functions in order to hide their presence. Moreover, a rootkit can conceal processes of other programs, registry keys, folders and files. It can be distributed either as an independent program or as a component of another malicious application. Based on the operation mode, rootkits can be divided into two following categories: User Mode Rootkits (UMR) that operate in user mode (intercept functions of user-mode libraries) and Kernel Mode Rootkits (KMR) that operate in kernel mode (intercept functions at the system kernel level, which makes these malicious programs hard to detect). Trojans can also perform other maliciou
86. ject: either a file name if a file is infected, or Boot sector if a boot sector is infected, or Master Boot Record if an MBR of the hard drive is infected. Threat: the names of viruses or virus modifications as per the internal classification of Doctor Web (modification of a known virus is a code resulting from such alteration of a known virus which can still be detected but cannot be cured with the algorithms applied to the initial virus). For suspicious objects, the following is displayed: indication that the object is possibly infected and the type of a possible virus according to the classification used by the heuristic analyzer. Action: click an arrow on this button to select a custom action for a detected threat (by default, Dr.Web Scanner offers the most effective action). You can apply the displayed action separately to each threat by clicking this button. Path: the full paths to the corresponding files. If you selected the Automatically apply actions to threats check box on the Main page, Dr.Web Scanner will neutralize threats automatically. 8.3 Command Line Scanning Mode. You can run Dr.Web Scanner in the command line mode that allows to specify settings of the current scanning session and the list of objects for scanning as additional parameters. Automatic activation of the Scanner according to schedule is performed in this mode. To run scanning from command line: For
87. l, click the SpIDer Agent icon, select Tools and then select Anti-virus Network. [Screenshot: Tools window with the items License Manager, Data Loss Prevention, Anti-Virus Network, Quarantine Manager and Support. Found computers: "You can review summary information about Dr.Web product on selected computer. If you have remote access to a computer, you can manage settings and enable or disable Dr.Web components." MAC W8, IP address 10.3.0.195.] To access a remote anti-virus, select the computer from the list and click Connect. Enter the password specified in the settings of the remote anti-virus. An icon for the remote SpIDer Agent appears in the notification area (Remote SpIDer Agent) and the notification about established connection will be displayed. You can view settings, enable or disable components, and configure their settings. Anti-virus Network, Quarantine Manager and Scanner are not available. Dr.Web Firewall settings and statistics are not available as well, but you can enable or disable this component (if you accessed Dr.Web Anti-virus for Windows or Dr.Web Security Space). Also, you can select the Disconnect item to terminate the remote connection. If the required computer is not on the list, you can try to add it manually. For this TOT and enter an IP address. You can establish only one connection with a remote Dr.Web product. If one connection is already established, the Connect button is disabled. Computers are listed if Dr.Web products installed on the
88. l support to your email address. 4.2 Renewing License. In some situations, for example, when the license expires or characteristics of the protected system change, you may need to renew or extend the Dr.Web license. If so, you should change the current key file. Dr.Web supports hot license update without stopping or reinstalling the product. To change a key file: 1. Open Registration Wizard. You can also purchase a new license or renew an existing one on your personal page on the Doctor Web official site. To visit the webpage, use the My Dr.Web option in the License Manager window or on the SpIDer Agent menu. 4.3 Registration Wizard. SpIDer Agent checks whether you have a key file. If no key file is found, you are prompted to obtain a key file on the Internet. A key file can be obtained during the installation procedure. For this, select the Receive license during installation option at step 5 of the installation procedure, and activation of a license or a trial version will start. You can also obtain a key file by starting activation of the license or demo period after the product is installed on your system. 1. Click the SpIDer Agent icon in the notification area and select License. The License Manager window opens. 2. Click Buy or activate new license. The Registration Wizard window opens. To activate the license, you need to enter the registration serial number sup
89. le, cmdfile, scrfile, lnkfile keys. Software Restriction Policies (SRP): Software\Policies\Microsoft\Windows\Safer. Browser Helper Objects for Internet Explorer (BHO): Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. Autorun of programs: Software\Microsoft\Windows\CurrentVersion\Run; Software\Microsoft\Windows\CurrentVersion\RunOnce; Software\Microsoft\Windows\CurrentVersion\RunOnceEx; Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup; Software\Microsoft\Windows\CurrentVersion\RunOnceEx\Setup; Software\Microsoft\Windows\CurrentVersion\RunServices; Software\Microsoft\Windows\CurrentVersion\RunServicesOnce. Autorun of policies: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. Safe mode configuration: SYSTEM\ControlSetXXX\Control\SafeBoot\Minimal; SYSTEM\ControlSetXXX\Control\SafeBoot\Network. Session Manager parameters: System\ControlSetXXX\Control\Session Manager\SubSystems, Windows. System services: System\CurrentControlXXX\Services. If any problems occur during installation of important Microsoft updates or installation and operation of programs (including defragmentation programs), temporarily disable Preventive Protection. If necessary, you can configure desktop and email notifications on Preventive Protection actions. Exploit prevention. This option allows to block malicious programs that use vulnerabilities of well-known applications. From the corresponding
90. loan scams, lottery and casino scams, and false messages from banks and credit organizations. A special module is used to filter scams. Technical spam. Bounces are delivery-failure messages sent by a mail server. Such messages are also sent by a mail worm. Therefore, bounces are as unwanted as spam. You can configure the following Anti-spam options. Allow Cyrillic text: this option is enabled by default. Select this check box to prevent SpIDer Mail from marking Cyrillic emails as spam without prior analysis. Otherwise, such emails are most likely to be marked as spam. Allow Asian text: this option is enabled by default. Select this check box to prevent SpIDer Mail from marking Asian emails as spam without prior analysis. Otherwise, such emails are most likely to be marked as spam. Add the prefix to subjects of spam messages: by default, this option is enabled and SpIDer Mail adds the SPAM prefix to the Subject field of all spam messages. Instructs SpIDer Mail to add a special prefix to subjects of spam messages. Using a prefix allows you to create filter rules for spam in those mail clients (for example, Microsoft Outlook Express) where it is not possible to enable filtering by headers. Processing mail by spam filter. SpIDer Mail adds the following header to the processed messages: X-DrWeb-SpamState: <value>, where <value> indicates whether the message is c
91. me with necessary parameters in the command line (the parameters affect installation in background mode, installation language, restart after installation completes, and installation of Firewall). installFirewall - install Dr.Web Firewall. lang - language used for the installation; the value of this parameter is language in ISO 639-1 format. reboot - restart the computer automatically after installation is complete. silent - installation in the background mode. For example, to start background installation of Dr.Web with reboot after the process completes, execute the following command: drweb-11.0-ss-win.exe /silent yes /reboot yes. Usual installation. To start usual installation, do one of the following: run the file, if the installation kit is supplied as a single executable file; insert the company disk into the CD/DVD drive, if the installation kit is supplied on the disk. If autorun is enabled, the installation will start automatically. If autorun is disabled, run the autorun.exe file of the installation kit manually. The window opens and displays the autorun menu. Click Install. At any installation step, before the wizard starts copying files to your computer, you can do the following: return to the previous step by clicking Back; go to the next step by clicking Next; abort installation by clicking Exit. Installing Dr.Web. 1. If other anti-virus software is installed on your computer, the Installation Wizard informs you on
92. message. All moved messages are deleted from the POP3 or IMAP4 mail servers. Messages that have not been scanned and safe messages are passed on to the mail client. Infected or suspicious outgoing messages are not sent to the server; a user is notified that the message will not be sent (usually the mail program will save such a message). Dr.Web Scanner can also detect viruses in mailboxes of several formats, but SpIDer Mail has several advantages. Not all formats of popular mailboxes are supported by Scanner. When using SpIDer Mail, the infected messages are even not delivered to mailboxes. Scanner does not check the mailboxes at the moment of the mail receipt, but either on user demand or according to schedule. Furthermore, this action is resource-consuming and takes a lot of time. Thus, when all anti-virus components operate with their default settings, SpIDer Mail detects viruses and suspicious objects distributed via email first and prevents them from infiltrating your computer. SpIDer Mail operation is rather resource-sparing. Scanning of email files can be performed without other components. 13.3.1 Configuring SpIDer Mail. To access SpIDer Mail settings, you are prompted to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. The default settings are optimal for most cases. Do not change them unnecessarily. Protection Anti-spam
93. mponents that you do not want to remove from your system. Saved objects and settings can be used by the program if it is installed again. By default, all options (Quarantine, Dr.Web Security Space settings and Protected copies of files) are selected. Click Next. 6. In the next window, confirm deletion of Dr.Web by entering the displayed code and then click Remove program. 7. When prompted, restart the computer to complete the procedure of Dr.Web components deletion or modification. 4 Licensing. To use Dr.Web for a long period of time, activate a license. You can purchase a license with the product or on the Doctor Web official website. A license allows to take advantage of all product features during the whole period. Parameters of the license are set in accordance with the software license agreement. If you want to evaluate the product before purchasing it, you can activate a trial version. It provides you with full functionality of the main components, but the period of validity is considerably restricted. You can activate a trial version for the same computer no more than once a year. A trial version may be valid for: 3 months (for that, register on the Doctor Web official website and receive a serial number); 1 month (for that purpose, no serial number is required and no registration data is requested). Key file. The use rights for the Dr.Web are specified in the key file. The ke
94. ms have a signed certificate and inform the user about all their actions. Riskware. These programs are not intended to be computer threats. However, they can still cripple system security due to certain features and therefore are classified as minor threats. This type of threats includes not only programs that can accidentally damage or delete data but also programs that can be used by hackers or some malicious applications to harm the system. Among such programs are various remote chat and administrative tools, FTP servers, and so on. Suspicious objects. These are potential computer threats detected by the heuristic analyzer. Such objects can be any type of threat (even unknown to information security specialists) or turn out safe in case of a false detection. It is strongly recommended to move files containing suspicious objects to quarantine and send them for analysis to Doctor Web anti-virus laboratory. Actions Applied to Threats. There are many methods of neutralizing computer threats. Products of Doctor Web combine these methods for the most reliable protection of computers and networks, using flexible user-friendly settings and a comprehensive approach to security assurance. The main actions for neutralizing malicious programs are: 1. Cure - an action applied to viruses, worms and Trojans. It implies deletion of malicious code from infected files or deletion of a malicious program's functio
95. n OS, mobile OS programs. Note that some viruses can infect programs of one system even if they are designed to operate in another system. Macrovirus Prefixes. The list of prefixes for viruses which infect MS Office objects (the language of the macros infected by such type of virus is specified): WM: Word Basic (MS Word 6.0-7.0). XM: VBA3 (MS Excel 5.0-7.0). W97M: VBA5 (MS Word 8.0), VBA6 (MS Word 9.0). X97M: VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0). A97M: databases of MS Access 97/2000. PP97M: MS PowerPoint presentations. O97M: VBA5 (MS Office 97), VBA6 (MS Office 2000); this virus infects files of more than one component of MS Office. Development Languages. The HLL group is used to name viruses written in high-level programming languages such as C, C++, Pascal, Basic and others. To specify functioning algorithms, the following modifiers can be used: HLLW: worms. HLLM: mail worms. HLLO: viruses overwriting the code of the victim program. HLLP: parasitic viruses. HLLC: companion viruses. The following prefix also refers to development language: Java: viruses designed for the Java virtual machine. Trojan programs (Trojans). Trojan: a general name for different Trojan horses (Trojans). In many cases the prefixes of this group are used with the Trojan prefix. PWS: password stealing Trojan. Backdo
96. n this page you can: configure sets of filtering rules by adding new rules, modifying existing ones or deleting them; configure additional filtering settings. To configure rule sets. Do one of the following: To add a new set of rules, click New. To edit an existing set of rules, select the rule set in the list and click Edit. To add a copy of an existing set of rules, select the rule set and click Copy. The copy is added after the selected rule set. To delete a selected rule set, click Delete. To configure additional settings. In the Packet filter settings window, use the following options. Use TCP stateful packet filtering: Select this check box to filter packets according to the state of existing TCP connections. Firewall will block packets that do not match the TCP protocol specification. This option helps to protect your computer from DoS attacks (denial of service), resource scanning, data injection and other malicious operations. It is also recommended to enable stateful packet filtering when using complex data transfer protocols (FTP, SIP, etc.). Clear this check box to filter packets without regard to the TCP session state. Management of fragmented IP packets: Select this check box to ensure correct processing of large amounts of data. The maximum transmission unit (MTU) may vary for different networks, therefore large IP packets may be fragmented. Wh
97. n your computer attempts to connect to the network. Any: the rule is applied regardless of packet transfer direction. Description: User description of the rule. 3. If necessary, edit the predefined rule set or create a new one. To add a new rule, click New. The rule will be added to the end of the list. To modify a rule, select it and click Edit. To copy the selected rule to the list, click Copy. The copy is added after the selected rule. To remove the selected rule, click Delete. 4. If you selected to create a new rule set or edit an existing one, adjust the settings in the open window. 5. When you finish adjusting the settings, click OK to save changes or Cancel to cancel them. Application filtering rules control interaction of a particular application with certain network hosts. To create a rule. Configure the following parameters. General. Rule name: The name of the created/edited rule. Description: The rule description. Action: The action for Dr.Web Firewall to perform when an attempt to connect to the Internet is detected: Block packets (block the connection); Allow packets (allow the connection). State: Rule status: Enabled (the rule is applied for all matching connections); Disabled (the rule is temporarily not applied). Direction: The direction of the connection: Inbound (the rule is applied when someone from the network attempts to connect to an appli
98. nal copies, as well as the recovery of affected objects, that is, return of the object's structure and operability to the state which was before the infection, if it is possible. Not all malicious programs can be cured. However, products of Doctor Web are based on most effective curing and file recovery algorithms. Move to quarantine: an action when the malicious object is moved to a special folder and isolated from the rest of the system. This action is preferable in cases when curing is impossible and for all suspicious objects. It is recommended to send copies of such files to Doctor Web anti-virus laboratory. Delete: the most effective action for neutralizing computer threats. It can be applied to any type of malicious objects. Note that deletion will sometimes be applied to certain files for which curing was selected. This will happen if the file contains only malicious code and no useful information. For example, curing of a computer worm implies deletion of all its functional copies. Block, rename: these actions can also be used for neutralizing malicious programs. In the former case, all access attempts to or from the file are blocked. In the latter case, the extension of the file is renamed, which makes it inoperative. Appendix C. Naming of Viruses. Specialists of the Dr.Web Virus Laboratory give names to all collected samples of computer threats. These names are formed according to certain pr
99. nce of the time limit function implemented in Parental Control. If Internet or computer usage limits are set in Parental Control, this option is automatically enabled. You can configure notification parameters so as to be informed of attempts to change the system time. 10.5 Dr.Web Cloud. On this page, you can connect to Doctor Web cloud services and take part in Dr.Web quality improvement program. Dr.Web Cloud: You can connect to cloud services to allow Dr.Web anti-virus components to use real-time information on threats. This information is stored and updated on Doctor Web servers. In turn, data about Dr.Web operation on your computer will be automatically sent to Doctor Web servers. The information obtained from your computer will not be used for your identification or to contact you. Options: I want to connect to services (recommended); I will decide later. Privacy statement by Doctor Web. Cloud services. Dr.Web Cloud provides most recent information on threats, which is updated on Doctor Web servers in real-time mode and used for anti-virus protection. Depending on update settings, information on threats used by anti-virus components may become out of date. Cloud services can reliably prevent users from viewing unwanted websites and protect your system from infected files f
100. nd SpIDer Mail. By default, the list is empty. Exclusions: You can exclude specific programs and processes from scan. It can increase a scan speed, but computer security might be at risk. Configuring list of exclusions. 1. To add a program or a process to the exclusion list, click. In the open window, click Browse and select a file in the standard dialog window. 2. In the configuration window, specify the components that must not scan this file. For objects excluded from scanning by SpIDer Gate and SpIDer Mail, specify additional parameters. Regardless of whether the application has a digital signature: Select this parameter to exclude the application from scanning regardless of whether it has a valid digital signature or not. If the application has a valid digital signature: Select this parameter to exclude the application from scanning only if it has a valid digital signature. Otherwise, the application will be scanned by the components. Any traffic: Select this parameter to exclude encrypted and non-encrypted application traffic from scanning. Encrypted traffic: Select this parameter to exclude only encrypted application traffic from scanning. On all IP addresses and ports: Select this parameter to exclude traffic on all IP addresses and ports from scanning.
101. nd nationwide corporations. Dr.Web antivirus solutions are well known since 1992 for continuing excellence in malware detection and compliance with international information security standards. State certificates and awards received by the Dr.Web solutions, as well as the globally widespread use of our products, are the best evidence of exceptional trust to the company products. We thank all our customers for their support and devotion to the Dr.Web products! Table of Contents: 1 Introduction; 1.1 About This Manual; 1.2 Document Conventions; 1.3 Detection Methods; 2 System Requirements; 3 Installing, Removing or Changing the Program; 3.1 Installation Procedure; 3.2 Reinstalling or Removing the Program; 4 Licensing; 4.1 Activation Methods; 4.2 Renewing License; 4.3 Registration Wizard; 5 Getting Started; 5.1 Testing the Anti-virus; 6 Tools; 6.1 License Manager; 6.2 Data Loss Prevention; 6.3 Anti-virus Network; 6.4 Quarantine Manager; 6.5 Support; 6.5.1 Report Wizard; 7 Update; 8 Dr.Web Scanner; 8.1 Scan Modes; 8.2 Actions upon Detection; 8.3 Command-Line Scanning Mode; 8.4 Console Scanner; 8.5 Automatic Launch of Scanning; 9 Settings; 10 Main Settings; 10.1 Notifications; 10.2 Update; 10.3 Network; 10.4 Self-Protection; 10.5 Dr.Web Cloud; 10.6 Anti
102. ng mode for the rule. This parameter defines which information should be stored in the log: Entire packet (log the whole packet); Headers only (log the packet header only); Disabled (no information is logged). Criterion: Filtering criterion. For example, transport or network protocol. To add a filtering criterion, select it from the list and click Add. You can add any number of filtering criteria. For certain headers, there are additional criteria available. If you do not add any criterion, the rule will allow or block all packets depending on the setting specified in the Action field. If you select Any for the Local IP address and Remote IP address fields, the rule is applied for any packet which contains an IPv4 header and was sent from a physical address of the local computer. 13.6 Dr.Web for Microsoft Outlook. Main functions. Dr.Web for Microsoft Outlook plug-in performs the following functions: anti-virus check of incoming email attachments; check of email attachments transferred over encrypted SSL connections; spam check; detection and neutralization of malware; heuristic analysis for additional protection against unknown viruses. 13.6.1 Configuring Dr.Web for Microsoft Outlook. You can set up parameters of plug-in operation and view statistics on Microsoft Outlook mail application in the Tools > Options > Dr.Web Anti-virus page for Microsoft Outlook 20
103. ng the packets transmitted through a certain interface, select Change working parameters for the known networks in the Firewall settings window. 2. For the required interface, select the appropriate rule set. If the appropriate rule set does not exist, you can create a new set of packet filtering rules. 3. Click OK to save the changes. To list all available interfaces, click and select Show all. This opens a window where you can select interfaces that are to be permanently listed in the table. Active interfaces are listed in the table automatically. To configure rules for interfaces, click Configure. Packet filtering allows you to control access to network regardless of what program initiates the connection. These rules are applied to all network packets transmitted through a network interface of your computer. Thus, packet filtering provides you with more general mechanisms to control access to network than the application-level filtering. Firewall uses the following predefined rule sets: Default Rule: this rule set is used by default for new network interfaces. Allow All: this rule set configures the component to pass through all packets. Block All: this rule set configures the component to block all packets. For fast switching between filtering modes, you can create custom sets of filtering rules. To set rule sets for network interfaces. In the Firewall settings window, select Interfaces and click Configure. O
104. o the folder on this data carrier without being encrypted. The Quarantine folder is created only when the data carrier is accessible for writing. The use of separate folders and omission of encryption on portable data carriers prevents possible data loss. To open this window, click the SpIDer Agent icon in the notification area, select Tools, and then select Quarantine Manager. The central table lists the following information on quarantined objects: Object: name of the quarantined object. Threat: malware class of the object, which is assigned by Dr.Web when the object is moved to Quarantine. Date added: date and time when the object was moved to Quarantine. Path: full path to the object before it was quarantined. Quarantine displays objects that can be accessed by your user account. To view hidden objects, you need to have administrator privileges. In the objects context menu, the following buttons are available: Restore: remove file to the selected folder and specify a new file name. Use this option only when you are sure that the selected object is not harmful. Rescan: scan the file in quarantine again. Delete: delete the file from Quarantine and from the system. You can also access these settings by right-clicking the selected object or several selected objects. To delete all objects from Quarantine, click and select Delete all from the drop-down list.
105. odules. Enable remote control. For remote access to Dr.Web settings on your computer, the password is required. You may use the password that is automatically generated when the option is enabled or set a new one. 10.7 Devices. Access control configurations are applied to all Windows accounts. Devices: Restrict access to the removable media. Block sending jobs to printers. Block data transfer over network (LAN and the Internet). Restrictions: Block the usage of specified devices for all users. Devices. To block access to data on removable media (USB flash, floppy, CD/DVD, ZIP drives, etc.), enable the appropriate option. To block sending jobs to printers, select the Block sending jobs to printers check box. This option is disabled by default. You can also block data transfer over network (LAN and the Internet). Device and bus classes. To block access to specified device or bus classes, enable the appropriate option. Click the Change button to make a list of such objects. In the open window, select device or bus classes that you want to restrict access to. Click OK to save the changes. To close the window without saving the changes, click Cancel. White list of devices. After you restricted access to some device or bus classes, you can allow acces
106. on mode. Select one of the following operation modes: Allow unknown connections: free access mode, when all unknown applications are permitted to access networks. Create rules for known applications automatically: operation mode when rules for known applications are created automatically (set by default). Interactive learning mode: learning mode, when the user is provided with full control over Firewall reaction. Block unknown connections: restricted access mode, when all unknown connections are blocked. For known connections, Firewall applies the appropriate rules. Create rules for known applications automatically. In this mode, rules for known applications are created automatically. For unknown applications, Firewall gives you the opportunity to manually allow or block connections or create new rules. When a user application or the operating system attempts to connect to a network, Firewall checks whether filtering rules have been created for the application. If there are no filtering rules, you are prompted to select a temporary solution or create a rule to be applied each time this type of connection is detected. This mode is used by default. Interactive learning mode. In this mode, you have total control over Firewall reaction to the detection of unknown connections. Thus, the program is trained while you work on your computer. When a user application or the operating system attempts to connect to a network, Firewall
107. ons and processes for which you can modify application filter rule sets by creating new rules, editing existing ones, or deleting those that are no longer needed. Each application is explicitly identified by the path to its executable file. Firewall uses the SYSTEM name to indicate the rule set applied to the operating system kernel (the system process for which there is no unique executable file). If the file of an application for which the rule had been created was changed (for example, an update was installed), Firewall prompts to confirm that the application is still allowed to access network resources. If you created a blocking rule for a process or set Block unknown connections mode, and then disabled the rule or changed the work mode, the process will be blocked till its next attempt to establish connection. When an application is deleted from your computer, the related rules are not automatically deleted. You can delete them manually by clicking Remove unused rules in the shortcut menu of the list. In the New application rule set (or Edit rule set) window, you can configure access to network resources as well as enable or disable launch of other applications. To open this window, in the Firewall settings window select Change network access for the applications and click or select an application and click. When Firewall is operating in training mode, you can start creating a new rule directly from the windows with notification on an
108. onsidered by SpIDer Mail as spam (Yes) or not (No). X-DrWeb-SpamVersion: <version>, where <version> indicates Dr.Web Anti-spam version. X-DrWeb-SpamReason: <spam rate>, where <spam rate> includes list of evaluations on various spam criteria. You can use these headers and the prefix in the Subject field (if selected) to configure email filtering for your mail client. If you use IMAP/NNTP protocols, configure your mail client to download complete messages from mail server at once, i.e. without previewing their headers. This is required for correct operation of the spam filter. To improve performance of the spam filter, you can report errors in spam detection. To report spam detection errors. 1. Create a new email and attach the message that was processed incorrectly by the spam filter. Messages included within the email body are not analyzed. 2. Send the message with the attachment to one of the following addresses: If the attached message is detected as spam incorrectly, send the email to vrnonspam@drweb.com. If the attached message is an undetected spam, send it to vrspam@drweb.com. 13.4 Scanner. To access the Scanner settings, you are prompted to enter the password if you enabled the Protect Dr.Web settings with a password option in the Settings window. The default settings are optimal for most cases. Do not change them unnece
109. or: Trojan with RAT function (Remote Administration Tool, a utility for remote administration). IRC: Trojan which uses Internet Relay Chat channels. DownLoader: Trojan which secretly downloads different malicious programs from the Internet. MulDrop: Trojan which secretly downloads different viruses contained in its body. Proxy: Trojan which allows a third-party user to work anonymously in the Internet via the infected computer. StartPage (synonym: Seeker): Trojan which makes unauthorized replacement of the browser's home page address (start page). Click: Trojan which redirects a user's browser to a certain website (or websites). KeyLogger: a spyware Trojan which logs key strokes; it may send collected data to a malefactor. AVKill: terminates or deletes anti-virus programs, firewalls, etc. KillFiles, KillDisk, DiskEraser: deletes certain files (all files on drives, files in certain directories, files by certain mask, etc.). DelWin: deletes files vital for the operation of Windows OS. FormatC: formats drive C (synonym: FormatAll, formats all drives). KillMBR: corrupts or deletes master boot records (MBR). KillCMOS: corrupts or deletes CMOS memory. Tool for Attacking Vulnerabilities. Exploit: a tool exploiting known vulnerabilities of an OS or application to implant malicious code or perform unauthorized actions. Tools for Network
110. ous conditions for task launching are specified. To review event log, open the History page. You can also create your own anti-virus scan tasks. For details on the system scheduler operation, please refer to the Help system and Windows documentation. If installed components include Dr.Web Firewall, after Dr.Web installation and the first system restart, Task Scheduler will be blocked by Firewall. Scheduled tasks will operate only after a second restart, when a new rule is already created. 9 Settings. Open the SpIDer Agent menu in administrator mode and run Settings. Password protection. To restrict access to Dr.Web settings on your computer, enable the Protect Dr.Web settings with a password option. In the open window, specify the password that will be required for configuring Dr.Web, confirm it and click OK. If you forgot your password for the product settings, contact technical support. Manage settings. To restore default settings, select Reset settings from the drop-down list. If you want to use settings of Dr.Web Anti-virus for Windows that you already configured on another computer, select Import from the drop-down list. If you want to use your settings on other computers, select Export from the drop-down list. Then apply them on the same page of another anti-virus. 10 Main Settings. To access the main Dr.Web settings op
111. parameters for scanning objects on-the-fly and are always applied regardless of the selected SpIDer Guard operation mode. In this group, you can configure SpIDer Guard parameters to scan the following objects: executables of running processes regardless of their location (this option is enabled by default); installation packages; files on network drives; files and boot sectors on removable media (this option is enabled by default). By default, SpIDer Guard blocks autoruns from removable media such as CD/DVD, flash memory, and so on. This option helps to protect your computer from viruses transmitted via removable media. If any problem occurs during installation with the autorun option, it is recommended to temporarily disable the Block autoruns from removable media option. 13.2 SpIDer Gate. SpIDer Gate is an anti-virus HTTP monitor. By default, SpIDer Gate automatically checks incoming HTTP traffic and blocks all malicious objects. HTTP is used by Web browsers, download managers and other applications which exchange data with web servers, that is, which work with the Internet. By default, SpIDer Gate blocks all incoming malicious objects. You can configure SpIDer Gate to completely disable monitoring of incoming or outgoing traffic, compose a list of applications whose HTTP traffic should always be checked, or exclude certain
112. password if you enabled the Protect Dr.Web settings with a password option in the Settings window. Firewall: Operation mode: Interactive learning mode. Allow local connections: on. Change network access for the applications. Change working parameters for the known networks. To start using Firewall, do the following: select the operation mode; list authorized applications; configure parameters for known networks. By default, Firewall automatically creates rules for known applications. Regardless of the operation mode, events are logged. The default settings are optimal for most cases. Do not change them unnecessarily. The Allow local connections option allows all applications on your computer to interconnect, i.e. allow unlimited connections between applications installed on your computer. For this type of connection, no rules are applied. Disable this option to apply filtering rules to connections carried out both through the network and within your computer. After a session under a limited user account (Guest) is open, Firewall displays an access error message. Firewall status is then displayed as inactive in SpIDer Agent. However, Firewall is enabled and operates with default settings or settings set earlier in Administrative mode. To set operati
113. plication filter rule, select Create rule. In the open window, you can either choose one of the predefined rules or create your rule for the application. 3. Click OK. Firewall executes the selected action and closes the notification window. You need administrative privileges to create a rule. In cases when a connection is initiated by a trusted application (an application with existing rules), but this application is run by an unknown parent process, Firewall displays the corresponding notification. To set parent process rules. 1. Consider information about the parent process in the notification displayed on a connection attempt. 2. Once you make a decision about what action to perform, select one of the following: To block this connection once, select Block. To allow this connection, click Allow. To create a rule for the parent process, click Create rule and in the open window specify required settings. 3. Click OK. Firewall executes the selected action and closes the notification window. When an unknown process is run by another unknown process, a notification displays the corresponding details. If you click Create rule, a new window appears, allowing you to create new rules for this application and its parent process. 13.5.2 Configuring Firewall. To access the Firewall settings, you are prompted to enter the
114. plied to you when purchasing Dr.Web. License activation. If you have a serial number for activation of a license or a trial version for 3 months, click Activate. If you have already activated a license or a trial version, specify a valid key file or. If you enter a serial number for activation of a trial version for 3 months, the window with activation results opens. If you enter a serial number for activation of a license, the registration data entry window opens. If you have already been a user of Dr.Web, you are eligible for extension of your new license for another 150 days. To enable the bonus, enter your serial number and specify the path to the previous key file in the open window. New license. To purchase a license from Doctor Web online store, click Purchase. Trial version. You can activate a trial version to evaluate operation of Dr.Web Security Space: For 3 months. For that, register on the website and receive a serial number. After you complete the questionnaire, a serial number required to activate the trial version for 3 months is sent to the specified email address. For 1 month. For that purpose no serial number is required and no registration data is requested. Registration data entry. To register a license, enter personal data (your registration name and email address) and select the country. All the listed fields are obligatory and must be filled in. Click Next. Activation results. If the ac
115. ponent arg x selfrestart arg yes geo update type arg normal. Product name. If specified, only this product will be updated. If neither a product nor certain components are specified, all products will be updated. If certain components are specified, only they will be updated. Components that should be updated to the specified version: <Name> <target revision>. Reboot after an update of Dr.Web Updater. Default value is yes. If the value is set to no, notification that reboot is required will appear. Get the list of IP addresses from update.drweb.com before updating. Can be one of the following: Reset all: forced update of all components. Reset failed: reset revision for damaged components. Normal failed: try to update all components, including damaged, from the current revision to the newest or specified. update revision: try to update all components of the current revision to the newest (if exists). Normal: update all components. g proxy arg: Proxy server for updating <address> <port>. u user arg: Username for proxy server. k password arg: Password for proxy server. param arg: Pass additional parameters to the script <Name> <value>. progress to console: Print information about downloading and script execution to the console. exec command parameters: s script arg: Execute this
116. rigin extension added to their names. Execution emulation. The technology of program code emulation is used for detection of polymorphic and encrypted viruses, when the search against checksums cannot be applied directly or is very difficult to be performed (due to the impossibility of building secure signatures). The method implies simulating the execution of an analyzed code by an emulator, a programming model of the processor and runtime environment. The emulator operates with protected memory area (emulation buffer), in which execution of the analyzed program is modelled instruction by instruction. However, none of these instructions is actually executed by the CPU. When the emulator receives a file infected with a polymorphic virus, the result of the emulation is a decrypted virus body, which is then easily determined by searching against signature checksums. Heuristic analysis. The detection method used by the heuristic analyzer is based on certain knowledge (heuristics) about certain features (attributes) that might be typical for the virus code itself, and vice versa, that are extremely rare in viruses. Each attribute has a weight coefficient which determines the level of its severity and reliability. The weight coefficient can be positive if the corresponding attribute is indicative of a malicious code or negative if the attribute is uncharacteristic of a computer threat. Depending on the sum weight of a file, the heuristic analyzer calculat
117. rmines their names. The mask defines a template for an object definition. It may contain regular characters from email addresses and a special asterisk character, which replaces any (including an empty one) sequence of characters. To regard messages sent from any email address within a domain as spam, use an asterisk character instead of the username in the address. For example, if you enter *@spam.com, all messages from addresses within the spam.com domain will be regarded as spam automatically. To regard messages sent from an email address with a certain user name from any domain as spam, enter an asterisk character instead of the domain name in the address. For example, if you enter name, all messages from all senders with the someone mailbox name will be regarded as spam automatically. Addresses from the recipient domain are not processed. For example, if the recipient mailbox (your mailbox) is in the mail.com domain, then messages from mail.com domain will not be processed with the anti-spam filter. 13.6.4 Event Logging. Dr.Web for Microsoft Outlook registers errors and application events in the following logs: Windows Event Log; Debug Text Log. Event Log. The following information is registered in the Windows Event Log: Program starts and stops. Key file parameters: license validation, license expiration date (information is logged on program startup, while the program is running, and when the key file is changed). P
118. rom and from. Software quality improvement program. If you participate in the software quality improvement program, impersonal data about Dr.Web operation on your computer will be periodically sent to Doctor Web servers, for example, information on created rule sets for Dr.Web Firewall. Received information is not used to identify or contact you. Click the Privacy statement by Doctor Web link to look through a privacy statement on the Doctor Web official website. 10.6 Anti-virus Network. On this page, you can enable remote control of your anti-virus from other local network computers by Anti-virus Network. If your computer is connected to an anti-virus network, you can control anti-virus protection state remotely (view statistics, enable or disable Dr.Web components and adjust their settings) and download updates from a local network computer. To allow local network computers with installed Dr.Web products to use a computer as an update source, configure an update mirror on it. Anti-virus Network: You can enable remote control of Dr.Web product on your computer from other Dr.Web products installed on the local area network. Users who remotely access your anti-virus will be able to view statistics, enable or disable components and modify the settings of certain m
119. rs occur in component operation or by request of Doctor Web technical support. 1. To enable detailed logging for a Dr.Web component, select the corresponding check box. By default, detailed logging is enabled until the first restart of the operating system. If it is necessary to log component activity before and after the restart, select the Continue detailed logging after restart (not recommended) check box. 3. Save the changes. Quarantine settings. To configure Quarantine settings, click the corresponding Change button. You can configure Dr.Web Quarantine, estimate its size and delete isolated files from a specified logical drive. Folders of Quarantine are created separately on each logical drive where suspicious files are found. To empty Quarantine: 1. To remove all quarantined files on a particular drive, select the drive from the list. 2. Click Clear and confirm the deletion when prompted. You can also select the isolation mode for infected objects detected on portable data carriers. When this option is enabled, detected threats are moved to the folder on this data carrier without being encrypted. The Quarantine folder is created on portable data carriers only when they are accessible for writing. The use of separate folders and omission of encryption on portable data carriers prevents possible data loss. 11 Parental Control. To con
120. s Option is disabled by default MA scan mail files Option is enabled by default MC lt number_of_attempts gt set the maximum number of cure attempts By default unlimited NB do not backup cured or deleted files Option is disabled by default NI X limits usage of system resources at scanning defines the amount of memory required for scanning and the priority of scanning process By default unlimited NOREBOOT cancel system reboot or shutdown after scanning For Scanner only NT scan NTFS streams Option is enabled by default OK show the full list of scanned objects and mark clean files with Ok Option is disabled by default P lt priority gt priority of the current scanning task Can be as follows 0 the lowest L low N normal default priority H high M maximal PAL lt nesting_level gt maximum nesting level for executable packers If a nesting level is greater than the specified value scanning proceeds until this limit is reached The nesting level is 1 000 by default QL show the list of files quarantined on all disks For Console Scanner only QL lt logical_drive_letter gt show the list of files quarantined on the specified logical drive For Console Scanner only QNA double quote paths Ta J 1 aX Applications 100 QR d p delete quarantined files on drive lt d gt logical_drive_letter that are old
121. s actions besides those listed above. For example, they can change the browser home page or delete certain files. However, such actions can also be performed by threats of other types (viruses or worms). Minor threats. Hacktools. Hacktools are designed to assist intruders with hacking. The most common among these programs are port scanners that detect vulnerabilities in firewalls and other components of computer protection system. Such tools can be used not only by hackers but also by administrators to check security of their networks. Sometimes various programs that use social engineering techniques are designated as hacktools too. Adware. Usually this term refers to a program code incorporated into freeware programs that forcefully display advertisements to users. However, sometimes such codes can be distributed via other malicious programs and show advertisements, for example, in web browsers. Many adware programs operate based on data collected by spyware. Jokes. Like adware, this type of minor threats cannot be used to inflict any direct damage on the system. Joke programs usually just generate messages about allegedly detected errors and threaten to perform actions that may lead to data loss. Their purpose is to frighten or annoy users. Dialers. These are special programs that, after asking for user's permission, employ Internet connection to access specific websites. Usually these progra
122. s objects from any external source At present in addition to Dr Web products for Windows there are versions of anti virus software for IBM OS 2 Novell NetWare Macintosh Microsoft Windows Mobile Android Symbian and several Unix based systems Linux FreeBSD Solaris Dr Web uses a convenient and efficient procedure for updating virus databases and program components via the Internet Dr Web can detect and remove undesirable programs adware dialers jokes riskware and hacktools from your computer To detect undesirable programs and perform actions with the files contained in the programs anti virus components of Dr Web are used Each of Dr Web anti virus solutions for Microsoft Windows operating systems includes a set of the following components Dr Web Scanner is an anti virus scanner with graphical interface The program runs on user demand or as scheduled and checks the computer for viruses Dr Web Console Scanner a command line version of Dr Web Scanner SpIDer Guard an on access anti virus scanner that constantly resides in memory while scanning processes and files on start or creation or upon detection of malicious activity SpIDer Mail the program intercepts calls sent from mail clients to mail servers through POP3 SMTP IMAP4 NNTP protocols IMAP4 stands for IMAPv4revi and detects and neutralizes mail viruses before a mail message is received by the mail client or before a mail mess
123. s to certain devices by adding them to the white list For that do the following 1 Click the Change button next to White list of devices the button becomes available if restrictions are set 2 Make sure that the device is connected to the computer 47 Ta J i ax 10 Main Settings Click In the open window click Browse and select the device You can use a filter to view only connected or only disconnected devices Click OK You can configure access rules for devices with file systems For that from the Rule column select one of the following modes Allow all or Read only To add a new rule for a specific user click To delete a rule click To save the changes click OK To close the window without saving the changes click Cancel The white list of devices opens To edit a rule set select it from the list and click To remove a rule set select it from the list and click 48 Ta AN ax 10 Main Settings 49 10 8 Advanced On this page you can select a language for the settings configure logging options and Quarantine settings To set another program language select it from the corresponding drop down list New languages are automatically added to the list Thus it contains all localization languages that are currently available for the Dr Web graphical interface Main Advanced Language Notifications English Update Network Log Default settin
124. script f func arg Execute this function in the script p param arg Pass additional parameters to the script lt Name gt lt value gt progress to console Print information about script execution to the console getcomponents command parameters s version arg Version name p product arg Specify the product to get the list of components that are included in this product If the product is not specified all components of this version will be listed getrevisions command parameters s version arg Version name n component arg Component name uninstall command parameters n component arg Name of the component that is to be uninstalled progress to console Print information about command execution to the console param arg Pass additional parameters to the script lt Name gt lt value gt Ta N ax Applications 104 e add to exclude Components to be deleted Update of this components will not be performed keyupdate command parameters m md5 arg MD5 hash of the previous key file o output arg Output file name to store new key b backup Backup of an old key file if exists g proxy arg Proxy server for updating lt address gt lt port gt u user arg k password Username for proxy server arg Password for proxy server progress to console Print information about download
125. se computers allow remote connection. You can allow connection to your Dr.Web on the Anti-virus Network page in Main settings. 6.4 Quarantine Manager. This window contains information on the Quarantine component of Dr.Web, which serves for isolation of files that are suspected to be malicious. Quarantine also stores backup copies of files processed by Dr.Web. [Screenshot: Quarantine Manager window listing quarantined objects, with columns Objects, Threat, Date added, Path] Use Quarantine Manager settings to select the isolation mode for infected objects detected on portable data carriers. When this option is enabled, detected threats are moved t
126. ses through the Dr.Web resident guards and penetrates the system, after an update it is detected on the list of processes and neutralized. 2 System Requirements. Before installing Dr.Web: remove any anti-virus software from your computer to prevent possible incompatibility of resident Dr.Web components; if you install Dr.Web Firewall, uninstall all other firewalls from your computer; install all critical updates recommended by the operating system developer. If the operating system is no longer supported, then upgrade to a newer operating system. Dr.Web can be installed and run on a computer which meets the following minimum requirements. CPU: An i686-compatible processor. Operating system: For 32-bit platforms: Windows XP with Service Pack 2 or higher, Windows Vista with Service Pack 2 or higher, Windows 7, Windows 8, Windows 8.1, Windows 10. For 64-bit platforms: Windows Vista with Service Pack 2 or higher, Windows 7, Windows 8, Windows 8.1, Windows 10. You may need to download and install certain system components from the Microsoft official website. If necessary, Dr.Web will notify you about the required components and provide download links. Free RAM: Minimum 512 MB. Hard disk space: 1 GB for Dr.Web components. Files created during installation will require additional space. Resolution: Minimum recommended screen resolution is 800x6
127. ssarily Protection Scan options Components Interrupt scanning when switching to battery mode Cow of Use sound alerts SpIDer Gate CoD of SpIDer Mail SpIDer Guard Use of computer resources Scanner Optimal recommended Firewall Actions Preventive Protection idal Cure move to quarantine if incurable recommended Suspicious Move to quarantine recommended Advanced settings Scan options In this group you can configure general parameters of Dr Web Scanner operation e Interrupt scanning when switching to battery mode Enable this option to interrupt scanning when switching to battery mode Option is disabled by default e Use sound alerts Enable this option for Dr Web Scanner to use sound alerts for every event Option is disabled by default e Limits on use of computer resources This option limits the use of computer resources by Dr Web Scanner The default value is optimal for most cases Actions On this page you can configure reaction of Scanner on detection of infected or suspicious files and archives or other malicious objects For different types of compromised objects actions are assigned separately from the respective drop down lists e Objects infected with a known and supposedly curable virus Ta J i ax 13 Protection Components 76 e Supposedly infected suspicious objects e Objects that pose potential threat riskware Reaction of Scanner to det
128. stic features, such as text strings, special effects, etc., which could be used to assign it some specific name. Silly: this prefix was used to name simple featureless viruses the with different modifiers in the past. Suffixes. Suffixes are used to name some specific virus objects: generator: an object which is not a virus, but a virus generator; based: a virus which is developed with the help of the specified generator or a modified virus. In both cases the names of this type are generic and can define hundreds and sometimes even thousands of viruses; dropper: an object which is not a virus, but an installer of the given virus. Doctor Web 2015
129. t both lists are empty 12 Exclusions Excl US j ons You can use black and white lists to specify senders whose messages will be processed without analyzing Websites White list Black list Files and Folders Applications Anti spam To configure anti spam lists 1 Enter an address or a mask for addresses of senders whose email messages you want to process automatically without analysis To add a certain sender enter the full email address for example name mail com This ensures automatic processing of all messages from this sender without analysis To add senders with similar usernames replace the differing part of their addresses with an asterisk and a question mark Use an asterisk to substitute any character sequence or a question mark to substitute any single character For example if you enter name mail com SpIDer Mail will process automatically messages from name mail com namei mail com name_of_name mail com and senders with other similar usernames To process automatically all messages sent from any email address within a domain use an asterisk instead of the username in the address For example to specify all messages sent from any email address within the mail com domain enter mail com 2 To add the entered address to the list click 3 To add other addresses repeat steps 1 to 2 To remove an address from the list select the corresponding item and click Managin
130. tection of a file presumably infected with a virus upon reaction of the heuristic analyzer In the Malware section set a reaction to detection of unsolicited software of the following types e Adware e Dialers e Jokes e Hacktools e Riskware e The If check failed drop down list allows to configure actions if the attachment cannot be checked that is if the attached file is corrupted or password protected The Check archives recommended check box allows to enable or disable check of attached archived files Select this check box to enable checking clear this check box to disable the option For different types of objects actions are specified separately The following actions for detected virus threats are available e Cure only for infected objects instructs to try to restore the original state of an object before infection 88 Ta J g ax 13 Protection Components As incurable only for infected objects instructs to apply the action specified for incurable objects Delete delete the object Move to quarantine move the object to the special Quarantine folder Skip skip the object without performing any action or displaying a notification 89 Ta 2 1 ax 13 Protection Components 90 13 6 3 Spam Check Dr Web for Microsoft Outlook checks emails for spam by means of Dr Web Anti spam and filters messages according to the user defined settings To configure spam check go to the Tools
131. ted license or click to set it as current Please note that the current license cannot be deleted Once you click Buy or activate new license the Registration Wizard window opens providing you with necessary instructions on how to proceed Once you click Renew current license the program will open the page on the Doctor Web website where all parameters of the current license will be transmitted Advanced The My Dr Web link opens your personal page of the Doctor Web official website in the default Internet browser This page provides you with information on your license including usage period and serial number and allows to renew the license contact technical support and so on The License agreement link opens the license agreement on the Doctor Web official website Ta N ax 6 Tools 25 6 2 Data Loss Prevention You cannot change data loss prevention parameters or restore files from copies in user mode For this actions switch to administrator mode To protect important files from being changed by malicious software enable the Data Loss Prevention function With this function you can make copies of files that reside in the specified folders Tools Data loss prevention Enable the option to automatically create copies of your files to prevent their License Manager unwanted modification If any threat causes corruption of your files you will be able to restore information from their protected copies
132. tine folders working folders of some programs temporary files paging file and so on The default list is empty Add particular files and folders to exclusions or use masks to disable scanning of a certain group of files Any added object can be excluded from the scanning of both components or from scanning of each component separately EXC l usions You can exclude specific files and folders from scan Websites SpIDer Guard Scanner Files and Folders Applications Anti spam Configuring list of exclusions 1 To add a file or folder to the exclusion list do one of the following e To add an existing file or folder click In the open window click Browse and select the item in the standard dialog window You can enter the full path to the file or folder or edit the path in the field before adding it to the list e To exclude all files or folders with a particular name enter the name without path e To exclude a group of files or folders enter the mask of their names Ta J i ax 12 Exclusions 58 In the configuration window specify the components that must not scan this file Click OK The file or folder will appear on the list To edit an existing exclusion select the corresponding item from the list and click To list other files and folders repeat steps 1 to 2 To remove a file or folder from the list select oe oN the corresponding item and click A mask denotes the
133. tivation procedure completes successfully the corresponding message is displayed Click Finish to proceed to updating the virus databases and other package files This procedure does not require user intervention Click Connection parameters to adjust Internet connection parameters or click Repeat to correct invalid data Ta J 1 ax 5 Getting Started 21 5 Getting Started After Dr Web is installed the SpIDer Agent icon is added to the notification area If SpIDer Agent is not running select the Dr Web application group on the Windows Start menu and then select SpIDer Agent The SpIDer Agent icon indicates the status of Dr Web e all necessary components are running and protect your computer e B Dr Web self protection or at least one component is disabled which compromises security of Dr Web and your computer Enable self protection or the component E components are expected to start after the operating system startup process is complete thus wait until the components start or an error occurred while starting one of the main Dr Web components and your computer is at risk of virus infection Check that you have a valid key file and if required install it Various notifications may appear over the SpIDer Agent icon E it configured To open the menu click the SpIDer Agent icon E in the Windows notification area To access the protection components and settings and to disable components you nee
134. ts A There is no restrictions for a parameter if the value is set to 0 Advanced settings The following settings allow you to configure additional mail scanning parameters Use heuristic analysis in this mode special methods are used to detect suspicious objects that are most likely infected with unknown viruses To disable the analyzer disable the Use heuristic analysis recommended option Scan installation packages This option is disabled by default 13 3 2 Anti spam Dr Web Anti spam technologies consist of several thousand rules that can be divided into several groups Heuristic analysis A highly intelligent technology that empirically analyzes all parts of a message header message body and attachments if any Detection of evasion techniques This advanced anti spam technology allows detecting evasion techniques adopted by spammers to bypass anti spam filters HTML signature analysis Messages containing HTML code are compared with a list of known patterns from the anti spam library Such comparison in combination with the data on sizes of images typically used by spammers helps to protect users against spam messages with HTML code linked to online content Semantic analysis The words and phrases of a message both visible to the human eye and hidden are compared with words and phrases typical of spam using a special dictionary Anti scamming Scam and pharming messages include so called Nigerian scams
135. twork security, that is, vulnerabilities that can be exploited to launch attacks. All program types described below have the ability to endanger the user's data or confidentiality. Programs that do not hide their presence from the user (for example, spam-sending software or traffic analyzers) usually are not considered to be computer threats, although they can become threats under certain circumstances. In the documentation and products by Doctor Web, threats are divided into two categories in accordance with the severity of danger they pose. Major threats are classic computer threats that can perform destructive or illegal actions in the system on their own (erase or steal important data, crash networks and so on). To this type of computer threats belong programs that are traditionally referred to as malicious (viruses, worms and Trojans). Minor threats are less dangerous than major threats, but may be used by a third party to carry out malicious activities. Moreover, mere presence of minor threats in the system indicates its low protection level. Information security specialists sometimes refer to this type of threats as grayware or potentially unwanted programs. This category consists of adware, dialers, jokes, riskware and hacktools. Major threats. Computer viruses. This type of computer threats is characterized by their ability to inject malicious code into running processes of other programs. This action is called infection
136. upon a reaction of the heuristic analyzer e Cured number of objects successfully cured by the program Not checked number of objects which cannot be checked or check of which failed due to an error e Clear number of messages which are not infected 93 Ta J 1 aX 13 Protection Components 94 Then the number of processed objects is specified e Moved to quarantine number of objects moved to Quarantine e Deleted number of objects removed from the system e Skipped number of objects skipped without changes e Spam messages number of objects detected as spam By default statistics is saved to the drwebforoutlook stat file located in the USERPROFILE Doctor Web folder A The drwebforoutlook stat statistics file is individual for each system user Ta N ax 13 Protection Components 95 13 7 Preventive Protection On this page you can configure Dr Web reaction to such actions of other programs that can compromise security of your computer and select protection level against exploits Protection Operation mode Components Optimal recommended SpIDer Guard Change parameters of suspicious activity blocking SpIDer Gate Change access parameters for applications SpIDer Mail Exploit prevention Scanner Prevent unauthorized code from running v Firewall n me This option allows to block malicious programs that use vulnerabilities of well Dee oad known applications
137. ut This Manual This User Manual describes installation and effective utilization of Dr Web You can find detailed descriptions of all graphical user interface GUI elements in the Help system which can be accessed from any component This User Manual describes how to install the program and contains some words of advice on how to use it and solve typical problems caused by virus threats Mostly it describes the standard operating modes of the Dr Web components with default settings The Appendices contain detailed information for experienced users on how to set up Dr Web Due to constant development program interface of your installation can mismatch the images given in this document 1 2 Document Conventions The following symbols and text conventions are used in this guide Bold Names of buttons and other elements of the graphical user interface GUI and required user input that must be entered exactly as given in the guide Green and bold Names of Doctor Web products and components Green and Hyperlinks to topics and webpages underlined bold Monospace Code examples input to the command line and application output Italic For command line input it indicates parameter values CAPITAL LETTERS Names of keys and key sequences Plus sign For example ALT F1 means to hold down the ALT key while pressing the F1 KEY Exclamation mark A warning about potential errors or any other important comment Ta J N aX
138. ventive protection level. In the default Optimal mode, Dr.Web disables automatic changes of system objects whose modification explicitly signifies a malicious attempt to harm the operating system. It also blocks low-level access to disk and protects the HOSTS file from modification. If there is a high risk of your computer getting infected, you can increase protection by selecting the Medium mode. In this mode, access to the critical objects which can be potentially used by malicious software is blocked. Using this mode may lead to compatibility problems with legitimate software that uses the protected registry branches. When required to have total control of access to critical Windows objects, you can select the Paranoid mode. In this mode, Dr.Web also provides you with interactive control over loading of drivers and automatic running of programs. With the User-defined mode, you can set a custom protection level for various objects: Integrity of running applications, Integrity of user files, HOSTS file, Low-level disk access, Drivers loading, Critical Windows objects. Integrity of running applications: This option allows detection of processes that inject their code into running applications. It indicates that the process may compromise computer security. Processes that are added to the exclusion list of SpIDer Guard are not monitored. Integrity of user files: This option allows detection of processes that modify user files with the known algorithm which indicates that the process
139. virus Network 10 7 Devices 10 8 Advanced 11 Parental Control 11 1 Configuring Parental Control 12 Exclusions 12 1 Websites 12 2 Files and Folders 12 3 Applications 12 4 Anti spam 13 Protection Components 13 1 SpIDer Guard 13 1 1 Configuring SpIDer Guard 13 2 SpIDer Gate 13 2 1 Configuring SpIDer Gate 13 3 SpIDer Mail 13 3 1 Configuring SpIDer Mail 13 3 2 Anti spam 13 4 Scanner 13 5 Dr Web Firewall 13 5 1 Training Firewall 13 5 2 Configuring Firewall 13 6 Dr Web for Microsoft Outlook 13 6 1 Configuring Dr Web for Microsoft Outlook 13 6 2 Threat Detection 13 6 3 Spam Check 13 6 4 Event Logging 13 6 5 Statistics 13 7 Preventive Protection 38 41 42 44 45 46 47 49 52 53 56 56 57 59 60 62 62 62 67 67 70 70 73 75 77 77 79 87 87 87 90 92 93 95 y AN ax Applications Appendix A Command Line Parameters Scanner and Console Scanner Parameters Dr Web Updater Command line Parameters Return Codes Appendix B Computer Threats and Neutralization Methods Classification of Computer Threats Actions Applied to Threats Appendix C Naming of Viruses 98 98 98 102 104 106 106 110 111 Ta J 1 aX 1 Introduction 1 Introduction Dr Web Security Space provides multilevel protection of RAM hard disks and removable devices against any kind of viruses rootkits Trojans spyware adware hacktools and all possible types of maliciou
140. y files received during installation or within the product distribution kit are installed automatically. The key file has the .key extension and contains the following information: list of licensed anti-virus components; licensed period for the product; availability of technical support for the user; other restrictions (for example, the number of remote computers allowed for simultaneous anti-virus check). By default, the key file is located in the Dr.Web installation folder. Dr.Web verifies the file regularly. Do not edit or modify the key file to avoid its corruption. If no valid key file is found, Dr.Web components are blocked. A valid license key file satisfies the following criteria: license is not expired; integrity of the key file is not violated. If any of the conditions is violated, the key file becomes invalid and Dr.Web stops detecting and neutralizing malicious programs in files, memory and email messages. If during Dr.Web installation a key file was not received and no path to it was specified, a temporary key file is used. Such a key file provides full functionality of Dr.Web. However, on the SpIDer Agent menu, My Dr.Web and Update items are not available until you either activate a license or a trial version, or specify a path to the valid key file via License Manager. It is recommended to keep the key file until the license or a demo period expires. A key file for a trial version activation can be used only on th
