Installing Dr.Web Anti
1. When running under a limited user account (Guest), Firewall does not prompt requests for network access attempts. Notifications are then forwarded to the session with administrator privileges, if such a session is simultaneously active.

To process connection attempts:

1. To make a decision, consider the following information displayed in the notification:
• Application name: the name of the application. Ensure that the path to the application executable file corresponds to its usual location.
• Application path: the full path to the application executable file and its name.
• Digital signature: the digital signature of the application.
• Endpoint: the protocol used and the network address the application is trying to connect to.
• Port: the network ports used for the connection attempt.
• Direction: the connection type.

2. Once you make a decision, select an appropriate action:
• To block this connection once, select Block.
• To allow this connection once, select Allow.
• To open a window where you can create a new application filter rule, select Create new rule. In the opened window you can either choose one of the predefined rules or create your own rule for the application.

Screenshot (notification window): Internet Explorer. The following network access problems were detected: There are no rules for this application. You can allow, block or customize application network access. You can cho
2. Execution states for the rule:
• Action: the action for Dr.Web Firewall to perform when the connection attempt is detected: Block packets or Allow packets.
• Rule name: the rule name.
• Connection type: the party which initiates the connection:
  • Inbound: the rule is applied when someone from the network attempts to connect to the application on your computer.
  • Outbound: the rule is applied when the application on your computer attempts to connect to the network.
  • Any: the rule is applied regardless of who initiates the connection.
• Description: the rule description.

To configure rules:

1. If you select to create a new or edit an existing set of application filter rules on the Application filter settings page, in the opened window specify the application for which you want the rules to apply:
• to add a set of rules for a user program, click the browse button and select the application executable file;
• to add a set of rules for a process, click the arrow on the browse button, choose Running application and select the process.
2. Specify the rule type:
• Allow all: all connections will be allowed.
• Block all: all connections will be blocked.
• Custom: in this mode you can create a set of rules that will allow or block different connections.
3. If you chose the Custom type, create filtering rules using the following options:
• to add a new rule, click New. The
3. Settings: access the adjustable Dr.Web Firewall settings. On the Restore Defaults page you can restore all settings to their default values.
Disable: suspend Dr.Web Firewall operation. This operation is available for users with administrative privileges only.
Enable: resume Dr.Web Firewall operation. This item is available only when Dr.Web Firewall is disabled. To disable Dr.Web Firewall, enter the confirmation code.
The Settings and Disable/Enable items are not available in User mode.

Firewall settings

You need administrative rights to access Dr.Web Firewall settings.

To start using Dr.Web Firewall, do the following:
• Select the operation mode.
• List authorized applications.

Dr.Web Firewall always loads on Windows startup and starts logging events. By default Dr.Web Firewall operates in learning mode.

If any problems occur with Internet Connection Sharing (i.e. access to the Internet is blocked for computers that are connected to a host computer), specify on the host computer a packet filter rule that allows all packets from the subnet, according to your local configuration.

Application Filter

Application-level filtering helps you control the access of various applications and processes to network resources. You can create rules for both system and user applications.

Applications: Application filter set
4. (tail of the preceding table rows, values and switches as extracted) InfectedFiles; Yes/No; Yes/No (/PR); 2; infected; vdb; TMP, TEMP, install directory; Report (/MW); Report (/CU), Cure, Delete, Rename, Move, Lock (guard), Shutdown (guard).

Description | Component | Parameter | Values (command-line switch)
Incurable objects | Scanner | IncurableFiles | Report, Delete, Rename, Move, Lock (guard), Shutdown (guard)
Suspicious objects | Scanner | SuspiciousFiles | Report, Delete, Rename, Move, Lock (guard), Ignore (guard), Shutdown (guard) (/SP)
Infected archives | Scanner | ActionInfectedArchive | Report, Delete, Rename, Move, Lock (guard), Ignore (guard), Shutdown (guard) (/AR)
Infected mail files | Scanner | ActionInfectedMail | Report, Delete, Rename, Move, Lock (guard), Ignore (guard), Shutdown (guard) (/ML)
Adware programs | Scanner | ActionAdware | Report, Delete, Rename, Move, Ignore, Lock (guard), Shutdown (guard) (/ADW)
Dialer programs | Scanner | ActionDialers | Report, Delete, Rename, Move, Ignore, Lock (guard), Shutdown (guard) (/DLS)
Joke programs | Scanner | ActionJokes | Report, Delete, Rename, Move, Ignore, Lock (guard), Shutdown (guard) (/JOK)
Riskware | Scanner | ActionRiskware | Report, Delete, Rename, Move, Ignore, Lock (guard), Shutdown (guard) (/RSK)

Further rows (values cut off in the extraction): Hacktools; Permit archives deletion without a prompt; Log to file; Log fi
5. Installation in the usual mode

1. Select the language for the installation wizard. Regardless of your choice, English language will be installed in addition.
2. In the next window you will be offered to read the License agreement. You should accept it and click Next in order to continue installation.

The installation wizard will inform on possible incompatibility of Dr.Web with other anti-viruses installed on your computer and offer to uninstall or disable them. If other anti-viruses are installed on your computer, it is recommended to click Cancel and terminate installation, delete or deactivate the other anti-viruses and after that continue installation. To continue installation, select the "I confirm that no other anti-virus software is installed on this computer" check box and click Next.

Screenshot (wizard window): Please read the following important information. Installing Dr.Web anti-virus for Windows 6.0 (x86) on a computer with another anti-virus program may lead to unpredictable consequences, including security system failure. Please use the Windows Add or Remove Programs utility and Windows Security Center to make sure that no other anti-virus programs are installed on your computer before continuing. If there is another anti-virus program installed, click Cancel to abort the installation, remove the anti-virus and run the Dr.Web anti-virus for Windows 6.0 (x86) Installation Wizard again. If you are s
6. Quarantine

The special Quarantine section of Dr.Web Anti-virus serves for isolation of files that are suspected as malware. The Quarantine folder is created separately on each logical disk where suspicious files have been found. When infected objects are detected on a portable data carrier accessible for writing, the Quarantine folder will be created on the data carrier and the infected objects will be moved to this folder.

To view and edit the quarantine, select Quarantine in the Tools submenu of the SpIDer Agent context menu. A new window with a table that contains the current quarantine state opens.

Screenshot (Quarantine window): categories All threats, Files (1), Mail, Web, Other; buttons Add, Restore, Rescan. Entry: EICAR Test File (NOT a Virus), virus infection, eicar_com.zip, 184 Bytes, 06.04.2010 15:41; Owner: BUILTIN group; Moved by: NT AUTHORITY\SYSTEM.

In the center of the window the table with the quarantine state is displayed. The following columns are included:
• Name: the name list of the objects in the quarantine.
• Threat: the malware classification which is assigned by Dr.Web Anti-virus during automatic moving to the quarantine.
• Path: the full path of the object before moving to the quarantine.

The bottom p
7. Screenshot (notification window): Firefox. The following network access problems were detected: The network application was launched by an unknown process. If you are not sure that the application should be allowed to start network processes, you should block this action. Columns: Application, Description, Publisher, Path; buttons Allow, Block. Parent process chain:
• Windows Explorer: C:\windows\explorer.exe
• userinit (Logon Application): C:\windows\system32\userinit.exe
• Windows Logon Application: C:\windows\system32\winlogon.exe
• Session Manager: C:\windows\system32\smss.exe
• system: system

2. Click OK. Dr.Web Firewall executes the selected action and closes the notification window.

When an unknown process was run by another unknown process, a notification will display the corresponding details. If you click Create new rule, a new window will appear allowing you to create new rules for this application and its parent process.

Screenshot (notification window): Windows host process (Rundll32). The following network access problems were detected: There are no rules for this application. You can allow, block or customize application network access. You can choose either one of the predefined rules or create your own application rule. Apply predefined rule: Allow network connection for application on port 389 (ldap). Create custom rule. The network application was launched by an unknown process. If you are not sure that t
8. For the /INI and /RP parameters the negative form is written as /NI and /NR accordingly.

If several alternative parameters are found in the command line, the last of them takes effect.

Return codes

The values of the return code and the corresponding events are as follows:
0: OK, no virus found
1: known virus detected
2: modification of known virus detected
4: suspicious object found
8: known virus detected in file archive, mail archive or container
16: modification of known virus detected in file archive, mail archive or container
32: suspicious file found in file archive, mail archive or container
64: at least one infected object successfully cured
128: at least one infected or suspicious file deleted, renamed or moved

The actual value returned by the program is equal to the sum of the codes for the events that occurred during scanning. Obviously the sum can be easily decomposed into separate event codes. For example, return code 9 = 1 + 8 means that known viruses were detected, including viruses in archives, mail archives or containers; curing and other actions were not executed; no other virus events occurred during scanning.

Appendix B. Adjustable Parameters of Dr.Web Components

Introduction

Adjustable parameters of the program components (except SpIDer Guard) are stored mainly in the program's configuration
9. Screenshot (Packet filter settings): buttons New, Edit. Advanced packet filter settings: Use TCP stateful packet filtering; Management of fragmented IP packets.

To configure sets of filtering rules, do one of the following:
• to add a new rule set, click New. The new rule set is added to the beginning of the list;
• to edit an existing set of rules, select the rule set in the list and click Edit;
• to add a copy of an existing set of rules, select the rule set and click Copy. The copy is added after the selected rule set;
• to delete a selected rule set, click Delete.

To set default rules, in the list select the rule set you want to use for new network interfaces installed on your computer and click Set as default.

To configure general settings, on the Packet Filter settings page use the following options: Use TCP stateful packet filtering; Management of fragmented IP packets.

Use TCP stateful packet filtering: select this checkbox to filter packets according to the state of existing TCP connections. Dr.Web Firewall will block packets that do not match active connections according to the TCP protocol specification. This option helps protect your computer from DoS (denial of service) attacks, resource scanning, data injection and other malicious operations. It is also recommended to enable stateful packet filtering when using complex data transfer protocols such as FTP, SIP, etc. Clear this checkbox to filter packets without regard
10. (tail of the preceding table rows, values and switches as extracted) Yes/No (/UVB); Yes/No (/UA); prompt, noprompt, force, disable (/URM); On/Off (/DBG).

By default the list of file extensions (the FilesTypes parameter value) contains the following extensions: EXE, COM, DLL, SYS, VXD, OV, BAT, BIN, DRV, PRG, BOO, SCR, CMD, 386, FON, DO, XL, WIZ, RTF, CL, HT, VB, JS, INF, PP, OBJ, LIB, PIF, AR, ZIP, R, GZ, Z, TGZ, TAR, TAZ, CAB, HLP, MD, INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT, MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE, EML, NWS, SWF, MPP, TBB.

By default the list of selected masks (the UserMasks parameter value of the configuration file) contains the values formed by adding the asterisk symbol and a full stop before an extension from the list of file extensions, for example *.exe.

Parameters of SpIDer Mail

Parameters of SpIDer Mail are described in the table below. The layout of this table is similar to that of the table above. In the list of admissible parameter values, the default values for SpIDer Mail are given in italics.

Description column: Use alternative configuration file; Use alternative user key file; Language; Heuristic analysis; Check archive files; Virus activity control; Message scan timeout (s); Max file size to extract (KB); Max compression ratio; Max archive level; Show virus alerts for outgoing mail; Infected messages; Suspicious messages.
Parameter column: LngFileName; Heuristic
11. (continuation) a program used for hacking (hacktool).

Miscellaneous
• Exploit: a tool exploiting known vulnerabilities of an OS or application to implant malicious code or perform unauthorized actions.
• Generic: this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of viruses. Such a virus does not possess any characteristic features (such as text strings, special effects, etc.) which could be used to assign it some specific name.
• Silly: this prefix was used in the past to name simple featureless viruses, with different modifiers.

Suffixes

Suffixes are used to name some specific virus objects:
• Origin: this suffix is added to names of objects detected using the Origins Tracing algorithm.
• generator: an object which is not a virus but a virus generator.
• based: a virus which is developed with the help of the specified generator, or a modified virus. In both cases the names of this type are generic and can define hundreds and sometimes even thousands of viruses.
• dropper: an object which is not a virus but an installer of the given virus.

Appendix E. Corporate network protection by Dr.Web Enterprise Suite

Dr.Web provides reliable, flexible and easily customized protection against viruses and other unsolicited programs. The versions of the pr
12. (continuation)
• check the file system with the system utilities and remove the detected defects;
• close all active applications.

Dr.Web Anti-virus is not compatible with other anti-virus software. Installing two anti-virus programs on one computer may lead to a system crash and loss of important data.

To begin the installation of Dr.Web Anti-virus on your computer, do one of the following:
• Execute the file, if supplied as a single executable file.
• Insert the company disk into the CD/DVD drive. If autorun is enabled, the installation procedure will start automatically. If autorun is disabled, run the executable file of the distribution kit manually.

Follow the dialog windows of the installation wizard. At any stage of the installation, before the files are copied onto the computer, you can return to the previous stage by clicking Back. To continue installation, click Next. To abort installation, click Cancel.

Installation procedure

Only a user with administrator privileges can install Dr.Web Anti-virus. There are two modes of installation of Dr.Web Anti-virus:
1. The background mode.
2. The usual mode.

Installation in the background mode

To install Dr.Web Anti-virus in the background mode, in the command line enter the executable file name with the necessary parameters (these parameters affect logging, reboot after installation and Dr.Web Firewall installation). No reboot
13. (continuation) riskware and hacktools are included in the drwrisky.vdb virus database.

From time to time cumulative add-ons for the malicious programs database are released. Hot add-ons of these databases can be released much more rarely than for the main virus base.

From time to time the updates of other files are released independently of the virus database updates.

From time to time fundamental updates of the anti-virus protection programs are released. This is a new anti-virus version release. All the virus records known up to this moment are included in the new main virus database. Old virus databases are deleted when the new version is installed; the structure of the virus databases will be as follows:
• the main virus database: drwebase.vdb;
• extensions of the main virus database: drw50000.vdb, drw50001.vdb, drw50002.vdb, drw50003.vdb and drw50004.vdb;
• weekly add-ons: drw50005.vdb, drw50006.vdb, etc.;
• hot add-on: drwtoday.vdb;
• accumulative add-on: drwdaily.vdb;
• additional databases of malicious programs: drwnasty.vdb and drwrisky.vdb;
• cumulative add-ons to the malicious programs database: dwn50001.vdb, dwn50002.vdb, etc. and dwr50001.vdb, dwr50002.vdb, etc.;
• hot add-ons of the additional databases of malicious programs: dwntoday.vdb and dwrtoday.vdb.

The most convenient way to receive and install the updates of the virus databases and the program is to use the Updater
14. Command-line parameters for installation in the background mode (logging / reboot / Dr.Web Firewall installation):
• No logging, reboot: /S /V"/qn REBOOT=Force" or /S /V"/qn REBOOT=E"
• No logging, no reboot: (command not legible in the source)
• Logging, reboot: /S /V"/qn /lv <path>\drweb-setup.log REBOOT=E" or /S /V"/qn /lv <path>\drweb-setup.log REBOOT=Force"
• Logging, no reboot: /S /V"/qn /lv <path>\drweb-setup.log"
• Dr.Web Firewall installation, reboot: /S /V"/qn INSTALL_FIREWALL=1 REBOOT=E" or /S /V"/qn INSTALL_FIREWALL=1 REBOOT=Force"

For example, to perform installation of Dr.Web Anti-virus with logging and reboot after installation, execute the following command:
C:\Documents and Settings\drweb-600-win-x86.exe /S /V"/qn /log REBOOT=F /lv temp\drweb-setup"

If a particular language of the installation is required, use the following additional parameter: /L<language_code>. For example: /L1049 /S /V"/qn REBOOT=Force".

The list of languages:
1026 Bulgarian; 2052 Chinese (Simplified); 1028 Chinese (Traditional); 1033 English; 1061 Estonian; 1036 French (France); 1031 German; 1032 Greek; 1038 Hungarian; 1040 Italian; 1062 Latvian; 1063 Lithuanian; 1045 Polish; 2070 Portuguese; 1049 Russian; 1051 Slovak; 1034 Spanish (Traditional Sort); 1055 Turkish; 1058 Ukrainian.

Regardless of your choice, English language will be installed in addition.
15. Default actions of SpIDer Mail (continuation of the table; the first two row labels are cut off in the extraction):
• (label cut off): Cure (recommended)
• (label cut off): Move to quarantine (recommended)
• Suspicious messages: Move to quarantine (recommended)
• Not checked messages: Ignore (recommended)
• Malformed messages: Ignore (recommended)
• Adware: Move to quarantine (recommended)
• Dialers: Move to quarantine (recommended)
• Jokes: Ignore (recommended)
• Hacktools: Ignore (recommended)
• Riskware: Ignore (recommended)

To change the default actions in SpIDer Mail:
1. In the Infected messages drop-down list, choose the program's action upon detection of an infected message. The Cure action is recommended.
2. In the Incurable messages drop-down list, choose the program's action upon detection of an incurable message. The Move to quarantine action is recommended. Other actions with moved files are described in Actions Upon Detection of a Virus.
3. In the Suspicious messages drop-down list, choose the program's action upon detection of a suspicious message. The Move to quarantine action is recommended.
4. In the Non checked messages and Malformed messages drop-down lists, choose the program's action upon detection of a non-checked or malformed message. The Ignore action is recommended.
5. In the Adware and Dialers drop-down lists, choose the program's action upon detection of adware and dialers. The Move to quarantine action is recommended.
6. The same procedure is used when
16. Table of Scanner and Updating module parameters (columns as extracted):
Description: Use alternative configuration file; Do not use any configuration file; Use own swap file; Display progress bar; Sounds; Alert sound; Cured sound; Deleted sound; Renamed sound; Moved sound; Finish sound; Error sound; Autosave settings.
Component: Scanner GUI; Scanner; Updating module; Scanner; Scanner; Scanner; Updating module; Scanner; Scanner; Scanner; Scanner; Scanner; Scanner; Scanner; Updating module; Scanner.
Parameter: UseDiskForSwap; ShowProgressBar; PlaySounds; AlertWav; CuredWav; DeletedWav; RenamedWav; MovedWav; FinishWav; ErrorWav; AutoSaveSettings.
Values (switch): On/Off (/ST); On/Off (/INI, /NI); Yes/No; Yes/No; Yes/No (/SO); alert.wav; cured.wav; deleted.wav; renamed.wav; moved.wav; finish.wav; error.wav; Yes/No (/SS).

Description: Use registry settings; Scan priority; Language; Proxy mode; Update the virus databases and drweb32.dll (kernel) only; Download all files from the update list; Reboot mode at updating; Log details.
Component: Scanner GUI; Scanner; Scanner; Updating module; Scanner GUI (the module settings updating); Updating module; Updating module; Updating module; Updating module.
Parameter: ScanPriority; LngFileName; UpdateProxyMode; UpdateVirusBasesOnly; UpdateAllFiles; UpdateRebootMode.
Values (switch): On/Off; 25, 50; ru drweb LNG; dwl; direct, ieproxy, userproxy; UPM
company.drweb.com/contacts/moscow | Doctor Web, 2003-2011
17. (tail of the preceding table row, values as extracted) disable, enable, update.

Appendix C. Malicious Programs and Methods of Neutralizing Them

With the development of computer technologies and network solutions, malicious programs (malware) of different kinds, meant to strafe users, become more and more widespread. Their development began together with computer science, and facilities of protection against them progressed alongside. Nevertheless, there is still no common classification for all possible threats, due to their unpredictable development character and the constant improvement of applicable technologies.

Malicious programs can be distributed through the Internet, local area networks, e-mail and portable data mediums. Some of them rely on the user's carelessness and lack of experience and can be run in completely automatic mode. Others are tools controlled by a computer cracker, and they can harm even the most secure systems.

This chapter describes all of the most common and widespread types of malware against which the products of Doctor Web, Ltd. are aimed.

Classification of malicious programs and other computer threats

Computer viruses

This type of malicious programs is characterized by the ability to implement its code into the executable code of other programs. Such implementation is called infection. In most cases the infected file becomes a virus carrier itself, and the implemented code does not necessarily match the or
18. (continuation) drwebase.vdb and its extension files drw50000.vdb, drw50001.vdb, drw50002.vdb, drw50003.vdb and drw50004.vdb. They all contain the virus signatures known at the moment of the release of the given version of the program (for more details on the version, read below).
• Once a week the weekly add-ons are released: these are files with the virus records for detection and neutralization of viruses detected since the previous week's add-on's release. The weekly add-ons are files which look like this: drwXXXYY.vdb, where XXX is the current anti-virus version number without a separating full stop and YY is the number of the weekly add-on. The weekly add-ons are numbered beginning from 05, i.e. the first add-on of the database is called drw50005.vdb.

If necessary (usually several times per day), hot add-ons with virus records for detection and neutralization of viruses detected since the last weekly add-ons are released. This add-on is the file called drwtoday.vdb. At the end of a day, all the virus records from this file are included in the drwdaily.vdb accumulative add-on. At the end of a weekend, the drwdaily.vdb contents are issued as the next weekly add-on.

The program includes additional databases of malicious programs: drwnasty.vdb and drwrisky.vdb. The records for detection of adware and dialers are included in the drwnasty.vdb virus database. The records for detection of joke programs
19. (continuation) server system ensures complete and reliable anti-virus protection of the clients' workstations of companies specialized in providing various Internet services (Internet providers (ISP), application service providers (ASP), online banking vendors, etc.), provided that the computers are occasionally connected to the Internet. AV-Desk allows to install Dr.Web anti-virus packages for Windows on the workstations of the company's clients, manage their operation and updating, follow up and promptly solve problems which occur on clients' computers without the necessity to physically access the workstation or provide support and instructions to the user.

Creating such an anti-virus network solves a number of problems which both corporate clients and individual users often have to face:
• in companies the software is usually installed onto computers by a company network administrator. The installation of anti-virus programs and their timely updating is additional work for the administrator and requires physical access to computers;
• at home, users do not always follow up virus events on their computers, or may even not install any anti-virus at all;
• semiskilled users can make changes in the settings of the anti-virus, including disabling it, because of seeming inconveniences, which incurs holes in protection and thus substantially degrades the level of security;
• anti-virus protection can be fully efficient if its operation is analyzed by
20. (continuation) some options of mail programs are blocked (for example, sending a message to many addresses might be considered as mass distribution), and mail will not be scanned for spam; useful information from their safe text part becomes unavailable if messages are automatically destroyed.

Advanced users can modify mail scanning parameters and the program's reactions to virus events. In certain cases automatic interception of POP3, SMTP, IMAP4 and NNTP connections is impossible; in such a situation the program allows to set up manual interception of connections.

Dr.Web Scanner can also detect viruses in mailboxes of several formats, but SpIDer Mail has several advantages:
• Not all formats of popular mailboxes are supported by Dr.Web Scanner. In this case, when using SpIDer Mail, the infected messages are not even delivered to mailboxes.
• The Scanner does not check the mailboxes at the moment of the mail receipt, but either on user demand or according to schedule. Furthermore, this action is rather resource consuming and takes a lot of time.

Thus, with all the components in their default settings, SpIDer Mail detects viruses and suspicious objects distributed via e-mail first and does not let them infiltrate into your computer. Its operation is rather resource sparing; scanning of e-mail files can be performed without other components.

Managing SpIDer Mail

SpIDer Mail can be managed via the S
21. (continuation) the switch instructs to inform a user if an infected or suspicious object is detected in a mail archive. If the switch is supplemented with the D, M or R modifier, other actions are taken: /MLD delete; /MLM move (by default to the infected directory); /MLR rename (by default the first character of the extension is replaced by the character). The switch may end with the N modifier; in this case the "Mail archive" message will not be displayed.

/MW: actions with all types of unsolicited programs. As it is specified (/MW), the switch instructs to inform a user. If the switch is supplemented with the D, M, R or I modifier, other actions are taken: /MWD delete; /MWM move (by default to the infected directory); /MWR rename (by default the first character of the extension is replaced by the character); /MWI ignore. Actions with some types of unsolicited programs are specified by the /ADW, /DLS, /JOK, /RSK and /HCK switches.

/NI: do not use the parameters specified in the drweb32.ini configuration file.
/NR: do not create a log file.
/NS: disable interrupting of a computer scan. With this switch specified, a user will not be able to interrupt scanning by pressing ESC.
/OK: display the full list of scanned objects and mark the uninfected ones with "Ok".
/PF: prompt if multiple floppies are scanned.
/PR: prompt for confirmation before action.
/QU: the scanner checks the objects specified in the command line (files, disks, d
22. (continuation) unlike DoS attacks, when requests are sent from one IP address.
• Mail bombs: a simple network attack when a big e-mail (or thousands of small ones) is sent to a computer or a company's mail server, which leads to a system breakdown. There is a special method of protection against such attacks used in the Dr.Web products for mail servers.
• Sniffing: a type of network attack, also called passive tapping of the network. It is unauthorized monitoring of data and traffic flow performed by a packet sniffer, a special type of non-malicious program which intercepts all the network packets of the monitored domain.
• Spoofing: a type of network attack when access to the network is gained by fraudulent imitation of connection.
• Phishing: an Internet fraud technique which is used for stealing personal confidential data such as access passwords, bank and identification card data, etc. Fictitious letters, supposedly from legitimate organizations, are sent to potential victims via spam mailing or mail worms. In these letters victims are offered to visit phony web sites of such organizations and confirm the passwords, PIN codes and other personal information, which is then used for stealing money from the victim's account and for other crimes.
• Vishing: a type of phishing technique in which war dialers or VoIP are used instead of e-mails.

Actions applied to malicious programs

There are
23. Automatic Updating Settings

To adjust update settings, press the Settings button.

Screenshot (Settings window, General page): Update source settings: Download updates from Doctor Web servers (recommended); Use update mirror servers. Update mode: Update All (recommended); Update virus databases only. Appearance: Show icon in notification area.

On the General page you can set the following parameters:
• Update source. Dr.Web Updater can download updates from Doctor Web servers (recommended) or mirror servers. If you use mirrors, set up the necessary parameters.
• Update mode. You can choose one of the following:
  • Update all (recommended): in this mode all Dr.Web Anti-virus components, virus databases and the anti-virus engine will be updated.
  • Update virus databases only: in this mode Dr.Web Anti-virus components will not be updated.
• Appearance. By default, notifications are displayed when the update is finished. You can disable this option.

On the Network access settings page you can set up network access.

Screenshot (Settings window, Network access page): Connection mode: Direct connection; Use Internet Explorer settings; User defined.

If you do not use a proxy server, choose Direct connection. If you use the current settings for the proxy server, choose Use Internet Explorer settings. If you want to specify settings for the proxy server, choose User defined and set up
24. Screenshot (Check attachments window): rows Dialers, Jokes, Hacktools, Riskware, If check failed; actions Cure, Move to quarantine; Check archives (recommended); buttons Cancel, Apply.

In the Check attachments window, specify the actions for different types of checked objects and also for the check failure. You can also enable or disable checking the archives.

To set actions on virus threat detection, use the following options:
• The Infected drop-down list sets the reaction to the detection of a file infected with a known virus.
• The Not cured drop-down list sets the reaction to the detection of a file infected with a known incurable virus, and in case an attempt to cure a file failed.
• The Suspicious drop-down list sets the reaction to the detection of a file presumably infected with a virus (upon a reaction of the heuristic analyzer).
• In the Malware section, set the reaction to the detection of types of unsolicited software such as:
  • Dialers
  • Jokes
  • Riskware
  • Hacktools

The If check failed drop-down list allows to configure actions if an attachment cannot be checked (e.g. if the attached file is corrupted or password protected).

The Check archives (recommended) flag allows to enable or disable checking of attach
Protocol
  Select one of the following network-level protocols:
  - IPv4: Internet Protocol version 4
  - IPv6: Internet Protocol version 6
  - IP all: Internet Protocol of any version
  - ARP: Address Resolution Protocol
  - EAPoL: 802.1x Extensible Authentication Protocol (the IEEE 802.1X standard)
  - PPPoE Discovery
  - PPPoE Session
  To apply the rule to all protocols, select Unspecified.

Local IP (available for the IPv4, IPv6 and IP all protocols only)
  Select the comparison method and enter the IP address of your computer.

Remote IP (available for the IPv4 and IPv6 protocols only)
  Select the comparison method and enter the IP address of the remote host.

Change IP protocols configuration (available for the IP all protocol only)
  Click to open the IP protocols configuration window and configure the following parameters:
  - Local IPv4 address: select the comparison method and enter your IPv4 address
  - Remote IPv4 address: select the comparison method and enter the IPv4 address of the remote host
  - Local IPv6 address: select the comparison method and enter your IPv6 address
  - Remote IPv6 address: select the comparison method and enter the IPv6 address of the remote host

Transport-level protocol
  Select one of the following transport-level protocols:
  - TCP
  - UDP
  - ICMPv4 (available for the IPv4 network-level protocol only)
  - ICMP
Rule name
  The rule name.

Direction
  The packet sender:
  - Inbound: the rule is applied when a packet is received from the network.
  - Outbound: the rule is applied when a packet is sent from your computer to the network.
  - Any: the rule is applied regardless of the direction of transfer.

Log
  The logging mode for the rule. This parameter defines which information is stored in the Dr.Web Firewall log:
  - Log headers: the packet header only
  - Entire packet: the whole packet
  - No logging: nothing is logged

Description
  The rule description.

You can configure the list by adding new rules, modifying existing rules and changing the order in which they are applied. Rules are applied in the order in which they appear in the set, so the position of a rule relative to the others determines whether it takes effect; check the order after every insertion, because a new rule is placed at the top of the list.

To configure rule sets
1. If you chose to create or edit a rule set on the Packet filtering settings page, specify a name for the rule set in the opened window.
2. Use the following options to create filtering rules:
   - To add a new rule, click New. The new rule is added to the beginning of the list.
   - To modify a rule, select it and click Edit.
   - To add a copy of a rule, select the rule and click Copy. The copy is added after the selected rule.
   - To delete a rule, select it and click Delete.
3. If you chose to create or edit a rule, configure the rule settings in the opened window.
4. Use the arrows next to the list to change the order of the rules.
... a list of all prefixes and suffixes used in Dr.Web, divided into groups.

Prefixes

Affected operating systems. The following prefixes are used to name viruses that infect executable files of a particular OS:
- Win: 16-bit Windows 3.1 programs
- Win95: 32-bit Windows 95/98/Me programs
- WinNT: 32-bit Windows NT/2000/XP/Vista programs
- Win32: 32-bit Windows 95/98/Me and NT/2000/XP/Vista programs
- Win32.NET: programs for the Microsoft .NET Framework
- OS2: OS/2 programs
- Unix: programs for various Unix-based systems
- Linux: Linux programs
- FreeBSD: FreeBSD programs
- SunOS: SunOS (Solaris) programs
- Symbian: Symbian OS (mobile OS) programs
Note that some viruses can infect programs of one system even though they are designed to operate in another.

Macrovirus prefixes. These prefixes name viruses that infect MS Office objects; the macro language infected by such a virus is specified:
- WM: Word Basic (MS Word 6.0/7.0)
- XM: VBA3 (MS Excel 5.0/7.0)
- W97M: VBA5 (MS Word 8.0), VBA6 (MS Word 9.0)
- X97M: VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0)
- A97M: databases of MS Access 97/2000
- PP97M: MS PowerPoint presentations
- O97M: VBA5 (MS Office 97), VBA6 (MS Office 2000); such a virus infects files of more than one MS Office component

Development languages. The HLL group is used to name
... a user's browser to a certain web site or sites.
- KeyLogger: a spyware Trojan that logs keystrokes; it may send the collected data to a malefactor.
- AVKill: terminates or deletes anti-virus programs, firewalls, etc.
- KillFiles, KillDisk, DiskEraser: deletes certain files (all files on drives, files in certain directories, files matching a certain mask, etc.).
- DelWin: deletes files vital for the operation of the Windows OS.
- FormatC: formats drive C.
- FormatAll: formats all drives.
- KillMBR: corrupts or deletes master boot records (MBR).
- KillCMOS: corrupts or deletes CMOS memory.

Tools for network attacks
- Nuke: tools for attacking certain known vulnerabilities of operating systems, leading to abnormal shutdowns of the attacked system.
- DDoS: an agent program for performing a DDoS (Distributed Denial of Service) attack.
- FDoS (synonym: Flooder, i.e. Flooder Denial of Service): programs for performing malicious actions on the Internet that use the idea of DDoS attacks. In contrast to DDoS, where several agents on different computers attack one victim system simultaneously, an FDoS program operates as an independent, self-sufficient program.

Malicious programs
- Adware: an advertising program.
- Dialer: a dialer program that redirects modem calls to predefined paid numbers or paid resources.
- Joke: a joke program.
- Program: a potentially dangerous program (riskware).
- Tool
... analyser.

3. The detection method used by the heuristic analyser is based on certain knowledge about the attributes that characterize malicious code. Each attribute (characteristic) has a weight coefficient that determines its severity and reliability. Depending on the total weight of a file, the heuristic analyser calculates the probability that the file is infected with an unknown virus. Like any system of hypothesis testing under uncertainty, the heuristic analyser may commit type I or type II errors, that is, miss viruses or raise false alarms; the detection threshold trades one kind of error for the other.

While performing any of the above checks, Dr.Web anti-virus solutions use the most recent information about known malicious software. As soon as the experts of the Doctor Web Virus Laboratory discover new threats, an update of the virus signatures, behaviour characteristics and attributes is issued; in some cases updates are issued several times per hour. Therefore, even if a brand-new virus passes through the Dr.Web resident guards and penetrates the system, after an update the virus is detected in the list of processes and neutralized.

Installing Dr.Web Anti-virus

Before installing the program, we strongly recommend that you:
- install all critical updates released by Microsoft for the OS version used on your computer; they are available at the company's update web site, http://windowsupdate.microsoft.com
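The weighted-attribute scheme described above, worked through as an added example (this is illustrative code, not Doctor Web's analyser: the attribute names, weights, the probability mapping and the labelled samples are all constructed for the example). It shows why the threshold matters: lowering it removes misses at the cost of false alarms, and raising it does the reverse.

```python
"""Weighted-attribute heuristic scoring with a detection threshold.

Added illustration, not Doctor Web's code. Attribute names, weights,
the probability model and the labelled corpus are constructed.
"""

# Hypothetical code attributes and their weight coefficients
# (severity and reliability folded into one number).
WEIGHTS = {
    "self_modifying_code": 4.0,
    "writes_to_other_executables": 5.0,
    "hooks_system_api": 3.0,
    "packed_or_encrypted_section": 2.0,
    "disables_security_software": 5.0,
    "opens_network_listener": 1.0,
}
MAX_WEIGHT = sum(WEIGHTS.values())   # 20.0


def total_weight(attributes):
    """Sum of the weights of the attributes observed in a file; unknown attributes count 0."""
    return sum(WEIGHTS.get(a, 0.0) for a in attributes)


def infection_probability(attributes):
    """Map the total weight onto [0, 1]; a plain ratio, chosen for readability only."""
    return total_weight(attributes) / MAX_WEIGHT


def is_suspicious(attributes, threshold):
    """The verdict: total weight at or above the threshold raises an alarm."""
    return total_weight(attributes) >= threshold


# Constructed labelled corpus: (true label, attributes observed in the file).
SAMPLES = [
    ("malware", {"self_modifying_code", "writes_to_other_executables", "packed_or_encrypted_section"}),
    ("malware", {"disables_security_software", "hooks_system_api"}),
    ("malware", {"packed_or_encrypted_section", "opens_network_listener"}),   # stealthy: low weight
    ("clean", {"packed_or_encrypted_section"}),                                # packed installer
    ("clean", {"hooks_system_api", "opens_network_listener"}),                 # legitimate hooking tool
    ("clean", set()),
    ("clean", {"packed_or_encrypted_section", "hooks_system_api"}),            # e.g. a DRM-protected app
]


def error_counts(samples, threshold):
    """Count false alarms (clean files flagged) and misses (malware not flagged) at one threshold."""
    false_alarms = sum(1 for label, attrs in samples
                       if label == "clean" and is_suspicious(attrs, threshold))
    missed = sum(1 for label, attrs in samples
                 if label == "malware" and not is_suspicious(attrs, threshold))
    return {"false_alarms": false_alarms, "missed": missed}


def threshold_sweep(samples):
    """Error counts at every distinct total weight in the corpus, to expose the trade-off."""
    candidates = sorted({total_weight(attrs) for _, attrs in samples})
    return [(t, error_counts(samples, t)) for t in candidates]


if __name__ == "__main__":
    for t, errs in threshold_sweep(SAMPLES):
        print(f"threshold {t:4.1f}: {errs}")
```

At threshold 3 every malware sample is caught but two legitimate programs are flagged; at threshold 6 nothing legitimate is flagged but the low-weight sample slips through, which is the situation the manual describes as "a brand-new virus passes through the resident guards" until a signature update arrives.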
... and module updates
- Information on threat detection
- License expiration notifications: a message is registered 30, 15, 7, 3, 2 and 1 days before expiration.

To view the Event Log
1. In the Control Panel, select Administrative Tools > Event Viewer.
2. In the tree view, select Application. The list of events registered in the log by user applications opens. The source of Dr.Web for Outlook messages is the Dr.Web for Outlook application.

Debug Text Log

The following information can be registered in the Dr.Web for Outlook text log:
- License validity status
- Malware detection reports for each detected malicious object
- Read/write errors, and errors while scanning archives or password-protected files
- Parameters of program modules (Scanner, engine, virus bases)
- Core failures
- License expiration notifications: a message is registered 30, 15, 7, 3, 2 and 1 days before expiration.

Enabling program logging to the log file decreases performance, so it is recommended to enable logging only when errors occur in the operation of Dr.Web for Outlook.

To configure logging
1. On the Dr.Web Anti-virus tab, click Log. The log settings window opens.
2. Specify the detail level (0 to 5) for logging:
   - level 0 disables logging
   - level 5 is the maximum level of detail
   By default, logging is disabled.
... components on system startup (recommended)
- Custom components (not recommended). In this mode you can disable the automatic launch of some components (SpIDer Mail, for example).

Self-protection parameters

On the Extended page you can specify self-protection parameters and disable miscellaneous operations that may compromise the security of your computer:
- Prevent suspicious actions
- Block applications from writing to disk using low-level functions
- Block user activity emulation. This option prevents any changes in Dr.Web operation except those made by the user manually.

If any problems occur during updates, or during the installation and operation of programs (including defragmentation programs), disable the corresponding options in this group. If any problems occur during installation of important Microsoft ...

License Manager

License Manager shows the information from the Dr.Web Anti-virus key files in a readable form. For each license in the list it shows the serial number, the owner, the activation date, the expiration date and the license file name (for example C:\Program Files\DrWeb\drweb86.key). Please note that you can own several licenses
... connections setup (radio buttons)

Description                                                          Key                       Values / default
Enable icon animation                                                EnableIconAnimation       Yes | No
Enable tray icon (inverted sense)                                    HideIcon                  Yes | No
Show notifications (inverted sense)                                  NoBalloons                Yes | No
Intercept connections automatically, or manual connections setup     HookModeAuto              Yes | No
Test interception functionality on every start                       HookCheck                 Yes | No
Automatic mode: address:port, first element of the list              Hook1                     address:port
Automatic mode: address:port, continuation of the list               Hook2, Hook3              address:port
Manual mode: SpIDer Mail port, server address, server port,
  first element of the list                                          HookManual1               7000>address:port (POP3/SMTP/IMAP4/NNTP port)
Manual mode: SpIDer Mail port, server address, server port,
  continuation of the list                                           HookManual2, HookManual3  7001>address:port, 7002>address:port
Enable the Disable menu item                                         AllowDisable              Yes | No
Enable the Exit menu item                                            AllowExit                 Yes | No
Enable the Settings menu item                                        AllowSettings             Yes | No
Enable the Reinitialize menu item                                    AllowReinitialize         Yes | No
Max simultaneously processed queries at one local port (manual mode) MaximumChildConnections   20
A string added to messages                                           Xbanner                   empty
Path to the temporary files directory of the component               TempPath                  TMP, TEMP or the installation directory

(next table, truncated) Reinitialize, Disable, Enable, Update, Exit: reinit
... contain only a small common code fragment, the decryption procedure, which can be used as a virus signature. Polymorphic viruses also encrypt their code, but in addition they generate a special decryption procedure that is different in every copy of the virus, so such viruses have no byte signature at all. Stealth viruses perform certain actions to disguise their activity and thus conceal their presence in an infected object: they gather the characteristics of a program before infecting it and then present these dummy characteristics, misleading a scanner that searches for modified files.

Viruses can also be classified according to the programming language in which they are written (in most cases assembler, but also high-level programming languages, scripting languages, etc.) or according to the affected operating systems.

Computer worms

Worms have recently become much more widespread than viruses and other malicious programs. Like viruses, they are able to reproduce themselves and spread their copies, but they do not infect other programs. A worm infiltrates the computer from the Internet or a local network, usually via an e-mail attachment, and distributes its functional copies to other computers in the network. It can begin distributing itself either upon a user's action or automatically, choosing which computers to attack. Worms do not necessarily consist of one
... data and statistics in the anti-virus network always go through the Enterprise Server. Dr.Web Control Center exchanges information only with Servers. Based on Dr.Web Control Center commands, Servers transfer instructions to Enterprise Agents and change the configuration of workstations. The logical structure of a fragment of the anti-virus network is shown in the illustration (Dr.Web Enterprise Server; Dr.Web Control Center connected over HTTP/HTTPS; protected computers connected over TCP, IPX or NetBIOS; transfer of updates from Dr.Web GUS).

Between the Server and the workstations (a thin firm line in the illustration), the following information is transferred through one of the supported network protocols (TCP, IPX or NetBIOS):
- Agent requests for the centralized schedule, and the centralized schedule of workstations
- settings of the Agent and the anti-virus package
- requests for scheduled tasks to be performed (scanning, updating of virus databases, etc.)
- files of anti-virus packages, when the Agent receives a task to install them
- software and virus database updates, when an updating task is performed
- Agent messages on the configuration of the workstation
- statistics to be added to the centralized log on the operation of Agents and anti-virus packages
- messages on virus events and other events which should be logged

The volume
... mode, in which rules for known applications are created automatically
- Block unknown connections (restricted access mode): all unknown connections are blocked. For known connections Dr.Web Firewall applies the appropriate rules.
- Allow unknown connections (free access mode): all unknown applications are permitted to access networks.

3. Click OK to save the changes, or click Cancel to close the window without saving.

Learning Mode

In this mode you have total control over the Dr.Web Firewall reaction to an unknown connection, and thus train the program while you work on the computer. When a user application or the operating system attempts to connect to a network, Dr.Web Firewall checks whether a filtering rule set exists for the application. If there are no filtering rules, Dr.Web Firewall prompts you either to select a temporary decision or to create a rule that will be applied each time Dr.Web Firewall detects this type of connection.

Training Mode

In this mode, rules for known applications are created automatically. For other applications you have control over the Dr.Web Firewall reaction. When a user application or the operating system attempts to connect to a network, Dr.Web Firewall checks whether a filtering rule set exists for the application. If there are no filtering rules, Dr.Web Firewall prompts you either to select a temporary decision or to create a rule that will be applied each time Dr.Web Firewall detects this type of connection.
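An added example (not Dr.Web Firewall's code) that puts the rule fields from the packet-filter pages and the four modes above into one evaluator: rules are tried in list order and the first match decides, a new rule goes to the top of the list as in the rule-set editor, and a packet that matches nothing gets the mode's default. The Packet and Rule representations, the mode names and the sample rules are assumptions made for the example.

```python
"""Ordered packet-filter rules with a mode-dependent default for unknown connections.

Added example, not Dr.Web Firewall's code. Packet/Rule shapes, mode names
and the sample rule set are assumptions for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IP_FAMILY = {"IPv4", "IPv6"}   # the protocols "IP all" stands for


@dataclass(frozen=True)
class Packet:
    direction: str            # "inbound" or "outbound"
    net_proto: str            # "IPv4", "IPv6", "ARP", "EAPoL", "PPPoE Discovery", "PPPoE Session"
    transport: Optional[str]  # "TCP", "UDP", "ICMPv4", ... or None for non-IP protocols
    local_ip: Optional[str]
    remote_ip: Optional[str]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    direction: str = "any"            # "inbound", "outbound" or "any"
    net_proto: str = "Unspecified"    # "Unspecified" applies to all protocols, "IP all" to IPv4 and IPv6
    transport: Optional[str] = None   # None: any transport-level protocol
    local_ip: Optional[str] = None    # address or CIDR network; None: any
    remote_ip: Optional[str] = None


def _addr_matches(pattern, address):
    """None pattern matches anything; a pattern never matches a packet without an address."""
    if pattern is None:
        return True
    if address is None:
        return False
    # An IPv4 address is never contained in an IPv6 network and vice versa.
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def _proto_matches(rule, packet):
    if rule.net_proto == "Unspecified":
        return True
    if rule.net_proto == "IP all":
        return packet.net_proto in IP_FAMILY
    return rule.net_proto == packet.net_proto


def rule_matches(rule, packet):
    return (
        (rule.direction == "any" or rule.direction == packet.direction)
        and _proto_matches(rule, packet)
        and (rule.transport is None or rule.transport == packet.transport)
        and _addr_matches(rule.local_ip, packet.local_ip)
        and _addr_matches(rule.remote_ip, packet.remote_ip)
    )


# Decision for a connection that no rule covers, per operating mode.
DEFAULTS = {
    "learning": "prompt",        # the user chooses a temporary action or creates a rule
    "training": "prompt",        # known applications get rules automatically; others are prompted
    "block_unknown": "block",    # restricted access mode
    "allow_unknown": "allow",    # free access mode
}


def evaluate(rules, packet, mode):
    """Try the rules in list order; the first match decides, else the mode default applies."""
    for rule in rules:
        if rule_matches(rule, packet):
            return rule.action, rule.name
    return DEFAULTS[mode], None


def add_rule(rules, rule):
    """A new rule is inserted at the beginning of the list, so it shadows everything below it."""
    return [rule] + list(rules)


# Constructed sample rule set and packets.
RULES = [
    Rule("allow lan dns", "allow", "outbound", "IPv4", "UDP", remote_ip="192.168.1.1"),
    Rule("block all inbound", "block", "inbound", "IP all"),
]
PKT_DNS = Packet("outbound", "IPv4", "UDP", "192.168.1.20", "192.168.1.1")
PKT_IN = Packet("inbound", "IPv6", "TCP", "2001:db8::20", "2001:db8::1")
PKT_ARP = Packet("inbound", "ARP", None, None, None)

if __name__ == "__main__":
    for mode in DEFAULTS:
        print(mode, evaluate(RULES, PKT_ARP, mode))
    shadowed = add_rule(RULES, Rule("block all outbound", "block", "outbound"))
    print("DNS after inserting a broad block rule:", evaluate(shadowed, PKT_DNS, "learning"))
```

The last two lines show the ordering caveat from the rule-set page: inserting a broad "block all outbound" rule puts it above the specific DNS allow rule and silently disables it, so after adding a rule, move it with the arrows to where it belongs.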
... the plug-in performs the following functions:
- Anti-virus check of e-mail attachments transferred via the SMTP, POP3 and HTTP protocols
- Check of e-mail attachments transferred via SSL-encrypted connections
- Detection and neutralization of malicious objects
- Malware detection
- Heuristic analysis for additional protection against unknown viruses

Dr.Web for Outlook Plug-in: Configuring

You can set up the parameters of the plug-in and review its statistics from the Microsoft Outlook mail application: on the Service > Parameters > Dr.Web Anti-virus tab, or on the Tools > Options > Dr.Web Anti-virus tab in Microsoft Outlook 2007. The Dr.Web Anti-virus tab of the Microsoft Outlook parameters is active only if the user has permission to change these settings.

The tab contains a General section (the "Dr.Web Anti-virus is enabled" check box, the Check attachments and Anti-spam filter buttons, and a reminder that infected attachments may present a threat to your information security) and a Statistics section (Checked, Infected, Suspicious, Cured, Not checked, Moved to quarantine, Deleted, Ignored and Spam messages counters, with a Clear button).

On the Dr.Web Anti-virus tab the current protection status (enabled or disabled) is displayed, and the tab provides access to the following program functions:
- Log: allows you to configure program logging
... by qualified specialists, including analysis of protocols, of files moved to the quarantine, etc. In companies this work is hampered by the fact that such data is stored on dozens or hundreds of computers. At home, the operation of an anti-virus, once installed, is rarely analyzed.

Dr.Web AV-Desk was developed to solve these problems. It provides reliable, flexible and easily customized anti-virus protection for workstations, saves administrators' time and effort, and relieves users of the need to worry about anti-virus protection while maintaining a high level of security.

The program solutions used in Dr.Web AV-Desk provide for:
- simple installation of software components and prompt arrangement of anti-virus protection
- creation of distribution files with unique identifiers and their transfer to the users for installation
- centralized setup of the anti-virus packages
- centralized updates of virus databases and program files on protected computers
- monitoring of virus events and of the state of the anti-virus packages and operating systems on all protected computers

Dr.Web AV-Desk has a client-server architecture. Dr.Web AV-Desk components are installed on the computers of users and administrators and on the computer(s) that function as the AV-Desk Server(s), and exchange information through network protocols (TCP/IP, IPX/SPX, NetBIOS). An aggregate of computers on which cooperating Dr.Web AV-Desk co
... it is recommended to disable self-protection. If any problems occur during the operation of defragmentation programs, disable self-protection temporarily.

The Tools item opens a submenu which contains the following items:
- License Manager (see License Manager).
- Settings. Displays the SpIDer Agent settings.
- Scheduler. Displays the standard Windows Scheduler task that determines the Dr.Web Anti-virus for Windows update schedule.
- Quarantine (see Quarantine).
- Report generation. Before contacting Doctor Web technical support, generate a report on your OS and on Dr.Web operation. To adjust the parameters, click Report settings in the opened window. The report is stored as an archive in the DoctorWeb subfolder of the %USERPROFILE% directory.

The Administrative/User mode item allows you to switch between the full-function Administrative mode and the restricted User mode. In User mode, access to the settings of the components and of the Updater is forbidden, the Scheduler item is inaccessible, and SpIDer Guard, Dr.Web Firewall and self-protection cannot be disabled. You need administrative rights to switch to Administrative mode.

This item is displayed only when you do not have administrative privileges: for instance, when you log into Microsoft Windows 2000 or Windows XP as a non-privileged user, or when User Account Control of Windows Vista or Microsoft
... set up the appropriate rules on the Parent processes page.

The Parent processes page (Applications > Parent application settings) lists applications with the full path to the executable and the Allow or Block action assigned to each; in the screenshot these include Windows Explorer (C:\windows\explorer.exe), Userinit Logon Application (C:\windows\system32\userinit.exe), Firefox, Java Web Start Launcher, Java Update Scheduler, the System process, Windows Start-Up Application (C:\windows\system32\wininit.exe), Host Process for Windows Services (C:\windows\system32\svchost.exe), Task Scheduler Engine (C:\windows\system32\taskeng.exe), iTunesHelper, Miranda IM, Adobe Reader 8.0 and Windows Logon Application (C:\windows\system32\winlogon.exe). The Restore defaults button returns the list to its initial state. Rules are bound to the executable path, so check that the path shown is the usual location of the program before allowing it.

To add a rule for a parent process
1. Choose the parent process:
   - to add a new rule for an application, click New and browse for the program executable;
   - to add a new rule for an already running process, click the arrow on New, choose the running application and select the process.
2. Set the appropriate action:
   - Block, to prevent the application from running other processes;
   - Allow, to permit the application to run other processes.

New process
... setting the program's actions upon detection of messages containing jokes, riskware and hacktools (the Ignore action is recommended).
7. Click OK to apply the changes and close the SpIDer Mail Settings window.

Protection against suspicious messages can be disabled if the PC is additionally protected by a constantly loaded SpIDer Guard component.

You can raise the default level of anti-virus protection by selecting the Move to quarantine option in the Not checked messages drop-down list. Files with moved messages should then be checked with the Scanner.

Experienced users can disable the mode in which deleted or moved messages are immediately deleted from the POP3/IMAP4 server, and delete such messages manually or through more advanced settings of the mail program instead. To do this, clear the Delete modified messages on server check box in the advanced settings. To access the advanced settings, click the Options button. The advanced settings window contains:
- Scan options: Heuristic analysis, Virus activity control, Check archives
- Additional actions on messages: Insert X-AntiVirus header into messages, Delete modified messages on server
- Scanning optimization options: Message scan timeout, Max file size to extract, Max compression ratio, Max archive nesting level

Interception page

By default, SpIDer Mail automatically intercepts e-mail traffic
... the operating system in use and the installed components. The mode is designed for receiving a full local copy of the Dr.Web server update area; it cannot be used for updating the anti-virus installed on a computer.
- UPD: usual updating. It is used together with the REG switch to run the update session itself during registration.
- UPM <proxy mode>: mode of using a proxy server. It can have the following values:
  - direct: do not use a proxy server
  - ieproxy: use the system settings
  - userproxy: use the settings specified by the user in the Update pane of the Dr.Web toolbar, or by the PURL, PUSER and PPASS switches
- URL <url of the updating server>: only UNC paths are accepted.
- URM <mode>: restart after the update is finished. It can have the following values:
  - prompt: prompt if a reboot is needed after the update session is finished
  - noprompt: if necessary, reboot without prompting
  - force: always reboot, regardless of whether the update requires it
  - disable: disable reboot
- USER <user name of http server>: user name for the update server.
- UVB: update the virus databases and the drweb32.dll kernel only (disables UA if it is set).

A parameter may end with a negation character; in that negative form the parameter cancels the mode. This is useful when the mode was enabled by settings specified earlier in the configuration file.
... allows you to select the components to be installed, the destination folder and additional installation parameters. When you have chosen the type of installation, click Next. If you chose the default installation type, go to step 12.

In the case of a custom installation, a window for selecting the program components you wish to install opens. In the hierarchical list (SpIDer Guard; Mail protection with SpIDer Mail and Dr.Web for Microsoft Outlook; and so on), select the components you wish to install: clicking the icon next to a feature changes how it is installed, and the Feature Description panel reports the disk space the selection requires. You can also change the installation folder (by default C:\Program Files\DrWeb) if necessary. Click Next when you have finished selecting the components.

9. The window for selecting which shortcuts to Dr.Web Anti-virus should be created opens. Select the necessary options and click Next.
10. The window for adjusting proxy server settings opens. If you do not use a proxy server, choose Do not use proxy server. If you use the current settings for
(SpIDer Mail parameter table, continued; the descriptions for these rows are on the preceding page and the first key is truncated)

Key                        Values / default
...Analysis                Yes | No
CheckArchives              Yes | No
VirusActivityControl       Yes | No
ScanTimeout                250
MaxFileSizeToExtract       30720
MaxCompressionRatio        Infinite
MaxArchiveLevel            64
ShowAlerts                 Yes | No
ActionInfected             Delete | Move
ActionSuspicious           Delete | Move | Skip

The values On | Off, On | Off and ru, drweb.dwl that precede these rows belong to rows whose keys are cut off on the previous page.

Switches: ini file_name, key file_name, lng file_name

Description                                   Key                        Values / default
Not checked messages                          ActionNotChecked           Delete | Move | Skip
Delete modified messages on the server        DeleteMessagesOnServer     Yes | No
Insert X-AntiVirus header into messages       InsertXAntiVirus           Yes | No
Path to quarantine                            PathForMovedFiles          infected
Path to Dr.Web engine                         EnginePath                 empty
Path to Dr.Web virus database                 VirusBasesPath             empty
Flag file to detect an update                 UpdateFlag                 drwtoday.vdb
Period to check the flag file (s)             UpdatePeriod               300
Maximum loaded engines                        MaximumLoadEngines         10
Preload engines                               PreloadEngines             1
Unused engine unload timeout (s)              UnusedEngineUnloadTimeout  420
Enable logging                                EnableLog                  Yes | No
Enable logging of scan info                   EnableLogScanInfo          Yes | No
Log to file                                   LogFileName                spiderml.log
Maximum log file size (KB)                    MaximumLogSize             500

(continued on the next page of the appendix, where the keys and values follow) Enable icon animation; Enable tray icon; Show notifications; Intercept connections automatically or manual
Dr.Web Anti-virus for Windows
Doctor Web, 2003-2011. All rights reserved.

This document is the property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any purpose other than the purchaser's personal use without proper attribution.

TRADEMARKS
Dr.Web, the Dr.WEB logo, SpIDer Mail, SpIDer Guard, CureIt, CureNet and AV-desk are trademarks and registered trademarks of Doctor Web in Russia and/or other countries. Other trademarks, registered trademarks and company names used in this document are the property of their respective owners.

DISCLAIMER
In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or for any loss of profit or any other damage caused or alleged to be caused, directly or indirectly, by this document or by the use of or inability to use the information contained in this document.

Dr.Web Anti-virus for Windows, Version 6.0, User Manual, 11.08.2011

Doctor Web Head Office
2-12A, 3rd str. Yamskogo polya, Moscow, Russia, 125124
Web site: www.drweb.com
Phone: +7 (495) 789-45-87
Refer to the official web site for regional and international office information.

Doctor Web
Doctor Web develops and distributes Dr.Web information security solutions, which provide efficient protection from malicious software and spam. Doctor Web customers can be found among home users from all over the world and in government enterprises, small co
... If the D, M or R modifier is added to the switch, a different action is applied:
  - CND: delete
  - CNM: move (by default to the infected directory)
  - CNR: rename (by default the first character of the extension is replaced by the substitute character)
  The switch may end with the N modifier, in which case a message with the container type is not printed.
- CU: actions with infected files and boot sectors of drives. Without the additional D, M or R modifiers, curable objects are cured and incurable files are deleted, unless a different action is specified by the IC parameter. Other actions taken towards infected files:
  - CUD: delete
  - CUM: move (by default to the infected directory)
  - CUR: rename (by default the first character of the extension is replaced by the substitute character)
- DA: scan the computer once a day. The date of the next check is logged into the configuration file, which must therefore be writable.
- EX: scan files with the extensions listed in the configuration file. By default, or if the list is unavailable, these are: EXE, COM, DLL, SYS, VXD, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, 386, FON, DO?, XL?, WIZ, RTF, CL?, HT?, VB?, JS, INF, PP?, OBJ, LIB, PIF, AR?, ZIP, R??, GZ, Z, TGZ, TAR, TAZ, CAB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT, MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE, EML, NWS, SWF, MPP, TBB. If an element of the
Dr.Web Scanner settings: Log file page

The Log file page contains the Log to file check box with the log path (by default %USERPROFILE%\Doctor Web\DrWeb32w.log), the Log mode (Append or Overwrite), the Encoding (ANSI or OEM), the Limit log file size check box with the Maximum log file size field (4096 KB by default), and the Details group (Scanned objects, Names of file packers, Names of archivers, Statistics).

Most parameters set by default should be left unchanged. However, you can change the level of detail of the log. By default, information on infected or suspicious objects is always logged, while information on scanned packed files and archives and on the successful scanning of other files is omitted.
- To log the results of scanning of all files regardless of the result, select the Scanned objects check box. This considerably increases the size of the log file.
- To log the names of archivers, select the Names of archivers check box; to log the names of executable file packers, select the Names of file packers check box.
- To remove the default limit on the size of the log file, clear the Maximum log file size check box, or specify your own limit in the entry field next to the check box.

Command Line Scanning Mode

You can run Dr.Web Scanner for Windows in command-line mode, which allows you to specify the settings of the current scanning session and the list of objects
(Scanner parameter table, continued; the descriptions for the first rows are on the preceding page)

Keys: ... Threshold, FilesTypes. Values: Yes | No (eight flags), empty (three), and "see below the table" for the FilesTypes flags: SCP HA TS TB SD PF AR ML.

Description                                                    Section   Key              Values / default
List of masks                                                  Scanner   UserMasks        see below the table
Locations of excluded folders                                  Scanner   ExcludePaths     empty
Excluded files                                                 Scanner   ExcludeFiles     empty
Scan hard drives (if scanned with the command-line parameter
  and when the Select drives button is pressed)                Scanner   ScanHDD          Yes | No
Scan floppies (same conditions)                                Scanner   ScanFDD          Yes | No
Scan compact disks (same conditions)                           Scanner   ScanCD           Yes | No
Scan network disks (same conditions)                           Scanner   ScanNet
Prompt on action                                               Scanner   PromptOnAction
Rename extension                                               Scanner   RenameFilesTo
Move path                                                      Scanner   MoveFilesTo
Location of virus databases                                    Scanner   VirusBase
Path to the folder with temporary files of the component       Scanner   TempPath
Actions with all types of malicious programs                   Scanner
Infected objects                                               Scanner

(the values of the last rows are on the next page of the appendix)
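An added example, not a Doctor Web tool, that reads an INI configuration with the keys listed in the Scanner and SpIDer Mail parameter tables and flags the values that weaken protection (exclusions, unscanned network disks, archives or heuristics switched off, suspicious or unchecked messages delivered as Skip, logging off), with a weak and a hardened configuration side by side. The section name [SpIDerMail], the key name HeuristicAnalysis (the page shows it truncated) and both sample configurations are assumptions constructed for the example.

```python
"""Audit a Dr.Web-style INI configuration for settings that weaken protection.

Added example, not Doctor Web's code. Keys come from the parameter tables on
this page; the [SpIDerMail] section name, the HeuristicAnalysis key and the
two sample configurations are assumptions.
"""
from configparser import ConfigParser

WEAK_INI = """
[Scanner]
ScanHDD=Yes
ScanNet=No
ExcludePaths=C:\\Build;D:\\Shares
ExcludeFiles=*.tmp
PromptOnAction=No

[SpIDerMail]
HeuristicAnalysis=No
CheckArchives=No
ActionInfected=Delete
ActionSuspicious=Skip
ActionNotChecked=Skip
DeleteMessagesOnServer=Yes
EnableLog=No
"""

HARDENED_INI = """
[Scanner]
ScanHDD=Yes
ScanNet=Yes
ExcludePaths=
ExcludeFiles=
PromptOnAction=Yes

[SpIDerMail]
HeuristicAnalysis=Yes
CheckArchives=Yes
ActionInfected=Delete
ActionSuspicious=Move
ActionNotChecked=Move
DeleteMessagesOnServer=Yes
EnableLog=Yes
"""

# (section, key, predicate over the lower-cased value, finding). A true predicate is a finding.
CHECKS = [
    ("Scanner", "ExcludePaths", lambda v: v != "",
     "folders are excluded from scanning; each exclusion is a blind spot"),
    ("Scanner", "ExcludeFiles", lambda v: v != "",
     "file masks are excluded from scanning"),
    ("Scanner", "ScanNet", lambda v: v == "no",
     "network disks are not scanned"),
    ("SpIDerMail", "HeuristicAnalysis", lambda v: v == "no",
     "heuristic analysis is off, so unknown viruses are not caught"),
    ("SpIDerMail", "CheckArchives", lambda v: v == "no",
     "attached archives are not checked"),
    ("SpIDerMail", "ActionSuspicious", lambda v: v == "skip",
     "suspicious messages are delivered unchanged"),
    ("SpIDerMail", "ActionNotChecked", lambda v: v == "skip",
     "messages that could not be checked are delivered unchanged; Move is the manual's recommendation"),
    ("SpIDerMail", "EnableLog", lambda v: v == "no",
     "logging is off, so incidents cannot be reconstructed"),
]


def parse(text):
    # interpolation=None: values such as %TMP% must not be treated as interpolation.
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return (section, key, raw value, finding) for every weak setting present in the text."""
    cp = parse(text)
    findings = []
    for section, key, is_weak, message in CHECKS:
        if not cp.has_option(section, key):   # absent key: the built-in default applies
            continue
        raw = cp.get(section, key)
        if is_weak(raw.strip().lower()):
            findings.append((section, key, raw, message))
    return findings


if __name__ == "__main__":
    for section, key, raw, message in audit(WEAK_INI):
        print(f"[{section}] {key}={raw!r}: {message}")
    print("hardened config findings:", audit(HARDENED_INI))
```

Keys the audit does not find are skipped rather than reported, because the page gives defaults for only some of them; extend CHECKS with the defaults from the tables once you have confirmed them on your installation.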
- Time: the date and time when the packet was processed.
- Direction: the packet sender:
  - the packet was transmitted from the network to your computer
  - the packet was transmitted from your computer to the network
  - the packet sent from the network to your computer was blocked
  - the packet sent from your computer to the network was blocked
- Rule name: the name of the applied rule.
- Interface: the interface used to transmit the packet.
- Packet data: packet details. The Logging mode setting of the rule determines the amount of stored data.

On this page you can save the information to a file or clear the log.
- To save the packet filter log, click Save, then enter the name of the file in which to store the log.
- To clear the packet filter log, click Clear. All information will be deleted from the log.

Automatic Launch of Tasks for Scanning and Updating in Dr.Web

During Dr.Web Anti-virus installation, a task to update the virus databases and the other files of the package is automatically created in the system scheduler (the Scheduled Tasks folder). To view the parameters of this task, select Scheduler in the Tools submenu of the SpIDer Agent context menu. The settings for Windows XP are described below; in Windows Vista/7 the Scheduler item opens the Task Scheduler.

The Dr.Web Update task (C:\WINDOWS\Tasks\Dr
50. [Screenshot, Task tab of the Dr.Web Update.job task: Run: the DrwebUpw.exe executable in the Dr.Web installation folder (C:\Program Files\DrWeb) with the parameters go, st, qu; Start in: C:\Program Files\DrWeb; Comments; Run as: NT AUTHORITY\SYSTEM; Set password; Run only if logged on; Enabled (scheduled task runs at specified time).]
In the Task tab the full name of the executable file and the command line parameters of the task are specified. The Enabled check box instructs to perform the task; if the check box is cleared, the task is saved to the folder but is not performed.
In the Schedule tab the schedule according to which a task will be run automatically is made. [Screenshot, Schedule tab: "Every 30 minute(s) from 16:14 for 24 hour(s) every day, starting 09.03.2010"; Schedule Task: Daily; Start time: 16:14; Every 1 day(s); Show multiple schedules.] Click Advanced. The Advanced Schedule Options window will open. [Screenshot, Advanced Schedule Options: Start Date; End Date; Repeat task: Every 30 minutes; Until: Time / Duration 24 hour(s) 0 minute(s); If the task is still running, stop it at this time.]
The Scheduler item will be blocked by Firewall after Dr.Web Anti-virus installation and the first system reboot. Scheduled tasks will operate only after the second r
51. address is not intercepted if the asterisk is specified. If necessary, this address should be specified in the interception list explicitly.
To set up manual interception:
1. On the previously mentioned Interception page, for setting up the mode of interception, select the Manual connections setup radio button and click the Parameters button. A window for setting up manual connections will open. [Screenshot: entry fields SpIDer Mail port, Server address, Server port; the first SpIDer Mail port is 7000.]
2. Make up a list of resources (POP3, SMTP, IMAP4, NNTP servers) connections to which should be intercepted. Number them one after another, starting from 7000. Hereinafter these numbers will be called SpIDer Mail ports.
3. For every resource, input the appropriate number into the SpIDer Mail port entry field, a domain name or IP address of the server into the Server address entry field, and the port number to which a connection is made into the Server port entry field, and click the Add button. Repeat these actions for each resource.
5. Click OK.
In the settings of the mail client, instead of the address and port of a POP3/SMTP/IMAP4/NNTP server, specify the address localhost and the port port_SpIDer_Mail, where port_SpIDer_Mail is the SpIDer Mail port assigned to the appropriate POP3/SMTP/IMAP4/NNTP server.
Dr.Web for Outlook
General Functions
Dr.Web for Outlook
52. and advertisements, scam agencies, marketing agencies, criminal organizations, industrial espionage agents, etc. Spyware is secretly loaded to your system together with some other software or when browsing certain HTML pages and advertising windows. It then installs itself without the user's permission. Unstable browser operation and decrease in system performance are common side effects of spyware presence.
Adware. Usually this term refers to program code implemented into freeware programs which perform forced display of advertisements to a user. However, sometimes such code can be distributed via other malicious programs and show advertisements in internet browsers. Many adware programs operate with data collected by spyware.
Joke programs. Like adware, this type of malicious program does not deal any direct damage to the system. Joke programs usually just generate message boxes about errors that never occurred and threaten to perform actions which will lead to data loss. Their purpose is to frighten or annoy a user.
Dialers. These are special programs which are designed to scan a range of telephone numbers and find those where a modem answers. These numbers are then used to mark up the price of telephoning facilities or to connect the user to expensive telephone services.
All the above programs are considered malicious because they pose a threat to the user's data or his right of conf
53. and go to the site specified on the product registration card supplied with your copy of the product.
2. Fill in the registration form. Enter the serial number which is typed on the registration card.
4. The license key file is archived and sent to the e-mail address you specified in the registration form. After registration you can also download the license key file from the registration page. Windows operating systems extract files from ZIP archives automatically; you do not need to purchase or install additional software.
5. Install the key file.
To acquire key files during installation: the key file can be delivered as a key file or an archive containing such a file. A user can receive the key file via the Dr.Web Updater after registration, during installation or the first update. The utility registers the program after the serial number is provided on the official web site and receives the key file. This procedure is available only for Dr.Web programs which protect individual workstations. Without a serial number the user can only receive a demo key file. See Receiving key file.
It is required to reboot the system after the key file is received.
It is recommended to keep the key file until it expires. If you re-install a product or install it on several computers, additional registration of the serial number will not be required, because the key file received during the first registra
54. and line. TB: scan boot sectors and master boot records (MBR) of the hard drive. TM: search for viruses in main memory (including the Windows system area available for scanners); for Windows only. TS: search for viruses in autorun files (in the Autorun directory, system .ini files, Windows registry); it is used only in scanners for Windows. UPN: disable the output of names of file packers used for packing the scanned executable files to the log file. WA: do not terminate the program until any key is pressed if viruses or suspicious objects are found; for console scanners only.
Certain parameters allow the negation character to be used at the end. In such negative form the parameter means cancellation of the mode. Such an option can be useful if this mode is enabled by default or with the settings specified earlier in the configuration file. Here is the list of the command line parameters allowing the negative form: ADW, AR, CU, DLS, FAST, FULL, HA, HCK, IC, JOK, ML, MW, OK, PF, PR, RSK, SD, SL, SO, SP, SS, TB, TM, TS, WA.
For the CU, IC and SP parameters the negative form cancels any actions specified in the description of these parameters. This means that infected and suspicious objects will be reported, but no actions will be applied. For the INI and RP parameters the negative form is written as NI and NR accordingly. For AL and EX the negative form is not allow
55. ane of the window displays detailed information about the selected objects. You can also display this information in the table.
To configure the table view:
1. Right-click the header of the table and select Customize columns. In the opened window, set the checkboxes next to those items that you want to display in the table, or clear the checkboxes next to those items that you want to hide. You can also do one of the following:
- To select checkboxes for all items, click Check all.
- To clear all checkboxes, click Uncheck all.
Use Move up and Move down to change the position of a column in the table. After editing, click OK to save the changes or Cancel to cancel them.
The left pane serves to filter the quarantine objects to display. Click the corresponding option to display all quarantine objects or just specified groups (files, mail objects, web pages, or all other objects not classified). In the quarantine window only the users with access rights to the files can see those files.
Use the following buttons to manage the quarantine:
Add: add the file to the quarantine. Select the necessary file in the opened file system browser.
Restore: remove the file from the quarantine and restore the original location of the file, i.e. restore the file to the folder where it had resided before it was moved to the quarantine. Use this option only when you are sure that the objects are not ha
56. b Firewall; Managing Dr.Web Firewall; Firewall settings; Event Logging; Automatic Launch of Tasks for Scanning and Updating in Dr.Web; Automatic Updating; General Information; Launching and Using the Automatic Updating Utility; Appendices; Appendix A. Additional Command Line Parameters of the Anti-virus; Appendix B. Adjustable Parameters of Dr.Web Components; Appendix C. Malicious Programs and Methods of Neutralizing Them (168); Appendix D. Naming of Viruses (175); Appendix E. Corporate network protection by Dr.Web Enterprise Suite (180); Appendix F. Dr.Web AV-Desk for Internet services providers (187); Appendix G. Technical Support (192).
Introduction
Dr.Web Anti-virus for Windows provides multi-level protection of RAM, hard disks and removable devices against viruses, rootkits, Trojans, spyware, adware, hack tools and other malicious programs. The module architecture of Dr.Web Anti-virus is its significant feature: Dr.Web uses the anti-virus engine and virus databases which are common for all its components and different operating environments. At present, in addition to Dr.Web Anti-virus, there are versions of the anti-virus for IBM OS/2, Novell NetWare, Macintosh, Microsoft Windows Mobile, Android, Symbian and several Unix-ba
57. cence or demo key file during installation. This key file provides full functionality of Dr.Web Anti-virus components; however, updating is not available until you install a licence or demo key file.
A valid license key file satisfies the following criteria:
- License is not expired.
- All anti-virus components required by Dr.Web Anti-virus are licensed.
- Integrity of the license key file is not violated.
If any of the conditions are violated, the license key file becomes invalid and Dr.Web Anti-virus stops detecting and neutralizing malicious programs and transmits
Get Key File
The key file can be delivered as a key file or an archive containing such a file. You can receive key files in one of the following ways:
- During installation, first update or later.
- Via manual product registration on the official Doctor Web website.
- Within the product distribution kit.
- On a separate data carrier provided by the seller.
Key files received during installation or within the installation kit are installed automatically. You need to install key files received in another way.
To acquire key files via manual registration: to register and download key files, a valid Internet connection is required. To receive a license key file, a product serial number is required. Without a serial number you can only receive a demo key file during installation.
1. Launch an Internet browser
58. [Screenshot, License Manager: "Licences for Dr.Web Antivirus", All accessible licences; "Dr.Web antivirus components accessible under the licence 13524586": SpIDer Mail, Scanner, SpIDer Guard, Updater, SpIDer Guard for servers, Anti-spa, Firewall; buttons Get new license, Online service My Dr.Web, Delete current license.]
Selected Dr.Web Anti-virus components for your license are specified in the Dr.Web antivirus components group box. The Online service My Dr.Web item opens your personal web page on the official Doctor Web web site. This page gives information about your license (period of usage, serial number), allows you to renew your license, contact Technical Support, etc.
To start the registration procedure for receiving the key file from the Doctor Web server, click the Get new licence button and choose "from Internet" in the drop-down menu. That will launch the key file receiving procedure.
To add a key file:
1. Press the Get new licence button. Choose "from file" in the drop-down menu.
2. Select the file in a standard window.
3. Dr.Web Anti-virus will automatically start to use the key file.
If you received a key file during installation or in the distribution kit (complete set), installation of the key file is made automatically and does not demand any additional actions.
To delete a key file from the list, select it and click the Delete current licence button. The last used key cannot be removed.
59. cious program used to intercept system functions of an operating system in order to conceal itself. Besides, a rootkit can conceal tasks of other programs, registry keys, folders and files. It can be distributed either as an independent program or as a component of another malicious program. A rootkit is basically a set of utilities which a cracker installs on a system to which she had just gained access. There are two kinds of rootkits according to the mode of operation: User Mode Rootkits (UMR), which operate in user mode (intercept functions of the user mode libraries), and Kernel Mode Rootkits (KMR), which operate in kernel mode (intercept functions on the level of the system kernel), which makes them harder to detect.
Hacktools. Hacktools are programs designed to assist the intruder with hacking. The most common among them are port scanners, which detect vulnerabilities in firewalls and other components of the computer's protection system. Besides hackers, such tools are used by administrators to check the security of their networks. Occasionally, common software which can be used for hacking and various programs that use social engineering techniques are designated as hacktools as well.
Spyware. This type of malicious program is designed to perform monitoring of the system and send the gathered information to a third party (the creator of the program or some other person concerned). Among those who may be concerned are distributors of spam
60. described below.
To use the Updater you should have an Internet connection. The user should have administrator rights to update components of Dr.Web.
Launching and Using the Automatic Updating Utility
The Automatic Updating Utility (Updater) can be launched in one of the following ways:
- automatically, according to schedule (read Automatic Launch of Tasks for Scanning and Updating in Dr.Web);
- from the command line, by activating the drwebupw.exe executable file from the program's installation folder;
- by selecting the Update item in the context menu of the SpIDer Agent icon;
- by selecting the Update item of the File menu in the main window of the Scanner (read Using Dr.Web Scanner for Windows);
- by pressing F8 in the active Scanner window.
If you launch Dr.Web Updater from the SpIDer Agent menu or from the command line, the dialog window will open. You can launch the update or set the necessary parameters. Also you can set the Log details flag to increase the change log detail level. All changes are logged into the drwebupw.log file that is located in the %USERPROFILE%\DoctorWeb folder (in Windows 7: C:\Users\<username>\DoctorWeb).
If Dr.Web Updater is launched automatically, changes are logged into the drwebupw.log file that is located in the installation folder.
[Screenshot, Dr.Web Updater: "Dr.Web Updates helps you download latest Dr.Web virus databases and program modules"; Log details check box.]
61. e logs of the network, both of separate Servers and the summary log of the whole anti-virus network. In large networks Dr.Web AV-Desk increases reliability of anti-virus protection and cuts costs for its administration compared to personal anti-virus programs. Dr.Web AV-Desk has several advantages in comparison to other similar products: high reliability and security of applied solutions, easy administration, multiplatform structure of all components, excellent scalability.
Appendix G. Technical Support
Support is available to customers who have purchased a commercial version of Dr.Web products. Visit the Doctor Web Technical Support website at http://support.drweb.com. If you encounter any issues installing or using company products, take advantage of the following Doctor Web support options:
- Download and review the latest manuals and guides at http://download.drweb.com
- Read the frequently asked questions at http://support.drweb.com
- Look for the answer in the Dr.Web knowledge database at http://wiki.drweb.com
- Browse the Dr.Web official forum at http://forum.drweb.com
If you have not found a solution for the problem, you can request direct assistance from Doctor Web Technical Support by filling in the web form in the corresponding section of the support site at http://support.drweb.com. For regional office information, visit the official Doctor Web website at http
62. e viruses written in high-level programming languages such as C, C++, Pascal, Basic and others;
- HLLW: worms;
- HLLM: mail worms;
- HLLO: viruses overwriting the code of the victim program;
- HLLP: parasitic viruses;
- HLLC: companion viruses.
The following prefix also refers to the development language:
- Java: viruses designed for the Java virtual machine.
Script viruses. Prefixes of viruses written in different script languages: VBS (Visual Basic Script), JS (Java Script), Wscript (Visual Basic Script and/or Java Script), Perl (Perl), PHP (PHP), BAT (MS-DOS command interpreter).
Trojan horses. Trojan: a general name for different Trojan horses (Trojans). In many cases the prefixes of this group are used with the Trojan prefix. PWS: password stealing Trojan. Backdoor: Trojan with RAT function (Remote Administration Tool, a utility for remote administration). IRC: Trojan which uses Internet Relay Chat channels. DownLoader: Trojan which secretly downloads different malicious programs from the Internet. MulDrop: Trojan which secretly downloads different viruses contained in its body. Proxy: Trojan which allows a third-party user to work anonymously in the Internet via the infected computer. StartPage (synonym: Seeker): Trojan which makes unauthorized replacement of the browser's home page address (start page). Click: Trojan which redirects
63. eb option in the License Manager or SpIDer Agent menu.
2. If the current key file is invalid, Dr.Web Anti-virus automatically switches to using the new license.
How to Test Anti-virus
The EICAR (European Institute for Computer Anti-Virus Research) Test File helps testing performance of anti-virus programs that detect viruses using signatures. For this purpose most of the anti-virus software vendors generally use a standard test.com program. This program was designed specially so that users could test the reaction of newly installed anti-virus tools to detection of viruses without compromising the security of their computers. Although the test.com program is not actually a virus, it is treated by the majority of anti-viruses as if it were a virus. On detection of this "virus" Dr.Web Anti-virus for Windows reports the following: EICAR Test File (Not a Virus). Other anti-virus tools alert users in a similar way. The test.com program is a 68-byte COM file that prints the following line on the console when executed: EICAR-STANDARD-ANTIVIRUS-TEST-FILE! The test.com file contains the following character string only: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
To create your own test file with the "virus", you may create a new file with this line and save it as test.com.
malicious software, because this file is a DOS application and does
In optimal mode SpIDer Guard d
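The EICAR test file described above, as an added example that is not part of the Dr.Web manual: the 68-byte string and the matching rules (file starts with the string, is at most 128 bytes, only whitespace may follow) are taken from the public EICAR specification, which is an assumption of this example rather than text quoted from the manual, and write_test_com, is_eicar_test_file and eicar_printed_message are names chosen here.

```python
"""Added example (not from the Dr.Web manual): build and recognise the EICAR
test file that the "How to Test Anti-virus" section describes.

The 68-byte string and the matching rules below come from the public EICAR
specification, assumed here rather than quoted from the manual: a file is
the EICAR test file when it starts with the string, is at most 128 bytes
long, and carries only whitespace after the 68 bytes.
"""
import tempfile
from pathlib import Path
from typing import Optional

# The EICAR test string; raw strings because the first part holds a backslash.
EICAR_STRING = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
    r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_BYTES = EICAR_STRING.encode("ascii")
EICAR_MAX_FILE_LEN = 128          # spec limit (assumption, see docstring)
TRAILING_WHITESPACE = b" \t\r\n"  # only these may follow the 68 bytes


def is_eicar_test_file(data: bytes) -> bool:
    """Return True if `data` is an EICAR test file under the spec rules.

    Unlike a naive substring search, this rejects a file that merely embeds
    the string inside other content, which is what the spec asks of engines
    so that the harmless string does not raise alerts on ordinary files.
    """
    if len(data) > EICAR_MAX_FILE_LEN or not data.startswith(EICAR_BYTES):
        return False
    tail = data[len(EICAR_BYTES):]
    return all(byte in TRAILING_WHITESPACE for byte in tail)


def eicar_printed_message() -> str:
    """The text the COM program prints when run under DOS.

    The program calls the DOS print-string service, which prints up to the
    first '$'; the text between the first and second '$' is the message.
    """
    first = EICAR_STRING.index("$") + 1
    second = EICAR_STRING.index("$", first)
    return EICAR_STRING[first:second]


def write_test_com(directory: Optional[Path] = None) -> Path:
    """Write test.com as the manual suggests, into `directory` (a fresh
    temporary directory when none is given), and return its path."""
    target_dir = Path(directory) if directory else Path(tempfile.mkdtemp())
    path = target_dir / "test.com"
    path.write_bytes(EICAR_BYTES)  # no trailing newline: exactly 68 bytes
    return path


if __name__ == "__main__":
    written = write_test_com()
    print(f"wrote {written} ({written.stat().st_size} bytes)")
    print("recognised as EICAR:", is_eicar_test_file(written.read_bytes()))
    print("prints when executed:", eicar_printed_message())
```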
64. ed. However, specifying one of them cancels the other. If several alternative parameters are found in the command line, the last of them takes effect.
The DWScancl Console Scanner parameters
AR: test archive files. Option is enabled by default.
AC: test containers. Option is enabled by default.
AFS: use forward slash to separate paths in archive. Option is disabled by default.
ARC <ratio>: maximum archive object compression. If the compression rate of the archive exceeds the limit, Console Scanner neither unpacks nor scans the archive. Unlimited by default.
ARL <level>: maximum archive level. Unlimited by default.
ARS <size>: maximum archive size (KB). If the archive size exceeds the limit, Scanner neither unpacks nor scans the archive. Unlimited by default.
ART <size>: minimum archive object matched by ARC (minimum size of a file inside the archive, beginning from which co
65. ed archived files. Set this flag to enable checking, clear it to disable.
For different types of objects, actions are assigned separately. The following actions for detected virus threats are provided:
Cure (only for infected objects): instructs to try to restore the original state of an object before infection.
As incurable (only for infected objects): means that the action specified for incurable objects will be performed.
Delete: delete the object.
Move to quarantine: move the object to the special Quarantine folder.
Skip: skip the object without performing any action or displaying a notification.
Logging
Dr.Web for Outlook registers errors and application events in the following logs:
- Windows Event Log
- Text Dr.Web debug log
Event Log. Dr.Web for Outlook registers the following information in the Windows Event Log:
- Plug-in starts and stops.
- License key file parameters: license validation, license expiration date (information is written during program launch, during program operation and when the key file is changed).
- License errors: the key file is absent, permissions for usage of program modules are absent in the key file, the licence is blocked, the key file is corrupted (information is written during program launch and during program operation).
- Parameters of program modules: Scanner, engine, virus bases (information is written during program launch
66. emove an installed version of Dr.Web Anti-virus, start the installation wizard. After selecting the language for the installation wizard, the following window will open. [Screenshot, Program Maintenance: Modify, repair or remove the program. Modify: Change which program features are installed. This option displays the Custom Selection dialog in which you can change the way features are installed. Remove: Remove Dr.Web anti-virus for Windows 6.0 (x86) from your computer.]
In this window:
1. To change the set of installed components, select Modify and click Next. The Custom Installation window will open. To remove all the components, select Remove.
2. During removal of Dr.Web Anti-virus or changing the set of installed components, it is necessary to disable Self-Protection. To do this, enter the digits shown on the picture.
3. At the end of the installation, reboot the computer when prompted.
You can start the modification, repair or removal procedure via the standard Windows utility Add/Remove Programs.
Receiving the Key File
At the first step of the procedure you will be offered to choose what type of key file you would like to obtain: either license or demo. [Screenshot: "Dear User! A license key file is needed for the operation of Dr.Web Anti-Virus. To continue you need to register and to obtain either a license key file or a demo key file fro"]
67. en Scanner settings, do one of the following:
- Select the Options item in the menu located at the top of the main window and then choose Change settings in the opened submenu.
- Make sure that the Scanner window is active and press F9.
This will open the Scanner settings window, which contains several tabs. [Screenshot, Scanning tab: File types; Heuristic analysis; Excluded paths (C:\Users\Olga\Pictures); Excluded files.]
2. Make the necessary changes and click Apply when switching to another pane.
3. For more detailed information on the settings specified in each tab, use the Help button. Also for the majority of settings specified in the panes a context help feature is available, which is activated by right-clicking an element of the interface.
4. When editing is finished, click OK to save the changes made or Cancel to cancel the changes.
The most frequent changes in default settings are described below. The default settings of Dr.Web Anti-virus are optimal for scanning on user demand. The program performs full and detailed scanning of the selected objects and informs the user of all infected or suspicious objects, leaving him with the right to decide what action should be taken upon their detection. The objects containing joke programs, riskware or hacktools are excluded: for them the Ignore action is specified by default. However, when scanning is performed without the
68. er. 12: Scanning Engine did not start. 255: scanning was aborted by user request.
SpIDer Guard for Windows
By default SpIDer Guard is loaded automatically at every Windows startup and cannot be unloaded during the current Windows session. If it is necessary to temporarily disable SpIDer Guard (for example, when a task consuming too many processor resources is performed in real time mode), select the Disable item in the menu of the SpIDer Guard item (read SpIDer Agent). Only a user with administrator rights can temporarily disable SpIDer Guard.
By default SpIDer Guard performs on-access scanning of files that are being created or changed on the HDD and of all files that are opened on removable media. It scans these files in the same way as the Scanner but with milder options. Besides, SpIDer Guard constantly monitors running processes for virus-like activity and, if it is detected, blocks these processes. By default, upon detection of infected objects, SpIDer Guard supplied with Dr.Web Anti-virus acts according to the actions set on the Actions tab. You can set the program's reaction to virus events by adjusting the corresponding settings. A user can control it with the help of the Statistics window and the log file.
Managing the Guard
Main tools for setting and managing SpIDer Guard reside in its menu. About Reg
69. er documents folder (My documents); System temporary folder; User temporary folder. [Screenshot, scan results table with the columns Object, Path, Status, Action; a "Process in memory" row for svchost.exe.]
There are 3 scanning modes: Express scan, Complete scan and Custom scan. Depending on the selected mode, either a list of objects which will be scanned or a file system tree is displayed at the center of the window.
In Express scan mode the following objects are scanned:
- Random access memory
- Boot sectors of all disks
- Autorun objects
- Boot disk root directory
- Windows installation disk root directory
- Windows system folder
- User documents folder (My documents)
- System temporary folder
- User temporary folder
If Complete scan mode is selected, random access memory, all hard drives and removable media (including boot sectors of all disks) are scanned.
Custom scan mode allows you to select folders and files for scanning. When this mode is selected, a file system tree will appear in the center of the Scan pane. If necessary, you can expand objects in the file system tree down to the level of any folder or file. Select the necessary objects for scanning in the file system tree. The illustration below shows the situation when the Documents and Settings folder on the C: logical disk is selected for scanning. [Screenshot: Dr.Web Scanner for Windows (registered to User), menu File / Setting
70. er of rules. The rules are applied according to their order in the set.
5. When you finish adjusting the settings, click OK to save changes or Cancel to reject them.
To add or edit a rule:
1. In the packet filter rule set creation or modification window, click New or Edit. This opens a rule creation or rule modification window. [Screenshot: fields Direction, Logging mode (Log headers), Network protocol, Remote IP address, Transport protocol (Unspecified).]
2. Configure the following parameters:
General. Rule name: the rule name. Description: the rule description. State: one of the following execution states for the rule:
- Enabled: apply the rule for all matching packets.
- Disabled: do not apply the rule yet.
Direction: the packet sender:
- Inbound: apply the rule when the packet is received from the network.
- Outbound: apply the rule when the packet is sent into the network from your computer.
- Any: apply the rule regardless of packet transfer direction.
Action: the action for Dr.Web Firewall to perform when the packet is intercepted:
- Block packets
- Allow packets
Logging: the logging mode for the rule. This parameter defines which information is stored in the Dr.Web Firewall log: Log headers (log packet headers only), Entire packet (log whole packets), No logging (do not log any information).
Network Level
71. er or automatically (see Automatic Launch of Tasks for Scanning and Updating in Dr.Web). It is recommended for the Scanner to be run by a user with administrator rights, because files to which unprivileged users have no access (including system folders) are not scanned.
To launch the Scanner, do one of the following:
- Click the Dr.Web Scanner icon on the Desktop.
- Click the Scanner item in the context menu of the SpIDer Agent icon in the taskbar notification area (see the SpIDer Agent chapter).
- Click the Dr.Web Scanner item in the All Programs > Dr.Web directory of the Windows Start menu.
- Run the corresponding command in the Windows command line (read Command Line Scanning Mode).
You can also run the Scanner with default settings to scan a certain file or folder immediately:
- Select Check by Dr.Web in the context menu of the file or folder icon on the Desktop or in Windows Explorer.
- Drag and drop the icon of the file or folder onto the Scanner icon or into the main window of the Scanner (see illustration below).
When the Scanner launches, its main window opens. [Screenshot: Dr.Web Scanner for Windows (registered to User), menu File / Settings / Help, tabs Scan / Statistics.]
In this mode the following objects are scanned: Random access memory; Boot sectors of all disks; Startup objects; Boot disk root directory; Root directory of the Windows installation disk; Windows system folder; Us
72. erface corresponds to it (printed in light type). In the Table, Scanner is used for both versions of the Scanner (Scanner GUI and Console scanner). If a corresponding parameter of the configuration file is missing for some mode, the values of parameters are specified in brackets and relate to the interface dialog element or to the specified command line switch. The command line switches corresponding to the given parameter are described shortly, without the majority of modifiers. Detailed information on switches is given in Appendix A.
Parameter | Section | Key | Values / switch
Scan mode | Scanner | ScanFiles | All (AL), ByType (EX), ByMasks
Express scan of the system | Scanner | | (FAST)
Full scan of the system | Scanner | | (FULL)
Priority of the scanning process (from 1 to 50) | Scanner | |
Heuristic analysis | Scanner | HeuristicAnalysis |
Scan memory | Scanner | TestMemory |
Scan autorun files | Scanner | TestStartup |
Scan boot sectors | Scanner | TestBootSectors |
Scan subfolders | Scanner | ScanSubDirectories |
Prompt on multiple floppies | Scanner | PromptFloppy |
Archives | Scanner | CheckArchives |
Mail files | Scanner | CheckEMailFiles |
Max size of unpacked archive to check (KB) | Console Scanner | MaxFileSizeToExtract |
Max compression ratio for archive | Console Scanner | MaxCompressionRatio |
Threshold for MaxCompressionRatio (KB) | Console scanner | CompressionCheck |
List of extensions | Scanner | |
73. [Screenshot, application filter log rows: 3/1/2010 2:12:0, C:\windows\system32\svchost.exe, Block SSDP queries (several identical rows).]
Time: the date and time of the connection attempt.
Application: the full path to the application executable file, its name and process identification number (PID).
Rule name: the name of the rule applied.
Direction: the party which initiated the connection:
- Inbound: someone from the network attempted to connect to the application on your computer.
- Outbound: the application on your computer attempted to connect to the network.
- Any: the rule was applied regardless of who initiated the connection.
Action: the action Dr.Web Firewall performed when the connection attempt was detected:
- Block packets
- Allow packets
Endpoint: the protocol, IP address and port used for the connection.
On this page you can save the information to a file or clear the log. To save the application filter log, click Save, then enter the file name where to store the log. To clear the application filter log, click Clear; all information will be deleted from the log.
Packet Filter Log
The packet filter log stores information on packets transmitted through all network interfaces installed on your computer, if Log headers or Entire packet logging
74. ers can be useful if the option was enabled or disabled by default or was set in the configuration file earlier. Keys with modifiers are listed below: /AR, /AC, /AFS, /BI, /DR, /HA, /LN, /LS, /MA, /NB, /NT, /OK, /QNA, /REP, /SCC, /SCN, /SPN, /SLS, /SPS, /SST, /TB, /TM, /TS, /TR, /WCL.
For the /FL parameter, the modifier directs the scanner to scan the paths listed in the specified file and then delete this file. For the /ARC, /ARL, /ARS, /ART, /ARX, /NI, /X, /PAL, /RPC and /W parameters, the value 0 means that there is no limit.
Example of using command line parameters with DWScancl (Console Scanner):
<path_to_file>dwscancl /AR- /AIN:C /AIC:Q C:
scan all files on disk C excluding those in archives, cure the infected files and move to quarantine those that cannot be cured.
The modes specified by default (if no configuration file is available or used) are described in the table in Appendix B, Adjustable parameters of Dr.Web components.
Automatic Updating Module command line parameters
If the Updater is run automatically or in the command line mode, you can input the following command line parameters:
/DBG: detailed log.
/DIR <directory>: change the name of the folder where the updated files are placed; by default the folder from which the Updater was launched is used.
/INI <path>: use an alternative configuration file with the specified name or path.
/GO: package operation mode without dia
75. est, M maximal.
/PAL:<level>: maximum pack level. Value is 1000 by default.
/RA:<file.log>: add the report to file.log. No report by default.
/RP:<file.log>: write the report to file.log. No report by default.
/RPC:<secs>: Dr.Web Scanning Engine connection timeout. Timeout is 30 seconds by default.
/RPCD: use dynamic RPC identification.
/RPCE: use dynamic RPC endpoint.
/RPCE:<name>: use the specified RPC endpoint.
/RPCH:<name>: use the specified host name for remote call.
/RPCP:<name>: use the specified RPC protocol. Possible protocols: lpc, np, tcp.
/QL: list quarantined files on all disks.
/QL:<drive>: list quarantined files on drive <drive letter>.
/QR[:d][:p]: delete quarantined files on drive d (letter) older than p days (number). If d is unspecified: all drives; if p is unspecified: 0 days.
/QNA: always double-quote file names.
/REP: follow reparse points. Option is disabled by default.
/SCC: show content of compound objects. Option is disabled by default.
/SCN: show container name. Option is disabled by default.
/SPN: show packer name. Option is disabled by default.
/SLS: show log on screen. Option is enabled by default.
/SPS: show progress on screen. Option is enabled by default.
/SST: show file scan time. Option is disabled by default.
/TB: test boot sectors. Option is d
76. estart when the new rule is already created.
(1) If the installed components include Dr.Web Firewall.
Task Scheduler
You can set your own tasks for anti-virus updating and scanning, and delete or edit tasks. Consult the Help system and Windows documentation for more details on the system scheduler operation.
Automatic Updating
Modern computer viruses are characterized by high-speed distribution. Within several days, and sometimes hours, a newly emerged virus can infect millions of computers around the world. The developers of the anti-virus constantly supplement the virus databases with new records. When such updates are installed, the anti-virus can detect new viruses, block their distribution and in some cases cure the infected files. From time to time the anti-virus algorithms, implemented as executable files and program libraries, are updated. Field experience with the anti-virus helps to correct the detected program errors; the help system and documentation are improved. To speed up and facilitate the receipt and installation of the virus database updates and other files, a special component, Dr.Web Automatic Updating Utility for Windows (Updater), was created.
General Information
The operation of the Updater is governed by the structure of the virus databases and by the method of updating the virus databases and the program as a whole.
- The program includes the main virus database
77. ey file which regulates your rights to use the software. Specify the path to an available valid key file.
[Installation wizard screenshot: Path to key file: C:\Users\TestLab\Desktop\drweb32_x86 beta.key; options Receive key file during installation, Receive key file later; Cancel]
Receive key file during installation: select this option to run the registration procedure during installation if you have a serial number or would like to receive a demonstration key file.
Receive key file later: if you select this option, Dr.Web Anti-virus for Windows 6.0 x86 will not be updated until you get a valid key file.
If no key file is available but you have a serial number, select Receive key file during installation. Otherwise select Receive key file later (updating is not available in this mode) and click Next.
Use only a Dr.Web Anti-virus key file. The key file should have the .key extension. If the key file is inside an archive, use an archiver to extract it.
The installation wizard will let you choose the type of installation. Default Installation implies installation of all components and all secondary programs automatically, up to step 12. Custom Installation is meant for experienced users. During custom installation you will be asked to select which components should be installed, and to adjust proxy server settings and some additional installation parameters.
[Installation type screenshot: Default installation: all the program components will be installed with default settings and installation parameters; Custom installation: allows
78. f a computer worm implies deletion of all its functional copies. Block, Rename: these actions can also be used for neutralizing malicious programs. However, fully operable copies of these programs remain in the file system. In case of the Block action, all access attempts to or from the file are blocked. The Rename action means that the extension of the file is renamed, which makes it inoperative.
Appendix D. Naming of Viruses
Specialists of the Dr.Web Virus Laboratory give names to all collected samples of computer threats. These names are formed according to certain principles and reflect a threat's design, the classes of vulnerable objects, the distribution environment (OS and applications) and some other features. Knowing these principles may be useful for understanding software and organizational vulnerabilities of the protected system. In certain cases this classification is conventional, as some viruses can possess several features at the same time. Besides, it should not be considered exhaustive, as new types of viruses constantly appear and the classification is made more precise. The full and constantly updated version of this classification is available at the Dr.Web web site.
The full name of a virus consists of several elements separated with full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification. Below is
79. file drweb32.ini resides in the installation folder. This is a text file and has separate sections for different components. Each parameter of any component is specified in the corresponding section as a string of the form parameter = value. The values of parameters can be changed in one of the following ways:
- via the interface of the corresponding program (Scanner, SpIDer Mail). The most important of such settings are described above (read Adjusting the Scanner Settings, Adjusting Certain Program Settings);
- by setting command line parameters when calling programs from the command line or according to schedule (for the Scanner of different versions). Read Appendix A for more details on this option;
- by editing the configuration file via any text editor.
Using this option without a clear understanding of the anti-virus structure may degrade the reliability of the anti-virus protection or even result in failure of some programs. Only experienced users should edit the configuration file.
The parameters of the Windows versions of the Scanner and Updater
The following data for every parameter is displayed in the columns of the table: parameter name, name of the components using the parameter, parameter name in the configuration file, parameter values, command line keys. The parameter name is either printed in conformity with the interface (printed in bold) or as a conventional name if no parameter in the int
80. for Outlook is a plug-in that checks Microsoft Outlook mail boxes for viruses.
- Dr.Web Firewall protects your computer from unauthorized access and prevents leaks of vital data through networks.
- Dr.Web Automatic Updating Utility for Windows (Updater) allows registered users to receive updates of the virus database and other files of the program, as well as to install them automatically. Moreover, the Updater lets registered users renew their license (a serial number is required). For unregistered users it allows to register and receive a license or demo key file (see the Receiving the Key File chapter).
- SpIDer Agent is a utility which lets you set up and manage the components of Dr.Web.
To centralize the management of the anti-virus protection at an enterprise level, a special program, Dr.Web Enterprise Suite, is supplied. For more details on this program read Appendix E. Internet service providers can organize anti-virus and anti-spam protection of their clients using Dr.Web AV-Desk. For more information on this software see Appendix F.
What is This Manual About
This User Manual describes the installation and effective utilization of Dr.Web Anti-virus. You can find a detailed description of all the GUI elements in the Help system of Dr.Web Anti-virus, which can be accessed from any component. This User Manual describes the installation of Dr.Web Anti-virus and contains some words of advice on how to use the
81. for scanning as additional parameters. This mode provides automatic activation of the Scanner according to schedule. The launching command syntax is as follows:
path_to_program drweb32w objects keys
The list of objects for scanning can be empty or contain several elements separated with blanks. The most commonly used examples of specifying the objects for scanning are given below:
- scan all hard drives;
- C: scan drive C;
- D:\games: scan files in the specified folder;
- C:\games: scan all files and subfolders of the specified directory.
Switches are command line parameters which specify the program's settings. If no switches are defined, scanning is performed with the settings specified earlier (or with the default settings if you have not changed them). Each switch begins with a forward slash character and is separated with a blank from other switches. Several of the most frequently used switches are listed below. For their full list refer to Appendix A.
/cu: cure infected objects;
/icm: move incurable files to the default folder;
/icr: rename (by default);
/qu: close the scanner window after the session is finished;
/go: no prompts on actions should be generated.
The last two parameters are especially useful for automatic launch of the Scanner according to schedule. DrWebWcl (Console Scanner) can be used with the same parameters. To do this, type the d
82. gents are located in different networks which do not have packet routing between them. Owing to the caching function, network traffic and the time of receiving Agent updates can be reduced. The following illustration describes the general scheme of a fragment of the local network where the protecting anti-virus network is organized.
[Figure: scheme of a Dr.Web AV-Desk anti-virus network: providers, clients, AV-Desk Server, AV-Desk Control Center, protected computers; transfer of updates from Dr.Web GUS via HTTP, sending information on events, interserver transfer of updates via HTTP/HTTPS, server network over TCP/IPX/NetBIOS]
The whole stream of instructions, data and statistics in the anti-virus network always goes through the AV-Desk Server. The AV-Desk Control Center exchanges information only with Servers. Based on AV-Desk Control Center commands, Servers transfer instructions to AV-Desk Agents and change the configuration of workstations. In large networks with hundreds or thousands of computers it is advisable to create the Dr.Web AV-Desk anti-virus network with several Servers. The hierarchical connection between the Servers simplifies the updating of the virus databases and the software of the workstations, and the receipt of information on virus events from them. The administrator can analyze th
83. he application should be allowed to start network processes, you should block this action for the application.
[Rule creation dialog screenshot: columns Description, Allow, Block, Publisher, Path; entries Print driver host for 32bit applications (C:\windows\splwow64.exe) and Microsoft Office Word (C:\program files (x86)\microsoft office\office 11); note: You need administrative rights to create rules]
Managing Dr.Web Firewall
Dr.Web Firewall installs as a network component and loads on Windows startup. If necessary, you can suspend Dr.Web Firewall operation, review its statistics or change settings.
After a session under a limited user account (Guest) is opened, Firewall displays an access error message. Firewall status is then displayed as inactive in SpIDer Agent. However, Firewall is enabled and operates with default settings or with settings set earlier in administrative mode.
You can configure and manage Dr.Web Firewall using SpIDer Agent.
[SpIDer Agent menu screenshot: About, Register license, My Dr.Web, Help, SpIDer Guard, SpIDer Mail, Firewall (Statistics, Settings, Disable), Updater, Scanner, Disable Self-protection, Tools, User mode]
To manage Dr.Web Firewall:
1. Right-click the SpIDer Agent icon.
2. Select Firewall, then select a required item.
Statistics: display information on the events which Dr.Web Firewall handled.
84. he network attempts to connect to the application on your computer.
- Outbound: apply the rule when the application on your computer attempts to connect to the network.
- Any: apply the rule regardless of who initiates the connection.
The action for Dr.Web Firewall to perform when the connection attempt is detected:
- Block packets
- Allow packets
The network and transport level protocols used for the connection attempt. Dr.Web Firewall supports the following network level protocols:
- IPv4
- IPv6
- IP all: any version of the IP protocol.
Dr.Web Firewall supports the following transport level protocols:
- TCP
- UDP
- TCP & UDP: TCP or UDP protocol.
The IP address of the remote host. You can specify either a specific address (Equals), several IP addresses using a range (In range), a specific subnetwork mask (Mask), or the masks of all subnetworks in which your computer has network addresses (MY_NETWORK). To apply the rule to all remote hosts, select Any.
Inbound / Outbound: the port used for the connection. You can specify either a specific port number (Equals) or a port range (In range). To apply the rule to all ports, select Any.
2. When you finish adjusting the settings, click OK to save the changes or Cancel to reject them.
Parent processes
To allow or forbid processes or applications to run other applications, you have to
85. his page you can select the mode of keeping records in the log file:
- Standard: in this mode SpIDer Guard logs only the following most important actions:
  - time of updates;
  - time of SpIDer Guard starts and stops;
  - detected errors and infections.
- Extended: in this mode SpIDer Guard logs the most important actions and the following additional data:
  - names of scanned objects;
  - names of packers;
  - contents of scanned complex objects (archives, mail boxes and file containers).
  It is recommended to use this mode when determining which objects SpIDer Guard checks most often.
- Debugging: in this mode SpIDer Guard logs all details of its activity. This may result in considerable log growth.
SpIDer Mail
By default, SpIDer Mail for Windows is included in the set of installed components, constantly resides in memory and automatically reloads at Windows startup. You can disable the automatic launch mode in the SpIDer Agent settings.
By default, the program automatically intercepts all calls of any mail programs on your computer to POP3 servers on port 110, to SMTP servers on port 25, to IMAP4 servers on port 143 and to NNTP servers on port 119.
Any incoming messages are intercepted by SpIDer Mail before they are received by the mail client. They are scanned for viruses with the maximum possible level of detail. If no viruses or suspicious objects are found, they are passed on to the ma
86. ia. In Paranoid mode SpIDer Guard scans files that are being opened, created or changed on the hard drives, on removable media and on network drives.
Selecting the Use heuristic analysis checkbox enables the heuristic analyser mode, a method of virus detection based on the analysis of actions specific to viruses.
[SpIDer Guard Scanning page screenshot: Scan mode; Use heuristic analysis (recommended); Additional tasks: Scan running programs and modules, Scan install packages, Scan objects on the LAN (not recommended), Scan the removable media, Block autoruns from removable media]
Certain external devices (e.g. mobile drives with a USB interface) can be identified by the system as hard drives. That is why such devices should be used with utmost care and checked for viruses by the Scanner when connected to a computer.
Disabled scanning of archives, even if SpIDer Guard is constantly active, means that viruses can still easily penetrate a PC, but their detection will be postponed. When the infected archive is unpacked or an infected message is opened, an attempt to write the infected object to the hard drive will be made and SpIDer Guard will inevitably detect it.
In the Additional tasks group you can configure SpIDer Guard parameters to check the following objects:
- executables of running processes, regardless of their location;
- installation files;
- files on netwo
87. ic of all user applications on your computer. You can disable mail traffic scanning for certain programs on the Exclusions page. For this, add the necessary applications to the list of exclusions.
The interception parameters of connections are set up on the Interception page.
[SpIDer Mail Interception page screenshot: Connection interception options: Intercept connections automatically (interception of the standard ports and protocols used by most mail clients); Manual connections setup (interception of ports if a non-standard mail client is being used, or specific connection settings)]
By default, interception is carried out automatically. The list of intercepted addresses can be viewed in an additional window. To open it, click the Parameters button.
[Address list window screenshot: Address, Server address, Server port: 25, 110, 119]
By default, the list of automatically intercepted messages includes all IP addresses (specified by the asterisk symbol) and the following ports: 143 (standard IMAP4 port), 119 (standard NNTP port), 110 (standard POP3 port) and 25 (standard SMTP port).
To remove an element from the list, select it and click the Delete button. To add a server or a group of servers to the list, specify its address (IP address or domain name) in the Address field and the called port number in the Port field, and click Add. The localhost
88. identiality. Programs that do not conceal their presence, distribute spam, and different traffic analyzers are usually not considered malicious, although they can become a threat under certain circumstances.
Among other programs there is also a class of riskware programs. These were not intended as malicious, but can potentially be a threat to the system's security due to certain of their features. Riskware programs are not only those which can accidentally damage or delete data, but also ones which can be used by crackers or some malicious programs to do harm to the system. Among such programs are various remote chat and administrative tools, FTP servers, etc.
Below is a list of various hacker attacks and internet fraud:
- Brute force attack: performed by a special Trojan horse program which uses its inbuilt password dictionary or generates random symbol strings in order to figure out the network access password by trial and error.
- DoS attack (denial of service) or DDoS attack (distributed denial of service): a type of network attack which verges on terrorism. It is carried out via a huge number of service requests sent to a server. When a certain number of requests is received (depending on the server's hardware capabilities), the server becomes unable to cope with them and a denial of service occurs. DDoS attacks are carried out from many different IP addresses at the same time.
89. iginal. Most viruses are intended to damage or destroy data on the system.
Viruses which infect files of the operating system (usually executable files and dynamic libraries) and activate upon launching of the infected file are called file viruses.
Some viruses infect boot records of diskettes and partitions, or master boot records of fixed disks. Such viruses are called boot viruses. They take very little memory and remain ready to continue performing their tasks until a system roll-out, restart or shutdown occurs.
Macroviruses are viruses which infect documents used by Microsoft Office and some other applications which allow macro commands (usually written in Visual Basic). Macro commands are a type of implemented programs (macros) written in a fully functional programming language. For instance, in Microsoft Word macros can automatically initiate upon opening, closing, saving, etc. of a document.
A virus which has the ability to activate and perform the tasks assigned by the virus writer only when the computer reaches a certain state (e.g. a certain date and time) is called a memory resident virus.
Most viruses have some kind of protection against detection. Protection methods are constantly improved and ways to overcome them are developed. Encrypted viruses, for instance, cipher their code upon every infection to hamper their detection in a file, boot sector or memory. All copies of such viruses
90. il program in a transparent mode, as if it was received immediately from the server. A similar procedure is applied to outgoing messages before they are sent to servers.
By default, the program's reaction upon detection of infected incoming messages, as well as messages that were not scanned (e.g. due to their complicated structure), is as follows:
- Messages infected with a virus are not delivered: the mail program receives an instruction to delete this message, and the server receives a notification that the message has been received (this action is called deletion of the message).
- Messages with suspicious objects are moved to the quarantine folder as separate files; the mail program receives a notification about this (this action is called moving the message).
- Messages that were not scanned and safe messages are passed on.
- All deleted or moved messages are also deleted from the POP3 or IMAP4 server.
Infected or suspicious outgoing messages are not sent to the server; the user is notified that the message will not be sent (usually the mail program will save it).
If an unknown virus distributing through e-mail is detected on the computer, the program can detect signs of behavior typical for such viruses (mass distribution). By default this option is enabled.
The default program settings are optimal for a beginner, provide the maximum protection level and require minimum user interference. But
91. ing. The use rights for Dr.Web Anti-virus are specified in the key file. To use Dr.Web Anti-virus, obtain and install a key file. For more information on licensing and types of key files, visit the official Doctor Web website.
Key File
The key file contains the following information:
- list of components a user is allowed to use;
- duration of the license;
- other restrictions (for example, the number of computers on which the program is allowed to be used).
The key file has the .key extension and by default should reside in the installation folder of the program. The key file has a write-protected format and must not be edited. Editing the key file makes it invalid. Therefore it is not recommended to open your key file with a text editor, which may accidentally corrupt it.
There are three types of key files:
- License key file is purchased with the Dr.Web software and allows a user to use it and receive technical support. Parameters of the license key file are set in accordance with the software's license agreement. It also contains information about the user and seller.
- Demo key file is used for evaluation of Dr.Web products. It is completely free and provides the full functionality of the software, but has a limited duration (30 days). Demo key files for the same computer cannot be received more often than once in 4 months.
- Temporary key file is used if you do not install li
92. irectories and then automatically terminates (for the GUI version of the scanner only).
/RP<file_name> or /RP<file_name>: log to a file whose name is specified in the switch. If no name is specified, log to the default file. If the character is present, the file is appended; if there is no character, a new one is created.
/SCP<n>: sets the priority of the scanning process, where <n> is a number ranging from 1 to 50.
/SD: scan subdirectories.
/SHELL: for the GUI version of the scanner. The switch disables the splash screen display and the scanning of memory and autorun files. This mode allows the GUI version of the scanner to be used instead of the console version to scan only those objects which are listed in the command line parameters.
/SL: scan symbolic links (for Console Scanner only).
/SO: enables sounds.
/SPR, /SPD or /SPM: what to do with suspicious files: /SPR rename, /SPD delete, /SPM move.
/SS: save the mode specified during the current program launch in the configuration file when the program terminates.
/ST: sets stealth mode of the GUI version of the scanner. The program operates without any windows opened and self-terminates. But if virus objects were detected during scanning, the scanner window will be opened after the scanning is done. Such a scanner mode presupposes that the list of the scanned objects is specified in the comm
93. irewall detects this type of connection. This mode is used by default.
Restricted Access Mode. In this mode Dr.Web Firewall automatically blocks all unknown connections to network resources, including the Internet. When a user application or the operating system attempts to connect to a network, Dr.Web Firewall checks if there is a filtering ruleset for the application. If there are no filtering rules, Dr.Web Firewall blocks network access for the application without displaying any notification to the user. If there are filtering rules for the application, Dr.Web Firewall processes the connection according to the specified actions.
Free Access Mode. In this mode Dr.Web Firewall allows all unknown applications to access network resources, including the Internet. No notification on the access attempt is displayed.
To configure advanced settings: on the Application filter settings page use the following option.
Allow loopback interface: select this checkbox to allow all applications on your computer to interconnect, i.e. to allow unlimited connections between the applications installed on your computer. For this type of connection no rules will be applied. Clear this checkbox to apply rules to connections carried out both through the network and within your computer.
Database of trusted applications
You can participate in the expansion of trusted a
94. is blocked by default.
Packet Filter
Packet filtering allows you to control access to the network regardless of which program initiates the connection. Dr.Web Firewall applies these rules to network packets transmitted through the network interfaces of your computer. Packet filtering allows you to control access to networks on a lower level than the application filter, thus providing you with more flexible options.
Dr.Web Firewall provides the following default filtering rule sets:
- Allow all: this rule set configures Dr.Web Firewall to pass through all packets.
- Deny all: this rule set configures Dr.Web Firewall to block all packets.
- Default rule: this set includes rules describing the most popular system configurations and preventing common network attacks. This rule set is used by default for new network interfaces.
For fast switching between filtering modes, you can create custom sets of filtering rules.
To set rulesets for network interfaces: in the Dr.Web Firewall settings window select the Packet filter page. On this page you can:
- configure sets of filtering rules by adding new rules, modifying or deleting existing ones, or changing the order of rule execution;
- select a default filtering rule;
- configure general filtering settings.
[Packet filter settings screenshot: columns Name, Property; rows Allow all; Default rule (used for new interfaces); Deny all]
95. isabled by default.
/TM: test processes in memory. Option is disabled by default.
/TS: test system startup processes. Option is disabled by default.
/TR: test system restore points directories. Option is disabled by default.
/W:<sec>: maximum time to scan, in seconds. Unlimited by default.
/WCL: drwebwcl-compatible output.
/X:S:R: set power state S (shutDown, Reboot, Suspend, Hibernate) with reason R for shutdown or reboot.
Action for different objects: C cure, Q move to quarantine, D delete, I ignore, R inform. R is set by default for all objects.
/AAD:X: action for adware (R; possible: D, Q, I, R).
/AAR:X: action for infected archive files (R; possible: D, Q, I, R).
/ACN:X: action for infected container files (R; possible: D, Q, I, R).
/ADL:X: action for dialers (R; possible: D, Q, I, R).
/AHT:X: action for hacktools (R; possible: D, Q, I, R).
/AIC:X: action for incurable files (R; possible: D, Q, R).
/AIN:X: action for infected files (R; possible: C, D, Q, R).
/AJK:X: action for jokes (R; possible: D, Q, I, R).
/AML:X: action for infected e-mail files (R; possible: Q, I, R).
/ARW:X: action for riskware (R; possible: D, Q, I, R).
/ASU:X: action for suspicious files (R; possible: D, Q, I, R).
Several parameters can have modifiers that explicitly enable or disable the options specified by these keys. For example, /AC-: the option is explicitly disabled; /AC+: the option is explicitly enabled. These modifi
96. [SpIDer Agent menu screenshot: Register license, My Dr.Web, Help, SpIDer Guard (Statistics, Settings, Disable), SpIDer Mail, Firewall, Updater, Scanner, Disable Self-protection, Tools, User mode]
The Statistics menu item opens the Statistics window, where the information on the operation of SpIDer Guard during the current session is displayed: the number of scanned, infected or suspicious objects, virus-like activities and actions taken.
The Settings menu item gives access to the main part of the program parameters (for details see Main Parameters of SpIDer Guard).
The Disable item allows program functions to be temporarily disabled (for users with administrator rights only).
Access to the SpIDer Guard settings is possible only for a user with administrator rights. To disable SpIDer Guard, enter the confirmation code.
Main Parameters of SpIDer Guard
The main adjustable parameters of SpIDer Guard are in the Settings panel. To receive help on the parameters specified on a page, select that page and click Help. When you finish editing the parameters, click OK to save the changes or Cancel to discard the changes made. Some of the most frequently changed settings of the program are described below.
Scanning Page
By default SpIDer Guard is set to Optimal mode, scanning files that are being executed, created or changed on the hard drives and all files that are opened on removable med
97. iving the license key will start. The protocol of its operation will be displayed in the information message box. If the license key is successfully downloaded, the location of the file will be indicated. Otherwise an error message will appear.
Getting Started
The installation program allows you to install the following components of Dr.Web Anti-virus on the computer:
- Scanner (GUI and console versions);
- SpIDer Guard;
- SpIDer Mail;
- Dr.Web for Outlook;
- Firewall;
- Automatic Updating Utility;
- SpIDer Agent.
The components of Dr.Web Anti-virus use common virus databases and a common anti-virus engine. Also, uniform algorithms for detection and neutralization of viruses in scanned objects are implemented. However, the methods of selecting the objects for scanning differ greatly, allowing these components to be used for absolutely different and mutually supplementary PC protection policies.
For example, Scanner for Windows scans, on user demand or according to schedule, certain files, all files, selected logical disks, directories, etc. By default, the main memory and startup files are scanned too. Since it is the user who decides when to launch a task, there is no need to worry about the sufficiency of the computational resources needed for other important processes.
SpIDer Guard constantly resides in the main memory of the PC and intercepts calls made to the objects of the file system. The program checks fo
98. k to change any of the installation parameters. If in step 6 you selected the Receive key file during installation option, the Updater will launch the registration procedure. To receive the key file, your computer should be connected to the Internet. If in step 11 you selected the Update during installation check box (or during default installation), after receiving the key file the virus databases and components of Dr.Web Anti-virus will be updated automatically. After installation is complete, the Scanner will perform an express scan. Avert any detected threats and close the Scanner after the scanning process. Scanner is not compatible with Windows Blinds, an application for adjusting the Windows GUI. For correct operation of Dr.Web Anti-virus it is necessary to disable changing of the Dr.Web interface in the Windows Blinds settings. To do this, add drweb32w.exe to the list of excluded applications. 16. The program will ask for a computer reboot, which is required to complete the installation. If you install Firewall among other Dr.Web Anti-virus components under Windows Vista or Windows 7, the operating system will request permission to install firewall drivers. For successful installation it is recommended to permit the drivers installation. Reinstalling and Removing Dr.Web Anti-virus. To modify, repair or r
99. le name (configuration parameters table, continued; columns: Parameter | Component | INI key | Values | Switch)
(…) | Scanner | ActionHacktools | Report, Delete, Rename, Move, Ignore, Lock guard, Shutdown guard | /HCK
(…) | Scanner | EnableDelete | Yes/No |
(…) | Scanner | ArchiveAction | Yes/No |
…le name | Scanner, Updating module | LogToFile | Yes/No | /RP, /NR
Log file name | Scanner, Updating module | LogFileName | drweb32w.log, spiderg3.log, drwebupw.log | /RP
Log mode | Scanner, Updating module | OverwriteLog | Yes/No | /RP
Log encoding | Scanner, Updating module | LogFormat | ANSI/OEM |
Scanned objects in log file | Scanner | LogScanned | Yes/No | /OK
Names of file packers in log file | Scanner | LogPacked | Yes/No |
Names of archivers in report | Scanner | LogArchived | Yes/No |
Statistics in log file | Scanner | LogStatistics | Yes/No |
Maximum log file size | Scanner, Updating module | LimitLog | Yes/No |
Log size limit | Scanner, Updating module | MaxLogSize | 512 KB (Scanner), 8192 (Updating module) |
Close the window after sessions | Updating module | | Yes/No | /QU
Wait for a key to be pressed as soon as scanning is complete in case a virus is detected | Console scanner | WaitAfterScan | On/Off | /WA
Operate in packet mode | Scanner, Updating module | | On/Off | /GO
Prohibit interruption by a user | Scanner | | On/Off | /NS
Scan once a day | Scanner | | On/Off | /DA
Scan the explicitly selected objects only | Scanner GUI | | On/Off | /SHELL
Do not open windows (stealth mode)
100. lete this file. d drwebforoutlook.stat: the statistics file is individual for each system user. Dr.Web Firewall. Dr.Web Firewall protects your computer from unauthorized access and prevents leakage of vital data through networks. Dr.Web Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections both on network and application levels. Main Features. Dr.Web Firewall provides you with the following features: control and filtration of all incoming and outgoing traffic; access control on application level; network-level packet filtering; fast selection of rule sets; event logging. Training Dr.Web Firewall. By default, once installation completes, Dr.Web Firewall starts learning the usual behaviour of your operating system by intercepting all new (unknown to the firewall) connection attempts and prompting you to select the necessary action. [Notification: Internet Explorer. Dr.Web Firewall has detected network activity. Application name: Internet Explorer. Application path: C:\program files\internet explorer\iexplore.exe. Digital signature: Microsoft Corporation. Endpoint: tcp 65.55.17.26. Port: 80 (www-http). Direction: Outbound. There are no rules for this application. You can either select a temporary solution or create a rule which will be applied each time Dr.Web Firewall detects this type of connection.]
101. list of scanned objects contains the explicit file extension and it is used with special characters, and all files specified in this element of the list (and not only those matching this list of extensions) will be scanned. /FAST - perform an express scan of the system (for more information on the express scan mode see Launching the Scanner. General Information). /FULL - perform a full scan of all hard drives and removable data carriers (including boot sectors). /GO - batch mode of the program. All questions implying answers from a user are skipped; solutions implying a choice are taken automatically. This mode is useful for automatic scanning of files, for example during a daily or weekly check of the hard disk. /HA - perform heuristic scanning of files and search for unknown viruses in them. /ICR, /ICD or /ICM - what to do with infected files which cannot be cured: /ICR - rename, /ICD - delete, /ICM - move. /INI:<path> - use an alternative configuration file with the specified name or path. /LITE - perform a basic scan of random access memory, boot sectors of all disks and startup objects. /LNG:<file_name> or /LNG - use an alternative language resources file (DWL file) with the specified name or path; if the path is not specified, the inbuilt English language is used. /ML - scan files of e-mail format (UUENCODE, XXENCODE, BINHEX and MIME). As it is specified, /ML
102. logs. /LNG:<file_name> - language resources file name; if not specified, English is used. /NI - do not use parameters specified in the drweb32.ini configuration file. /NR - do not create a log file. /PASS:<user password of http server> - user password of the updating server. /PPASS:<proxy user password> - user password for the proxy server. /PUSER:<proxy user name> - user name for the proxy server. /PURL:<proxy address> - address of a proxy server. /QU - compulsorily close the automatic utility after the updating is finished, regardless of whether it was successful or not. The success of the updating can be checked via the drwebupw.exe return code, for example from a .bat file by the errorlevel variable value (0 - successful, other values - unsuccessful). /REG - launch the updating module for registration and receipt of a registration key file. /RP<file_name> or /RP+<file_name> - log to a file the name of which is specified in the switch. If no name is specified, log to a file with the default name. If the + character is present, the file is appended; if there is no + character, a new one is created. /SETTINGS - display the Updater settings. /SO - enable sounds (only when errors occur). /ST - run the automatic utility in invisible mode (stealth mode). /UA - download all files specified in the updating list regardless of the
103. low may appear above the SpIDer Agent icon. The context menu of the icon allows to perform the main management and settings functions of Dr.Web Anti-virus. [SpIDer Agent menu: About, Register license, My Dr.Web, Help, SpIDer Guard >, SpIDer Mail >, Firewall >, Updater, Scanner, Disable Self-protection, Tools >, User mode.] The About item opens a window with information about the version of Dr.Web Anti-virus. The Register license item starts the registration procedure for receiving the key file from the Doctor Web Ltd. server. The My Dr.Web item opens your personal web page on the Doctor Web Ltd. web site. This page gives information about your license (period of usage, serial number), allows to renew your license, contact Technical Support, etc. The Help item opens the Dr.Web Anti-virus help system. The SpIDer Guard, SpIDer Mail and Update items allow you to access the management and settings features of the corresponding components. The Scanner item runs Dr.Web Scanner. The Disable/Enable Self-protection item allows to disable/enable protection of Dr.Web Anti-virus files, registry keys and processes from damage and deletion. To disable self-protection: select Disable self-protection in the SpIDer Agent menu; enter the text displayed on the picture. The Enable self-protection item will appear. You cannot disable self-protection in User mode. It is not
104. lume of traffic between the workstations and the Server can be quite sizeable, subject to the settings and the number of the workstations. Therefore Dr.Web ES provides for the possibility to compress traffic. Traffic between the Enterprise Server and Enterprise Agent can be encrypted. This allows to avoid disclosure of data transferred via the described channel, as well as to avoid substitution of software downloaded onto workstations. Thus Dr.Web ES provides: easy centralized installation of the anti-virus SW on protected computers (in most cases, for computers operated by Windows 2000/XP/Vista, the installation can be done without physical access to a computer); centralized set-up of the anti-virus SW and update with minimum man-hours spent; control of the state of the anti-virus protection; centralized launch or termination of tasks of the anti-virus SW on computers, if necessary; collection and analysis of information on virus events in all protected computers; the option to give some users the right to set up the anti-virus SW, if necessary; management of the anti-virus network and receipt of information about it by the administrator of the anti-virus protection, both from workstations of the corporate network and remotely from the Internet. In large corporate networks with hundreds or thousands of computers it is advisable to create the Dr.Web ES anti-virus network with several Se
105. ly one file (the worm's body). Many of them have an infectious part (the shellcode) which loads into the main memory (RAM) and then downloads the worm's body as an executable file via the network. If only the shellcode is present in the system, the worm can be got rid of by simply restarting the system (at which the RAM is erased and reset). However, if the worm's body infiltrates the computer, then only an anti-virus program can cope with it. Worms have the ability to cripple entire networks even if they do not bear any payload (i.e. do not cause any direct damage), due to their intensive distribution. Trojan horses (Trojans). This type of malicious program cannot reproduce or infect other programs. A Trojan substitutes a high-usage program and performs its functions (or imitates the program's operation). At the same time it performs some malicious actions in the system (damages or deletes data, sends confidential information, etc.) or makes it possible for another person to access the computer without permission, e.g. to harm the computer of a third party. A Trojan's masking and malicious facilities are similar to those of a virus, and it can even be a component of a virus. However, most Trojans are distributed as separate executable files (through file exchange servers, removable data carriers or e-mail attachments) which are launched by a user or a system task. Rootkits. It is a type of mali
106. m a Doctor Web server. Obtain a license key file: to get a license key file, please type the registration serial number supplied to you when purchasing the Dr.Web Anti-Virus license. Obtain a demo key file: to get a free 30-day demo key file, no registration serial number is required. Please note that the same user can receive a demo key file no more than once in 4 months. You need an Internet connection to register and to obtain the key file. If you have a serial number, click the Obtain a license key file button. In the opened window, enter your serial number and click Next. [Receiving the Key File dialog: Type the serial number you have purchased or the OEM serial number. Your license for Dr.Web Anti-Virus will become valid once your registration has been completed. The license key file will be downloaded and installed automatically. If you have been a user of Dr.Web Anti-virus for Windows in the past, you may be eligible for extension of your new license for another 150 days. To enable the bonus, enter your registered serial number or provide the license key file.] Click Next. A window for entering personal data necessary to receive a key file will open. The registration procedure for receiving the demo key file starts from this step. Fill in the fields of this window and click Next. When the window with the specified information opens, check that all the data is correct and click Next. The procedure of rece
107. many methods of neutralizing computer threats. Products of Doctor Web Ltd. combine these methods for the most reliable protection of computers and networks, using flexible, user-friendly settings and a comprehensive approach to security assurance. The main actions for neutralizing malicious programs are: Cure - an action applied to viruses, worms and trojans. It implies deletion of malicious code from infected files or deletion of a malicious program's functional copies, as well as the recovery of affected objects (i.e. return of the object's structure and operability to the state which was before the infection), if it is possible. Not all malicious programs can be cured. However, products of Doctor Web Ltd. are based on more effective curing and file recovery algorithms compared to other anti-virus manufacturers. Move to quarantine - an action when the malicious object is moved to a special folder and isolated from the rest of the system. This action is preferable in cases when curing is impossible, and for all suspicious objects. It is recommended to send copies of such files to the virus laboratory of Doctor Web Ltd. for analysis. Delete - the most effective action for neutralizing computer threats. It can be applied to any type of malicious objects. Note that deletion will sometimes be applied to certain files for which curing was selected. This will happen if the file contains only malicious code and no useful information. E.g. curing o
108. mode was set for these packets. If No logging mode was set for a packet, no information is stored. [Packet Filter journal / Application journal view; columns: Time | Direction | Rule name | Interface | Size]
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
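The packet filter journal above records one line per logged packet (time, direction, matching rule, interface, size). The following is an added example, not code from the manual or from Doctor Web: it parses journal lines laid out in the column format used above (the sample lines are constructed for this example, with "PC <- Inet" as inbound and "PC -> Inet" as outbound), summarizes traffic per direction, and flags seconds in which inbound packets reach a threshold, which is the kind of check a defender would run over an exported journal rather than reading it by eye.

```python
import re
from collections import Counter, defaultdict

# Constructed journal lines mirroring the column layout of the Packet Filter
# journal above (time | direction | rule name | interface | size).
# These are sample values, not a real Dr.Web log.
SAMPLE_JOURNAL = """\
3.1.2010 2:23:4 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:4 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC <- Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
3.1.2010 2:23:5 | PC -> Inet | ICMPv4 Ping other | Local Area Connection | 74 bytes
"""

# One journal line: "<date> <time> | PC <-/-> Inet | <rule> | <interface> | <n> bytes"
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \| PC (?P<arrow><-|->) Inet \| (?P<rule>.+?) \| "
    r"(?P<iface>.+?) \| (?P<size>\d+) bytes$"
)


def parse_journal(text):
    """Turn journal text into a list of dicts; reject lines that do not fit the layout."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised journal line: {line!r}")
        entries.append({
            "time": m["time"],
            # "PC <- Inet" means the packet came in from the network
            "direction": "inbound" if m["arrow"] == "<-" else "outbound",
            "rule": m["rule"],
            "interface": m["iface"],
            "size": int(m["size"]),
        })
    return entries


def summarize(entries):
    """Packet counts per direction and the total number of bytes logged."""
    counts = Counter(e["direction"] for e in entries)
    return {
        "inbound": counts["inbound"],
        "outbound": counts["outbound"],
        "bytes": sum(e["size"] for e in entries),
    }


def inbound_bursts(entries, threshold):
    """Return (timestamp, count) for each second whose inbound packet count reaches threshold."""
    per_second = defaultdict(int)
    for e in entries:
        if e["direction"] == "inbound":
            per_second[e["time"]] += 1
    return sorted((t, n) for t, n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_journal(SAMPLE_JOURNAL)
    print(summarize(parsed))
    print(inbound_bursts(parsed, 3))
```

The journal only contains packets for which a logging mode other than No logging was set, so a quiet journal is not evidence of quiet traffic; set the rule's logging mode first, then export and parse.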
109. mpanies and nationwide corporations. Dr.Web antivirus solutions have been well known since 1992 for continuing excellence in malware detection and compliance with international information security standards. State certificates and awards received by the Dr.Web solutions, as well as the globally widespread use of our products, are the best evidence of exceptional trust in the company's products. We thank all our customers for their support and devotion to the Dr.Web products. Table of Contents: Introduction; What is This Manual About; Document Conventions and Abbreviations; System Requirements; Licensing; Key File; Get Key File; Renewing registration; How to Test Anti-virus; Detection Methods; Installing Dr.Web Anti-virus; Installation procedure; Reinstalling and Removing Dr.Web Anti-virus; Receiving the Key File; Getting Started; SpIDer Agent; SpIDer Agent Settings; License Manager; Quarantine; Using Dr.Web Scanner for Windows; Launching Scanner. General Information; Actions Upon Detection of a Virus; Adjusting Scanner Settings; Command Line Scanning Mode; DWScancl Console Scanner; SpIDer Guard for Windows; Managing the Guard; Main Parameters of the SpIDer Guard; SpIDer Mail; Managing SpIDer Mail; Adjusting Certain Program Settings; Dr.Web for Outlook; Virus Check; Logging; Statistics; Dr.Web Firewall; Training Dr.We
110. mple, on purpose to redirect the user to a certain web site. In case the HOSTS file has been changed, Scanner will suggest restoring its initial condition. This allows to eliminate an unapproved change of the file by malicious software. Actions Upon Detection of a Virus. By default, if a known virus or a suspicious object is detected, Scanner informs you about it in the report field located at the bottom of the Scan tab. Infected processes in computer memory are terminated automatically. Trojan programs are deleted upon detection. To apply actions to detected objects: 1. Right-click the line of the report list with the description of the infected object. [Dr.Web Scanner for Windows window: tabs Scan, Statistics; menu File, Settings, Help; tree Local Disk C: (Recycle Bin; Documents and Settings: All Users, Default, Default User, AppData, Application Data); scan modes Express scan, Complete scan, Custom scan; detected objects eicar.com, eicar.rar, test.txt; context menu Cure, Rename incurable, Move incurable, Rename, Move, Delete, Select all, Check selected; status: viruses found, 2011-07-13 20:11.] You can specify an action either for all objects or for specific objects in the report list. To select all objects, click the Select All b
111. mponents are installed is called an anti-virus network. An anti-virus network includes the following components. Core components: Dr.Web AV-Desk Server. AV-Desk Server stores distribution kits of anti-virus packages for different OSs of protected computers, updates of virus databases, anti-virus packages and AV-Desk Agents, user keys and package settings of protected computers. AV-Desk Server sends necessary information to the corresponding computers on Agents' requests and keeps a general log of events of the whole anti-virus network. AV-Desk Control Center is automatically installed with AV-Desk Server. It is a certain extension of a web page and allows to administer the anti-virus network by means of editing the settings of AV-Desk Server and protected computers stored on AV-Desk Server. Dr.Web AV-Desk Agent. AV-Desk Agent is installed on protected computers. It installs, updates and controls the anti-virus package as instructed by AV-Desk Server. AV-Desk Agent reports virus events and other necessary information about the protected computer to AV-Desk Server. Optional components: Proxy server. This component can optionally be included into the anti-virus network. The main function of the proxy server is to provide connection between AV-Desk Server and AV-Desk Agents in cases when direct connection is impossible, e.g. if the Server and A
112. mpression ratio check will be performed (unlimited KB). /ARX:<size> - maximum archive object size (unlimited KB). /BI - show virus bases info. Option is enabled by default. /DR - recursive scan directory. Option is enabled by default. /E:<engines> - maximum Dr.Web engines to use. /FL:<path> - scan files listed in the specified file. /FM:<masks> - scan files matched masks. By default all files are scanned. /FR:<regexpr> - scan files matched expression. By default all files are scanned. /H or /? - show this message. /HA - use heuristic analysis. Option is enabled by default. /KEY:<keyfile> - use keyfile as activation key (by default drweb32.key or other suitable from C:\Program Files\DrWeb). /LN - resolve shell links. Option is disabled by default. /LS - use LocalSystem account rights. Option is disabled by default. /MA - test e-mail-like files. Option is enabled by default. /MC:<limit> - set maximum cure attempts number to limit (unlimited by default). /NB - don't backup curing/deleting files. Option is disabled by default. /NI[:X] - nice mode 0-100 (low resource usage, unlimited). /NT - test NTFS streams. Option is enabled by default. /OK - show OK for clean files. Option is disabled by default. /P:<prio> - test priority: 0 - the lowest, L - low, N - general (priority by default), H - the high
113. n the list and click Edit; to add a copy of an existing set of rules, select the rule set and click Copy (the copy is added after the selected rule set); to delete all rules for an application, select the appropriate rule set and click Delete. If the application file for which the rule was created changes (e.g. due to update installation), then Dr.Web Firewall asks to confirm that the application is still allowed to access network resources. Application Rules. The New application rule set or Edit rule set window lists types of the filtering rule for the application or process, and also a rule set if the Custom type is selected. You can change the rule type, configure the list by adding new rules for the application or modifying existing rules, and the order of their execution. The rules are applied according to their order in the set. [Edit rule set window: Specify application or process to create rule for: C:\Windows\system32\services.exe. Specify rule type: Allow all / Block all / Custom. Rules (Action | Rule name | Description): Allow packets | Allow services.exe outbound 127.0 | Autogenerated rule; Allow packets | Allow services.exe inbound 127.0.0 | Autogenerated rule; Allow packets | Allow services.exe outbound fe80 | Autogenerated rule; Allow packets | Allow services.exe inbound fe80 | Autogenerated rule.] For each rule in the set the following information displays: Enabled
114. ndow, select the Actions tab. [Actions tab. Actions for detected objects: Infected files - Cure (recommended); Incurable - Move to quarantine (recommended); Suspicious - Move to quarantine (recommended). Potentially dangerous files: Adware - Move to quarantine (recommended); Dialers - Move to quarantine (recommended); Jokes - Ignore (recommended); Hacktools - Ignore (recommended); Riskware - Ignore (recommended).] 2. In the Infected objects drop-down list, choose the program's action upon detection of an infected object. The Cure action is recommended. 3. In the Incurable objects drop-down list, choose the program's action upon detection of an incurable object. The Move to quarantine action is recommended. Other actions with moved files are described in the Actions Upon Detection of a Virus chapter. 4. In the Suspicious objects drop-down list, choose the program's action upon detection of a suspicious object. The Move to quarantine action is recommended. 5. In the Adware and Dialers drop-down lists, choose the program's action upon detection of dangerous files. The Move to quarantine action is recommended. 6. The same procedure is used when setting the program's actions upon detection of objects containing jokes, riskware and hacktools. The Ignore action is recommended. 7. Click OK to apply changes and close the SpIDer Guard Settings window. Log Page. On t
115. necessary parameters. When Dr.Web Updater starts automatically, a direct connection to the Internet is used, so Internet Explorer settings cannot be used. If you need to connect using a proxy server, specify the required parameters in the scheduled updating settings. Launching Update. When launching update, the program checks the presence of the license key file in the installation folder and, if it fails to find it, tries to receive it via the Internet at www.drweb.com (this is described at the end of the License Key File section). If no key file is found, updating is impossible. If the key file is found, the program checks its validity at www.drweb.com (the file can be blocked if discredited, i.e. its illegal distribution is uncovered). If the key file is blocked, the updating is not done and a corresponding message is generated to the user. If the key is blocked, contact the dealer from whom you have purchased Dr.Web Anti-virus. After the key file is successfully checked, the updating is performed. The program automatically downloads all updated files according to your version of Dr.Web Anti-virus and, if your subscription terms allow, the new program version if it is released. The Scanner can use the updated databases after the next restart. SpIDer Guard and SpIDer Mail periodically check the state of the databases and start to use updated databases automatically. When the Updater is launched fr
116. new rules is added to the end of the list; to modify a rule, select it and click Edit; to add a copy of a rule, select the rule and click Copy (the copy is added after the selected rule); to delete a rule, select it and click Delete. 4. If you selected to create or edit a rule, configure the rule settings in the opened window. 5. Use the arrows next to the list to change the order of rules. The rules are applied according to their order in the set. 6. When you finish adjusting the settings, click OK to save changes or Cancel to reject them. Rule Settings. Application filtering rules control interaction of a particular application with certain network hosts. [Rule Settings window. General: Rule name: DrWEB Firewall Settings Application http; Description: Allows to connect to CRL distribution points via http. This is used to verify securit…; Connection type; Action: Allow packets.] To add or edit a rule: 1. Configure the following parameters. General: Rule name - the rule name. Description - the rule description. State - one of the following execution states for the rule: Enabled - apply the rule for all matching connection attempts; Disabled - do not apply the rule yet. Connection type - the party which initiates the connection: Inbound - apply the rule when someone from t
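Both the rule-set description above and the Rule Settings section state that rules are applied in their order in the set, so a rule's position decides the outcome for a connection that several rules match. The following is an added example, not code from the manual or from Doctor Web, and it does not reproduce the product's rule engine: it models a rule set with the parameters the page lists (state, connection type, action, protocol, remote address, port) and evaluates a connection first-match, returning "Ask" when no enabled rule matches, which stands in for the firewall prompt the manual shows for unknown connections. The rule and connection values are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One application filtering rule; field names are this example's own."""
    name: str
    action: str                       # "Allow" or "Block"
    direction: str                    # "Inbound", "Outbound" or "Any"
    protocol: str                     # "tcp", "udp", "icmp" or "any"
    remote_net: str                   # CIDR the remote address must fall in
    remote_port: Optional[int] = None  # None matches any port
    enabled: bool = True              # State: Enabled / Disabled


@dataclass
class Connection:
    direction: str
    protocol: str
    remote_ip: str
    remote_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """A disabled rule never matches; every other field must agree."""
    if not rule.enabled:
        return False
    if rule.direction != "Any" and rule.direction != conn.direction:
        return False
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    # ip_network.__contains__ returns False for a mismatched IP version rather than raising
    if ipaddress.ip_address(conn.remote_ip) not in ipaddress.ip_network(rule.remote_net):
        return False
    if rule.remote_port is not None and rule.remote_port != conn.remote_port:
        return False
    return True


def decide(rules, conn: Connection):
    """First enabled matching rule wins; with no match the firewall would prompt ("Ask")."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, rule.name
    return "Ask", None


# Constructed rule set: a narrow allow followed by a catch-all block.
RULES = [
    Rule("Allow http", "Allow", "Outbound", "tcp", "0.0.0.0/0", 80),
    Rule("Block outbound", "Block", "Outbound", "any", "0.0.0.0/0"),
]

# Constructed connections, modelled on the notifications shown in the manual.
HTTP_OUT = Connection("Outbound", "tcp", "65.55.17.26", 80)
DNS_OUT = Connection("Outbound", "udp", "192.168.109.2", 53)
INBOUND = Connection("Inbound", "tcp", "10.0.0.5", 445)


if __name__ == "__main__":
    print(decide(RULES, HTTP_OUT))            # allowed by the first rule
    print(decide(RULES, DNS_OUT))             # caught by the catch-all block
    print(decide(list(reversed(RULES)), HTTP_OUT))  # order swapped: block wins
    print(decide(RULES, INBOUND))             # no rule matches: prompt
```

Moving the catch-all above the specific allow silently blocks the traffic the allow was written for, which is why the order arrows in the rule list matter as much as the rules themselves; disabling a rule (State: Disabled) removes it from matching without deleting it.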
117. ng. Check attachments - allows to configure the e-mail check and to specify the program actions for the detected malicious objects. Statistics - allows to review the number of checked and processed objects. Virus Check. Dr.Web for Outlook uses different detection methods. The infected objects are processed according to the actions defined by the user: the program can cure the infected objects, remove them or move them to Quarantine to isolate them from the rest of the system. Malicious Objects. Dr.Web for Outlook detects the following malicious objects: infected objects; bomb viruses (in files or archives); adware; hacktools; dialer programs; joke programs; riskware; spyware; Trojan horses (Trojans); computer worms and viruses. Actions. Dr.Web for Outlook allows to specify the program reaction to detection of infected or suspicious files and malicious objects during the e-mail attachments check. To configure the virus check of e-mail attachments and to specify the program actions for the detected malicious objects, in the Microsoft Outlook mail application, on the Service > Parameters > Dr.Web Anti-virus tab (the Tools > Options > Dr.Web Anti-virus tab for Microsoft Outlook 2007), click Check attachments. [Check attachments dialog. Scan settings: Infected, Not cured, Suspicious, Malware, Adware
118. oes not detect EICAR file as not compromise security of computer. Detection Methods. The Dr.Web anti-virus solutions use several malicious software detection methods simultaneously, and that allows them to perform thorough checks on suspicious files and control software behaviour. 1. The scans begin with signature analysis, which is performed by comparison of file code segments to the known virus signatures. A signature is a finite continuous sequence of bytes which is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, the Dr.Web anti-virus solutions use signature checksums instead of using complete signature sequences. Checksums uniquely identify signatures, which preserves correctness of virus detection and neutralization. The Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses but whole classes of threats. 2. On completion of signature analysis, the Dr.Web anti-virus solutions use the unique Origins Tracing method to detect new and modified viruses which use the known infection mechanisms. Thus the Dr.Web users are protected against such viruses as the notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detection of new and modified viruses, the Origins Tracing mechanism allowed to considerably reduce the number of false triggerings of the Dr.Web heuristics
119. ogram designed for Windows, as well as versions for other platforms, provide reliable computer protection in a company. Still, the functioning of computers within a corporate network has certain problems for the anti-virus protection: usually the software is installed onto computers by a company network administrator; the installation of anti-virus programs and their timely updating is additional work for the administrator and requires physical access to computers; any changes made in the settings of the anti-virus by an inexperienced user (including its disabling because of the seeming inconveniences) generate holes in protection, the viruses begin to penetrate inside the corporate network and their disinfection becomes a much more complicated task; the anti-virus protection can be fully efficient if its operation is analyzed by qualified specialists, which includes analysis of protocols, files moved to the quarantine, etc. This work may be difficult in conditions when this data is kept on dozens or hundreds of computers. To solve these problems, Dr.Web Enterprise Suite (Dr.Web ES) was developed. Dr.Web Enterprise provides for: centralized (without user intervention) installation of the anti-virus packages on computers; centralized setup of the anti-virus packages; centralized virus databases and program files updates on protected computers; monitoring of virus events and the state of the anti-virus packages and OSs
120. om the Scheduler or in the command line mode, the command line parameters can be used (see Appendix A). Appendices. Appendix A. Additional Command Line Parameters of the Anti-virus. Introduction. Additional command line parameters (switches) are used to set parameters for programs which can be launched by opening an executable file. This relates to scanners of all versions (read Using Dr.Web Scanner for Windows and Command Line Scanning Mode) and to the Updater (read Automatic Updating of the Virus Databases and Other Files of the Program). The switches can set the parameters unavailable in the configuration file and have a higher priority than the parameters which are specified in it. Switches begin with the forward slash character and are separated with blanks, as other command line parameters. The command line parameters for the scanner and for the automatic updating module are listed below. If a switch has modifications, then they are specified as well. The Scanner command line parameters: - display short help on the program and launch scanning; <file_name> or <file_name> - instructs to scan objects listed in the specified file. Each object is specified in a separate line of the list file. It can be either a full path with the file name or the boot string, which means that scanning of boot sectors should be performed. For the GUI version of the scanner the file name
121. on all protected computers. Dr.Web ES allows both to grant the users of the protected computers the permissions to set up and administer the anti-virus packages on their computers, or to flexibly limit their rights, including absolute prohibition. Dr.Web ES has a client-server architecture. Dr.Web ES components are installed on the computers of users and administrators and on the computer(s) to function as the Enterprise Server(s), and exchange information through network protocols (TCP/IP, IPX/SPX, NetBIOS). An aggregate of computers on which Dr.Web ES cooperating components are installed is called an anti-virus network. An anti-virus network includes the following components. Core components: Dr.Web Enterprise Server. Enterprise Server stores distribution kits of anti-virus packages for different OSs of protected computers, updates of virus databases, anti-virus packages and Enterprise Agents, user keys and package settings of protected computers. Enterprise Server sends necessary information to the corresponding computers on Agents' requests and keeps a general log of events of the whole anti-virus network. Dr.Web Control Center is automatically installed with Enterprise Server. It is a certain extension of a web page and allows to administer the anti-virus network by means of editing the settings of Enterprise Server and protected computers stored on Enterprise Server and protected com
or proxy server, choose Use system settings for proxy server IP and Port. If you want to specify settings for the proxy server, choose Specify proxy server IP and Port manually.

[Screenshot: Installing Dr.Web Anti-virus, proxy server settings page. Text: "Specify the settings of the proxy server if necessary. If you use a proxy server to access the Internet, it is necessary to specify your settings in order for Dr.Web Anti-virus for Windows 6.0 x86 to operate correctly." Options: Do not use proxy server; Specify proxy server IP and Port manually. Fields: IP address, Port, User name, Password.]

Click Next.

11. The window for adjusting some additional parameters of installation will open. Select the Update during installation check box to download the latest virus databases during installation.

[Screenshot: Installing Dr.Web Anti-virus, Additional Installation Parameters page. Text: "Choose some additional installation parameters. Updating virus databases and program components during installation ensures that your protection environment is up to date from the first express scan, which is performed during installation." Check box: Update during installation.]

A window informing that the program is ready to be installed will open. Select the Perform full scan after installation check box to check the file system after your computer is rebooted at the end of the installation. Then click the Install button to start the installation process, or Bac
ose either one of the predefined rules or create your own application rule.

[Screenshot: Dr.Web Firewall notification. Application name: Internet Explorer; Application path: C:\program files\internet explorer\iexplore.exe; Digital signature: Microsoft Corporation; Address: tcp 207.46.16.233; Port: 80 (www-http); Direction: Outbound. Options: Apply predefined rule "Allow network connection for application on port 80 (www-http)"; Create custom rule.]

3. Click OK. Dr.Web Firewall executes the selected action and closes the notification window.

In cases when a connection was initiated by a trusted application (an application with existing rules) but this application was run by an unknown parent process, a corresponding notification will be prompted.

[Screenshot: "nslookup: Dr.Web Firewall has detected network activity." Application name: nslookup; Application path: C:\windows\system32\nslookup.exe; Digital signature: Microsoft Corporation; Endpoint: udp 192.168.109.2; Port: 53 (domain); Direction: Outbound.]

To set parent process rules:
1. Consider the information about the parent process displayed in the notification.
• To block this connection once, select Block.
• To allow this connection once, select Allow.
• To open a window where you can create a new application filter rule, select Create new rule. In the opened window you can either choose one of the predefined rules or create your own rule for the parent process.
owing abbreviations are used in this User Manual:
• GUI: Graphical User Interface (a GUI version of a program is a version which utilizes the GUI)
• OS: operating system
• PC: personal computer
• RAM: Random Access Memory

System Requirements

Before installing Dr.Web Anti-virus, you should:
• install all critical updates recommended by the OS developer;
• uninstall all other anti-virus packages from the computer to avoid possible incompatibility with their resident components;
• if you install Dr.Web Firewall, uninstall all other firewalls.

OS: one of the following:
• Microsoft Windows 2000 Workstation SP4 with Update Rollup 1
• Windows XP SP2
• Windows Vista
• Microsoft Windows 7
Both 32-bit and 64-bit versions of the operating systems are supported. You may need to download and install certain system components from the official Microsoft web site. If necessary, the program will notify you about the required components and provide download links.

Hard disk space: minimum 250 MB of disk space for a full installation, which includes:
• up to 70 MB of installation files;
• up to 90 MB of temporary setup files that are removed automatically at completion of the install.

CPU: i686 compatible.

RAM: 512 MB and more.

Other: Internet connection for updating the virus databases and Dr.Web Anti-virus components.

Licens
pIDer Mail item in the context menu of the SpIDer Agent icon (see SpIDer Agent).

[Screenshot: SpIDer Agent context menu: About, Register license, My Dr.Web, Help, SpIDer Guard, SpIDer Mail (Statistics, Settings, Disable), Firewall, Updater, Scanner, Disable Self-protection, Tools, User mode.]

If the Settings menu item is selected, a window with SpIDer Mail settings will open (read Adjusting Certain Program Settings). A user should have administrator rights to change the settings of the SpIDer Mail interface.

If the Statistics menu item is selected, a window with information on the program's operation during the current session (the number of scanned, infected, and suspicious objects, and the actions taken) will open.

The Disable/Enable item allows you to start or stop SpIDer Mail.

Adjusting Certain Program Settings

To modify SpIDer Mail settings, open the settings window as described in Managing SpIDer Mail. When editing the settings, use the program's help system: general help for each page is generated by pressing the Help button, and there is also a context prompt for certain elements of the interface. When adjusting is finished, click OK.

Most default settings are optimal for the majority of situations. The most frequently used parameters, except the default ones, are described below.

Scanning

[Screenshot: Scanning page, supposed actions on messages in case of threat detection: Infected messages; Incurable messages.]
pplications database for Dr.Web Firewall. Select the Send new rules to Doctor Web check box to allow Dr.Web Firewall to send the created rules to Doctor Web. Click the Privacy statement by Doctor Web link to look through the privacy statement on the Doctor Web web site.

[Screenshot: Database of trusted applications page. Text: "You can participate in expansion of the trusted applications database for Dr.Web Firewall. Doctor Web will receive your new rules automatically." Link: Privacy statement by Doctor Web.]

Restoring Defaults

On the Restore default settings page you can restore the Dr.Web Firewall settings to their default values recommended by Doctor Web.

[Screenshot: Restore default settings page. Application filter settings: Replace existing application rules with default application filter rules. Packet filter settings: Replace existing packet filter rules with default packet filter rules and propagate the default rule to all interfaces; Remove all ICMP user tags. Advanced settings: Restore default operating mode and advanced settings. Buttons: OK, Cancel, Apply.]

To restore default settings:
1. In the Dr.Web Firewall settings window, select Restore defaults.
2. Do one of the following:
• To restore the default application filter settings, in the Application filter settings section click Restore defaults.
• To restore the default packet filter settings, in the Packet filter settings section click Restore defa
program and solve typical problems caused by virus threats. Mostly it describes the standard operating modes of the program's components with default settings. The Appendices contain detailed information for experienced users on how to set up Dr.Web Anti-virus.

In connection with constant development, the program interface can mismatch the images given in this document. You can always find the actual help information on http://products.drweb.com.

Document Conventions and Abbreviations

The following symbols and text conventions are used in this guide:
• Bold: Names of buttons and other elements of the graphical user interface (GUI), and required user input that must be entered exactly as given in the guide.
• Green and bold: Names of Dr.Web products and components.
• Green and underlined: Hyperlinks to topics and web pages.
• Monospace: Code examples, input to the command line, and application output.
• Italic: Placeholders which represent information that must be supplied by the user. For command line input, it indicates parameter values. In addition, it may indicate a term in the position of a definition.
• CAPITAL LETTERS: Names of keys and key sequences.
• Plus sign (+): Indicates a combination of keys. For example, ALT+F1 means to hold down the ALT key while pressing the F1 key.
• Exclamation mark (!): A warning about potential errors or any other important comment.

The foll
puters.
• Dr.Web Enterprise Agent (Enterprise Agent) is installed on protected computers. It installs updates and controls the anti-virus package as instructed by Enterprise Server. Enterprise Agent reports virus events and other necessary information about the protected computer to Enterprise Server.

Optional components:
• Proxy server. This component can optionally be included in the anti-virus network. The main function of the proxy server is to provide a connection between Enterprise Server and Enterprise Agents in cases when a direct connection is impossible, e.g. if the Server and Agents are located in different networks which do not have packet routing between them. By using the caching function, network traffic and the time needed to receive Agent updates can be reduced.
• NAP Validator. Allows the use of Microsoft Network Access Protection (NAP) technology to check the health of Dr.Web anti-virus software on protected workstations by enforcing compliance with system health requirements.

The illustration below describes the general scheme of a fragment of the local network where the protecting anti-virus network is organized.

[Diagram: Dr.Web Enterprise Server connected to the Dr.Web Control Center over HTTP/HTTPS and to the network over TCP/IPX/NetBIOS; a protected local computer and an unprotected local computer.]

The whole stream of instructions
r viruses files that are being launched, created, or changed on the hard drives, and all files that are opened on removable media and network drives. Due to a balanced approach to the level of detail of file system scanning, the program hardly disturbs other processes on the PC; however, this results in an insignificant decrease of virus detection reliability. An advantage of the program is uninterrupted control of the virus situation during the whole PC runtime. Besides, some viruses can only be detected by the guard through their specific activity.

SpIDer Mail also constantly resides in memory. The program intercepts all calls from your mail clients to mail servers via the POP3, SMTP, IMAP4, and NNTP protocols and scans incoming and outgoing e-mail messages before they are received or sent by the mail client. SpIDer Mail is designed to check all current mail traffic going through a computer. As a result, scanning of mailboxes becomes more efficient and less resource consuming. For example, it allows you to control attempts at mass distribution of a mail worm's functional copies to the addresses specified in the user address book, which is performed via the worm's own mail client. This also allows you to disable scanning of e-mail files in SpIDer Guard, which considerably reduces consumption of computer resources.

Dr.Web Firewall protects your computer from unauthorized access and prevents leaks of vital data thro
rk drives
• Files and boot sectors on removable devices
These parameters are applied in any scan mode. Also, you can select the Block autoruns from removable media check box to disable the autoplay option for portable data storages such as CD, DVD, flash memory, etc. This option helps to protect your computer from viruses transmitted via removable media. If any problem occurs during installation with the autorun option, it is recommended to remove the Block autoruns from removable media flag.

Exclusions Page

On this page, folders and files to be excluded from checking are specified. In the Excluded folders and files field, the list of folders and files to be excluded from scanning can be set. These can be the quarantine folder of the anti-virus, some program folders, temporary files, swap files, etc. To add a file, folder, or mask to the list, type its name into the entry field and click Add. To enter an existing file name or folder, you can click the Browse button to the right and select the object in a standard file browsing window. To remove a file or folder from the list, select it in the list and click Remove.

Actions Page

On this page you can adjust the SpIDer Guard reaction to infected objects. The Cure, Ignore, Delete, and Move to quarantine actions are similar to those of the Scanner.

To change the default actions in SpIDer Guard:
1. In the SpIDer Guard Settings wi
rmful. In the drop-down menu you can choose:
• Restore, to restore the file to the folder specified by the user;
• Rescan, to scan the file one more time;
• Remove, to delete the file from the quarantine and from the system;
• Submit file(s) to Doctor Web Laboratory, to send the file to the Doctor Web Virus Laboratory for checking.

To manage several objects simultaneously, select the necessary objects in the quarantine window and select the necessary action in the drop-down menu. At the bottom of the quarantine window, detailed information about the selected items is displayed.

To configure Quarantine parameters, click the button in the Quarantine window. The Quarantine properties window will be opened. In this window you can change the following parameters:
• In the Set quarantine size section, you can configure the amount of disk space for the Quarantine folder.
• In the View section, you can set the Show backup files flag to display backup copies of Quarantine files in the objects table. Backup copies are created automatically when moving files to the Quarantine. Even if Quarantine files are kept permanently, their backup copies are kept temporarily.

Using Dr.Web Scanner for Windows

By default, the program scans all files for viruses using both the virus database and the heuristic analyzer (a method based on the general algorithms of virus development, allowing detection of viruses unknown
rogram generates a warning message that the data might be lost. After the required action is applied, the report with the operation result will be generated in the Action column of the report field.

In some cases the specified action cannot be immediately applied to the selected files. The Will be cured after reboot or Will be deleted after reboot text string (depending on the action specified) will appear in the Action column of the Scanner main window report field. The necessary action will be taken at the next reboot, i.e. it will be a postponed action. That is why, if such objects are found, it is recommended to reboot the system immediately after the scanning process. You can also set up an automatic reboot if necessary; for more information, see Adjusting the Scanner Settings.

The detailed report on the program's operation is saved as a log file. By default, the log file resides in the program's installation folder, in the DoctorWeb subfolder of the %USERPROFILE% directory. The name of the log file is drweb32w.log.

Adjusting Scanner Settings

It is recommended that Scanner be run by a user with administrator privileges, because files to which unprivileged users have no access (including system folders) are not scanned. Default program settings are optimal for most applications, and they should not be modified if there is no special need for it.

To modify the Scanner settings:
1. To op
rvers. The hierarchical connection between the Servers simplifies the updating of the virus databases and the software of the workstations, as well as the receipt of information on virus events from them. The administrator can analyze the logs of the network, both of separate Servers and the summary log of the whole anti-virus network.

Dr.Web ES in corporate networks increases the reliability of the anti-virus protection and cuts the costs of its administration compared to the installation of personal anti-virus programs on protected computers.

Dr.Web Enterprise Suite has several advantages in comparison to other similar products:
• high reliability and security of the applied solutions;
• easy administration;
• multiplatform structure of all components;
• excellent scalability.

We recommend purchasing and installing Dr.Web ES if:
• your corporate network has a significant size (several dozens of computers or more);
• your network is small, but due to some reasons (determined by the specific software, equipment, or professional skill of the personnel) you already apply a policy of strict administration of installation and setup of software.

For computers not included in the corporate network, use personal anti-viruses: Dr.Web for Windows and the Dr.Web versions for other platforms.

Appendix F. Dr.Web AV-Desk for Internet Service Providers

Dr.Web AV-Desk service is designed on the software-based client
rwebwcl command name instead of drweb32w. By default, the console version of Scanner for Windows uses the same settings as the GUI version of Scanner. The parameters set via the graphical interface of Scanner (for more information, see Adjusting the Scanner Settings) are used for scanning in command line mode unless different parameters were set as switches. Some settings of Scanner can only be specified in the program's configuration file (read Appendix B for more details).

DWScancl Console Scanner

Dr.Web Anti-virus also includes DWScancl Console Scanner. In contrast to DrWebWcl Console Scanner, DWScancl Console Scanner is designed for multiprocessor systems and provides advanced settings (a larger amount of switches). DWScancl Console Scanner moves suspicious files not to the infected folder but to Quarantine.

The launching command syntax is as follows:

path_to_program\dwscancl keys objects

The list of objects for scanning can be empty or contain several elements separated with blanks. A parameter starts with the / symbol; several parameters are divided by spaces. All parameters are listed in Appendix A.

Return codes:
• 0: scanning was completed successfully, infected objects were not found
• 1: scanning was completed successfully, infected objects were detected
• 10: invalid keys are specified
• 11: key file is not found or does not support DWScancl Console Scann
s. In the same way, the automatic actions of the program upon detection of viruses or suspicious code in file archives, containers, and mailboxes (applied to these objects as a whole) are set up. The Report action is specified by default.

Clear the Prompt on action check box to enable the specified program's action without prior inquiry.

When Rename is set as the program's action, the program by default will replace the first character of the file name extension with the symbol. If necessary, you can change the renaming mask for file extensions. For this, insert the necessary value into the Rename extension entry field.

When Move to is set as the program's action, the program by default will move the file to the infected subfolder of the program's installation directory. If necessary, you can specify a different name of the folder in the Move path entry field.

To cure some infected files, it is necessary to reboot Windows. You can adjust the parameters of rebooting in the Cure settings window. To open this window, click the Advanced button in the bottom right of the Actions pane. You can choose one of the following:
• Restart automatically if necessary. This can lead to loss of unsaved data.
• Do not restart automatically. If you choose this mode, it is recommended to select the Prompt restart when necessary check box to restart at any time convenient to you.

In the Log file tab you can set up the parameters of the log file.
s

[Screenshot: Dr.Web Scanner for Windows main window. Menu: File, Settings, Help. Tabs: Scan, Statistics. File tree: Recycle Bin, Documents and Settings, Local Disk C:, All Users, Default User, AppData, Application Data. Scan modes: Express scan, Complete scan, Custom scan. Status line: "Done, no viruses found".]

To launch scanning of the selected objects, click the button in the right part of the main window.

When launching Scanner on a portable computer running on battery, a message on the battery state will appear. You can disable this option in the General tab of the Settings window; for more information, see Adjusting the Scanner Settings.

As soon as scanning starts, the pause button in the right part of the window becomes available. Click this button to pause the scanning process. To resume scanning, click the button again. To stop scanning, click the stop button.

By default, subfolders in the selected directories and logical drives, as well as the boot sectors of all logical drives on which at least one folder or file is selected, and also the main boot sectors of the respective physical drives, are scanned too.

If express or complete scanning mode is set, Scanner will determine whether the HOSTS file (the text file which contains a database of domain names and is used for their translation into network addresses) has been changed. The HOSTS file can be changed by malicious software, for exa
s with mask and directory names should be specified there. The list file can be prepared manually in any text editor; it can also be made automatically by applications using the scanner to check certain files. After the scanning is done, the scanner deletes the list file (if used without the character).

• /AL: to scan all files in the given device or in the given folder regardless of the extensions or the internal format.
• /AR: to scan files inside archives. At present, scanning (without curing) of archives created by the ARJ, ZIP, PKZIP, ALZIP, RAR, LHA, GZIP, TAR, BZIP2, 7-ZIP, ACE, etc. archivers, as well as of MS CAB archives (Windows Cabinet Files) and ISO images of optical disks (CD and DVD), is available. As specified (/AR), the switch instructs to inform the user if an archive with infected or suspicious files is detected. If the switch is supplemented with the D, M, or R modifier, other actions are taken: /ARD deletes; /ARM moves (by default to the infected directory); /ARR renames (by default the first character of the extension is replaced by the character). The switch may end with the N modifier, in which case the name of the archiver after the name of the archived file will not be printed.
• /CN: to set the action for containers (HTML, RTF, PowerPoint) with infected or suspicious objects. As specified (/CN), the switch instructs to report such containers to the user. If
sabled.
3. Specify the maximum log file size in kilobytes.
4. Click OK to save changes.

View program log

To open the text log, click Show in folder.

Statistics

In the Microsoft Outlook mail application, in the Service > Parameters > Dr.Web Anti-virus tab (in the Tools > Options > Dr.Web Anti-virus tab for Microsoft Outlook 2007), statistical information about the total number of objects which have been checked and treated by the program is listed. These scanned objects are classified as follows:
• Checked: total number of checked messages
• Infected: number of messages with viruses
• Suspicious: number of messages presumably infected with a virus (upon a reaction of the heuristic analyzer)
• Cured: number of objects successfully cured by the program
• Not checked: number of objects which cannot be checked, or for which an error occurred during scanning
• Clear: number of messages which are not infected

Then the number of the following categories of treated objects is specified:
• Moved to quarantine: number of objects which have been moved to Quarantine
• Deleted: number of objects deleted from the system
• Skipped: number of objects skipped without changes

By default, the statistics file is dcwebforoutlook.stat, located in the %USERPROFILE%\DoctorWeb folder (for Windows 7: C:\Users\<username>\DoctorWeb).

To clear statistics de
sed systems (Linux, FreeBSD, Solaris). Dr.Web is designed as a powerful anti-virus program and regularly shows the best results in independent comparative reviews.

Dr.Web uses a convenient and efficient procedure for updating the virus database and program components via the Internet.

Dr.Web can detect and remove undesirable programs (adware, dialers, jokes, riskware, and hacktools) from your computer. For detection of undesirable programs and for actions with the files contained in them, the standard anti-virus components of Dr.Web are used.

Dr.Web Anti-virus includes the following components:
• Dr.Web Scanner for Windows (Scanner) is an anti-virus scanner with a graphical interface. The program is run on user demand or according to a schedule and checks the computer for viruses. There is also a command line version (Dr.Web Console Scanner for Windows).
• SpIDer Guard for Windows (also called Monitor or Guard) is an anti-virus guard. The program resides in main memory, checks files and memory on the fly, and detects virus-like activity.
• SpIDer Mail for Windows (Mail Guard) is a mail anti-virus guard. The program intercepts calls sent from mail clients to mail servers through the POP3, SMTP, IMAP4, and NNTP protocols (IMAP4 stands for IMAPv4rev1), and detects and neutralizes mail viruses before a mail message is received by the mail client or before a mail message is sent to the mail server.
• Dr.Web
soft Windows 7 operating system is enabled. Otherwise, the item is hidden and Dr.Web Anti-virus operates in full function mode all the time.

SpIDer Agent Settings

Settings Page

[Screenshot: SpIDer Agent Settings page. Language: English. Extended notification of virus bases: Start to remind me about outdated virus bases after ... day (recommended); Repeat tooltip notifications every ... hours (recommended). Notification types: Updater notification, SpIDer Guard, SpIDer Mail, SpIDer Gate, Parental Control, Security issue notifications. Check box: Do not show notifications in fullscreen mode.]

On the Dr.Web Settings page you can specify the language of the Dr.Web Anti-virus GUI by selecting the necessary language in the Language list. If you choose a language that hasn't been installed, Dr.Web will suggest installing it.

Also in this window you can select the types of pop-up notifications which appear above the SpIDer Agent icon in the taskbar notification area. Components send notifications when a corresponding event happens, i.e. when a threat is detected or an update is performed. Also, if your system hasn't been scanned for 7 days, a corresponding notification appears (Security issue notifications check box).

Components page

On the Components page you can choose one of the following:
• Launch all installed anti-virus
system32\svchost.exe).
• Application: the application description, if available in the operating system.
• PID: the identification number of the application process.
• Path: the full path to the application executable file.
If necessary, use the process PID to terminate the application manually.

Application Filter Log

The application filter log stores information on all attempts of applications installed on your computer to connect to a network.

[Screenshot: Network applications activity journal with the columns Time, Application, and Rule name. The sample rows (dated 3/1/2010) all concern C:\windows\system32\svchost.exe and show Allow rules for svchost.exe inbound and outbound connections alongside the Block listening on SSDP and Block SSDP queries rules.]
t rule

[Screenshot: Packet rules for interfaces page listing each interface (e.g. Wireless Network Connection, Broadcom 802.11g Network Adapter; All WAN connections) with its assigned ruleset (Default rule).]

On the Packet rules for interfaces page, you can select a packet filtering ruleset to use for each network interface installed on your computer.

To set rulesets for network interfaces:
1. In the Dr.Web Firewall settings window, select Interfaces.
2. For an interface of interest, select the appropriate ruleset. If a ruleset does not exist, you can create a new set of packet filtering rules.
3. Click OK to save changes, or click Cancel to close the window without saving changes.

Advanced settings

On the Advanced settings page, you can select the default action which Dr.Web Firewall should execute when it detects a new connection attempt unknown to the firewall, and configure advanced settings. These rules are applied on the application level.

[Screenshot: Advanced settings page. Dr.Web Firewall operation mode: Allow unknown connections; Interactive learning mode; Block unknown connections. Check box: Allow loopback interface. Tabs: Packet filter, Advanced.]

To set the operation mode:
1. In the Dr.Web Firewall settings window, select Mode.
2. Select one of the following operation modes:
• Interactive learning mode (Default). Training mode: creates rules for known applications automatically, learning
tings

[Screenshot: Application filter settings page listing applications with their executable paths: Windows Explorer (explorer.exe), Adobe Updater (C:\program files\common files\adobe\updater), Mozilla Firefox (C:\program files\mozilla firefox\firefox.exe), Spooler SubSystem App (C:\windows\system32\spoolsv.exe), system process (SYSTEM), Java(TM) Update Scheduler (C:\program files\common files\java\java update), Host Process for Windows Tasks (C:\windows\system32\taskhost.exe), Windows Start-Up Application (C:\windows\system32\wininit.exe), Windows Media Player (C:\program files\windows media player), Winamp (C:\program files\winamp\winamp.exe), Host Process for Windows Services (C:\windows\system32\svchost.exe, custom), Plugin Container for Firefox (C:\program files\mozilla firefox\plugin container). Buttons: edit, copy.]

The Application filter settings page lists all applications and processes for which there is an application filter rule set. Each application is explicitly identified by the path to its executable file. Dr.Web Firewall uses the SYSTEM name to indicate the rule set applied to the operating system kernel (the system process, for which there is no unique executable file).

Dr.Web Firewall allows you to create no more than one set of rules per application.

To configure rule sets:
In the Dr.Web Firewall settings window, select the Applications page and do one of the following:
• to add a new set of rules, click New;
• to edit an existing set of rules, select the rule set i
tion can be used.

A demo key file can be used only on the computer where it was registered.

Subsequent Registration

If a key file is lost, you should register again. In this case, input the personal data which you provided during the previous registration. You may use a different e-mail address; in this case, the key file will be sent to the address specified.

When recovering a demo key file, you will receive the same key file as you received during the previous registration.

The number of requests for a key file receipt is limited. One serial number can be registered not more than 25 times. If more requests are sent, the key file will not be delivered. In this case, to receive a lost key file, contact Technical Support, describing your problem in detail and stating the personal data you input during registration and the serial number.

If no valid key file is found (license or demo), the functionality of the program is blocked.

Renewing registration

When a license expires or the security of your system is reinforced, you may need to update the license. The new license should then be registered with the product. Dr.Web Anti-virus supports hot license update without stopping or reinstalling the product.

To renew license key files:
1. Open License Manager.
To purchase a new license or renew an existing one, you can also use your personal web page on the Doctor Web web site. To visit your page, use My Dr.W
to the state of TCP sessions.

Select this check box to ensure correct processing of large amounts of data. The maximum transmission unit (MTU) may vary for different networks, therefore large IP packets may be received fragmented. When this option is enabled, Dr.Web Firewall applies the rule selected for the first fragment of a large IP packet to all other fragments. Clear this check box to process fragmented packets independently.

The New packet ruleset or Edit ruleset window lists the packet filtering rules for the selected rule set. You can configure the list by adding new rules for the application or by modifying existing rules and the order of their execution. The rules are applied according to their order in the set.

[Screenshot: packet ruleset window listing rules by Rule name: EAPoL (Authenticate via EAPoL 802.1x); PPPoE Discovery Stage; PPPoE Session Stage; GRE (Allow to establish VPN connections using GRE protocol); TCP Authorize Identification; Authorize most common Internet services; Authorize name resolution (DNS); KB951748 Authorize name resolution (DNS); Allow NetBIOS; BOOTP/DHCP.]

For each rule in the set, the following information is displayed:
• Enabled: execution states for the rule.
• Action: the action for Dr.Web Firewall to perform when the packet is intercepted:
  • Block packets
  • Allow packets
146. to the program with a high probability. Executable files compressed with special packers are unpacked when scanned. Files in archives of all commonly used types (ACE, ALZIP, AR, ARJ, BGA, 7-ZIP, BZIP2, CAB, GZIP, DZ, HA, HKI, LHA, RAR, TAR, ZIP), in containers (1C, CHM, MSI, RTF, ISO, CPIO, DEB, RPM) and in the mailboxes of mail programs (the format of mail messages should conform to RFC 822) are also checked. By default, Dr.Web Anti-virus informs the user about any infected or suspicious objects in a special report field generated at the bottom of the Scanner main window (see the illustration below). For more information, see Adjusting the Scanner Settings.

Screenshot: Dr.Web Scanner for Windows main window (Scan and Statistics tabs; Express scan and Complete scan; a tree of Local Disk C:, Recycle Bin and Documents and Settings). The report field (columns Object / Path / Status / Action) lists one object, test.txt, under C:\Documents and Settings, with status "EICAR Test File (NOT a Virus)"; the status bar reads "Done, viruses found: 1".

Launching Scanner. General information. If your system has not been scanned for 7 days, a corresponding notification appears (see SpIDer Agent). Scanner is installed as a usual Windows application and can be launched by the us
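The screenshot above shows the EICAR test file being reported. To check the claim that archives and containers are scanned too, a practitioner builds a small test set rather than using real malware. The following Python script is an added example, not part of the manual or of Dr.Web: it writes the standard EICAR test string as a plain file, inside a ZIP, inside a ZIP nested in a ZIP, and gzip-compressed, and verifies that each container unwraps back to the exact string. The directory layout and file names are my own; EICAR itself is the industry-standard harmless detection test string.

```python
"""Build an EICAR test set for checking archive scanning (added example, not Dr.Web code)."""
import gzip
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict

# The 68-byte EICAR test string, split in two so a plain search of this source does not match it.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$" "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def zip_bytes(member_name: str, data: bytes) -> bytes:
    """Return an in-memory ZIP archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_test_set(target_dir: Path) -> Dict[str, Path]:
    """Write the four test files and return their paths keyed by packaging type."""
    target_dir.mkdir(parents=True, exist_ok=True)
    variants = {  # constructed file names; the payload is the same everywhere
        "plain": (target_dir / "eicar.com", EICAR),
        "zip": (target_dir / "eicar.zip", zip_bytes("eicar.com", EICAR)),
        "nested_zip": (target_dir / "eicar_nested.zip",
                       zip_bytes("inner.zip", zip_bytes("eicar.com", EICAR))),
        "gzip": (target_dir / "eicar.com.gz", gzip.compress(EICAR)),
    }
    paths: Dict[str, Path] = {}
    for key, (path, data) in variants.items():
        path.write_bytes(data)
        paths[key] = path
    return paths


def build_in_tempdir() -> Dict[str, Path]:
    """Convenience: build the set in a fresh temporary directory."""
    return build_test_set(Path(tempfile.mkdtemp(prefix="eicar_")))


def payload_of(path: Path) -> bytes:
    """Unwrap ZIP and gzip layers until the innermost file and return its bytes."""
    data = path.read_bytes()
    while True:
        if data[:2] == b"PK":                      # ZIP local file header
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = zf.read(zf.namelist()[0])
        elif data[:2] == b"\x1f\x8b":              # gzip magic
            data = gzip.decompress(data)
        else:
            return data


def verify_test_set(paths: Dict[str, Path]) -> Dict[str, bool]:
    """True for every file whose innermost payload is exactly the EICAR string."""
    return {key: payload_of(path) == EICAR for key, path in paths.items()}


if __name__ == "__main__":
    built = build_in_tempdir()
    for key, ok in verify_test_set(built).items():
        print(f"{key:11s} {built[key]}  payload intact: {ok}")
```

Point Scanner at the directory the script prints; every file, including the nested archive, should be reported as the EICAR test file. An archive that goes unreported while the plain file is caught indicates that archive scanning is disabled or limited in the settings.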
147. ugh networks. Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections at both the network and the application level.

To ensure comprehensive anti-virus protection, we advise you to use the Dr.Web Anti-virus components as follows:
- scan the PC's file system with the default (maximum) scanning detail settings;
- keep the default settings of SpIDer Guard;
- perform complete e-mail scanning with SpIDer Mail;
- block all unknown connections with Dr.Web Firewall;
- perform a periodic complete scan of the PC, coordinated with the time of the virus database updates, at least once a week;
- immediately perform a complete scan if SpIDer Guard was temporarily disabled while the PC was connected to the Internet or files were downloaded from removable media.

Anti-virus protection can only be effective if you update the virus databases and other files of the program regularly, preferably every hour. For more information, read Automatic Updating of the Virus Databases and Other Files of the Program.

SpIDer Agent. After installing Dr.Web Anti-virus, a SpIDer Agent icon is added to the taskbar notification area. If you hover the mouse cursor over the icon, a pop-up appears with information about the running components, the date of the last update, and the number of virus signatures in the virus databases. Also, notifications which are adjusted in the settings (see be
148. ults.
- To restore the default Dr.Web Firewall operation mode, click Restore defaults in the Advanced settings section.
3. Click OK to save the changes, or click Cancel to close the window without saving.

Event Logging. Dr.Web Firewall registers connection attempts and network packets in the following logs:
- Application Filter Log (Application journal), which contains information on network connection attempts by various applications and the rules applied to process each attempt;
- Packet Filter Log (Packet Filter journal), which contains information on network packets processed by Firewall, the rules applied to process the packets, and the network interfaces used to transmit them. The level of detail depends on the settings of each packet or application rule.
The Active applications page displays the applications currently connected to a network.

To open the journals:
1. Click the SpIDer Agent icon.
2. Select Firewall, then select Statistics.

Active Applications. The list of active applications shows information on the programs that are accessing network resources at the moment. Several Windows services run inside the same svchost.exe image, so the PID, not the image path, is what tells such entries apart.

Screenshot: Active network-enabled applications list (tabs: Active applications, Application journal, Packet Filter journal), with columns Application / PID / Path:
SYSTEM | 4 | SYSTEM
Host Process for Windows Services | 680 | C:\windows\system32\svchost.exe
Host Process for Windows Services | 1096 | C:\windows\system32\svchost.exe
Host Process for Windows Services | | C:\windows
149. ure that no other anti-virus software is installed, select the check box below and click Next.

4. In the next window you will be offered to install Dr.Web Firewall.
Screenshot: "Dr.Web anti-virus for Windows 6.0 x86" installer, Firewall installation step. Dialog text: "Select the option which best suits your situation. Dr.Web Firewall protects your computer from unauthorized access and prevents leaks of vital data through networks." with the Install Dr.Web Firewall check box.
5. If in the previous step you selected the Install Dr.Web Firewall check box, the installation wizard informs you of possible incompatibility of Dr.Web with other firewalls installed on your computer and offers to uninstall or disable them. If other firewalls are installed on your computer, it is recommended to click Cancel and terminate the installation, delete or deactivate the other firewalls, and only then continue the installation. To continue the installation, select the "I confirm that no other firewall is installed on this computer" check box and click Next.
6. The installation program brings up a warning window requesting a key file (license or demo) required for the program's operation. If a key file is present on your hard drive or on removable media, click Browse, select the key file and click Next.
Screenshot: installer key file step. Dialog text: "Select the option which best suits your situation. Dr.Web anti-virus for Windows 6.0 x86 can only be used if you have a valid k
150. user's assistance, settings for the program's automatic reaction upon detection of infected objects can be applied.

To set the program's reaction upon detection of infected objects:
1. Select the Actions tab in the Scanner settings window.
Screenshot: Actions tab (tabs: Actions, Log file, General). Under Malware: drop-down lists for Infected objects, Incurable objects, Suspicious objects, Adware, Dialers, Jokes, Riskware and Hacktools; under Infected packages: Archives, E-mails and Containers; each shown set to Report. Below: the Rename extension field, the Move path field ("infected"), and the Prompt on action check box.
2. In the Infected objects drop-down list, select the program's action upon detection of an infected object. Note: the Cure action is the best for automatic mode.
3. In the Incurable objects drop-down list, select the program's action upon detection of an incurable object. The range of actions is the same as described above, but the Cure action is not available. Note: the Move to action is the best in most cases.
4. In the Suspicious objects drop-down list, select the program's action upon detection of a suspicious object, in the same way as in the previous step. Note: it is recommended to keep the default Report action.
Similar actions should be specified for detection of objects containing Adware, Dialers, Jokes, Riskware and Hacktool
151. utton. To select objects in the report list, the following keys and key combinations can also be used:
- Insert, to select an object;
- CTRL+A, to select all objects;
- the asterisk key on the numeric keypad, to select or deselect all.
2. Select the action you want to apply in the context menu that opens, or click the corresponding button at the bottom of the report field.
3. If the Cure action is selected, choose another action to apply in case curing fails.

The Rename action replaces the file extension: by default, the first character of the extension is replaced with the symbol set in the Scanner settings (Rename extension). The Move action moves the object to the folder specified in the program's settings; by default, this is the infected subfolder of the program's installation directory. The Delete action deletes the infected object.

Note: suspicious objects are moved to the infected folder and should be sent for analysis to the anti-virus laboratory of Doctor Web Ltd. through a specially designed web form at http://support.drweb.com/sendnew. Curing is impossible for suspicious objects. For objects which are not files (boot sectors), moving, renaming and deletion are impossible. For files inside archives, containers or attachments, no actions are possible. By default, when the Delete action is applied to file archives, containers or mailboxes, the p
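The Actions settings above and the action rules in this step combine into a small decision procedure: a primary action per object class, a fallback when curing fails, and the restrictions on boot sectors and archive members. The following Python planner is an added example, not Dr.Web code, that encodes exactly those rules and computes the resulting path for Rename and Move without touching the file system. The installation directory, the object classes used as keys, and the replacement symbol "#" are assumptions (the excerpt does not show the actual symbol); the sample objects are constructed.

```python
"""Planner for Scanner actions as described in the manual (added example, not Dr.Web code)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Optional, Tuple

INSTALL_DIR = PureWindowsPath(r"C:\Program Files\DrWeb")  # assumed installation directory
MOVE_DIR = INSTALL_DIR / "infected"                        # default Move folder per the manual
RENAME_SYMBOL = "#"                                        # assumed: the excerpt does not show it

# (primary action, fallback if curing fails); the defaults the manual recommends
POLICY: Dict[str, Tuple[str, Optional[str]]] = {
    "infected": ("Cure", "Move"),
    "incurable": ("Move", None),
    "suspicious": ("Report", None),
    "adware": ("Report", None),
    "riskware": ("Report", None),
}


@dataclass(frozen=True)
class ScanObject:
    path: str
    status: str                 # key into POLICY
    kind: str = "file"          # "file", "boot_sector" or "archive_member"
    cure_succeeds: bool = True  # outcome of the cure attempt in this model


@dataclass(frozen=True)
class Plan:
    action: str
    target: Optional[str] = None  # resulting path for Rename/Move, None otherwise
    note: str = ""


def rename_path(path: str) -> str:
    """Replace the first character of the extension: evil.exe -> evil.#xe."""
    p = PureWindowsPath(path)
    if len(p.suffix) < 2:        # no extension: nothing to replace
        return str(p)
    return str(p.with_suffix("." + RENAME_SYMBOL + p.suffix[2:]))


def move_path(path: str) -> str:
    """Destination inside the infected subfolder of the installation directory."""
    return str(MOVE_DIR / PureWindowsPath(path).name)


def plan_action(obj: ScanObject, policy=POLICY) -> Plan:
    if obj.kind == "archive_member":   # files inside archives, containers, attachments
        return Plan("Report", note="no actions are possible for files inside archives")
    action, fallback = policy[obj.status]
    if action == "Cure":
        if obj.status in ("incurable", "suspicious"):
            raise ValueError(f"Cure is not available for {obj.status} objects")
        if obj.cure_succeeds:
            return Plan("Cure")
        action = fallback or "Report"  # curing failed: apply the fallback action
    if obj.kind == "boot_sector" and action in ("Move", "Rename", "Delete"):
        return Plan("Report", note=f"{action} is impossible for boot sectors")
    if action == "Move":
        return Plan("Move", move_path(obj.path))
    if action == "Rename":
        return Plan("Rename", rename_path(obj.path))
    return Plan(action)                # Delete or Report


def demo() -> Dict[str, Plan]:
    samples = {  # constructed objects, not real scan results
        "cured": ScanObject(r"C:\Users\bob\Downloads\evil.exe", "infected"),
        "cure_failed": ScanObject(r"C:\Users\bob\Downloads\evil.exe", "infected", cure_succeeds=False),
        "incurable": ScanObject(r"C:\Temp\dropper.dll", "incurable"),
        "suspicious": ScanObject(r"C:\Temp\packed.scr", "suspicious"),
        "boot_sector": ScanObject(r"\\.\PhysicalDrive0", "infected", kind="boot_sector",
                                  cure_succeeds=False),
        "in_archive": ScanObject(r"C:\Temp\mail.zip\evil.exe", "infected", kind="archive_member"),
    }
    plans = {name: plan_action(obj) for name, obj in samples.items()}
    # A custom policy: Rename riskware instead of only reporting it
    plans["renamed"] = plan_action(ScanObject(r"C:\Temp\tool.exe", "riskware"),
                                   {"riskware": ("Rename", None)})
    return plans


if __name__ == "__main__":
    for name, plan in demo().items():
        print(f"{name:12s} {plan.action:7s} {plan.target or ''} {plan.note}")
```

The "boot_sector" case shows why the fallback matters: Cure fails, the configured fallback is Move, but Move is impossible for a boot sector, so the only remaining outcome is a report; choosing Delete or Rename as fallback would end the same way.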
152. v6 (available for the IPv6 network-level protocol only); IGMP (available for the IPv4 network-level protocol only); GRE (available for the IPv4 network-level protocol only); SIPP; ESP. To apply the rule to all protocols, select Unspecified.

For the ARP or EAPoL (802.1x) protocols you cannot select a transport-level protocol.

MAC. Click to view the MAC address filtering options. Configure the following parameters:
- Local MAC address: the MAC address of your network card;
- Remote MAC address: the MAC address of the remote computer.
Keep in mind that a MAC address is set by the sender and is trivial to spoof, so a MAC filter narrows a rule to a given link-layer peer but does not authenticate it.
3. When you finish adjusting the settings, click OK to save the changes or Cancel to reject them.

Network Interfaces. On the Interfaces page you can select a rule set to use for filtering packets transmitted through different network interfaces. Interfaces represent physical or logical devices which provide connectivity between your computer and networks or mobile devices. Through connection interfaces you gain access to remote resources or access your computer from mobile devices. With Dr.Web Firewall you can assign filters or rules to each interface separately.

Screenshot: Interfaces page (tabs: Applications, Interfaces, Packet filter; Restore defaults button), table "Packet rules for interfaces" with columns Network interface / Adapter / Rule; row: Local Area Connection | Marvell Gigabit | Defaul
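The packet-rule settings described in this section (protocol, with Unspecified matching everything; Local and Remote MAC filters; one rule set per interface) and the rule-set semantics described earlier (rules tried in their listed order, and the fragment option that reuses the first fragment's verdict) fit together in a few dozen lines. The following Python model is an added example, not Dr.Web code, and goes slightly beyond the text by showing a concrete consequence of clearing the fragment checkbox: only the first fragment carries the TCP header, so a port-based Block rule cannot match the later fragments when they are judged on their own, and they fall through to a later Allow rule. All packets, MAC addresses, rule names and the default verdict when no rule matches are constructed assumptions.

```python
"""Model of the packet-filter semantics in the manual (added example, not Dr.Web code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str]  # (action, name of the deciding rule)


@dataclass(frozen=True)
class Packet:
    iface: str                    # interface the packet crosses
    direction: str                # "in" or "out"
    proto: str                    # "TCP", "UDP", "ARP", "GRE", ...
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None  # None for non-IP frames such as ARP
    dst_ip: Optional[str] = None
    dport: Optional[int] = None   # None when the packet carries no transport header
    ip_id: Optional[int] = None   # IP Identification, shared by all fragments of a datagram
    frag_offset: int = 0          # 0 for the first (or only) fragment
    more_fragments: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "Allow" or "Block"
    enabled: bool = True
    direction: str = "Any"        # "Inbound", "Outbound" or "Any"
    proto: str = "Unspecified"    # "Unspecified" matches all protocols
    dport: Optional[int] = None
    local_mac: Optional[str] = None
    remote_mac: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.direction == "Inbound" and p.direction != "in":
            return False
        if self.direction == "Outbound" and p.direction != "out":
            return False
        if self.proto != "Unspecified" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # Local is our card, Remote the peer; which MAC is which depends on direction
        local, remote = (p.dst_mac, p.src_mac) if p.direction == "in" else (p.src_mac, p.dst_mac)
        if self.local_mac and self.local_mac.lower() != local.lower():
            return False
        if self.remote_mac and self.remote_mac.lower() != remote.lower():
            return False
        return True


class PacketFilter:
    def __init__(self, rule_sets: Dict[str, List[Rule]], iface_rule_set: Dict[str, str],
                 fragment_tracking: bool = True, default_action: str = "Block"):
        self.rule_sets = rule_sets            # rule set name -> ordered rules
        self.iface_rule_set = iface_rule_set  # interface -> rule set assigned to it
        self.fragment_tracking = fragment_tracking
        self.default_action = default_action  # assumption: verdict when no rule matches
        self._frag_verdicts: Dict[Tuple, Verdict] = {}

    def _evaluate(self, p: Packet) -> Verdict:
        for rule in self.rule_sets[self.iface_rule_set[p.iface]]:
            if rule.enabled and rule.matches(p):  # first match in list order decides
                return rule.action, rule.name
        return self.default_action, "<default>"

    def filter(self, p: Packet) -> Verdict:
        is_fragment = p.frag_offset > 0 or p.more_fragments
        if not (self.fragment_tracking and is_fragment):
            return self._evaluate(p)      # checkbox cleared: every packet judged on its own
        key = (p.src_ip, p.dst_ip, p.ip_id)
        if p.frag_offset == 0:            # first fragment: the only one with the transport header
            verdict = self._evaluate(p)
            self._frag_verdicts[key] = verdict
        else:                             # later fragment: reuse the first fragment's verdict
            verdict = self._frag_verdicts.get(key) or self._evaluate(p)
        if not p.more_fragments:          # last fragment: forget the datagram
            self._frag_verdicts.pop(key, None)
        return verdict


LAN_RULES = [  # order matters: the admin exception must precede the block
    Rule("Allow admin host SMB", "Allow", direction="Inbound", proto="TCP", dport=445,
         remote_mac="00:11:22:33:44:55"),
    Rule("Block inbound SMB", "Block", direction="Inbound", proto="TCP", dport=445),
    Rule("Allow everything else", "Allow"),  # proto Unspecified: also matches ARP, GRE, ...
]
CONFIG = dict(rule_sets={"Default": LAN_RULES}, iface_rule_set={"Local Area Connection": "Default"})


def demo() -> Dict[str, Verdict]:
    """One fragmented inbound SMB datagram under both fragment settings, plus two controls."""
    ours, admin, other = "aa:aa:aa:aa:aa:aa", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    first = Packet("Local Area Connection", "in", "TCP", other, ours, "10.0.0.9", "10.0.0.1",
                   dport=445, ip_id=0x1234, more_fragments=True)
    later = Packet("Local Area Connection", "in", "TCP", other, ours, "10.0.0.9", "10.0.0.1",
                   dport=None, ip_id=0x1234, frag_offset=1480)
    from_admin = Packet("Local Area Connection", "in", "TCP", admin, ours, "10.0.0.2", "10.0.0.1",
                        dport=445)
    arp = Packet("Local Area Connection", "in", "ARP", other, "ff:ff:ff:ff:ff:ff")
    tracked = PacketFilter(**CONFIG)
    independent = PacketFilter(fragment_tracking=False, **CONFIG)
    return {
        "first_fragment": tracked.filter(first),
        "later_fragment_tracked": tracked.filter(later),
        "later_fragment_independent": independent.filter(later),
        "admin_host": tracked.filter(from_admin),
        "arp": tracked.filter(arp),
    }


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:28s} {action:5s} by rule {rule!r}")
```

With tracking on, the second fragment inherits the Block that the first fragment earned; with tracking off it matches only the catch-all Allow, which is the evasion the checkbox exists to prevent. Rule order is equally visible: swapping the first two rules would block the admin host too.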