Dr.Web Security Space
Contents
1. SpIDer Guard is an anti-virus guard. The program resides in the main memory, checks files and memory on the fly, and detects virus-like activity. SpIDer Mail is an anti-virus guard for email. The program intercepts calls sent from mail clients to mail servers through the POP3/SMTP/IMAP4/NNTP protocols (IMAP4 stands for IMAPv4rev1) and detects and neutralizes mail viruses before a mail message is received by the mail client or before a mail message is sent to the mail server. SpIDer Mail uses Anti-spam to scan mail for spam messages. Dr.Web for Outlook is a plug-in that checks Microsoft Outlook mailboxes for viruses and spam. SpIDer Gate is an HTTP monitor. By default, SpIDer Gate automatically checks incoming HTTP traffic and blocks all malware objects. The Parental Control component is used to restrict access to devices and various local and network resources, and allows you to set custom time limits on using your computer and the Internet for different Windows accounts. Dr.Web Firewall protects your computer from unauthorized access and prevents vital data from leaking through networks. Dr.Web Updater allows registered users to receive updates of the virus database and other program files, as well as automatically install them. SpIDer Agent is a utility that lets you set up and manage Dr.Web Security Space components. 1.1. About
2. ASU <action>: action for suspicious files (R possible DQIR). Several parameters can have modifiers that clearly enable or disable options specified by these keys. For example: AC option is clearly disabled; AC, AC option is clearly enabled. These modifiers can be useful if the option was enabled or disabled by default or was set in the configuration file earlier. Keys with modifiers are listed below: AC, AFS, AR, BI, DR, HA, LN, LS, MA, NB, NT, OK, QNA, REP, SCC, SCN, SLS, SPN, SPS, SST, TB, TM, TR, WCL. For the FL parameter, the modifier directs to scan paths listed in the specified file and then delete this file. For the ARC, ARL, ARS, ART, ARX, NI X, PAL, RPC and W parameters, a 0 value means that there is no limit. Example of using command line parameters with Console Scanner: <path_to_file>dwscancl AR AIN C AIC Q C (scan all files on disk C, excluding those in archives; cure the infected files and move to quarantine those that cannot be cured). To run Scanner the same way, type the dwscanner command name instead of dwscancl. Dr.Web Updater Command Line Parameters. Common options: h help v verbosity arg d data dir arg log dir arg log file arg dwupdater log r repo dir arg t trace c command arg update z zone arg Show this message Log lev
3. TB: check boot sectors, including the master boot record (MBR) of the hard drive.
TM: check processes in memory, including the Windows system control area.
TR: check system restore points.
W <sec>: maximum time to scan (unlimited, sec).
WCL: drwebwcl compatible output. For Console Scanner only.
X S R: set power state shutDown/Reboot/Suspend/Hibernate with reason R (for shutdown/reboot).
Action for different objects (C: cure, Q: move to quarantine, D: delete, I: ignore, R: inform. R is available for Console Scanner only. R is set by default for all objects in Console Scanner):
AAD <action>: action for adware (R possible DQIR).
AAR <action>: action for infected archives (R possible DQIR).
ACN <action>: action for infected installation packages (R possible DQIR).
ADL <action>: action for dialers (R possible DQIR).
AHT <action>: action for hacktools (R possible DQIR).
AIC <action>: action for incurable files (R possible DQR).
AIN <action>: action for infected files (R possible CDQR).
AJK <action>: action for jokes (R possible DQIR).
AML <action>: action for infected email files (R possible QIR).
ARW <action>: action for riskware (R possible DQIR).
4. 8. SpIDer Gate. [Screenshot: SpIDer Gate settings window] In the Blocking parameters group, you can enable automatic blocking of URLs listed due to a notice from a copyright owner (select the corresponding checkbox) and blocking of unreliable websites (select Block not recommended sites). To specify sites that should be allowed for access regardless of other restrictions, click White list. You can also configure blocking of malicious programs and objects. By default, all malicious programs are blocked. Excluded Applications Page. By default, SpIDer Gate checks incoming and outgoing HTTP traffic on any port. On the Excluded Applications page, you can set up which applications to include or exclude from monitoring. Add applications whose network activity should not be checked at all to the Excluded applications list. You should only add applications which you trust to this list. To add an application to a list, click Browse and select the application in a standard window. To delete an application from a list, select it and click De
5. do not backup cured or deleted files. Option is disabled by default.
NI X: limits usage of system resources at scanning and priority of the scanning process (unlimited).
NOREBOOT: cancel system reboot or shutdown after scanning. For Scanner only.
NT: check NTFS streams. Option is enabled by default.
OK: display the full list of scanned objects, showing Ok for clean files. Option is disabled by default.
P <prio>: priority of the current scanning task: 0 (the lowest), L (low), N (general; priority by default), H (high), M (maximal).
PAL <level>: maximum pack level. Value is 1000 by default.
QL: list quarantined files on all disks. For Console Scanner only.
QL <logical_drive_name>: list quarantined files on the specified drive (letter). For Console Scanner only.
QNA: double quote file names.
QR d p: delete quarantined files on drive <d> (letter) that are older than <p> (number) days. If <d> is not specified, then files are deleted on all drives; if <d> is not specified, then all quarantined files are deleted regardless of their age (0 days). For Console Scanner only.
QUIT: terminate Dr.Web Scanner once scanning completes, whether or not the detected threats are neutralized. For Scanner only.
RA <file.log>: append the specified file with the current scanning report. By default, report is not generated.
REP
6. preventive protection events, connections to anti-virus network. To view log files: click View log files. Memory dump creation: the Create memory dumps at scan errors option allows saving the maximum of useful information on the reasons behind failures of Dr.Web Security Space components. This helps Doctor Web Technical Support specialists analyze an occurred problem in detail and find a solution. It is recommended to enable this option when operational errors occur. To enable detailed logging: Logging detailed data on Dr.Web Security Space operation may result in considerable log growth and increase in process load. It is recommended to use this mode only when errors occur or by request of Doctor Web Technical Support. 1. To enable detailed logging for a Dr.Web Security Space component, set the corresponding checkbox. 2. By default, detailed logging mode is used before the first restart of the operating system. If it is necessary to log component activity before and after the restart, set the Continue detailed logging after reboot (not recommended) checkbox. 3. Save the changes. By default, the size of log files is restricted to 10 MB. Quarantine settings: to configure Quarantine settings, click the corresponding Change button. You can configure Dr.Web Security Space Quarantine, estimate its size and delete isolated files from a specified logical drive
7. the packet sent from the network to your computer was blocked; the packet sent from your computer to the network was blocked. Rule name: the name of the applied rule. Interface: the interface used to transmit the packet. Packet data: packet details. The Logging mode setting of the rule determines the amount of stored data. On this page, you can save the information to a file or clear the log. To save packet filter log: click Save, then enter the file name where to store the log. To clear packet filter log: click Clear. All information will be deleted from the log. 11. Automatic Updating. Anti-virus solutions of Doctor Web use Dr.Web virus databases to detect computer threats. These databases contain details and signatures for all virus threats known at the moment of the product release. However, modern virus threats are characterized by high-speed evolvement and modification. Within several days, and sometimes hours, new viruses and malicious programs emerge. To mitigate the risk of infection during the licensed period, Doctor Web provides you with regular updates to virus databases and product components, which are distributed via the Internet. With the updates, Dr.Web Security Space receives information required to detect new viruses, block their spreading and sometimes cure infected files which were incurable before. From ti
8. 3.2.7. Advanced Page. On this page, you can select a language for the settings, configure report and Quarantine options, and enable check of encrypted traffic. [Screenshot: Advanced page of the Main settings] In the drop-down list, you can select the language to use in the Dr.Web Security Space graphical interface. All available languages are listed automatically. Report Settings: to configure report settings, click the corresponding Change button. [Screenshot: report settings window] By default, reports are kept in the standard mode and the following information is logged. SpIDer Guard: time of updates and SpIDer Guard starts and stops, virus events, names of scanned
9. [Screenshot: SpIDer Guard scan options] When you attempt to execute an EICAR test file while SpIDer Guard is running in the Optimal mode, the operation is not terminated and the file is not processed as malicious, since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, then it is detected by SpIDer Guard and moved to Quarantine by default. In Paranoid mode, SpIDer Guard scans files that are being opened, created or changed on the hard drives, on removable media and network drives. Selecting the Use heuristic analysis checkbox enables the heuristic analyser mode (a method of virus detection based on the analysis of actions specific for viruses). You can also enable background scanning of your operating system for rootkits, i.e. malicious programs that are used for hiding changes to the operating system, such as running of particular processes, registry changes, and modifications to files and folders. The Anti-rootkit component included in Dr.Web Security Space provides options for background scanning of the operating system for complex threats and curing of detected active infections when necessary. If this option is enabled, Dr.Web Anti-rootkit constantly resides in memory. In contrast to on-the-fly scanning of files by SpIDer Guard, scanning fo
10. follow symbolic links while scanning. Option is disabled by default.
RP <file.log>: rewrite the specified file with the current scanning report. By default, report is not generated.
RPC <secs>: Dr.Web Scanning Engine connection timeout. Timeout is 30 seconds by default. For Console Scanner only.
RPCD: use dynamic RPC identification. For Console Scanner only.
RPCE: use dynamic RPC endpoint. For Console Scanner only.
RPCE <target_address>: use specified RPC endpoint. For Console Scanner only.
RPCH <target_address>: use specified host name for remote call. For Console Scanner only.
RPCP <target_address>: use specified RPC protocol. Possible protocols: lpc, np, tcp. For Console Scanner only.
SCC: show content of complex objects. Option is disabled by default.
SCN: show name of installation package. Option is disabled by default.
SILENTMODE: perform a background scan. On threat detection, the Dr.Web Scanner window opens and displays the list of detected threats. Otherwise, the window does not display. For Scanner only.
SLS: show log on the screen. Option is enabled by default. For Console Scanner only.
SPN: show names of packers. Option is disabled by default.
SPS: display scan progress on the screen. Option is enabled by default. For Console Scanner only.
SST: display object scan time. Option is disabled by default.
11. [Screenshot: Actions settings, with Move to quarantine (recommended) selected for Adware, Dialers, Jokes, Riskware, Hacktools and Containers] 2. In the Infected objects drop-down list, select the program's action upon detection of an infected object. The Cure action is the best in most cases. 3. Select the program's action upon detection of an incurable object in the Incurable objects drop-down list. The range of actions is the same as for infected objects, but the Cure action is not available. The Move to quarantine action is the best in most cases. 4. In the Suspicious objects drop-down list, select the program's action upon detection of a suspicious object (fully similar to the previous paragraph). 5. Similar actions should be specified for detection of objects containing Adware, Dialers, Jokes, Riskware and Hacktools. 6. The same way, the automatic actions of the program upon detection of viruses or suspicious codes in file archives, installation packages and mailboxes, applied to these objects as a whole, are set up. 7. To cure some infected files, it is necessary to reboot Windows. You can choose one of the following: Restart computer automatically (it can lead to loss of unsaved data); Prompt restart. Ex
12. scanning is performed with the settings specified earlier, or with the default settings if you have not changed them. Each switch begins with a forward slash character and is separated with a blank from other switches. 4.5. Console Scanner. Dr.Web Security Space also includes Console Scanner that provides advanced settings. Console Scanner moves suspicious files to Quarantine. To run Console Scanner, enter the following command: <path_to_program>dwscancl <switches> <objects>. The list of objects for scanning can be empty or contain several elements separated with blanks. Switches are command line parameters that specify program settings. Several parameters are divided by spaces. For the full list of available switches, refer to Appendix A.
Return codes:
0: Scanning was completed successfully, infected objects were not found.
1: Scanning was completed successfully, infected objects were detected.
10: Invalid keys are specified.
11: Key file is not found or does not license Console Scanner.
12: Scanning Engine did not start.
255: Scanning was aborted by user.
4.6. Automatic Launch of Scanning. During Dr.Web Security Space installation, an anti-virus scanning task is automatically created in the Task Scheduler (the task is disabled by default). To view the parameters of
13. 68-byte COM file that prints the following line on the console when executed: EICAR STANDARD ANTIVIRUS TEST FILE. The test.com file contains the following character string only: X50 PS AP 4 PZX54 P 7CC 7 SEICAR STANDARD ANTIVIRUS TEST FILE H H. To create your own test file with the virus, you can create a new file with this line and save it as test.com. When you attempt to execute an EICAR file while SpIDer Guard is running in the optimal mode, the operation is not terminated and the file is not processed as malicious, since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, then it is detected by SpIDer Guard and moved to Quarantine by default. 2. Installing the program. Before installing Dr.Web Security Space, note the system requirements and do the following: install all critical updates released by Microsoft for the OS version used on your computer (they are available on the company's updating web site at http://windowsupdate.microsoft.com); check the file system with the system utilities and remove the detected defects; close all active applications. Remove any anti-virus software and firewalls from your computer to prevent possible incompatibility of resident components. 2.1. Installation Procedure. Only a user with administrative privileges can i
14. [Screenshot: SpIDer Mail Anti-spam settings page] The following headers will be added to all scanned messages: X-DrWeb-SpamState: Yes/No. Yes shows that the message is spam; No means that SpIDer Mail does not regard the message as spam. X-DrWeb-SpamVersion: version, where version is the version of the Anti-spam library. X-DrWeb-SpamReason: spam rate. Spam rate includes a list of evaluations on various spam criteria. If you use IMAP or NNTP, configure your email client to download complete messages from the email server at once, without previewing their headers. This is important for correct operation of the spam filter. Selecting the Add a prefix to the subjects of spam messages check box instructs SpIDer Mail to add a special prefix to subjects of spam messages. This prefix can be specified in the field below. Use of the prefix will allow you to create filter rules for spam in email clients which do not support filtering by headers (e.g., MS Outlook Express). Selecting the Allow Cyrillic text
15. Infected: number of messages with viruses. Suspicious: number of messages presumably infected with a virus (upon a reaction of the heuristic analyzer). Cured: number of objects successfully cured by the program. Not checked: number of objects which cannot be checked or for which an error has occurred during scan. Clear: number of messages which are not infected. Then the number of the following categories of treated objects is specified. Moved to quarantine: number of objects which have been moved to Quarantine. Deleted: number of objects deleted from the system. Skipped: number of objects skipped without changes. Spam messages: number of objects detected as spam. By default, the statistics file is the drwebforoutlook.stat file that is located in the %USERPROFILE%\DoctorWeb folder (for Windows 7, C:\Users\<username>\DoctorWeb). To clear statistics, delete this file. The drwebforoutlook.stat statistics file is individual for each system user. 8. SpIDer Gate. SpIDer Gate is an anti-virus HTTP monitor. By default, SpIDer Gate automatically checks incoming HTTP traffic and blocks all malware objects. HTTP is used by web browsers, download managers and other applications which exchange data with web servers, i.e. which work with the Internet. You can configure SpIDer Gate to completely disable monitoring of incoming or outgoing traffic, compose a list o
16. Mail. [Screenshot: SpIDer Mail Excluded applications page] To add a file, folder or mask to the list, type its name into the entry field and click Add. To enter an existing file name or folder, you can click Add to the right and select the object in a standard file browsing window. To remove a file or folder from the list, select it in the list and click Remove. 7. Dr.Web for Outlook. The Dr.Web for Outlook plug-in performs the following functions: anti-virus check of email attachments transferred via SMTP, POP3 and HTTP protocols; check of email attachments transferred via SSL encrypted connections; spam check; detection and neutralizing of malicious objects; malware detection; heuristic analysis for additional protection against unknown viruses. 7.1. Configuring Dr.Web for Outlook. You can configure Dr.Web for Outlook plug-in operation and review statistics in the Microsoft Outlook mail application, in the Tools > Options > Dr.Web Anti-virus tab (in Files > Options, select Dr.Web for Outlook and click the Add-in Options button for Microsoft Outlook 2010). The Dr.Web Anti-virus tab of Microsoft Outlook parameters is active only if the user has permissions to change these
17. anti-virus. An icon for the remote SpIDer Agent appears in the Windows notification area. The user of the remote anti-virus will be notified about remote connection. The following items to configure and manage remote Dr.Web Security Space are available (set of components depends on which Dr.Web product is installed): About; Register license; My Dr.Web; Help; SpIDer Guard; SpIDer Mail; SpIDer Gate; Parental Control; Firewall; Tools; Updater. The Tools item opens a submenu that provides access to: License Manager; Dr.Web Security Space settings; Report generation wizard. You can manage settings, enable or disable components and look through statistics. Anti-virus Network, Quarantine Manager and Scanner are not available. Firewall settings and statistics are not available as well, but you can enable or disable Firewall (if you accessed Dr.Web Anti-virus or Dr.Web Security Space). Also, you can select the Disconnect item to terminate remote connection. If the required computer is not on the list, you can try to add it manually. For this, click the Add button and enter the IP address. You can establish only one connection with a remote Dr.Web product. If one connection is already established, the Connect button is disabled. Computers are listed in Anti-virus Network if Dr.Web products installed on these computers allow remote connection. You can allow connection
18. Tools > User mode. If the Statistics menu item is selected, a window with information on the program's operation during the current session (the number of blocked resources of different types, last allowed or restricted URLs) will open. The Settings menu item gives access to the main part of the program parameters (for details, see Parental Control Settings). The Settings item is not available in User mode. You can restore settings to their default values on the Restore defaults page of Dr.Web Security Space Main settings. 9.2. Parental Control Settings. The default settings are optimal for most cases. They should not be changed without necessity. To change the settings of the Parental Control: 1. Make necessary changes on the pages of the Parental Control Settings window. 2. For more information about settings on a page, click the Help 3. When you finish adjusting the settings, click OK to save changes or Cancel to reject them. Users Page. On this page, you can set restrictions on Web access as well as the time spent in the Internet or working on the computer. [Screenshot: Parental Control Users page] For different Windows accounts, restrictions are assigned separately and display next to the corresponding account. Acc
19. check box instructs the spam filter to analyze messages with Cyrillic encoding. If the check box is not selected, it is highly possible that messages with Cyrillic encoding will be regarded as spam. Functioning of the Allow Asian text check box is the same as the one described above, but for East Asian encodings. In the White list and Black list fields, white and black lists of senders' addresses are specified. If a sender's address is on the white list, the message is not scanned for spam. If a sender's address is on the black list, the message will be automatically regarded as spam. The asterisk symbol can stand for a part of address (e.g., *@domain.org denotes all addresses with the domain.org domain name). Addresses must be divided by a semicolon. If the spam filter regards certain messages as spam by mistake, you are advised to forward such messages to special email addresses for analysis. Messages which are wrongly regarded as spam should be forwarded to vrnonspam@drweb.com and unblocked spam messages should be forwarded to vrspam@drweb.com. Forward messages as attachments; do not include them to the message body. Excluded Applications Page. By default, SpIDer Mail intercepts email traffic of all applications running on your computer automatically. On this page, you can list applications whose mail traffic you want to exclude from monitoring with SpIDer
20. box domain com; mailbox dom; box dom. The symbol can be set at the start or at the end of an address only. The symbol is obligatory. To regard as spam messages sent from any email address within a domain, use the character instead of the username in the address. For example, if you enter spam.com, SpIDer Mail will regard as spam messages from all senders within the spam.com domain. To regard as spam messages sent from an email address with a certain user name from any domain, use the character instead of the domain name in the address. For example, if you enter ivanov, SpIDer Mail will regard as spam messages from all senders with the ivanov mailbox name. Addresses from the recipient domain are not processed. For example, if the recipient mailbox (your mailbox) is in the mail.com domain, then messages from the mail.com domain will not be processed with the anti-spam filter. 7.4. Logging. Dr.Web for Outlook registers errors and application events in the following logs: Windows Event Log; text Dr.Web debug log. 7.4.1. Event Log. Dr.Web for Outlook registers the following information in the Windows Event Log: plug-in starts and stops; key file parameters: license validation, license expiration date (information is written during program launch, during program operating and when key file is changed); license errors: the key file is absent, permi
21. either choose one of the predefined rules or create your rule for parent process. [Screenshot: Firewall notification for Google Chrome, launched by an unknown process] 2. Click OK. Firewall executes the selected action and closes the notification window. When an unknown process was run by another unknown process, a notification will display corresponding details. If you click Create new rule, a new window will appear, allowing you to create new rules for this application and its parent process. [Screenshot: Firewall notification for Adobe Reader, with no appropriate rule for the application]
22. express scan of the system. For Scanner only.
FL <path>: scan files listed in the specified file.
FM <masks>: scan files matching the specified masks. By default, all files are scanned.
FR <regexpr>: scan files matching the specified regular expression. By default, all files are scanned.
FULL: perform a full scan of all hard drives and removable data carriers (including boot sectors). For Scanner only.
FX <masks>: exclude from scanning files that match the mask. For Console Scanner only.
H or: show brief help. For Console Scanner only.
HA: use heuristic analysis to detect unknown threats. Option is enabled by default.
KEY <keyfile>: specify a license key. It is necessary to use this parameter if your key file is stored outside of the Dr.Web installation folder where the scanner executables reside (by default, the drweb32.key or another suitable file from the C:\Program Files\DrWeb folder is used).
LITE: perform a basic scan of random access memory and boot sectors of all disks. Scanner also runs a check on rootkits. For Scanner only.
LN: resolve shell links. Option is disabled by default.
LS: use LocalSystem account rights. Option is disabled by default.
MA: check email. Option is enabled by default.
MC <limit>: set maximum number of cure attempts to limit (unlimited by default).
NB
23. full screen mode: Select this checkbox to hide notifications when an application is running in full screen mode on your computer (e.g., a game or a movie). Clear this checkbox to display notifications regardless of the mode. Display Firewall notification on separate desktop in full screen mode: Select this checkbox to display notifications from Firewall on a separate desktop when some application is running in full screen mode on your computer (a game or a movie). Clear this checkbox to display notifications on the same desktop where an application is running in the full screen mode. 5. If you selected one or more email notifications, configure sending emails from your computer. 6. After editing, click OK to save the changes or Cancel to cancel them. To configure email notifications: 1. Make sure that the Enable notifications checkbox and all the necessary email notifications are selected in the Notification parameters window. 2. Select the Send notifications by email checkbox. 3. Click Email settings. The window with email parameters opens. [Screenshot: E-mail settings window] 4. Specify the following parameters. Email address: Enter an email
24. heuristics about certain features (attributes) that might be typical for the virus code itself and, vice versa, that are extremely rare in viruses. Each attribute has a weight coefficient which determines the level of its severity and reliability. The weight coefficient can be positive if the corresponding attribute is indicative of a malicious code, or negative if the attribute is uncharacteristic of a computer threat. Depending on the sum weight of a file, the heuristics analyzer calculates the probability of unknown virus infection. If the threshold is exceeded, the heuristic analyzer generates the conclusion that the analyzed object is probably infected with an unknown virus. The heuristics analyzer also uses the FLY-CODE technology, which is a versatile algorithm for extracting files. The technology allows making heuristic assumptions about the presence of malicious objects in files compressed not only by packagers Dr.Web is aware of, but also by new, previously unexplored programs. While checking packed objects, Dr.Web Anti-virus solutions also use structural entropy analysis. The technology detects threats by arranging pieces of code; thus, one database entry allows identification of a substantial portion of threats packed with the same polymorphous packager. As any system of hypothesis testing under uncertainty, the heuristics analyzer may commit type I or type II errors: omit viruses
25. included into the white list are skipped without check for spam. box domain To add addresses: 1. Click Add. 2. In the Edit list window, enter the address (see white and black lists filling methods). Click OK. To change addresses: 1. Select the address you want to change and click Edit. 2. Change the address. 3. Click OK. To delete addresses: 1. Select the address in the list. 2. Click Delete. In the Black and White lists window, click OK to save changes. White List. If the sender's address is on the white list, the message is not scanned for spam. But if the domain names of the receiver and sender addresses match, and this domain name is specified in the white list using the symbol, this letter will be checked for spam. To add a definite sender, enter the full email address, for example, friend@mail.com. This ensures delivery of all messages from this sender. Addresses must be divided by the symbol. To add a group of sender addresses, enter the mask that determines their names. The mask defines a template for an object definition. It may contain regular characters from the email addresses and special character replaces any (including the empty one) sequence of any symbols. For example, the following addresses are available: mailbox@domain.com; box@domain.com; mail
26. information that must be supplied by the user. For command-line input, it indicates parameter values. In addition, it may indicate a term in position of a definition. Names of keys and key sequences. Indicates a combination of keys. For example, ALT+F1 means to hold down the ALT key while pressing the F1 key. A warning about potential errors or any other important comment. The following abbreviations are used in this User Manual: GUI: Graphical User Interface; GUI version of a program: a version that utilizes the GUI; OS: operating system; PC: personal computer; RAM: Random Access Memory. 1.3 System Requirements. Before installing Dr.Web Security Space: Install all critical updates recommended by the operating system developer. Uninstall all other anti-virus packages from the computer to avoid possible incompatibility with their resident components. If you install Dr.Web Firewall, uninstall all other firewalls. OS, Hard disk space, CPU, Resolution, Free RAM, Other. For 32-bit platforms: Windows XP with Service Pack 2 or 3; Windows Vista; Microsoft Windows 7; Microsoft Windows 8; Microsoft Windows 8.1. For 64-bit platforms: Windows Vista; Microsoft Windows 7; Microsoft Windows 8; Microsoft Windows 8.1. You may need to download and install certain system components from the official Microsoft websit
27. installation wizard. At any installation step, before the wizard starts copying files to your computer, you can do the following: return to the previous step by clicking Back; go to the next step by clicking Next; abort installation by clicking Exit. Installation procedure: 1. If other anti-virus software is installed on your computer, the installation wizard informs you of the incompatibility between Dr.Web Security Space and other anti-virus products and offers to remove it. The installation wizard checks whether the installation file is the latest one. If a newer installation file exists, you will be offered to download it before the installation. 2. Read the license agreement. To continue installation, you must accept its terms and click Next. 3. In the next window, you will be offered to install Dr.Web Firewall.
28. not expired. All anti-virus components required by Dr.Web are licensed. Integrity of the license key file is not violated. If any of the conditions is violated, the key file becomes invalid and Dr.Web Security Space stops detecting and neutralizing malicious programs in files, memory and email messages. If during Dr.Web Security Space installation a key file was not received and no path to it was specified, a temporary key file is used. Such a key file provides full functionality of Dr.Web Security Space. However, on the SpIDer Agent menu, the My Dr.Web and Updater items are not available until you either activate a license or demo period, or specify a path to the valid key file via License Manager. It is recommended to keep the key file until the license or demo period expires. A key file for a demo period activation can be used only on the computer where the registration procedure was run. 3.3.1 Activation method. You can activate your license or a demo period in one of the following ways: using the Registration Wizard during installation or later; obtaining the key file during registration on the official Doctor Web website; specifying the path to the valid key file residing on your computer during installation or in the License Manager window. Reactivating License. You may need to reactivate a license or demo period if the key file is lost key file as during the previous regis
29. or raise false alarms. Thus, objects detected by the heuristics analyzer are treated as suspicious. While performing any of the abovementioned checks, the Dr.Web anti-virus solutions use the most recent information about known malicious software. As soon as experts of Doctor Web Virus Laboratory discover new threats, an update for virus signatures, behavior characteristics and attributes is issued. In some cases, updates can be issued several times per hour. Therefore, even if a brand new virus passes through the Dr.Web resident guards and penetrates the system, then after an update the virus is detected in the list of processes and neutralized. 1.5 How to Test Anti-virus. The European Institute for Computer Anti-Virus Research (EICAR) Test File helps test the performance of anti-virus programs that detect viruses using signatures. For this purpose, most anti-virus software vendors generally use a standard test.com program. This program was specially designed to let users test the reaction of newly installed anti-virus tools that detect viruses, without compromising the security of their computers. Although the test.com program is not actually a virus, it is treated by the majority of anti-viruses as if it were one. Upon detecting this virus, Dr.Web Security Space reports the following: EICAR Test File (Not a Virus). Other anti-virus tools alert users in a similar way. The test.com program is a
30. The Enable Self-protection option protects Dr.Web Security Space files, registry keys and processes from damage and deletion. It is not recommended to disable self-protection. If any problems occur during operation of defragmentation programs, disable self-protection temporarily. To roll back to a system restore point, disable self-protection. The Block user activity emulation option prevents any automatic changes in Dr.Web Security Space operation, including execution of scripts that emulate user interaction with Dr.Web Security Space and are launched by the user. The Block changing of system date and time option prevents manual and automatic changes of the system date and time as well as of the time zone. This restriction is set for all system users. The option can improve the performance of the time limit function of Parental Control. If Internet or computer usage limits are set in Parental Control, this option is automatically enabled. You can configure notification parameters to be informed of attempts to change the system time. The Protect Dr.Web settings with a password option lets you set a password that will be required to access settings of Dr.Web Security Space.
31. real time mode and used for anti-virus protection. Depending on update settings, information used by anti-virus components may become out of date. Cloud services can reliably prevent users from viewing unwanted websites and protect your system from infected files. Software Quality Improvement Program. If you participate in the software quality improvement program, impersonal data about Dr.Web Security Space operation on your computer will be periodically sent to the company servers, for example, information on created rule sets for Dr.Web Firewall. Received information is not used to identify or contact you. Click the Privacy statement by Doctor Web link to look through a privacy statement on the Doctor Web website. 3.2.6 Self-protection Page. On this page, you can configure protection of Dr.Web Security Space itself from unauthorized modification by anti-antivirus programs or accidental damage.
32. settings. On the Dr.Web Anti-virus tab, the current protection status is displayed (enabled/disabled). The tab provides access to the following program functions: Log: allows you to configure the program logging; Check attachments: allows you to configure the emails check and to specify the program actions for the detected malicious objects; Spam filter: allows you to specify the program actions for spam and to create black and white lists of email addresses; Statistics: allows you to review the number of checked and processed objects. 7.2 Threat Detection. Dr.Web for Outlook uses different detection methods. The infected objects are processed according to the actions defined by the user: the program can cure the infected objects, remove them or move these objects to Quarantine to isolate them from the rest of the system. 7.2.1 Types of Threats. Dr.Web for Outlook detects th
33. the executable code of other programs. Such implementation is called infection. In most cases, the infected file becomes a virus carrier itself, and the implemented code does not necessarily match the original. Most viruses are intended to damage or destroy data on the system. Viruses which infect files of the operating system (usually executable files and dynamic libraries) and activate upon launching of the infected file are called file viruses. Some viruses infect boot records of diskettes and partitions or master boot records of fixed disks. Such viruses are called boot viruses. They take very little memory and remain ready to continue performing their tasks until a system roll-out, restart or shut-down occurs. Macroviruses are viruses which infect documents used by the Microsoft Office and some other applications which allow macro commands (usually written in Visual Basic). Macro commands are a type of implemented programs (macros) written in a fully functional programming language. For instance, in Microsoft Word macros can automatically initiate upon opening (closing, saving, etc.) a document. A virus which has the ability to activate and perform the tasks assigned by the virus writer only when the computer reaches a certain state (e.g. a certain date and time) is called a memory-resident virus. Most viruses have some kind of protection against detection. Protection methods are being constantly
34. the task, open Control Panel > Administrative Tools > Task Scheduler. In the task list, select the Dr.Web Daily scan task. You can enable the task, adjust trigger time and set required parameters. On the General tab, you can review general information and security options on a certain task. On the Triggers and Conditions tabs, various conditions for task launching are specified. To review the event log, select the History tab. You can also create your own anti-virus scanning tasks. Please refer to the Help system and Windows documentation for more details on the system scheduler operation. If installed components include Dr.Web Firewall, Task Scheduler will be blocked by Firewall after Dr.Web Security Space installation and the first system reboot. Scheduled tasks will operate only after the second restart, when a new rule is already created. 5 SpIDer Guard. SpIDer Guard is an anti-virus monitor that resides in main memory, checks files and memory on the fly and detects virus-like activity. By default, SpIDer Guard is loaded automatically at every Windows startup and cannot be unloaded during the current Windows session. Only the user with administrator rights can temporarily disable SpIDer Guard. By default, SpIDer Guard performs on-access scanning of files that are being created or changed on the HDD and all files that are opened on removable media. It scans these files in the same w
35. to add a copy of a rule, select the rule and click Copy. The copy is added after the selected rule; to delete a rule, select it and click Delete. 3. If you selected to create or edit a rule, configure rule settings in the open window. 4. Use the arrows next to the list to change the order of rules. The rules are applied according to their order in the set. 5. When you finish adjusting the settings, click OK to save changes or Cancel to reject them. Packets with no rules in a rule set are blocked automatically, except packets allowed by Application Filter rules. Packet Filter Rules. To add or edit a rule: 1. In the packet filter rule set creation or modification window, click New or Edit. This opens a rule creation or rule modification window. 2. Configure the following parameters: Rule name: The rule name. Description: The rule description. Action: The action for Firewall to perform when the packet is intercepted: Block packets; Allow packets. Direction: The packet sender: Inbound: apply the rule when packet is received from the network; Outbound: apply the rule when packet is sent into the network from your computer; Any: apply the rule regardless of packet transfer direc
36. to your Dr.Web Security Space on the Anti-virus Network page in Main settings. This option is not available in User mode. 4 Dr.Web Scanner. By default, the program scans all files for viruses using both the virus database and the heuristic analyzer (a method based on the general algorithms of virus developing, allowing to detect viruses unknown to the program with a high probability). Executable files compressed with special packers are unpacked when scanned. Files in archives of all commonly used types (ACE, ALZIP, AR, ARJ, BGA, 7-ZIP, BZIP2, CAB, GZIP, DZ, HA, HKI, LHA, RAR, TAR, ZIP, etc.), in containers (1C, CHM, MSI, RTF, ISO, CPIO, DEB, RPM, etc.), and in mailboxes of mail programs (the format of mail messages should conform to RFC822) are also checked. By default, Dr.Web Scanner uses all detection methods to detect viruses and other malicious software. Information on all infected or suspicious objects displays in the table where you can manually select a necessary action. The default settings are optimal for most cases. However, if necessary, you can modify actions suggested upon threat detection by using the Dr.Web Scanner settings window. Please note that you can set a custom action for each detected threat after the scan is completed, but the common reaction for a particular threat type should be configured beforehand. 4.1 Scanning Your Sy
37. use a temporary key file, select Receive license later. Updating is not available until you have installed a key file. Click Next. Use only a Dr.Web Security Space key file. Key files of this type have the .key extension. 6. The window displays informing you that the program is ready to be installed. To start installation with the default parameters, click Install. To select components to be installed, specify the installation path and other additional parameters, click Installation parameters. The option is meant for experienced users. 7. If you cli
38. via the infected computer. StartPage (synonym: Seeker): Trojan which makes unauthorized replacement of the browser's home page address (start page). Click: Trojan which redirects a user's browser to a certain web site (or sites). KeyLogger: a spyware Trojan which logs key strokes; it may send collected data to a malefactor. AVKill: terminates or deletes anti-virus programs, firewalls, etc. KillFiles, KillDisk, DiskEraser: deletes certain files (all files on drives, files in certain directories, files by certain mask, etc.). DelWin: deletes files vital for the operation of Windows OS. FormatC: formats drive C. FormatAll: formats all drives. KillMBR: corrupts or deletes master boot records (MBR). KillCMOS: corrupts or deletes CMOS memory. Tools for network attacks. Nuke: tools for attacking certain known vulnerabilities of operating systems, leading to abnormal shutdowns of the attacked system. DDoS: agent program for performing a DDoS attack (Distributed Denial of Service). FDoS (synonym: Flooder): programs for performing malicious actions in the Internet which use the idea of DDoS attacks; in contrast to DDoS, when several agents on different computers are used simultaneously to attack one victim system, an FDoS program operates as an independent, self-sufficient program (Flooder Denial of Service). Malicious programs. Adware: an advertising program. Dial
39. while you are working on the computer. When a user application or operating system attempts to connect to a network, Firewall checks if there is a filtering rule set for the application. If there are no filtering rules, Firewall prompts you to select a temporary solution or create a rule which will be applied each time Firewall detects this type of connection. This mode is used by default. Training Mode. In this mode, rules for known applications are created automatically. For other applications, you have control over Firewall reaction. When a user application or operating system attempts to connect to a network, Firewall checks if there is a filtering rule set for the application. If there are no filtering rules, Firewall prompts you to select a temporary solution or create a rule which will be applied each time Firewall detects this type of connection. Restricted Access Mode. In this mode, Firewall blocks all unknown connections to network resources, including the Internet, automatically. When a user application or operating system attempts to connect to a network, Firewall checks if there is a filtering rule set for the application. If there are no filtering rules, Firewall blocks network access for the application without displaying any notification to the user. If there are filtering rules for the application, Firewall processes the connection according to the specified actions. Free
40. you can restore the Scanner settings to their default values recommended by Doctor Web. For this, click Restore defaults. Restoring defaults will delete all Dr.Web Scanner settings specified by the user. 4.4 Scanning in Command Line Mode. You can run Scanner in the command line mode; then you can specify settings of the current scanning session and list objects for scanning as additional parameters. Automatic activation of Scanner according to schedule is performed in this mode. To run scanning from the command line, enter a command in the following format: <path_to_program>drweb32w <switches> <objects>. The list of objects for scanning can be empty or contain several elements separated with blanks. The most commonly used examples of specifying the objects for scanning are given below: /FAST: perform an express scan of the system (for more information on the express scan mode, see Scan Modes); /FULL: perform a full scan of all hard drives and removable data carriers (including boot sectors); /LITE: perform a basic scan of random access memory and boot sectors of all disks, as well as run a check for rootkits. Switches are command line parameters that specify program settings. If no switches are defined
41. 0 4 1 Active Applications. The list of active applications displays information on programs accessing network resources at the moment. For each application, the following information on active connection is available: Name: The name of the application. Direction: The party which initiated the connection: Inbound: the rule is applied when someone from the network attempted to connect to the application on your computer; Outbound: the rule is appli
42. Time: The date and time of the connection attempt. Application: The full path to the application executable file, its name and process identification number (PID). Rule name: The name of the rule applied. Direction: The party which initiated the connection: Inbound: someone from the network attempted to connect to the application on your computer; O
43. To set actions on virus threats detection, use the following options: The Infected drop-down list sets the reaction to the detection of a file infected with a known virus. The Not cured drop-down list sets the reaction to the detection of a file infected with a known incurable virus, and in case an attempt to cure a file failed. The Suspicious drop-down list sets the reaction to the detection of a file presumably infected with a virus (upon a reaction of the heuristic analyzer). In the Malware section, set the reaction to the detection of types of unsolicited software such as: Dialers; Jokes; Riskware; Hacktools. The If checked failed drop-down list lets you configure actions if an attachment cannot be checked, e.g. if the attached file is corrupted or password protected. The Check archives (recommended) check box lets you enable or disable checking of attached archived files. Select this check box to enable checking, clear to disable. For different types of objects, actions are assigned separately. The following actions for detected virus threats are provided: Cure (only for infected objects): instructs to try to restore the original state of an object before infection; As incurable (only for infected objects): means that the action specified for incurable objects will be performed; Delete: delete the object; Move to quarantine: move the object to the special Quarantine fo
44. Access Mode. In this mode, Firewall allows all unknown applications to access network resources, including the Internet. No notification on access attempt is displayed. Advanced Settings. Select the Allow loopback interface checkbox to allow all applications on your computer to interconnect (i.e. allow unlimited connections between applications installed on your computer). For this type of connection, no rules will be applied. Clear this checkbox to apply rules for connections carried out both through the network and within your computer. 10.4 Event Logging. Firewall registers connection attempts and network packets. The statistics window provides access to the following logs: Application Filter Log (Application journal), which contains information on network connection attempts from various applications and rules applied to process each attempt; Packet Filter Log (Packet Filter journal), which contains information on network packets processed by Firewall, rules applied to process the packets and network interfaces used to transmit the packets. Details level depends on settings of each packet or application rule. The Active applications page displays applications currently connected to a network. To open this window: Click the SpIDer Agent icon in the notification area, select Firewall, and then select Statistics. 1
45. Der Agent icon in the taskbar notification area. To configure notifications: 1. To receive notifications of any kind, select the Enable notifications checkbox. 2. Click Notification parameters. The window listing available notifications opens. 3. Locate types of notification that you want to receive and select the corresponding checkboxes. To display pop-up notifications, select checkboxes in the Desktop column. To receive notifications in your mailbox, select checkboxes in the Email column. 4. If necessary, configure additional parameters: Do not show notifications in
46. Dr.Web for Outlook. To configure logging: 1. On the Dr.Web Anti-virus tab, click Log. The window of log settings will open. Specify the detailing level (0-5) for logging: level 0 corresponds to disabled logging; level 5 means the maximum level of details for the program logging. By default, logging is disabled. Specify the maximum log file size (in kilobytes). Click OK to save changes. The Log window will be available only for users with administrative rights. For Windows Vista and later operating systems, after clicking Log: if UAC is enabled, an administrator is requested to confirm program actions, and a user without administrative rights is requested to enter the accounting data of a system administrator; if UAC is disabled, an administrator can change program settings, and a user does not have access to change program settings. To view program log: To open the text log, click Show in folder. 7.5 Statistics. In the Microsoft Outlook mail application, on the Tools > Options > Dr.Web Anti-virus tab (in Files > Options, select Dr.Web for Outlook and click the Add-in Options button, for Microsoft Outlook 2010), statistic information about the total number of objects which have been checked and treated by the program is listed. These scanned objects are classified as follows: Checked: total number of checked messages;
47. Edit; to add a copy of an existing set of rules, select the rule set and click Copy. The copy is added after the selected rule set; to delete all rules for an application, select the appropriate rule set and click Delete. If you created a blocking rule for a process or set Block unknown connections mode on the Advanced page, and then disabled the rule or changed the work mode, the process will be blocked until its next attempt to establish a connection. Application Rules. In the New application rule set (or Edit application rule set) window, you can configure access to network resources as well as enable or disable launching of other applications. To open this window: In the Firewall settings window, select the Applications page and click New, or select an application and click Edit. When Firewall is operating in learning mode, you can start creating a new rule di
48. Folders of Quarantine are created separately on each logical drive where suspicious files are found. To empty Quarantine: 1. To remove all quarantined files on a particular drive, select the drive in the list. 2. Click Clear and confirm the deletion when prompted. Use Advanced settings to select the mode of isolating infected objects detected at portable data carriers. By default, detected threats are moved to the Quarantine folder on this data carrier without being encrypted. The Quarantine folder is created on portable data carriers only when they are accessible for writing. The use of separate folders and omission of encryption on portable data carriers prevents possible data loss. Secure Connections. You can enable scanning of data transmitted via secure protocols. To check such data, select the Check encrypted traffic checkbox. If your client application that uses secure connections does not refer to the default Windows system certificate storage, then you need to export the certificate. Doctor Web Certificate. You may need to scan data transmitted
49. • If you enter a serial number for activation of a demo period for 3 months, a window with activation results opens. • If you enter a serial number for activation of a license, the Registration data entry window opens. If you do not have a serial number and want to evaluate functionality of the product, you can activate a demo period for 1 month by selecting Get demo. Click Next. A window with activation results opens. Registration data entry. To register a license, enter personal data (your registration name and email address), select the country and enter the city name. All the fields listed are obligatory and must be filled in. If you want to receive news of Doctor Web by email, select the corresponding checkbox. Click Next. Activation results. If the activation procedure completed successfully, the corresponding message displays where the license validity period or demo period is specified. Click Finish to proceed to updating the virus databases and other package files. This procedure does not require user intervention. If activation failed, an error message displays. Click Network settings to adjust Internet connection parameters or click Repeat to correct invalid data. 3.3.3 License Manager. License Manager helps you license the use of Dr.Web Security Space. This window also dis
50. Security Space. Doctor Web, 1992-2014. All rights reserved. This document is the property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any purpose other than the purchaser's personal use without proper attribution. TRADEMARKS: Dr.Web, the Dr.WEB logo, SpIDer Mail, SpIDer Guard, CureIt!, CureNet!, AV-desk are trademarks and registered trademarks of Doctor Web in Russia and/or other countries. Other trademarks, registered trademarks and company names used in this document are property of their respective owners. DISCLAIMER: In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document, the use of or inability to use information contained in this document. Dr.Web Security Space, Version 9.0, User Manual, 08.04.2014. Doctor Web Head Office: 2-12A, 3rd str. Yamskogo polya, Moscow, Russia, 125124. Web site: www.drweb.com. Phone: +7 (495) 789-45-87. Refer to the official web site for regional and international office information. Doctor Web. Doctor Web develops and distributes Dr.Web information security solutions which provide efficient protection from malicious software and spam. Doctor Web customers can be found among home users from all over the world and in government enterprises, small companies and nation
51. The Enable option displays in the menu only when operation was temporarily suspended. Temporal Suspension. You can temporarily disable the firewall. This option is not available in User mode. Be cautious when using this option. To disable Firewall: click the SpIDer Agent icon in the notification area, select Firewall, and then select Disable. To disable Firewall, enter confirmation code or password if you set Protect Dr.Web settings by password checkbox on the Self-protection page in Dr.Web Security Space Main settings. To enable Firewall: click the SpIDer Agent icon in the notification area, select Firewall, and then select Enable. 10.3 Firewall Settings. You need administrative rights to access Dr.Web Firewall settings. To start using Firewall, do the following: • Select operation mode. • List authorized applications. Dr.Web Firewall loads on Windows startup and starts logging events. By default, Firewall operates in training mode. If any problems occur with Internet Connection Sharing (i.e. access to the Internet is blocked for computers that are connected to a host computer), on the host computer specify packet filter rule that allows all packets from the subnet according to your local configuration. SpIDer Agent provides you with the main Firewall management and configuration features. To access them, select the Firewall submenu in the SpIDer Agent menu. T
52. This Manual. This User Manual describes installation and effective utilization of Dr.Web Security Space. You can find detailed descriptions of all graphical user interface (GUI) elements in the Help system of Dr.Web Security Space, which can be accessed from any component. This User Manual describes how to install Dr.Web Security Space and contains some words of advice on how to use the program and solve typical problems caused by virus threats. Mostly, it describes the standard operating modes of the program's components (with default settings). The Appendices contain detailed information for experienced users on how to set up Dr.Web Security Space. Due to constant development, program interface of your installation can mismatch the images given in this document. You can always find the actual documentation at http://download.drweb.com/doc. 1.2 Document Conventions. The following symbols and text conventions are used in this guide: Bold; Green and bold; Green and underlined; Monospace; Italic; CAPITAL LETTERS; Plus sign; Exclamation mark. Respectively: Names of buttons and other elements of the graphical user interface (GUI), and required user input that must be entered exactly as given in the guide; Names of Dr.Web products and components; Hyperlinks to topics and web pages; Code examples, input to the command line and application output; Placeholders which represent
53. Users will be able to access the object again. 10. Dr.Web Firewall. Dr.Web Firewall protects your computer from unauthorized access and prevents leak of vital data through networks. Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections both on network and application levels. Main Features. Firewall provides you with the following features: • Control and filtration of all incoming and outgoing traffic; • Access control on application level; • Network level packet filtering; • Fast selection of rule sets; • Event logging. 10.1 Training Firewall. By default, once installation completes, Firewall starts learning usual behaviour of your operating system by intercepting all new (unknown to the firewall) connection attempts and prompting you to select the necessary action. You can either select a temporary solution, or create a rule which will be applied each time Firewall detects this type of connection. When running under limited user account (Guest), Firewall does not prompt requests for network access attempts. Notifications are then forwarded to the session with administrator privileges, if such session is simultaneously active. (Screenshot: Dr.Web Firewall notification of detected network activity for Microsoft Office Excel.)
54. If Complete scan mode is selected, random access memory and all hard drives, including boot sectors of all disks, are scanned. Scanner also runs a check on rootkits. Custom scan mode allows you to select objects for scanning: any folders and files, and such objects as random access memory, boot sectors, etc. To start scanning selected objects, click Start scanning. (Screenshot: Custom scan window with the list of scanning objects.) When scanning starts, Pause and Stop buttons become available. You can do the following: • to pause scanning, click Pause button. To resume scanning after pause, click Resume button; • to stop scanning, click Stop button. The Pause button is not available while scanning processes and RAM. 4.2 Neutralizing Detected Threats. By default, if known viruses or computer threats of other types are detected during scanning, Dr.Web Scanner informs you about them. You can neutralize all detected threats at once by clicking Neutralize. In this case, Dr.Web Scanner applies the most effective actions according to its configu
55. address where to send the notifications. SMTP Server: Enter the outgoing SMTP server for Dr.Web Security Space to use when sending email notifications. Port: Enter the port for Dr.Web Security Space to use when connecting to the email server. Login: Enter the login for Dr.Web Security Space to use when connecting to the email server. Password: Enter the password to the login that should be used when connecting to the email server. Security: Select the security level for the connection. Authentication: Select the authentication method that should be used when connecting to the email server. 5. Click Test to send a test message using the provided parameters. If you do not receive the message within several minutes, check the provided connection details. 6. After editing, click OK to save the changes or Cancel to cancel them. To suspend notifications temporarily: to disable sending email notifications, clear the Send notifications by email checkbox. To disable all types of notifications, clear the Enable notifications checkbox. 3.2.2 Update Page. On this page you can configure Dr.Web Security Space update parameters such as components that should be updated, an updating source, update period, proxy server and update mirror. (Screenshot: Main settings window, Update page.)
56. ay as the Scanner but with milder options. Besides, SpIDer Guard constantly monitors running processes for virus-like activity and, if they are detected, blocks these processes. By default, upon detection of infected objects, SpIDer Guard supplied with Dr.Web Security Space acts according to actions set on the Actions tab. You can set the program's reaction to virus events by adjusting the corresponding settings. A user can control it with the help of the Statistics window and the log file. 5.1 Managing SpIDer Guard. Main tools for setting and managing in SpIDer Guard reside in its menu. (Screenshot: SpIDer Agent menu.) The Statistics menu item allows to open the Statistics window, where the information on the operation of SpIDer Guard during the current session is displayed (the number of scanned, infected or suspicious objects, virus-like activities and actions taken). The Settings menu item opens SpIDer Guard settings window (for details, see SpIDer Guard Settings). The Disable item allows to temporarily disable program functions (for users with administrator rights only). Settings and Disable/Enable items are not available in User mode. To disable SpIDer Guard, enter confirmation cod
57. be updated. Components that should be updated to specified version <Name> <target revision>. Reboot after updating of Dr.Web Updater. Default value is yes. If value is set to no, reboot required notification will appear. Attempt to get list of IP addresses from update.drweb.com before updating. Options and their descriptions: type arg normal: One of the following: reset all (reset revision to 0 for all components); reset failed (reset revision to 0 for failed components); normal failed (try to update all components, including failed, from current revision to newest or specified); update revision (try to update all components of current revision to newest, if exists); normal (update all components). g proxy arg: Proxy server for updating <Address> <port>. u user arg: Username for proxy server. k password arg: Password for proxy server. param arg: Pass additional parameters to the script <Name> <value>. l progress to console: Print information about downloading and script execution to console. exec command parameters: s script arg: Execute this script. f func arg: If specified, execute this function in the script. p param arg: Pass additional parameters to the script <Name> <value>. l progress to console: Print information about script execution to consol
58. box dom • box dom. The symbol can be set at the start or at the end of an address only. The symbol is obligatory. • To ensure delivery of messages sent from any email address within a domain, use the character instead of the username in the address. For example, if you enter example.net, SpIDer Mail will deliver without scanning the messages from all senders within the example.net domain. • To ensure delivery of messages sent from email address with a certain user name from any domain, use the character instead of the domain name in the address. For example, if you enter ivanov, SpIDer Mail will deliver without scanning the messages from all senders with the ivanov mailbox name. Black List. If the sender's address is on the black list, the message will be automatically regarded as spam. • To add a definite sender, enter the full email address (for example, spam@domain.com). All messages received from these addresses will be automatically regarded as spam. • Addresses must be divided by the symbol. • To add a group of sender addresses, enter the mask that determines their names. The mask defines template for an object definition. It may contain regular characters from the email addresses and special character (replaces any, including the empty one, sequence of any symbols). For example, the following addresses are available: • mailbox@domain.com
59. cked Install on the previous step, go to the description of step 10. Otherwise, the Installation parameters window displays. On the first tab, you can specify the components to be installed. (Screenshots: Installation parameters window, Components and Installation path tabs.) 9. If you specified a valid key file or selected Receive license during installation on step 5, the last tab of the window allows you to select Update during installation checkbox to download updates to virus databases and other program components. The window also prompts you to create shortcuts to Dr.Web Security Space. (Screenshot: Installation parameters window, Advanced options tab.)
60. clusions Page. On this tab you can specify files and folders to be excluded from scanning. (Screenshot: Scanner settings window, Exclusions page.) Here you can list names or masks for the files to be excluded from scanning. All files with the names which match the name or mask specified will be excluded from scanning (this option is appropriate for temporary files, swap files, etc.). You can also add archives, email files and installation packages to scanning. Log Page. In the Log page you can set up the parameters of the log file. (Screenshot: Scanner settings window, Log page, with logging levels Maximum, Standard and Minimum.) Most parameters set by default should be left unchanged. However, you can change the details of logging (by default, the information on infected or suspicious objects is always logged; the information on the scanned packed files and archives and on successful scanning of other files is omitted). Restore defaults Page. On the Restore defaults page
61. corresponding timeslots blue. Methods: • To mark one timeslot, click on it once. • To mark several adjacent timeslots, click once on the first one and select the rest of required squares while holding the mouse button. 4. Select days of week and time when the user is restricted from using the computer, and then mark the corresponding timeslots red. 5. After editing, click OK to save the changes or Cancel to cancel them. Access Control Page. On this page you can block access data to portable data storages, limit access to specific devices, folders or files on your computer. Also, you can block data transfer over the network. Access control rules are effective for all Windows accounts. Access to portable data storages. To block access to data on portable data storages (USB flash, floppy, CD/DVD, ZIP drives, etc.), set the corresponding checkbox. If you want to have access to data on specific USB data storage devices regardless this setting, you can list devices access to which will be always allowed. To do this, click White list (this button is enabled only if the checkbox is set). You can use the created White List on other computers if Dr.Web anti-virus protection version 9.0 is installed on them. (Screenshot: Parental Control settings window.)
62. ctim's account and for other crimes. Vishing: a type of Phishing technique in which war dialers or VoIP is used instead of emails. Actions Applied to Threats. There are many methods of neutralizing computer threats. Products of Doctor Web combine these methods for the most reliable protection of computers and networks, using flexible user-friendly settings and a comprehensive approach to security assurance. The main actions for neutralizing malicious programs are: Cure: an action applied to viruses, worms and trojans. It implies deletion of malicious code from infected files or deletion of a malicious program's functional copies, as well as the recovery of affected objects (i.e., return of the object's structure and operability to the state which was before the infection), if it is possible. Not all malicious programs can be cured. However, products of Doctor Web are based on more effective curing and file recovery algorithms compared to other anti-virus manufacturers. Move to quarantine: an action when the malicious object is moved to a special folder and isolated from the rest of the system. This action is preferable in cases when curing is impossible and for all suspicious objects. It is recommended to send copies of such files to the virus laboratory of Doctor Web for analysis. Delete: the most effective action for neutralizing computer threats. It can be applied to any type of maliciou
63. ctional copies to other computers in the network. It can begin distributing itself either upon a user's action or in an automatic mode, choosing which computers to attack. Worms do not necessarily consist of only one file (the worm's body). Many of them have an infectious part (the shellcode), which loads into the main memory (RAM) and then downloads the worm's body as an executable file via the network. If only the shellcode is present in the system, the worm can be rid of by simply restarting the system (at which the RAM is erased and reset). However, if the worm's body infiltrates the computer, then only an anti-virus program can cope with it. Worms have the ability to cripple entire networks even if they do not bear any payload (i.e. do not cause any direct damage) due to their intensive distribution. Trojan horses (Trojans). This type of malicious program cannot reproduce or infect other programs. A Trojan substitutes a high-usage program and performs its functions (or imitates the program's operation). At the same time, it performs some malicious actions in the system (damages or deletes data, sends confidential information, etc.) or makes it possible for another person to access the computer without permission, e.g. to harm the computer of a third party. A Trojan's masking and malicious facilities are similar to those of a virus, and it can even be a component of a virus. However, most Tro
64. d access and prevents leak of vital data through networks. 4. At this step you are prompted to connect to Dr.Web cloud services that allow anti-virus components to use real-time information on threats. This information is stored and updated on Doctor Web servers. (Screenshot: Dr.Web Cloud dialog. Its text adds: In turn, data about Dr.Web operation on your computer will be automatically sent to Doctor Web servers. The information obtained from your computer will not be used for your identification or to contact you. Options: I want to connect to services (recommended); I will decide later.) 5. On the Registration Wizard window you are prompted that a license is required for Dr.Web Security Space operation. Do one of the following: • if a key file is present on the hard drive or removable media, click Specify path to an available valid key file and select the file in the open window. To change the path, click Browse and select another key file; • if you want to receive a key file during the installation, select Receive license during installation; • if you want to continue the installation and
65. d white lists. In this mode you grant access to the websites in the white list only. Access to any other website is blocked. To list trusted websites, click Black and white lists. This option enables safe search for Google, Yandex, Yahoo, Bing and Rambler search engines, which allows to exclude unwanted webpages from search results. Lists of categorized websites are updated with the Dr.Web virus databases on regular basis. 4. After editing, click OK to save the changes or Cancel to cancel them. To create Black and white lists: 1. Enter a domain name or part of it into the field. • If you wish to add a specific web site, enter its full address (e.g., www.example.com). Access to all resources on that web site will be allowed/restricted. • If you wish to allow/restrict access to web sites which contain certain text in their address name, enter that text into the field (e.g., example means that access to example.com, example.test.com, test.com/example, test.example222.ru, etc. will be allowed/restricted). (Screenshot: Black and white lists window.) • If the string contains the symbol, it will be considered a domain name. In this case all resources on the domain will be filtered. If the string also co
66. ded before it was moved to the quarantine. • Restore to: remove file to the selected folder and specify a new file name. Use this option only when you are sure that the selected objects are not harmful. • Delete: delete file from the quarantine and from the system. To apply an action to several files simultaneously, select the checkboxes next to the object names and then click the corresponding button. 3.5 Anti-virus Network. This section allows to manage version 9.0 of Dr.Web Anti-virus for Windows, Dr.Web Anti-virus for Windows Servers or Dr.Web Security Space on other computers of your network. To access Dr.Web Security Space remote control, in the menu of the SpIDer Agent in the taskbar notification area, select Tools and then select Anti-virus Network item. (Screenshot: Anti-virus Network window. Its text adds: You can review summary information about Dr.Web product on selected computer. If you have remote access to a computer, you can manage settings and enable or disable Dr.Web components.) To access remote anti-virus, select a computer in the list and click Connect. Enter password specified in settings of the remote
67. e getcomponents command parameters: s version arg: Version name. p product arg: Specify product to get the list of components that belong to this product. If product is not specified, all components of this version will be listed. getrevisions command parameters: s version arg: Version name. n component arg: Component name. uninstall command parameters: n component arg: Name of the component that should be uninstalled. l progress to console: Print information about command execution to console. param arg: Pass additional parameters to the script <Name> <value>. e add to exclude: Components to be deleted. Updating of this components will not be performed. keyupdate command parameters: m md5 arg: MD5 hash of previous key file. o output arg: Output file name to store new key. b backup: Backup of old key file if exists. g proxy arg: Proxy server for updating <Address> <port>. u user arg: Username for proxy server. k password arg: Password for proxy server. progress to console: Print information about downloading to console. download command parameters: zones arg; key dir arg; l progress to console; g proxy arg; u user arg; k password arg; s vers
68. e If necessary, the program will notify you about the components required and provide download links. 450 MB for Dr.Web Security Space components. Files created during installation will require additional space. i686 compatible. Recommended minimum screen resolution is 800x600. Minimum 512 MB of RAM. Internet connection for updating virus databases and Dr.Web Security Space components. 1.4 Detection Methods. The Dr.Web Anti-virus solutions use several malicious software detection methods simultaneously, and that allows them to perform thorough checks on suspicious files and control software behavior. Detection Methods. Signature analysis. The scans begin with signature analysis, which is performed by comparison of file code segments to the known virus signatures. A signature is a finite continuous sequence of bytes which is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, the Dr.Web Anti-virus solutions use signature checksums instead of complete signature sequences. Checksums uniquely identify signatures, which preserves correctness of virus detection and neutralization. The Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses, but whole classes of threats. Origins Tracing. On completion of signature analysis, the Dr.Web use the unique Origins Tracing method to detect new and
69. e following computer security threats in the mail: Infected objects; Bomb viruses in files or archives; Adware; Hacktools; Dialer programs; Joke programs; Riskware; Spyware; Trojan horses (Trojans); Computer worms and viruses. 7.2.2 Configuring Actions. Dr.Web for Outlook allows to specify reaction to detection of infected or suspicious files and malicious objects during email attachments check. To configure the virus check of email attachments and to specify the program actions for the detected malicious objects, in the Microsoft Outlook mail application, in the Tools → Options → Dr.Web Anti-virus tab (in the Files → Options, select Dr.Web for Outlook and click Add-in Options button for Microsoft Outlook 2010), click Check attachments. (Screenshot: Check attachments window with scan settings for each type of object.) In the Check attachments window, specify the actions for different types of checked objects and also for the check failure. You can also enable/disable checking the archives.
70. e or password if you set Protect Dr.Web settings by password checkbox on the Self-protection page in Dr.Web Security Space Main settings. You can restore settings to their default values on the Restore defaults page of Dr.Web Security Space Main settings. 5.2 SpIDer Guard Settings. The main adjustable parameters of SpIDer Guard are in the Settings panel. To receive help on parameters specified on a page, select that page and click Help. When you finish editing the parameters, click OK to save changes or Cancel to cancel the changes made. Some of the most frequently changed settings of the program are described below. The default settings are optimal for most cases. They should not be changed without necessity. Scanning Page. By default, SpIDer Guard is set in Optimal mode to scan files that are being executed, created or changed on the hard drives and all files that are opened on removable media. (Screenshot: SpIDer Guard settings, Scanning page. Its text adds: Background scanning for malware that hides its presence in the system can detect this malware or, if necessary, promptly cure the computer.)
71. When you finish adjusting the installation parameters, click OK. 10. If at step 5 you selected Receive license during installation, the Registration Wizard will attempt to receive the key file from the Internet. 11. During default installation, as well as if you specified a key file or received it during the installation and selected Update during installation checkbox on step 9, the wizard updates virus databases and other Dr.Web Security Space components. Updating starts automatically and does not require any additional actions. 12. It is required to restart the computer after the installation completes. 2.2 Removing or changing the program. 1. Start the installation wizard with the special tool Add or Remove programs of the Windows operating system. 2. In the open window, select the installation mode: • to select the components to install, select Change components; • to restore anti-virus protection on your computer, select Restore program; • to remove all installed components, select Remove program. (Screenshot: Removing or changing Dr.Web Security Space components window.)
72. echnical Support. 1. Introduction. Dr.Web Security Space provides multi-level protection of RAM, hard disks and removable devices against any kind of viruses, rootkits, Trojans, spyware, adware, hacktools and all possible types of malicious objects from any external source. The module architecture of Dr.Web Security Space is its significant feature. The anti-virus engine and virus databases are common for all components and different operating environments. At present, in addition to Dr.Web products for Windows, there are versions of anti-virus software for IBM OS/2, Novell NetWare, Macintosh, Microsoft Windows Mobile, Android, Symbian, and several Unix-based systems (Linux, FreeBSD, Solaris). Dr.Web Security Space uses a convenient and efficient procedure for updating virus databases and program components via the Internet. Dr.Web Security Space can detect and remove undesirable programs (adware, dialers, jokes, riskware and hacktools) from your computer. To detect undesirable programs and perform actions with the files contained in the programs, standard anti-virus components are used. Dr.Web Security Space includes the following components: • Dr.Web Scanner: Scanner is an anti-virus scanner with graphical interface. The program runs on user demand or as scheduled and checks the computer for viruses. There is also a command line version Dr.Web Console Scanner
73. ect Register license.
   • In the License Manager window, click Get new license and select from Internet.
   After activation is started, the Registration Wizard window opens. To activate the license, you need to enter the registration serial number supplied to you when purchasing Dr.Web Security Space. You can activate a demo period to evaluate Dr.Web Security Space:
   • For 3 months. For that, register on the website and receive a serial number. After you complete the questionnaire, a serial number required to activate the demo period for 3 months is sent to the specified email address.
   • For 1 month. For that purpose, no serial number is required and no registration data is requested.
   Starting activation
   The first window prompts you to select one of the following activation methods:
   • Get demo
   • Activate license
   If you have a serial number for activation of a license or a demo period for 3 months, select Activate license. Enter the serial number and click Next.
   Step 1. License type: A license is required to use Dr.Web product. To continue, please register and obtain a license from Doctor Web servers or activate a demo period. Get demo: You do not need a serial number to activate a demo period. You may activate it again only after a certain waiting period. Activate license: Please enter serial number. What is a license? Where is the serial number
74. ed at the portable data carrier accessible for writing, the Quarantine folder will be created on the data carrier and infected objects will be moved to this folder. To open this window, click the SpIDer Agent icon in the notification area, select Tools, and then select Quarantine Manager.
   [Screenshot: List of quarantined files, with the columns Object, Threat, Date added and Path, and the buttons Help, Delete, Restore and Restore to]
   The central table lists the following information on quarantined objects that are available to you:
   • Object: name of the quarantined object;
   • Threat: malware class of the object, which is assigned by Dr.Web Security Space when the object is quarantined;
   • Date added: the date and time when the object was moved to Quarantine;
   • Path: full path to the object before it was quarantined.
   Quarantine displays objects which can be accessed by your user account. Only users with administrative privileges can view hidden objects. In the Quarantine Manager window, the following buttons are available:
   • Restore: remove file from the quarantine and restore it to the original location with the same name, to the folder where the object had resi
75. ed when the application on your computer attempted to connect to the network;
   • Listening: the rule is applied when the application on your computer is awaiting for a connection attempt from the network.
   Protocol: The protocol used to transmit data.
   Local address: The protocol and host address from which comes an attempt to connect.
   Remote address: The protocol and host address to which the connection is attempted.
   Sent: The number of bytes sent through this connection.
   Received: The number of bytes received through this connection.
   In the active connections statistics window, you can terminate any active process by right-clicking the process in the table and selecting Terminate process. To terminate any active process, you need administrative privileges. Otherwise, you can terminate only those processes that are run under your account. From the context menu, you can also block an active or unblock a disabled connection. The blocked connections are marked with red in the table.
   10.4.2 Application Filter Log
   The application filter log stores information on all attempts of applications installed on your computer to connect to a network.
   [Screenshot: Application journal, with the columns Time, Application, Rule name, Direction, Action and Endpoint]
76. el. Can be one of following: error, info, debug. Directory where repository and settings are located. Directory for storing log file. Log file name. Repository directory (<data_dir>/repo by default). Enable tracing. Command to execute: getversions, getcomponents, getrevisions, init, update, uninstall, exec, download and keyupdate. List of the zones that should be used instead of specified in configuration file.
   init command parameters
   s version arg: Version name.
   p product arg: Product name.
   a path arg: Product directory path. This directory will be used as default directory for all components included in product. Dr.Web Updater will search for a key file in this directory.
   n component arg: Component name and installation folder. <Name>, <install path>.
   u user arg: Username for proxy server.
   k password arg: Password for proxy server.
   g proxy arg: Proxy server for updating. <Address>:<port>.
   e exclude arg: Component name that will be excluded from product during installation.
   update command parameters
   p product arg; n component arg; x selfrestart arg yes; geo update.
   Product name. If specified, only this product will be updated. If nothing is specified, all products will be updated. If components are specified only these components will
77. em answers. These numbers are then used to mark up the price of telephoning facilities or to connect the user to expensive telephone services. All the above programs are considered malicious because they pose a threat to the user's data or his right of confidentiality. Programs that do not conceal their presence, distribute spam, and different traffic analyzers are usually not considered malicious, although they can become a threat under certain circumstances. Among other programs, there is also a class of riskware programs. These were not intended as malicious, but can potentially be a threat to the system's security due to their certain features. Riskware programs are not only those which can accidentally damage or delete data, but also ones which can be used by crackers or some malicious programs to do harm to the system. Among such programs are various remote chat and administrative tools, FTP servers, etc.
   Below is a list of various hacker attacks and internet fraud:
   • Brute force attack: performed by a special Trojan horse program, which uses its inbuilt password dictionary or generates random symbol strings in order to figure out the network access password by trial and error.
   • DoS attack (denial of service) or DDoS attack (distributed denial of service): a type of network attack which verges on terrorism. It is carried out via a huge number of service requests sent to a server. When a c
78. en editing is finished, click OK to save the changes made or Cancel to cancel the changes.
   Main Page
   On this tab you can set general parameters of Scanner operation. You can enable sound notifications on particular events, set Scanner to apply recommended actions to detected threats automatically, and configure Scanner interaction with the operating system. It is recommended to run Scanner under an account with administrative privileges. Otherwise, all folders and files that are not accessible to unprivileged user, including system folder, are not scanned. To run Scanner under an administrative account, select the Run scanning process with administrative rights checkbox.
   [Screenshot: Main page, with the options Use sound alerts, Automatically apply actions to threats, Turn off computer after scanning, Interrupt scanning when switching to battery mode, If required limit the use of computer resources to 50 (recommended), Run scanning process with administrative rights]
   Actions Page
   To set reaction on threat detection:
   1. Select the Actions tab in the Scanner settings window.
   Infected: Cure (recommended). Incurable: Move to quarantine (recommended). Suspicious: Move to quarantine
79. er: a dialer program (redirecting modem calls to predefined paid numbers or paid resources).
   Joke: a joke program.
   Program: a potentially dangerous program (riskware).
   Tool: a program used for hacking (hacktool).
   Miscellaneous
   • Generic: this prefix is used after another prefix describing the environment or the development method to name a typical representative of this type of viruses. Such virus does not possess any characteristic features (such as text strings, special effects, etc.) which could be used to assign it some specific name.
   • Exploit: a tool exploiting known vulnerabilities of an OS or application to implant malicious code or perform unauthorized actions.
   • Silly: this prefix was used to name simple featureless viruses with different modifiers in the past.
   Suffixes
   Suffixes are used to name some specific virus objects:
   • Origin: this suffix is added to names of objects detected using the Origins Tracing algorithm.
   • generator: an object which is not a virus, but a virus generator.
   • based: a virus which is developed with the help of the specified generator or a modified virus. In both cases, the names of this type are generic and can define hundreds and sometimes even thousands of viruses.
   • dropper: an object which is not a virus, but an installer of the given virus.
   Appendix D. Technical Sup
80. ertain number of requests is received (depending on the server's hardware capabilities), the server becomes unable to cope with them and a denial of service occurs. DDoS attacks are carried out from many different IP addresses at the same time, unlike DoS attacks, when requests are sent from one IP address.
   • Mail bombs: a simple network attack, when a big email (or thousands of small ones) is sent to a computer or a company's mail server, which leads to a system breakdown. There is a special method of protection against such attacks used in the Dr.Web products for mail servers.
   • Sniffing: a type of network attack also called "passive tapping of network". It is unauthorized monitoring of data and traffic flow performed by a packet sniffer, a special type of non-malicious program which intercepts all the network packets of the monitored domain.
   • Spoofing: a type of network attack, when access to the network is gained by fraudulent imitation of connection.
   • Phishing: an Internet fraud technique which is used for stealing personal confidential data such as access passwords, bank and identification cards data, etc. Fictitious letters supposedly from legitimate organizations are sent to potential victims via spam mailing or mail worms. In these letters, victims are offered to visit phony web sites of such organizations and confirm the passwords, PIN codes and other personal information, which is then used for stealing money from the vi
81. ese actions for each resource. Click OK. In the settings of the mail client, instead of the address and port of POP3/SMTP/IMAP4/NNTP server, specify the address localhost:<port_SpiDer_Mail>, where <port_SpiDer_Mail> is the address assigned to an appropriate POP3/SMTP/IMAP4/NNTP server.
   Additional settings
   To get access to advanced settings, click Advanced. To enable one or more options, select the corresponding checkboxes.
   [Screenshot: Scanning optimization options and Additional actions on messages, showing Message scan timeout 250 seconds, Insert X AntiVirus header into messages, Delete modified messages on server, Check archives, Maximum file size to extract 30720 KB, Maximum compression ratio 0, Maximum archive nesting level 64]
   Message scan timeout: The maximum message scanning time. If exceeded, SpIDer Mail stops the scan and acknowledges message as unchecked.
   Maximum file size to extract: The maximum file size at unpacking. If the size of extracted files will exceed the limit, SpIDer Mail neither unpacks nor scans the archive.
   Maximum compression ratio: The maximum archives compression rate. If the compression rate of the archive exceeds the limit, SpIDer Mail neither unpacks nor scans the archive.
   Maximum archive nesting level: The maximum nesting level for archived
82. ess manually. Enter the user name and password if necessary.
   • Anti-virus Network: updates are to be downloaded from a local network computer if Dr.Web product is installed and update mirror is created on it.
   [Screenshot: update source selection with the options Internet (recommended), Local or network folder (Path, Username, Password) and Anti-virus Network]
   Proxy Server
   By default, all components use direct connection mode. If necessary, you can enable use of a proxy server and specify its connection settings. To do that, click Change. The window with proxy server parameters opens.
   [Screenshot: proxy server parameters with the options Do not use proxy server and Use proxy server, and the fields Address, User, Password and Authorization type]
   Select Use proxy server and specify the following parameters for the proxy connection:
   Address: Specify the address of the proxy server.
   Port: Specify the port of the proxy server.
   User: Specify the username to use when connecting to the proxy server.
   Password: Specify the password to use when connecting to the proxy server under the provided username.
   Authorization type: Select an authorization type required to connect to the proxy server.
   After editing, click OK to save the changes or Cancel to cancel them. To edit the proxy connection settings, click Change again.
   Update Mirror
   To allow other local network computers with installed Dr.Web prod
83. essage as read. Black and white lists. White list: Messages from e-mails included into the white list are skipped without check for spam. Black list: Messages from e-mails included into the black list are always considered as spam.
   To configure spam filter:
   1. To run spam checks, select the Check for spam checkbox.
   2. You can add special text to the spam message header by setting the Add prefix to message header check box. The added prefix text is specified to the right of the check box. The default prefix is SPAM.
   3. The checked messages can be marked as read in the message options. To mark messages as read on spam check, select the Mark message as read check box. This option is enabled by default.
   4. You can also configure black and white lists.
   If spam filter defines certain messages incorrectly, you are advised to forward such messages to special email addresses for analysis:
   • Messages which are wrongly regarded as spam should be forwarded to vrnonspam@drweb.com.
   • Unblocked spam messages should be forwarded to vrspam@drweb.com.
   Forward messages as attachments; do not include them to the message body.
   7.3.2 Using Black and White Lists
   Black and white lists are used for messages filtration. To review and edit the black and white lists, click Black list or White list respectively on the Spam filter window. White list: Messages from e-mails
84. etwork interface.
   [Screenshot: Interfaces page with the columns Adapter and Rule]
   To define rule sets for network interfaces:
   1. In the Firewall settings window, select Interfaces.
   2. For an interface of interest, select the appropriate ruleset. If the ruleset does not exist, you can create a new set of packet filtering rules.
   3. Click OK to save changes or click Cancel to close the window without saving changes.
   To list all available interfaces, click All. This opens a window where you can select interfaces that should be listed in the table permanently. Active interfaces are listed in the table automatically. To configure rules for interfaces, click Configure.
   Packet Filter
   Packet filtering allows you to control access to network regardless of which program initiates connection. Firewall applies these rules to network packets transmitted through network interfaces of your computer. Packet filtering allows you to control access to networks on a lower level than the application filter, thus providing you with more flexible options. Firewall provides you the following default filtering rule sets:
   • Default Rule: this set includes rules describing the most popular system configurations and preventing common network attacks. This rule set is used by default for new network interfaces.
   • Allow All: this rule set configures Firewall to pass t
85. f applications whose HTTP traffic should always be checked or exclude certain applications from being monitored. By default, SpIDer Gate blocks all incoming malware objects. URL filtering of malicious and unreliable Web sites is also enabled by default. You can also connect to Doctor Web cloud services, which allow the anti-virus components to use real-time information on threats. This information is stored and updated on Doctor Web servers. SpIDer Gate resides in the main memory of the computer and automatically launches upon Windows startup.
   8.1 Managing SpIDer Gate
   SpIDer Gate can be managed via the SpIDer Gate item in the menu of the SpIDer Agent.
   [Screenshot: SpIDer Agent menu with the SpIDer Gate submenu items Statistics, Settings and Disable]
   The Statistics item opens a window containing information about the SpIDer Gate performance within the current session. The Settings item provides access to the major part of adjustable parameters of the program. The Disable/Enable item allows to start/stop SpIDer Gate. Settings and Disable/Enable items are not available in User mode. You can restore settings to their default values on the Restore defaults page of Dr.Web Security Space Main settings.
86. files. During scan, SpIDer Mail proceeds unpacking and scanning the archive until this limit is exceeded.
   Actions Page
   On this page you can configure reactions of SpIDer Mail to various virus events.
   [Screenshot: Actions page showing Infected messages: Cure (recommended); Incurable messages: Move to quarantine (recommended); Suspicious messages: Move to quarantine (recommended); Unchecked messages: Ignore (recommended); Malformed messages: Ignore (recommended); Adware: Move to quarantine (recommended); Dialers: Move to quarantine (recommended); Jokes: Ignore (recommended); Hacktools: Ignore (recommended); Riskware: Ignore (recommended)]
   To configure default actions:
   1. In the Infected messages drop-down list, choose the program's action upon detection of an infected message (Cure action is recommended).
   2. In the Incurable messages drop-down list, choose the program's action upon detection of an incurable message (Move to quarantine action is recommended). Other actions with moved files are described in Neutralizing Detected Threats.
   3. In the Suspicious messages drop-down list, choose the program's action upon detection of a suspicious message (Move to quarantine action is recommended).
   4. In the Non c
87. files, names of packers and contents of scanned complex objects (archives, email attachments, file containers). It is recommended to use this mode to determine the most frequent objects scanned by SpIDer Guard. If necessary, you can add these objects to the list of exclusions in order to increase computer performance.
   SpIDer Gate: Time of updates, starts and stops of SpIDer Gate, virus events, connection interception settings, names of scanned files, names of packers and contents of scanned archives. It is recommended to use this mode for reception of more detailed information on the checked up objects and work of the HTTP watchman.
   SpIDer Mail: Time of updates and SpIDer Mail starts and stops, virus events, connection interception settings, names of scanned files, names of packers and contents of scanned archives. It is recommended to use this mode when testing mail interception settings.
   Firewall: Dr.Web Firewall does not log its operation in standard mode. When you enable detailed logging, Firewall collects data on network packets (pcap logs).
   Dr.Web Updater: List of updated Dr.Web Security Space files and their downloading states, details on execution of auxiliary scripts, date and time of updates, details on Dr.Web Security Space components restarting after update.
   Dr.Web Services: Information on Dr.Web components, changing of components settings, components starts and stops
88. [Screenshot: Firewall notification for Microsoft Office Excel showing the application path, Digital signature, Remote address, Port and Direction]
   To process connection attempts:
   1. To make a decision, consider the following information displayed in the notification:
   Application name: The name of the application. Ensure that the path to the application executable file corresponds to its usual location.
   Application path: The full path to the application executable file and its name.
   Digital signature: Digital signature of the application.
   Endpoint: The protocol used and the network address the application is trying to connect to.
   Port: The network ports used for the connection attempt.
   Direction: Connection type.
   2. Once you make a decision, select an appropriate action:
   • To block this connection once, select Block once.
   • To allow this connection once, select Allow once.
   • To open a window where you can create a new application filter rule, select Create new rule. In the open window, you can either choose one of the predefined rules or create your rule for application.
   Microsoft Office Excel: The following network access problems were detected: There is no appropriate rule for this application. You can allow, block or customize application network access. You ca
89. hat are not recommended for visiting or URLs due to a notice from copyright owner are blocked only if the corresponding options are enabled on the Actions page. At that, white list and list of excluded applications also have an effect. Files transmitted by instant messaging clients are also checked. When a threat is detected, the file transmission is blocked if the corresponding setting is enabled on the Actions page. Viruses are blocked automatically if the Check traffic in IM clients option is enabled. To get access to advanced settings, click Advanced in Scanning tab.
   [Screenshot: Advanced Settings window with the options Check archives, Check installation packages and Scan priority: Optimal (recommended)]
   In this window, you can configure additional settings of HTTP traffic scans. You can adjust Scan priority, which determines distribution of resources depending on traffic scanning priority. Internet connection speed decreases when SpIDer Gate operates with lower priority, since the monitor has to wait longer for downloading and scans larger portions of data. When you increase the priority, SpIDer Gate starts scanning data more often, thus increasing speed of your Internet connection. However, frequent scans also increase processor load.
   Actions Page
   On this page, you can configure additional settings of HTTP traffic scans and specify actions on detection of a threat.
90. he default settings are optimal for most uses. Do not change them unnecessarily.
   To configure Firewall:
   1. Click the SpIDer Agent icon in the notification area, select Firewall, and then select Settings. The Firewall tab of the settings window opens that contains the following pages:
   • The Applications page, where you can configure filtering parameters for applications;
   • The Interfaces page, where you can configure filtering parameters on network packet level;
   • The Advanced page, where you can select a Firewall operation mode.
   2. Configure options as necessary. To get information on options in the page, click Help.
   3. After editing, click OK to save the changes or Cancel to cancel them.
   10.3.1 Applications Page
   Application level filtering helps you control access of various application and processes to network resources as well as enable or disable the applications to run other processes. You can create rules for both system and user applications. Firewall allows you to create no more than one set of rules per each application.
   [Screenshot: Applications page listing applications with the columns Application and Path]
91. hecked messages and Malformed messages drop-down lists, choose the program's action upon detection of a non-checked or malformed message (Ignore action is recommended).
   5. In the Adware and Dialers drop-down lists, choose the program's action upon detection of adware and dialers (Move to quarantine action is recommended).
   6. The same procedure is used when setting the program's actions upon detection of messages containing jokes, riskware and hacktools (Ignore action is recommended).
   7. Click OK to apply changes and close the SpIDer Mail Settings window.
   Protection against suspicious messages can be disabled if a PC is additionally protected by a constantly loaded SpIDer Guard component. Additionally, you can increase the default level of reliability of anti-virus protection by selecting the Move to quarantine option in the Not checked messages drop-down list. Files with moved messages should be checked by the scanner. You can enable the mode when the deleted or moved messages are immediately deleted from the POP3/IMAP4 server. For this, set the Delete modified messages on server check box in advanced settings.
   Anti-spam Page
   Settings of the spam filter can be set on the Anti-spam page. By default, SpIDer Mail scans incoming messages for spam. To disable the spam filter, select the Do not check mail for the spam mode.
92. hrough all packets.
   • Block All: this rule set configures Firewall to block all packets.
   For fast switching between filtering modes, you can create custom sets of filtering rules.
   [Screenshot: Packet filter settings window listing the rule sets Default Rule, Allow All and Block All, the buttons Set as default, New, Delete, Copy and Edit, and the options Use TCP stateful packet filtering and Management of fragmented IP packets]
   To set rulesets for network interfaces:
   1. In the Firewall settings window, select Interfaces and click Configure.
   2. Do one of the following:
   • Configure sets of filtering rules by adding new rules, modifying or deleting existing ones, or changing order of their execution.
   • Configure additional filtering settings.
   To configure sets of filtering rules, do one of the following:
   • To add a new rule set, click New. The new rule set is added to the beginning of the list.
   • To edit an existing set of rules, select the rule set in the list and click Edit.
   • To add a copy of existing set of rules, select the rule set and click Copy. The copy is added after the selected rule set.
   • To delete a selected rule set, click Delete.
   To configure additional settings, on the Packet Filter settings use the following options:
   Use TCP stateful packet filtering: Select this checkbox to filter packets according to the state of existing TCP connections. Firewall will block packets that do n
93. i virus Network
   3.2.4 Preventive Protection Page
   On this page, you can configure Dr.Web Security Space reaction to such actions of other programs that can compromise security of your computer. You can also protect your important data from unwanted changes.
   [Screenshot: Preventive Protection page showing Level of suspicious activity blocking: Minimum (recommended); Data loss prevention: Disabled. You can configure Dr.Web to create protected copies of important files. Restore: To cancel unwanted changes, you can restore your files from protected copies. Create: You can create copies manually. No copies yet.]
   Preventive Protection Level
   In the default Minimum mode, Dr.Web Security Space disables automatic changes to system objects, modification of which explicitly signifies a malicious attempt to damage the operating system. It also blocks low-level access to disk and protects the HOSTS file from modification. If there is a high risk of your computer getting infected, you can increase protection by selecting the Medium mode. In this mode, Dr.Web Security Space blocks access to the critical objects that can be po
94. improved and ways to overcome them are developed. Encrypted viruses, for instance, cipher their code upon every infection to hamper their detection in a file, boot sector or memory. All copies of such viruses contain only a small common code fragment (the decryption procedure), which can be used as a virus signature. Polymorphic viruses also encrypt their code, but besides that they generate a special decryption procedure which is different in every copy of the virus. This means that such viruses do not have byte signatures. Stealth viruses perform certain actions to disguise their activity and thus conceal their presence in an infected object. Such viruses gather the characteristics of a program before infecting it and then plant these "dummy" characteristics, which mislead the scanner searching for modified files.
   Viruses can also be classified according to the programming language in which they are written (in most cases it is assembler, high-level programming languages, scripting languages, etc.) or according to the affected operating systems.
   Computer worms
   Worms have become a lot more widespread than viruses and other malicious programs recently. Like viruses, they are able to reproduce themselves and spread their copies, but they do not infect other programs. A worm infiltrates the computer from the worldwide or local network (usually via an attachment to an email) and distributes its fun
95. in accordance with SSL protocol. For instance, you can set SpIDer Gate to check encrypted data transmitted via HTTPS protocol or set SpIDer Mail to receive and send messages via POP3S, SMTPS or IMAPS. These protocols use encrypted SSL connections. In order for Dr.Web to scan such encrypted traffic and maintain transparent integration with some browsers and mail clients that do not refer to the Windows system certificate storage, it may be necessary to import Doctor Web SSL certificate into the application certificate storages. To save the certificate from the system storage for future use in third-party applications, click Export and select a convenient folder.
   3.2.8 Restore Page
   On this page, you can restore all Dr.Web Security Space settings to their default values as well as export settings or import them.
   [Screenshot: Restore page. Export settings: You can save product settings by exporting them to hard disk as a file. Import settings: If you have a previously saved configuration file, you can import the settings and apply them to the product. Restore defaults: If any difficulties occurred after change of product settings, restore default settings.]
   3.3 Lice
96. in the configuration file and have a higher priority than the parameters which are specified in it. Switches begin with the forward slash character and are separated with blanks, as other command line parameters.
   Scanner and Console Scanner Parameters
   AA: apply actions to detected threats automatically. (Only for Scanner.)
   AC: check installation packages. Option is enabled by default.
   AFS: use forward slash to separate paths in archive. Option is disabled by default.
   AR: check archives. Option is enabled by default.
   ARC <ratio>: maximum archive object compression. If the compression rate of the archive exceeds the limit, scanner neither unpacks nor scans the archive (unlimited).
   ARL <level>: maximum archive level (unlimited).
   ARS <size>: maximum archive size. If the archive size exceeds the limit, scanner neither unpacks nor scans the archive (unlimited, KB).
   ART <size>: minimum size of file inside archive beginning from which compression ratio check will be performed (unlimited, KB).
   ARX <size>: maximum size of objects in archives that should be checked (unlimited, KB).
   BI: show information on Dr.Web virus databases. Option is enabled by default.
   DR: scan folders recursively, i.e. scan subfolders. Option is enabled by default.
   E <engines>: perform scanning in specified number of threads.
   FAST: perform an
97. For each rule in the set, the following information displays:

Enabled: Execution states for the rule.
Action: The action for Firewall to perform when the packet is intercepted:
• Block packets
• Allow packets
Rule name: The rule name.
Direction: The packet sender:
• the rule is applied when packet is received from the network
• the rule is applied when packet is sent into the network from your computer
• the rule is applied regardless of packet transfer direction
Log: The logging mode for the rule. This parameter defines which information is stored in the Firewall log:
• Log headers: the packet header only
• Entire packet: the whole packet
• No logging: no information is logged
Description: The rule description.

To configure rulesets

1. If you select to create or edit an existing rule set on the Packet filtering settings page, in the open window specify the name for the rule set.
2. Use the following options to create filtering rules:
• to add a new rule, click New. The new rule is added to the beginning of the list.
• to modify a rule, select it and click Edit
98. You need administrative rights to create rules.

10.2 Managing Firewall

Firewall installs as a network component and loads on Windows startup. If necessary, you can suspend Firewall operation, review its statistics, or change settings.

After a session under a limited user account (Guest) is open, Firewall displays an access error message. Firewall status is then displayed as inactive in SpIDer Agent. However, Firewall is enabled and operates with default settings or settings set earlier in administrative mode.

SpIDer Agent provides you with the main Firewall management and configuration features. Click the SpIDer Agent icon and select the Firewall submenu to access them.

Settings and Disable/Enable items are not available in User mode.

Statistics: Displays information on events which Firewall handled.
Settings: Opens Firewall settings. You can restore settings to their default values on the Restore defaults page of Dr.Web Security Space Main settings.
Disable/Enable: Suspends or resumes Firewall operation
99. ion arg p product arg
Zone description file. Directory where key file is located. Print information about command execution to console. Proxy server for updating <Address> <port>. Username for proxy server. Password for proxy server. Version name. Product name.

Appendix B. Computer Threats and Neutralization Methods

With the development of computer technologies and network solutions, malicious programs (malware) of different kinds, meant to strafe users, become more and more widespread. Their development began together with computer science, and facilities of protection against them progressed alongside. Nevertheless, there is still no common classification for all possible threats due to their unpredictable development character and constant improvement of applicable technologies.

Malicious programs can be distributed through the Internet, local area networks, email and portable data media. Some of them rely on the user's carelessness and lack of experience and can be run in completely automatic mode. Others are tools controlled by a computer cracker, and they can harm even the most secure systems.

This chapter describes all of the most common and widespread types of malware against which products of Doctor Web are aimed.

Classification of Computer Threats

Computer viruses

This type of malicious programs is characterized by the ability to implement its code into
100. it
• to add a copy of a rule, select the rule and click Copy. The copy is added after the selected rule.
• to delete a rule, select it and click Delete.
4. If you selected to create a new rule set or edit the existing one, adjust the settings in the open window.
5. When you finish adjusting the settings, click OK to save changes or Cancel to reject them.

Rule Settings

Application filtering rules control interaction of a particular application with certain network hosts.

To add or edit a rule

1. Configure the following parameters:

General
Rule name: The rule name.
Description: The rule description.
Action: The action for Firewall to perform when the connection attempt is detected:
• Block packets
• Allow packets
State: One of the following execution states for the rule:
• Enabled: apply rule for all matching connection attempts
• Disabled: do not apply the rule yet
Connection type: The party which initiates the connection:
• Inbound: apply the rule when someone from the network attempts to connect to the application on your computer
• Outbound: apply the rule when the application on your comp
101. jans are distributed as separate executable files through file exchange servers, removable data carriers or email attachments, which are launched by a user or a system task.

Rootkits

It is a type of malicious program used to intercept system functions of an operating system in order to conceal itself. Besides, a rootkit can conceal tasks of other programs, registry keys, folders and files. It can be distributed either as an independent program or a component of another malicious program. A rootkit is basically a set of utilities which a cracker installs on a system to which she had just gained access.

There are two kinds of rootkits according to the mode of operation: User Mode Rootkits (UMR), which operate in user mode (intercept functions of the user mode libraries), and Kernel Mode Rootkits (KMR), which operate in kernel mode (intercept functions on the level of the system kernel, which makes them harder to detect).

Hacktools

Hacktools are programs designed to assist the intruder with hacking. The most common among them are port scanners, which detect vulnerabilities in firewalls and other components of the computer's protection system. Besides hackers, such tools are used by administrators to check the security of their networks. Occasionally, common software which can be used for hacking and various programs that use social engineering techniques are designated as hacktools as well.

Spywa
102. Update source: You can specify a convenient update source.
Updating components: You can choose one of the update modes:
• All (recommended): select to download updates to Dr.Web virus databases, engine and other components.
• Only virus databases: select to download updates to Dr.Web virus databases and engine; other components are not updated.
Update frequency: You can select frequency for checking of availability of updates.
Proxy server: You can configure connection to a proxy server.
Update mirror: You can create an update mirror that will be used by local network computers with installed Dr.Web product.

Update Source

To select an update source, click Change. In the open window, select one of the following update sources:
• Internet (recommended): updates are to be downloaded from Doctor Web servers. This source is used by default.
• Local or network folder: updates are to be downloaded from a local or network folder where updates were copied. To specify the path to the folder, click Browse and select the required folder, or enter the addr
103. lder
Skip: skip the object without performing any action or displaying a notification.

7.3 Spam Check

The Spam Filter section is available for Dr.Web Security Space only. If your license does not support the Spam filter, its settings are not available and the emails check for spam is not performed.

Dr.Web for Outlook checks emails for spam by means of Dr.Web Anti-spam and filters the messages according to the user-defined settings.

To configure the check for spam, in the Microsoft Outlook mail application, in the Tools > Options > Dr.Web Anti-virus tab (in the Files > Options, select Dr.Web for Outlook and click the Add-in Options button, for Microsoft Outlook 2010), click Spam filter. The window with spam filter settings will be opened.

The Spam filter window will be available only for users with administrative rights.

For Windows Vista and later operating systems, after clicking Spam filter:
• if UAC is enabled: administrator is requested to confirm program actions; user without administrative rights is requested to enter accounting data of system administrator;
• if UAC is disabled: administrator can change program settings; user does not have the access to change program settings.

7.3.1 Configuring Spam Filter
104. lected, a window with SpIDer Mail settings will open (read Adjusting Certain Program Settings).

The Disable/Enable item allows to start/stop SpIDer Mail.

Settings and Disable/Enable items are not available in User mode.

You can restore settings to their default values on the Restore defaults page of Dr.Web Security Space Main settings.

6.2 SpIDer Mail Settings

To modify SpIDer Mail settings, open the settings window as described in Managing SpIDer Mail.

When editing the settings, use the program's help system (general help for each page is generated by clicking Help; there is also a context prompt for certain elements of the interface).

When you finish adjusting the settings, click OK.

The default settings are optimal for most cases. They should not be changed without necessity.

Scanning Page

Most default settings are optimal for the majority of situations. The most frequently used parameters, except the default ones, are described below.

Using SpIDer Mail as a proxy server

SpIDer Mail can intercept connections with the following mail servers:
• POP3 server
105. lete

9 Parental Control

The Parental Control component allows you to restrict access to devices on your computer and both local and web resources. You can also set time limits on using the Internet and computer for certain Windows accounts.

By restricting access to the local file system, you can maintain the integrity of important files, protect them from viruses, and secure the confidentiality of stored data. It is possible to restrict access to separate files or folders on local drives and external data carriers. You can also completely restrict copying data to any kinds of external data carriers.

By controlling access to web resources, you can restrict a user from viewing undesirable web sites (e.g. pages on violence, gambling, adult content, etc.) or allow access only to certain web sites specified in the Parental Control settings.

You can also connect to Doctor Web cloud services, which allow the anti-virus components to use real-time information on threats. This information is stored and updated on Doctor Web servers.

9.1 Managing Parental Control

Parental Control can be managed via the Parental Control submenu in the menu of the SpIDer Agent.
106. lt, Scanner selects a recommended action for the type of detected threat.
2. Click Neutralize. Scanner applies all selected actions to the selected threats.

Suspicious objects are moved to Quarantine and should be sent for analysis to the anti-virus laboratory of Doctor Web. To send the files, right-click anywhere in the Quarantine window and select Submit file to Doctor Web Laboratory.

There are some limitations:
• For suspicious objects, curing is impossible.
• For objects which are not files (boot sectors), moving and deletion are impossible.
• For files inside archives, installation packages or attachments, no actions are possible.

The detailed report on Dr.Web Scanner operation is stored in the dwscanner.log file that resides in the %USERPROFILE%\Doctor Web folder.

4.3 Scanner Settings

It is recommended for Scanner to be run by a user with administrator privileges, because files to which unprivileged users have no access (including system folders) are not scanned.

Default program settings are optimal for most applications, and they should not be modified if there is no special need for it.

To configure Scanner

1. To open Scanner settings, click the Settings icon on the toolbar. This opens the Settings window, which contains several tabs.
2. Make the necessary changes.
3. For more detailed information on the settings specified in each tab, use the Help button.
4. Wh
107. lt.

To add a file, folder or mask to the list, type its name into the entry field and click Add. To enter an existing file name or folder, or edit the path in the field before adding it to the list, you can click Browse to the right and select the object in a standard file browsing window.

To remove a file or folder from the list, select it in the list and click Remove.

Excluded processes Page

On the Excluded processes page you can specify a list of processes to be excluded from scanning.

6 SpIDer Mail

SpIDer Mail is an anti-virus mail scanner that installs by default and monitors data exchange between mail clients and mail servers made via POP3, SMTP, IMAP4 or NNTP (IMAP4 stands for IMAPv4rev1) protocols.

Any incoming messages are intercepted by SpIDer Mail before they are received by the mail client. They are scanned for viruses with the maximum possible level of detail. If no viruses or suspicious objects are found, they are passed on to the mail program in a transparent mode, as if it was received immediately from the server. Similar procedure is applied for outgoing messages before they are sent to servers.

By default, the program's reaction upon detection of infected incoming messages, as well as messages that were not scanned (e.g. due to their complicated structure), is as follows:
• Messages infected with a virus are not delivered; the mail program receives an instruction to delete thi
108. ly destroyed.

Advanced users can modify mail scanning parameters and the program's reactions to virus events.

Dr.Web Scanner can also detect viruses in mailboxes of several formats, but SpIDer Mail has several advantages:
• Not all formats of popular mailboxes are supported by Dr.Web Scanner. In this case, when using SpIDer Mail, the infected messages are not even delivered to mailboxes.
• The Scanner does not check the mailboxes at the moment of the mail receipt, but either on user demand or according to schedule. Furthermore, this action is rather resource-consuming and takes a lot of time.

Thus, with all the components in their default settings, SpIDer Mail detects viruses and suspicious objects distributed via email first and does not let them infiltrate into your computer. Its operation is rather resource-sparing; scanning of email files can be performed without other components.

Anti-spam

Dr.Web Anti-spam technologies consist of several thousand rules that can be divided into several groups:

Heuristic analysis: a highly intelligent technology that empirically analyzes all parts of a message: header, message body, and attachments, if any.
Detection of evasion techniques: this advanced anti-spam technology allows detecting evasion techniques adopted by spammers to bypass anti-spam filters.
HTML signature analysis: messages containing HTML code are compared with a list of k
109. me to time, the updates also include enhancements to anti-virus algorithms and fix bugs in software and documentation.

Dr.Web Updater helps you download and install the updates during the licensed period.

11.1 Running Updates

You can run Updater in one of the following ways:
• From the command line, by running the drwupsrv.exe file located in the Dr.Web Security Space installation folder.
• By selecting Updater in the SpIDer Agent menu.

On launching, Updater displays a window with information on relevance of Dr.Web virus databases and Dr.Web Security Space components. If necessary, you can start an update process. Update parameters can be configured on the Update page of Dr.Web Security Space Main settings.

If launching Dr.Web Updater automatically, changes are logged into the dwupdater.log file that is located in the %allusersprofile%\Application Data\Doctor Web\Logs\ folder (in Windows 7, %allusersprofile%\Doctor Web\Logs\).

Update Procedure

Before starting an update, Updater checks if you have a key file registered. If no key file is found, Updater suggests you to obtain a key file on the Interne
110. modified viruses which use the known infection mechanisms. Thus, Dr.Web users are protected against such threats as the notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detection of new and modified viruses, the Origins Tracing mechanism allows to considerably reduce the number of false triggering of the heuristics analyzer. Objects detected using the Origins Tracing algorithm are indicated with the .Origin extension added to their names.

Execution emulation

The technology of program code emulation is used for detection of polymorphic and encrypted viruses, when the search against checksums cannot be applied directly or is very difficult to be performed (due to the impossibility of building secure signatures). The method implies simulating the execution of an analyzed code by an emulator, a programming model of the processor and runtime environment. The emulator operates with a protected memory area (emulation buffer), in which execution of the analyzed program is modelled instruction by instruction. However, none of these instructions is actually executed by the CPU. When the emulator receives a file infected with a polymorphic virus, the result of the emulation is a decrypted virus body, which is then easily determined by searching against signature checksums.

Heuristic analysis

The detection method used by the heuristics analyzer is based on certain knowledge
111. n choose one of predefined rules or create your own application rule.

3. Click OK. Firewall executes the selected action and closes the notification window.

In cases when connection was initiated by a trusted application (an application with existing rules), but this application was run by an unknown parent process, a corresponding notification will be prompted.

To set parent processes rules

1. Consider the information about parent process displayed in the notification.
• To block this connection once, select Block once.
• To allow this connection once, select Allow once.
• To open a window where you can create a new application filter rule, select Create new rule. In the open window, you can
112. This page lists all applications and processes for which there is an application filter rule set. You can create new filter rule sets, as well as edit the existing ones or delete those that are unnecessary. Each application is explicitly identified by the path to its executable file. Firewall uses the SYSTEM name to indicate the rule set applied to the operating system kernel (the system process for which there is no unique executable file).

If the application file for which the rule was created changes (e.g. due to update installation), then Dr.Web Firewall asks to confirm that the application is still allowed to access network resources.

To configure rule sets

In the Firewall settings window, select the Applications page and do one of the following:
• to add a new set of rules, click New;
• to edit an existing set of rules, select the rule set in the list and click
113. If your files were corrupted, you can restore their copies created by the certain date. For that purpose, click Restore. In the open window, select the required date, and all copies that were available for the date will be restored to the specified folder.

To start creation of protected copies manually, click Create in the main window and configure settings for the new copy.

3.2.5 Dr.Web Cloud Page

On this page you can connect to Doctor Web cloud services and take part in the Dr.Web quality improvement program.

You can connect to cloud services to allow Dr.Web anti-virus components to use real-time information on threats. This information is stored and updated on Doctor Web servers. In turn, data about Dr.Web operation on your computer will be automatically sent to Doctor Web servers. The information obtained from your computer will not be used for your identification or to contact you.

Cloud Services

Dr.Web Cloud Checker provides most recent information on threats which is updated on Doctor Web servers in
114. nown patterns from the anti-spam library. Such comparison, in combination with the data on sizes of images typically used by spammers, helps protect users against spam messages with HTML code linked to online content.
Semantic analysis: the words and phrases of a message, both visible to the human eye and hidden, are compared with words and phrases typical of spam using a special dictionary.
Anti-scamming: scam (as well as pharming messages) is the most dangerous type of spam, including so-called "Nigerian" scams, loan scams, lottery and casino scams, and false messages from banks and credit organizations. A special module of Dr.Web Anti-spam is used to filter scams.
Technical spam: bounces are delivery-failure messages sent by a mail server. Such messages are also sent by a mail worm. Therefore, bounces are as unwanted as spam.

6.1 Managing SpIDer Mail

SpIDer Mail can be managed via the SpIDer Mail item in the menu of the SpIDer Agent.

If the Statistics menu item is selected, a window with information on the program's operation during current session (the number of scanned, infected, suspicious objects and taken actions) will open.

If the Settings menu item is se
115. ns allow protection of the following registry objects (branches) from modification, in the system profile as well as in all user profiles.

If any problems occur during installation of important Microsoft updates, or installation and operation of programs (including defragmentation programs), disable the corresponding options in this group.

Data Loss Prevention

To protect important files from modification by malware, you can enable Data loss prevention. This option allows copying of files that reside in the specified folders.

To configure creation of file copies, click Change. In the open window, select Enable data loss prevention. Click Add to specify folders which content is to be copied. You can add a new folder at any time.

You can also specify the disk to store the file copies and the frequency of their creation. After the specified period, Dr.Web will check whether the files in the specified folders were modified. If so, a new copy is created.

Moreover, you can delete the copies if it is required to clear space on the disk (that deletion cannot affect the original files), as well as disable creation of protected copies while on battery mode.
116. nsing

To use Dr.Web Security Space for an extended period of time, activate a license. You can purchase a license with the product or on the official Doctor Web website. A license allows you to take advantage of all product features during the whole period. Parameters of the license key file are set in accordance with the software license agreement.

If you want to evaluate the product before purchasing it, you can activate a demo period. It provides you with full functionality of the main components, but the period of validity is considerably restricted.

Demo period is available only for Dr.Web Security Space. You can activate a demo period for the same computer no more than once a year.

Demo period is available for:
• 3 months. For that, register on the official Doctor Web website and receive a serial number.
• For 1 month. For that purpose, no serial number is required and no registration data is requested.

Key File

The use rights for the Dr.Web Security Space are specified in the key file.

The license key file has the .key extension and contains the following information:
• List of licensed anti-virus components
• Licensed period for the product
• Availability of Technical Support for the user
• Other restrictions (for example, the number of remote computers allowed for simultaneous anti-virus check)

A valid license key file satisfies the following criteria:
• License is
117. nstall Dr.Web Security Space. There are two installation modes of Dr.Web Security Space:
• The background mode
• The usual mode

Installation with command line parameters

To install Dr.Web Security Space with command line parameters, enter in the command line the executable file name with necessary parameters (these parameters affect installation in background mode, installation language, reboot after installation, and Dr.Web Firewall installation):

reboot - Restart computer automatically after installation is complete.
installFirewall - Install Dr.Web Firewall.
lang - Language used for the installation. The value of this parameter is language in ISO 639-1 format.
silent - Installation in background mode.

For example, to start background installation of Dr.Web Security Space with reboot after installation, execute the following command:

C Documents and Settings drweb 900 win space exe silent yes reboot yes

Usual Installation

To start usual installation, do one of the following:
• run the file, if the installation kit is supplied as a single executable file;
• insert the company disk into the CD/DVD drive, if the installation kit is supplied on the disk. If autorun is enabled, the installation will start automatically. If autorun is disabled, run the autorun.exe file of the installation kit manually. In the open window, click Install.

Follow the instructions of the
118. ntains the "/" symbol (e.g. example.com/test), then the part to the left of it will be considered the domain name, and the part to the right will be allowed/restricted on the domain (for example, example.com/test11, template.example.com/test22, etc. will be filtered).
2. Do one of the following:
• To allow access to the website, click Allow.
• To deny access to the website, click Deny.
3. To delete a web resource from the list, select it and click the corresponding Delete button.

Time Limits

By default, all users have unlimited access to use the computer and the Internet. You can change the mode separately for each user.

To set time limits

1. On the User page in Parental Control settings, find the account of the required user.
2. Click the corresponding link in the Time limits section. The settings window opens. You can specify periods of time during which access to the Internet or to the computer is blocked for the user.
3. Select days of week and time when the user is restricted from using the Internet, and then mark the
119. 2. In the Infected objects drop-down list, select the program's action upon detection of an infected object. Cure action is recommended.
3. In the Incurable objects drop-down list, select the program's action upon detection of an incurable object. Move to quarantine action is recommended.
4. In the Suspicious objects drop-down list, select the program's action upon detection of a suspicious object. Move to quarantine action is recommended.
5. In the Adware and Dialers drop-down lists, select the program's action upon detection of dangerous files. Move to quarantine action is recommended.
6. The same procedure is used when setting the program's actions upon detection of objects containing jokes, riskware and hacktools. Ignore action is recommended.
7. Click OK to apply changes and close the SpIDer Guard Settings window.

Excluded files Page

On the Excluded files page, folders and files to be excluded from checking are specified.

In the Excluded files and folders field, the list of folders and files to be excluded from scanning can be set. These can be the quarantine folder of the anti-virus, some program folders, temporary files (swap files), etc.

The list is empty by defau
120. o a computer. Disabled scanning of archives, even if SpIDer Guard is constantly active, means that viruses can still easily penetrate a PC, but their detection will be postponed. When the infected archive is unpacked (or an infected message is opened), an attempt to write the infected object on the hard drive will be taken, and SpIDer Guard will inevitably detect it.

Also, you can select the Block autoruns from removable media check box to disable the autoplay option for portable data storages such as CD/DVD, flash memory, etc. This option helps to protect your computer from viruses transmitted via removable media.

If any problem occurs during installation with the autorun option, it is recommended to remove the Block autoruns from removable media check box.

Actions Page

On this page you can adjust SpIDer Guard reaction to infected objects.

The Cure, Ignore, Delete and Move to quarantine actions are similar to those of the Scanner. All actions with files are described in the Appendix B. Computer Threats and Neutralization Methods chapter.

To change the default actions in SpIDer Guard

1. In the SpIDer Guard Settings window, select the Actions tab.
121. o data on portable data storages (USB flash, floppy, CD/DVD, ZIP drives, etc.).
[Screenshot: Parental Control access control settings]
Sending jobs to a printer
To prevent sending jobs to a printer, select the Block sending jobs to a printer checkbox. By default, this checkbox is not set.
To configure list of restricted objects:
1. Select the Restrict access to the selected objects checkbox.
2. Click Add and select the type of object. You can limit access to a file or folder as well as a particular device or a whole class of devices.
Note: Access restrictions for a class of devices have a higher priority than restrictions for a particular device. For instance, if you block access to all removable media, then an existing rule for a certain flash drive will become ineffective.
3. Add the object to the list and do one of the following to set the restriction method:
• Select Ask to display a prompt when Parental Control detects an attempt to access the object. In the prompt, you will be able to select a reaction.
• Select Block to forbid access to the object automatically.
4. To add other objects and folders to the list, repeat steps 2 to 3.
To remove an object from the list, select the corresponding item in the list and click Delete
122. oint presentations
• O97M (VBA5 (MS Office 97), VBA6 (MS Office 2000)): this virus infects files of more than one component of MS Office
Development languages
The HLL group is used to name viruses written in high-level programming languages, such as C, C++, Pascal, Basic and others.
• HLLW: worms
• HLLM: mail worms
• HLLO: viruses overwriting the code of the victim program
• HLLP: parasitic viruses
• HLLC: companion viruses
The following prefix also refers to development language:
• Java: viruses designed for the Java virtual machine
Script viruses
Prefixes of viruses written in different script languages:
• VBS: Visual Basic Script
• JS: Java Script
• Wscript: Visual Basic Script and/or Java Script
• Perl: Perl
• PHP: PHP
• BAT: MS-DOS command interpreter
Trojan horses
• Trojan: a general name for different Trojan horses (Trojans). In many cases the prefixes of this group are used with the Trojan prefix.
• PWS: password-stealing Trojan
• Backdoor: Trojan with RAT function (Remote Administration Tool, a utility for remote administration)
• IRC: Trojan which uses Internet Relay Chat channels
• DownLoader: Trojan which secretly downloads different malicious programs from the Internet
• MulDrop: Trojan which secretly downloads different viruses contained in its body
• Proxy: Trojan which allows a third party user to work anonymously in the Internet
123. onnections on the application level.
On the Advanced page you can select Firewall operation mode and specify general filter settings for all applications.
[Screenshot: Firewall settings window, Advanced page, Dr.Web Firewall operation mode]
To set operation mode:
1. In the Firewall settings window, select Advanced.
2. Select one of the following operation modes:
• Allow unknown connections: free access mode, when all unknown applications are permitted to access networks.
• (Default) Training mode (create rules for known applications automatically): learning mode, when rules for known applications are created automatically.
• Interactive learning mode: learning mode, when the user is provided with full control over Firewall reaction.
• Block unknown connections: restricted access mode, when all unknown connections are blocked. For known connections, Firewall applies the appropriate rules.
3. Click OK to save changes or click Cancel to close the window without saving changes.
Learning Mode
In this mode you have total control over Firewall reaction on unknown connection detection, thus training the program
124. ot match active connections according to the TCP protocol specification. This option helps protect your computer from DoS attacks (denial of service), resource scanning, data injection and other malicious operations. It is also recommended to enable stateful packet filtering when using complex data transfer protocols, such as FTP, SIP, etc. Clear this checkbox to filter packets without regard to state of TCP sessions.
Management of fragmented IP packets: Select this checkbox to ensure correct processing of large amounts of data. The maximum transmission unit (MTU) may vary for different networks, therefore large IP packets may be received fragmented. When this option is enabled, Firewall applies the rule selected for the first fragment of a large IP packet to all other fragments. Clear this checkbox to process fragmented packets independently.
Packet Filter Rulesets
The New packet ruleset or Edit ruleset window lists packet filtering rules for the selected rule set. You can configure the list by adding new rules or modifying existing rules and the order of their execution. The rules are applied according to their order in the set.
[Screenshot: packet ruleset window listing the Default Rule set with columns Enabled, Action, Rule name, Direction, Log]
125. ounts are automatically displayed in the settings window. By default, all users have unlimited access to Web resources and no time limits.
Note: Use the arrows to navigate through the user list.
Web Filter
By default, the No restrictions mode is set for all users. You can configure access to Web resources and populate White and Black lists separately for each user.
To restrict access to websites:
1. On the Users page in Parental Control settings, find the required account.
2. Click the corresponding link in the Web filtering section. The settings window opens.
[Screenshot: Web filter settings window with the No restrictions, Custom and White list only modes, the category list, Black and white lists, and the Enable safe search option]
3. Select a mode of access to websites. The table lists No restrictions, Custom, White list only and Enable safe search.
No restrictions: In this mode you grant unlimited access to Internet resources to all users of your computer.
Custom: In this mode you can select websites to block either by category or according to manually populated black and white lists. To configure the lists click Black an
126. our computer. Remove program: Remove Dr.Web anti-virus protection from your computer. Doctor Web Ltd., 1992-2014
3. To remove Dr.Web Security Space or select components to be installed, it is required to enter the confirmation code from the picture in the open window.
4. If the program prompts you, restart the computer to complete the procedure.
3. Getting Started
The installation program allows you to install the following Dr.Web Security Space components on your computer:
• Scanner (GUI and console versions)
• SpIDer Guard
• SpIDer Mail
• Dr.Web for Outlook
• SpIDer Gate
• Parental Control
• Firewall
• Anti-spam
• SpIDer Agent
The components of Dr.Web Security Space use common virus databases and anti-virus engine. In addition, uniform algorithms that detect and neutralize viruses in scanned objects are implemented. However, the methods of selecting objects for scanning differ greatly, which allows these components to be used for absolutely different and mutually supplementary PC protection policies.
For example, Scanner scans (on user demand or according to schedule) certain files (e.g. all files, selected logical disks, directories). By default, the main memory is scanned too. Since it is the user who decides when to launch a task, there is no need to worry about the sufficiency of computational resources needed for other important processes.
SpIDer Guard constantl
127. pIDer Gate
8.2 SpIDer Gate Settings
The default settings are optimal for most cases. They should not be changed without necessity.
To change the SpIDer Gate Settings:
1. Make necessary changes on the pages of the SpIDer Gate Settings window.
2. For more information about settings on a page, click Help.
3. When you finish adjusting the settings, click OK to save changes or Cancel to reject them.
Scanning Page
On this page you can select a mode to scan traffic and transmitted data.
[Screenshot: SpIDer Gate Settings window, Scanning page, with the Scan mode group (Check all HTTP traffic, Check incoming traffic (recommended), Check outgoing traffic) and the Scan options group (Check traffic in IM clients)]
In the Scan mode group you can choose type of the checked HTTP traffic.
IM Clients Check
In the Scan options group you can enable check of URLs and data transmitted by instant messaging clients (Mail.RU Agent, ICQ and clients using the Jabber protocol). Only incoming traffic is checked. By default, this option is enabled.
Links transmitted in messages are checked according to the SpIDer Gate settings: links to the websites known as infection sources are blocked automatically, links to the websites t
128. plays information on your licenses.
To open this window, click the SpIDer Agent icon in the notification area, select Tools, and then select License Manager.
[Screenshot: License Manager window showing the current license details and the Get new license, Online service My Dr.Web and Delete current license controls]
Obtaining a key file
To start the registration procedure for receiving the key file from Doctor Web servers, click Get new licence and select from Internet in the drop-down menu. That launches the Registration wizard for obtaining a key file.
To enable operation of Dr.Web Security Space, install a Dr.Web Security Space key file on the system.
To install an existing key file:
1. Click Get new licence. In the drop-down menu, select from file.
2. Specify the path to the key file. If the received key file is archived, you do not need to extract it.
3. Dr.Web Security Space automatically switches to using the new key file.
The key files received during installation or within the product distribution kit are installed automatically.
To delete a licence from a list, select it and click Delete current licence. Las
129. port
Support is available to customers who have purchased a commercial version of Dr.Web products. Visit Doctor Web technical support website at http://support.drweb.com.
If you encounter any issues installing or using company products, take advantage of the following Doctor Web support options:
• Download and review the latest manuals and guides at http://download.drweb.com/doc
• Read the frequently asked questions at http://support.drweb.com
• Browse Dr.Web official forum at http://forum.drweb.com
If you have not found a solution for the problem, you can request direct assistance from Doctor Web technical support by filling in the web form in the corresponding section of the support site at http://support.drweb.com.
For regional office information, visit the official Doctor Web website at http://company.drweb.com/contacts/moscow.
Doctor Web, 1992-2014
130. r rootkits includes checking of autorun objects, running processes and modules, Random Access Memory (RAM), MBR/VBR disks, computer BIOS system and other system objects.
One of the key features of the Dr.Web Anti-rootkit is delicate attitude towards consumption of system resources (processor time, free RAM and others) as well as consideration of hardware capacity.
When Dr.Web Anti-rootkit detects a threat, it notifies you on detection and neutralizes the malicious activity.
Note: During background rootkit scanning, files and folders specified on Excluded files page of SpIDer Guard are excluded from scanning.
To enable background scanning, set the Scan computer for rootkits (recommended) checkbox.
Note: Disabling of SpIDer Guard does not affect background scanning. If background scanning is enabled, it is performed regardless of whether SpIDer Guard is enabled or disabled.
In Additional tasks group, you can configure SpIDer Guard parameters to check the following objects:
• Executables of running processes regardless of their location
• Installation files
• Files on network drives
• Files and boot sectors on removable devices
These parameters are applied in any scan mode.
Certain external devices (e.g. mobile drives with USB interface) can be identified by the system as hard drives. That is why such devices should be used with utmost care and checked for viruses by the Scanner when connected t
131. ration and threat type.
Threats to your security can be neutralized either by restoring the original state of each infected object (curing) or, when curing is impossible, by removing the infected object completely from your operating system (deleting).
By clicking Neutralize, you apply actions to the objects selected in the table.
Note: Dr.Web Security Space selects all objects by default once scanning completes. When necessary, you can customize selection by using checkboxes next to object names or threat categories from the drop-down menu in the table header.
[Screenshot: Dr.Web Scanner "Scanning completed" window with a table of detected threats (columns Object, Threat, Action, Path)]
To select an action:
1. Where necessary, select a custom action from the drop-down list in the Action field. By defau
132. re
This type of malicious programs is designed to perform monitoring of the system and send the gathered information to a third party: creator of the program or some other person concerned. Among those who may be concerned are distributors of spam and advertisements, scam agencies, marketing agencies, criminal organizations, industrial espionage agents, etc.
Spyware is secretly loaded to your system together with some other software or when browsing certain HTML pages and advertising windows. It then installs itself without the user's permission. Unstable browser operation and decrease in system performance are common side effects of spyware presence.
Adware
Usually, this term is referred to a program code implemented into freeware programs which perform forced display of advertisements to a user. However, sometimes such codes can be distributed via other malicious programs and show advertisements in internet browsers. Many adware programs operate with data collected by spyware.
Joke programs
Like adware, this type of malicious programs does not deal any direct damage to the system. Joke programs usually just generate message boxes about errors that never occurred and threaten to perform actions which will lead to data loss. Their purpose is to frighten or annoy a user.
Dialers
These are special programs which are designed to scan a range of telephone numbers and find those where a mod
133. rectly from the windows with notification on an unknown connection attempt.
Access to network resources
1. Specify one of the following modes to access network resources:
• Allow all: all connections will be allowed
• Block all: all connections will be blocked
• Not specified: settings specified for the selected operation mode of Firewall are used
• Custom: in this mode you can create a set of rules that will allow or block different connections
2. When you select the Custom mode, a table with details on the application rule set displays below.
Enabled: Execution states for the rule.
Action: The action for Firewall to perform when the connection attempt is detected:
• Block packets
• Allow packets
Rule name: The rule name.
Connection type: The party which initiates the connection:
• Inbound: the rule is applied when someone from the network attempts to connect to the application on your computer
• Outbound: the rule is applied when the application on your computer attempts to connect to the network
• Any: the rule is applied regardless of who initiates the connection
Description: The rule description.
3. If necessary, edit the predefined rule set or create a new one:
• to add a new rule, click New. The new rule is added to the end of the list
• to modify a rule, select it and click Ed
134. s, SMTP servers, IMAP4 servers
• NNTP servers
To configure connection interception settings and enable use of SpIDer Mail as a proxy server, click Change.
[Screenshot: SpIDer Mail connections settings window with the SpIDer Mail port, Server address and Server port fields and the Add and Remove buttons]
To remove an element from the list, select it and click Remove.
To add a server or a group of servers to the list, specify its address (IP address or domain name) in the Server address field and the called port number into the Server port field, and click Add.
Note: The localhost address is not intercepted if the asterisk is specified. If necessary, this address should be specified in the interception list explicitly.
To set up mail interception:
1. Make up a list of resources (POP3, SMTP, IMAP4, NNTP servers) connections to which should be intercepted. Number them one after another starting from 7000. Hereinafter these numbers will be called SpIDer Mail ports. In the SpIDer Mail settings window, select the Scanning page and click Change under the list of ports. For every resource, input the SpIDer Mail port that you assigned for the mail server into the SpIDer Mail port entry field, a domain name or IP address of the server into the Server address entry field and the port number to which a connection is made into the Server port entry field, and click Add. Repeat th
135. s and virus databases.
The Register license item starts the registration procedure for receiving a key file from Doctor Web servers.
The My Dr.Web item opens your personal web page on the Doctor Web official website. This page gives information about your license (e.g. period of usage, serial number) and allows you to renew your license, contact Technical Support, etc.
The Help item opens the Dr.Web Security Space help system.
The SpIDer Guard, SpIDer Mail, SpIDer Gate, Parental Control, Firewall and Update items allow you to access the management and settings features as well as statistics of the corresponding components.
The Scanner item runs Dr.Web Scanner.
Note: To access the component settings and open your personal webpage My Dr.Web, you also need to enter the password if you set the Protect Dr.Web settings by password checkbox on the Self-protection page in Dr.Web Security Space Main settings.
The Tools item opens a submenu that provides access to:
• License Manager
• Main settings of Dr.Web Security Space and particular components
• Quarantine Manager
• Anti-virus Network
• Components statistics
• Report generation wizard
Note: Before contacting Doctor Web Technical Support, generate a report that indicates how your operating system and Dr.Web Security Space are functioning. To adjust parameters, in the open window click Report settings. The report will be stored as an archive in
136. s message; the server receives a notification that the message had been received (this action is called deletion of the message).
• Messages with suspicious objects are moved to the quarantine folder as separate files; the mail program receives a notification about this (this action is called moving the message).
• Messages that were not scanned and safe messages are passed on.
• All deleted or moved messages remain on the POP3 or IMAP4 server.
Infected or suspicious outgoing messages are not sent to the server; a user is notified that a message will not be sent (usually the mail program will save it).
If an unknown virus distributing through email is resided on the computer, the program can detect signs of a typical behavior for such viruses (mass distribution). By default, this option is enabled.
SpIDer Mail uses Dr.Web Anti-spam technologies, which allows to scan mail for spam messages. By default, this option is enabled. For information on settings of the spam filter, refer to Anti-spam Page.
The default program settings are optimal for a beginner, provide maximum protection level and require minimum user interference. But some options of mail programs are blocked (for example, sending a message to many addresses might be considered as mass distribution and mail will not be scanned for spam), useful information from their safe text part becomes unavailable if messages are automatical
137. s objects.
Note that deletion will sometimes be applied to certain files for which curing was selected. This will happen if the file contains only malicious code and no useful information. E.g. curing of a computer worm implies deletion of all its functional copies.
• Block, rename: these actions can also be used for neutralizing malicious programs. However, fully operable copies of these programs remain in the file system. In case of the Block action, all access attempts to or from the file are blocked. The Rename action means that the extension of the file is renamed, which makes it inoperative.
Appendix C. Naming of Viruses
Specialists of the Dr.Web Virus Laboratory give names to all collected samples of computer threats. These names are formed according to certain principles and reflect a threat's design, classes of vulnerable objects, distribution environment (OS and applications) and some other features. Knowing these principles may be useful for understanding software and organizational vulnerabilities of the protected system. In certain cases this classification is conventional, as some viruses can possess several features at the same time. Besides, it should not be considered exhaustive, as new types of viruses constantly appear and the classification is made more precise. The full and constantly updated version of this classification is available on the Doctor Web website.
The full name of a
138. ssion for usage of program modules is absent in the key file, licence is blocked, the key file is corrupted (information is written during program launch and during program operating).
• Parameters of program modules: Scanner, engine, virus bases (information is written during program launch and modules update).
• Information on threats detection.
• License expiration notifications (a message is registered in 30, 15, 7, 3, 2 and 1 days before expiration).
To view Event Log:
1. On the Control Panel, select Administrative Tools > Event Viewer.
2. In the tree view, select Application. The list of events registered in the log by user applications will be opened. The source of Dr.Web for Outlook messages is the Dr.Web for Outlook application.
7.4.2 Debug Text Log
The following information can be registered in the Dr.Web for Outlook text log:
• License validity status
• Malware detection reports per each detected malicious object
• Read/write errors or errors while scanning for archives or password-protected files
• Parameters of program modules: Scanner, engine, Dr.Web virus databases
• Core failures
• License expiration notifications (a message is registered in 30, 15, 7, 3, 2 and 1 days before expiration)
Note: Enabling the program logging in the Log file decreases server performance, therefore it is recommended to enable logging only in case of errors occurrence in operation of
139. stem.
Dr.Web Scanner is installed as a usual Windows application and can be launched by the user or automatically (see Automatic Launch of Scanning).
Note: It is recommended for the scanner to be run by a user with administrator rights because files to which unprivileged users have no access (including system folders) are not scanned.
To launch Scanner, do one of the following:
• Click the Dr.Web Scanner icon on the Desktop.
• Click the Scanner item in the menu of the SpIDer Agent in the taskbar notification area (see SpIDer Agent chapter).
• Click the Dr.Web Scanner item in All Programs > Dr.Web directory of the Windows Start menu.
• Run the corresponding command in the Windows command line (read Command Line Scanning Mode).
[Screenshot: Dr.Web Scanner window with the Express, Complete and Custom scanning modes]
There are 3 scanning modes: Express scan, Complete scan and Custom scan. Depending on the selected mode, either a list of objects which will be scanned or a file system tree is displayed at the center of the window.
In Express scan mode the following objects are scanned:
• Boot sectors of all disks
• Random access memory
• Boot disk root folder
• Windows system folder
• User documents folder (My documents)
• Temporary files
• System restore points
• Rootkits (if scanning process is running under administrative privileges)
140. sued at least once a week.
Immediately perform a complete scan whenever SpIDer Guard has been temporarily disabled and the PC was connected to the Internet or files were downloaded from removable media.
Note: Anti-virus protection can only be effective if you update the virus databases and other program files regularly (preferably every hour). For more information, read Automatic Updating.
3.1 SpIDer Agent
After Dr.Web Security Space has been installed, a SpIDer Agent icon is added to the taskbar notification area.
If you hover the mouse cursor over the icon, a pop-up appears with information about the components that are running, the date of last update and amount of virus signatures in the virus databases. Furthermore, notifications which are adjusted in the settings (see below) may appear above the SpIDer Agent icon.
The menu of the SpIDer Agent allows to perform the main management and settings functions of Dr.Web Security Space.
[Screenshot: SpIDer Agent menu with the items About, Register license, My Dr.Web, Help, SpIDer Guard, SpIDer Mail, SpIDer Gate, Parental Control, Firewall, Updater, Scanner, Tools and User mode]
The About item opens a window showing information about your version of Dr.Web Security Space and lists of included component
141. t through the user registration procedure.
If the key file is found, Updater checks its validity at Doctor Web servers (the file can be blocked if discredited, i.e. its illegal distribution is uncovered). If your key file is blocked due to misuse, Updater displays an appropriate warning, terminates the update and blocks Dr.Web components.
If the key is blocked, contact the dealer from which you purchased Dr.Web Security Space.
After the key file is successfully verified, Updater downloads and installs all updated files automatically according to your version of Dr.Web Security Space. If your subscription terms allow upgrade to newer software versions, Updater also downloads and installs a new version of Dr.Web Security Space when released.
After an update of Dr.Web Security Space executable files or libraries, a program restart may be required. In such cases, Updater displays an appropriate warning.
Note: Scanner, SpIDer Guard and SpIDer Mail start using the updated databases automatically.
When the Updater is launched in the command line mode, the command line parameters can be used (see Appendix A).
Appendices
Appendix A. Command Line Parameters
Additional command line parameters (switches) are used to set parameters for programs which can be launched by opening an executable file. This relates to Scanner, Console Scanner and to Dr.Web Updater. The switches can set the parameters unavailable
142. t used key cannot be removed.
Note: By default, the license key file should be located in the Dr.Web Security Space installation folder. Dr.Web Security Space verifies the file regularly. Do not edit or otherwise modify the file to prevent the license from compromise.
If no valid key file is found, Dr.Web Security Space components are blocked. To receive a valid key file, select Register License in the SpIDer Agent menu.
3.3.4 Renewing License
When license expires or characteristics of the protected system change, you may need to renew or extend the license. If so, you should change the currently registered key file. Dr.Web Security Space supports hot license update without stopping or reinstalling the product.
To change a key file:
1. Open License Manager. You can also purchase a new license or renew an existing one on your personal page on the Doctor Web website. To visit the webpage, use the My Dr.Web option in the License Manager window or on the SpIDer Agent menu.
2. If your current key file is invalid, Dr.Web Security Space automatically switches to using the new key file.
3.4 Quarantine Manager
The Quarantine section of Dr.Web Security Space serves for isolation of files that are suspected of being malware. Quarantine folders are created separately on each logic disk where suspicious files are found. When infected objects are detect
143. tentially used by malicious software.
Note: Using this mode may lead to compatibility problems with legitimate software that uses the protected registry branches.
When it is required to have total control of access to critical Windows objects, you can select the Paranoid mode. In this mode, Dr.Web Security Space also provides you with interactive control over loading of drivers and automatic running of programs.
Integrity of running applications: This option allows detection of processes that inject their code into running applications. It indicates that the process may compromise computer security. Processes that are added to the exclusion list of SpIDer Guard are not monitored.
Integrity of users files: This option allows detection of processes that modify user files with the known algorithm, which indicates that the process may compromise computer security. Processes that are added to the exclusion list of SpIDer Guard are not monitored. To protect your data from modification, you can enable creation of protected copies that contain important data.
HOSTS file: The operating system uses the HOSTS file when connecting to the Internet. Changes to this file may indicate virus infection.
Low level disk access: Block applications from writing on disks by sectors, avoiding the file system.
Drivers loading: Block applications from loading new or unknown drivers.
Critical Windows Other optio
144. the Doctor Web subfolder of the %USERPROFILE% directory.
The Administrative/User mode item allows you to switch between full-function Administrative mode and restricted User mode. In User mode, access to settings of components is forbidden, as well as disabling of all components and self-protection. You need administrative rights to switch to Administrative mode.
Note: This item displays when you do not have administrative privileges. For instance, this item displays when you log into Microsoft Windows XP operating systems as a non-privileged user or when User Account Control of Windows Vista or Microsoft Windows 7 operating system is enabled. Otherwise, the item is hidden and SpIDer Agent menu provides access to all features.
3.2 Main Settings
Note: Dr.Web Security Space settings are not available in User mode.
Centralized settings adjustment allows you to configure main Dr.Web Security Space settings and settings of all its components except Scanner.
To configure main settings:
1. Click the SpIDer Agent icon in the Windows notification area.
2. Select Tools and then select Settings. A settings window opens on the Main tab.
3. Configure required settings. For information on settings in the sections, click Help.
3.2.1 Notifications Page
On this page you can set the types of email notifications or pop-ups that appear above the SpI
145. tion Logging mode: The logging mode for the rule. This parameter defines which information is stored in the Firewall log: • Log headers: log packet headers only • Entire packet: log whole packets • No logging: do not log any information. Criterion: Filtering criterion, e.g. transport or network protocol. To add a filtering criterion, select a criterion from the list and click Add. You can add any number of filtering criteria. For some headers there are additional criteria available. 3. When you finish adjusting the settings, click OK to save changes or Cancel to reject them. If you do not add any criterion, then the rule will allow or block all packets depending on the Action field. Example: Adding a packet filter that allows all packets from a sub network may look as follows: [Screenshot: Add packet rule dialog with fields Rule name, Description, Action (Allow packets), Direction (Inbound), Logging mode (No logging), Criterion (Ethernet), Local IP address (Any), Remote IP address] If you select value Any for the Local IP address and Remote IP address fields, then the rule will be passed for any packet that contains an IPv4 header and was sent from a physical address of the local computer. 10.3.3 Advanced Page. Operation mode sets reaction of Firewall to network c
146. tration providing that the validity When reactivating a license or a demo period you receive the same period is not expired. A demo period can be reactivated only on the computer where the registration procedure was run. If you reinstall the product or install it on several computers (if the license allows for that), you will be able to use the previously registered license key file. Reactivation of the key file is not required. The number of requests for a key file receipt is limited. One serial number can be registered not more than 25 times. If more requests are sent, the key file will not be delivered. In this case, to receive a lost key file, contact Technical Support describing your problem in detail, stating your personal data input during the registration and the serial number. 3.3.2 Registration Wizard. After startup, SpIDer Agent checks whether you have a key file. If no key file is found, you are prompted to obtain a key file on the Internet. A key file can be obtained during an installation procedure. In the Registration Wizard window, select Receive license during installation option and activation of a license or a demo period will start. You can also obtain a key file by starting activation of a license or a demo period after the product is installed on your system. For that, do one of the following: • Click the SpIDer Agent icon in the notification area and sel
147. ucts to use your computer as an update source, under the Update mirror click Change and select Create update mirror in the open window. Specify the path to the folder where updates should be copied. If your computer is connected to several networks, you can specify IP address available to computers of only one network. You can also specify the port for HTTP connections. [Screenshot: Update settings in local network dialog with options Do not create update mirror and Create update mirror, and fields Path, Address (0.0.0.0) and Port (8080)] 3.2.3 Anti-virus Network. On this page you can enable remote control of your anti-virus from other local network computers by Anti-virus Network. If your computer is connected to an anti-virus network, you can create local update mirrors and control anti-virus protection state of your computer remotely (view statistics, enable or disable Dr.Web Security Space components and adjust their settings). To prevent unauthorized access to Dr.Web Security Space settings, set a password for remote control. [Screenshot: Anti-virus Network settings page. Dialog text: You can enable remote control of Dr.Web product on your computer from other Dr.Web products installed on the local area network. Users who remotely access your anti-virus will be able to view statistics, enable or disable components and modify the settings of certain modules.] • Ant
148. utbound: the application on your computer attempted to connect to the network • Any: the rule was applied regardless of who initiated the connection. Action: The action Firewall performed when the connection attempt was detected: • Block packets • Allow packets. Endpoint: The protocol, IP address and the port used for the connection. On this page you can save the information to a file or clear the log. To save application filter log: Click Save, then enter the file name where to store the log. To clear application filter log: Click Clear. All information will be deleted from the log. 10.4.3 Packet Filter Log. The packet filter log stores information on packets transmitted through all network interfaces installed on your computer if Log headers or Entire packet logging mode was set for these packets. If No logging mode was set for a packet, no information is stored. [Screenshot: Firewall settings window, Packet Filter journal tab] Columns: Time, Direction, Rule name, Interface, Packet data. Time: The date and time when the packet was processed. Direction: The packet sender: • the packet was transmitted from the network to your computer • the packet was transmitted from your computer to the network •
149. uter attempt to connect to the network • Any: apply the rule regardless of who initiates the connection. Rule Settings. Protocol: The network and transport level protocols used for the connection attempt. Firewall supports the following network level protocols: • IPv4 • IPv6 • IP all (any version of IP protocol). Firewall supports the following transport level protocols: • TCP • UDP • TCP & UDP (TCP or UDP protocol) • RAW. Inbound/Outbound address: The IP address of the remote host. You can specify either a specific address (Equals) or several IP addresses using a range (In range), specific subnetwork mask (Mask), or masks of all subnetworks in which your computer has network addresses (MY_NETWORK). To apply the rule for all remote hosts, select Any. Inbound/Outbound port: The port used for connection. You can specify either a specific port number (Equals) or a port range (In range). To apply the rule for all ports, select Any. 2. When you finish adjusting the settings, click OK to save changes or Cancel to reject them. 10.3.2 Interfaces Page. On the Interfaces page you can select a rule set to use for filtering packets transmitted through different network interfaces installed on your computer. [Screenshot: Firewall settings window, Interfaces page]
150. utomatic Launch of Scanning; SpIDer Guard; 5.1 Managing SpIDer Guard; 5.2 SpIDer Guard Settings; SpIDer Mail; 6.1 Managing SpIDer Mail; 6.2 SpIDer Mail Settings; Dr.Web for Outlook; 7.1 Configuring Dr.Web for Outlook; 7.2 Threat Detection; 7.2.1 Types of Threats; 7.2.2 Configuring Actions; 7.3 Spam Check; 7.3.1 Configuring Spam Filter; 7.3.2 Using Black and White Lists; 7.4 Logging; 7.4.1 Event Log; 7.4.2 Debug Text Log; 7.5 Statistics; 8 SpIDer Gate; 8.1 Managing SpIDer Gate; 8.2 SpIDer Gate Settings; 9 Parental Control; 9.1 Managing Parental Control; 9.2 Parental Control Settings; 10 Dr.Web Firewall; 10.1 Training Firewall; 10.2 Managing Firewall; 10.3 Firewall Settings; 10.3.1 Applications Page; 10.3.2 Interfaces Page; 10.3.3 Advanced Page; 10.4 Event Logging; 10.4.1 Active Applications; 10.4.2 Application Filter Log; 10.4.3 Packet Filter Log; 11 Automatic Updating; 11.1 Running Updates; Appendices; Appendix A Command Line Parameters; Scanner and Console Scanner Parameters; Dr.Web Updater Command Line Parameters; Appendix B Computer Threats and Neutralization Methods; Appendix C Naming of Viruses; Appendix D T
151. virus consists of several elements, separated with full stops. Some elements at the beginning of the full name (prefixes) and at the end of it (suffixes) are standard for the accepted classification. Below is a list of all prefixes and suffixes used in Dr.Web, divided into groups. Prefixes. Affected operating systems. The prefixes listed below are used for naming viruses infecting executable files of certain OS's: • Win: 16-bit Windows 3.1 programs • Win95: 32-bit Windows 95/98/Me programs • WinNT: 32-bit Windows NT/2000/XP/Vista programs • Win32: 32-bit Windows 95/98/Me and NT/2000/XP/Vista programs • Win32.NET: programs in Microsoft .NET Framework operating system • OS2: OS/2 programs • Unix: programs in various Unix-based systems • Linux: Linux programs • FreeBSD: FreeBSD programs • SunOS: SunOS (Solaris) programs • Symbian: Symbian OS (mobile OS) programs. Note that some viruses can infect programs of one system even if they are designed to operate in another system. Macrovirus prefixes. The list of prefixes for viruses which infect MS Office objects (the language of the macros infected by such type of virus is specified): • WM: Word Basic (MS Word 6.0-7.0) • XM: VBA3 (MS Excel 5.0-7.0) • W97M: VBA5 (MS Word 8.0), VBA6 (MS Word 9.0) • X97M: VBA5 (MS Excel 8.0), VBA6 (MS Excel 9.0) • A97M: databases of MS Access 97/2000 • PP97M: MS PowerP
152. wide corporations. Dr.Web antivirus solutions are well known since 1992 for continuing excellence in malware detection and compliance with international information security standards. State certificates and awards received by the Dr.Web solutions, as well as the globally widespread use of our products, are the best evidence of exceptional trust to the company products. We thank all our customers for their support and devotion to the Dr.Web products! Table of Contents: 1 Introduction; 1.1 About This Manual; 1.2 Document Conventions; 1.3 System Requirements; 1.4 Detection Methods; 1.5 How to Test Anti-virus; 2 Installing the program; 2.1 Installation Procedure; 2.2 Removing or changing the program; 3 Getting Started; 3.1 SpIDer Agent; 3.2 Main Settings; 3.2.1 Notifications Page; 3.2.2 Update Page; 3.2.3 Anti-virus Network; 3.2.4 Preventive Protection Page; 3.2.5 Dr.Web Cloud Page; 3.2.6 Self-protection Page; 3.2.7 Advanced Page; 3.2.8 Restore Page; 3.3 Licensing; 3.3.1 Activation method; 3.3.2 Registration Wizard; 3.3.3 License Manager; 3.3.4 Renewing License; 3.4 Quarantine Manager; 3.5 Anti-virus Network; 4 Dr.Web Scanner; 4.1 Scanning Your System; 4.2 Neutralizing Detected Threats; 4.3 Scanner Settings; 4.4 Scanning in Command Line Mode; 4.5 Console Scanner; 4.6 A
153. y reduces consumption of computer resources. An anti-virus HTTP monitor, SpIDer Gate, by default automatically checks incoming HTTP traffic and blocks all malware objects. HTTP is used by web browsers, download managers and other applications that exchange data with web servers, i.e. those that work with the Internet. SpIDer Gate resides in the computer's main memory and automatically launches upon Windows startup. You can change the automatic launch mode by clearing the corresponding check box. The Parental Control component is used to restrict access to both local and web resources. Dr.Web Firewall protects your computer from unauthorized access and prevents vital data from leaking through networks. Firewall monitors connection attempts and data transfer and helps you block unwanted or suspicious connections on both network and application levels. Ensuring Protection Against Virus Threats. To ensure comprehensive anti-virus protection, we advise you to use the Dr.Web Security Space components as follows: • Scan your computer file system with the default (maximum) scanning detail settings. • Keep default settings of SpIDer Guard. • Perform complete email scanning with SpIDer Mail. • Perform scanning of incoming HTTP traffic with SpIDer Gate. • Block all unknown connections with Dr.Web Firewall. • Perform a periodic complete scan of your PC that coincides with when virus database updates are is
154. y resides in the main memory of the PC and intercepts calls made to the objects of the file system. The program checks for viruses in files that are being launched, created or changed on the hard drives and those that are opened on removable media and network drives. Due to a balanced approach to the level of the file system scanning details, the program hardly disturbs other processes on the PC. However, this results in insignificant decrease of virus detection reliability. An advantage of the program is that it provides you with uninterrupted control of the virus situation during the entire time a PC is running. In addition, some viruses can only be detected by the guard through their specific activity. SpIDer Mail also constantly resides in the memory. The program intercepts all calls from your mail clients to mail servers via POP3/SMTP/IMAP4/NNTP protocols and scans incoming and outgoing email messages before they are received or sent by the mail client. SpIDer Mail is designed to check all current mail traffic going through a computer. As a result, it becomes more efficient and less resource-consuming to scan mailboxes. For example, you can control attempts at mass distribution of a mail worm's functional copies to the addresses specified in the user address book, which is performed via the worm's own mail clients. You can also disable scanning of email files for SpIDer Guard, which considerabl