Dr.Web



Doctor Web, Ltd.

Dr.Web® Security Space

Quick Installation and Deployment Guide

Version 11.0

A practical guide for the course

DWCERT-001-11

Protecting computer systems with Dr.Web Security Space

Software version 11.00

Document version 1.0

Document status In progress

Last modified March 14, 2016

Attention! The materials presented in this document are the property of Doctor Web Ltd. The copyright of this document is protected by current legislation of the Russian Federation. No part of this document may be photographed, reproduced, or distributed in any form or by any means without the prior consent of Doctor Web Ltd. If you intend to use, copy, or distribute these course materials, please contact Doctor Web representatives via the web form at .

Dr.Web®, SpIDer Guard®, SpIDer Mail®, Dr.Web CureIt!, and the Dr.WEB logo are registered trademarks of Doctor Web, Ltd., in Russia and/or other countries.

Other product names mentioned in this course material are the trademarks or registered trademarks of their respective owners.

Liability limitations

Under no circumstances shall Doctor Web® or its suppliers be responsible for any errors or inaccurate information found herein and any losses (direct or indirect, including lost profits) experienced by the buyer as a result of them.

The capabilities of Dr.Web for Windows Servers are not limited to the features described in this guide. To learn about all the solution’s features, please refer to the product documentation.

Attention! Doctor Web software products may have had changes made to them that are not indicated in this document. To learn about all the changes made to Doctor Web software products, go to .

© Doctor Web Ltd. 2006-2016



Table of Contents

1. Introduction

2. Requirements for the specialist studying this course

3. The purpose of the product

4. Installing Dr.Web Security Space

4.1. Installing from the command line

4.2. Installing with the Installation Wizard

5. Configuring the anti-virus protection

5.1. Getting started

5.2. Changing the interface language

5.3. Adjusting log verbosity

5.4. Changing the list of allowed components for a selected computer

5.5. Performing an anti-virus scan on a computer. Adjusting scanning priority

5.5.1. Using the Scanner

5.5.2. Scanning with another user’s permissions

5.5.3. Command-line scanning mode

5.6. Configuring how Dr.Web Security Space handles malicious files

5.7. Configuring Dr.Web Security Space system updates

5.8. Configuring Dr.Web Cloud

5.9. Configuring Dr.Web Security Space to detect previously unknown malicious files

5.10. Limiting encryption ransomware’s penetration capacity

5.11. Managing device blacklists and whitelists

5.12. Data Loss Prevention feature

5.13. Product operation testing

5.14. Limiting Internet and account access time

5.15. Controlling access to local and network resources

5.16. Email protection

5.17. Viewing operating statistics

5.18. Quarantine

5.19. Technical support service

5.19.1. Collecting information for the technical support service

6. Additional information

1. Introduction

This document outlines and describes:

• detailed steps for deploying Dr.Web Security Space to protect corporate servers.

Please note that this document does not contain information about the following:

• general anti-virus protection principles;

• major security threats;

• how to organise anti-virus protection based on the results of threat analysis.

This guide describes the basic features of Dr.Web Security Space, its components, and the sequence of steps needed to implement the actions most commonly involved in configuring the product, monitoring its condition, and keeping protected computers safe.

All sections of this guide contain screenshots that administrators can use to easily learn how the product works and get it to perform whatever tasks are needed. This guide contains sufficient information so that an administrator with zero knowledge of the product can understand its settings.

Attention! This guide describes only the most important features and settings of Dr.Web Security Space and the procedures most often used to carry out activities. Detailed information regarding the product’s features can be found in the product documentation.

Attention! Before you read this document, verify that you have the latest version. The current version can be found on the official Doctor Web site at .

This guide is intended for anti-virus network administrators, i.e., employees tasked with managing the anti-virus protection of network computers (desktops and servers).

2. Requirements for the specialist studying this course

It is assumed that the course participant has:

• basic knowledge of how to install, connect, and use computers;

• knowledge and practical skills acquired from administering local networks running Windows XP or later versions;

• familiarity with Dr.Web Security Space version 11.0 product documentation.

3. The purpose of the product

Dr.Web Security Space provides multilevel protection for all of a protected machine’s components (RAM, hard disks, and removable devices) against viruses, rootkits, Trojans, spyware, adware, hack tools, and other malicious programs from any external source.

One of Dr.Web Security Space’s important features is its modular architecture. Dr.Web Security Space utilises the Dr.Web engine and virus databases common to all Doctor Web products, regardless of which platform they support. It is largely because of this that Dr.Web products facilitate the organisation of effective anti-virus protection for different operating systems supporting various platforms—effective not only in terms of quality but also in terms of minimising system requirements and maintenance costs.

Dr.Web Security Space offers the user an array of component settings that can be used to protect a file system:

• Dr.Web Scanner – an anti-virus scanner with a graphical interface that runs on demand or according to a schedule and carries out anti-virus scanning.

• SpIDer Guard – an anti-virus guard that permanently resides in the memory, scans all files on the fly, and detects virus-like activity.

Dr.Web Security Space has convenient and efficient mechanisms for updating the virus databases and existing software components. This makes the entire updating process invisible and eliminates any need for the end-user to intervene in the process. There are none of the headaches that come from having to monitor an anti-virus.

To detect malicious objects, Dr.Web Security Space uses special technologies, many of which are completely unique.

• Signature analysis. Checks whether the code of suspicious files has any commonalities with the signatures of known viruses – matching up any characteristics that make it possible to identify a particular virus. Dr.Web virus databases are designed so that a single entry can reveal entire classes of malware.

Misconception

“Anti-viruses use virus signatures (i.e., records in virus databases) to catch viruses.” If this were so, an anti-virus would be helpless in the face of unknown threats.

However, an anti-virus remains the best and the only effective means of protection against all types of malicious threats – and most importantly – against viruses that are both known and unknown to a virus database. Dr.Web incorporates many effective non-signature technologies to detect and remove unknown malware. Together, they ensure that the latest (unknown) threats are detected before they are recorded in the virus database.

• A traditional heuristic analyser features routines that facilitate the detection of unknown malware. The heuristic analyser relies on knowledge (heuristics) of certain properties that are typical of virus code. It can also do the opposite and identify properties that are extremely rare in viruses. Each attribute is weighted, which means that each one is assigned a number whose modulus denotes the importance and severity of the attribute.

• An execution emulator module is used to detect polymorphic and highly encrypted viruses when the search against checksums cannot be applied directly or is very difficult to perform (because secure signatures cannot be built). The anti-virus uses an emulator (a CPU simulator and, in part, a system emulator) to simulate code execution.

• FLY-CODE technology ensures the high-quality scanning of packed executables and virtualised file execution to unpack any packers, including non-standard ones; this even makes it possible to detect viruses that are unknown to Dr.Web anti-virus software.

• Structural entropy analysis detects unknown threats by analysing how pieces of code are arranged in objects protected with encryption or compression.

• ScriptHeuristic prevents any malicious browser scripts and PDF documents from being executed, without disabling the functionality of legitimate scripts. It prevents unknown viruses from accessing and infecting systems via web browsers. It works independently of the Dr.Web virus databases, in any web browser.

• Origins Tracing. Technology that facilitates the detection of new or modified viruses that use known infection mechanisms. Origins Tracing helps significantly reduce the number of false-positives detected by the heuristic analyser. Origins Tracing treats a scanned executable as a specific sample which it then compares against the database of known malicious programs.

Doctor Web solutions are distinguished by the company’s continual efforts to improve its products’ capacity to detect and cure any kind of malware.

Dr.Web Security Space is easy to manage and no additional skills are required to learn how to use it. The product has a wealth of features, and all its settings are user-friendly and well-positioned so they can be found quickly. Today, however, it is not enough for a product to have simple features; in a world where new threats are constantly emerging, one must be able to use a product to maximum effect. How to do this will be discussed in this guide.

4. Installing Dr.Web Security Space

Attention! All security patches must be installed on a computer that is connected to the Internet; this concerns security patches not only for the operating system, but also for all the programs used. That is because criminals tend to exploit vulnerabilities in application programs, rather than in the operating system, to infiltrate computers. It is essential to apply all security updates because the data contained within them closes vulnerabilities, preventing virus writers from exploiting them to gain system access. We recommend installing these updates before installing Dr.Web Security Space.

Attention! Your computer is not protected while you are installing anti-virus protection on it. Surfing the Internet, downloading files, and checking email should be avoided. As a rule, the system restart that is required for installing the system components signifies the end of the installation. After the system is restarted, the security of your computer will be ensured.

Attention! Before commencing with the installation, you must remove previously used anti-virus or antispyware programs. Dr.Web Security Space can detect and remove anti-virus software, but it is better to do this using the system uninstaller, partly because uninstallation can be protected with a password that is known only to you.

Attention! If you do not use the Russian version of your operating system, make sure that it has all the components needed to display Russian characters.

Attention! To install the anti-virus protection, you must have administrator privileges on this computer; only in this mode can the anti-virus resist viral threats.

The installation can be performed:

• in standard mode using the Wizard (recommended);

• in the background (from the command line).

4.1. Installing from the command line

To start the Dr.Web Security Space installation in the background, in the command line enter the name of the executable file that has the necessary parameters.

Let’s review the command that carries out the Dr.Web Security Space installation and restarts the system after installation (in this case, the product distribution is located in C:\Documents and Settings):

C:\Documents and Settings\drweb-11.0-ss-win.exe /silent yes /reboot yes

If you want to install Dr.Web Security Space in a particular language, you must specify the following additional parameter:

/lang

The parameter value is a language code in the ISO 639-1 format. For the English language, the code value is en.

You can find information about command-line parameters in the product documentation.

4.2. Installing with the Installation Wizard

Run the installation file you received, and follow the Installation Wizard’s instructions. If the installation kit is on a disk, insert the disk into your CD/DVD/Blu-ray drive. If autorun is enabled, the installation will start automatically. If autorun is disabled, launch the autorun.exe file located on the disk.

If you are installing Dr.Web under Windows Vista and later versions, you may receive a request from the user account control (UAC).

[pic]

If you receive a request, click Yes.

If anti-virus programs are already installed on the computer, the Installation Wizard will attempt to remove them. If it fails to do so, remove the anti-virus software yourself (including other versions of Dr.Web).

If you previously used a prior version of Dr.Web Security Space or Dr.Web Anti-virus, and errors occur when you remove the previous version so that the anti-virus will not uninstall, use the utility for emergency removal of corrupt Dr.Web installations. You can download the utility here: . You can also contact the technical support service at .

[pic]

Before the installation begins, the Installation Wizard also checks whether the installer is up to date. If a newer installer version is available, the Wizard will prompt you to download it.

When you begin installing the new version, the Installation Wizard window will open. Click on the appropriate link to view the agreement. Click Next, and accept the terms of the License Agreement.

[pic]

You will also be prompted to use Dr.Web Cloud services so that the anti-virus can receive real-time threat information from Doctor Web’s servers. With the ‘cloud’ services, you can check URLs in real time against the latest version of the Dr.Web databases. Select the needed option, and click Next.

At this stage, you will also be prompted to install Dr.Web Firewall to protect the computer from unauthorised access and prevent sensitive data from being leaked over the network. If you want to install Dr.Web Firewall, check the corresponding box. To select the anti-virus protection components, click Installation parameters.

To choose to install individual components and to specify the installation path and advanced options, click Installation parameters. The Installation parameters window will open.

Attention! This installation mode is intended for advanced users. For more information, refer to the User Guide.

In the Components tab, you will see the list of anti-virus components available for installation. Select the components you want to install on your computer.

Attention! Some components may be unavailable.

[pic]

In the Installation path tab, you can specify the directory in which you want to install the anti-virus software. The default installation directory is Dr.Web, located in Program Files on the system disk.

If you are installing the anti-virus software on a computer that has no Internet access, go to Advanced options, and clear the Update during installation box.

[pic]

Also in the Advanced options tab, you can configure parameters to create desktop and Start menu shortcuts for launching Dr.Web.

Using the default installation is recommended since all Doctor Web products come with settings that ensure optimal performance. Advanced users can opt for a custom installation and decide what components to install.

To save the changes, click OK, and return to the previous dialogue.

You can also read about the privacy policy by following this link: .

Click Next to continue.

In the next window, you must specify the serial number or the key file (if available). If you need to evaluate the product’s capabilities and do not have a serial number or a key file, click Receive license later; once the product has been installed, you can get started with a temporary key file.

Attention! Be careful—even though the demo key acquisition process is fully automated, it does require Internet access.

[pic]

The Registration Wizard, which starts up when you select Receive Key file during installation, lets you register a license or get a demo key file.

[pic]

If you have two or more valid key files, you can get 150 bonus days via the Registration Wizard.

If Dr.Web has already been installed on your computer and you are upgrading to version 11.0 from an earlier version of Dr.Web, the anti-virus will automatically detect the key file. If the file is not found, click Browse, and specify the path to the existing key file (the one used by the older version).

To complete the installation, click Install.

Installation progress is also displayed in the Wizard.

[pic]

[pic]

After all the necessary actions have been performed, the Wizard will prompt you to reboot the system. A reboot is particularly required to ensure that no virus was loaded before the anti-virus was installed; this is extremely important with regards to combating rootkits. Save all your data, click Restart now, and wait until the system restarts.

5. Configuring the anti-virus protection

5.1. Getting started

Once the anti-virus agent software is installed, the Agent icon [pic] appears in the system tray. You can use it to control all the anti-virus settings.

[pic]

If the SpIDer Agent has not started and the agent icon is not displayed in the system tray, go to Dr.Web in the Start menu, and click SpIDer Agent.

Attention! If you use Windows 7 or a later version, you must press [pic] to access the icon. It is recommended that you enable the display of the icon (click on the icon [pic] on the toolbar, select Customise, and configure the desired view for displaying icons), because its changing appearance lets you monitor the status of the anti-virus protection.

[pic]

The SpIDer Agent icon will not appear in the notification area if the corresponding option has not been enabled in the Control Center.

The SpIDer Agent indicates the current Dr.Web Agent status:

• [pic] all the components you need to protect your computer are running and working properly; connectivity has been established with the centralised protection server;

• [pic] Dr.Web Agent’s Self-protection or another important component (the SpIDer Guard monitor or the Firewall) is disabled, weakening your computer’s anti-virus security; the agent is trying to connect to the server but a connection has not yet been established. Enable Self-protection or the other disabled component and wait for a connection to the server;

• [pic] an error occurred while one of Dr.Web’s key components was starting up. Your computer is at risk of infection. The server may have rejected the connection or denied access to its resources. Make sure that you have a valid key file, and, if necessary, copy it to an appropriate location or contact your anti-virus network administrator.

If the notification settings have not been modified, tips may pop up above the icon. Click on the anti-virus agent icon in the system tray to open the context menu, and configure the anti-virus components.

Attention! Administrator privileges are required to access the settings and disable any of the components.

The options available to the ordinary user are displayed in the menu right after installation. The system administrator uses the Control Center to determine which options are to be visible to users. By default, users cannot configure or shut down components.

The Agent main menu:

• My Dr.Web Portal provides access to the user’s personal page on the Doctor Web site.

• Tools. Provides access to the Quarantine manager and the Support section.

• Protection components. Quick access to the components list which can be used to enable or disable individual components (if you have administrator privileges).

• Scanner. Quickly launch different types of scans. Choose between express scan (checks the most used system areas), full scan, or custom scan (you select the system areas to be scanned).

• [pic] Operation mode. By default, Dr.Web is launched in user mode, in which case the Settings are not accessible (the [pic] icon is not present), and consequently the parameters of the protection components cannot be changed. To switch to a different mode, click [pic]. If the UAC is enabled, you will be prompted to elevate the process’s privileges.

[pic]

[pic]

If the option Protect Dr.Web settings with a password was enabled in the Settings section, you will have to enter the password to change the operation mode.

[pic]

• [pic] Statistics. Opens a window that provides information about the component’s activities during the current session (how many objects have been scanned, are infected, and appear suspicious; what actions have been taken, etc.).

• [pic] Settings. Opens a window that provides access to the basic settings and the settings of the protection components. If the option Protect Dr.Web settings with a password was enabled, you will have to enter the password.

• [pic] – opens the Help file.

5.2. Changing the interface language

To change the interface language, right-click on the [pic] icon in the system tray; then click the [pic] icon to access the language settings (the icon will change to [pic]), and click on the [pic] icon, select Main, and then choose Tools. In the newly appeared window, select Advanced, and in the Language drop-down list, change the interface language.

[pic]

5.3. Adjusting log verbosity

To change the protection components’ log verbosity level, right-click on the [pic] icon in the system tray. Then click the [pic] icon to access the settings (the icon will change to [pic]), and click on the [pic] icon. Select Main, and then select Tools.

[pic]

In the newly appeared window, click the item Advanced, and select Log → Change. Select the components for which you want to change the logging verbosity level.

[pic]

In the Advanced section, an inscription will indicate that Custom settings are now being used for logging.

5.4. Changing the list of allowed components for a selected computer

If you have sufficient permissions, you can start and stop the operation of the protection components on your computer. Right-click on the [pic] icon in the system tray, and click the [pic] icon to enable access to the settings (the icon will change to [pic]). Select Protection components, and toggle the switch next to the desired component.

[pic]

[pic]

The icon in the system tray will change to [pic].

5.5. Performing an anti-virus scan on a computer. Adjusting scanning priority

A full system scan should be performed immediately after the installation and on a regular basis going forward. This is particularly necessary because files scanned by the file monitor and written to a disk (including archives) may contain viruses that were unknown to the anti-virus at the moment they were being written to the disk. This means that if outbound traffic is not being scanned, there is a risk of infection occurring when the files are transferred to unprotected computers.

It is recommended that you perform scans as an administrator. Otherwise, files and folders that are inaccessible to a user because of insufficient permissions (including system folders) will not be scanned.

To start scanning, right-click the Dr.Web [pic] icon, and select [pic]. You can also double-click the [pic] icon on the desktop or select Dr.Web Scanner in the Dr.Web section of the Start menu. You can also start the scanner via the command prompt.

To check a file or directory for viruses, right-click on the file or directory you want to scan, and select Scan with Dr.Web. In this case, the scanner will be run with the default settings.

Attention! If you are using Windows Vista or later (including Windows 7/8) and the UAC is enabled, you will need to confirm the program’s launch by clicking Yes.

[pic]

[pic]

5.5.1. Using the Scanner

A new generation scanner is used in Windows XP SP2 and later, Windows 2003 SP1 and later, and Windows Vista and later. The scanner comes with the ArkAPI component which facilitates anti-rootkit scanning.

Once the scanner starts, select the desired scan mode: express, full, or custom.

[pic]

Express scan is the recommended option at system start-up or if you are going to perform tasks that require substantial system resources.

You can start scanning with the default settings or you can change them. To change the scanning parameters, click on the [pic] icon in the system tray. Then click [pic] to access the settings (the icon will change to [pic]), and click on the [pic] icon. In the Tools menu, select Protection components → Scanner.

[pic]

In the Advanced settings tab, you can select the actions to be performed with malicious objects of different types. Move to quarantine is the default action for all objects (except for those that are infected).

It should be noted that different types of malicious objects have different lists of actions that can be applied to them. The option Cure is unavailable for incurable objects.

Attention! The scanner does not provide the option Rename because this action can be undone manually.

[pic]

By default, the scanner does not check archives and mail files because it would be very time-consuming to do so, and any malicious files within them can only be run after being processed by data-compression programs and mail clients, during which time they would be detected by specialised components. However, if you want files of these formats to be scanned, check the corresponding boxes in the File types tab.

In this tab, you can also enable and disable scanning for Email, Archives and Installers.

[pic]

Attention! You should always scan archives before sending them to anyone.

To customise the list of files and folders to be excluded from scanning, go to Tools, and click Exceptions → Files and folders.

[pic]

To add files and folders to the list, click on the [pic] icon, specify the file or folder, and indicate for which component an exception is to be added.

[pic]

You can always click Reset in the Settings page to use the default configuration.

[pic]

The chapter Adjusting log verbosity describes how to change the level of detail for report logging.

Disabling scan logging is not recommended even though this speeds up the process slightly.

If Custom scan is selected, you can specify the objects you want to scan.

[pic]

To choose Express or Full scan, press the corresponding button in the scanner window. A Custom scan will be started in the corresponding dialogue.

[pic]

Click Stop to stop the scan.

[pic]

The Pause button is unavailable while the system memory and processes are being scanned.

Attention! Running an express scan on your computer does not guarantee that it will be completely free of all known viruses. For example, some viruses running in the system can infect clean files—files that have already been scanned. If any malware is detected, we recommend scanning your computer with the free utility Dr.Web CureIt! before the installation. This utility can be downloaded from the free download section on Doctor Web's site.

If the option Neutralise detected threats was enabled in the scanner settings, detected threats will be disarmed automatically. Otherwise, once scanning is complete, the Dr.Web Scanner will notify you about any malware that has been detected and tell you what you need to do to eliminate it in the most expedient way possible.

[pic]

You can neutralise all detected threats simultaneously. To do so, click Neutralise. The selected actions will be applied to objects displayed in the table. If you want to change the action for certain objects, go into the drop-down action list and select the action needed for each object.

By default, all objects will be neutralised once scanning is complete. However, if necessary, you can manually select certain objects or groups of objects and neutralise them immediately by pressing Neutralise. To do this, check the corresponding boxes or use the drop-down list in the table header.

Some actions cannot be applied to certain object types:

• suspicious objects cannot be cured;

• objects that do not exist as files (e.g., boot sectors) cannot be moved or deleted;

• no actions are available for individual files in archives, installers, or emails; in cases like these, an action can only be applied to the entire object.

A detailed scanner operation report is saved in the log file dwscanner.log, which is located in %USERPROFILE%\Doctor Web.

5.5.2. Scanning with another user’s permissions

In some cases, you must have administrator privileges to scan directories or files. This particularly applies to some system sections that are off-limits to users who lack administrator privileges. To scan a directory, do one of the following:

• Run the Scanner as a different user. To do this, right-click on the Scanner icon, and in the drop-down menu, select ‘Run as...’. In the newly appeared window, select a user who has administrative privileges, if necessary.

[pic]

5.5.3. Command-line scanning mode

To start the scanner and specify additional parameters, use the following command:

[<path>]dwscanner [<switches>] [<objects>]

where:

<objects> − a placeholder for the list of objects to be scanned;

<switches> − command-line parameters that specify Scanner settings. If no switches are defined, scanning is performed with the previously specified settings (or with the default settings, if you have not changed them).

By default, <path> − C:\Program Files\DrWeb

The list of objects to be scanned can be empty or contain multiple elements separated by spaces. The most common scanning options:

/FAST − perform an express system scan.

/FULL − scan all available hard drives and removable media (including their boot sectors).

/LITE − conduct an initial system check, which examines the memory and all disk boot sectors, and scans the system for rootkits.

Parameters − command-line switches that dictate how the scanner operates. If no parameters are specified, the previously saved settings (or the default settings, if they have not been modified) will be used. All options start with a forward slash and, like other parameters, are separated by spaces.

Dr.Web comes with a Console Scanner that allows you to run a scan from the command line, and offers numerous customisation options.

To start the Console Scanner, use the following command:

[<path>]dwscancl [<switches>] [<objects>]

where:

<objects> − a placeholder for the list of objects to be scanned;

<switches> − a placeholder for command-line parameters that configure the Console Scanner’s operation. A switch begins with a forward slash (/); multiple switches are separated by spaces.

The list of objects to be scanned can be blank or contain several elements separated by spaces.

All Console Scanner switches are listed in Appendix A.

After the operation is complete, the Console Scanner returns one of the following codes:

0 − scanning completed successfully; infected objects not found;

1 − scanning completed successfully; infected objects detected;

10 − invalid switches specified;

11 − key file not found or does not support Console Scanner;

12 − Scanning Engine did not start;

255 − scanning aborted by user request.
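The wrapper below is an added example, not part of the Dr.Web guide or product: it runs the Console Scanner from a scheduled task and maps the return codes listed above to an operational verdict, so that a scan which never actually ran (bad key file, engine failure, invalid switches) is not silently recorded as a clean result. It assumes dwscancl.exe is in the default directory C:\Program Files\DrWeb; any switches are supplied by the caller from the product's Appendix A, none are assumed here.

```powershell
# Added example (not from the Dr.Web guide): run dwscancl non-interactively,
# log the outcome and fail the task on anything other than a clean scan.
param(
    # Assumption: default installation directory stated in the guide.
    [string]   $ScannerPath = 'C:\Program Files\DrWeb\dwscancl.exe',
    # Objects to scan; default is the whole system drive.
    [string[]] $Objects     = @("$env:SystemDrive\"),
    # Console Scanner switches (see the product's Appendix A); none assumed.
    [string[]] $Switches    = @(),
    # Assumption: a simple append-only report file for the monitoring team.
    [string]   $Report      = "$env:ProgramData\drweb-scan-report.txt"
)

# Return codes documented in the guide for the Console Scanner.
$verdicts = @{
    0   = @{ Status = 'clean';          Alert = $false }
    1   = @{ Status = 'infected';       Alert = $true  }   # objects detected
    10  = @{ Status = 'invalid-switch'; Alert = $true  }   # scan did not run
    11  = @{ Status = 'key-file';       Alert = $true  }   # scan did not run
    12  = @{ Status = 'engine-failed';  Alert = $true  }   # scan did not run
    255 = @{ Status = 'aborted';        Alert = $true  }   # incomplete scan
}

function Get-ScanVerdict {
    param([int] $Code)
    if ($verdicts.ContainsKey($Code)) { return $verdicts[$Code] }
    # An undocumented code is treated as a failed scan, never as a clean one.
    return @{ Status = "unknown($Code)"; Alert = $true }
}

if (-not (Test-Path -LiteralPath $ScannerPath)) {
    throw "Console Scanner not found at $ScannerPath"
}

# Switches first, then the objects, all separated by spaces, as the guide describes.
& $ScannerPath @Switches @Objects
$code    = $LASTEXITCODE
$verdict = Get-ScanVerdict -Code $code

$line = '{0:s} host={1} code={2} status={3} objects="{4}"' -f `
    (Get-Date), $env:COMPUTERNAME, $code, $verdict.Status, ($Objects -join ' ')
Add-Content -LiteralPath $Report -Value $line

if ($verdict.Alert) {
    # Non-zero exit so Task Scheduler or a monitoring agent sees the detection
    # or the failure; code 1 alone does not say whether the objects were neutralised,
    # that depends on the action switches passed in.
    Write-Error $line
    exit $code
}
exit 0
```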

5.6. Configuring how Dr.Web Security Space handles malicious files

Move to quarantine is the default action for most objects. It lets the user decide what to do with a detected malicious object.

Attention! Trojan.Encoder programs are incurable and will only be detected and removed. To recover data from encrypted files, it is desirable to have on hand the malicious file that was used to corrupt them. That is why Move to quarantine should be selected as the default action.

Click on the Dr.Web icon in the system tray, and in the context menu, select Administrator Mode. Then click on the gears icon (Settings). In the Settings window, select Protection components, and then select SpIDer Guard.

The following actions can be applied to objects that have been detected:

• Cure, move to quarantine if incurable − return an object to its pre-infection state. If the file is incurable or curing fails, it will be moved to the quarantine. This action is only available for objects infected with known curable viruses except for Trojans and files contained in other objects.

• Cure, delete if incurable − return an object to its pre-infection state. If the file is incurable or curing fails, it will be removed. This action is only available for objects infected with known curable viruses except for Trojans and files contained in other objects.

• Delete − delete an object. No actions will be performed with the boot sectors.

• Move to quarantine − isolate an object in a special quarantine folder; no actions will be performed with the boot sectors.

• Ignore − skip over the object, without doing anything to it or displaying any notifications. This action is available only for the following malware types: adware, dialers, joke programs, riskware and hacktools.

• Notify − display a warning and skip over the object without performing any actions. This option is only available for suspicious objects.

Note:

• SpIDer Guard does not scan complex objects, which is why no actions are performed on them or on the files within them.

• Processed objects are backed up in the quarantine.

The available list of actions varies depending on the type of malware involved. The options Cure, Move to quarantine and Delete are available for infected files. Bear in mind that the Cure option is unavailable for Trojans because programs of this type do not replicate themselves and cannot be cured.

To change the settings, you must have the necessary permissions, which are defined in the Control Center by the administrator for groups of hosts or for specific machines.

If the option Protect Dr.Web settings with a password was enabled in the Settings section, you will have to enter the password to access SpIDer Guard’s settings.

Similar settings should be used for anti-virus scanning. The settings can be adjusted in the Scanner tab in the same window.

Attention! DO NOT delete quarantined objects because in some cases malicious files may contain keys that can help decrypt files.

7. Configuring Dr.Web Security Space system updates

Attention! To detect malware, Doctor Web anti-viruses utilise special Dr.Web virus databases containing information about known malicious programs. Due to the constant emergence of new threats and the development of algorithms implemented as executables and libraries, these virus databases must be periodically updated.

Updates can help detect previously unknown viruses, block their distribution, and in some cases, cure previously incurable, infected files. Automatic updating is required to maintain the security level that has been set for a computer.

As part of the ongoing maintenance of Dr.Web anti-viruses, errors detected in the programs are fixed, the help and documentation system is updated, and improved modules that scan and cure malware while consuming minimal system resources are released.

To keep the Doctor Web databases and software algorithms current, updates are carried out over the Internet. For as long as a license is valid, the updating module facilitates downloads and installations of add-ons for the virus databases and the updated software modules. It is important to remember that you must have Internet access to use the Updating module.

Updates can be carried out in one of the following ways:

• via the command line,

• via the updating module SpIDer Agent.

If launched automatically, the update runs in hidden mode; the Updating module report is contained in the file dwupdater.log, in the folder %allusersprofile%\Application Data\Doctor Web\Logs (Windows 8: %allusersprofile%\Doctor Web\Logs).

How well the product detects and neutralises viruses greatly depends on the state of the virus databases. The operation of the updating module is determined by the structure of the virus databases and the routine for updating the databases and the system as a whole:

• The software unit includes the main virus database (drwebase.vdb) and its definitions (drw700xx.vdb files). Together they contain virus entries known at the time of a given software unit version’s release.

• Definitions are released weekly as files containing virus entries for detecting and neutralising viruses identified since the last weekly update. Weekly definitions are represented as files with names of the form drwXXXYY.vdb, where XXX is the number of the current version of the anti-virus, and YY is the ordinal number of the weekly definition.

• As needed (usually several times daily), Doctor Web issues hot add-ons containing virus entries for detecting and removing all the viruses that have been identified since the last weekly release of definitions. These add-ons are released in the form of a file named drwtoday.vdb. At the end of each day, the contents of this file are added to the cumulative update file drwdaily.vdb. The contents of drwdaily.vdb are released at the end of the week in the form of the next weekly update.

• Additional malware databases, drwnasty.vdb and drwrisky.vdb, are included in the software suite. Entries designed to detect adware and dialers are added to the virus database drwnasty.vdb. Entries for detecting joke programs, riskware, and unauthorised access programs are added to the virus database drwrisky.vdb.

• Periodically, cumulative malware databases are released. Hot definitions for these databases are released much less frequently than for the main virus database.

• Periodically, significant updates are released for the anti-virus protection components.

In order to run an update:

• in the command-line mode, call up the executable file drwupsrv.exe from the program installation directory;

• select Update in the SpIDer Agent context menu in the Windows notification area.

Although the installation package contains virus databases, we recommend immediately updating the anti-virus after installing the package. This may involve configuring settings for Internet access.

1. Check the version of the virus databases. If you hover your mouse cursor over the icon in the system tray, a tooltip will appear that displays the date of the last anti-virus update.

To configure update settings, click on the Dr.Web icon in the system tray, and in the context menu, switch to Administrator Mode and then click on the gears icon (Settings).

In the newly appeared Settings window, select Main → Update.

By default, the anti-virus retrieves updates from Doctor Web’s servers. To change the update source, click Change.

Three options are available: Doctor Web’s servers, a local directory, or the anti-virus server.

If updates are to be retrieved from a local directory, specify the directory address and its access parameters.

Do the same thing to retrieve updates from the anti-virus server.

To update the anti-virus or to check the update status, click the Dr.Web icon in the system tray and select Update in the menu.

To update the software manually, click Update.

8. Configuring Dr.Web Cloud

You will be prompted to use Dr.Web Cloud during the Dr.Web Security Space installation process. To enable this feature, do not clear the I want to connect to services check box. After the installation, reputation queries for each scanned object will be sent automatically and will not consume any of the protected computer’s resources.

If Dr.Web Cloud was not enabled during the installation, click on the Dr.Web icon in the system tray, switch to Administrator Mode, and then click on the gears icon (Settings).

In the Settings window, select Main → Dr.Web Cloud.

In the newly appeared window, select I want to connect to services.

9. Configuring Dr.Web Security Space to detect previously unknown malicious files

The preventive protection module will compare in real time the behaviour of launched programs with the behaviour of encryption ransomware, allowing unidentified members of the Trojan.Encoder malware family to be detected.

Autorun, used whenever removable media is connected to the PC, scans media contents and offers the user a list of available actions. A whole host of malicious programs can be loaded into a computer’s memory through the insertion of a CD, DVD or thumb drive. To prevent malware of this kind from launching itself, disable autorun for all removable media. To do this, use the Preventive Protection features.

Previously unknown programs can be detected during background scans of running processes as well as during regular anti-virus scans.

The Dr.Web anti-rootkit API facilitates background scanning and the neutralisation of active threats. The resident background scan routines search for active threats among start-up objects, running processes and modules, system objects, RAM, MBR/VBR and BIOS. If threats are detected, Dr.Web can notify the user about the danger, cure the infection, and block malicious activities.

To configure the Preventive Protection feature, click on the Dr.Web icon in the system tray, and in the context menu, switch to Administrator Mode and then click on the gears icon (Settings). In the Settings window, select Protection Components, and then choose Preventive Protection.

In this section, you can adjust how your anti-virus responds to the actions of other applications that could result in your computer becoming infected.

To configure the anti-virus’s response to the actions of third-party applications that could infect your computer, adjust the blocking level for suspicious activity. The Preventive Protection feature enables the anti-virus to maintain control over changes in all critical areas of Windows. To change the Preventive Protection settings, click Change blocking level for suspicious activity.

Select a corresponding item in the drop-down list.

In the default Optimal mode, the automatic modification of system objects (activity that would clearly indicate malicious activity in the system) is blocked. Low-level access to the disk is also blocked to protect the system from bootkits and blocker Trojans that infect the Master Boot Record. Modifying the HOSTS file is not allowed, so that malware cannot prevent the anti-virus from being updated via the Internet or block access to anti-virus developers’ sites.

If the threat of infection increases, raise the protection level to Medium. In this mode, access to objects that can potentially be used by malware is also blocked.

Attention! In this protection mode, compatibility issues can arise between Dr.Web and third-party programs that use protected Windows Registry branches.

If you want Dr.Web to maintain full control over critical Windows areas, you can increase the protection level to Paranoid. In this case, the prompt mode is used for loading drivers and automatically launching programs.

To adjust Preventive Protection, set the desired level of access to the protected objects. The mode will switch to User-defined automatically. In the User-defined mode, you can adjust the anti-virus’s responses to certain actions that could result in your computer becoming infected.

To enable anti-rootkit scanning, in the Settings window, select Protection components → SpIDer Gate. In the next window, click Advanced settings. By default, the option to scan the system for rootkits is enabled.

10. Limiting encryption ransomware’s penetration capacity

An encryption Trojan can get into a system via spam (it can be attached to a message or downloaded using a link), IM messages (which also contain a download link) or from an infected site or a flash drive. To lower the infection risk, use anti-spam and restrict access to potentially dangerous sites and removable data storage devices.

To restrict access to certain sites, files, and folders, click on the Dr.Web icon in the system tray and switch to Administrator Mode. Then click on the gears icon (Settings), and in the Settings window, select Parental Control.

In the next window, select the user account for which you want to set restrictions.

By default, there are no restrictions.

To restrict access to removable media, in the Settings window, select Main → Devices.

In this window, select Restrict access to removable media. Then click Change for the device classes, and select the desired device classes.

After that, you will be able to configure the Whitelist. If you only want devices on the whitelist to be accessible, click Change next to the whitelist.

In the newly appeared window, click Browse, and select the desired device.

Press OK to confirm your choices.

If you want to make a particular removable media device accessible to specific users only, click on the icon next to the device entry, and select the user accounts for which you need to grant access.

Specify permissions for the device.

Confirm your selection.

11. Managing device blacklists and whitelists

Using the Parental (Office) Control features in the Devices tab, you can disable writing to removable media, restrict access to specific devices or allow access only from specific devices, and block the transfer of data over the network (LAN and Internet).

Attention! UAC settings are applied to all Windows accounts.

To access Parental (Office) Control settings, click on the Dr.Web icon in the system tray, click on the lock icon to unlock the ability to change settings (the icon will change to show it is unlocked), click on the gears icon (Settings), select Tools, and then select in sequence Main and Devices.

To restrict user access to removable media (any drives that plug into the USB port), use the option Restrict access to removable media.

To restrict access to devices, toggle on Block the use of the specified devices for all users. To create a list of restricted resources, click Edit, and select Device classes or Device buses to restrict access to a specific device or a class of devices.

Attention! Rules for restricting access to a class of devices are of higher priority than separate rules for specific devices of this type. For example, if you deny access to all removable data-storage devices, a rule added earlier for a specific flash drive will no longer be in force.

Attention! Do not deny access to display adapters, keyboards, monitors, or mice.

User Windows accounts are displayed in the Parental Control tab. For each user, you can set time intervals during which Internet and account access will be denied (computer activity will be impossible). Flexible configuration can be used to restrict access to web resources. Controlling Internet access helps shield users from unwanted websites (containing violence, gambling, etc.) and grant them access to websites defined by the Parental Control settings.

You can also restrict access to a particular file or folder.

Parental Control settings are individual to each person using the same computer (other Dr.Web module settings are the same for all users).

To set these types of restrictions, click on the Dr.Web icon in the system tray. Then click on the lock icon to unlock the ability to change settings (the icon will change to show it is unlocked). Click on the gears icon (Settings), select Tools, and then choose Parental (Office) Control. In the next window, select the files and folders you would like to prevent the user from accessing. Click Objects.

Click the add icon. A window for selecting files and folders will appear. Find the files (folders) to which you want to restrict access, and then click OK.

This will result in a list of controlled objects being created.

When you are done with the configuration, click OK.

You can also prevent users from using all types of networks by selecting Block data transfer over network on the Devices page.

12. Data Loss Prevention feature

To configure the Data Loss Prevention feature, click on the Dr.Web icon in the system tray. Then, in the next menu, click on the gears icon (Settings), and select Tools.

In the next window, select Data Loss Prevention, and enable automatic backups.

Then specify the files and folders that are to be backed up.

To add files and folders to the list, click on the add icon, and indicate which files and directories are to be protected.

Select Copy files… to specify how often backups are to be made and where they will be stored.

13. Product operation testing

You can always check whether the product is operational by doing the following:

Right-click on the Dr.Web icon in the system tray, and click Statistics.

After noting the number of threats, click Detailed report.

Click the filters icon, and then select Create.

In the Component list, select SpIDer Gate, set the filter name, and then click Filter.

Note the number of infected objects detected for the component.

Launch your web browser, and go to .

On the loaded page, find the test files offered for downloading, and select any of them, e.g., choose the first one – . If the anti-virus is working properly, the browser should display an anti-virus pop-up window:

Click More in the pop-up window to get more information and export it.

Return to the Statistics section.

The number of infected objects that have been detected by SpIDer Gate should increase by 1.

If you need to test the file monitor, you will first need to download the test virus file. In the agent menu, select Protection components, and toggle off SpIDer Gate. Return to , and try to download the test virus once again.

The result should be a pop-up window similar to the one shown above.

If SpIDer Guard is working in optimal mode, it won’t block the launch of the EICAR file because the file doesn’t pose any threat to the system. However, if you copy or create such a file on a hard drive, SpIDer Guard will automatically treat the file as malware and move it to the quarantine.

When the test is finished, enable SpIDer Gate: right-click on the Dr.Web icon in the system tray, and in the Protection components menu, toggle on SpIDer Gate.

14. Limiting Internet and account access time

Dr.Web Parental (Office) Control can be used to restrict user access to hardware and different program resources located on the computer and on websites. It can also be used to control time spent on the Internet and on the computer. Restricting access to local file system resources lets you preserve the integrity and confidentiality of sensitive data and protect files from infection. You can protect both individual files and entire folders located on local drives, as well as on removable media. To prevent unauthorised data access or data theft, you can restrict access to devices such as USB ports, hard disks, etc. Controlling Internet access helps shield users from unwanted websites (themed around violence, gambling, etc.) and grant access to sites defined by Dr.Web Parental (Office) Control settings.

The Dr.Web Parental (Office) Control parameters are applied simultaneously to all the users of a computer running Dr.Web Agent. By default, all user accounts are allowed unlimited access to web and local resources (no time limits exist).

To restrict Internet and account access time, click on the Dr.Web icon in the system tray. Then click on the lock icon to unlock the ability to change settings (the icon will change to show it is unlocked). Click on the gears icon (Settings), select Tools, and then choose Parental (Office) Control. In the newly appeared window, you can change the settings for a user by selecting Time → Change. The Time limits window will open.

Use the time grid to create an access schedule. To do this, hover the cursor over any white square. Clicking once will make the square turn blue; clicking twice will change it to maroon, and a triple-click will turn it white. Blue indicates that Internet access will be blocked during this period, and maroon indicates that the user account will be blocked. White shows that no restrictions are set. Once you have the right colour, hold the mouse button and move the cursor to change the colour for the time periods you need. This is how you can configure a working schedule for a particular user account. The example schedule prevents the user from using the computer on Saturdays and Sundays. It allows work on weekdays, but the user can get online only within certain time blocks.

If time limits have been set on computer or Internet access, the option Block the changing of system date and time in the Self-protection settings is enabled automatically.

15. Controlling access to local and network resources

You can restrict access to removable data-storage devices, and files and directories, and thereby reduce the risk of malware penetrating the computer.

The module’s settings can be protected with a password. You can change the password in the Settings window.

Attention! Do not use short passwords. Passwords should not contain simple letter combinations. Weak passwords make systems vulnerable to brute force attacks.

To access Parental (Office) Control settings, click on the Dr.Web icon in the system tray. Then click on the lock icon to unlock the ability to change the settings (the icon will change to show it is unlocked). Click on the gears icon (Settings), select Tools, and then choose Parental (Office) Control.

If no restrictions have been placed on the user with regards to visiting specific web resources, No restrictions will be displayed in the Internet window.

In the drop-down list, select Block by category to restrict access to websites based on pre-defined groups. Here, you can select groups of websites (sites for adults, violence, weapons, etc.) that are to be off-limits.

Check the required groups.

You can also block access to all web resources except those that have been added to the whitelist. To do this, select Block all sites except websites from the whitelist.

The priority of lists is higher than the priority of pre-defined groups. For example, you can select the Social networks group, but add VKontakte to the whitelist. Then all social networks, except VKontakte, will be off-limits. To edit the whitelists and blacklists, press Whitelist and Blacklist.

You can add website addresses to:

• Whitelist – access will be granted regardless of other Parental (Office) Control settings;

• Blacklist – access will be denied regardless of other Parental (Office) Control settings.

In the Whitelist field, enter the address of the web resource to which you want to allow access, and press the add button. The resource’s address will be added to the Whitelist. You can fill in the Blacklist the same way. Press OK to save the settings.

To view statistics on the different resources that have been requested, click on the Agent icon, and select a user name.

16. Email protection

Email has been and remains one of the main channels used to distribute malware. SpIDer Mail ensures that you receive only virus-free email and helps keep your mailbox free of spam.

To configure SpIDer Mail, do the following:

If you would like to optimise the operating speed of the mail filter, you can define mail processing rules. To do this, right-click on the Dr.Web icon in the system tray. Then click on the lock icon to unlock the ability to change settings (the icon will change to show it is unlocked). Click on the gears icon (Settings), select Tools, and then select Protection components.

To configure anti-virus scan settings, click SpIDer Mail in the Protection components menu.

Make sure that the Check mail for spam option is enabled.

Click Anti-spam → Change settings.

Specify what prefix will be added to the subject of messages detected as spam. You can then use the prefix in the mail processing rules that can be created in your mail client.

Return to SpIDer Mail.

In the Actions tab, you can specify what the anti-virus should do if infected objects or files are found in a message. Move to quarantine is the default action for most objects. This allows them to be kept for further analysis.

If you want to scan received archives, click Advanced settings, and check the Scan archives box.

You can also specify the maximum processing time per message and archive processing rules. If you want to scan only small-sized archives (this increases scanning speed), you can change the values of Maximum file size to extract and Maximum archive nesting level.

Apart from placing a prefix in the subject field, SpIDer Mail also adds the X-DrWeb-SpamState header field (a message field that is hidden from the user) with the value Yes or No, where ‘Yes’ indicates that the message’s status is ‘spam’. This makes it possible to carry out additional mail filtering using markers added to both the header and the subject of a message.

Configure filtering rules in Microsoft Outlook 2007:

Go to the Tools menu, and open the Rules and Alerts tab.

Select the Email rules tab, and click New Rule.

Select Start from a blank rule, and enable the option Check messages when they arrive. Then press Next.

In the conditions list, select containing specific words in the message header.

In the bottom conditions window, choose ‘specific words’. In the newly appeared window, enter ‘X-DrWeb-SpamState: YES’ without quotation marks. Click Add, then OK and then press Next.

Check the box next to Move them to the specified folder, and select the folder in which you want spam to be placed by clicking on the highlighted area that allows you to specify a folder. If you want to store spam in a new folder, click Create to create the folder. Press Next, and then click on the Finish button.

To finish configuring the rules, close the rules window. The rules for filtering other mail clients are configured in a similar way.

To make sure the filter works correctly, compose a new email and add the following string to its body: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X. This is the so-called GTUBE (Generic Test for Unsolicited Bulk Email). It is similar to the EICAR anti-virus test.
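The same two markers (the X-DrWeb-SpamState header and the subject prefix) can be checked outside Outlook, for instance when verifying the GTUBE test from a script. The following is an added example, not Doctor Web's code; the sample messages are constructed, and the "[SPAM]" subject prefix is an assumption standing in for whatever prefix was set in the Anti-spam settings.

```python
"""Classify mail on the markers SpIDer Mail adds (the X-DrWeb-SpamState header and the
configurable subject prefix) and evaluate the GTUBE self-test described in this guide.
Added example, not Doctor Web's code; sample messages are constructed."""
from email import message_from_string
from email.message import Message

SPAM_HEADER = "X-DrWeb-SpamState"
SUBJECT_PREFIX = "[SPAM]"   # assumption: use the prefix set under Anti-spam -> Change settings
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


def is_flagged_spam(msg: Message) -> bool:
    """True when SpIDer Mail marked the message as spam.
    The header value is compared case-insensitively: the guide writes 'Yes',
    while the Outlook rule above searches for 'YES'."""
    state = (msg.get(SPAM_HEADER) or "").strip().lower()
    if state == "yes":
        return True
    return (msg.get("Subject") or "").startswith(SUBJECT_PREFIX)


def route(raw: str) -> str:
    """Folder a mail-client rule would move the message to."""
    return "Spam" if is_flagged_spam(message_from_string(raw)) else "Inbox"


def body_text(msg: Message) -> str:
    """Plain-text body of a simple (non-multipart) message."""
    payload = msg.get_payload(decode=True)
    if not payload:
        return ""
    return payload.decode(msg.get_content_charset() or "ascii", "replace")


def gtube_check(raw: str):
    """Outcome of the GTUBE self-test: True if the test string was tagged as spam,
    False if it slipped through untagged, None if the message carries no GTUBE string."""
    msg = message_from_string(raw)
    if GTUBE not in body_text(msg):
        return None
    return is_flagged_spam(msg)


# Constructed sample messages (not real mail traffic).
TAGGED = (
    "From: test@example.com\r\n"
    "To: admin@example.com\r\n"
    f"Subject: {SUBJECT_PREFIX} filter self-test\r\n"
    f"{SPAM_HEADER}: Yes\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    f"{GTUBE}\r\n"
)
UNTAGGED = (
    "From: test@example.com\r\n"
    "To: admin@example.com\r\n"
    "Subject: filter self-test\r\n"
    f"{SPAM_HEADER}: No\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    f"{GTUBE}\r\n"
)
CLEAN = "From: a@example.com\r\nSubject: hello\r\n\r\nSee you tomorrow.\r\n"

if __name__ == "__main__":
    for name, raw in (("tagged", TAGGED), ("untagged", UNTAGGED), ("clean", CLEAN)):
        print(f"{name:9s} -> {route(raw):5s} gtube_check={gtube_check(raw)}")
```

A GTUBE message that arrives with gtube_check returning False means SpIDer Mail is not tagging mail at all, which is the case to investigate before tuning client-side rules.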

17. Viewing operating statistics

At any time, you can view statistics that show how the protection system is operating. To access statistics for a certain component, click on the Dr.Web icon in the system tray, and then click on the Statistics icon.

Use filters to view statistics for the specific component.

18. Quarantine

Dr.Web anti-viruses isolate suspicious files in the quarantine. To adjust quarantine settings, click on the lock icon to unlock the ability to change the settings (the icon will change to show it is unlocked). Click on the gears icon (Settings). Select Tools, then Main, and then choose Advanced.

A separate Quarantine folder is created on each logical drive where suspicious files have been detected. The Dr.Web Quarantine directory is created in the root directory and has the ‘hidden’ attribute. Users do not have permission to access the quarantine directories.

Quarantined files stored on a local drive are encrypted, while quarantined files stored on a removable drive are not.

You can set the isolation mode for infected objects detected on removable media. By default, if an infected object is detected on removable data-storage media and the anti-virus can write data onto the media, the Dr.Web Quarantine folder is created there, and the infected object is moved to it. Using separate folders and avoiding removable media encryption helps you prevent possible data loss.

To view or modify the contents of the quarantine, select Tools in the Agent menu, and then select Quarantine Manager; a table containing information about the quarantine's current status will appear.

The quarantine information table includes the following columns:

• Objects – the list of object file names placed in the quarantine;

• Threat – the classification of the malicious program as determined by Dr.Web while automatically transferring it to the quarantine;

• Date added – the date the object was moved to the quarantine;

• Path – the full path to the object’s location before it was quarantined.

Only users who have permission to access the files can see the corresponding objects in the quarantine. To display hidden objects, you must have administrator privileges.

If disk space is low, the quarantine is cleaned out automatically. Backups of quarantined files are deleted first, and then objects whose quarantine storage periods have expired.

If the quarantine is full and it cannot be cleaned automatically, moving files to the quarantine will result in an error.

To remove all the files placed in the Quarantine folder on a particular drive, select them, click Remove, and confirm the removal request.

19. Technical support service

Contact Doctor Web’s technical support service if you experience any irresolvable situations, software operational issues, or issues with false-positives being detected.

1. Collecting information for the technical support service

One of the product’s big advantages is that it is very easy to collect the information needed by the technical support service. You do not need to collect files and data manually; the anti-virus will take care of it.

To gather information, click on the Dr.Web icon in the system tray, select Tools, and in the newly appeared window select Support → Report for technical support.

In the next window, click Create Report.

The anti-virus will automatically collect all the information and create an archive in the specified folder. You will be able to send the archive to Doctor Web’s support engineers or to your system administrator.

To configure the settings, in the next window, click on Report parameters. The report will be saved as an archive in the DoctorWeb directory located in the user profile folder %USERPROFILE%.

The report may include:

1. Technical information about the OS, including an overview of the following:

• computer;

• launched processes;

• scheduled tasks;

• services, drivers;

• default browser;

• installed applications;

• restriction policies;

• HOSTS file;

• DNS servers;

• MSInfo reports;

• event log entries;

• list of system catalogues;

• registry branches;

• Winsock providers;

• network connections;

• Dr.Watson debugger reports;

• performance index.

2. Information about Dr.Web products:

Information on how the Dr.Web anti-virus solution is operating is always available in the Windows event log. See Applications and Services Logs – Doctor Web.

5. Additional information

Should you encounter any problems while installing or using Doctor Web products, it is strongly recommended that you try one of the solutions described below before contacting technical support:

• Review the most current manuals and guides at ;

• Read the FAQ at ;

• Try to find the answer in the Dr.Web knowledge base at ;

• Visit Dr.Web forums at .

If, after doing the above, you still have not found the solution to your problem, complete the web form in the relevant section of .

You can find the Doctor Web office nearest you and all relevant contact information at .

My Dr.Web Portal helps you stay up to date with the latest news. To access it from the context menu, select My Dr.Web Portal, and go to the Doctor Web home page (the browser will open it by default):

Get acquainted with the most important sections of the website:

• Download – for obtaining distributions of Dr.Web products as well as viewing and downloading documents.

• Store – the Doctor Web online store where you can purchase a license for any of the company’s products, as well as read information about them.

• News – we recommend subscribing to Doctor Web news because the newsfeed periodically includes important information about Dr.Web product updates and virus activity.

• Help – for requesting technical support (see Section 6) and learning about other useful resources and services that help improve your anti-virus protection and your understanding of malware programs and the tools used to combat them.

• Training and certification – an important section devoted to training individuals to administer Dr.Web products. At , you can register in the Dr.Web training portal, sign up for courses or webinars that interest you, and upon completing these courses, take an exam and become a certified anti-virus protection specialist. This certificate opens up new career opportunities and confirms that you have obtained the requisite knowledge.

Doctor Web

Doctor Web® is a Russian anti-virus vendor.

The company also offers proven anti-virus and anti-spam solutions for major businesses, government entities, and personal use.

Dr.Web® anti-virus software has been developed since 1992. We have a solid record of detecting malicious programs, and we adhere to all international security standards.

Doctor Web has received numerous certificates and awards; our satisfied customers spanning the globe are clear evidence of the complete trust customers have in our products.

Doctor Web thanks all users who support Dr.Web® software!

Doctor Web® Headquarters in Russia

3rd street Yamskogo polya 2-12А, Moscow, Russia, 125124

Website:

Phone: +7 495 789-45-87

Information on the company’s regional offices can be found on its website.
