Drweb enhanced protection
ink
October 29th, 2006, 08:41 AM
"By default, SpIDer Guard XP version operates in the enhanced protection mode. In this mode the guard immediately checks all files, the scanning of which is specified in the program's settings, and all other opened files are put on the queue for check (files opened for reading in the Smart and Create and write files modes). With the computer resources available, the guard will also check these files. " --------this is from the help file
But the default is disabled, so when you open a folder, if you don't run, it will not notify you whether there is malware. I am confused by the explanation above: what if the computer resources are not available?
Serge Popov
October 29th, 2006, 09:59 AM
{QUOTE-> "By default, SpIDer Guard XP version operates in the enhanced protection mode. In this mode the guard immediately checks all files, the scanning of which is specified in the program's settings, and all other opened files are put on the queue for check (files opened for reading in the Smart and Create and write files modes). With the computer resources available, the guard will also check these files. " --------this is from the help file
But the default is disabled, so when you open a folder, if you don't run, it will not notify you whether there is malware. I am confused by the explanation above: what if the computer resources are not available? <-QUOTE}
"Enhanced Protection" is essentially a background scanner, which is activated when a computer is idle (e.g. "when the computer resources are available"). Basically, SpIDer Guard waits for disk activity to stay low for some time to start background tasks.
ink
October 29th, 2006, 09:13 PM
Thank you for your reply.
1. When in smart mode, a file is open for reading, it is not scanned when the computer is busy, am I right?
2. When enhanced protection is disabled (the setup default setting), if you just browse the folder containing the malware, it will not notify; if enabled, it will notify you a few minutes later, am I right?
Serge Popov
October 30th, 2006, 06:51 AM
{QUOTE-> Thank you for your reply.
1. When in smart mode, a file is open for reading, it is not scanned when the computer is busy, am I right?
2. When enhanced protection is disabled (the setup default setting), if you just browse the folder containing the malware, it will not notify; if enabled, it will notify you a few minutes later, am I right? <-QUOTE}
"Enhanced" means that it enhances the default modes of operation in some way. Simply put, files that otherwise would not be scanned go to the background scanner. In "smart" mode SpIDer Guard scans files opened for reading in that way. It is quite impossible for a typical system to be busy for a long time, so after a short delay these files are scanned in the background.
It is not intended to be a defence against "running" malware, because there is a delay as noted above. We are planning to add such a defence in the next release.
If "enhanced protection" is disabled, SpIDer Guard operates as usual (in the selected mode). So, in "smart" mode it does not scan files in a folder if these files are not opened for writing.
ink
October 30th, 2006, 08:01 AM
Thanks, a little clear now.
But today I ran a software to defend against arp poison attack, it ran and closed several times for a period. My computer is not busy, enhanced protection disabled, smart mode. Drweb at last reported once that it is a hack tool. So according to the explanation above, how did it happen? I think this programme should be scanned the first time it runs, but drweb doesn't report. After several runs, it notified once at last. Is it scanned in the background? I can't understand the behavior of the shield.
Serge Popov
October 30th, 2006, 04:13 PM
{QUOTE-> Thanks, a little clear now.
But today I ran a software to defend against arp poison attack, it ran and closed several times for a period. My computer is not busy, enhanced protection disabled, smart mode. Drweb at last reported once that it is a hack tool. So according to the explanation above, how did it happen? I think this programme should be scanned the first time it runs, but drweb doesn't report. After several runs, it notified once at last. Is it scanned in the background? I can't understand the behavior of the shield. <-QUOTE}
Check the log file for details. Note the two-letter sign in square brackets in front of file names at every line:
[CR] stands for "Create". File is being created or opened. SpIDer Guard operates in "RunAndOpen" mode, or "Smart" mode and file is on remote or removable volume.
[CL] stands for "Close". File is being closed. SpIDer Guard operates in "Smart" or "CreateAndWrite" modes.
[RN] stands for "Rename". File is being renamed with suspicious (executable) extension.
[PR] stands for "Process". This file is an executable image loaded in some process address space.
[BG] stands for "Background". Background scanner.
ink
October 30th, 2006, 07:46 PM
Thanks, it is scanned by the Process.
30-10-2006 20:41:22 [PR] F:\Downloads\arp30sj\ARP - is a HackTool program Tool.Arp
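An added example, not part of any post in this thread: a small Python triage script that maps each log entry's two-letter tag to the scan trigger listed above and counts detections per trigger. The line layout is inferred from the single log line quoted in the thread; the other sample lines, their paths and the name Tool.Example are constructed, and clean entries without a verdict are an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Tag meanings as listed in the thread.
TAGS = {
    "CR": "Create: file created or opened",
    "CL": "Close: file closed",
    "RN": "Rename: renamed with an executable extension",
    "PR": "Process: executable image loaded into a process",
    "BG": "Background: background scanner",
}

# Assumed layout: DD-MM-YYYY HH:MM:SS [TAG] <path>[ - <verdict>]
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<tag>[A-Z]{2})\] (?P<rest>.+)$"
)

SAMPLE = [
    # First line is quoted in the thread; the rest are constructed.
    r"30-10-2006 20:41:22 [PR] F:\Downloads\arp30sj\ARP - is a HackTool program Tool.Arp",
    r"30-10-2006 20:45:10 [CL] C:\example\report.doc",
    r"30-10-2006 21:02:37 [BG] C:\example\sample.exe - is a HackTool program Tool.Example",
    "not a log line",
]

def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    # Split on the last " - " so a dash inside the path is less likely to
    # be mistaken for the verdict separator (assumed separator).
    path, sep, verdict = m["rest"].rpartition(" - ")
    if not sep:
        path, verdict = m["rest"], None
    return {
        "when": datetime.strptime(m["ts"], "%d-%m-%Y %H:%M:%S"),
        "tag": m["tag"],
        "trigger": TAGS.get(m["tag"], "unknown tag"),
        "path": path,
        "verdict": verdict,
    }

def detections_by_trigger(lines):
    """Count entries that carry a verdict, grouped by the tag that caught them."""
    records = (parse_line(line) for line in lines)
    return Counter(r["tag"] for r in records if r and r["verdict"])
```

A count concentrated under `PR` or `BG` means files are being flagged only when loaded into a process or scanned in the background, not when they are first opened or closed.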
redwolfe_98
October 31st, 2006, 12:35 PM
ink, i would check the settings, in "actions".. maybe you do not have spiderguard set to flag riskware.. by default, "riskware" is set to "ignore"..
i myself am new to dr.web, and i was just checking out the settings..
ink
October 31st, 2006, 09:36 PM
{QUOTE-> ink, i would check the settings, in "actions".. maybe you do not have spiderguard set to flag riskware.. by default, "riskware" is set to "ignore"..
i myself am new to dr.web, and i was just checking out the settings.. <-QUOTE}
Yes, I changed the default settings to report hack tools, otherwise it will not report.
Mongol
October 31st, 2006, 10:11 PM
{QUOTE-> ink, i would check the settings, in "actions".. maybe you do not have spiderguard set to flag riskware.. by default, "riskware" is set to "ignore"..
i myself am new to dr.web, and i was just checking out the settings.. <-QUOTE}
Firefighter posted some images as an example for configuration a while back. See post 67 at this link.
http://www.wilderssecurity.com/showthread.php?t=100841&page=3&highlight=drweb+4.33..8)
ink
October 31st, 2006, 11:22 PM
{QUOTE-> Firefighter posted some images as an example for configuration a while back. See post 67 at this link.
http://www.wilderssecurity.com/showthread.php?t=100841&page=3&highlight=drweb+4.33..8) <-QUOTE}
I fully understand the meaning of each configuration.
Infected objects should be report, if first cure,second should be report not move. Because most action need is delete not cure, and for the clean one, you can choose ignore, it is not convenient to restore.
Mongol
October 31st, 2006, 11:44 PM
{QUOTE-> I fully understand the meaning of each configuration.
Infected objects should be report, if first cure,second should be report not move. Because most action need is delete not cure, and for the clean one, you can choose ignore, it is not convenient to restore. <-QUOTE}
My post was for Redwolfe. He mentioned he was new to DrWEB and I thought the link may be a help to him...::) :)
bellgamin
November 1st, 2006, 12:51 AM
{QUOTE-> Firefighter posted some images as an example for configuration a while back. See post 67 at this link.
http://www.wilderssecurity.com/showthread.php?t=100841&page=3&highlight=drweb+4.33..8) <-QUOTE}
Good link. I had forgotten about this little jewel of FF's. Thanks for resurrecting it.
Mongol
November 1st, 2006, 01:35 AM
{QUOTE-> Good link. I had forgotten about this little jewel of FF's. Thanks for resurrecting it. <-QUOTE}
At my age I tend to do lots of resurrecting...::) :blink: ;D