Drweb enhanced protection

Discussion in 'other anti-virus software' started by ink, Oct 29, 2006.

Thread Status:
Not open for further replies.
  1. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    "By default, SpIDer Guard XP version operates in the enhanced protection mode. In this mode the guard immediately checks all files, the scanning of which is specified in the program's settings, and all other opened files are put on the queue for check (files opened for reading in the Smart and Create and write files modes). With the computer resources available, the guard will also check these files." (this is from the help file)

    But the default is disabled, so when you open a folder, if you don't run, it will not notify you whether there is malware. I am confused by the explanation above: what if the computer resources are not available?
     
  2. Serge Popov

    Serge Popov AV Expert

    Joined:
    Feb 10, 2006
    Posts:
    41
    "Enhanced Protection" is essentially a background scanner, which is activated when a computer is idle (i.e. "when the computer resources are available"). Basically, SpIDer Guard waits for disk activity to stay low for some time to start background tasks.
     
  3. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Thank you for your reply.

    1. When in smart mode, a file is opened for reading, it is not scanned when the computer is busy, am I right?

    2. When enhanced protection is disabled (the setup default setting), if you just browse the folder containing the malware, it will not notify you; if enabled, it will notify you a few minutes later, am I right?
     
  4. Serge Popov

    Serge Popov AV Expert

    Joined:
    Feb 10, 2006
    Posts:
    41
    "Enhanced" means that it enhances the default modes of operation in some way. Simply put, files that otherwise would not be scanned go to the background scanner. In "smart" mode SpIDer Guard scans files opened for reading in that way. It is quite impossible for a typical system to be busy for a long time, so after a short delay these files are scanned in the background.

    It is not intended to be a defence against "running" malware, because there is a delay as noted above. We are planning to add such a defence in the next release.

    If "enhanced protection" is disabled, SpIDer Guard operates as usual (in the selected mode). So, in "smart" mode it does not scan files in a folder if these files are not opened for writing.
     
  5. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Thanks, it is a little clearer now.
    But today I ran a piece of software to defend against ARP poisoning attacks; it ran and closed several times over a period. My computer is not busy, enhanced protection disabled, smart mode. Drweb at last reported once that it is a hack tool. So according to the explanation above, how did it happen? I think this programme should be scanned the first time it is run, but Drweb didn't report. After several runs, it notified once at last. Is it scanned in the background? I can't understand the behavior of the shield.
     
  6. Serge Popov

    Serge Popov AV Expert

    Joined:
    Feb 10, 2006
    Posts:
    41
    Check the log file for details. Note the two-letter sign in square brackets in front of file names at every line:

    • [CR] stands for "Create". File is being created or opened. SpIDer Guard operates in "RunAndOpen" mode, or "Smart" mode and file is on remote or removable volume.
    • [CL] stands for "Close". File is being closed. SpIDer Guard operates in "Smart" or "CreateAndWrite" modes.
    • [RN] stands for "Rename". File is being renamed with suspicious (executable) extension.
    • [PR] stands for "Process". This file is an executable image loaded in some process address space.
    • [BG] stands for "Background". Background scanner.
     
  7. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Thanks, it is scanned by the Process.
    30-10-2006 20:41:22 [PR] F:\Downloads\arp30sj\ARP - is a HackTool program Tool.Arp
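
The tag legend from post 6 applied to log lines like the one quoted in post 7, as an added example that is not part of the thread and not Dr.Web code. The line layout is an assumption inferred from that single quoted line; `parse_log`, `TRIGGERS`, `DEFERRED` and every sample line after the first are constructed for illustration.

```python
import re
from datetime import datetime

# Tag meanings as listed in post 6 of this thread.
TRIGGERS = {
    "CR": "Create: file is being created or opened",
    "CL": "Close: file is being closed",
    "RN": "Rename: renamed with an executable extension",
    "PR": "Process: executable image loaded in a process",
    "BG": "Background: background scanner",
}
DEFERRED = {"BG"}  # background scans start after a delay (post 4)

# Assumed layout, inferred from the one line quoted in post 7:
#   DD-MM-YYYY HH:MM:SS [TAG] <path> - <verdict>
# The greedy path group splits on the LAST " - ", so a path may contain " - ".
LINE_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \[([A-Z]{2})\] (.+) - (.+)$"
)

# First line is the one quoted in the thread; the rest are constructed input.
SAMPLE_LOG = r"""30-10-2006 20:41:22 [PR] F:\Downloads\arp30sj\ARP - is a HackTool program Tool.Arp
30-10-2006 20:52:03 [BG] C:\Temp\my - notes\tool.exe - is a HackTool program Tool.Example
30-10-2006 21:00:00 [ZZ] C:\Temp\x.bin - is a HackTool program Tool.Example
-- constructed line that is not a scan event --
"""

def parse_log(text):
    """Return (events, skipped): classified detections and unclassified lines."""
    events, skipped = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) not in TRIGGERS:
            if line.strip():
                skipped.append(line)  # unknown tag or layout: do not guess
            continue
        ts, tag, path, verdict = m.groups()
        events.append({"time": datetime.strptime(ts, "%d-%m-%Y %H:%M:%S"),
                       "tag": tag, "trigger": TRIGGERS[tag],
                       "deferred": tag in DEFERRED, "path": path, "verdict": verdict})
    return events, skipped

if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    for e in events:
        when = "deferred" if e["deferred"] else "immediate"
        print(f'{e["time"]:%Y-%m-%d %H:%M:%S} [{e["tag"]}] {when}: {e["path"]} ({e["verdict"]})')
    print(f"{len(skipped)} line(s) left unclassified")
```

Grouping detections by tag this way shows whether a file was caught by an immediate trigger such as [PR] or only later by the background scanner.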
     
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    ink, i would check the settings, in "actions".. maybe you do not have spiderguard set to flag riskware.. by default, "riskware" is set to "ignore"..

    i myself am new to dr.web, and i was just checking out the settings..
     
  9. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    Yes, I changed the default settings to report hack tools; otherwise it will not report.
     
  10. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Firefighter posted some images as an example for configuration a while back. See post 67 at this link.
    https://www.wilderssecurity.com/showthread.php?t=100841&page=3&highlight=drweb 4.33..:cool:
     
  11. ink

    ink Registered Member

    Joined:
    May 20, 2006
    Posts:
    185
    I fully understand the meaning of each configuration.
    Infected objects should be report; if first is cure, second should be report, not move. Because most action needed is delete, not cure, and for the clean one you can choose ignore; it is not convenient to restore.
     
  12. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    My post was for Redwolfe. He mentioned he was new to DrWEB and I thought the link may be a help to him...:rolleyes: :)
     
  13. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
  14. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    At my age I tend to do lots of resurrecting...:rolleyes: :blink: :D
     