Operating Principles


By default, the component starts automatically when Dr.Web for UNIX starts. Once running, it organizes its data according to the structure described in the Dr.Web MIB and waits for data requests from external SNMP managers. The component receives information on the status of the product components and notifications about detected threats directly from the configuration daemon Dr.Web ConfigD, as shown in the figure below.

Figure 1. Diagram of the components’ operation

In this scheme, the following notations are used (the corresponding symbols are shown in the figure):

— Dr.Web for UNIX as a whole, and external Dr.Web applications together with systems that are not included in the solution.

— Programs and products external to Dr.Web for UNIX that are used to integrate with it.

— Components that are included in the Dr.Web for UNIX engine. Other product components use the engine as a service that performs anti-virus checks.

— Service components designed to perform particular anti-virus protection functions (for example, scanning file system objects, updating virus databases, managing the operation of the product).

— Components that provide the user with the interface to Dr.Web for UNIX.

— Quarantine as a set of file system directories that store isolated malicious files.

Components marked with a dashed line can be missing depending on the distribution.

Threats are detected by the scanning engine during scans initiated by Dr.Web for UNIX components; for this reason the scheme contains an abstract “client scanning module” rather than any specific component. On threat detection, the counter for that threat type is incremented by one, and every SNMP manager that is able to receive notifications gets an SNMP trap reporting the detected threat.

Integration with the System SNMP Agent

If the main system SNMP agent snmpd (net-snmp) already operates on the server, Dr.Web SNMP agent can work alongside it only if snmpd forwards SNMP requests for the Dr.Web MIB branch to Dr.Web SNMPD. To configure this, edit the snmpd configuration file (on Linux it is usually /etc/snmp/snmpd.conf) and add the following line to it:

proxy -v <version> -c <community> <host>:<port> <MIB branch>

Where:

<version> — SNMP version in use (2c or 3).

<community> — the “community string” used by Dr.Web SNMPD.

<host>:<port> — the address on which Dr.Web SNMPD is listening.

<MIB branch> — OID of the MIB branch containing the definitions of the variables and SNMP notifications (traps) used by Dr.Web (the OID is .1.3.6.1.4.1.29690).

If you are using the default settings of Dr.Web SNMP agent, then the added line should look like this:

proxy -v 2c -c public localhost:50000 .1.3.6.1.4.1.29690

Note that because port 161 is used by the system’s standard snmpd in this case, a different port must be specified for Dr.Web SNMPD in the ListenAddress parameter (50000 in this example). Requests for other OIDs are still answered by snmpd itself; only the Dr.Web branch is proxied.
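The following shell script is an added example, not part of the Dr.Web documentation or the product itself. It builds the snmpd proxy line from the four parameters described above, rejects the two mistakes the page warns about (an unsupported SNMP version and reusing port 161, which the system snmpd already occupies), and appends the line to an snmpd.conf-style file only if the Dr.Web branch is not already being forwarded, so the script can be re-run safely. The function names (build_proxy_line, has_drweb_proxy, ensure_drweb_proxy) are assumptions of this example; the OID and the default values (2c, public, localhost:50000) are taken from the page.

```shell
#!/bin/sh
# Added example (not from the Dr.Web documentation): generate and sanity-check
# the snmpd "proxy" line that forwards the Dr.Web MIB branch to Dr.Web SNMPD.

# Dr.Web enterprise OID as given in the documentation.
DRWEB_OID=".1.3.6.1.4.1.29690"

# build_proxy_line VERSION COMMUNITY HOST PORT
# Prints the snmpd.conf line on stdout; returns 1 on an invalid argument.
build_proxy_line() {
    version="$1"; community="$2"; host="$3"; port="$4"

    # snmpd proxies with the version Dr.Web SNMPD actually speaks.
    case "$version" in
        2c|3) ;;
        *) echo "unsupported SNMP version: $version" >&2; return 1 ;;
    esac

    # Port must be numeric and must not collide with the system snmpd.
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -eq 161 ]; then
        echo "port 161 belongs to the system snmpd; set another port in ListenAddress" >&2
        return 1
    fi

    [ -n "$community" ] || { echo "empty community string" >&2; return 1; }
    [ -n "$host" ]      || { echo "empty host" >&2; return 1; }

    printf 'proxy -v %s -c %s %s:%s %s\n' \
        "$version" "$community" "$host" "$port" "$DRWEB_OID"
}

# has_drweb_proxy FILE
# Succeeds if FILE already contains a proxy line for the Dr.Web branch.
has_drweb_proxy() {
    grep -E '^[[:space:]]*proxy[[:space:]]' "$1" 2>/dev/null \
        | grep -Fq -- "$DRWEB_OID"
}

# ensure_drweb_proxy FILE VERSION COMMUNITY HOST PORT
# Appends the proxy line to FILE unless the branch is already forwarded.
ensure_drweb_proxy() {
    file="$1"; shift
    if has_drweb_proxy "$file"; then
        echo "$file already forwards $DRWEB_OID" >&2
        return 0
    fi
    line=$(build_proxy_line "$@") || return 1
    printf '%s\n' "$line" >> "$file"
}

# Usage with the documentation's default values (constructed scratch file):
#   ensure_drweb_proxy /tmp/snmpd.conf.example 2c public localhost 50000
```

After the line has been added, snmpd has to be restarted for it to take effect; the script deliberately does not do that, since restarting the system agent is a change an administrator should make explicitly.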