On the Preventive Protection tab, you can configure Dr.Web reaction to actions of other programs that can compromise workstation security. Also, you can select a level of protection against exploits.
At that, you can configure a separate protection mode for particular applications or configure a general mode whose settings will be applied to all other processes.
Block WSL
Set the Block WSL flag to block Windows Subsystem for Linux on stations with Dr.Web Agent installed.
|
The option is relevant for Windows 10 only. |
Exploit Prevention
In the Exploit prevention section, you can configure the blocking of malicious programs that use vulnerabilities of well-known applications. From the corresponding drop-down list, select the required level of protection.
Protection level |
Description |
|---|---|
Prevent unauthorized code from running |
If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be blocked automatically. |
Interactive learning mode |
If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, Dr.Web will display an appropriate message. Read the information and select a suitable action. |
Allow unauthorized code to be executed |
If an attempt of a malicious object to exploit software vulnerabilities to get access to critical regions of the operating system is detected, it will be allowed automatically. |
Level of Suspicious Activity Blocking
In the Level of suspicious activity blocking section, you can configure a general protection mode whose settings will be applied to all processes if the personal mode from the section below is not specified. You can also protect user data from unwanted changes.
Select one of protection levels that anti-virus provides:
•Paranoid—maximal protection level when you need total control of access to critical Windows OS objects.
|
Using this mode may lead to compatibility problems with legitimate software that uses the protected registry branches. |
•Medium—protection level at high risk of computer getting infected. In this mode, the access to the critical objects that can be potentially used by malicious software is additionally blocked.
•Optimal—protection level that disables automatic changes of system objects, modification of which explicitly signifies a malicious attempt to damage the operating system.
•User-defined—protection level that is set by a user (the Server administrator) and based on settings specified in the table below.
To specify custom settings of preventive protection level, set the flags in the table of this section to one of the following positions:
a)Allow—always allow actions with this object or from this object.
b)Ask—prompt the dialog box for setting necessary action by the user for the specific object.
c)Block—always deny actions with this object or from this object.
If you change table settings when one of the preinstalled levels in the Level of suspicious activity blocking section is set, it automatically changes to User-defined.
You can create several independent user-defined profiles.
To add a new user-defined profile, click 
. In the opened window, specify the name of a new profile and click Save.
To delete user-defined profile that you had created, select it in the Level of suspicious activity blocking list and click 
. You are not allowed to delete predefined profiles.
Preventive protection settings allow to monitor the following objects:
•Integrity of running applications—detect processes that inject their code into running applications that may compromise computer security. Processes that are added to the exclusion list of the SpIDer Guard component are not monitored.
•Integrity of users files—detect processes that modify user files with the known algorithm which indicates that the process may compromise computer security. Processes that are added to the exclusion list of the SpIDer Guard component are not monitored. To protect your data from unauthorized modifications, it is recommended that you set the creation of protected copies for important files.
•HOSTS file—the operating system uses this file for simplifying access to the Internet. Changes to this file may indicate virus infection or other malicious program.
•Low level disk access—block applications from writing on disks by sectors avoiding the file system.
•Drivers loading—block applications from loading new or unknown drivers.
Other options control access to critical Windows OS objects and allow protection of the following registry branches from modification (in the system profile as well as in all user profiles).
Protected registry branches
Option |
Registry branch |
|---|---|
Image File Execution Options |
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
User Drivers |
Software\Microsoft\Windows NT\CurrentVersion\Drivers32 Software\Microsoft\Windows NT\CurrentVersion\Userinstallable.drivers |
Winlogon parameters |
Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit, Shell, UIHost, System, Taskman, GinaDLL |
Winlogon notifiers |
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify |
Windows shell autorun |
Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs, LoadAppInit_DLLs, Load, Run, IconServiceLib |
Executable files associations |
Software\Classes\.exe, .pif, .com, .bat, .cmd, .scr, .lnk (keys) Software\Classes\exefile, piffile, comfile, batfile, cmdfile, scrfile, lnkfile (keys) |
Software Restriction Policies |
Software\Policies\Microsoft\Windows\Safer |
Internet Explorer plug-ins (BHO) |
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects |
Program autorun |
Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\RunOnce Software\Microsoft\Windows\CurrentVersion\RunOnceEx Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup Software\Microsoft\Windows\CurrentVersion\RunOnceEx\Setup Software\Microsoft\Windows\CurrentVersion\RunServices Software\Microsoft\Windows\CurrentVersion\RunServicesOnce |
Policy autorun |
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
Safe mode configuration |
SYSTEM\ControlSetXXX\Control\SafeBoot\Minimal SYSTEM\ControlSetXXX\Control\SafeBoot\Network |
Session Manager parameters |
System\ControlSetXXX\Control\Session Manager\SubSystems, Windows |
System services |
System\CurrentControlXXX\Services |
|
If any problems occur during installation of important Microsoft updates or installation and operation of programs (including defragmentation programs), disable the corresponding options in this group. |
In the List of applications with personal parameters of access to the protected objects section, you can configure the separate protection mode for particular applications. To all other processes, the settings specified in the section above will be applied.
To Edit a Rule
1.To add one more rule, click .
a)To configure the added rule, click 
next to this rule.
b)In the opened window, specify the path to the application executable file on a protected workstation.
c)Look through default settings and, if necessary, edit them.
d)Click Save.
2.To edit an existing rule, click to the necessary rule and perform the steps from the units 1.a) - 1.d).
3.To delete an existing rule, click next to the necessary rule.