
Drweb Cureit Manual en Free


© 2003-2011 Doctor Web. All rights reserved.

Dr.Web® CureIt!®
Version 6.0.0
User Manual
16.12.2011

Doctor Web Head Office
2-12A, 3rd str. Yamskogo polya
Moscow, Russia
125124

Web site: www.drweb.com
Phone: +7 (495) 789-45-87

Refer to the official web site for regional and international office information.

This document is the property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any purpose other than the purchaser's personal use without proper attribution.

TRADEMARKS
Dr.Web, the Dr.WEB logos, SpIDer Mail, SpIDer Guard, CureIt!, CureNet!, and AV-desk are trademarks and registered trademarks of Doctor Web in Russia and/or other countries. Other trademarks, registered trademarks and company names used in this document are property of their respective owners.

DISCLAIMER
In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document, the use of or inability to use information contained in this document.


Doctor Web

We thank all our customers for their support and devotion to the Dr.Web products!

Doctor Web develops and distributes Dr.Web® information security solutions which provide efficient protection from malicious software and spam.

Doctor Web customers can be found among home users from all over the world and in government enterprises, small companies and nationwide corporations.

Dr.Web antivirus solutions are well known since 1992 for continuing excellence in malware detection and compliance with international information security standards. State certificates and awards received by the Dr.Web solutions, as well as the globally widespread use of our products are the best evidence of exceptional trust to the company products.


Table of Contents

Document Conventions
Dr.Web® CureIt!®
  Enhanced Protection Mode
  Dr.Web CureIt! Update
  Dr.Web Products
  Sending Statistics
  Testing Anti-virus
Anti-virus Scans
  Actions Upon Detection
  Scan Tab
  Statistics Tab
  Detection Methods
Scanner Settings
  Scanning Tab
  File Types Tab
  Actions Tab
  Advanced Cure Settings
  Log File Tab
  General Tab
Command Line Parameters
  Command Line Switches


Document Conventions

This guide utilizes the following content conventions and signs (see Table 1).

Table 1. Document Conventions and Signs

Convention | Description
Bold | Names of buttons and other elements of the graphical user interface (GUI), and required user input that must be entered exactly as given in the guide.
Green and bold | Names of Doctor Web products and components.
Green and underlined | Hyperlinks to topics and web pages.
Monospace | Code examples, input to the command line and application output.
Italic | Placeholders which represent information that must be supplied by the user. For command-line input, it indicates parameter values. In addition, it may indicate a term in position of a definition.
CAPITAL LETTERS | Names of keys and key sequences.
Plus sign ('+') | Indicates a combination of keys. For example, ALT+F1 means to hold down the ALT key while pressing the F1 key.
Exclamation mark | A warning about potential errors or any other important comment.


Dr.Web® CureIt!®

Dr.Web® CureIt!® is an anti-virus scanner based on the standard Dr.Web Scanner for Windows. Although Dr.Web CureIt! has limited performance capabilities in comparison with Dr.Web anti-virus for Windows (no resident monitor, no command line scanner, no updating utility etc.), it is nevertheless able to effectively scan the system and perform necessary actions for detected threats.

You can use Dr.Web CureIt! free of charge to scan your personal computer. For any commercial use of Dr.Web CureIt!, however, a license is required. For details on licensing and purchasing the product, visit the Dr.Web CureIt! official website.

Dr.Web CureIt! detects and neutralizes the following types of malicious programs:

Worms

Viruses

Trojans

Rootkits

Spyware

Dialers

Adware

Hacktools

Jokes

Riskware

Dr.Web CureIt! is the ideal solution for situations when installation of an anti-virus is impossible due to virus activity or some other reason, because it does not require installation, operates under Microsoft® Windows® and Microsoft® Windows Server® operating systems for 32 or 64-bit platforms (from Microsoft Windows 2000 to Microsoft Windows 7) and is constantly supplemented with the latest virus databases to ensure its effectiveness against all virus threats and other malicious programs. It also automatically detects the language used by your operating system. If your language is not supported, then Dr.Web CureIt! will use English by default.

Dr.Web CureIt! sends general information on your computer and its state of information security to Doctor Web. When using Dr.Web CureIt! (Commerce Edition), statistics gathering is optional.

To use Dr.Web CureIt! (Free Edition), you must run the program with administrative privileges and have a connection to the Internet.

Enhanced Protection Mode

This mode helps you detect and remove malicious programs that block access to the Windows operating system (Windows blockers such as Trojan.Winlock). Usually, such blocking is achieved by covering the entire Windows Desktop with a pop-up window, which makes standard anti-virus tools inaccessible.

Dr.Web CureIt! runs on a separate protected desktop that cannot be blocked or covered. In this enhanced protection mode, all anti-virus windows are displayed above windows on the Windows Desktop, including those of malicious programs.

After starting Dr.Web CureIt!, click OK to continue running in enhanced protection mode. In this case, all scanning and curing actions will be carried out via the protected desktop and other functions of the operating system will be inaccessible until the scan completes. If access to the operating system is not complicated by Windows blockers, you can click Cancel to switch to standard mode and continue working on your computer during the anti-virus scan.

Once you select to operate in enhanced protection mode, you cannot switch to standard mode until scanning completes.


Figure 1. Enhanced Protection Mode

Dr.Web CureIt! Update

Dr.Web CureIt! does not include an updating module, therefore it remains fully efficient only until the next database update (which occurs approximately every hour). After that, to ensure the ultimate anti-virus operation efficiency, the latest version of Dr.Web CureIt! should be downloaded again.

The latest Dr.Web CureIt! version is always available for download from the Dr.Web CureIt! official Web site. Once you download the program, it acts as a very effective scanner with the latest databases and the most advanced virus detection engine.


To download the latest Dr.Web CureIt!

1. Start Dr.Web CureIt! in standard mode. This feature is not available when running in enhanced mode.

2. In the first window, click Update.

This opens the Dr.Web CureIt! official website with the default Internet browser, where you can download the latest version of Dr.Web CureIt!.

Figure 2. First window


Dr.Web Products

You can download the latest version of the full Dr.Web Anti-virus for Windows using Dr.Web CureIt!. Demo licenses allow you to use the anti-virus for one month free of charge.

Figure 3. Last window

On the Doctor Web official Web sites you can also read the development history of Dr.Web CureIt! and learn about other Dr.Web solutions for continuous protection of your computers.

Sending Statistics

In order to provide analysis of information security threats and the overall viral situation around the globe, as well as to ensure continuous development and improvement of Dr.Web products, Dr.Web CureIt! collects and sends to Doctor Web impersonal statistics while it scans and cures your system. These statistics contain only the following general information:


CPU details including processor name, technical description, current and maximum speed, number of processor cores, and number of logical processors.

RAM details including amount of physical and virtual memory, both total and available at scanning.

Operating system parameters including its name, version, build number, installed service packs, operation mode, type of account (user or administrative), and locale settings.

Information on installed anti-virus, anti-spy, and firewall software.

Information on each detected threat including its name and type, the name and type of infected object, and hash of the infected file when necessary.

Scan summary including scanning time, number of scanned files and objects, number of suspicious objects, and number of detected threats per type.

Summary on applied actions including number of unmodified objects as well as number of cured, deleted, moved, renamed, and ignored objects.

The privacy statement from Doctor Web is available on the official website at http://company.drweb.com/policy/.


Testing Anti-virus

The EICAR (European Institute for Computer Anti-Virus Research) Test File helps test the performance of anti-virus programs that detect viruses using signatures.

For this purpose, most of the anti-virus software vendors generally use a standard test.com program. This program was designed specially so that users could test the reaction of newly-installed anti-virus tools to detection of viruses without compromising the security of their computers. Although the test.com program is not actually a virus, it is treated by the majority of anti-viruses as if it were a virus. On detection of this "virus", Dr.Web® CureIt!® reports the following: EICAR Test File (Not a Virus!). Other anti-virus tools alert users in a similar way.

The test.com program is a 68-byte COM-file that prints the following line on the console when executed: EICAR-STANDARD-ANTIVIRUS-TEST-FILE!

The test.com file contains the following character string only:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

To create your own test file with the "virus", you may create a new file with this line and save it as test.com.


Anti-virus Scans

The license agreement of Dr.Web Anti-virus for Windows also allows you to check e-mail messages. The Dr.Web CureIt! license agreement does not allow e-mail checks.

Dr.Web CureIt! sends general information on your computer and its state of information security to Doctor Web. When using Dr.Web CureIt! (Commerce Edition), this statistics gathering is optional.

As soon as Dr.Web CureIt! starts with default settings, it scans RAM and Windows startup objects for viruses. Other objects of the file system are scanned on your demand using Dr.Web Scanner.

Dr.Web Scanner performs anti-virus scanning of files, archives of all common types (Zip, Arj, Lha, Rar etc), and file containers (PowerPoint, RTF etc). The scanning is performed using all detection methods. During scanning, executable files processed with special compression utilities are unpacked. When an object infected with a known virus is detected, Dr.Web Scanner attempts to cure it. If curing fails, the infected object will be moved to the quarantine. Suspicious files are displayed in the special report field in the bottom part of the main window.

Dr.Web CureIt! does not scan archives by default. To enable this feature, run the program with the /AR command line parameter.

To start an anti-virus scan

1. Start Dr.Web CureIt!.

2. In the first window, click Start. This starts Dr.Web Scanner.

3. By default, Dr.Web Scanner performs express scan. To manage the scanning process, use the following options:


To scan the objects selected, click Start in the right part of the tab

To suspend scanning, click Pause. To continue with the check, click Start again

To terminate scanning, click Stop

Hot keys:

F1 – Help

F3 – Main window, the Scan tab

F4 – Main window, the Statistics tab

F5 – the Scan path and mask window

F7 – Scan RAM and startup objects

F9 – Dr.Web Scanner settings tabs

F10 – Switch to the main menu

Ctrl+F5 – Begin scanning

Ctrl+F6 – Stop scanning

Ctrl+F2 – Clear report list

Alt+X – Exit

4. If necessary, stop the quick scan and on the Scan tab of the main Dr.Web Scanner window, select one of the following scanning modes:

Express scan

Complete scan

Custom scan

5. Scan results display in the bottom part of the tab and on the Statistics tab.

Scan Modes

Express Scan

In this mode the following objects are scanned:

Random access memory

Boot sectors of all disks

Startup objects


Boot disk root folder

Root directory of Windows installation disk

Windows system folder

User documents folder ("My documents")

System temporary files

User temporary files

Figure 4. Scanner main window. Anti-virus check of a file system

Complete Scan

In this mode all hard drives and removable media (including boot sectors of all disks) are scanned.

Custom Scan

This mode allows you to select folders and files to be scanned.

When this mode is selected, the file system tree appears in the center of the Scan tab. If necessary, you can expand the tree objects down to the level of any folder or file included.


Select objects to be scanned in the file system tree. Boot sectors of all disks will be checked along with the selected objects.

The picture below illustrates a case when in the Custom mode the C logical disk and a folder on the D logical disk are selected for scanning (their icons are marked with red dots).

Actions Upon Detection

When an object infected with a known virus is detected, Dr.Web Scanner attempts to cure it. If curing fails, the infected object will be moved to the quarantine. Suspicious files are displayed in the special report field in the bottom part of the main window.

Figure 5. Scanner main window. Detected threats

The table of the report list includes the data on infected or suspicious objects detected during the scanning, and the actions made by the program. If these objects are detected in file containers, the table lists these infected objects and the containers containing them.

The Object table column lists names of an infected file or a boot sector.

The Path table column contains the path to the infected object.

The Status table column lists the name of a virus (for files and boot sectors), or information on the infected archive.

The Action table column contains information on the actions made (curing, deletion, renaming, removing of an object).

If an infected or suspicious file used by another 32-bit Windows application is found, the action specified by you cannot be applied immediately. The string "Will be cured after reboot" or "Will be deleted after reboot", depending on the action specified, will appear in the Action column of the Dr.Web Scanner report field. The necessary action will actually be taken after the next reboot. That is why, if such objects are found, it is recommended to reboot the system immediately after the scanning.

You can set the program to remove a detected virus threat listed in the report by right-clicking the line of the report list with the description of the infected object. To select objects in the report list, the following keys and combinations of keys are additionally used:

INSERT – select an object and move the cursor to the next position

CTRL+A – select all

the * button on the numeric keyboard – invert selection

To perform an action, right-click an object and select the action to perform, or select an object and click the corresponding button below the report field:

To restore the state of the object before infection, select or click Cure. (This action is available for known viruses only and is not always available.)


To delete the infected object, select or click Delete.

To change the extension of a filename specified by program settings, select or click Rename.

To move an infected file to a special directory (quarantine), select or click Move. The path to quarantine is specified by program settings.

If the Cure option is selected, an additional context menu will open. Select the action the program should take if the curing fails.

For archives, the only action available is Delete. Note that when Dr.Web Scanner detects a malicious object within an archive (container), it performs the action you select for the whole archive (container). By default, when the Delete action is selected, Dr.Web Scanner displays a warning message that data might be lost.

For boot sectors, the only action available is Cure.

Different windows, settings and actions can also be accessed with hot keys.

Scan Tab

In this window, you can select a scanning mode (in the Scan tab) and see the results of the operation of the Dr.Web Scanner (in the Statistics tab).

Depending on the selected mode, either a list of objects to scan or a file system tree is displayed in the center of the window.

At the bottom of the window there is a table where information on infected and suspicious objects and program's actions is displayed.

Different windows, settings and actions can also be accessed with hot keys.


Figure 6. Scanner main window. Scan tab

Statistics Tab

The statistics tab shows the total information on Dr.Web Scanner operations, which include the total number of objects scanned, the number of objects infected with known viruses or modifications of known viruses, the number of suspicious objects, and also the actions carried out by the program over infected or suspicious objects.


Figure 7. Scanner main window. Statistics tab

You can also receive statistics for any logical disk of the computer. To display the statistics, select a disk in the drop-down list on top of the tab.

To clear the report list, click Clear.

Different windows, settings and actions can also be accessed with hot keys.

Detection Methods

The Dr.Web anti-virus solutions use several malicious software detection methods simultaneously, and that allows them to perform thorough checks on suspicious files and control software behaviour:

1. The scans begin with signature analysis, which is performed by comparison of file code segments to the known virus signatures. A signature is a finite continuous sequence of bytes which is necessary and sufficient to identify a specific virus. To reduce the size of the signature dictionary, the Dr.Web anti-virus solutions use signature checksums instead of using complete signature sequences. Checksums uniquely identify signatures, which preserves correctness of virus detection and neutralization. The Dr.Web virus databases are composed so that some entries can be used to detect not just specific viruses, but whole classes of threats.

2. On completion of signature analysis, the Dr.Web anti-virus solutions use the unique Origins Tracing™ method to detect new and modified viruses which use the known infection mechanisms. Thus the Dr.Web users are protected against such viruses as the notorious blackmailer Trojan.Encoder.18 (also known as gpcode). In addition to detection of new and modified viruses, the Origins Tracing™ mechanism has made it possible to considerably reduce the number of false triggerings of the Dr.Web heuristics analyser.

3. The detection method used by the heuristics analyser is based on certain knowledge about attributes that characterize malicious code. Each attribute or characteristic has a weight coefficient which determines the level of its severity and reliability. Depending on the sum weight of a file, the heuristics analyser calculates the probability of unknown virus infection. As any system of hypothesis testing under uncertainty, the heuristics analyser may commit type I or type II errors (omit viruses or raise false alarms).

While performing any of the abovementioned checks, the Dr.Web anti-virus solutions use the most recent information about known malicious software. As soon as experts of Doctor Web Virus Laboratory discover new threats, the update for virus signatures, behaviour characteristics and attributes is issued. In some cases updates can be issued several times per hour. Therefore even if a brand new virus passes through the Dr.Web resident guards and penetrates the system, then after update the virus is detected in the list of processes and neutralized.
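The following is an added illustration of steps 1 and 3 above, not code from Doctor Web: a scanner whose database stores only signature lengths and checksums, followed by a weighted-attribute heuristic score. CRC32, the attribute names, weights, threshold and sample buffers are assumptions constructed for the example; Origins Tracing is proprietary and is not modelled.

```python
import math
import zlib
from collections import Counter

# --- Step 1: signature analysis with checksums ------------------------------
# CRC32 is a stand-in: the manual does not name the checksum Dr.Web uses.
# The test string from this manual is split in two so that this source file
# does not itself contain the contiguous 68-byte sequence.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def make_entry(name, signature):
    """Database entry holding only the signature's length and checksum."""
    return {"name": name, "length": len(signature), "crc": zlib.crc32(signature)}


DATABASE = [make_entry("EICAR Test File (Not a Virus!)", EICAR)]


def signature_scan(data, database=DATABASE):
    """Names of entries whose checksum matches a same-length window of data."""
    hits = []
    for entry in database:
        n = entry["length"]
        for offset in range(len(data) - n + 1):   # empty range if data is shorter
            if zlib.crc32(data[offset:offset + n]) == entry["crc"]:
                hits.append(entry["name"])
                break
    return hits


# --- Step 3: heuristic analysis with weighted attributes --------------------
def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


# (attribute, weight, test). All three rows are constructed for this example.
ATTRIBUTES = [
    ("high entropy (packed or encrypted body)", 40, lambda d: entropy(d) > 7.0),
    ("references the Run autostart key", 35, lambda d: b"CurrentVersion\\Run" in d),
    ("references the DisableTaskMgr policy", 30, lambda d: b"DisableTaskMgr" in d),
]


def heuristic_score(data):
    """Return (sum of matched weights, list of matched attribute names)."""
    matched = [(name, weight) for name, weight, test in ATTRIBUTES if test(data)]
    return sum(w for _, w in matched), [n for n, _ in matched]


def classify(data, threshold=70):
    """Signature check first, heuristics second, in the order the manual gives."""
    hits = signature_scan(data)
    if hits:
        return "infected: " + hits[0]
    score, _ = heuristic_score(data)
    return "suspicious" if score >= threshold else "clean"


# Constructed sample buffers; neither contains real malware bytes.
RUN_KEY = b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
PACKED_INSTALLER = bytes(range(256)) * 4 + RUN_KEY   # benign by construction
PLAIN_BLOCKER = b"A" * 200 + b"DisableTaskMgr"       # stands in for an unknown threat

if __name__ == "__main__":
    print(classify(b"header" + EICAR))          # found by checksum
    print(classify(PACKED_INSTALLER))           # score 75: a false alarm
    print(classify(PLAIN_BLOCKER))              # score 30: a miss at threshold 70
    print(classify(PLAIN_BLOCKER, threshold=30))  # caught once the threshold drops
```

Lowering the threshold far enough to catch PLAIN_BLOCKER keeps PACKED_INSTALLER flagged as well, which is the trade-off between omitted viruses and false alarms that step 3 describes.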


Scanner Settings

The program default settings are optimal for most cases. Do not needlessly modify these settings.

To change the settings of the program

1. In the program main menu, select Options, then select Change settings. The settings window with several tabs will open.

2. Modify options and, if necessary, click Apply.

3. After editing settings, click OK to save the changes made, or click Cancel to close the window without saving the changes.

4. To get information on the settings, click Help.

Changes in the settings of Dr.Web Scanner within Dr.Web CureIt! are retained only in the current program session. New session resets program settings to default values.

Scanning Tab

In the tab you can select files and folders to be excluded from scanning.

Location of excluded folders

Here you can create a list of folders (for example, the Quarantine folder, program files folders) excluded from scanning.

To create a list of excluded folders

Enter a path to the folder you do not want to be scanned. You can also click Browse and select the necessary object.

Click Add. The folder will be added to the list.

To remove a folder from the list, select it and click Remove.

Figure 8. Settings. Scan tab

Excluded files

Here you can create a list of files (file masks) to be excluded from scanning. If a mask is specified, all files the names of which match the mask will be excluded from scanning (this option is appropriate for temporary files, swap files, etc).

To create a list of excluded files

Enter a file name or a mask to be excluded from scanning. You can also click Browse and select a file. The * and ? symbols can be used instead of a part of a file name. The * symbol is used instead of any symbol combination; the ? symbol is used instead of only one (any) symbol.

Click Add. The file mask will be added to the list.

To remove an object from the list, select it and click Remove.


In case you want to exclude a definite file from scanning, add the path to this file (you can use Browse) and its name (specify the file name manually) to the list of Excluded paths.

On this tab you can also enable or disable the heuristic analyzer, which helps to detect suspicious objects that can be infected with unknown viruses. By default, this option is enabled. It is not recommended to disable the option.

File Types Tab

On this tab you can configure additional restrictions for the files to be scanned according to the scan mode, and determine if archives and mail are included in the scanning.

The files are selected for scanning in the Scan mode radio buttons area.

The All files option provides for maximum protection. This option is selected by default.

The Selected types and the User masks options instruct to check only those files, the extensions or names of which fall within the list specified in the right part of the tab. By default, the list includes the extensions of main file types, which can be virus carriers, and of the main types of file archives. The list can be edited.

Scanning of emails is not allowed by Dr.Web CureIt! license agreement. Use Dr.Web anti-virus for Windows to check emails.


Figure 9. Settings. File types tab

Actions Tab

On this tab you can set program reactions on detection of infected or suspicious files, malicious programs and infected archives.

For different types of infected objects, actions are assigned separately from respective drop-down lists:

Objects infected with known and (supposedly) curable viruses

Objects infected with incurable viruses

Supposedly infected (suspicious) objects

Reaction on detection of malicious software and infected packages (archives, email, containers) is also set separately.

By default, Dr.Web Scanner just informs the user when there is a suspicion an object is infected with a virus. The data for all infected or suspicious objects are displayed in the report list, in which you can manually specify the necessary program's action. If an object infected with a known virus is detected, Dr.Web Scanner by default attempts to cure it. If curing fails, the action specified for incurable objects will be applied (by default it will be moved).

Figure 10. Settings. Actions tab

Apart from reporting, there are other actions available:

Cure (available for Infected objects only) – instructs the Dr.Web Scanner to try to cure objects infected with a known virus. If the virus is incurable, or the attempt of curing failed, the action set for incurable viruses will be applied.

Delete – instructs the Dr.Web Scanner to delete infected or suspicious files (no action will be taken to boot sectors).

Rename – instructs the Dr.Web Scanner to rename the extension of an infected or suspicious file according to the mask specified in the Rename extension field (by default, it is renamed to #??, i.e. the first symbol in the extension is replaced with #).

Move to – instructs the Dr.Web Scanner to move infected or suspicious files to the quarantine folder specified in the Move path field (by default, the Quarantine subdirectory which is located in %USERPROFILE%\DoctorWeb\).

Ignore – (enabled for malicious programs only) instructs the Dr.Web Scanner not to display information in the report window.


Advanced Cure Settings

To cure some infected files, a system reboot is required. In this window you can adjust additional reboot settings.

Figure 11. Advanced Settings

If you select the Restart automatically, if necessary option button then the Dr.Web CureIt! will reboot Windows automatically, without prompting the user.

During a system reboot all unsaved data will be lost. It is recommended to close all running applications before attempting to cure if the Restart automatically, if necessary option button is selected.

By default, the Do not restart automatically option and the Prompt restart, when necessary options are selected. In this case, Dr.Web Scanner prompts you to confirm reboot whenever necessary.

If you clear the Prompt restart, when necessary checkbox, Dr.Web CureIt! will not reboot Windows. In this case, it may become impossible to correctly cure some infected files.


Log File Tab

On this tab you can configure logging options.

Figure 12. Settings. Log file tab

By default, the Log to file check box is selected.

By default, the CureIt.log log file is located in %USERPROFILE%\DoctorWeb\.

You can specify the name and the location of the log file, text encoding, the log mode (to add new entries to the end of the log file or to overwrite the file in the beginning of each session), and the level of detail of the log. You can also specify whether the size of the log file should be limited or not, and specify the maximum size.


General Tab

On this tab you can configure interaction between Dr.Web CureIt! and the operating system and set sound alerts for different events.

Figure 13. Settings. General tab

The Autosave settings box is not available in Dr.Web CureIt!.

The Check the battery state checkbox, when enabled, instructs the program to check before scanning starts whether your computer is running on battery. This option is available on portable computers only.

The Scan priority slider allows you to modify the priority of the scan process in a system.

Sound alerts on virus events are not allowed by the Dr.Web CureIt! license agreement and are only available when using Dr.Web Anti-virus for Windows.


Command Line Parameters

You can run Dr.Web CureIt! with additional parameters. Objects to be scanned and command line switches can be specified as command line parameters. Command line switches are used to define additional parameters when launching a program.

Syntax:

[path][CureIt!-filename] [switches][scan_objects_list]

If a parameter contains a blank space, you have to put quotation marks around it. For example:

636frs47.exe /tm-

45hlke49.exe /tm- /ts- d:\test\

10sfr56g.exe /OK- "d:\Program Files\"

Command line switches start with the forward slash mark ("/") and are separated by blanks.

The list of objects to be scanned can be left empty or contain several paths separated by blanks. If no path to the objects is specified, Dr.Web Scanner searches for the objects in the Dr.Web CureIt! directory.

Below are a few most commonly used ways of specifying path to objects which should be scanned:

* - scan all files on all disks

C: - scan all files on disk C

D:\Games - scan all files in the specified folder

C:\games\* – scan all files and subfolders in the specified folder

Command Line Switches

/? – display short help on the program and launch scanning.


/@<file_name> or /@+<file_name> instructs to scan objectslisted in the specified file. Each object is specified in a separate lineof the list-file. It can be either a full path with the file name or the ?boot string which means that scanning of boot sectors should beperformed. The file names with mask and directory names should bespecified there. The list-file can be prepared manually in any texteditor; this can also be done automatically via applications using theDr.Web Scanner to check certain files. After the scanning iscompleted, the Dr.Web Scanner deletes the list-file, if usedwithout the '+' character.

/AL – to scan all files in the given device, or in the given folder,regardless the extensions or the internal format.

/AR – to scan files inside the archives. At present, the scanning ofarchives (without curing) created by the ARJ, ZIP, PKZIP, ALZIP,RAR, LHA, GZIP, TAR, BZIP2, 7-ZIP, ACE, etc. archivers, as well asof MS CAB-archives – Windows Cabinet Files and ISO-images ofoptical disks (CD and DVD) is available. As it is specified (/AR) theswitch instructs to inform a user if an archive with infected orsuspicious files is detected. If the switch is supplemented with theD, M or R modifier, other actions are taken: /ARD – delete; /ARM– move (by default, to the infected.!!! directory); /ARR – rename(by default, the first character of extension is replaced by the #character). The switch may end with the N modifier, and in thiscase the name of the archiver after the name of the archived filewill not be printed.

Dr.Web CureIt! does not scan archives by default. To enable this feature, you have to specify the /AR command line parameter explicitly. To check files in archives when running scan from GUI, select the Files in archives checkbox on the File Types tab of Scanner settings.

/CU – actions with infected files and boot sectors of drives. The curable objects are cured and the incurable files are deleted without additional D, M or R modifiers (if different action is not specified by the /IC switch). Other actions taken towards infected files: /CUD – delete; /CUM – move (by default, to the Quarantine directory in the %USERPROFILE%\DoctorWeb\ directory); /CUR – rename (by default, the first symbol of extension is replaced by the '#' character).

/EX – to scan files with the default extensions: EXE, COM, DLL, SYS, VXD, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD, 386, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, PP?, OBJ, LIB, PIF, AR?, ZIP, R??, GZ, Z, TGZ, TAR, TAZ, CAB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SH, SHB, SHS, SHT*, MSG, CHM, XML, PRC, ASP, LSP, MSO, OBD, THE*, EML, NWS, SWF, MPP, TBB.

If an element of the list of scanned objects contains the explicit file extension, and it is used with the '*' and '?' special characters, all files specified in this element of the list will be scanned and not only those matching this list of extensions.

/FAST – perform an express scan of the system (for more information on the express scan mode see Anti-Virus Scans).

/FULL – perform a full scan of all hard drives and removable data carriers (including boot sectors).

/GO – batch mode of the program. All questions implying answers from a user are skipped; solutions implying a choice are taken automatically. This mode is useful for automatic scanning of files, for example, during a daily or weekly check of the hard disk.

/HA – to perform heuristic scanning of files and search for unknown viruses in them.

/ICR, /ICD or /ICM – actions with infected files which cannot be cured: /ICR – rename; /ICD – delete; /ICM – move.

/LITE – perform a basic scan of random access memory, boot sectors of all disks and startup objects. This switch disables the /FAST or /FULL mode.

Dr.Web CureIt! starts in the /FAST mode by default.


/MW – actions with all types of unsolicited programs. As it is specified (/MW) the switch instructs to inform a user. If the switch is supplemented with the D, M, R or I modifier, other actions are taken: /MWD – delete; /MWM – move (by default, to the Quarantine directory in the %USERPROFILE%\DoctorWeb\ directory); /MWR – rename (by default, the first symbol of extension is replaced by the '#' character); /MWI – ignore. Actions with certain types of unsolicited programs are specified by the /ADW, /DLS, /JOK, /RSK, /HCK switches.

/NR – do not create a log file.

/NS – disable interrupting of computer scanning. With this switch specified, a user will not be able to interrupt scanning by pressing ESC.

/OK – display full list of scanned objects and mark the uninfected ones with Ok.

/PF – prompt on, if multiple floppies are scanned.

/PR – prompt for confirmation before action.

/QU – the Dr.Web Scanner checks the objects specified in the command line (files, disks, folders) and then automatically terminates.

/RP<file_name> or /RP+<file_name> – log to a file the name of which is specified in the switch. If no name is specified, log to a default file. If the '+' character is present, the file is appended. If there is no character, a new one is created.

/SCP:<n> – sets the priority of the scanning process, where <n> is a number ranging from 1 to 50.

/SD – scan subfolders.

/SPR, /SPD or /SPM – actions with suspicious files: /SPR – rename; /SPD – delete; /SPM – move.

/ST – sets stealth mode of the GUI version of the scanner. The program operates without any windows opened and self-terminates. However, if virus objects are detected during scanning, the scanner window is opened after the scanning is completed. This scanner mode presupposes that the list of the scanned objects is specified in the command line.

/TB – scan boot sectors and master boot records (MBR) of the hard drive.

/TM – search for viruses in main memory (including Windows system area).

/TS – search for viruses in autorun files (in Autorun directory, system INI-files, Windows registry).

/UPN – disable the output of the names of the programs used for packing, conversion or vaccination of the scanned executable files to the log file by the Dr.Web Scanner.

"Negative" Forms

Certain switches allow the '-' character to be used at the end. In such "negative" form the switch means cancellation of the mode. Such option can be useful if a certain mode is enabled by default. Here is the list of the command line switches allowing the "negative" form:

/ADW /AR /CU /DLS /FULL /FAST /FN /HCK /JOK /HA /IC /MW /OK /PF /PR /RSK /SD /SP /TB /TM /TS

For the /CU, /IC and /SP switches the "negative" form cancels any actions specified in the description of these switches. This means that infected and suspicious objects will be reported but no actions will be applied.

For the /RP switch, the "negative" form is written as /NR.

For the /AL and /EX switches, the "negative" form is not allowed. However, specifying one of them cancels the other.

If several alternative parameters are found in the command line, the last of them takes effect.
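The following is an added example, not part of the Dr.Web manual or product: a small Python checker that applies the rules above (negative forms, /NR for /RP, /AL versus /EX, last switch wins) to a scan command line, so that a scheduled job can be reviewed for switches that silently turn an action into report-only. The function name resolve and the setting labels ("off", "default", and so on) are assumptions of this sketch.

```python
# Added example: resolves Dr.Web Scanner switches per the manual's precedence rules.
ACTIONS = {"": "default", "D": "delete", "M": "move", "R": "rename", "I": "ignore"}
FAMILIES = {"CU": "DMR", "IC": "DMR", "SP": "DMR", "AR": "DMR", "MW": "DMRI"}
NEGATABLE = set("ADW AR CU DLS FULL FAST FN HCK JOK HA IC MW OK PF PR RSK "
                "SD SP TB TM TS".split())

def resolve(args):
    """Map each switch family to its effective setting; the last switch wins."""
    state = {}
    for arg in args:
        if not arg.startswith("/"):
            continue                          # a scan target, not a switch
        name = arg[1:].upper()
        if name.endswith("-"):                # "negative" form cancels the mode
            name = name[:-1]
            if name not in NEGATABLE:
                raise ValueError(f"{arg}: negative form is not allowed")
            state[name] = "off"
        elif name == "NR":                    # /NR is the negative form of /RP
            state["RP"] = "off"
        elif name.startswith("RP"):
            state["RP"] = "append" if name[2:3] == "+" else "new file"
        elif name in ("AL", "EX"):            # specifying one cancels the other
            state["FILES"] = name
        elif name[:2] in FAMILIES:
            fam, mod = name[:2], name[2:]
            if fam == "AR" and mod.endswith("N"):
                mod = mod[:-1]                # N only hides archiver names in output
            if len(mod) > 1 or mod not in FAMILIES[fam]:
                raise ValueError(f"{arg}: unknown modifier")
            state[fam] = ACTIONS[mod]         # "" = bare switch, e.g. /CU or /AR
        else:
            state[name] = "on"
    return state

if __name__ == "__main__":
    # Constructed sample command line: the trailing /CU- overrides /CUD.
    print(resolve(["/CUD", "/ARM", "/CU-", "C:\\games\\*"]))
```

A result of "off" for CU, IC or SP means detections are only reported, which is worth flagging when the job was meant to cure or quarantine.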
