Add to the library


News & Events | Promotions | Licensing center | Anti-cyber fraud center | Customers | Company

Many malware programs operate according to similar algorithms, exploit the same operating system vulnerabilities, and have the same set of malicious functions.

If a suspicious program’s behavior resembles the behavioral patterns of known malware, the Dr.Web anti-virus protection system can detect and block that program—even if an entry for it has yet to be included in the Dr.Web virus database.

This is due to the fact that none of the software’s proactive technologies depend on the signatures of these suspicious programs being present in the virus database. All these technologies are developed solely by Doctor Web.

Here we’ve listed just some of them:

Universal malware decompression technology

Attackers have to spend a lot of time on the development of each new malware species that is designed to go unrecognised by an anti-virus. They also have to spend a great deal of time testing their new malware against current anti-viruses. To bypass such labour-intensive activities, criminals encrypt their malware or compress it with packers whose format is not recognised by any archiving application. To recognise a packed or encrypted program, most anti-viruses require a corresponding entry (signature) in their anti-virus database, which means that the system is defenceless until the virus database is updated.

Dr.Web still protects systems in situations like these.

  • Dr.Web FLY-CODE is a unique universal decompression technology that allows viruses packed with packers, unknown even to Dr.Web, to be detected.
  • The comprehensive analysis of packed threats significantly improves the detection of supposedly “new” malicious programs that were added to the Dr.Web virus database before they were concealed by new packers. In addition, this type of analysis eliminates the need to keep adding definitions of new threats into the virus database. With Dr.Web virus databases kept small, system requirements do not need to be constantly increased. Updates remain traditionally small, while the quality of detection and curing remains at the same traditionally high level.
Technologies for analysing behaviour and terminating malicious processes

Today’s criminals are after data and money. This encourages them to create new types of malware that can’t be recognised or blocked by anti-viruses and other security software. The risk of unknown malware reaching computers before it can be analysed in an anti-virus laboratory increases every year. Under these circumstances, controlling the behaviour of running system processes and applications becomes an essential element of present-day anti-virus security.

  • The behavioural analysis technology Dr.Web Process Heuristic protects systems against new, highly prolific malicious programs that are capable of avoiding detection by traditional signature-based analysis and heuristic routines because they haven't yet been analysed in an anti-virus laboratory and, therefore, are unknown to Dr.Web at the moment of intrusion.

Unlike traditional behavioural analysis, which relies on predefined rules describing the behaviour of legitimate programs that are well known to criminals, Dr.Web Process Heuristic analyses the behaviour of each running program in real time by comparing it with the reputation information stored in the Dr.Web cloud which is constantly updated. It determines whether the program is dangerous and then takes whatever measures are necessary to neutralise the threat.

This data protection technology helps minimise losses resulting from the actions of unknown malware — and consumes very few of the protected system’s resources.

Dr.Web Process Heuristic monitors any attempts to modify the system:

  • Detects malicious processes that modify files (such as encryption ransomware);
  • Prevents malware from injecting its code into the processes of other applications;
  • Protects critical system areas from being modified by malware;
  • Detects and stops the execution of malicious, suspicious or unreliable scripts and processes;
  • Prevents malware from modifying boot sectors so that malicious code can’t be executed on the computer;;
  • Blocks changes in the Windows Registry to make sure that the safe mode won't be disabled.
  • Prevents malicious programs from altering basic system routines. By blocking certain registry keys, it prevents malware from changing the appearance of the desktop or hiding a Trojan with a rootkit;
  • Prevents malware from changing launch permissions.

Dr.Web Process Heuristic starts protecting a system during the boot-up phase, even before the traditional, signature-based anti-virus is loaded!

  • Prevents new or unknown drivers from being downloaded without the user's consent.
  • Prevents malware and certain other applications, such as anti-antiviruses, from adding their entries into the Windows Registry , so that they could be launched automatically.
  • Locks registry sections containing information about virtual device drivers, ensuring that no new virtual devices are created.
  • Blocks connections between spyware and its control servers.
  • Prevents malware from disrupting system routines such as scheduled backups.

Dr.Web Process Heuristic works right out of the box, but the user can always configure rules based on their own needs!

Dr.Web Process Heuristic, includes the technology Dr.Web ShellGuard, which blocks routes into the system so that programs that exploit vulnerabilities can’t get in. Exploits are malicious objects that take advantage of software flaws, including those not yet known to anyone except for the intruders who created them (i.e., zero-day vulnerabilities). The vulnerabilities are used to gain control over a targeted application or the operating system.

Impregnable systems don’t exist.
Developers try to release patches quickly for known vulnerabilities. For example, Microsoft releases security updates quite often. However, users often install some of them way too late (or don't install them at all). This encourages intruders to search for new vulnerabilities and exploit those that have been discovered but aren't yet closed on the computers that are being targeted.

Dr.Web ShellGuard protects the most common applications installed on almost all computers running Windows:

  • All popular web browsers (Internet Explorer, Mozilla Firefox, Google Chrome, and Vivaldi Browser);
  • MS Office applications including MS Office 2016;
  • System Applications;
  • Applications that use java, flash and pdf;
  • Media players (software).

Intelligent updating from the cloud for non-signature Dr.Web ShellGuard blocking routines

To detect malicious actions, Dr.Web ShellGuard uses information stored by the anti-virus locally as well as reputation data from Dr.Web Cloud which includes:

  • Information about the routines used by programs with malicious intentions;
  • Information about files that are 100% clean;
  • Information about the compromised digital signatures of well-known software developers;
  • Information about digital signatures used by adware and riskware;
  • Protection routines used by specific applications.

The cloud can collect information about the operation of Dr.Web on PCs, including data about brand new threats, which enables Doctor Web to promptly respond to discovered defects and update rules stored by the anti-virus on machines.

How it works

  • If it detects that malicious code is attempting to exploit a vulnerability, Dr.Web will end the attacked process immediately. It won't perform any actions with application files and won't move any files to the quarantine.
  • Users will also see notifications about a thwarted attempt to perform malicious actions; no response on their part will be required.
  • An entry about the disrupted attack is added to the Dr.Web event log.
  • The cloud will also be instantly notified about the incident. If necessary, Doctor Web specialists will instantly respond, for example, by upgrading the system monitoring routine.

The preventive protection is available under Dr.Web Security Space and Dr.Web Anti-virus licenses.

Technology that detects malware similar to programs previously registered in the Dr.Web knowledge base

The anti-virus laboratory receives hundreds of thousands of malware samples per day! And the number is growing.

Under these circumstances, the security of a protected machine greatly depends on how quickly a new malicious program is received and processed by the anti-virus laboratory. However, systems that have Dr.Web installed on them do not remain unprotected until an update arrives.

  • The cutting-edge, non-signature scan technology Origins Tracing™ ensures the high probability that viruses unknown to Dr.Web will be detected.
  • The heuristic analyser, whose analyses are based on criteria typical of various groups of malicious programs, detects most known threats.

Dr.Web preventive protection settings for Windows

In Dr.Web for Windows, settings can be managed on the "Preventive Protection" tab.

The user is offered four setting modes: optimal (enabled by default), medium, paranoid, and user.

screen The optimal mode protects only those registry threads that are used by the malicious software and that can be blocked (blocked from having any changes made to them)—without significantly burdening computer resources.
When the preventive protection mode is elevated, the system defends itself more vigilantly against malware programs with which the Dr.Web virus database is unfamiliar, but simultaneously the risk increases for a conflict to arise between the constraints created by the preventive protection and the needs of running applications. screen

Dr.Web preventive protection settings for Windows

Let's take a closer look at what the user gains by switching on each setting.


The HOSTS file

This file lets you define the relationship between the host domain name and its IP address. The processing priority of the HOSTS file is higher than the priority for accessing the DNS server. The HOSTS file allows cybercriminals to block access to anti-virus company websites and redirect users to fake sites.

Dr.Web preventive protection does not allow malware to modify the HOSTS file and redirect users to phishing resources.

The integrity of running applications

The process is a set of resources and data that is located in a computer's RAM. The process of one program should not change the process of another program. But what about malicious programs? For example, Trojan.Encoder.686 (CTB-Locker) violates this rule.

Dr.Web preventive protection prevents malware from injecting itself into other programs' processes (for example, it prohibits Trojans from modifying a browser's process in order to access the e-banking system), thereby not allowing them to implement their functionality, in full or partially.

The integrity of user files

Some extortionist malware (ransomware) encrypts user data and demands a ransom for its decryption. Enabling this option helps protect against encryption ransomware, for example, Trojan.Encoder.94, Trojan.Encoder.102, and Trojan.Encoder.686 (CTB-Locker).

Dr.Web preventive protection detects malware processes that modify user files and blocks encryption ransomware activity.

Low-level disk access

When Windows is operating normally, file access occurs by referring to the file system, which is controlled by the operating system. Trojan bootkits that modify the MBR access the disk directly, bypassing the Windows file system and accessing certain disk sectors. Trojans injected into the MBR are extremely hard to detect and neutralise.

Dr.Web preventive protection prevents malware from modifying the MBR and prevents Trojans from being launched in the system.

Driver loading

Many rootkits secretly launch their drivers and services to hide their presence in the system and perform unauthorised actions, such as sending logins and passwords as well as other identifying information to cybercriminals.

Dr.Web preventive protection prohibits new or unknown drivers from being downloaded without user consent.

Application startup parameters

The Windows registry contains the Image File Execution Options key (entry), which can be used to assign a debugger (a program that helps the programmer debug written code as well as modify the data of a debugged process) to any Windows application. Malware that has been assigned to debug a system process or application (e.g., Internet Explorer or Windows Explorer), can use this key to get full access to whatever interests the intruders.

Dr.Web preventive protection blocks access to the Image File Execution Options registry key.
Ordinary users have no real need to debug applications on the fly, and the risk of malware using the Image File Execution Options key is very high.

Multimedia device drivers

Some malicious programs create executable files and register them as virtual devices.

Dr.Web preventive protection blocks the registry branches that are responsible for virtual device drivers, making it impossible to install a new virtual device.

Winlogon registry keys, Winlogon notifiers

The Winlogon notification package interface facilitates the ability to process events assigned to user entry and exit, operating system enablement and disablement, and some other tasks. H Once it has accessed a Winlogon notification package, malware can restart the OS, shut down the computer, and prevent users from entering the OS environment. This activity is typical of Trojan.Winlock.3020 and Trojan.Winlock.6412.

Dr.Web preventive protection prevents the registry branches responsible for the Winlogon notification package from being modified, and prohibits malware from adding new tasks—those needed by the attackers—into the OS’s logic.

Windows registry startup keys

This option simultaneously blocks multiple Windows registry settings in the branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]: For example, AppInit_DLLs (which causes Windows to download the DLL specified every time a program is started), AppInit_DLLs (which can be used to inject a rootkit into Windows), Run (which is required to run programs in a minimised form after the OS has been started), and IconServiceLib (which is responsible for downloading IconCodecService.dll library, the parameter needed for the desktop and icons to appear normally on the screen).

Dr.Web preventive protection blocks a number of Windows registry settings, thus, for example, preventing viruses from modifying the normal desktop display or preventing rootkits from concealing a Trojan’s presence in the system.

Executable file associations

Some malicious programs violate executable file associations, resulting in programs not being able to start, or in undesired programs starting up—those under the direction of malware.

Dr.Web preventive protection does not allow malware to modify program startup rules.

Software Restriction Policies (SRP)

In Windows, software restriction policies (SRP) can be configured in such a way as to allow only programs from certain folders to be launched (for example, Program Files) and prohibit the execution of programs from other sources. Blocking the registry branch responsible for the SRP’s configuration prevents configured policies from being modified, thus reinforcing previously implemented protection.

Dr.Web preventive protection allows a system to be protected against malware that enters a computer through email and removable media, and launches itself from the temporary directory, for example. This option is recommended for use in a corporate environment.

Browser Helper Objects (BHO) for Internet Explorer

This setting can be used to prevent new plugins for Internet Explorer from being installed. This is done by blocking the appropriate registry branch.

Dr.Web preventive protection shields the browser from malicious plugins, from browser blockers, for example.

Program autorun

Prohibits modifications from being made to some registry branches responsible for the autorun of programs.

Dr.Web preventive protection can prevent the autorun of malicious programs by thwarting their attempts to register in the registry for subsequent launch.

Autorun policies

This option blocks the registry branch that helps run any program when the user logs in.

Dr.Web preventive protection can prevent the autorun of certain programs, such as anti-antiviruses.

Safe mode configuration

Some Trojans disable Windows safe mode to make it more difficult to cure a computer.

Dr.Web preventive protection blocks modifications from being made to the registry to prevent the safe mode from being switched off.

Session Manager parameters

This option protects the configuration of the Windows session manager—the system on which the stability of the operating system depends. Without such protection, malicious programs can initialise the environment variables, run a number of system processes, and execute operations to remove, move or copy files until the system is fully loaded, etc.

Dr.Web preventive protection keeps malicious programs from being introduced into the operating system before it is fully loaded, and, accordingly, before the anti-virus is up and running.

System services

This option prevents the registry parameters responsible for the normal operation of system services from being edited. Some viruses can block the registry editor, complicating the user’s normal work. For example, they can clear the desktop of shortcuts to programs that were installed on the computer or prevent files from being moved.

Dr.Web preventive protection prohibits malware from disabling operating system services. For example, it prevents malware from interfering with the regular backing up of files.