My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Behavioral Analysis

In Dr.Web versions 9-11.5, this module is known as Preventive Protection.

With the Behavioural Analysis module, Dr.Web can:

  • protect systems against new, highly prolific malicious programs that are capable of avoiding detection by traditional signature-based analysis and heuristic routines because their entries haven't yet been added to the security system (for example, because the latest updates have not been downloaded)
  • detect unwanted file modification, monitor the operation of all system processes to detect actions that are typical of malware (e.g., encryption ransomware activities), and prevent malicious objects from injecting their code into other processes
  • detect and neutralise threats that have not yet been discovered: encryption ransomware, injectors, remote-controlled malware used for espionage and to create botnets, and malware packers


Let's take a closer look at what the user gains by switching on each setting.

The HOSTS file

his file lets you define the relationship between the host domain name and its IP address.

The processing priority of the HOSTS file is higher than the priority for accessing the DNS server. The HOSTS file allows cybercriminals to block access to anti-virus company websites and redirect users to fake sites.

Dr.Web does not allow malware to modify the HOSTS file and redirect users to phishing resources.

The integrity of running applications

The process is a set of resources and data that is located in a computer's RAM. The process of one program should not change the process of another program. But what about malicious programs? For example, Trojan.Encoder.686 (CTB-Locker) violates this rule.


Dr.Web prevents malware from injecting itself into other programs processes (for example, it prohibits Trojans from modifying a browser's process in order to access the e-banking system), thereby not allowing them to implement their functionality, in full or partially.

Low-level disk access

When Windows is operating normally, file access occurs by referring to the file system, which is controlled by the operating system. Trojan bootkits that modify the MBR access the disk directly, bypassing the Windows file system and accessing certain disk sectors.

Trojans injected into the MBR are extremely hard to detect and neutralise.


Dr.Web prevents malware from modifying the MBR and prevents Trojans from being launched in the system.


Driver loading

Many rootkits secretly launch their drivers and services to hide their presence in the system and perform unauthorised actions, such as sending logins and passwords as well as other identifying information to cybercriminals.

Dr.Web prohibits new or unknown drivers from being downloaded without user consent.

Application startup parameters

The Windows registry contains the Image File Execution Options key (entry), which can be used to assign a debugger (a program that helps the programmer debug written code as well as modify the data of a debugged process) to any Windows application. Malware that has been assigned to debug a system process or application (e.g., Internet Explorer or Windows Explorer), can use this key to get full access to whatever interests the intruders.


Dr.Web blocks access to the Image File Execution Options registry key.
Ordinary users have no real need to debug applications on the fly, and the risk of malware using the Image File Execution Options key is very high.


Multimedia device drivers

Some malicious programs create executable files and register them as virtual devices.

Dr.Web blocks the registry branches that are responsible for virtual device drivers, making it impossible to install a new virtual device.

Winlogon registry keys, Winlogon notifiers

The Winlogon notification package interface facilitates the ability to process events assigned to user entry and exit, operating system enablement and disablement, and some other tasks. H Once it has accessed a Winlogon notification package, malware can restart the OS, shut down the computer, and prevent users from entering the OS environment. This activity is typical of Trojan.Winlock.3020 and Trojan.Winlock.6412.


Dr.Web prevents the registry branches responsible for the Winlogon notification package from being modified, and prohibits malware from adding new tasks—those needed by the attackers—into the OS’s logic.


Windows registry startup keys

This option simultaneously blocks multiple Windows registry settings in the branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]: For example, AppInit_DLLs (which causes Windows to download the DLL specified every time a program is started), AppInit_DLLs (which can be used to inject a rootkit into Windows), Run (which is required to run programs in a minimised form after the OS has been started), and IconServiceLib (which is responsible for downloading IconCodecService.dll library, the parameter needed for the desktop and icons to appear normally on the screen).

Dr.Web blocks a number of Windows registry settings, thus, for example, preventing viruses from modifying the normal desktop display or preventing rootkits from concealing a Trojan’s presence in the system.

Executable file associations

Some malicious programs violate executable file associations, resulting in programs not being able to start, or in undesired programs starting up—those under the direction of malware.


Dr.Web does not allow malware to modify program startup rules.


Software Restriction Policies (SRP)

In Windows, software restriction policies (SRP) can be configured in such a way as to allow only programs from certain folders to be launched (for example, Program Files) and prohibit the execution of programs from other sources. Blocking the registry branch responsible for the SRP’s configuration prevents configured policies from being modified, thus reinforcing previously implemented protection.

Dr.Web allows a system to be protected against malware that enters a computer through email and removable media, and launches itself from the temporary directory, for example. This option is recommended for use in a corporate environment.

Browser Helper Objects (BHO) for Internet Explorer

This setting can be used to prevent new plugins for Internet Explorer from being installed. This is done by blocking the appropriate registry branch.


Dr.Web shields the browser from malicious plugins, from browser blockers, for example.


Program autorun

Prohibits modifications from being made to some registry branches responsible for the autorun of programs.

Dr.Web can prevent the autorun of malicious programs by thwarting their attempts to register in the registry for subsequent launch.

Autorun policies

This option blocks the registry branch that helps run any program when the user logs in.


Dr.Web can prevent the autorun of certain programs, such as anti-antiviruses.


Safe mode configuration

Some Trojans disable Windows safe mode to make it more difficult to cure a computer.

Dr.Web blocks modifications from being made to the registry to prevent the safe mode from being switched off.

Session Manager parameters

This option protects the configuration of the Windows session manager—the system on which the stability of the operating system depends. Without such protection, malicious programs can initialise the environment variables, run a number of system processes, and execute operations to remove, move or copy files until the system is fully loaded, etc.


Dr.Web keeps malicious programs from being introduced into the operating system before it is fully loaded, and, accordingly, before the anti-virus is up and running.


System services

This option prevents the registry parameters responsible for the normal operation of system services from being edited.

Some viruses can block the registry editor, complicating the user’s normal work. For example, they can clear the desktop of shortcuts to programs that were installed on the computer or prevent files from being moved.

Dr.Web prohibits malware from disabling operating system services. For example, it prevents malware from interfering with the regular backing up of files.

Dr.Web settings

The user is offered four setting modes: optimal (enabled by default), medium, paranoid, and user.


The optimal mode protects only those registry threads that are used by the malicious software and that can be blocked (blocked from having any changes made to them) — without significantly burdening computer resources.

When the mode is elevated, the system defends itself more vigilantly against malware programs with which the Dr.Web virus database is unfamiliar, but simultaneously the risk increases for a conflict to arise between the constraints created by the Behavioral Analysis and the needs of running applications.