The technologies incorporated into Dr.Web Preventive Protection enhance traditional signature-based Dr.Web protection with cutting-edge, non-signature (behavioural) tools. With Preventive Protection, Dr.Web can:
And those are just a few of the things that Dr.Web Preventive Protection can do.
Let's take a closer look at what the user gains by switching on each setting.
The HOSTS file lets you define the mapping between a host's domain name and its IP address.
The processing priority of the HOSTS file is higher than the priority for accessing the DNS server. The HOSTS file allows cybercriminals to block access to anti-virus company websites and redirect users to fake sites.
Dr.Web preventive protection does not allow malware to modify the HOSTS file and redirect users to phishing resources.
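The HOSTS abuse described above can also be checked for after the fact. The following is an added example, not Dr.Web code: it parses HOSTS-format text and classifies every non-default mapping. The watched domains, host names and addresses are constructed placeholders.

```python
import ipaddress

# Assumption: placeholder domains to watch; replace with the vendors and
# services you care about.
WATCHED = ("av-vendor.example", "bank.example")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: skip the malformed line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, verdict) for every non-default entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # stock entry
        hit = any(name == d or name.endswith("." + d) for d in watched)
        if hit and (ip.is_loopback or ip.is_unspecified):
            verdict = "blocked"      # watched site sinkholed to the local host
        elif hit:
            verdict = "redirected"   # watched site pointed at another server
        else:
            verdict = "override"     # any other mapping that bypasses DNS
        findings.append((line_no, name, str(ip), verdict))
    return findings

# Constructed sample input (documentation-range address, placeholder names).
SAMPLE = """\
# constructed HOSTS content
127.0.0.1    localhost
::1          localhost
127.0.0.1    update.av-vendor.example
203.0.113.7  www.bank.example   # looks legitimate to the user
10.0.0.5     intranet.corp.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```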
A process is a set of resources and data held in a computer's RAM. One program's process should not modify another program's process. But what about malicious programs? For example, Trojan.Encoder.686 (CTB-Locker) violates this rule.
Dr.Web preventive protection prevents malware from injecting itself into other programs' processes (for example, it prohibits Trojans from modifying a browser's process in order to access the e-banking system), thereby not allowing them to implement their functionality, in full or partially.
Some extortionist malware (ransomware) encrypts user data and demands a ransom for its decryption. Enabling this option helps protect against encryption ransomware, for example, Trojan.Encoder.94, Trojan.Encoder.102, and Trojan.Encoder.686 (CTB-Locker).
Dr.Web preventive protection detects malware processes that modify user files and blocks encryption ransomware activity.
When Windows is operating normally, file access occurs by referring to the file system, which is controlled by the operating system. Trojan bootkits that modify the MBR access the disk directly, bypassing the Windows file system and accessing certain disk sectors.
Trojans injected into the MBR are extremely hard to detect and neutralise.
Dr.Web preventive protection prevents malware from modifying the MBR and prevents Trojans from being launched in the system.
Many rootkits secretly launch their drivers and services to hide their presence in the system and perform unauthorised actions, such as sending logins and passwords as well as other identifying information to cybercriminals.
Dr.Web preventive protection prohibits new or unknown drivers from being loaded without user consent.
The Windows registry contains the Image File Execution Options key (entry), which can be used to assign a debugger (a program that helps the programmer debug written code as well as modify the data of a debugged process) to any Windows application. Malware that has been assigned to debug a system process or application (e.g., Internet Explorer or Windows Explorer), can use this key to get full access to whatever interests the intruders.
Dr.Web preventive protection blocks access to the Image File Execution Options registry key.
Ordinary users have no real need to debug applications on the fly, and the risk of malware using the Image File Execution Options key is very high.
Some malicious programs create executable files and register them as virtual devices.
Dr.Web preventive protection blocks the registry branches that are responsible for virtual device drivers, making it impossible to install a new virtual device.
The Winlogon notification package interface handles events tied to users logging on and off, the operating system starting up and shutting down, and some other tasks. Once it has accessed a Winlogon notification package, malware can restart the OS, shut down the computer, and prevent users from logging in to the OS. This activity is typical of Trojan.Winlock.3020 and Trojan.Winlock.6412.
Dr.Web preventive protection prevents the registry branches responsible for the Winlogon notification package from being modified, and prohibits malware from adding new tasks—those needed by the attackers—into the OS’s logic.
This option simultaneously blocks multiple Windows registry settings in the branch [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows], for example: AppInit_DLLs (which causes Windows to load the specified DLL every time a program is started, and which can be used to inject a rootkit into Windows), Run (which is required to run programs in a minimised form after the OS has been started), and IconServiceLib (which is responsible for loading the IconCodecService.dll library, needed for the desktop and icons to appear normally on the screen).
Dr.Web preventive protection blocks a number of Windows registry settings, thus, for example, preventing viruses from modifying the normal desktop display or preventing rootkits from concealing a Trojan’s presence in the system.
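The registry locations discussed above (Image File Execution Options, Winlogon notification packages and AppInit_DLLs) can be reviewed offline from a registry export. The following is an added example, not Dr.Web code: it scans .reg export text for a Debugger value under Image File Execution Options, a non-empty AppInit_DLLs and Winlogon Notify DllName entries. The sample export and its file names are constructed; a real export is usually UTF-16 and must be decoded first.

```python
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
IFEO = (BASE + r"\Image File Execution Options" + "\\").lower()
NOTIFY = (BASE + r"\Winlogon\Notify" + "\\").lower()
WINDOWS = (BASE + r"\Windows").lower()
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            yield key, m["name"], re.sub(r"\\(.)", r"\1", m["data"])

def audit(text):
    """Return (finding, subject, data) tuples for the watched locations."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        leaf = key.rsplit("\\", 1)[1]
        if k.startswith(IFEO) and n == "debugger":
            findings.append(("ifeo-debugger", leaf, data))
        elif k == WINDOWS and n == "appinit_dlls" and data.strip():
            findings.append(("appinit-dll", name, data))
        elif k.startswith(NOTIFY) and n == "dllname":
            findings.append(("winlogon-notify", leaf, data))
    return findings

# Constructed sample export; program and DLL names are placeholders.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\Users\\Public\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample]
"DllName"="sample.dll"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```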
Some malicious programs violate executable file associations, resulting in programs not being able to start, or in undesired programs starting up—those under the direction of malware.
Dr.Web preventive protection does not allow malware to modify program startup rules.
In Windows, software restriction policies (SRP) can be configured in such a way as to allow only programs from certain folders to be launched (for example, Program Files) and prohibit the execution of programs from other sources. Blocking the registry branch responsible for the SRP’s configuration prevents configured policies from being modified, thus reinforcing previously implemented protection.
Dr.Web preventive protection allows a system to be protected against malware that enters a computer through email and removable media, and launches itself from the temporary directory, for example. This option is recommended for use in a corporate environment.
This setting can be used to prevent new plugins for Internet Explorer from being installed. This is done by blocking the appropriate registry branch.
Dr.Web preventive protection shields the browser from malicious plugins, such as browser blockers.
Prohibits modifications from being made to some registry branches responsible for the autorun of programs.
Dr.Web preventive protection can prevent the autorun of malicious programs by thwarting their attempts to register in the registry for subsequent launch.
This option blocks the registry branch that helps run any program when the user logs in.
Dr.Web preventive protection can prevent the autorun of certain programs, such as anti-antiviruses.
Some Trojans disable Windows safe mode to make it more difficult to cure a computer.
Dr.Web preventive protection blocks modifications from being made to the registry to prevent the safe mode from being switched off.
This option protects the configuration of the Windows session manager—the system on which the stability of the operating system depends. Without such protection, malicious programs can initialise the environment variables, run a number of system processes, and execute operations to remove, move or copy files before the system is fully loaded, etc.
Dr.Web preventive protection keeps malicious programs from being introduced into the operating system before it is fully loaded, and, accordingly, before the anti-virus is up and running.
This option prevents the registry parameters responsible for the normal operation of system services from being edited.
Some viruses can block the registry editor, complicating the user’s normal work. For example, they can clear the desktop of shortcuts to programs that were installed on the computer or prevent files from being moved.
Dr.Web preventive protection prohibits malware from disabling operating system services. For example, it prevents malware from interfering with the regular backing up of files.
In Dr.Web for Windows, settings can be managed on the "Preventive Protection" tab.
The user is offered four setting modes: optimal (enabled by default), medium, paranoid, and user.
The optimal mode protects only those registry branches that are used by malicious software and that can be blocked (blocked from having any changes made to them)—without significantly burdening computer resources.
When the preventive protection mode is elevated, the system defends itself more vigilantly against malicious programs that are not yet in the Dr.Web virus database, but at the same time the risk of a conflict between the constraints imposed by preventive protection and the needs of running applications increases.