Add to the library


News & Events | Promotions | Licensing center | Anti-cyber fraud center | Customers | Company

Dr.Web anti-virus engine technologies

Criminal groups involved in the development and spread of viruses are thoroughly organized, so virus production has become streamlined, thus leading to explosive growth in the quantity of malicious malware. This immediately spawned a host of daily signature records being added to virus databases.


  • The Doctor Web virus monitoring service collects samples of malicious programs all over the Internet.
  • The Dr.Web anti-virus lab receives on average about 60,000 malware samples daily.
  • A record of sorts was set on November 28, 2012, when the Dr.Web anti-virus lab received over 300,000 samples. And that is not all of the malware that was created that day.

Virus analysts are not magicians and cannot instantly process the thousands and thousands of suspicious files received daily. Long gone are the times when anti-viruses could catch malware using only relevant virus signatures (i.e., records in virus databases) — i.e. detect only known viruses. If this were so till now, an anti-virus would be helpless in the face of unknown threats. However, an anti-virus remains the best and the only effective protection tool against all types of malicious threats — and, most importantly, — against viruses both known and unknown to the virus database.

Dr.Web incorporates many effective non-signature technologies for detecting and removing unknown malware. Together, they make it possible to detect the latest (unknown) threats before they are registered in the virus database. We'll describe just a few of them.

  • Fly-Code technology ensures the high-quality scanning of packed executables and virtualized file execution to unpack any (even non-standard) packers; this makes it possible to detect viruses that are even unknown to Dr.Web anti-virus software.
  • Origins Tracing treats a scanned executable as a specific sample which it then compares against the database of known malicious programs. The technology makes it highly likely that viruses not yet added to the Dr.Web virus database will be detected.
  • Structural entropy analysis detects unknown threats by arranging pieces of code in objects protected with encryption compression, interrupting the routines they use, and utilizing some additional parameters. This allows Dr.Web to detect a substantial portion of unknown threats.
  • ScriptHeuristic prevents any malicious browser scripts and PDF documents from being executed without disabling features provided by legitimate scripts. It protects against infection with unknown viruses that try to get into a system via a web browser. It works independently of the Dr.Web virus databases in any web browser.
  • Traditional heuristic analyser features routines to detect unknown malware. The heuristic analyser relies upon knowledge (heuristics) about certain properties typical to virus code and, vice versa, those that are extremely rare in viruses. Each of these attributes is characterized by its “weight”— — that is to say, by a number whose module refers to the importance and severity of the attribute; and its sign, respectively, indicates whether that attribute confirms or refutes the hypothesis on the possible existence of an unknown virus in the code being analyzed.
  • An execution emulator module is used to detect polymorphic and highly encrypted viruses when the search against checksums cannot be applied directly or is very difficult to perform (because secure signatures cannot be built). The method involves simulating the execution of an analyzed code by an emulator — a programming model of the processor (and, in part, PC and OS).

Dr.Web virus database

  • Dr.Web anti-viruses use a record low number of virus definitions in their database; one entry can identify dozens, hundreds or even thousands of similar viruses. This is a fundamental difference between the Dr.Web virus database and virus databases of other anti-virus programs. Even with a smaller number of entries, it can detect the same (or an even greater) number of malicious programs.
  • Even if no definition of a virus is present in the virus database, Dr.Web will most likely detect it by means of multiple technologies implemented in its anti-virus engine.
  • Dr.Web virus databases are devised in such a way that adding new entries doesn't lower the scanning speed.

What are the advantages of a small virus database with fewer entries?

  • Saved disk space
  • Lower memory usage
  • Lower updating traffic
  • Rapid virus analysis
  • Detection of future modifications of existing viruses


Every day millions of people around the world use the unique product Dr.Web CureIt!, created specifically to cure infected computers that run other anti-viruses.


Modern malware often operates invisibly to computer users, and, from the moment of its creation, it cannot even be detected by many anti-virus programs. Only an anti-virus can cure an infected system.