Dr.Web FixIt! — a new cloud service for investigating information security incidents
At the beginning of August 2022, we introduced the cloud service Dr.Web FixIt! to the general public. It is designed for the remote analysis of virus-related computer incidents (VKO) on the Windows platform and for eliminating their consequences. At the heart of FixIt! is an extensive knowledge base with information about various types of operating system infections and ways to detect signs of compromise, together with a set of algorithms for detecting and treating threats. The service was conceived as a stand-alone, multifunctional tool for combating cyber threats that complements the anti-virus tools already on the market. At the same time, it is a powerful diagnostic solution that helps you assess the state of computers and identify all sorts of problems with the system and the software installed on it.
What is special about Dr.Web FixIt!
Traditional anti-virus systems detect malicious applications using signature and non-signature virus databases, heuristic and behavioral analysis, and other methods that are in one way or another based on previously known malware patterns and algorithms. Dr.Web FixIt! works differently. It generates a detailed report on the state of the system under examination, which the operator then analyzes using a wide range of filters. The filters allow the operator to run diagnostics that reveal anomalies and potential infections, and to search for traces of intruders, possible vulnerabilities and other security weaknesses (for example, the absence of important patches and OS updates). In this way the service helps to study the target system across a number of parameters and identify a variety of problems in it, including the presence of the latest malware, among it programs used in targeted attacks that no other tools detect.
In a sense, Dr.Web FixIt! can be compared to the work of an entire team of digital forensics specialists who, step by step and bit by bit, collect evidence of a cybercrime and analyze the infection vector. Here the information is collected automatically, and thanks to the filters, fewer resources and man-hours are spent analyzing the collected data.
At the same time, diagnostics is only part of the service's functionality. Once diagnostics are complete, Dr.Web FixIt! lets you treat infections and correct other identified shortcomings, for example by adjusting system settings or making changes to the Windows registry.
How the service works
The standard sequence of actions when working with Dr.Web FixIt! is as follows:
Primary computer diagnostics and data collection.
Application of the filters the operator considers necessary, which produce a slice of the data for analysis.
For the initial assessment of the state of the computer being checked (for example, for traces of unknown malicious programs or other signs of compromise), the specialist generates the Dr.Web FixIt! diagnostic utility. The user of the machine under investigation only needs to run this module; it automatically generates a report with all the necessary diagnostic information.
The resulting report is sent to the service, where the operator responsible for analyzing the incident applies the necessary filters to obtain a slice of the data of interest. Both preset filters and custom, user-defined filters can be used.
When the analysis of the report is complete, the operator records the identified problems and selects the actions and commands needed to treat the target computer. At this stage a unique instance of the Dr.Web FixIt! healing utility is generated. When run, it applies the corrections required for the specific machine on which the initial diagnostics were carried out. The user only has to run it; it performs all the corrective actions itself, in accordance with the specified treatment script (scenario).
After the healing utility finishes its work, it prepares a new report, which is also uploaded to the service. The operator applies the necessary filters to the new report and checks the data. If the problems have been fixed, the task is closed. Otherwise, a new healing utility is generated, with new commands added as necessary. This cycle is repeated until the incident is resolved.
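The report-then-filter approach described above (a diagnostic report examined through preset and custom filters, then a follow-up report checked with the same filters until nothing is flagged) can be modelled in a few lines. The following is an added example, not Dr.Web FixIt! code: the report schema, the filter names and the sample records are all constructed for illustration and say nothing about the service's real report format.

```python
"""Added example: a minimal model of a report-and-filter incident workflow.
Not Dr.Web FixIt! code; the report schema below is a constructed stand-in."""
from typing import Callable, Dict, List

# A diagnostic report is modelled as a dict of sections, each a list of records.
# Section and field names ("autoruns", "updates", "processes", ...) are assumptions.
Report = Dict[str, List[dict]]
# A filter turns a report into a list of human-readable findings.
Filter = Callable[[Report], List[str]]


def unsigned_autoruns(report: Report) -> List[str]:
    """Preset filter: autostart entries whose binary carries no valid signature."""
    return [f"autorun '{e['name']}' is unsigned ({e['path']})"
            for e in report.get("autoruns", []) if not e["signed"]]


def missing_critical_updates(report: Report) -> List[str]:
    """Preset filter: critical OS updates that are not installed."""
    return [f"critical update {u['id']} is not installed"
            for u in report.get("updates", [])
            if u["severity"] == "critical" and not u["installed"]]


def binaries_in_user_writable_dirs(report: Report) -> List[str]:
    """Preset filter: running processes whose image lives under a user-writable
    location. An anomaly worth a closer look, not proof of infection."""
    roots = ("C:\\Users\\", "C:\\Windows\\Temp\\")
    return [f"process {p['pid']} runs from {p['path']}"
            for p in report.get("processes", []) if p["path"].startswith(roots)]


PRESET_FILTERS: Dict[str, Filter] = {
    "unsigned-autoruns": unsigned_autoruns,
    "missing-critical-updates": missing_critical_updates,
    "binaries-in-user-writable-dirs": binaries_in_user_writable_dirs,
}


def autorun_running_from_profile(report: Report) -> List[str]:
    """Custom (operator-written) filter combining two sections: an autorun entry
    that is also a running process started from a user profile directory."""
    running = {p["path"] for p in report.get("processes", [])}
    return [f"autorun '{e['name']}' is running from a user profile"
            for e in report.get("autoruns", [])
            if e["path"] in running and e["path"].startswith("C:\\Users\\")]


def apply_filters(report: Report, filters: Dict[str, Filter]) -> Dict[str, List[str]]:
    """Run every selected filter over the report; keep only filters that flagged something."""
    results: Dict[str, List[str]] = {}
    for name, flt in filters.items():
        findings = flt(report)
        if findings:
            results[name] = findings
    return results


def incident_resolved(report: Report, filters: Dict[str, Filter]) -> bool:
    """Closing condition of the loop: the same filters run over the follow-up
    report flag nothing, so the task can be closed."""
    return not apply_filters(report, filters)


# Constructed sample reports: "before" is what a diagnostic run might collect,
# "after" is the follow-up report once remediation has removed the autorun,
# stopped the process and installed the missing update.
REPORT_BEFORE: Report = {
    "autoruns": [
        {"name": "OneDrive", "path": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "signed": True},
        {"name": "updater", "path": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe", "signed": False},
    ],
    "updates": [
        {"id": "KB-EXAMPLE-1", "severity": "critical", "installed": False},  # placeholder id
        {"id": "KB-EXAMPLE-2", "severity": "moderate", "installed": True},
    ],
    "processes": [
        {"pid": 4321, "path": "C:\\Users\\alice\\AppData\\Roaming\\updater.exe"},
        {"pid": 812, "path": "C:\\Windows\\System32\\svchost.exe"},
    ],
}

REPORT_AFTER: Report = {
    "autoruns": REPORT_BEFORE["autoruns"][:1],
    "updates": [{"id": "KB-EXAMPLE-1", "severity": "critical", "installed": True},
                {"id": "KB-EXAMPLE-2", "severity": "moderate", "installed": True}],
    "processes": REPORT_BEFORE["processes"][1:],
}

# The operator's selection for this task: all presets plus one custom filter.
SELECTED_FILTERS: Dict[str, Filter] = dict(PRESET_FILTERS, custom=autorun_running_from_profile)

if __name__ == "__main__":
    for name, findings in apply_filters(REPORT_BEFORE, SELECTED_FILTERS).items():
        print(name)
        for line in findings:
            print("  -", line)
    print("resolved after remediation:", incident_resolved(REPORT_AFTER, SELECTED_FILTERS))
```

The point of the model is that filters are independent functions over one shared report, so an operator can add a custom filter (here one that joins the autorun and process sections) without touching the presets, and the verification step is simply the same filter set applied to the next report.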
Dr.Web FixIt! does not require installation, so using it will not conflict with third-party anti-virus products that are already installed.
Who can benefit from Dr.Web FixIt!
First of all, Dr.Web FixIt! is intended for specialists whose duties include monitoring the security of computer infrastructure and analyzing information security incidents, that is, for the staff of Security Operations Centers (SOC). The service is especially relevant when appropriately qualified technical personnel have no physical access to the machine under investigation, for example when it is located in a remote branch of the organization and a thorough, comprehensive analysis of the target system cannot be performed on site.
In addition, Dr.Web FixIt! will be useful to companies whose system administrators lack the qualifications to correctly analyze computer incidents involving malware and attacks by cybercriminals. Using this solution gives businesses an opportunity to optimize the cost of maintaining technical staff. The service can also be used by independent information security specialists.
At the same time, Dr.Web FixIt! can also be used for general computer diagnostics against a wide range of criteria. This includes searching for potential conflicts between installed software, looking for errors in the standard Dr.Web anti-virus products installed on the target machine, and many other scenarios. It all depends on what information the specialist is interested in at the moment.
To summarize, the target audience of Dr.Web FixIt! is:
Employees of departments that monitor the operation of information security systems and respond to information security incidents (SOC).
Employees of information security departments of companies and organizations.
Experts and researchers in the field of information security.
Features of licensing and expert support
Dr.Web FixIt! is licensed by the number of tasks. A task is the set of activities within which the analysis and treatment of one computer is performed. Tasks have a limited validity period of 10 days, after which all generated reports remain available but new actions are no longer possible. To continue disinfecting the computer, you will need to open a new task, into which the previously created reports can be uploaded. Packages of 1, 10, 20, 50 or 100 tasks are currently available for purchase. The license term for Dr.Web FixIt! is 1 year.
If necessary, Doctor Web specialists will help you analyze the collected diagnostic data and advise on how to eliminate the consequences of an attack or other identified problems. To use this service, you must purchase an expert support certificate through the personal account of a business user. Unlike standard tasks, tasks with expert support have no life cycle restrictions: they are perpetual.
When might expert support for a task be required?
If you need help analyzing the data obtained with Dr.Web FixIt!
If you need help in eliminating the consequences of infection.
If you need to determine the potential extent of the damage based on analysis of the detected malicious files.
If you need advice on measures to minimize losses and prevent recurrence of attacks.
The Dr.Web FixIt! cloud service for the remote diagnosis of information security incidents and the elimination of their consequences allows you not only to find and neutralize cyber threats on computers running Windows, but also to improve the information security of an enterprise. It is a functional tool built on Russian technologies and on Doctor Web's own long-standing expertise. This article has covered only the basic features of the service. For a closer look, you can request demo access and then decide for yourself whether it suits your needs.