Anti-Malware Events
By default, the Deep Security Manager collects Anti-Malware Event logs from the Agents/Appliances at every heartbeat. The Event data is used to populate the various reports, graphs, and charts in the Deep Security Manager.
Once collected by the Deep Security Manager, Events are kept for a period of time which can be set from the Storage tab in the Administration > System Settings page.
The default setting is one week.
From the main page you can:
- View the properties of an individual event.
- Filter the list. Use the Period and Computer toolbars to filter the list of events.
- Export the event list data to a CSV file.
- View existing Auto-Tagging Rules.
- Search for a particular event.
Additionally, right-clicking an Event gives you the option to:
- Add Tag(s) to this event (See Event Tagging.)
- Remove Tag(s) from this event.
- View the Computer Details window of the computer that generated the log entry.
- View Quarantined File Details of the file associated with this event. (Only available if the action associated with this event was quarantined.)
Columns for the Anti-Malware Events display:
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Infected File(s): The location and name of the infected file.
- Tag(s): Event tags associated with this event.
- Malware: The name of the malware that was found.
- Scan Type: The type of scan that found the malware (Real-Time, Scheduled, or Manual).
- Action Taken: Displays the results of the actions specified in the Malware Scan Configuration associated with event.
- Cleaned: Deep Security successfully terminated processes or deleted registries, files, cookies, or shortcuts, depending on the type of malware.
- Clean Failed: Malware could not be cleaned for a variety of possible reasons.
- Deleted: An infected file was deleted.
- Delete Failed: An infected file could not be deleted for a variety of possible reasons. For example, the file may be locked by another application, is on a CD, or is in use. If possible, Deep Security will delete the infected file once it is released.
- Quarantined: An infected file was moved to the quarantine folder.
- Quarantine Failed: An infected file could not be quarantined for a variety of possible reasons. For example, the file may be locked by another application, is on a CD, or is in use. If possible, Deep Security will quarantine the infected file once it is released. It is also possible that the "Maximum disk space used to store quarantined files" (specified on the Policy/Computer Editor > Anti-Malware > Advanced tab) has been exceeded.
- Access Denied: Deep Security has prevented the infected file from being accessed without removing the file from the system.
- Passed: Deep Security did not take any action but logged the detection of the malware.
- Event Origin: Indicates from which part of the Deep Security system the event originated.
- Reason: The Malware Scan Configuration that was in effect when the malware was detected.
- Major Virus Type: The type of malware detected. Possible values are: Joke, Trojan, Virus, Test, Spyware, Packer, Generic, or Other. For information on these types of malware, see the Anti-Malware event details or see Anti-Malware.
View Event Properties
Double-clicking an event (or selecting View from the context menu) displays the Properties window for that entry, which shows all the information about the event on one page. The Tags tab displays tags that have been attached to this Event. For more information on Event tagging, see Policies > Common Objects > Other > Tags, and Event Tagging in the Reference section.
Filter the List and/or Search for an Event
Selecting "Open Advanced Search" from the "Search" drop-down menu toggles the display of the advanced search options.
The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe.
The Computers toolbar lets you organize the display of event log entries by computer groups or computer Policies.
Advanced Search functions (searches are not case sensitive):
- Contains: The entry in the selected column contains the search string
- Does Not Contain: The entry in the selected column does not contain the search string
- Equals: The entry in the selected column exactly matches the search string
- Does Not Equal: The entry in the selected column does not exactly match the search string
- In: The entry in the selected column exactly matches one of the comma-separated search string entries
- Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries
Pressing the "plus" button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).
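The same filtering can be applied offline to an exported event list. The following added example (not part of the original page or of Deep Security itself) parses a constructed CSV export using the column names listed above, implements the six case-insensitive Advanced Search operators, and uses them to pull out events whose configured action did not complete (Clean Failed, Delete Failed, Quarantine Failed), which are the entries that need follow-up.

```python
import csv
import io

# Constructed sample of an Anti-Malware Events CSV export. Column names follow the
# page; computer names, paths and malware names are made up for illustration.
SAMPLE_CSV = """Time,Computer,Infected File(s),Tag(s),Malware,Scan Type,Action Taken,Event Origin,Reason,Major Virus Type
2024-01-05 10:12:00,web01,C:\\temp\\a.exe,,Eicar_test_file,Real-Time,Quarantined,Agent,Default Real-Time Scan Configuration,Test
2024-01-05 10:15:00,web02,C:\\temp\\b.dll,,TROJ_Example,Scheduled,Quarantine Failed,Agent,Default Scheduled Scan Configuration,Trojan
2024-01-05 11:02:00,Unknown Computer,/tmp/c.sh,,Generic_Sample,Manual,Passed,Agent,Default Manual Scan Configuration,Generic
2024-01-05 11:30:00,db01,/var/tmp/d,,SPY_Example,Real-Time,Clean Failed,Agent,Default Real-Time Scan Configuration,Spyware
"""

def parse_events(text):
    """Read an exported event list into one dict per row, keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def _csv_values(s):
    # "In" / "Not In" take a comma-separated list of values; whitespace is ignored.
    return [x.strip().lower() for x in s.split(",")]

# The Advanced Search operators described on the page; searches are not case sensitive.
OPERATORS = {
    "Contains": lambda v, s: s.lower() in v.lower(),
    "Does Not Contain": lambda v, s: s.lower() not in v.lower(),
    "Equals": lambda v, s: v.lower() == s.lower(),
    "Does Not Equal": lambda v, s: v.lower() != s.lower(),
    "In": lambda v, s: v.lower() in _csv_values(s),
    "Not In": lambda v, s: v.lower() not in _csv_values(s),
}

def search(events, criteria):
    """criteria: list of (column, operator, search string). Every criterion must
    match, mirroring several search bars stacked with the plus (+) button."""
    return [ev for ev in events
            if all(OPERATORS[op](ev[col], s) for col, op, s in criteria)]

def failed_actions(events):
    """Events where the scan configuration's action could not be carried out
    (locked file, file in use, quarantine disk limit exceeded, ...)."""
    return search(events, [("Action Taken", "In",
                            "Clean Failed,Delete Failed,Quarantine Failed")])

if __name__ == "__main__":
    for ev in failed_actions(parse_events(SAMPLE_CSV)):
        print(ev["Time"], ev["Computer"], ev["Malware"], ev["Action Taken"])
```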
Export
Clicking Export... exports all or selected events to a CSV file.
Auto-Tagging...
Clicking Auto-Tagging... displays a list of existing Anti-Malware Auto-Tagging Rules.