Daniel_S
Level 12

Check if user did run a VSE full scan within time period

Hey guys,

I am currently facing a problem I am not able to solve for 100%.

I'd like to let users decide when they run a full scan with VSE, but it has to be once a month.

When I check the Threat Events I can see we have:

1202 - On-Demand Scan started

1203 - On-Demand Scan complete

1035 - Scan was cancelled

However even if I cancel a Scan-job it will still log the 1203 Event which makes it impossible for me to base queries on that.

My thoughts till now:

Do a query: Do we have a 1203 event on the system within the last 30 days?

Run a server task, first running the query and then assigning a TAG like "Scan run".

Next, run a query asking: was there a 1035 within the last 30 days? If yes, remove the TAG.

Next, run a server task that forces systems that don't have the TAG to run a full scan immediately.

BUT: If a user starts his device in the morning, starts the full scan and cancels it after 30 minutes because he needs to go to a meeting. 4 hours later he starts the scan again and waits till it's finished.

The TAG would still be removed as we still have a 1035 within the last 30 days.

Anyone here with a similar problem and maybe a solution?

Best regards

Dan

0 Kudos
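One way to handle the cancel-then-rescan case from the post is to pair events per scan run instead of per 30-day window. This is an added example, not part of the original post and not McAfee/ePO code. It assumes the threat events have been exported as (system, event ID, time) tuples and that a system runs one on-demand scan at a time; the function names and sample data are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ODS_START, ODS_COMPLETE, ODS_CANCEL = 1202, 1203, 1035  # event IDs from the post

def last_clean_scan(events):
    """Map each system to the time of its last 1203 from a run with no 1035.

    events: (system, event_id, timestamp) tuples. Assumption: one on-demand
    scan at a time per system, so every event belongs to the latest 1202.
    """
    per_system = defaultdict(list)
    for system, event_id, ts in events:
        per_system[system].append((ts, event_id))
    result = {}
    for system, rows in per_system.items():
        runs, run = [], None
        for ts, event_id in sorted(rows):
            if event_id == ODS_START:          # a new run begins
                run = {"done": None, "cancelled": False}
                runs.append(run)
            elif run is not None and event_id == ODS_COMPLETE:
                run["done"] = ts
            elif run is not None and event_id == ODS_CANCEL:
                run["cancelled"] = True        # taints this run only
        clean = [r["done"] for r in runs if r["done"] and not r["cancelled"]]
        result[system] = max(clean) if clean else None
    return result

def needs_forced_scan(events, now, window_days=30):
    """Systems with events but no clean full scan inside the window."""
    cutoff = now - timedelta(days=window_days)
    return sorted(s for s, done in last_clean_scan(events).items()
                  if done is None or done < cutoff)

NOW = datetime(2024, 6, 30, 18, 0)  # constructed sample data below
SAMPLE = [
    ("PC-A", 1202, datetime(2024, 6, 20, 8, 0)),    # cancelled morning run
    ("PC-A", 1035, datetime(2024, 6, 20, 8, 30)),
    ("PC-A", 1203, datetime(2024, 6, 20, 8, 30)),
    ("PC-A", 1202, datetime(2024, 6, 20, 12, 30)),  # finished afternoon run
    ("PC-A", 1203, datetime(2024, 6, 20, 14, 10)),
    ("PC-B", 1202, datetime(2024, 6, 25, 9, 0)),    # only a cancelled run
    ("PC-B", 1203, datetime(2024, 6, 25, 9, 20)),
    ("PC-B", 1035, datetime(2024, 6, 25, 9, 20)),
    ("PC-C", 1202, datetime(2024, 5, 10, 9, 0)),    # clean, but too old
    ("PC-C", 1203, datetime(2024, 5, 10, 11, 0)),
]
```

Systems that logged no scan events at all never appear in the result, so the output still has to be compared against the full system list before tagging.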