Check if user did run a VSE full scan within timeperiod
I am currently facing a problem I am not able to solve for 100%.
I´d like the let users decide when they run a full scan with VSE, but it has to be once in a month.
When i check the Threat Events i can see we have:
1202 - On-Demand Scan started
1203 - On-Demand Scan complete
1035 - Scan was cancelled
However even if I cancel a Scan-job it will still log the 1203 Event which makes it impossible for me to base queries on that.
My thoughts till now:
Do a query: Do we have a 1203 event on the system within the last 30 days?
run a server-task first running the query and then assign a TAG like "Scan run"
Next run a query asking for was there a 1035 within the last 30 days? If yes remove the TAG.
Next run a server-tasks that forces systems that don´t have the TAG to run a full-scan immediately.
BUT: If a user starts his device in the morning, starts the full scan and cancels it after 30 minutes because he needs to go to a meeting. 4 hours later he starts the scan again and waits till it´s finished.
The TAG would still be removed as we still have a 1035 within the last 30 days.
Anyone here with a similar problem and maybe a solution?