20 Replies Latest reply on May 19, 2011 6:43 AM by mpageaud

    Reporting for on-demand scan?

      I have a request from higher up to run an on-demand scan for all nodes. That is easy enough with ePO's schedule tasks. Now, how can I report which node ran or did not run the on-demand scan? I really don't want to collect all the on-demand scan log files and manually confirm each one.

      Help please?
      Thanks.
        • 1. RE: Reporting for on-demand scan?
          Search. I don't feel like copying for the third time.... I will give a hint: search for managed tasks.
          • 2. RE: Reporting for on-demand scan?
            Ok, this is what I found from the search

             

            Create a query...

            1. Grouped Summary Table
            Group By
            2. Event Generated Time (UTC)
            3. Analyzer Detection Method
            4. Event Description



            I understand what you said but how do I put that into a script in the query section? I am pretty clueless on SQL.
            • 3. RE: Reporting for on-demand scan?
              I should have asked before. What version of ePO are you running? What I posted before is for ePO 4.
              • 4. RE: Reporting for on-demand scan?
                It's 3.6.1
                • 5. RE: Reporting for on-demand scan?
                  See now it is not so easy if you do not know anything about SQL and not on ePO4. I would recommend getting someone to help in your office that knows SQL. Someone else here may still be on version 3 and could help out. I just do not know the DB scheme anymore.



                  I have an old script that is labeled "All Scanning Events but excludes Cookies and Event ID's 1051"

                   

                  select
                  EventDateTime as 'Date Time',
                  EventLocalDateTime as 'Local Date Time',
                  TVDEventID as 'EventID',
                  TVDSeverity as 'Severity',
                  TVDTaskName as 'Task Name',
                  UserName as 'User Name',
                  HostName as 'Computer Name',
                  HostIPAddress as 'IP Address',
                  ProductName as 'Product Name',
                  ProductVersion as 'Product Version',
                  EngineVersion as 'Engine',
                  DATVersion as 'DAT\Definition',
                  VirusName as 'Threat Name',
                  VirusType as 'Threat Type',
                  FileName as 'File Name',
                  ScanTime as 'Scan Time',
                  ActionTaken as 'Action Taken',
                  ProductID as 'Product ID',
                  cast(AgentGUID as varchar(50)) as 'Agent GUID',
                  NodeID as 'Node ID'
                  from Events
                  WHERE VirusName not like 'Cookie%'
                  AND TVDEventID not like '1051%'
                  AND TVDEventID not like '1059'
                  ORDER BY EventDateTime desc




                  Basically, you can use the above to get started and you would need to modify it to fit your needs. You would modify the bottom after "WHERE...." to pick what you want. You will want to take a look at the DB fields to find events coming back that match your "TVDTaskName".

                  In theory, without looking at the DB or knowing the task name, you may want to add something like

                   

                  WHERE VirusName not like 'Cookie%'
                  AND TVDEventID not like '1051%'
                  AND TVDEventID not like '1059%'
                  AND TVDTaskName = 'Weekly Virus Scan'
                  ORDER BY EventDateTime desc




                  From there you can select the results or export (I forget) and paste them into Excel and make all sorts of fun charts for the higher ups.


                  P.S. I would triple check this script before running it, just to make sure it is right, as I cannot confirm it actually works. I just have it as one of my old scripts.
                  • 6. RE: Reporting for on-demand scan?
                    Thanks Johonn. I will give it a try.
                    • 7. RE: Reporting for on-demand scan?
                      I sorted out the managed and ePO task name. It appears that many of the nodes did not report back on the scanning, but I know they did because I confirmed it by checking the log manually. I have approx. 2700 nodes and I was able to confirm only 380 from the events.

                      Any idea why?
                      • 8. RE: Reporting for on-demand scan?
                        What events did they report? Is it possible you do not have all the correct events being reported or are filtered out? I cannot remember if the Event Desc. is given or just the Event ID with what you are seeing, but from my report Event ID 1034 is "Scan completed. No viruses found." which should be the bulk of the events if you do not have a virus running wild in your domain. Below is a sample of the scan that was run this past weekend for us with all the possible return Event Desc's.


                         


                        March 28, 2009
                        (managed) Weekly_Virus_Scan
                        Scan completed. No viruses found.
                        Scan found infected files.
                        Unwanted program deleted.
                        Infected file deleted.
                        Scan was cancelled.
                        file infected. Undetermined clean error, deleted successfully
                        Unwanted program, clean error, deleted
                        Scan found and cleaned infected files.
                        Infected file successfully Cleaned.
                        Unwanted program, no cleaner, deleted
                        unwanted program, clean error, delete failed
                        file infected. Undetermined clean error, delete failed

                        • 9. RE: Reporting for on-demand scan?
                          I don't have many 1034. What I did instead was filter only the Task Name to contain demand, leaving Event unfiltered. Then filtered out the Computer Name and removed the duplicate. I have a lot of 1051 events.
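Added example (not part of any post in this thread, and not McAfee's code): a T-SQL coverage query that lists every inventoried node and whether any event carrying the scan's task name arrived, followed by the thread's WHERE clause run over the same rows to show how filters on VirusName and event ID can hide nodes that did report. The temp tables, host names, event ID 9999 and the NULL VirusName for clean scans are constructed assumptions; only the column names, IDs 1034 and 1051 and the task name come from the posts above.

```sql
-- Constructed sample data. #Inventory is a hypothetical stand-in for your own
-- list of managed nodes; #Events uses only columns named in the thread's script.
CREATE TABLE #Inventory (HostName varchar(64) NOT NULL PRIMARY KEY);
CREATE TABLE #Events (
    EventDateTime datetime     NOT NULL,
    HostName      varchar(64)  NOT NULL,
    TVDEventID    int          NOT NULL,
    TVDTaskName   varchar(128) NULL,
    VirusName     varchar(128) NULL   -- assumption: NULL when nothing was detected
);

INSERT INTO #Inventory VALUES ('PC-001');
INSERT INTO #Inventory VALUES ('PC-002');
INSERT INTO #Inventory VALUES ('PC-003');
INSERT INTO #Inventory VALUES ('PC-004');
INSERT INTO #Inventory VALUES ('PC-005');

-- 1034 and 1051 are the IDs mentioned in the thread; 9999 is a made-up ID.
INSERT INTO #Events VALUES ('20090328 02:10', 'PC-001', 1034, '(managed) Weekly_Virus_Scan', NULL);
INSERT INTO #Events VALUES ('20090328 02:40', 'PC-002', 1051, '(managed) Weekly_Virus_Scan', NULL);
INSERT INTO #Events VALUES ('20090328 03:05', 'PC-003', 9999, '(managed) Weekly_Virus_Scan', 'Constructed.Threat');
INSERT INTO #Events VALUES ('20090328 09:15', 'PC-004', 9999, NULL, 'Cookie-Constructed');

-- Coverage: one row per inventoried node, whether or not any event arrived.
-- Filter on task name and time window only, never on event ID or VirusName.
SELECT i.HostName,
       COUNT(e.HostName)    AS TaskEvents,
       MAX(e.EventDateTime) AS LastTaskEvent,
       CASE WHEN COUNT(e.HostName) = 0
            THEN 'no task event received' ELSE 'reported' END AS ScanStatus
FROM #Inventory AS i
LEFT JOIN #Events AS e
       ON e.HostName = i.HostName
      AND e.TVDTaskName LIKE '%Weekly_Virus_Scan%'
      AND e.EventDateTime >= '20090328'
      AND e.EventDateTime <  '20090329'
GROUP BY i.HostName
ORDER BY TaskEvents, i.HostName;

-- The thread's WHERE clause over the same rows: NULL NOT LIKE 'Cookie%' evaluates
-- to UNKNOWN, so rows with a NULL VirusName are dropped even though they show the
-- task ran, and the 1051 filter removes further evidence.
SELECT COUNT(DISTINCT HostName) AS HostsSeen
FROM #Events
WHERE VirusName NOT LIKE 'Cookie%'
  AND TVDEventID NOT LIKE '1051%'
  AND TVDTaskName LIKE '%Weekly_Virus_Scan%';

DROP TABLE #Events;
DROP TABLE #Inventory;
```

Nodes listed as "no task event received" are candidates for a manual log check or an agent-communication check, since a missing event does not by itself prove the scan did not run.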