0 Replies Latest reply on Jun 9, 2017 3:08 AM by Daniel_S

    Check if user did run a VSE full scan within time period

    Daniel_S

      Hey guys,

       

      I am currently facing a problem I am not able to solve 100%.

      I'd like to let users decide when they run a full scan with VSE, but it has to be once a month.

      When I check the Threat Events I can see we have:

      1202 - On-Demand Scan started

      1203 - On-Demand Scan complete

      1035 - Scan was cancelled

       

      However even if I cancel a Scan-job it will still log the 1203 Event which makes it impossible for me to base queries on that.

       

      My thoughts till now:

      Do a query: Do we have a 1203 event on the system within the last 30 days?

      Run a server task that first runs the query and then assigns a TAG like "Scan run".

      Next, run a query asking: was there a 1035 within the last 30 days? If yes, remove the TAG.

      Next, run a server task that forces systems that don't have the TAG to run a full scan immediately.

       

      BUT: If a user starts his device in the morning, starts the full scan and cancels it after 30 minutes because he needs to go to a meeting. 4 hours later he starts the scan again and waits till it's finished.

      The TAG would still be removed as we still have a 1035 within the last 30 days.

       

      Anyone here with a similar problem and maybe a solution?

       

      Best regards

      Dan
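
One way to handle the cancel-then-rescan case from the post is to judge each scan run separately rather than each event ID. This is an added example, not part of the original post and not an ePO feature; it assumes the threat events have been exported as (host, event ID, timestamp) rows, that runs on one system do not overlap, and that a cancelled run logs its 1035 before the next 1202.

```python
from datetime import datetime, timedelta

STARTED, COMPLETE, CANCELLED = 1202, 1203, 1035  # event IDs listed in the post

def hosts_with_uncancelled_scan(events, now, window_days=30):
    """Hosts with at least one scan run in the window that completed without a cancel.

    events: iterable of (host, event_id, timestamp); this row layout is an
    assumed export format, not an ePO schema.
    """
    cutoff = now - timedelta(days=window_days)
    by_host = {}
    for host, event_id, ts in events:
        if ts >= cutoff and event_id in (STARTED, COMPLETE, CANCELLED):
            by_host.setdefault(host, []).append((ts, event_id))

    compliant = set()
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])  # chronological, stable on equal timestamps
        run = None  # event IDs seen since the latest 1202; None before any start
        # The trailing sentinel start closes the last run so it gets evaluated.
        for _, event_id in rows + [(None, STARTED)]:
            if event_id == STARTED:
                if run is not None and COMPLETE in run and CANCELLED not in run:
                    compliant.add(host)
                run = set()
            elif run is not None:
                run.add(event_id)
    return compliant

# Constructed sample events (not real ePO data).
NOW = datetime(2017, 6, 9, 12, 0)
SAMPLE = [
    # pc-01: the scenario from the post, cancelled in the morning, finished later
    ("pc-01", 1202, datetime(2017, 6, 1, 9, 0)),
    ("pc-01", 1035, datetime(2017, 6, 1, 9, 30)),
    ("pc-01", 1203, datetime(2017, 6, 1, 9, 30)),
    ("pc-01", 1202, datetime(2017, 6, 1, 13, 30)),
    ("pc-01", 1203, datetime(2017, 6, 1, 15, 10)),
    # pc-02: only a cancelled run, which still logs 1203
    ("pc-02", 1202, datetime(2017, 6, 2, 10, 0)),
    ("pc-02", 1203, datetime(2017, 6, 2, 10, 5)),
    ("pc-02", 1035, datetime(2017, 6, 2, 10, 5)),
    # pc-03: clean scan, but older than 30 days
    ("pc-03", 1202, datetime(2017, 4, 20, 8, 0)),
    ("pc-03", 1203, datetime(2017, 4, 20, 9, 40)),
]

if __name__ == "__main__":
    print(sorted(hosts_with_uncancelled_scan(SAMPLE, NOW)))
```

A run whose 1202 falls before the 30-day cutoff is ignored even if its 1203 is inside the window, so the check errs toward requiring a fresh scan.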