The text of messages is generated by a Dr.Web Server component called the templates processor, based on template files.

The Windows network message system works only under Windows OS with Windows Messenger (Net Send) service support.
Windows Vista and later versions do not support the Windows Messenger service.

A template file consists of text and variables enclosed in braces. When editing a template file, the variables listed below can be used.
The variables are written as follows:
•{<VAR>}—substitute the current value of the <VAR> variable.
•{<VAR>:<N>}—the first <N> characters of the <VAR> variable.
•{<VAR>:<first>:<N>}—<N> characters of the <VAR> variable that follow the first <first> characters (beginning from the <first>+1 symbol); if fewer characters remain, the value is padded with spaces on the right.
•{<VAR>:<first>:-<N>}—<N> characters of the <VAR> variable that follow the first <first> characters (beginning from the <first>+1 symbol); if fewer characters remain, the value is padded with spaces on the left.
•{<VAR>/<original1>/<replace1>[/<original2>/<replace2>]}—replace the specified characters of the <VAR> variable with the given characters: <original1> characters are replaced with <replace1> characters, <original2> characters are replaced with <replace2> characters, etc. The number of substitution pairs is not limited.
•{<VAR>/<original1>/<replace1[{<SUB_VAR>}]>[/<original2>/<replace2>]}—same as the replacement described above, but the <SUB_VAR> nested variable is used. Actions with nested variables are the same as the actions with parent variables. The nesting level for recursive substitutions is not limited.
•{<VAR>/<original1>/<replace1>/<original2>/<replace2>/*/<replace3>}—same as the replacement described above, but the value from <replace3> is also substituted if none of the listed original values match. Also, if either <original1> or <original2> has not been found in <VAR>, all values will be replaced with <replace3>.

Notation of variables

| Variable | Value | Expression | Result |
|---|---|---|---|
| SYS.TIME | 10:35:17:456 | {SYS.TIME:5} | 10:35 |
| SYS.TIME | 10:35:17:456 | {SYS.TIME:3:5} | 35:17 |
| SYS.TIME | 10:35:17:456 | {SYS.TIME:3:-12} | °°°35:17:456 |
| SYS.TIME | 10:35:17:456 | {SYS.TIME:3:12} | 35:17:456°°° |
| SYS.TIME | 10:35:17:456 | {SYS.TIME/10/99/35/77} | 99:77:17.456 |

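
The substitution forms listed above can be checked offline before a template is saved. The following Python code is an added example, not part of the Dr.Web documentation or product: the function names and sample values are constructed, nested variables are not handled, and the `/*/` fallback is implemented under the assumption that it applies when none of the listed originals occurs in the value.

```python
import re

# Matches one {...} expression that has no braces inside it, so nested
# {<SUB_VAR>} substitutions are deliberately left out of this example.
_EXPR = re.compile(r"\{([^{}]+)\}")

# Constructed sample values; SYS.TIME is the value used in the table above.
SAMPLE = {
    "SYS.TIME": "10:35:17:456",
    "MSG.KeyName": "example-key",
    "MSG.Expired": "1",
}
TEMPLATE = "[{SYS.TIME:5}] key {MSG.KeyName}: {MSG.Expired/1/expired/0/not expired}"


def _name(expr):
    """Return the variable name: everything before the first ':' or '/'."""
    return re.split(r"[:/]", expr, maxsplit=1)[0]


def _cut(value, args):
    """Apply the {VAR:N}, {VAR:first:N} and {VAR:first:-N} forms."""
    if len(args) == 1:
        return value[:int(args[0])]
    if len(args) == 2:
        first, width = int(args[0]), int(args[1])
        if first < 0:
            raise ValueError("<first> must not be negative")
        part = value[first:first + abs(width)]
        # Negative width pads with spaces on the left, positive on the right.
        return part.rjust(-width) if width < 0 else part.ljust(width)
    raise ValueError("expected {VAR:N} or {VAR:first:N}")


def _swap(value, fields):
    """Apply {VAR/orig/repl[/orig/repl...][/*/default]} in a single pass."""
    if len(fields) < 2 or len(fields) % 2:
        raise ValueError("replacement needs original/replace pairs")
    mapping, default = {}, None
    for orig, repl in zip(fields[0::2], fields[1::2]):
        if orig == "*":
            default = repl
        elif not orig:
            raise ValueError("empty original value")
        else:
            mapping[orig] = repl
    if mapping:
        pattern = re.compile("|".join(re.escape(o) for o in mapping))
        if pattern.search(value):
            # One pass over the value: replaced text is never replaced again.
            return pattern.sub(lambda m: mapping[m.group(0)], value)
    # Assumption: the /*/ value is used when no listed original was found.
    return value if default is None else default


def expand(expr, values):
    """Evaluate the text between the braces of one template expression."""
    name = _name(expr)
    if name not in values:
        raise KeyError(name)
    value, rest = values[name], expr[len(name):]
    if not rest:
        return value
    if rest[0] == ":":
        return _cut(value, rest[1:].split(":"))
    return _swap(value, rest[1:].split("/"))


def render(template, values):
    """Expand every {...} expression in a template string."""
    return _EXPR.sub(lambda m: expand(m.group(1), values), template)


def unknown_variables(template, values):
    """List variable names used in the template that have no value."""
    used = {_name(m.group(1)) for m in _EXPR.finditer(template)}
    return sorted(used - set(values))


if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE))
    print(unknown_variables("{MSG.Login} from {MSG.Adress}", SAMPLE))
```

Running `unknown_variables` against the variable list of the notification type being edited catches misspelled names before the template goes live.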
Conventions
Environment Variables
To form message texts, you can use environment variables of the Dr.Web Server process (the System user).
Environment variables are available in the Control Center messages editor, in the ENV drop-down list. Please note: the variables must be specified with the ENV. prefix (the prefix ends with a dot).
System Variables
•SYS.BRANCH—system version (Dr.Web Server and Agents),
•SYS.BUILD—Dr.Web Server build date,
•SYS.DATE—current system date,
•SYS.DATETIME—current system date and time,
•SYS.HOST—Dr.Web Server DNS name,
•SYS.MACHINE—network address of a computer with Dr.Web Server installed,
•SYS.OS—operating system name of a computer with Dr.Web Server installed,
•SYS.PLATFORM—Server platform,
•SYS.PLATFORM.SHORT—short variant of SYS.PLATFORM,
•SYS.SERVER—product name (Dr.Web Server),
•SYS.TIME—current system time,
•SYS.VERSION—Dr.Web Server version.
Common Variables for Stations
•GEN.LoginTime—station login time,
•GEN.StationAddress—station address,
•GEN.StationDescription—station description,
•GEN.StationID—station unique identifier,
•GEN.StationLDAPDN—distinguished name of a station under Windows OS. Relevant for stations included into ADS/LDAP domain,
•GEN.StationMAC—station MAC address,
•GEN.StationName—station name,
•GEN.StationPrimaryGroupID—identifier of the station primary group,
•GEN.StationPrimaryGroupName—name of the station primary group,
•GEN.StationSID—security identifier of a station.
Common Variables for Repository
•GEN.CurrentRevision—current version identifier,
•GEN.Folder—product location folder,
•GEN.NextRevision—updated version identifier,
•GEN.Product—product description.
Notification Parameters and Variables by Types
Administrators
Administrator authorization failed
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on an administrator authorization error in the Control Center. The reason for the authorization failure is given in the notification text. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Login | login |
| MSG.Address | Control Center network address |
| MSG.LoginErrorCode | numeric error code |

Unknown administrator
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on an authorization attempt in the Control Center by an administrator with an unknown login. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Login | login |
| MSG.Address | network address of Dr.Web Security Control Center |

Installations
For messages of this group, you can also use common variables for stations given above.
Installation on station failed
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an error occurred during the Agent installation on a station. The error reason is given in the notification text. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Error | error message |

Installation on station successfully completed
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on successful Agent installation on a station. |
| Additional configuration | Not required. |
| Variables | Absent. |

Licenses
License key automatically updated
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a license key has been automatically updated. In this case, a new key has been successfully downloaded and propagated to all objects of the old license key. |
| Additional configuration | For detailed information on automatic license update, refer to the Administrator Manual, p. Automatic Licenses Update. |

Variables:

| Variable | Description |
|---|---|
| MSG.KeyId | Identifier of an old license key |
| MSG.KeyName | Name of an old license key |
| MSG.NewKeyId | Identifier of a new license key |
| MSG.NewKeyName | Name of a new license key |

License key blocked
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if, during the update from Dr.Web Global Update System, information on the license key blocking has been received. This key can no longer be used. |
| Additional configuration | To get detailed information on the blocking reason, please contact the technical support service. |

Variables:

| Variable | Description |
|---|---|
| MSG.KeyId | ID of a license key |
| MSG.KeyName | Name of a user of a license key |

License key cannot be automatically updated
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a license key cannot be automatically updated because the composition of licensed components differs in the current and the new keys. In this case, a new key has been successfully downloaded but not propagated to all objects of the old license key. You must replace the license key manually. |
| Additional configuration | For detailed information on automatic license update, refer to the Administrator Manual, p. Automatic Licenses Update. |

Variables:

| Variable | Description |
|---|---|
| MSG.ExpirationDate | date of license expiration |
| MSG.Expired | 1—the term has expired; 0—the term has not expired |
| MSG.KeyDifference | The reason why automatic replacement is impossible: the composition of licensed components differs in the current and the new license keys; the new license key has fewer licenses than the current license key |
| MSG.KeyId | Identifier of an old license key |
| MSG.KeyName | Name of an old license key |
| MSG.NewKeyId | Identifier of a new license key |
| MSG.NewKeyName | Name of a new license key |

License key expiration
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the license key is about to expire, and automatic license update is not available. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.ExpirationDate | date of license expiration |
| MSG.Expired | 1—the term has expired; 0—the term has not expired |
| MSG.KeyId | Identifier of a license key |
| MSG.KeyName | Name of a license key |

License limitation on a number of online stations is reached
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if, during connection of a station to Dr.Web Server, it was detected that the number of stations in the group that includes the connecting station has reached the limitation in the license key assigned to this group. In this case, the new station cannot register on Dr.Web Server. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.ID | station UUID |
| MSG.StationName | station name |

Common variables for stations given above are also available.

Licenses donation has expired
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the period of licenses donation to neighbor Dr.Web Servers from the license key of this Dr.Web Server has expired. |
| Additional configuration | The period of licenses donation to neighbor Dr.Web Servers is specified in the Administration → Dr.Web Server configuration → Licenses section. |

Variables:

| Variable | Description |
|---|---|
| MSG.ObjId | license key ID |
| MSG.Server | the neighbor Dr.Web Server name |

Limitation on a number of donated licenses is reached
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the number of requested licenses for donation to neighbor Dr.Web Servers exceeds the number of licenses that are available in the license key. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.ObjId | license key ID |

Limitation on a number of licenses in the license key
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if during the Dr.Web Server startup, it was detected that the number of stations in a group already exceeded the number of licenses in the license key assigned to this group. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.KeyId | ID of a license key |
| MSG.KeyName | license key user name |
| MSG.Licensed | number of allowed licenses |
| MSG.LicenseLimit | licenses state: 1—number of free licenses in the license key is close to the end; 2—number of free licenses in the license key has ended; 3—the license key has been assigned to more objects than allowed in this key. |
| MSG.Licensed | number of objects to which the key has been assigned |
| MSG.Total | number of licenses in the key |

Number of stations in the group is close to the license limit
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the number of stations in the group is approaching the license limitation in the key assigned to this group. |
| Additional configuration | The notification is sent when the number of available licenses left in the key is less than three licenses or less than 5% of the total number of licenses in the key. |

Variables:

| Variable | Description |
|---|---|
| MSG.Free | number of free licenses left |
| MSG.Licensed | number of stations using licenses of this group |
| MSG.Total | Total number of licenses in all keys assigned to the group. Please note: license keys of the group can also be assigned to other licensing objects. |
| GEN.StationPrimaryGroupID | primary group ID |
| GEN.StationPrimaryGroupName | primary group name |

Newbies
For messages of this group, you can also use common variables for stations given above.
Station automatically rejected
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a new station requested a connection to Dr.Web Server and has been rejected by Dr.Web Server automatically. |
| Additional configuration | The situation may occur if in the Administration → Dr.Web Server configuration → General section, for the Newbies registration mode option, the Always deny access value is set. |
| Variables | Absent. |

Station is waiting for approval
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a new station requested a connection to Dr.Web Server and an administrator must approve or reject the station manually. |
| Additional configuration | The situation may occur if in the Administration → Dr.Web Server configuration → General section, for the Newbies registration mode option, the Approve access manually value is set. |
| Variables | Absent. |

Station rejected by administrator
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a new station requested a connection to Dr.Web Server and has been rejected by an administrator manually. |
| Additional configuration | The situation may occur if in the Administration → Dr.Web Server configuration → General section, for the Newbies registration mode option, the Approve access manually value is set and an administrator selected the Anti-virus Network → Unapproved stations → Reject selected stations option for this station. |

Variables:

| Variable | Description |
|---|---|
| MSG.AdminAddress | network address of the Control Center |
| MSG.AdminName | administrator name |

Other
Epidemic in the network
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an epidemic is detected in the anti-virus network. It means that during the specified time period, more than the specified number of threats were detected in the network. |
| Additional configuration | To send epidemic notifications, you must set the Track epidemic flag in the Administration → Dr.Web Server configuration → Statistics section. Parameters on epidemic detection are set in the same section. |

Variables:

| Variable | Description |
|---|---|
| MSG.Infected | total number of detected threats |
| MSG.Virus | the most common threats |

Large number of abnormally terminated connections detected
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on a large number of abnormally terminated connections with clients: stations, Agent installers, neighbor Dr.Web Servers, Proxy Servers. |
| Additional configuration | To be able to send notifications on multiple abnormally terminated connections, you must set the Abnormally terminated connections flag in the Administration → Dr.Web Server configuration → Statistics section and configure corresponding parameters in the same section. |

Variables:

| Variable | Description |
|---|---|
| MSG.Total | number of terminated connections |
| MSG.AddrsCount | number of addresses that were disconnected |

Large number of blocks by the Application Control detected
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on a large number of blocked applications at stations by the Application Control component. |
| Additional configuration | To be able to send notifications on multiple blocked applications, you must set the Multiple blockings by Application Control flag in the Administration → Dr.Web Server configuration → Statistics section and configure corresponding parameters in the same section. |

Variables:

| Variable | Description |
|---|---|
| MSG.Total | total number of blocks |
| MSG.Profile | most common profiles according to which the block was made |

Neighbor server has not connected for a long time
| Parameter | Value |
|---|---|
| Notification sending reason | Sent according to the task in the Dr.Web Server schedule. Contains information that the neighbor Dr.Web Server has not connected to this Dr.Web Server for a long time. The date of the last connection is given in the notification text. |
| Additional configuration | The time period during which the neighbor Dr.Web Server must not connect for the notification to be sent is set in the Neighbor server has not connected for a long time task of the Dr.Web Server schedule configured in the Administration → Dr.Web Server Task Schedule. |

Variables:

| Variable | Description |
|---|---|
| MSG.LastDisconnectTime | the time when Dr.Web Server was last connected |
| MSG.StationName | the neighbor Dr.Web Server name |

Dr.Web Server log rotation error
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an error occurred during rotation of the Dr.Web Server operation log. The reason for the log rotation error is given in the notification text. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Error | message text |

Dr.Web Server log write error
| Parameter | Value |
|---|---|
| Notification sending reason | Sent when an error occurred while writing information into the Dr.Web Server operation log. The reason for the log write error is given in the notification text. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Error | message text |

Statistic report
| Parameter | Value |
|---|---|
| Notification sending reason | Sent after generation of a periodic report according to the task in the Dr.Web Server schedule. The notification also contains the path for downloading the report file. |
| Additional configuration | The report is generated according to the Statistic reports task in the Dr.Web Server schedule configured in the Administration → Dr.Web Server Task Schedule. |

Variables:

| Variable | Description |
|---|---|
| MSG.Attachment | path to the report |
| MSG.AttachmentType | MIME type |
| GEN.File | report file name |

Summary report of Preventive protection
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on receiving a large number of reports from the Preventive protection component on the network stations. |
| Additional configuration | To send a single notification on the Preventive protection report, you must set the Group reports of Preventive protection flag in the Administration → Dr.Web Server configuration → Statistics section. Parameters on reports grouping are set in the same section. |

Variables:

| Variable | Description |
|---|---|
| MSG.AutoBlockedActCount | number of processes with suspicious activity that were blocked automatically |
| MSG.AutoBlockedProc | processes with suspicious activity that were blocked automatically |
| MSG.HipsType | protected object type |
| MSG.IsShellGuard | division by type of the Preventive protection reactions at automatic blocking: blocking of unauthorized code; check the access to the protected objects |
| MSG.ShellGuardType | the most common reason for blocking unauthorized code execution at automatic event blocking |
| MSG.Total | total number of Preventive protection events detected on the network |
| MSG.UserAllowedActCount | number of processes with suspicious activity that were allowed by user |
| MSG.UserAllowedHipsType | type of the most common protected objects access to which was allowed by user |
| MSG.UserAllowedIsShellGuard | division by type of the Preventive protection reactions when the access was allowed by user: blocking of unauthorized code; check the access to the protected objects |
| MSG.UserAllowedProc | processes with suspicious activity that were allowed by user |
| MSG.UserAllowedShellGuard | the most common reason for blocking unauthorized code execution which was allowed by user |
| MSG.UserBlockedActCount | number of processes with suspicious activity that were blocked by user |
| MSG.UserBlockedHipsType | type of the most common protected objects access to which was blocked by user |
| MSG.UserBlockedIsShellGuard | division by type of the Preventive protection reactions when the access was blocked by user: blocking of unauthorized code; check the access to the protected objects |
| MSG.UserBlockedProc | processes with suspicious activity that were blocked by user |
| MSG.UserBlockedShellGuard | the most common reason for blocking unauthorized code execution which was blocked by user |

Repository
For messages of this group, you can also use common variables for repository given above.
Not enough free space on disk
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the disk where the Dr.Web Server var folder with variable data is located is running out of space. |
| Additional configuration | Disk space is considered low if less than 315 MB or fewer than 1000 nodes (for UNIX system-based OS) are left, unless these values are redefined by environment variables. |

Variables:

Common variables for repository given above are not available.

| Variable | Description |
|---|---|
| MSG.FreeInodes | the number of free inodes file descriptors (meaningful only for some UNIX system-based OS) |
| MSG.FreeSpace | free space in bytes |
| MSG.Path | the path to the folder with low free space |
| MSG.RequiredInodes | number of free inodes required for operation (meaningful only for some UNIX system-based OS) |
| MSG.RequiredSpace | free space required for operation |

Repository cannot be updated
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an error occurred during an update of the repository or a repository product from the GUS. The reason for the update error and, for a product update error, the name of the product are given in the notification text. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Error | error message |
| MSG.ExtendedError | detailed description of an error |

Repository product is up-to-date
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if during the repository updates check, it was detected that the requested product is up-to-date. In this case, an update of this product from the GUS is not required. |
| Additional configuration | Not required. |
| Variables | Absent. |

Repository product is updated
| Parameter | Value |
|---|---|
| Notification sending reason | Sent when the repository update from the GUS is successfully completed. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Added | list of added files (each name in a separate line) |
| MSG.AddedCount | number of added files |
| MSG.Deleted | list of deleted files (each name in a separate line) |
| MSG.DeletedCount | number of deleted files |
| MSG.Replaced | list of replaced files (each name in a separate line) |
| MSG.ReplacedCount | number of replaced files |

Repository update already running
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if during the Dr.Web Server update, another update was started. |
| Additional configuration | Not required. |
| Variables | Absent. |

Update of repository product is frozen
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if the repository product was frozen by an administrator. In this case, the update of this product from the GUS is not performed. |
| Additional configuration | You can manage repository products including their frozen and unfrozen states in the Administration → Detailed repository configuration section. |
| Variables | Absent. |

Update of repository product is started
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if during the repository updates check, it was detected that an update is required for the requested products. In this case, the update from the GUS is launched. |
| Additional configuration | Not required. |
| Variables | Absent. |

Stations
For messages of this group, you can also use common variables for stations given above.

In a multiserver network, it is possible to receive notifications about events on stations of neighbor Dr.Web Servers. You can enable this option when configuring neighbor Dr.Web Server connections (see Administrator Manual, the Setting Connections between Several Dr.Web Servers section).
The following notifications can be received on events on the neighbor Dr.Web Server: Security threat detected, Report of Preventive protection, Scan error, Scan statistics.

Application Control blocked the process
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an application was blocked at a station by the Application Control component. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.AppCtlAction | applied action: 0—unknown; 2—blocked; 3—blocked (not found in the trusted applications list); 5—blocked by deny rules; 7—blocked by policies settings. |
| MSG.AppCtlType | event type: 0—unknown; 1—process launch; 2—host process launch; 3—script interpreter launch; 4—module load; 5—driver load; 6—MSI setup launch; 7—new executable file dropped on disk; 8—executable file modified on disk. |
| MSG.Path | path to the blocked process |
| MSG.Profile | name of the profile according to which the block was made |
| MSG.Rule | name of the rule according to which the block was made |
| MSG.SHA256 | blocked process hash (SHA-256) |
| MSG.StationTime | station time when the process was blocked |
| MSG.Target | path to the blocked script in case of host process |
| MSG.TargetSHA256 | hash of the blocked script in case of host process (SHA-256) |
| MSG.TestMode | whether the test mode is on |
| MSG.User | user on behalf of which the blocked object was launched |

Application Control blocked the process from the known hashes of threats list
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if an application from the known hashes of threats was blocked at a station by the Application Control component. |
| Additional configuration | Notification on detection by the list of known hashes is possible only if the usage of bulletins of known threat hashes is licensed (the license in at least one of the license keys used by Dr.Web Server is sufficient). You can check the license in the information on a license key that can be found in the License Manager section, the Allowed lists of hash bulletins parameter (if the feature is not licensed, this parameter is absent). |

Variables:

| Variable | Description |
|---|---|
| MSG.AppCtlAction | applied action: 0—unknown; 2—blocked; 3—blocked (not found in the trusted applications list); 5—blocked by deny rules; 7—blocked by policies settings. |
| MSG.AppCtlType | event type: 0—unknown; 1—process launch; 2—host process launch; 3—script interpreter launch; 4—module load; 5—driver load; 6—MSI setup launch; 7—new executable file dropped on disk; 8—executable file modified on disk. |
| MSG.Document | bulletin containing the hash |
| MSG.Path | path to the blocked process |
| MSG.Profile | name of the profile according to which the block was made |
| MSG.Rule | name of the rule according to which the block was made |
| MSG.SHA256 | blocked process hash (SHA-256) |
| MSG.StationTime | station time when the process was blocked |
| MSG.Target | path to the blocked script in case of host process |
| MSG.TargetSHA256 | hash of the blocked script in case of host process (SHA-256) |
| MSG.TestMode | whether the test mode is on |
| MSG.User | user on behalf of which the blocked object was launched |

Cannot create the station account
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a new station account cannot be created on Dr.Web Server. Error details are given in the Dr.Web Server log file. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.ID | station UUID |
| MSG.StationName | station name |

Connection terminated abnormally
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on abnormal termination of a connection with a client: station, Agent installer, neighbor Dr.Web Server, Proxy Server. |
| Additional configuration | To be able to send notifications on abnormally terminated connections, you must set the Abnormally terminated connections flag in the Administration → Dr.Web Server configuration → Statistics section and configure corresponding parameters in the same section. |

Variables:

| Variable | Description |
|---|---|
| MSG.Total | number of terminated connections |
| MSG.Type | client type |

Critical error of station update
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a notification received from a station reports an error during update of anti-virus components from Dr.Web Server. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Product | updated product |
| MSG.ServerTime | local time of receipt of a message by Dr.Web Server |

Device blocked
| Parameter | Value |
|---|---|
| Notification sending reason | Sent if a notification received from a station reports that a device connected to the station has been blocked by a Dr.Web anti-virus component. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.Capabilities | device characteristics |
| MSG.Class | device class (the name of a parent group) |
| MSG.Description | device description |
| MSG.FriendlyName | user friendly name of the device |
| MSG.InstanceId | identifier of a device instance |
| MSG.User | user name |

Report of Preventive protection
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on receiving a report from the Preventive protection component from a station of this or a neighbor Dr.Web Server. |
| Additional configuration | Not required. |

Variables:

| Variable | Description |
|---|---|
| MSG.AdminName | administrator who initiated the action on a suspicious process |
| MSG.Denied | action on a suspicious process: denied; allowed |
| MSG.HipsType | protected object type |
| MSG.IsShellGuard | division by type of the Preventive protection reactions: blocking of unauthorized code; check the access to the protected objects |
| MSG.Path | path to the process with suspicious activity |
| MSG.Pid | identifier of the process with suspicious activity |
| MSG.ShellGuardType | reason for blocking unauthorized code execution |
| MSG.StationTime | time of event occurrence on a station |
| MSG.Target | path to the protected object to which the access attempt was made |
| MSG.Total | number of denials in case of automatic reaction of the Preventive protection |
| MSG.User | user who launched the suspicious process |
| MSG.UserAction | initiator of the action on a suspicious process: user; automatic reaction of the Preventive protection |
| GEN.ServerRecvLinkID | UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server) |
| GEN.ServerRecvLinkName | the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server) |
| GEN.ServerOriginatorID | UUID of the Dr.Web Server to which the station is connected from which the Preventive protection report was received |
| GEN.ServerOriginatorName | the name of the Dr.Web Server to which the station is connected from which the Preventive protection report was received |

Report of Preventive protection on threat detection by known hashes of threats
| Parameter | Value |
|---|---|
| Notification sending reason | Sent on receiving a report from the Preventive protection component from a station of this or a neighbor Dr.Web Server on threat detection from the list of known hashes of threats. |
| Additional configuration | Notification on detection by the list of known hashes is possible only if the usage of bulletins of known threat hashes is licensed (the license in at least one of the license keys used by Dr.Web Server is sufficient). You can check the license in the information on a license key that can be found in the License Manager section, the Allowed lists of hash bulletins parameter (if the feature is not licensed, this parameter is absent). |

Variables:

| Variable | Description |
|---|---|
| MSG.AdminName | administrator who initiated the action on a suspicious process |
| MSG.Denied | action on a suspicious process: denied; allowed |
| MSG.Document | bulletin containing the hash of detected threat |
| MSG.HipsType | protected object type |
| MSG.IsShellGuard | division by type of the Preventive protection reactions: blocking of unauthorized code; check the access to the protected objects |
| MSG.Path | path to the process with suspicious activity |
| MSG.Pid | identifier of the process with suspicious activity |
| MSG.SHA1 | SHA-1 hash of detected object |
| MSG.SHA256 | SHA-256 hash of detected object |
| MSG.ShellGuardType | reason for blocking unauthorized code execution |
| MSG.StationTime | time of event occurrence on a station |
| MSG.Target | path to the protected object to which the access attempt was made |
| MSG.Total | number of denials in case of automatic reaction of the Preventive protection |
| MSG.User | user who launched the suspicious process |
| MSG.UserAction | initiator of the action on a suspicious process: user; automatic reaction of the Preventive protection |
| GEN.ServerRecvLinkID | UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server) |
| GEN.ServerRecvLinkName | the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server) |
| GEN.ServerOriginatorID | UUID of the Dr.Web Server to which the station is connected from which the Preventive protection report was received |
| GEN.ServerOriginatorName | the name of Dr.Web Server to which the station is connected from which the Preventive protection report was received |

Scan error
Parameter
|
Value
|
Notification sending reason
|
Sent if a notification received from a station reports an error during scanning.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.Component
|
component name
|
MSG.Error
|
error message
|
MSG.ObjectName
|
object name
|
MSG.ObjectOwner
|
object owner
|
MSG.RunBy
|
component is launched by this user
|
MSG.ServerTime
|
event receipt time, GMT
|
GEN.ServerRecvLinkID
|
UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerRecvLinkName
|
the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerOriginatorID
|
UUID of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
GEN.ServerOriginatorName
|
the name of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
Scan error at threat detection by known hashes of threats
Parameter
|
Value
|
Notification sending reason
|
Sent if a scan error occurred during threat detection by the list of known threat hashes.
|
Additional configuration
|
Notifications on detection by the list of known hashes are possible only if the use of bulletins of known threat hashes is licensed (a license in at least one of the license keys used by Dr.Web Server is sufficient).
To check the license, open the license key information in the License Manager section and look for the Allowed lists of hash bulletins parameter (if the feature is not licensed, this parameter is absent).
|
Variables
|
MSG.Component
|
component name
|
MSG.Document
|
bulletin containing the hash of detected threat
|
MSG.Error
|
error message
|
MSG.ObjectName
|
object name
|
MSG.ObjectOwner
|
object owner
|
MSG.RunBy
|
component is launched by this user
|
MSG.SHA1
|
SHA-1 hash of detected object
|
MSG.SHA256
|
SHA-256 hash of detected object
|
MSG.ServerTime
|
event receipt time, GMT
|
GEN.ServerRecvLinkID
|
UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerRecvLinkName
|
the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerOriginatorID
|
UUID of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
GEN.ServerOriginatorName
|
the name of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
Scan statistics
Parameter
|
Value
|
Notification sending reason
|
Sent if a notification received from a station reports a scan completion. The administrative notification also contains brief scan statistics.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.Component
|
component name
|
MSG.Cured
|
number of cured objects
|
MSG.DeletedObjs
|
number of deleted objects
|
MSG.Errors
|
number of scan errors
|
MSG.Infected
|
number of infected objects
|
MSG.Locked
|
number of blocked objects
|
MSG.Modifications
|
number of objects infected with known modifications of viruses
|
MSG.Moved
|
number of moved objects
|
MSG.Renamed
|
number of renamed objects
|
MSG.RunBy
|
component is launched by this user
|
MSG.Scanned
|
number of scanned objects
|
MSG.ServerTime
|
event receipt time, GMT
|
MSG.Speed
|
processing speed in KB/s
|
MSG.Suspicious
|
number of suspicious objects
|
MSG.VirusActivity
|
number of detected viruses
|
GEN.ServerRecvLinkID
|
UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerRecvLinkName
|
the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerOriginatorID
|
UUID of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
GEN.ServerOriginatorName
|
the name of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
Security threat detected
Parameter
|
Value
|
Notification sending reason
|
Sent if a notification received from a station reports a threat detection. The administrative notification also contains detailed information on detected threats.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.Action
|
action upon a detection
|
MSG.Component
|
component name
|
MSG.InfectionType
|
threat type
|
MSG.ObjectName
|
infected object name
|
MSG.ObjectOwner
|
infected object owner
|
MSG.RunBy
|
component is launched by this user
|
MSG.ServerTime
|
event receipt time, GMT
|
MSG.Virus
|
threat name
|
GEN.ServerRecvLinkID
|
UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerRecvLinkName
|
the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerOriginatorID
|
UUID of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
GEN.ServerOriginatorName
|
the name of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
Security threat detected by known hashes of threats
Parameter
|
Value
|
Notification sending reason
|
Sent if a notification received from a station reports a threat detection by the list of known threat hashes. The administrative notification also contains detailed information on detected threats.
|
Additional configuration
|
Notifications on detection by the list of known hashes are possible only if the use of bulletins of known threat hashes is licensed (a license in at least one of the license keys used by Dr.Web Server is sufficient).
To check the license, open the license key information in the License Manager section and look for the Allowed lists of hash bulletins parameter (if the feature is not licensed, this parameter is absent).
|
Variables
|
MSG.Action
|
action upon a detection
|
MSG.Component
|
component name
|
MSG.Document
|
bulletin containing the hash of detected threat
|
MSG.InfectionType
|
threat type
|
MSG.ObjectName
|
infected object name
|
MSG.ObjectOwner
|
infected object owner
|
MSG.RunBy
|
component is launched by this user
|
MSG.SHA1
|
SHA-1 hash of detected object
|
MSG.SHA256
|
SHA-256 hash of detected object
|
MSG.ServerTime
|
event receipt time, GMT
|
MSG.Virus
|
threat name
|
GEN.ServerRecvLinkID
|
UUID of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerRecvLinkName
|
the name of the last neighbor Dr.Web Server from which the Preventive protection report on connected stations was received (empty value if the report was received about stations connected to this Dr.Web Server)
|
GEN.ServerOriginatorID
|
UUID of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
GEN.ServerOriginatorName
|
the name of the Dr.Web Server to which the station that sent the Preventive protection report is connected
|
Station already logged in
Parameter
|
Value
|
Notification sending reason
|
Sent when a station attempts to connect to Dr.Web Server with an identifier that matches the identifier of a station already connected to this Dr.Web Server.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.ID
|
station UUID
|
MSG.Server
|
ID of the Dr.Web Server at which the station is registered
|
MSG.StationName
|
station name
|
Station approved by administrator
Parameter
|
Value
|
Notification sending reason
|
Sent if a new station requested a connection to Dr.Web Server and has been manually approved by an administrator.
|
Additional configuration
|
This situation may occur if the Newbies registration mode option in the Administration → Dr.Web Server configuration → General section is set to Approve access manually, and an administrator selected the Anti-virus Network → Unapproved stations → Approve selected stations and set a primary group option for this station.
|
Variables
|
MSG.AdminAddress
|
network address of the Control Center
|
MSG.AdminName
|
administrator name
|
Station authorization failed
Parameter
|
Value
|
Notification sending reason
|
Sent if a station provided incorrect credentials when trying to connect to Dr.Web Server. Further actions, which depend on the station approval policy, are also given in the notification.
|
Additional configuration
|
The station approval policy is set in the Newbies registration mode option of the Administration → Dr.Web Server configuration → General section.
|
Variables
|
MSG.ID
|
station UUID
|
MSG.Rejected
|
values:
•rejected—access to a station is denied
•newbie—there was an attempt to assign the "newbie" status to a station
|
MSG.StationName
|
station name
|
Station automatically approved
Parameter
|
Value
|
Notification sending reason
|
Sent if a new station requested a connection to Dr.Web Server and has been approved by Dr.Web Server automatically.
|
Additional configuration
|
This situation may occur if the Newbies registration mode option in the Administration → Dr.Web Server configuration → General section is set to Approve access automatically.
|
Variables
|
Absent.
|
Station has not connected to Dr.Web Server for a long time
Parameter
|
Value
|
Notification sending reason
|
Sent according to the task in the Dr.Web Server schedule. Contains information that the station has not connected to this Dr.Web Server for a long time. The date of last connection is given in the notification text.
|
Additional configuration
|
The period without connections from the station after which the notification is sent is set in the Station has not connected for a long time task of the Dr.Web Server schedule, configured in Administration → Dr.Web Server Task Schedule.
|
Variables
|
Common variables for stations given above are not available.
|
MSG.DaysAgo
|
number of days since the last connection to Dr.Web Server
|
MSG.LastSeenFrom
|
address of the station at the last connection to Dr.Web Server
|
MSG.StationDescription
|
station description
|
MSG.StationID
|
station UUID
|
MSG.StationMAC
|
station MAC address
|
MSG.StationName
|
station name
|
MSG.StationSID
|
station security identifier
|
Station reboot required
Parameter
|
Value
|
Notification sending reason
|
Sent if a station reboot is required for one of the following reasons:
•to complete the cure
•to apply the updates
•to change the state of hardware virtualization
•to complete the cure and apply the updates
•to complete the cure and change the state of hardware virtualization
•to apply the updates and change the state of hardware virtualization
•to complete the cure, apply the updates and change the state of hardware virtualization.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.Reason
|
reboot reason
the list of possible reboot reasons is given in the predefined template
|
Station reboot required to apply updates
Parameter
|
Value
|
Notification sending reason
|
Sent if a notification received from a station reports that the product has been installed or updated, and the station restart is required.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.Product
|
updated product
|
MSG.ServerTime
|
local time of receipt of a message by Dr.Web Server
|
Unknown station
Parameter
|
Value
|
Notification sending reason
|
Sent if a new station requested a connection to Dr.Web Server but was not admitted to the review for approval or rejection of the registration.
|
Additional configuration
|
Not required.
|
Variables
|
MSG.ID
|
UUID of unknown station
|
MSG.Rejected
|
values:
•rejected—access to a station is denied
•newbie—there was an attempt to assign the "newbie" status to a station
|
MSG.StationName
|
station name
|
|