Agent deinstalled
Called after the Agent removal operation has completed.

Database: available
Parameters:
• login - administrator's login name,
• state - completion state:
  ▫ true - success,
  ▫ false - failure,
• id - station ID,
• address - station address,
• station - station name,
• message - empty when state is true, otherwise an error message
Returned value: ignored

Hook text:
--[[
Called:
    when deinstallation of Agent completed
Database:
    available
Parameters:
    login      login name of administrator
    state      true     success
               false    failed
    id         station ID
    address    station address
    station    station name
    message    empty if state is 'true' or contains error message
Returned value:
    ignored
]]
local args = ... -- args.login, args.state, args.id
                 -- args.address, args.station, args.message
Component on station completed
Called when a "component completed" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• component - component number,
• pid - process ID,
• infections - threats detected,
• errors - access errors detected,
• exitcode - component exit code
Returned value: ignored

Hook text:
--[[
Called:
    when "component completed" event received from Agent
Database:
    available
Parameters:
    id           station ID
    address      station address
    station      station name
    component    component number
    pid          process ID
    infections   infections found
    errors       access errors detected
    exitcode     component exit code
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
                 -- args.pid, args.exitcode, args.infections, args.errors
Job executed
Called when a "job executed" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• done - execution state:
  ▫ true - executed successfully,
  ▫ false - execution failed,
• time - job completion time,
• name - job name,
• job - job ID (empty for Agents prior to version 11),
• error - error or status message
Returned value: ignored

Hook text:
--[[
Called:
    when "job executed" event received from Agent
Database:
    available
Parameters:
    id        station ID
    address   station address
    station   station name
    done      true     executed successfully
              false    execution failed
    time      job completion time
    name      job name
    job       job ID (empty for Agent prior version 11 (protocol 3.1+))
    error     error or other message
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.done,
                 -- args.name, args.job, args.time, args.error
Component on station started
Called when a "component started" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• component - component number,
• pid - process ID,
• engine - scan engine version,
• records - number of virus records,
• user - user name and group of the process owner,
• time - start time (station time)
Returned value: ignored

Hook text:
--[[
Called:
    when "component started" event received from Agent
Database:
    available
Parameters:
    id           station ID
    address      station address
    station      station name
    component    component number
    pid          process ID
    engine       virus-finding engine version
    records      virus records number
    user         user name and group (process owner)
    time         start time (station time)
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
                 -- args.pid, args.records, args.user, args.time, args.engine
Station geolocation changed
Called when the geolocation of a station is changed.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• latitude - station latitude in DD.DDDDDD format,
• longitude - station longitude in DD.DDDDDD format
Returned value: ignored

Hook text:
--[[
Called:
    when agent geolocation changed
Database:
    available
Parameters:
    id          station ID
    address     station address
    station     station name
    latitude    station latitude in DD.DDDDDD format
    longitude   station longitude in DD.DDDDDD format
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.latitude, args.longitude
Station reboot required
Called after the Dr.Web Server receives a "reboot required" message from a station.

Database: available
Parameters:
• id - station ID,
• address - station network address,
• station - station NetBIOS name; it is not replaced by the DNS name,
• product - product ID,
• description - product description,
• from_revision - current revision number,
• to_revision - new revision number,
• from_revision_date - current revision date,
• to_revision_date - new revision date
Returned value: ignored

Hook text:
--[[
Called:
    after server received 'reboot required' station message.
Database:
    available
Parameters:
    id                   station ID
    address              station network address
    station              station name (this is NetBIOS station name not replaced by DNS one)
    product              product ID
    description          product description
    from_revision        current revision number
    to_revision          new revision number
    from_revision_date   current revision date
    to_revision_date     new revision date
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.product, args.description,
                 -- args.from_revision, args.to_revision, args.from_revision_date, args.to_revision_date
Threat detected on station
Called when a "virus detected" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• component - component number,
• pid - process ID,
• time - event time (station time),
• user - user name and group of the process owner,
• object - path of the object in the file system,
• owner - user name and group of the object owner,
• virus - virus name,
• action - action code,
• objecttype - object type:
  ▫ -1 - unknown,
  ▫ 0 - file,
  ▫ 1 - boot sector,
  ▫ 2 - memory block or process,
  ▫ 3 - virus-like activity
• infectiontype - threat type (see the Dr.Web API),
• compsid - station SID,
• compmac - station MAC address,
• description - station description,
• compdn - station LDAP DN (Windows clients only),
• sha1 - SHA-1 hash of the detected object,
• sha256 - SHA-256 hash of the detected object,
• hashdb - hash bulletin (database) containing the hash
Returned value: ignored

Hook text:
--[[
Called:
    when "virus detected" event received from Agent
Database:
    available
Parameters:
    id              station ID
    address         station address
    station         station name
    component       component number
    pid             process ID
    time            event time (station time)
    user            user name and group (process owner)
    object          filesystem object path
    owner           object owner (user name and group)
    virus           virus name
    action          action code (see Dr.Web API; only errors bit set)
    objecttype      object type
                    -1   unknown
                     0   file
                     1   boot sector
                     2   memory block / process
                     3   virus like activity
    infectiontype   infection type (see Dr.Web API)
    compsid         computer sid
    compmac         computer MAC
    description     computer description
    compdn          computer LDAP DN
    sha1            object SHA-1 hash
    sha256          object SHA-256 hash
    hashdb          hash database containing object
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
                 -- args.pid, args.time, args.user, args.object, args.owner,
                 -- args.virus, args.action, args.objecttype, args.infectiontype,
                 -- args.compsid, args.compmac, args.description, args.compdn,
                 -- args.sha1, args.sha256, args.hashdb
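A worked hook body for the "virus detected" event, added here as an example (it is not code from the Dr.Web documentation): it maps the documented objecttype codes to names, quotes the attacker-influenced fields (object path, virus name) so they cannot break a log record, keeps the hashes only when they are well-formed hex, and returns one key=value line that a log forwarder could ship to a SIEM. The forwarding call itself is assumed to exist in the deployment and is not made here.

```lua
-- Added example hook body (not from the Dr.Web documentation). Uses only the
-- documented args fields and standard Lua; the chunk receives the parameter
-- table as its vararg, as the page's skeleton shows.
local args = ...

-- Object type codes as documented for the objecttype parameter.
local OBJECT_TYPES = {
  [-1] = "unknown",
  [0]  = "file",
  [1]  = "boot_sector",
  [2]  = "memory_or_process",
  [3]  = "virus_like_activity",
}

-- Quote a value so that spaces, quotes and newlines in object paths or
-- threat names cannot split or forge fields in the record.
local function quote(v)
  local s = tostring(v == nil and "" or v)
  s = s:gsub("[\\\"]", "\\%0"):gsub("\n", "\\n"):gsub("\r", "\\r")
  return '"' .. s .. '"'
end

-- Keep a hash only when it has the expected length and is pure hex.
local function hex_or_empty(h, len)
  if type(h) == "string" and #h == len and h:match("^%x+$") then
    return h:lower()
  end
  return ""
end

-- Emit fields in a fixed order so downstream parsers can rely on it.
local function format_event(a)
  local fields = {
    {"station", a.station}, {"address", a.address},
    {"sid",     a.compsid}, {"mac",     a.compmac},
    {"time",    a.time},    {"user",    a.user},
    {"object",  a.object},
    {"type",    OBJECT_TYPES[tonumber(a.objecttype)] or "unknown"},
    {"threat",  a.virus},   {"action",  a.action},
    {"sha1",    hex_or_empty(a.sha1, 40)},
    {"sha256",  hex_or_empty(a.sha256, 64)},
  }
  local parts = {}
  for _, f in ipairs(fields) do
    parts[#parts + 1] = f[1] .. "=" .. quote(f[2])
  end
  return "drweb_detection " .. table.concat(parts, " ")
end

local record = format_event(args)
-- Hand `record` to the site's log forwarder here (assumed, not shown).
return record  -- the server ignores this hook's return value
```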
Preventive protection report
Called when a preventive protection (HIPS) report is received from a station.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• time - time of the event on the station,
• pid - process ID,
• path - path of the suspicious process executable,
• target_path - path of the protected object that the process tried to access,
• hips_type - type of the protected object (numeric),
• shell_guard_type - reason unregistered code was blocked (numeric),
• denied - access was denied (true | false),
• is_user_action - the user was asked for an action (true | false),
• event_count - number of automatically blocked events (only when is_user_action is false),
• event_user - user who started the suspicious process,
• action_user - user who chose the reaction to the suspicious process (only when is_user_action is true),
• sha1 - SHA-1 hash of the detected object,
• sha256 - SHA-256 hash of the detected object,
• hashdb - hash bulletin (database) containing the hash
Returned value: ignored

Hook text:
--[[
Called:
    when HIPS event received from Agent
Database:
    available
Parameters:
    id                 station ID
    address            station address
    station            station name
    time               station time
    pid                numeric, process id
    path               process file path
    target_path        affected resource path
    hips_type          numeric, HIPS type
    shell_guard_type   numeric, Shell Guard event type
    denied             boolean, access was denied
    is_user_action     boolean, user was asked
    event_count        event number (for accumulation period - if is_user_action is false)
    event_user         user which initiated the suspicious activity
    action_user        user which allowed or denied the activity (non-empty only if is_user_action is true)
    sha1               process file SHA-1 hash
    sha256             process file SHA-256 hash
    hashdb             hash database containing process file
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.time,
                 -- args.pid, args.path, args.target_path, args.hips_type, args.shell_guard_type,
                 -- args.denied, args.is_user_action, args.event_count, args.event_user, args.action_user,
                 -- args.sha1, args.sha256, args.hashdb
Station login error
Called after an Agent connection has been rejected because of an authorization error.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• reason - disconnect reason,
• type - one of station, installer, proxy,
• compsid - station SID,
• compmac - station MAC address,
• description - station description
Returned value: ignored

Hook text:
--[[
Called:
    just after Agent connection rejected due authorization error
Database:
    available
Parameters:
    id            station ID
    address       station address
    station       station name
    reason        failure reason
    type          one of 'station' | 'installer' | 'proxy'
    compsid       station UID (SID on Windows)
    compmac       station MAC address
    description   station description
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.reason, args.type,
                 -- args.compsid, args.compmac, args.description
Station date/time error
Called when an invalid time/date is detected on a station.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• now - Dr.Web Server time (in milliseconds),
• time - station time (in milliseconds),
• valid_delta - allowed time difference (in milliseconds)
Returned value: ignored

Hook text:
--[[
Called:
    when invalid station time/date detected
Database:
    available
Parameters:
    id            station ID
    address       station address
    station       station name
    now           server time (in milliseconds)
    time          station time (in milliseconds)
    valid_delta   valid time delta (in milliseconds)
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station,
                 -- args.now, args.time, args.valid_delta
Station update failed
Called after the Dr.Web Server receives an "update failed" message from a station.

Database: available
Parameters:
• id - station ID,
• address - station network address,
• station - station NetBIOS name; it is not replaced by the DNS name,
• product - product ID,
• description - product description,
• from_revision - current revision number,
• to_revision - new revision number,
• from_revision_date - current revision date,
• to_revision_date - new revision date
Returned value: ignored

Hook text:
--[[
Called:
    after server received 'update failed' station message.
Database:
    available
Parameters:
    id                   station ID
    address              station network address
    station              station name (this is NetBIOS station name not replaced by DNS one)
    product              product ID
    description          product description
    from_revision        current revision number
    to_revision          new revision number
    from_revision_date   current revision date
    to_revision_date     new revision date
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.product, args.description,
                 -- args.from_revision, args.to_revision, args.from_revision_date, args.to_revision_date
Station scan error
Called when a "scan error" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• component - component number,
• pid - process ID,
• time - event time (station time),
• user - user name and group of the process owner,
• object - path of the object in the file system,
• owner - user name and group of the object owner,
• action - action code,
• compsid - station SID,
• compmac - station MAC address,
• description - station description,
• ldapdn - station LDAP DN (Windows clients only),
• sha1 - SHA-1 hash of the detected object,
• sha256 - SHA-256 hash of the detected object,
• hashdb - hash bulletin (database) containing the hash
Returned value: ignored

Hook text:
--[[
Called:
    when "scan error" event received from Agent
Database:
    available
Parameters:
    id            station ID
    address       station address
    station       station name
    component     component number
    pid           process ID
    time          event time (station time)
    user          user name and group (process owner)
    object        filesystem object path
    owner         object owner (user name and group)
    action        action code (error bit(s) set)
    compsid       computer SID
    compmac       computer MAC
    description   computer description
    ldapdn        computer LDAP DN
    sha1          object SHA-1 hash
    sha256        object SHA-256 hash
    hashdb        hash database containing object
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
                 -- args.pid, args.time, args.user, args.object, args.owner,
                 -- args.action, args.compsid, args.compmac, args.description, args.ldapdn,
                 -- args.sha1, args.sha256, args.hashdb
Components list received
Called when the Agent reports its list of installed components.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• count - number of components listed,
• component_0 - component name,
• time_0 - installation time,
• from_0 - installation source (Dr.Web Server address, MSI, etc.),
• path_0 - installation path
Returned value: ignored

Hook text:
--[[
Called:
    when Agent reported installed components
Database:
    available
Parameters:
    id            station ID
    address       station address
    station       station name
    count         number of components reported
    component_0   component name
    time_0        installation time
    from_0        installation source (server address, MSI, etc)
    path_0        installation path
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.count,
                 -- args.component_0, args.time_0, args.from_0, args.path_0,
                 -- args.component_1, args.time_1, args.from_1, args.path_1,
                 -- ...
Virus bases information received
Called when the Agent sends information about its virus bases.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• count - number of virus bases,
• name_0 - virus base file name,
• md5_0 - MD5 of the virus base file,
• version_0 - virus base version,
• issued_0 - virus base issue date and time,
• records_0 - number of records in the virus base,
• type_0 - virus base type
Returned value: ignored

Hook text:
--[[
Called:
    when Agent sent virus bases information
Database:
    available
Parameters:
    id          station ID
    address     station address
    station     station name
    count       number of found virus bases
    name_0      virus base file name
    md5_0       virus base file MD5
    version_0   virus base version
    issued_0    virus base issue date and time
    records_0   number of records
    type_0      virus base type
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.count,
                 -- args.name_0, args.md5_0, args.version_0,
                 -- args.issued_0, args.records_0, args.type_0,
                 -- args.name_1, args.md5_1, args.version_1,
                 -- args.issued_1, args.records_1, args.type_1,
                 -- ...
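Both the "components list received" and the "virus bases information received" hooks deliver their items as indexed parameters (component_0, name_1, ...) rather than as arrays. The helper below, an added example that is not code from the Dr.Web documentation, collects such fields into records and then uses them for two defensive checks: components whose installation source is not the expected server address, and an index of virus bases by file name whose MD5 and record counts can be compared with the server's own copy. It assumes the indices run from 0 to count-1, as the skeletons' "_0, _1, ..." listing indicates; SERVER_ADDR is a placeholder to be set per deployment.

```lua
-- Added example helper (not from the Dr.Web documentation); standard Lua only.
-- Collect args.<field>_<i> for i = 0 .. count-1 into an array of records.
local function indexed_records(a, fields)
  local n = tonumber(a.count) or 0
  local out = {}
  for i = 0, n - 1 do
    local rec = {}
    for _, f in ipairs(fields) do
      rec[f] = a[f .. "_" .. i]
    end
    out[#out + 1] = rec
  end
  return out
end

-- "components reported" hook: return components whose installation source is
-- not the expected Dr.Web Server address (placeholder; set per deployment).
local SERVER_ADDR = "SERVER_ADDRESS_PLACEHOLDER"
local function unexpected_sources(a)
  local flagged = {}
  local comps = indexed_records(a, {"component", "time", "from", "path"})
  for _, c in ipairs(comps) do
    if c.from ~= SERVER_ADDR then
      flagged[#flagged + 1] = c   -- e.g. an MSI or other out-of-band install
    end
  end
  return flagged
end

-- "virus bases information" hook: index bases by file name so MD5 and record
-- counts can be compared against the server's reference set (not shown here).
local function bases_by_name(a)
  local idx = {}
  local fields = {"name", "md5", "version", "issued", "records", "type"}
  for _, b in ipairs(indexed_records(a, fields)) do
    if b.name then
      idx[b.name] = {
        md5     = (b.md5 or ""):lower(),
        records = tonumber(b.records) or 0,
        version = b.version, issued = b.issued, type = b.type,
      }
    end
  end
  return idx
end

-- In a hook body the chunk's vararg is the parameter table:
--   local args = ...
--   local flagged = unexpected_sources(args)   -- components hook
--   local bases   = bases_by_name(args)        -- virus bases hook
```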
Station status
Called when the Agent reports the status of its components, virus bases and some local policies (sending events, receiving updates and jobs).

Database: available
Parameters:
• events - event notification:
  ▫ true - the Agent sends event information,
  ▫ false - the Agent does not send event information,
• jobs - job acceptance (scheduled jobs, remote scan jobs):
  ▫ true - the Agent accepts jobs,
  ▫ false - the Agent does not accept jobs,
• updates - update acceptance:
  ▫ true - the Agent accepts updates,
  ▫ false - the Agent does not accept updates
Returned value: ignored

Hook text:
--[[
Called:
    when Agent reports its local policy
Database:
    available
Parameters:
    events    true     Agent sends events
              false    Agent does not send events
    jobs      true     Agent accepts jobs (schedule & remote scan)
              false    Agent does not accept jobs
    updates   true     Agent accepts updates
              false    Agent does not accept updates
Returned value:
    ignored
]]
local args = ... -- args.events, args.jobs, args.updates
Station authorizing
Called when a station attempts to log in (its ID and password have already been checked and are valid and known).

Database: available
Parameters:
• id - station ID,
• connected - whether a station with this ID is already connected to the Dr.Web Server:
  ▫ true - another station with this ID is already connected to the Dr.Web Server,
  ▫ false - no station with this ID is connected,
• current_address - network address of the already connected station with this ID (non-empty only when connected is true),
• current_name - name of the already connected station with this ID,
• last_address - network address of the station with this ID at its last connection,
• last_time - time the station with this ID was last seen,
• last_server - Dr.Web Server the station with this ID last connected to,
• new_name - name of the station that is connecting now,
• new_address - network address of the station that is connecting now
Returned value:
• string - result of the station's connection request:
  ▫ nil - Dr.Web Server default action,
  ▫ deny - deny the station's login,
  ▫ force - allow the login even if another station with this ID is already connected (the connected station is disconnected),
  ▫ newbie - treat the station as a newbie (new station)

Hook text:
--[[
Called:
    when station tries to authorize (id and password already checked, valid and known)
Database:
    available
Parameters:
    id                station ID
    connected         true     station with same ID already connected to server
                      false    no station with same ID connected
    current_address   already connected station network address (not empty only if 'connected' is true)
    current_name      last connected station name
    last_address      last disconnected station network address
    last_time         last disconnected station seen time
    last_server       last connected station server
    new_name          now connecting station name
    new_address       now connecting station network address
Returned value:
    nil               default server behavior
    string 'deny'     deny authorization for station
           'force'    allow authorization even if other station with same ID already connected (by disconnecting it)
           'newbie'   reset station to newbie
    Procedure from next set will be called if returned nothing.
]]
local args = ... -- args.id, args.connected, args.current_address, args.current_name, args.last_address,
                 -- args.last_time, args.last_server, args.new_name, args.new_address
-- no return => `nil' value
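This is the one hook on the page whose return value steers the server, so a worked body is useful. The example below is added here and is not code from the Dr.Web documentation; it uses only the documented args fields and standard Lua, and implements a duplicate-ID policy: a reconnect from the same host (same address and name) displaces the stale session with 'force', a second host presenting an ID that is already in use is refused with 'deny' so the collision can be investigated, and everything else falls through to the server default (nil).

```lua
-- Added example hook body (not from the Dr.Web documentation). The chunk
-- receives the parameter table as its vararg, as the page's skeleton shows,
-- and returns nil, 'deny', 'force' or 'newbie'.
local args = ...

-- Policy:
--   no station with this ID connected            -> nil    (server default)
--   same ID connected from the same host         -> 'force' (stale session
--                                                   from the same address/name)
--   same ID connected from a different host      -> 'deny'  (ID collision:
--                                                   keep the existing session,
--                                                   refuse the newcomer)
local function decide(a)
  if not a.connected then
    return nil
  end
  local current_addr = a.current_address or ""
  local incoming_addr = a.new_address or ""
  local same_host = current_addr ~= ""
                and current_addr == incoming_addr
                and a.current_name == a.new_name
  if same_host then
    return 'force'
  end
  return 'deny'
end

return decide(args)
```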
Station connected
Called when an Agent has connected successfully.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• os - station operating system,
• platform - station platform,
• compsid - station SID,
• compmac - station MAC address,
• description - station description
Returned value: ignored

Hook text:
--[[
Called:
    when Agent connected successfully
Database:
    available
Parameters:
    id            station ID
    address       station address
    station       station name
    os            station os
    platform      station platform
    compsid       station UID (Security ID on Windows)
    compmac       station MAC address
    description   station description
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.os, args.platform,
                 -- args.compsid, args.compmac, args.description
Station created
Called when the creation of a station has completed.

Database: available
Parameters:
• login - administrator's login name,
• id - station ID,
• name - station name,
• state - operation completion state:
  ▫ 0 - created successfully,
  ▫ 1 - operation failed (database error),
  ▫ 2 - operation timed out (database overloaded),
  ▫ 3 - no free license,
  ▫ 4 - station already exists
Returned value: ignored

Hook text:
--[[
Called:
    when station create completed
Database:
    available
Parameters:
    login   administrator's login name
    id      station ID
    name    station name
    state   operation completion state:
            0   created successfully
            1   operation failed (database error)
            2   operation timed out (database overloaded)
            3   no free license
            4   already exists
Returned value:
    ignored
]]
local args = ... -- args.login, args.id, args.name, args.state
Station deleted
Called when a station is deleted.

Database: available
Parameters:
• login - administrator's login name,
• id - station ID
Returned value: ignored

Hook text:
--[[
Called:
    when station deleted
Database:
    available
Parameters:
    login   administrator's login name
    id      station id
Returned value:
    ignored
]]
local args = ... -- args.login, args.id
Station scan statistics
Called when a "scan statistics" event is received from the Agent.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• component - component number,
• pid - process ID,
• user - user name and group of the process owner,
• time - event time (station time),
• size - total size of all scanned objects,
• elapsedtime - elapsed time,
• scanned - number of scanned objects,
• infected - number of objects infected by known viruses,
• modifications - number of objects infected by virus modifications,
• suspicious - number of suspicious objects,
• cured - number of cured files,
• deleted - number of deleted files,
• renamed - number of renamed files,
• moved - number of quarantined files,
• locked - number of locked files (SpIDer Guard only),
• errors - number of files not scanned because of access errors
Returned value: ignored

Hook text:
--[[
Called:
    when "scan statistics" event received from Agent
Database:
    available
Parameters:
    id              station ID
    address         station address
    station         station name
    component       number of component
    pid             process ID
    user            user name and group (process owner)
    time            event time (station time)
    size            summary size of all scanned objects
    elapsedtime     elapsed time
    scanned         number of scanned objects
    infected        number of objects infected by known virus
    modifications   number of objects infected by virus modification
    suspicious      number of suspicious objects
    cured           number of cured files
    deleted         number of deleted files
    renamed         number of renamed files
    moved           number of quarantined files
    locked          number of locked files (SpIDer Guard only)
    errors          number of not scanned files (due access error)
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
                 -- args.pid, args.time, args.user, args.scanned,
                 -- args.infected, args.modifications, args.suspicious,
                 -- args.cured, args.deleted, args.renamed, args.moved,
                 -- args.locked, args.errors, args.size, args.elapsedtime
Agent installation
Called after an "installation" event is received.

Database: available
Parameters:
• id - installation ID (note: this is not the station ID),
• address - station address,
• station - station name,
• event - event type:
  ▫ 0 - installation started,
  ▫ 1 - completed successfully,
  ▫ 2 - rejected,
  ▫ 3 - timed out,
  ▫ 4 - failed,
  ▫ 5 - incomplete
• message - error message (empty if there is no error),
• sessionid - installation session ID
Returned value: ignored

Hook text:
--[[
Called:
    when "installation" event occurred
Database:
    available
Parameters:
    id          installation ID (not station!)
    address     station address
    station     station name
    event       event type:
                0   installation begin
                1   successfully completed
                2   rejected
                3   timed out
                4   failed
                5   incomplete
    message     error message (or empty if there is no error)
    sessionid   installation session ID
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station,
                 -- args.event, args.message, args.sessionid
Device blocked
Called when a device is blocked on a station.

Database: available
Parameters:
• id - station ID,
• address - station address,
• station - station name,
• user - user name,
• instance_id - device instance identifier,
• friendly_name - device friendly name,
• description - device description,
• guid - device GUID,
• class - device class (parent group),
• blocktime - time when the device was blocked on the station,
• blockrcvtime - time when the Dr.Web Server received the alert
Returned value: ignored

Hook text:
--[[
Called:
    when device on station blocked
Database:
    available
Parameters:
    id              station ID
    address         station address
    station         station name
    user            user name
    instance_id     device instance id
    friendly_name   device friendly name
    description     device description
    guid            device guid
    class           device group class guid
    blocktime       time when station was blocked
    blockrcvtime    time when server received alert
Returned value:
    ignored
]]
local args = ... -- args.id, args.address, args.station, args.user, args.instance_id,
                 -- args.friendly_name, args.description, args.guid, args.class,
                 -- args.station_time, args.recv_time