|
Component completed on station of neighbor Dr.Web Server
Called when the component completed event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•component — component number
•pid — process ID
•infections — threats detected
•errors — access errors detected
•exitcode — component exit code
•time — end time (station time) |
ignored
|
Procedure text:
--[[
Called:
when "component completed" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
component component number
pid process ID
infections infections found
errors access errors detected
exitcode component exit code
time end time (station time)
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname, args.time
-- args.component, args.pid, args.infections
-- args.errors, args.exitcode
|
Component started on station of neighbor Dr.Web Server
Called when the event component started is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•component — component number
•pid — process ID
•engine — virus-finding engine version
•records — virus records number
•user — user name and group of process owner
•time — start time (station time) |
ignored
|
Procedure text:
--[[
Called:
when "component started" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
component component number
pid process ID
engine virus-finding engine version
records virus records number
user user name and group (process owner)
time start time (station time)
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.component, args.pid, args.engine
-- args.records, args.user, args.time
|
Geolocation of neighbor Dr.Web Server or station of neighbor Dr.Web Server changed
Called when geolocation event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•latitude — latitude in the DD.DDDDDD format
•longitude — longitude in the DD.DDDDDD format |
ignored
|
Procedure text:
--[[
Called:
when "geolocation" event received from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
latitude latitude in DD.DDDDDD format
longitude longitude in DD.DDDDDD format
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.latidue,args.longitude
-- ...
|
Hardware and software on station of neighbor Dr.Web Server are changed
Called when environment changed event received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•group_name — name of a station primary group
•category — environment category |
ignored
|
Procedure text:
--[[
Called:
when "environment changed" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
group_name station primary group name
category environment category
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,args.stationname,
-- args.group_name, args.category
|
Security threat detected on a station of neighbor Dr.Web Server
Called when the virus detected event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•component — component number
•pid — process ID
•time — time of event occurrence (station time)
•user — user name and group of process owner
•object — path to the object in the file system
•owner — user name and group of object owner
•action — action code
•objecttype — object type:
▫-1 — unknown
▫0 — file
▫1 — boot sector
▫2 — memory block or process
▫3 — viral activity
•infectiontype — threat type (see Dr.Web API)
•sha1 — SHA-1 hash of detected object |
ignored
|
Procedure text:
--[[
Called:
when "" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
component component number
pid process ID
time event time (station time)
user user name and group (process owner)
object filesystem object path
owner object owner (user name and group)
action action code (see Dr.Web API; only errors bit set)
objecttype object type
-1 unknown
0 file
1 boot sector
2 memory block / process
3 virus like activity
infectiontype infection type (see Dr.Web API)
sha1 object SHA-1 hash
sha256 object SHA-256 hash
hashdb hash database containing object
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.component, args.pid, args.time, args.user,
-- args.object, args.owner,
-- args.action, args.objecttype, args.infectiontype,
-- args.sha1, args.sha256, args.hashdb
|
Report of Preventive protection from the neighbor Dr.Web Server
Called when the Preventive protection report received for a station from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•pid — process ID
•path — executable path of a process with suspicious activity
•target_path — path to the protected object to which the access attempt was made
•hips_type — protected object type (numeric)
•shell_guard_type — blocking reason of unauthorized code execution (numeric)
•denied — access was denied (true | false)
•is_user_action — action was requiested from a user (true | false)
•event_count — number of automatically denied events (if the is_user_action is false)
•event_user — user who initiated a process with suspicious activity
•action_user — user who specified the reaction on suspicious activity of a process (if the is_user_action is true)
•event_time — time of event occurrense on a station
•recv_time — report receiving time by neighbor Dr.Web Server
•sha1 — SHA-1 hash of detected object
•sha256 — SHA-256 hash of detected object
•hashdb — bulletin containing the hash |
ignored
|
Procedure text:
--[[
Called:
when HIPS event received from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
pid numeric,process id
path process file path
target_path affected resource path
hips_type numeric, HIPS type
shell_guard_type numeric, Shell Guard event type
denied boolean, access was denied
is_user_action boolean, user was asked
event_count event number (for accumulation period - if is_user_action is false)
event_user user which initiated the suspicious activity
action_user user which allowed or denied the activity (non-empty only if is_user_action is true)
event_time station time
recv_time server originator time
sha1 process file SHA-1 hash
sha256 process file SHA-256 hash
hashdb hash database containing process file
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname, args.originatorid, args.originatorname,
-- args.stationid, args.stationname, args.eventid
-- args.pid, args.path, args.target_path, args.hips_type, args.shell_guard_type,
-- args.denied, args.is_user_action, args.event_count, args.event_user, args.action_user
-- args.event_time, args.recv_time, args.sha1, args.sha256, args.hashdb
|
Authorization error on neighbor Dr.Web Server
Called after connection with neighbor Dr.Web Server had been rejected because of authorization error.
Database
|
Parameters
|
Returned value
|
available
|
•id — Dr.Web Server ID
•address — Dr.Web Server address
•name — Dr.Web Server name
•reason — failure reason |
ignored
|
Procedure text:
--[[
Called:
just after server connection rejected due (authorization) error
Database:
available
Parameters:
id server ID
address server address
name server name
reason failure reason
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.name, args.reason
|
Scan error of a station of neighbor Dr.Web Server
Called when the scan error event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•component — component number
•pid — process ID
•time — time of event occurrence (station time)
•user — user name and group of process owner
•object — path to the object in the file system
•owner — user name and group of object owner
•action — action code
•sha1 — SHA-1 hash of detected object
•sha256 — SHA-256 hash of detected object
•hashdb — bulletin containing the hash |
ignored
|
Procedure text:
--[[
Called:
when "" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
component component number
pid process ID
time event time (station time)
user user name and group (process owner)
object filesystem object path
owner object owner (user name and group)
action action code (error bit(s) set)
sha1 object SHA-1 hash
sha256 object SHA-256 hash
hashdb hash database containing object
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.component, args.pid, args.time, args.user,
-- args.object, args.owner, args.action,
-- args.sha1, args.sha256, args.hashdb
|
Neighbor Dr.Web Server connected
Called when neighbor Dr.Web Server is connected.
Database
|
Parameters
|
Returned value
|
available
|
•id — Dr.Web Server ID
•address — Dr.Web Server address
•name — Dr.Web Server name |
ignored
|
Procedure text:
--[[
Called:
when server connected
Database:
available
Parameters:
id server ID
address server address
name server name
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.name
|
Station status from neighbor Dr.Web Server
Called when neighbor Dr.Web Server reports station status including states of components, virus bases and some local policies (sending events, receiving updates and tasks).
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•count — number of different status codes
•state_0 — state value
•number_0 — number of stations in state_0 |
ignored
|
Procedure text:
--[[
Called:
when "" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
count number of different status code
state_0 state value
number_0 number of the stations in 'state_0'
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.count,
-- args.state_0, args.number_0
-- args.state_1, args.number_1
-- ...
|
Station of neighbor Dr.Web Server deleted
Called when station is deleted on neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name |
ignored
|
Procedure text:
--[[
Called:
when station was deleted on neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname
-- ...
|
Scan statistic of a station of neighbor Dr.Web Server
Called when the scan statistics event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•component — component number
•pid — process ID
•user — user name and group of process owner
•time — time of event occurrence (station time)
•size — summary size of all scanned objects
•elapsedtime — elapsed time
•scanned — number of scanned objects
•infected — number of objects infected by known virus
•modifications — number of objects infected by virus modification
•suspicious — number of suspicious objects
•cured — number of cured files
•deleted — number of deleted files
•renamed — number of renamed files
•moved — number of quarantined files
•locked — number of locked files (SpIDer Guard only)
•errors — number of not scanned files due to access error |
ignored
|
Procedure text:
--[[
Called:
when "scan statistics" event recived from neighbor server
Database:
available
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID
component number of component
pid process ID
user user name and group (process owner)
time event time (station time)
size summary size of all scanned objects
elapsedtime elapsed time
scanned number of scanned objects
infected number of objects infected by known virus
modifications number of objects infected by virus modification
suspicious number of suspicious objects
cured number of cured files
deleted number of deleted files
renamed number of renamed files
moved number of quarantined files
locked number of locked files (SpIDer Guard only)
errors number of not scanned files (due access error)
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.component, args.pid, args.time, args.user,
-- args.scanned, args.infected, args.modifications,
-- args.suspicious, args.cured, args.deleted, args.renamed,
-- args.moved, args.locked, args.errors, args.size, args.elapsedtime
|
Agent installation from neighbor Dr.Web Server
Called when the installation event is received from neighbor Dr.Web Server.
Database
|
Parameters
|
Returned value
|
available
|
•neighborid — ID of neighbor Dr.Web Server from which the event is received
•neighborname — neighbor Dr.Web Server name
•originatorid — ID of Dr.Web Server that originated the event
•originatorname — name of Dr.Web Server that originated the event
•stationid — station ID
•stationname — station name
•eventid — event ID
•event — event type:
▫0 stationname — installation has begun
▫1 — installation successfully completed
▫2 — rejected
▫3 — timed out
▫4 — failed
▫5 — incomplete
•message — error message (or empty if there is no error)
•address — station address
•begtime — begin time
•endtime — end time |
ignored
|
Procedure text:
--[[
Called:
when "installation" event recived from neighbor server
Parameters:
neighborid neighbor server ID which the event received from
neighborname neighbor server name
originatorid ID of the event server originator
originatorname name of the event server originator
stationid station ID
stationname station name
eventid event ID5
event event type:
0 installation begin
1 successully completed
2 rejected
3 timed out
4 failed
5 incomplete
message error message (or empty if there is no error)
address station address
begtime begin time
endtime end time
Returned value:
ignored
]]
local args = ... -- args.neighborid, args.neighborname,
-- args.originatorid, args.originatorname,
-- args.eventid, args.stationid,
-- args.stationname,
-- args.event, args.message, args.address
-- args.begtime, args.endtime
|
|