M4. Other

Automatic update of a license key

Called when a license key is expiring.

Database: available

Parameters:

event—event type:

expire—license key is expiring, automatic update is not available

diff—new license key has been downloaded, but the set of licensed components differs between the current and the new keys. The license key must be replaced manually

renew—license key has been automatically updated

old_key—old license key content

new_key—new license key content. Available if the event type is diff or renew

Returned value: ignored

Procedure text:

--[[

Called:

 when license key expires or has been renewed

 

Database:

 available

 

Parameters:

 event       event type: "expire" - license key is expiring or has expired

                         "diff"   - received new key, but components differ from the current one

                         "renew"  - current key has been renewed, old one was deleted

 

 old_key     content of old license key    

 new_key     content of new license key, available for event type "diff" or "renew"

 

Returned value:

 ignored

 

]]

 

local args = ... -- args.event, args.old_key, args.new_key

Epidemic detected

Called when a virus epidemic is detected in the network.

Database: available

Parameters:

virus—most common threat

total—total number of detected threats

Returned value: ignored

Procedure text:

--[[

Called:

 when virus epidemic has been detected by the server

 

Database:

 available

 

Parameters:

 total            total count of viruses

 virus            most frequently detected virus name

 

Returned value:

 ignored

 

]]

 

local args = ... -- args.total, args.virus

Report of Application Control

Called when the Application Control report is received from a station.

Database: available

Parameters:

id—station ID

address—station network address

station—station name

time—time of event occurrence (station time)

sid—station SID

user—user who initiated a process with suspicious activity

type—event type

action—applied action

policy_type—matched policy type

policy_mask—matched policy mask

test_mode—event occurred in the test mode

profile_id—profile UUID used for activity blocking

profile_name—profile name used for activity blocking

rule_id—rule UUID used for activity blocking (if exists)

rule_name—rule name used for activity blocking (if exists)

process_path—path to the blocked process

process_file_sha256—process file SHA-256

process_file_version—process file version

process_file_description—process file description

process_file_origname—process file original name

process_file_prodname—process file product name

process_file_prodver—process file product version

process_file_company—process file company name

process_cert_thumbprint—process file signing certificate thumbprint (SHA-1) (if exists)

process_cert_serial—process file signing certificate serial number (if exists)

process_cert_issuer—process file signing certificate issuer (if exists)

process_cert_subject—process file signing certificate subject (if exists)

process_cert_timestamp—process file signing certificate issuance timestamp (if exists)

process_cert_not_before—process file signing certificate start timestamp (if exists)

process_cert_not_after—process file signing certificate expiration timestamp (if exists)

process_hashdb—bulletin containing the hash of process file

object_path—path to the blocked script or empty

object_file_sha256—script file SHA-256 (if exists)

object_file_version—script file version (if exists)

object_file_description—script file description (if exists)

object_file_origname—script file original name (if exists)

object_file_prodname—script file product name (if exists)

object_file_prodver—script file product version (if exists)

object_file_company—script file company name (if exists)

object_cert_thumbprint—script file signing certificate thumbprint (SHA-1) (if exists)

object_cert_serial—script file signing certificate serial number (if exists)

object_cert_issuer—script file signing certificate issuer (if exists)

object_cert_subject—script file signing certificate subject (if exists)

object_cert_timestamp—script file signing certificate issuance timestamp (if exists)

object_cert_not_before—script file signing certificate start timestamp (if exists)

object_cert_not_after—script file signing certificate expiration timestamp (if exists)

object_hashdb—bulletin containing the hash of script file

Returned value: ignored

Procedure text:

--[[

Called:

 when application control event received from Agent

 

Database:

 available

 

Parameters:

 id                 station ID

 address            station address

 station            station name

 time               station time

 sid                SID of user initiated activity

 user               name of user initiated activity

 type               event type

 action             applied action

 policy_type        matched policy type

 policy_mask        matched policy mask

 test_mode          event occurred in test mode

 profile_id         profile UUID used for activity blocking

 profile_name       profile name used for activity blocking

 rule_id            rule UUID used for activity blocking (if exist)

 rule_name          rule name used for activity blocking (if exist)

 

 process_path               path to affected process file

 process_file_sha256        process file SHA-256

 process_file_version       process file version

 process_file_description   process file description

 process_file_origname      process file original name

 process_file_prodname      process file product name

 process_file_prodver       process file product version

 process_file_company       process file company name

 process_cert_thumbprint    process file signing certificate thumbprint (SHA-1) (if exist)

 process_cert_serial        process file signing certificate serial number (if exist)

 process_cert_issuer        process file signing certificate issuer (if exist)

 process_cert_subject       process file signing certificate subject (if exist)

 process_cert_timestamp     process file signing certificate sign issuance timestamp (if exist)

 process_cert_not_before    process file signing certificate NotBefore timestamp (if exist)

 process_cert_not_after     process file signing certificate NotAfter timestamp (if exist)

 process_hashdb             hash database containing process file

 

 object_path                path to affected object file (script, etc) or empty

 object_file_sha256         object file SHA-256 (if exist)

 object_file_version        object file version (if exist)

 object_file_description    object file description (if exist)

 object_file_origname       object file original name (if exist)

 object_file_prodname       object file product name (if exist)

 object_file_prodver        object file product version (if exist)

 object_file_company        object file company name (if exist)

 object_cert_thumbprint     object file signing certificate thumbprint (SHA-1) (if exist)

 object_cert_serial         object file signing certificate serial number (if exist)

 object_cert_issuer         object file signing certificate issuer (if exist)

 object_cert_subject        object file signing certificate subject (if exist)

 object_cert_timestamp      object file signing certificate sign issuance timestamp (if exist)

 object_cert_not_before     object file signing certificate NotBefore timestamp (if exist)

 object_cert_not_after      object file signing certificate NotAfter timestamp (if exist)

 object_hashdb              hash database containing object file

 

Returned value:

 ignored

 

]]

 

local args = ...

Report of Application Control from the neighbor Dr.Web Server

Called when the Application Control report for a station is received from a neighbor Dr.Web Server.

Database: available

Parameters:

neighborid—ID of neighbor Dr.Web Server from which the event is received

neighborname—neighbor Dr.Web Server name

originatorid—ID of Dr.Web Server that originated the event

originatorname—name of Dr.Web Server that originated the event

stationid—station ID

stationname—station name

eventid—event ID

event_time—time of event occurrence on a station

sid—station SID

user—user who initiated a process with suspicious activity

type—event type

action—applied action

policy_type—matched policy type

policy_mask—matched policy mask

test_mode—event occurred in the test mode

profile_id—profile UUID used for activity blocking

profile_name—profile name used for activity blocking

rule_id—rule UUID used for activity blocking (if exists)

rule_name—rule name used for activity blocking (if exists)

process_path—path to the blocked process

process_file_sha256—process file SHA-256

process_file_version—process file version

process_file_description—process file description

process_file_origname—process file original name

process_file_prodname—process file product name

process_file_prodver—process file product version

process_file_company—process file company name

process_cert_thumbprint—process file signing certificate thumbprint (SHA-1) (if exists)

process_cert_serial—process file signing certificate serial number (if exists)

process_cert_issuer—process file signing certificate issuer (if exists)

process_cert_subject—process file signing certificate subject (if exists)

process_cert_timestamp—process file signing certificate issuance timestamp (if exists)

process_cert_not_before—process file signing certificate start timestamp (if exists)

process_cert_not_after—process file signing certificate expiration timestamp (if exists)

process_hashdb—bulletin containing the hash of process file

object_path—path to the blocked script or empty

object_file_sha256—script file SHA-256 (if exists)

object_file_version—script file version (if exists)

object_file_description—script file description (if exists)

object_file_origname—script file original name (if exists)

object_file_prodname—script file product name (if exists)

object_file_prodver—script file product version (if exists)

object_file_company—script file company name (if exists)

object_cert_thumbprint—script file signing certificate thumbprint (SHA-1) (if exists)

object_cert_serial—script file signing certificate serial number (if exists)

object_cert_issuer—script file signing certificate issuer (if exists)

object_cert_subject—script file signing certificate subject (if exists)

object_cert_timestamp—script file signing certificate issuance timestamp (if exists)

object_cert_not_before—script file signing certificate start timestamp (if exists)

object_cert_not_after—script file signing certificate expiration timestamp (if exists)

object_hashdb—bulletin containing the hash of script file

Returned value: ignored

Procedure text:

--[[

Called:

 when application control event received from neighbor server

 

Database:

 available

 

Parameters:

 neighborid         neighbor server ID which the event received from

 neighborname       neighbor server name

 originatorid       ID of the event server originator

 originatorname     name of the event server originator

 stationid          station ID

 stationname        station name

 eventid            event ID

 event_time         station time

 recv_time          server originator time

 sid                SID of user initiated activity

 user               name of user initiated activity

 type               event type

 action             applied action

 policy_type        matched policy type

 policy_mask        matched policy mask

 test_mode          event occurred in test mode

 profile_id         profile UUID used for activity blocking

 profile_name       profile name used for activity blocking

 rule_id            rule UUID used for activity blocking (if exist)

 rule_name          rule name used for activity blocking (if exist)

 

 process_path               path to affected process file

 process_file_sha256        process file SHA-256

 process_file_version       process file version

 process_file_description   process file description

 process_file_origname      process file original name

 process_file_prodname      process file product name

 process_file_prodver       process file product version

 process_file_company       process file company name

 process_cert_thumbprint    process file signing certificate thumbprint (SHA-1) (if exist)

 process_cert_serial        process file signing certificate serial number (if exist)

 process_cert_issuer        process file signing certificate issuer (if exist)

 process_cert_subject       process file signing certificate subject (if exist)

 process_cert_timestamp     process file signing certificate sign issuance timestamp (if exist)

 process_cert_not_before    process file signing certificate NotBefore timestamp (if exist)

 process_cert_not_after     process file signing certificate NotAfter timestamp (if exist)

 process_hashdb             hash database containing process file

 

 object_path                path to affected object file (script, etc) or empty

 object_file_sha256         object file SHA-256 (if exist)

 object_file_version        object file version (if exist)

 object_file_description    object file description (if exist)

 object_file_origname       object file original name (if exist)

 object_file_prodname       object file product name (if exist)

 object_file_prodver        object file product version (if exist)

 object_file_company        object file company name (if exist)

 object_cert_thumbprint     object file signing certificate thumbprint (SHA-1) (if exist)

 object_cert_serial         object file signing certificate serial number (if exist)

 object_cert_issuer         object file signing certificate issuer (if exist)

 object_cert_subject        object file signing certificate subject (if exist)

 object_cert_timestamp      object file signing certificate sign issuance timestamp (if exist)

 object_cert_not_before     object file signing certificate NotBefore timestamp (if exist)

 object_cert_not_after      object file signing certificate NotAfter timestamp (if exist)

 object_hashdb              hash database containing object file

 

Returned value:

 ignored

 

]]

 

local args = ...
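
A procedure body that fits both Application Control report procedures above (from a station and from a neighbor Dr.Web Server), given here as an added example rather than Dr.Web's own code. It writes each event as a single escaped key="value" line, because paths and file metadata originate on the station and may contain control characters or quotes. It assumes the standard Lua io library is usable inside the procedure, that the hypothetical LOG_PATH is writable, and that an empty certificate thumbprint means no signing certificate was reported.

```lua
-- Added example, not Dr.Web code. Assumptions: the standard io library is
-- usable in the procedure, LOG_PATH is a hypothetical writable path, and a
-- missing/empty *_cert_thumbprint means no signing certificate was reported.
local LOG_PATH = "/var/log/appcontrol-hook.log"

-- Paths and file metadata come from the station, so treat them as untrusted:
-- hex-escape control characters, quotes and backslashes so that one event
-- always occupies exactly one log line.
local function clean(v)
  local s = tostring(v):gsub('[%c"\\]', function(c)
    return string.format("\\x%02x", c:byte())
  end)
  return s
end

local function present(v) return v ~= nil and tostring(v) ~= "" end

-- Fields shared by both report procedures, in output order.
local FIELDS = {
  "type", "action", "test_mode", "policy_type", "policy_mask",
  "profile_name", "rule_name", "user", "sid",
  "process_path", "process_file_sha256", "process_cert_thumbprint",
  "process_cert_subject", "process_hashdb",
  "object_path", "object_file_sha256", "object_cert_thumbprint",
}

local function format_event(args)
  local out = {}
  local function add(k, v)
    if present(v) then out[#out + 1] = k .. '="' .. clean(v) .. '"' end
  end
  -- The station report and the neighbor report name these fields differently.
  add("station", args.station or args.stationname)
  add("time", args.time or args.event_time)
  add("originator", args.originatorname)
  for _, k in ipairs(FIELDS) do add(k, args[k]) end
  out[#out + 1] = "process_signed=" .. tostring(present(args.process_cert_thumbprint))
  if present(args.object_path) then
    out[#out + 1] = "object_signed=" .. tostring(present(args.object_cert_thumbprint))
  end
  return table.concat(out, " ")
end

local args = ...
if type(args) == "table" then
  local f = io.open(LOG_PATH, "a")
  if f then f:write(format_event(args), "\n"); f:close() end
end
```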

Dr.Web Proxy Server created

Called when Dr.Web Proxy Server creation is completed.

Database: available

Parameters:

login—login name of administrator

id—Dr.Web Proxy Server ID

name—Dr.Web Proxy Server name

state—operation completion state:

0—created successfully

1—operation failed (database error)

2—operation timed out (database overloaded)

4—Dr.Web Proxy Server already exists

Returned value: ignored

Procedure text:

--[[

Called:

 when proxy create completed

 

Database:

 available

 

Parameters:

 login         administrator's login name

 id            proxy ID

 name          proxy name

 state         operation completion state:

                 0  created successfully

                 1  operation failed (database error)

                 2  operation timed out (database overloaded)

                 4  already exists

 

Returned value:

 ignored

 

]]

 

local args = ... -- args.login, args.id, args.name, args.state

Dr.Web Proxy Server deleted

Called when Dr.Web Proxy Server is deleted.

Database: available

Parameters:

login—login name of administrator

id—Dr.Web Proxy Server ID

name—Dr.Web Proxy Server name

Returned value: ignored

Procedure text:

--[[

Called:

 when proxy deleted

 

Database:

 available

 

Parameters:

 login     administrator's login name

 id        proxy id

 name      proxy name

 

Returned value:

 ignored

 

]]

 

local args = ... -- args.login, args.id, args.name