|
Agent deinstalled
Called when deinstallation of Agent is completed.
Database
|
Parameters
|
Returned value
|
available
|
•login — login name of administrator
•state — completion state:
•true — success
•false — failed
•id — station ID
•address — station address
•station — station name
•message — empty if state is true, otherwise contains error message |
ignored
|
Procedure text:
--[[
Called:
when deinstallation of Agent completed
Database:
available
Parameters:
login login name of administrator
state true success
false failed
id station ID
address station address
station station name
message empty if state is 'true' or contains error message
Returned value:
ignored
]]
local args = ... -- args.login, args.state, args.id
-- args.address, args.station, args.message
|
Component completed at station
Called when the component completed event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•component — component number
•pid — process ID
•infections — threats detected
•errors — access errors detected
•exitcode — component exit code |
ignored
|
Procedure text:
--[[
Called:
when "component completed" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
component component number
pid process ID
infections infections found
errors access errors detected
exitcode component exit code
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
-- args.pid, args.exitcode, args.infections, args.errors
|
Task executed
Called when job executed event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•done — execution state:
•true — executed successfully
•false — execution failed
•time — task completion time
•name — task name
•error — error or status message |
ignored
|
Procedure text:
--[[
Called:
when "job executed" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
done true executed successfully
false execution failed
time job completion time
name job name
job job ID (empty for Agent prior version 11 (protocol 3.1+))
error error or other message
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.done,
-- args.name, args.job, args.time, args.error
|
Component started at station
Called when the component started event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•component — component number
•pid — process ID
•engine — virus-finding engine version
•records — virus records number
•user — user name and group of process owner
•time — start time (station time) |
ignored
|
Procedure text:
--[[
Called:
when "component started" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
component component number
pid process ID
engine virus-finding engine version
records virus records number
user user name and group (process owner)
time start time (station time)
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
-- args.pid, args.records, args.user, args.time, args.engine
|
Station geolocation changed
Called when station geolocation is changed.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•latitude — station latitude in the DD.DDDDDD format
•longitude — station longitude in the DD.DDDDDD format |
ignored
|
Procedure text:
--[[
Called:
when agent geolocation changed
Database:
available
Parameters:
id station ID
address station address
station station name
latitude station latitude in DD.DDDDDD format
longitude station longitude in DD.DDDDDD format
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.name, args.latitude, args.longitude
|
Station must be rebooted
Called after Dr.Web Server received the reboot required message from a station.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station network address
•station — NetBIOS name of a station. Does not replaced by DNS name
•product — product ID
•description — product description
•from_revision — current revision number
•to_revision — new revision number
•from_revision_date — current revision date
•to_revision_date — new revision date |
ignored
|
Procedure text:
--[[
Called:
after server received 'reboot required' station message.
Database:
available
Parameters:
id station ID
address station network address
station station name (this is NetBIOS station name not replaced by DNS one)
product product ID
description product description
from_revision current revision number
to_revision new revision number
from_revision_date current revision date
to_revision_date new revision date
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.product, args.description, args.from_revision, args.to_revision, args.from_revision_date, args.to_revision_date
|
Threat to a station security detected
Called when the virus detected event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•component — component number
•pid — process ID
•time — time of event occurrence (station time)
•user — user name and group of process owner
•object — path to the object in the file system
•owner — user name and group of object owner
•virus — virus name
•action — action code
•objecttype — object type:
▫-1 — unknown
▫0 — file
▫1 — boot sector
▫2 — memory block or process
▫3 — viral activity
•infectiontype — threat type (see Dr.Web API)
•compsid — station SID
•compmac — station MAC address
•description — station description
•compdn — station LDAP DN (for clients under Windows OS only)
•sha1 — SHA-1 hash of detected object
•sha256 — SHA-256 hash of detected object
•hashdb — bulletin containing the hash |
ignored
|
Procedure text:
--[[
Called:
when "virus detected" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
component component number
pid process ID
time event time (station time)
user user name and group (process owner)
object filesystem object path
owner object owner (user name and group)
virus virus name
action action code (see Dr.Web API; only errors bit set)
objecttype object type
-1 unknown
0 file
1 boot sector
2 memory block / process
3 virus like activity
infectiontype infection type (see Dr.Web API)
compsid computer sid
compmac computer MAC
description computer description
compdn computer LDAP DN
sha1 object SHA-1 hash
sha256 object SHA-256 hash
hashdb hash database containing object
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
-- args.pid, args.time, args.user, args.object, args.owner,
-- args.virus, args.action, args.objecttype, args.infectiontype
-- args.compsid, args.compmac, args.description, args.compdn
-- args.sha1, args.sha256, args.hashdb
|
Report of Preventive protection
Called when the Preventive protection report received from a station.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•time — time of event occurrence on a station
•pid — process ID
•path — executable path of a process with suspicious activity
•target_path — path to the protected object to which the access attempt was made
•hips_type — protected object type (numeric)
•shell_guard_type — blocking reason of unauthorized code execution (numeric)
•denied — access was denied (true | false)
•is_user_action — action was requested from a user (true | false)
•event_count — number of automatically denied events (if the is_user_action is false)
•event_user — user who initiated a process with suspicious activity
•action_user — user who specified the reaction on suspicious activity of a process (if the is_user_action is true)
•sha1 — SHA-1 hash of detected object
•sha256 — SHA-256 hash of detected object
•hashdb — bulletin containing the hash |
ignored
|
Procedure text:
--[[
Called:
when HIPS event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
time station time
pid numeric,process id
path process file path
target_path affected resource path
hips_type numeric, HIPS type
shell_guard_type numeric, Shell Guard event type
denied boolean, access was denied
is_user_action boolean, user was asked
event_count event number (for accumulation period - if is_user_action is false)
event_user user which initiated the suspicious activity
action_user user which allowed or denied the activity (non-empty only if is_user_action is true)
sha1 process file SHA-1 hash
sha256 process file SHA-256 hash
hashdb hash database containing process file
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.time,
-- args.pid, args.path, args.target_path, args.hips_type, args.shell_guard_type,
-- args.denied, args.is_user_action, args.event_count, args.event_user, args.action_user
-- args.sha1, args.sha256, args.hashdb
|
Station authorization failed
Called after Agent connection rejected because of authorization error.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•reason — failure reason
•type — one of station, installer, proxy
•compsid — station SID
•compmac — station MAC address
•description — station description |
ignored
|
Procedure text:
--[[
Called:
just after Agent connection rejected due authorization error
Database:
available
Parameters:
id station ID
address station address
station station name
reason failure reason
type one of 'station' | 'installer' | 'proxy'
compsid station UID (SID on Windows)
compmac station MAC address
description station description
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.reason, args.type, args.compsid, args.compmac, args.description
|
Station date/time error
Called when invalid station time/date detected.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•now — server time (in milliseconds)
•time — station time (in milliseconds)
•valid_delta — valid time delta (in milliseconds) |
ignored
|
Procedure text:
--[[
Called:
when invalid station time/date detected
Database:
available
Parameters:
id station ID
address station address
station station name
now server time (in milliseconds)
time station time (in milliseconds)
valid_delta valid time delta (in milliseconds)
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station
-- args.now, args.date, args.valid_delta
|
Station update failed
Called after Dr.Web Server received the update failed message from a station.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station network address
•station — NetBIOS name of a station. Does not replaced by DNS name
•product — product ID
•description — product description
•from_revision — current revision number
•to_revision — new revision number
•from_revision_date — current revision date
•to_revision_date — new revision date |
ignored
|
Procedure text:
--[[
Called:
after server received 'update failed' station message.
Database:
available
Parameters:
id station ID
address station network address
station station name (this is NetBIOS station name not replaced by DNS one)
product product ID
description product description
from_revision current revision number
to_revision new revision number
from_revision_date current revision date
to_revision_date new revision date
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.product, args.description, args.from_revision, args.to_revision, args.from_revision_date, args.to_revision_date
|
Station scan error
Called when the scan error event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•component — component number
•pid — process ID
•time — time of event occurrence (station time)
•user — user name and group of process owner
•object — path to the object in the file system
•owner — user name and group of object owner
•action — action code
•compsid — station SID
•compmac — station MAC address
•description — station description
•ldapdn — station LDAP DN (for clients under Windows OS only)
•sha1 — SHA-1 hash of detected object
•sha256 — SHA-256 hash of detected object
•hashdb — bulletin containing the hash |
ignored
|
Procedure text:
--[[
Called:
when "scan error" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
component component number
pid process ID
time event time (station time)
user user name and group (process owner)
object filesystem object path
owner object owner (user name and group)
action action code (error bit(s) set)
compsid computer SID
compmac computer MAC
description computer description
ldapdn computer LDAP DN
sha1 object SHA-1 hash
sha256 object SHA-256 hash
hashdb hash database containing object
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
-- args.pid, args.time, args.user, args.object, args.owner,
-- args.action, args.compsid, args.compmac, args.description, args.ldapdn
-- args.sha1, args.sha256, args.hashdb
|
List of components received
Called when Agent reports installed components list.
Database
|
Parameters
|
Returned value
|
available
|
•id — station address
•station — station name
•count — number of components reported
•component_0 — component name
•time_0 — installation time
•from_0 — installation source (Dr.Web Server address, MSI, etc.)
•path_0 — installation path |
ignored
|
Procedure text:
--[[
Called:
when Agent reported installed components
Database:
available
Parameters:
id station ID
address station address
station station name
count number of components reported
component_0 component name
time_0 installation time
from_0 installation source (server address, MSI, etc)
path_0 installation path
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.count
-- args.component_0, args.time_0, args.from_0, args.path_0
-- args.component_1, args.time_1, args.from_1, args.path_1
-- ...
|
Information on virus databases received
Called when Agent sends virus bases information.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•count — number of virus bases
•name_0 — virus base file name
•md5_0 — virus base file MD5
•version_0 — virus base version
•issued_0 — virus base issue date and time
•records_0 — number of records in virus base
•type_0 — virus base type |
ignored
|
Procedure text:
--[[
Called:
when Agent sent virus bases information
Database:
available
Parameters:
id station ID
address station address
station station name
count number of found virus bases
name_0 virus base file name
md5_0 virus base file MD5
version_0 virus base version
issued_0 virus base issue date and time
records_0 number of records
type_0 virus base type
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.count,
-- args.name_0, args.md5_0, args.version_0,
-- args.issued_0, args.records_0, args.type_0,
-- args.name_1, args.md5_1, args.version_1,
-- args.issued_1, args.records_1, args.type_1,
-- ...
|
Station status
Called when Agent reports state of components, virus bases and some local policies (sending events, receiving updates and tasks).
Database
|
Parameters
|
Returned value
|
available
|
•events — reporting on events:
▫true — Agent sends information on events
▫false — Agent does not send information on events
•jobs — accepting tasks (scheduled and remote scans):
▫true — Agent accepts tasks
▫false — Agent does not accept tasks
•updates — accepting updates:
•true — Agent accepts updates
•false — Agent does not accept updates |
ignored
|
Procedure text:
--[[
Called:
when Agent report its local policy
Database:
available
Parameters:
events true Agent send events
false Agent do not send events
jobs true Agent accept jobs (schedule & remote scan)
false Agent do not accept jobs
updates true Agent accept updates
false Agent do not accept updates
Returned value:
ignored
]]
local args = ... -- args.events, args.jobs, args.updates
|
Station authorization in progress
Called when station tries to authorize (ID and password already checked, valid and known).
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•connected — checking for stations with this ID already connected to Dr.Web Server:
▫true — other station with this ID already connected to Dr.Web Server
▫false — no other stations with this ID connected
•current_address — network address of already connected station (not empty only if connected is true)
•current_name — name of already connected station
•last_address — network address of a station with this ID at its last connection
•last_time — last seen time of a station with this ID
•last_server — Dr.Web Server of a station with this ID at its last connection
•new_name — name of connecting station
•new_address — network address of connecting station |
string — result of a request to connect the station
nil — default Dr.Web Server behavior
deny — deny authorization for station
force — allow authorization even if other station with this ID already connected (disconnect connected station)
newbie — reset station to newbie
|
Procedure text:
--[[
Called:
when station tries to authorize (id and password already checked, valid and known)
Database:
available
Parameters:
id station ID
connected true station with same ID already connected to server
false no any station with same ID connected
current_address already connected station network address (not empty only if 'connected' is true)
current_name last connected station name
last_address last disconnected station network address
last_time last disconnected station seen time
last_server last connected station server
new_name now connecting station name
new_address now connecting station network address
Returned value:
nil default server behavior
string 'deny' deny authorization for station
'force' allow authorization even if other station with same ID already connected (by disconnecting it)
'newbie' reset station to newbie
Procedure from next set will be called if returned nothing.
]]
local args = ... -- args.id, args.connected, args.current_address, args.current_name, args.last_address,
-- args.last_time, args.last_server, args.new_name, args.new_address
-- no return => `nil' value
|
Station connected
Called when Agent connected successfully.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•os — station OS
•platform — station platform
•compsid — station SID
•compmac — station MAC address
•description — station description |
ignored
|
Procedure text:
--[[
Called:
when Agent connected successfully
Database:
available
Parameters:
id station ID
address station address
station station name
os station os
platform station platform
compsid station UID (Security ID on Windows)
compmac station MAC address
description station description
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.name, args.os, args.platform, args.compsid, args.compmac, args.description
|
Station created
Called when station creation is completed.
Database
|
Parameters
|
Returned value
|
available
|
•login — login name of administrator
•id — station ID
•name — station name
•state — operation completion state:
▫0 — created successfully
▫1 — operation failed (database error)
▫2 — operation timed out (database overloaded)
▫3 — no available license
▫4 — station already exists |
ignored
|
Procedure text:
--[[
Called:
when station create completed
Database:
available
Parameters:
login administrator`s login name
id station ID
name station name
state operation completion state:
0 created successfully
1 operation failed (database error)
2 operation timed out (database overloaded)
3 no available license
4 already exists
Returned value:
ignored
]]
local args = ... -- args.login, args.id, args.name, args.state
|
Station deleted
Called when station deleted.
Database
|
Parameters
|
Returned value
|
available
|
•login — login name of administrator
•id — station ID |
ignored
|
Procedure text:
--[[
Called:
when station deleted
Database:
available
Parameters:
login administrator`s login name
id station id
Returned value:
ignored
]]
local args = ... -- args.login, args.id
|
Station scan statistic
Called when the scan statistics event is received from Agent.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•station — station name
•component — component number
•pid — process ID
•user — user name and group of process owner
•time — time of event occurrence (station time)
•size — summary size of all scanned objects
•elapsedtime — elapsed time
•scanned — number of scanned objects
•infected — number of objects infected by known virus
•modifications — number of objects infected by virus modification
•suspicious — number of suspicious objects
•cured — number of cured files
•deleted — number of deleted files
•renamed — number of renamed files
•moved — number of quarantined files
•locked — number of locked files (SpIDer Guard only)
•errors — number of not scanned files due to access error |
ignored
|
Procedure text:
--[[
Called:
when "scan statistics" event received from Agent
Database:
available
Parameters:
id station ID
address station address
station station name
component number of component
pid process ID
user user name and group (process owner)
time event time (station time)
size summary size of all scanned objects
elapsedtime elapsed time
scanned number of scanned objects
infected number of objects infected by known virus
modifications number of objects infected by virus modification
suspicious number of suspicious objects
cured number of cured files
deleted number of deleted files
renamed number of renamed files
moved number of quarantined files
locked number of locked files (SpIDer Guard only)
errors number of not scanned files (due access error)
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station, args.component,
-- args.pid, args.time, args.user, args.scanned,
-- args.infected, args.modifications, args.suspicious,
-- args.cured, args.deleted, args.renamed, args.moved,
-- args.locked, args.errors, args.size, args.elapsedtime
|
Agent installation
Called when the installation event occurred.
Database
|
Parameters
|
Returned value
|
available
|
•id — installation ID (attention: it is not station ID)
•address — station address
•station — station name
•event — event type:
▫0 — installation begin
▫1 — successfully completed
▫2 — rejected
▫3 — timed out
▫4 — failed
▫5 — incomplete
•message — error message (or empty if there is no error)
•sessionid — installation session ID |
ignored
|
Procedure text:
--[[
Called:
when "installation" event occured
Database:
available
Parameters:
id installation ID (not station!)
address station address
station station name
event event type:
0 installation begin
1 successully completed
2 rejected
3 timed out
4 failed
5 incomplete
message error message (or empty if there is no error)
sessionid installation session ID
Returned value:
ignored
]]
local args = ... -- args.id, args.address, args.station
-- args.event, args.message, args.sessionid
|
Device blocked
Called when device on station has been blocked.
Database
|
Parameters
|
Returned value
|
available
|
•id — station ID
•address — station address
•name — station name
•user — user name
•instance_id — device instance ID
•friendly_name — device friendly name
•description — device description
•guid — device GUID
•class — device class (parent group name) |
ignored
|
Procedure text:
--[[
Called:
when device on station blocked
Database:
available
Parameters:
id station ID
address station address
station station name
user user name
instance_id device instance id
friendly_name device friendly name
description device description
guid device guid
class device group class guid
blocktime time when station was blocked
blockrcvtime time when server received alert
Returned value:
ignored
]]
local args = ... -- args.id args.address args.station args.user args.instance_id
-- args.friendly_name args.description args.guid args.class
-- args.station_time args.args.recv_time
|
|