LANDESK Antivirus: Database Tables, Inventory Information, and Security Activity

Version 8

    Verified Product Versions

    LANDESK Management Suite 9.5
    LANDESK Management Suite 9.6
    LANDESK Management Suite 2016.x

    This document lists the tables in the LANDESK Database that are related to the LANDESK Antivirus product:


    The following are the tables used for LANDESK Antivirus:

     

     

    Antivirus table

     

    The information from this table shows up in the Antivirus Licensing information in the LANDESK Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security Activity tool.  This table records inventory information not only for the LANDESK Antivirus product but also for other 3rd party Antivirus products.  The table is updated by an Inventory Scan, or the data is sent directly to the Core Server through the WSVulnerabilityCore web service by the LANDESK Antivirus Service.  This information is sent under the following conditions:

     

    • After AV installation
    • After activating with a new license
    • After a scanning task is done
    • After pattern files are updated

     

    In addition, you can run "LDAV.EXE /submitallavdata" to send this information manually.

    When this information is sent to the core, LDAV.LOG records the entry "Submitting all Antivirus table information...".

    For an Inventory Scan this information is gathered through LDAVHLPR.DLL.  Periodic updates of this .DLL are provided within LANDESK Patch Content to support gathering information on newer versions of Antivirus Software.  The information gathered from each 3rd party vendor can vary.  Some information may not be applicable or available to gather through the LANDESK Inventory or Security and Compliance scan processes.

     

    [Image: AntivirusTableLeft.jpg]
    [Image: AntivirusTableRight.jpg]

    This information shows up in the Inventory of a client in this manner:

    [Image: Inventory-Info.jpg]


    This table consists of the following columns:

    Column Name                Description
    Computer_IDN               Unique database identifier for the computer associated with the Antivirus information in the following columns
    Antivirus_IDN              Unique database identifier for the Antivirus entry
    ProductName                Name of the Antivirus product
    AutoProtect                Whether the realtime scanner (AutoProtect) is enabled or not
    ProductVersion             Version of the Antivirus product
    EngineVersion              Version of the Antivirus engine
    DefVersion                 Version of the definitions that were active at the time of the last Inventory Scan or Security and Compliance Scan
    PubDate                    Publication date of the antivirus definitions (pattern files) on the client
    DefInstallDate             Time and date that the current definition files (pattern files) were updated on the client
    LastVirusScan              Last time and date a regular virus scan was executed on the client
    LastFullVirusScan          Last time and date a full virus scan was executed on the client
    LastQuickVirusScan         Last time and date a quick virus scan was executed on the client
    AgentRunning               Source of the server for the Pattern Files.  Typically this will only apply to LANDESK Antivirus
    PatternServer              Source of the server for the Pattern Files.  Typically this will only apply to LANDESK Antivirus
    LicenseExpirationDate      Date and time that the current antivirus product license expires
    LicensePeriod              Length of time in days remaining on the license
    License Number             Product license number that the client is currently using
    LicenseProductName         Name of the licensed product
    LicenseMaxCount            Total number of nodes that the license reported by the client is good for
    StartFullVirusScan         Time and date that the last full virus scan was started
    StartQuickVirusScan        Time and date that the last quick virus scan was started
    FullVirusScanCancelled     Time and date the last full virus scan was cancelled
    QuickVirusScanCancelled    Time and date the last quick virus scan was cancelled
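As an added example (not LANDESK code), the following Python check reads rows shaped like the Antivirus table above and flags the conditions a defender wants to see from this data: AutoProtect disabled, definitions older than a chosen age, and a license close to expiry. The column names are the ones documented above; the stored value types, the reference date and the sample rows are assumptions.

```python
"""Hygiene check over rows of the Antivirus table (added example, not LANDESK code).
Column names follow the table above; value types and sample rows are assumptions."""
from datetime import datetime, timedelta

# Constructed reference date for the checks, so the example runs unchanged.
REFERENCE_DATE = datetime(2016, 3, 5)

# Constructed sample rows keyed by the documented column names (dates as
# ISO strings here; the real columns are database date fields).
SAMPLE_ROWS = [
    {"Computer_IDN": 101, "ProductName": "LANDESK Antivirus", "AutoProtect": 1,
     "PubDate": "2016-03-01", "LicenseExpirationDate": "2017-01-01"},
    {"Computer_IDN": 102, "ProductName": "LANDESK Antivirus", "AutoProtect": 0,
     "PubDate": "2016-03-01", "LicenseExpirationDate": "2017-01-01"},
    {"Computer_IDN": 103, "ProductName": "Third-party AV", "AutoProtect": 1,
     "PubDate": "2016-02-01", "LicenseExpirationDate": None},
    {"Computer_IDN": 104, "ProductName": "LANDESK Antivirus", "AutoProtect": 1,
     "PubDate": "2016-03-02", "LicenseExpirationDate": "2016-03-10"},
]

def _parse(value):
    """Parse an ISO date string; None stays None (column not reported)."""
    return datetime.strptime(value, "%Y-%m-%d") if value else None

def check_row(row, now=REFERENCE_DATE, max_def_age_days=7, warn_days=30):
    """Return the findings for one row; an empty list means healthy."""
    findings = []
    if not row.get("AutoProtect"):
        findings.append("realtime scanner (AutoProtect) disabled")
    pub = _parse(row.get("PubDate"))
    if pub is None:
        findings.append("definition publication date not reported")
    elif now - pub > timedelta(days=max_def_age_days):
        findings.append("definitions older than %d days" % max_def_age_days)
    exp = _parse(row.get("LicenseExpirationDate"))
    # 3rd party products may legitimately report no license date, so a
    # missing date is not a finding; a near expiry is.
    if exp is not None and exp - now < timedelta(days=warn_days):
        findings.append("license expires within %d days" % warn_days)
    return findings

def audit(rows, now=REFERENCE_DATE):
    """Map Computer_IDN to its findings for every row that has any."""
    result = {}
    for row in rows:
        findings = check_row(row, now)
        if findings:
            result[row["Computer_IDN"]] = findings
    return result
```

Calling `audit(SAMPLE_ROWS)` returns findings for computers 102, 103 and 104 only; the thresholds are parameters so they can be matched to the pattern-file update schedule in use.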

     

    AntivirusPatches table

     

    This table lists the patches to the Antivirus product that are installed on the client.

     

    This information is sent to the Core when an Inventory Scan runs.

     

    [Image: AntiVirusPatches.jpg]

    Column Name             Description
    Computer_Idn            Unique database identifier for the computer associated with the Antivirus information in the following columns
    AntivirusPatches_Idn    Unique database identifier for the AntivirusPatches entry
    DisplayName             How the patch appears in the client interface (under the support link at the bottom of the LDAV UI)
    InstalledDate           Date and time that the patch was installed
    MoreInfoURL             If applicable, the link to go to for more information about the patch
    PatchName               Name of the patch

     

    This shows up in the Client Inventory in this location:

    [Image: LANDESKPatchesClient.jpg]

    Every time the LANDESK Antivirus service starts, during its initialization it logs patch information to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches; that information is then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches.

     

     

    InfectedFiles table

     

    This information shows up in the Security Activity tool under LANDESK Antivirus - Infections by Computer and LANDESK Antivirus - Infections by Virus.

    [Image: InfectedFiles.jpg]

    This table consists of the following columns:

    Column Name             Description
    Computer_Idn            Unique database identifier for the computer that was infected
    InfectedFiles_Idn       Unique database identifier for the file that was found to contain a virus
    Path                    Path on the client computer where the infected file was found
    Virus                   Particular virus found within the infected file
    Failure                 Description of the failure

     

     

    QuarantinedFiles table

     

    This information shows up in the Security Activity tool under LANDESK Antivirus - Quarantined Infections by computer and LANDESK Antivirus - Infections by virus.

    This table stores information about both files that have been quarantined and files that have been moved into the Backup folder.

    [Image: QuarantinedFiles.jpg]

    This table consists of the following columns:

    Column Name             Description
    Computer_Idn            Unique database identifier for the computer associated with the Antivirus information in the following columns
    QuarantinedFiles_Idn    Unique database identifier for the file that was quarantined
    Filename                Name of the quarantined file
    Status                  0 = Riskware, 1 = Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured
    Virus                   Virus that was found in the quarantined file
    OriginalLocation        Path where the file was found on the client computer
    GUIDFilename            GUID assigned to the filename
    QuarantineDate          Date and time that the file was quarantined

     

    This information shows up in the Inventory of the client under Security - Quarantined Files.  Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus.

    SecurityAction table

    This information shows up in the Security Activity tool under LANDESK Antivirus - Activity, Activity by computer, and Activity by virus.  In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.

    [Image: SecurityActionLeft.jpg]
    [Image: SecurityActionRight.jpg]

    Column Name             Description
    SecurityAction_Idn      Unique database identifier for this particular instance of a Security Action
    Computer_Idn            Unique database identifier for the computer that this Security Action relates to
    ActionTaken             Action that was taken
    ActionCode              Code type of the action that was taken
    ActionDate              Date and time that the action occurred
    Application             Application name
    MD5Hash                 MD5 hash of the file if a file was involved
    SHA1Hash                SHA1 hash of the file if a file was involved
    SHA256Hash              SHA256 hash of the file if a file was involved
    Type                    Type code for the action that occurred
    Filesize                Size in kilobytes of the file if a file was involved
    FileDate                File creation date of the file if a file was involved
    FileVersion             File version from within the file properties if a file was involved
    CompanyName             Company name from within the file properties if a file was involved
    ProductName             Product name from within the file properties if a file was involved
    ProductVersion          Product version from within the file properties if a file was involved
    UserName                User logged in when the action occurred
    ConfigGUID              Unique GUID of the setting that was in use when the action occurred
    LocationID              Information being gathered on values

     

    The information in this table makes up most of the LANDESK Antivirus information shown in the Security Activity tool.  This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.

     

    The exception is the licensing information, which is stored in the Antivirus table and is sent by the LANDESK Antivirus Service on the client to the WSVulnerability web service on the core server.

    The following are the codes returned to the core server and their meanings:

    Result                                    Code
    IS_VIRUS_REPAIR_FAILED                    10
    IS_VIRUS_REPAIR_SUCCEEDED                 11
    IS_VIRUS_QUARANTINE_FAILED                12
    IS_VIRUS_QUARANTINE_SUCCEEDED             13
    IS_SUSPICIOUS_QUARANTINE_FAILED           14
    IS_SUSPICIOUS_QUARANTINE_SUCCEEDED        15
    IS_SUSPICIOUS_NO_ACTION_TAKEN             16
    IS_RT_VIRUS_REPAIR_FAILED                 17
    IS_RT_VIRUS_REPAIR_SUCCEEDED              18
    IS_RT_VIRUS_QUARANTINE_FAILED             19
    IS_RT_VIRUS_QUARANTINE_SUCCEEDED          20
    IS_RT_SUSPICIOUS_QUARANTINE_FAILED        21
    IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED     22
    IS_APP_BLOCK_FAILED                       23
    IS_APP_BLOCK_SUCCEEDED                    24
    IS_AVSERVICE_FAILED_TO_START              25
    IS_VIRUS_FOUND                            26
    IS_RT_VIRUS_FOUND                         27
    IS_SUSPICIOUS_FOUND                       28
    IS_RT_SUSPICIOUS_FOUND                    29
    IS_REBOOT_NEEDED                          30
    IS_REBOOT_NOT_NEEDED                      31
    IS_INSTALLING_AV                          32
    IS_REMOVING_AV                            33
    IS_INSTALLED_AV                           34
    IS_REMOVED_AV                             35
    IS_FAILED_INSTALL_AV                      36
    IS_FAILED_REMOVE_AV                       37
    IS_AV_REBOOT_PENDING                      38
    IS_LOGIN                                  39
    IS_LOGOFF                                 40
    IS_AUTH_SUCCEEDED                         41
    IS_AUTH_WOULD_HAVE_FAILED                 42
    IS_AUTH_FAILED                            43
    IS_DECRYPT_SUCCEEDED                      44
    IS_DECRYPT_FAILED_KEY_NOT_FOUND           45
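As an added example (not LANDESK code), the following Python classifies SecurityAction rows by the result codes listed above and collects the failures per computer, so that a repair or quarantine that did not succeed, or an AV service that failed to start, is not lost among the informational rows. That the code is carried in the ActionCode column, the audit-only reading of IS_AUTH_WOULD_HAVE_FAILED, and the sample rows are assumptions.

```python
"""Decode SecurityAction result codes and pull out rows needing follow-up.
Added example, not LANDESK code; that the codes arrive in ActionCode is an assumption."""
from collections import defaultdict

RESULT_CODES = {
    10: "IS_VIRUS_REPAIR_FAILED", 11: "IS_VIRUS_REPAIR_SUCCEEDED",
    12: "IS_VIRUS_QUARANTINE_FAILED", 13: "IS_VIRUS_QUARANTINE_SUCCEEDED",
    14: "IS_SUSPICIOUS_QUARANTINE_FAILED", 15: "IS_SUSPICIOUS_QUARANTINE_SUCCEEDED",
    16: "IS_SUSPICIOUS_NO_ACTION_TAKEN", 17: "IS_RT_VIRUS_REPAIR_FAILED",
    18: "IS_RT_VIRUS_REPAIR_SUCCEEDED", 19: "IS_RT_VIRUS_QUARANTINE_FAILED",
    20: "IS_RT_VIRUS_QUARANTINE_SUCCEEDED", 21: "IS_RT_SUSPICIOUS_QUARANTINE_FAILED",
    22: "IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED", 23: "IS_APP_BLOCK_FAILED",
    24: "IS_APP_BLOCK_SUCCEEDED", 25: "IS_AVSERVICE_FAILED_TO_START",
    26: "IS_VIRUS_FOUND", 27: "IS_RT_VIRUS_FOUND", 28: "IS_SUSPICIOUS_FOUND",
    29: "IS_RT_SUSPICIOUS_FOUND", 30: "IS_REBOOT_NEEDED", 31: "IS_REBOOT_NOT_NEEDED",
    32: "IS_INSTALLING_AV", 33: "IS_REMOVING_AV", 34: "IS_INSTALLED_AV",
    35: "IS_REMOVED_AV", 36: "IS_FAILED_INSTALL_AV", 37: "IS_FAILED_REMOVE_AV",
    38: "IS_AV_REBOOT_PENDING", 39: "IS_LOGIN", 40: "IS_LOGOFF",
    41: "IS_AUTH_SUCCEEDED", 42: "IS_AUTH_WOULD_HAVE_FAILED", 43: "IS_AUTH_FAILED",
    44: "IS_DECRYPT_SUCCEEDED", 45: "IS_DECRYPT_FAILED_KEY_NOT_FOUND",
}

def severity(code):
    """failure = needs follow-up; detection = a find whose outcome is a separate row;
    info = everything else; unknown = code not in the list above."""
    name = RESULT_CODES.get(code)
    if name is None:
        return "unknown"
    # IS_AUTH_WOULD_HAVE_FAILED is treated as audit-only (assumption); a suspicious
    # file left with no action taken is counted as a failure.
    if ("FAILED" in name and "WOULD_HAVE" not in name) or name == "IS_SUSPICIOUS_NO_ACTION_TAKEN":
        return "failure"
    if name.endswith("_FOUND"):
        return "detection"
    return "info"

def triage(rows):
    """Per Computer_Idn, list failures as (ActionDate, code name, realtime scanner?)."""
    out = defaultdict(list)
    for row in rows:
        if severity(row["ActionCode"]) == "failure":
            name = RESULT_CODES[row["ActionCode"]]
            out[row["Computer_Idn"]].append((row["ActionDate"], name, "_RT_" in name))
    return dict(out)

# Constructed sample rows; only the columns the triage reads are included.
SAMPLE_ROWS = [
    {"Computer_Idn": 7, "ActionCode": 17, "ActionDate": "2016-03-05 08:05"},
    {"Computer_Idn": 8, "ActionCode": 25, "ActionDate": "2016-03-05 09:00"},
    {"Computer_Idn": 8, "ActionCode": 27, "ActionDate": "2016-03-05 09:10"},
    {"Computer_Idn": 9, "ActionCode": 42, "ActionDate": "2016-03-05 10:00"},
    {"Computer_Idn": 9, "ActionCode": 99, "ActionDate": "2016-03-05 10:05"},
]
```

`triage(SAMPLE_ROWS)` reports only computers 7 and 8; the realtime flag distinguishes a failure of the realtime scanner from one during a scheduled scan, which matters when deciding whether the client needs immediate attention.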

     

     

    TrustedItem table

     

    Trusted items are a list of objects that LANDESK Antivirus does not monitor or control.  This list is populated with a list of LANDESK client files at the time of LANDESK Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.

    You can add a trusted item, and doing so blocks LANDESK Antivirus from accessing that item; you must therefore be very sure that the item does not represent any threat.

    [Image: TrustedItem.jpg]

    Column Name             Description
    Computer_Idn            Unique database identifier of the computer that has this object in its trusted applications list
    TrustedItem_Idn         Unique database identifier of the trusted object
    Item                    Item full path and name
    Status                  User Added = 4, Admin Added = 6 (Admin Added is either part of installation or a settings update)
    ObjectType              File = 0, Folder = 1, Extension = 2
    AddedDate               Date that the object was added
    Folder                  Folder where the trusted item is

     

    On the client side these are the entries from the Exclusion Rules or Trusted Applications.

    [Image: TrustedApplications.jpg]

    This information shows up in the Inventory of the client under Security - Trusted Items.  Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status.