LANDESK Endpoint Security: Database Tables, Inventory Information, and Security Activity

Version 11

    Verified Product Versions

    • LANDESK Management Suite 9.5
    • LANDESK Management Suite 9.6
    • LANDESK Management Suite 2016.x

     

    This document lists the tables in the LANDESK Database that are related to the following LANDESK Endpoint Security Components:

     

    • Application Control
    • Whitelisting
    • LANDESK Firewall

     

    Tables Used by Endpoint Security

     

    SecurityAction Table

     

    The information in this table shows up in the Security Activity Tool. This table is used by Application Control, Device Control, and the LANDESK Firewall.


    This table consists of the following columns:

     

    | Column Name | Description |
    |---|---|
    | SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action |
    | Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to |
    | ActionTaken | Action that was taken (See ActionCode list) |
    | ActionCode | Code type of the action that was taken |
    | ActionDate | Date and time that the action occurred |
    | Application | Application Name |
    | MD5Hash | MD5 Hash of the file if a file was involved |
    | SHA1Hash | SHA1 Hash of the file if a file was involved |
    | SHA256Hash | SHA256 Hash of the file if a file was involved |
    | Type | Type code for the action that occurred |
    | Filesize | Size in kilobytes of the file if a file was involved |
    | FileDate | File Creation Date of the file if a file was involved |
    | FileVersion | File Version of the file from within the file properties of a file if a file was involved |
    | CompanyName | Company Name from within the file properties of the file if a file was involved |
    | ProductName | Product Name from within the file properties of the file if a file was involved |
    | ProductVersion | Product Version from within the file properties of the file if a file was involved |
    | UserName | User Logged in when the action occurred |
    | ConfigGUID | Unique GUID of the Setting that was in use when the action occurred |
    | LocationID | Information being gathered on values |

     

    DeviceControlAction Table

     

    The information in this table shows up in the Security Activity Tool, primarily under the Device Control section.

     

    This table consists of the following columns:

    | Column Name | Description |
    |---|---|
    | DeviceControlAction_Idn | Unique identifier for the device control event |
    | Computer_Idn | Unique database identifier for the computer where the event was generated |
    | Description | Friendly name of the device which triggered the event |
    | HardwareID | Vendor-defined identification string |
    | Service | The service name for this device |
    | DeviceClass | The device setup class of this device |
    | Enumerator | The name of the device's enumerator. |
    | VendorID | Device vendor ID |
    | DeviceID | Device ID |
    | InstancePath | System-supplied device identification string that uniquely identifies the device |
    | VolumeSerial | Serial of the volume related to this event, if applicable |
    | ActionCode | Security Action Code (See ActionCode list) |
    | ActionDate | Date/time of the Device Control event |
    | ActionType | Security Action Type (see SecurityActionType list) |
    | UserName | Name of the user who tried to use this device, if applicable |
    | ConfigGUID | Unique identifier of the Device Control settings that belong to this event |
    | LocationID | Location identifier (unused) |

     

    ShadowCopyAction Table

    The information in this table shows up in the Security Activity Tool, under Device Control > Shadow Copy Files.

     

    This table consists of the following columns:

    | Column Name | Description |
    |---|---|
    | ShadowCopyAction_Idn | Unique identifier for the shadow copy event |
    | Computer_Idn | Unique database identifier for the computer where the event was generated |
    | FileName | Name of the file that was copied (source file) |
    | ActionCode | Security Action Code (See ActionCode list) |
    | ActionDate | Date/time of the event |
    | ActionType | Security Action Type (see SecurityActionType list) |
    | CachedFileName | Name of the copy (Destination File) |
    | FileSize | Size of the copied file |
    | FileDate | Last write time of the copied file |
    | DeviceDescription | Friendly name of the device where the file was copied to |
    | DeviceLabel | Label of the device/volume where the file was copied to |
    | VolumeSerial | Serial of the device/volume where the file was copied to |
    | UserName | Name of the user who copied the file |
    | ConfigGUID | Unique identifier of the Device Control settings that belong to this event |
    | LocationID | Location identifier (unused) |
    | InstancePath | System-supplied device identification string that uniquely identifies the device where the file was copied to |

     

    ActionCode List

    | Result | Code |
    |---|---|
    | VIGMODE_ALERT_FILE_BREACH | 100 |
    | VIGMODE_ALERT_FILE_RECERTIFY | 101 |
    | VIGMODE_ALERT_NET_CONNECT | 102 |
    | VIGMODE_ALERT_NET_BIND | 103 |
    | VIGMODE_ALERT_PROCESS_BREACH | 104 |
    | VIGMODE_ALERT_PROCESS_SETUP | 105 |
    | VIGMODE_ALERT_REG_BREACH | 106 |
    | VIGMODE_ALERT_LOAD_LIBRARY | 107 |
    | VIGMODE_ALERT_GLOBAL_HOOK | 108 |
    | VIGMODE_ALERT_EXE_BREACH | 109 |
    | VIGMODE_ALERT_NEW_STARTUP_MODULE | 110 |
    | VIGMODE_ALERT_BUFFER_OVERFLOW | 111 |
    | VIGMODE_ALERT_UNAUTHORIZED_EXECUTION | 113 |
    | VIGMODE_ALERT_NET_SMTP | 114 |
    | VIGMODE_ALERT_VOLUME_BLOCKED | 115 |
    | VIGMODE_ALERT_DEVICE_DETECTED | 116 |
    | VIGMODE_ALERT_CDDVD_BLOCKED | 117 |
    | VIGMODE_ALERT_SHADOWCOPY | 118 |
    | VIGMODE_ALERT_SHADOWCOPY_OVERSIZE_FILE | 119 |
    | VIGMODE_ALERT_SHADOWCOPY_ERROR | 120 |
    | VIGMODE_ALERT_DCM_TEMP_BYPASS | 121 |
    | VIGMODE_ALERT_LOCATIONAWARENESS_UNDEFINED_LOCATION_FOUND | 122 |
    | VIGMODE_ALERT_HARDWARE_KEYLOGGER | 123 |
    | VIGMODE_ALERT_CONFIG_REFRESH | 124 |
    | VIGMODE_ALERT_SHADOWCOPY_ENCRYPTED | 125 |
    | VIGMODE_ALERT_CERTIFY_ADD_PERMISSION | 126 |
    | VIGMODE_ALERT_CERTIFY_REPLACE_PERMISSION | 127 |
    | SecurityActionCodeSeenDigitalSigners | 128 |
    | VIGMODE_ALERT_EXCEPTION_REQUEST | 129 |
    | VIGMODE_ALERT_MONITORED_DIR_MODIFICATION | 130 |
    | VIGMODE_ALERT_EXCEPTION_REQUEST_FIREWALL | 131 |
    | HIPS_REACT_DENY | 81 |
    | HIPS_REACT_LEARN | 82 |
    | HIPS_REACT_USERALLOW | 83 |
    | HIPS_REACT_FORCE_LEARN | 84 |
    | VIGMODE_REASON_CERTIFY_CLIENT_UI | 85 |
    | VIGMODE_REASON_CERTIFY_RECERTIFICATION | 86 |
    | VIGMODE_REASON_CERTIFY_AUTHORIZED_INSTALLER | 87 |
    | VIGMODE_REASON_CERTIFY_TRUSTED_SYSTEM_COMPONENT | 88 |
    | VIGMODE_REASON_CERTIFY_WINTRUST_CACHE | 89 |
    | SecurityActionTypeInformation | 90 |
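
    A triage query over the SecurityAction table, as an added example that is not part of the original document or LANDESK's own code: it decodes ActionCode with values from the ActionCode list above and counts, per file hash, how many computers reported the event. SQLite stands in for the LANDESK database; the column types, the ActionCodeName lookup table, and all rows are assumptions constructed for illustration.

```python
import sqlite3

# Subset of this page's ActionCode list (Result name -> Code).
ACTION_CODES = {
    "VIGMODE_ALERT_BUFFER_OVERFLOW": 111,
    "VIGMODE_ALERT_UNAUTHORIZED_EXECUTION": 113,
    "VIGMODE_ALERT_CONFIG_REFRESH": 124,
}

def build_sample_db():
    """In-memory SQLite stand-in for the LANDESK database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    # Column names come from the SecurityAction table; the types are assumed.
    db.execute("""CREATE TABLE SecurityAction (
        SecurityAction_Idn INTEGER PRIMARY KEY, Computer_Idn INTEGER,
        ActionCode INTEGER, ActionDate TEXT, Application TEXT,
        SHA256Hash TEXT, UserName TEXT)""")
    # Hypothetical lookup table holding the ActionCode list (not a LANDESK table).
    db.execute("CREATE TABLE ActionCodeName (Code INTEGER PRIMARY KEY, Result TEXT)")
    db.executemany("INSERT INTO ActionCodeName VALUES (?, ?)",
                   [(code, name) for name, code in ACTION_CODES.items()])
    db.executemany("INSERT INTO SecurityAction VALUES (?, ?, ?, ?, ?, ?, ?)", [
        # Constructed events; HASH_A / HASH_B are placeholders, not real hashes.
        (1, 10, 113, "2016-03-01 09:00:00", "tool.exe", "HASH_A", "alice"),
        (2, 11, 113, "2016-03-01 09:05:00", "tool.exe", "HASH_A", "bob"),
        (3, 10, 113, "2016-03-01 09:10:00", "tool.exe", "HASH_A", "alice"),
        (4, 12, 111, "2016-03-02 14:00:00", "reader.exe", "HASH_B", "carol"),
        (5, 12, 124, "2016-03-02 14:30:00", None, None, None),  # no file involved
    ])
    return db

def summarize_file_events(db, code_names):
    """Per action and file hash: computers affected, event count, first seen."""
    codes = [ACTION_CODES[name] for name in code_names]
    marks = ",".join("?" * len(codes))  # one bound parameter per requested code
    return db.execute(f"""
        SELECT n.Result, a.SHA256Hash, a.Application,
               COUNT(DISTINCT a.Computer_Idn) AS Computers,
               COUNT(*) AS Events, MIN(a.ActionDate) AS FirstSeen
        FROM SecurityAction a
        JOIN ActionCodeName n ON n.Code = a.ActionCode
        WHERE a.ActionCode IN ({marks}) AND a.SHA256Hash IS NOT NULL
        GROUP BY n.Result, a.SHA256Hash, a.Application
        ORDER BY Computers DESC, Events DESC""", codes).fetchall()

if __name__ == "__main__":
    for row in summarize_file_events(build_sample_db(), list(ACTION_CODES)):
        print(row)
```

    Rows where no file was involved have no hash and are excluded, so the output lists only file-related events, with hashes reported by the most computers first.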

     

    Inventory

     

    The LANDESK Inventory Scanner populates some useful information in the Core Console for reference.

     

    Endpoint Security Exception Requests

      Security > Endpoint Security > Security Exception Request

     

    Endpoint Agent Behavior Settings

      LANDESK Management > Agent Settings > Endpoint Security

     

    Endpoint Security Version

      LANDESK Management > Endpoint Security

     

    Endpoint Security Driver

      OS > Drivers and Services > Service > LANDESK Endpoint Security
