Custom spyware report

(imported topic written by jvdh11)

I have been tasked to update a report we have for our company that we currently run every morning to view virus activity from the previous 24 hours. Now my boss wants this expanded to include spyware/grayware. The report was originally created by a team member who is no longer with the company, so I'm left trying to figure it out. I have attached the current report and highlighted the areas I believe need to be updated. The problem is I don't know where to find the information I need for reference in order to update that info.

I have figured out how the report pulls the data. At the end of those highlighted areas it references fixlet 21, which is the analysis for virus/malware information. The spyware/grayware is fixlet 42, easy enough to update. Before that, in the same line, all the corresponding information pulled from that analysis is defined.

example,

Virus info "14 May 2013 09:34:00 -0300, TROJ_SPNR.0CI312, 6, 1, 0, C:\Windows\assembly\GAC_64\Desktop.ini, NULL"

So I can tell the date, obviously, then the virus name; then the 6, 1, 0 are, as mentioned, defined in that code; then the virus path.

So with the spyware/grayware the output is slightly different.

example,

29 Apr 2013 12:03:00 +1000, ADW_CROSSID, 1, 3, 201304291203104948730_ADW_CROSSID

The only difference between the two is the digits in the middle, so for the above example the 1, 3; there is one fewer digit. I need to find out what those numbers translate to, just like the ones in the virus report. If I know this I can simply modify the virus report to reflect the updated numerical values.

I hope I explained this well enough. Thanks to anyone who’s able to help.

(imported comment written by vpetrell)

There's a pre-built top 25 spyware report already in Web Reports that you can use as a start.

Here's what I have found so far for the meanings of the codes:

/** For Spyware Infections - Scan Types **/

0 = SpywareInfections_scantype_manual

1 = SpywareInfections_scantype_realtime

2 = SpywareInfections_scantype_scheduled

3 = SpywareInfections_scantype_scannow

4 = SpywareInfections_scantype_dcs

/** For Spyware Infections - Results **/

1 = SpywareInfections_ActionResult_failure

2 = SpywareInfections_ActionResult_success

16 = SpywareInfections_ActionResult_success

(imported comment written by vpetrell)

This is the report with the top 25 spyware events and their results.

You can change the following line to include more results:

var XRECENT = 25; // The "X" in "Top X Most Recent..."

I've asked for all the CPM data to be stored in a more readable format and stored historically. Vote for my RFE and maybe they'll make the reporting a bit easier for us. :)

http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=31951

(imported comment written by jvdh11)

I can't believe I missed that. Thank you. I spent a lot of time this morning going through the forums when the answer was already in front of me.

Stupid PEBKAC errors.