(imported topic written by bendernet91)
Can anyone provide me with the relevance of how to get the “Results” (cleaned, etc.) from Trend Micro by doing an analysis?
(imported comment written by BenKus)
Do you have the CPM product on BigFix or are you running the Trend products independent of BigFix?
Ben
(imported comment written by bendernet91)
I have the CPM product on BigFix.
(imported comment written by jcampbell91)
If you are looking for reports on discovered infections and the actions taken the following analyses should provide that information for you.
Windows:
ID 21: Core Protection Module - Virus/Malware Information
ID 42: Core Protection Module - Spyware/Grayware Information
Mac:
ID 5: Core Protection Module for Mac - Virus/Malware Information
Reports on infections can also be viewed from the Core Protection Module Dashboard under “Reports” and then selecting “Infection”.
(imported comment written by bendernet91)
ID 21: Core Protection Module - Virus/Malware Information Only tells me what was detected. Not if it was cleaned.
ID42: Core Protection Module - Spyware/Grayware Information Only tells me what was detected. Not if it was cleaned.
Need to be able to email the infections reports on a daily basis.
(imported comment written by jcampbell91)
The analyses display the lines from the logs where the action / result is displayed as a numerical code just after the name of the detected infection. Here are the codes currently handled by the Reports Dashboard.
Windows:
0 - Cleaned
1 - Quarantined / Moved
2 - Deleted
3 - Renamed
5 - Clean Failed
6 - Quarantined / Moved Failed
7 - Delete Failed
8 - Rename Failed
10 - Clean Failed, File Quarantined / Moved
11 - Clean Failed, File Deleted
12 - Clean Failed, File Renamed
13 - Access Denied
14 - Clean Failed, Quarantine / Move Failed
15 - Clean Failed, Delete Failed
16 - Clean Failed, Rename Failed
25 - Passed / No Action
Mac:
1001 Cleaned
1002 Deleted
1003 Quarantined
1004 Passed
1005 Pass failed
1006 Quarantined failed
1007 Deleted failed
Here is a modified version of the relevance from the existing analyses that should translate the displayed Action / Result and Scan Type codes to plain text.
Windows:
(following text of first ", " of (date ((last 2 of it & " " & first 3 of (month (first 2 of following text of first 4 of it as integer) as string) & " " & first 4 of it) of it) as string) of parenthesized part 1 of it & " " & concatenation ":" of (first 2 of it; last 2 of it; "00") of (if length of it = 3 then "0" & it else (if (length of it = 2) then ("00" & it) else (if (length of it = 1) then ("000" & it) else (it)))) of parenthesized part 2 of it & " " & local time zone as string,
concatenation "%2C" of substrings separated by "," of parenthesized part 3 of it,
(if (it = "0") then "Cleaned" else if (it = "1") then "Quarantined / Moved" else if (it = "2") then "Deleted" else if (it = "3") then "Renamed" else if (it = "5") then "Clean Failed" else if (it = "6") then "Quarantined / Moved Failed" else if (it = "7") then "Delete Failed" else if (it = "8") then "Rename Failed" else if (it = "10") then "Clean Failed - File Quarantined / Moved" else if (it = "11") then "Clean Failed - File Deleted" else if (it = "12") then "Clean Failed - File Renamed" else if (it = "13") then "Access Denied" else if (it = "14") then "Clean Failed - Quarantine / Move Failed" else if (it = "15") then "Clean Failed - Delete Failed" else if (it = "16") then "Clean Failed - Rename Failed" else if (it = "25") then "Passed / No Action" else "Unknown Result") of parenthesized part 4 of it as string,
(if (it = "0") then "Manual Scan" else if (it = "1") then "Realtime Scan" else if (it = "2") then "Scheduled Scan" else if (it = "3") then "On Demand Scan" else if (it = "4") then "DCS Scan" else "Unknown Scan Type") of parenthesized part 5 of it as string,
parenthesized part 6 of it,
concatenation "%2C" of substrings separated by "," of parenthesized part 7 of it)
of (matches (regular expression "(\d{8})<;>(\d{1,4})<;>(.+)<;>(\d{1,2})<;>(\d{1})<;>(\d*)<;>(.+)<;>") of ((item 1 of it as string) of (maximum of line numbers of lines of it, lines of it) whose ((line number of item 1 of it) > ((item 0 of it) - (if exists setting "_CPM_MaxVirusReportCount" whose (exists value of it) of client then value of setting "_CPM_MaxVirusReportCount" of client as string as integer else 25))))) of (files "pccnt35.log" of folders ((it as string & "Misc") of values "Application Path" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion" of registry))
Mac:
(if (exists it AND number of lines of it > 0) then ((following text of first ", " of (date ((last 2 of it & " " & first 3 of (month (first 2 of following text of first 4 of it as integer) as string) & " " & first 4 of it) of it) as string) of parenthesized part 1 of it & " " & concatenation ":" of (first 2 of it; first 2 of last 4 of it; "00") of (if length of it = 3 then "0" & it else (if (length of it = 2) then ("00" & it) else (if (length of it = 1) then ("000" & it) else (it)))) of parenthesized part 2 of it & " " & ("+0000" as time zone as string),
concatenation "%2C" of substrings separated by "," of parenthesized part 3 of it,
(if (it = "1001") then "Cleaned" else if (it = "1002") then "Deleted" else if (it = "1003") then "Quarantined / Moved" else if (it = "1004") then "Passed" else if (it = "1005") then "Pass Failed" else if (it = "1006") then "Quarantined / Moved Failed" else if (it = "1007") then "Delete Failed" else "Unknown Action") of parenthesized part 4 of it as string,
(if (it = "1") then "Realtime Scan" else if (it = "2") then "Manual Scan" else if (it = "3") then "Scheduled Scan" else if (it = "4") then "On Demand Scan" else "Unknown Scan Type") of parenthesized part 5 of it as string,
concatenation "%2C" of substrings separated by "," of parenthesized part 6 of it)
of (matches (regex "^([0-9]{8})<;>([0-9]{6})<;>(.*)<;>([0-9]{4})<;>([0-9])<;>(.*)<;>") of ((item 1 of it as string) of (maximum of line numbers of lines of it, lines of it) whose ((line number of item 1 of it) > ((item 0 of it) - (if exists setting "_CPMMac_MaxVirusReportCount" whose (exists value of it) of client then value of setting "_CPMMac_MaxVirusReportCount" of client as string as integer else 25))))) of (files "/var/log/TrendMicro/MPM/malware.log")) else (nothing)) of (files "/var/log/TrendMicro/MPM/malware.log")
(imported comment written by bendernet91)
Yes! Thank You. “Cleaned” else if (it = “1”) then “Quarantined / Moved” , is the section of relevance I needed to create my analysis and email from web reports to coworkers.