
On-Access Scan Type in Database??

This may have been discussed, but I couldn’t find an answer.  I need to determine whether an AV alert is kicked off by an on-access scan or a scheduled scan.   Is there a table/column I can look at to verify what type of scan caught the malware?  Any help would be greatly appreciated!



  • Hi,

    Yes, if you're running SEC 5.0+ you also have the reporting interface installed into the database by default.  One table of interest which was added by the reporting interface is the Enumerations table. You can see in it values such as:

    EnumID    EnumValue    Language    Position    Description
    4         200          en          5           Unknown
    4         201          en          2           On access
    4         203          en          3           On demand
    4         205          en          4           Scheduled
    4         206          en          1           In memory
    4         207          en          6           Web browser

    Some of the views added by the reporting interface may be what you need as they join on that as part of the view.

    More details on the SRI:

    /search?q= 8285

    Regards,

    Jak

  • Thanks for the reply. I saw the Enumerations table, but I’m having trouble finding where those values are used.  The Events table has a column labeled “Scantype”, but it does not appear to contain all the events caught on machines.  I ran a test where I scanned a file (right click) and it was not in the Events table, but I did find it in the ThreatInstancesAll view.  I could not find any link to the Enumerations table from this view.  Do you know of any documentation around this?

  • Hi,

    The Sophos Reporting Interface (SRI) is the official and documented interface to the database.  The documentation section of the website has a link to the PDFs for each version.

    http://www.sophos.com/en-us/support/documentation/reporting-interface.aspx

    It has the following views you might like to look into:

    [Sophos Reporting Interface].vThreatEventData

    [Sophos Reporting Interface].vThreatInstances

    Regards,

    Jak

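As an added illustration of the approach Jak describes (this is not code from the thread, from Sophos, or from the SRI documentation), the T-SQL below joins a reporting-interface view to the Enumerations table so that each detection is labelled with the scan type that caught it. The Enumerations columns and the EnumID 4 values are the ones quoted above; the schema name dbo for Enumerations and the view column names ScanType, ThreatName and ComputerName are assumptions that must be checked against the SRI PDF for your version.

```sql
-- T-SQL against the SEC database. Added example; not from the thread or from Sophos.
-- ASSUMPTIONS (verify against the SRI PDF for your version):
--   * Enumerations lives in the dbo schema.
--   * vThreatInstances exposes a ScanType column holding the raw EnumValue (200..207)
--     plus ComputerName and ThreatName columns.

-- 1. Confirm the scan-type enumeration (EnumID 4) quoted in the reply.
SELECT EnumValue, Description
FROM dbo.Enumerations
WHERE EnumID = 4
  AND Language = 'en'
ORDER BY Position;

-- 2. Label each threat instance with its scan type.
--    LEFT JOIN keeps rows whose ScanType has no matching enumeration value
--    instead of silently dropping them; COALESCE makes those rows visible.
SELECT ti.ComputerName,
       ti.ThreatName,
       ti.ScanType                           AS ScanTypeCode,
       COALESCE(e.Description, 'Unmapped')   AS ScanTypeName
FROM [Sophos Reporting Interface].vThreatInstances AS ti
LEFT JOIN dbo.Enumerations AS e
       ON e.EnumID    = 4
      AND e.EnumValue = ti.ScanType
      AND e.Language  = 'en';

-- 3. Split detections by scan type, e.g. On access (201) versus Scheduled (205).
SELECT COALESCE(e.Description, 'Unmapped') AS ScanTypeName,
       COUNT(*)                            AS Detections
FROM [Sophos Reporting Interface].vThreatInstances AS ti
LEFT JOIN dbo.Enumerations AS e
       ON e.EnumID    = 4
      AND e.EnumValue = ti.ScanType
      AND e.Language  = 'en'
GROUP BY COALESCE(e.Description, 'Unmapped')
ORDER BY Detections DESC;
```

Run step 1 on its own first; it only touches the table the reply quotes. If step 2 fails with an invalid column name, the view stores the scan type under a different column in your version, and the SRI PDF linked above is the place to find the real name rather than guessing. Any rows that come back as 'Unmapped' in step 3 point at an EnumValue missing from the 'en' rows of Enumerations, which is worth knowing before trusting the split between on-access and scheduled detections.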