Provided data
All WMI classes for the ESET application are located in the root\ESET namespace. The following classes, which are described in more detail below, are currently implemented:
General
•ESET_Application
•ESET_Features
•ESET_Statistics
Logs
•ESET_ThreatLog
•ESET_EventLog
•ESET_ODFileScanLogs
•ESET_ODFileScanLogRecords
•ESET_ODServerScanLogs
•ESET_ODServerScanLogRecords
•ESET_HIPSLog
•ESET_URLLog
•ESET_DevCtrlLog
•ESET_GreylistLog
•ESET_MailServerLog
•ESET_HyperVScanLogs
•ESET_HyperVScanLogRecords
ESET_Product
There can only be one instance of the ESET_Product class. Properties of this class refer to basic information about your installed ESET application:
•ID – Application type identifier, for example, “eshp”
•Name - Name of the application, for example, "ESET Security"
•Edition - Product edition, for example, Microsoft SharePoint Server
•FullName - Full name of the application, for example, "ESET Security for Microsoft SharePoint Server"
•Version - Application version, for example, "6.5.14003.0"
•VirusDBVersion - Version of the virus database, for example, "14533 (20161201)"
•VirusDBLastUpdate - Timestamp of the last update of the virus database. The string contains the timestamp in WMI datetime format, for example, “20161201095245.000000+060”
•SubscriptionExpiration - Date of the subscription expiration. The string contains the timestamp in WMI datetime format
•KernelRunning - Boolean value indicating whether the ekrn service is running on the machine, for example, “TRUE”
•StatusCode - Number indicating the protection status of the application: 0 - Green (OK), 1 - Yellow (Warning), 2 - Red (Error)
•StatusText - Message describing the reason for a non-zero status code, otherwise it is null
ESET_Features
The ESET_Features class has multiple instances, depending on the number of application features. Each instance contains:
•Name - Name of the feature (list of names is provided below)
•Status - Status of the feature: 0 - inactive, 1 - disabled, 2 - enabled
A list of strings representing currently recognized application features:
•CLIENT_FILE_AV - Real-time file system anti-virus protection
•CLIENT_WEB_AV - Client web anti-virus protection
•CLIENT_DOC_AV - Client document anti-virus protection
•CLIENT_NET_FW - Client personal firewall
•CLIENT_EMAIL_AV - Client email anti-virus protection
•CLIENT_EMAIL_AS - Client email anti-spam protection
•SERVER_FILE_AV - Real-time antivirus protection of files on the protected file server applications, for example, files in SharePoint's content database in the case of ESET Server Security
•SERVER_EMAIL_AV - Antivirus protection of emails of protected server applications, for example, emails in Microsoft Exchange or IBM Domino
•SERVER_EMAIL_AS - Antispam protection of emails of protected server applications, for example, emails in Microsoft Exchange or IBM Domino
•SERVER_GATEWAY_AV - Antivirus protection of protected network protocols on the gateway
•SERVER_GATEWAY_AS - Antispam protection of protected network protocols on the gateway
ESET_Statistics
The ESET_Statistics class has multiple instances, depending on the number of scanners in the application. Each instance contains:
•Scanner - String code for the specific scanner, for example, “CLIENT_FILE”
•Total - Total number of files scanned
•Infected - Number of infected files found
•Cleaned - Number of cleaned files
•Timestamp - Timestamp of the last change to these statistics, in WMI datetime format, for example, “20130118115511.000000+060”
•ResetTime - Timestamp of when the statistics counter was last reset, in WMI datetime format, for example, “20130118115511.000000+060”
List of strings representing currently recognized scanners:
•CLIENT_FILE
•CLIENT_EMAIL
•CLIENT_WEB
•SERVER_FILE
•SERVER_EMAIL
•SERVER_WEB
ESET_ThreatLog
The ESET_ThreatLog class has multiple instances, each one representing a log record from the “Detected threats” log. Each instance contains:
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number in the [0-8] interval. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Scanner - Name of the scanner that created this log event
•ObjectType - Type of object that produced this log event
•ObjectName - Name of the object that produced this log event
•Threat - Name of the threat that has been found in the object described by ObjectName and ObjectType properties
•Action - Action performed after the threat was identified
•User - User account that caused this log event to be generated
•Information - Additional description of the event
•Hash - Hash of the object that produced this log event
•FirstSeenHere - Date and time of the first presence of the file on the computer
•UserSID - User SID that caused this log event to be generated
•UserPN - User principal name that caused this log event to be generated
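The following is an added example, not ESET code: it triages records read from the ESET_Product, ESET_Features and ESET_ThreatLog classes, converting the WMI datetime strings (whose last three digits are the UTC offset in minutes) so that age checks and ordering stay correct across time zones. It assumes the records were already exported as dictionaries keyed by the property names above; the sample values and the 7-day database age threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# LogLevel 0-8 names, in the order the page lists them.
LOG_LEVELS = ["Debug", "Info-Footnote", "Info", "Info-Important", "Warning",
              "Error", "SecurityWarning", "Error-Critical",
              "SecurityWarning-Critical"]
STATUS_CODES = {0: "Green (OK)", 1: "Yellow (Warning)", 2: "Red (Error)"}
FEATURE_STATUS = {0: "inactive", 1: "disabled", 2: "enabled"}

def parse_wmi_datetime(value):
    """Parse 'yyyymmddHHMMSS.ffffff+UUU'; UUU is the UTC offset in minutes."""
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"not a WMI datetime: {value!r}")
    naive = datetime.strptime(value[:21], "%Y%m%d%H%M%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(minutes=int(value[21:]))))

def product_findings(product, features, now, max_db_age=timedelta(days=7)):
    """Findings for one ESET_Product record plus its ESET_Features records."""
    findings = []  # max_db_age is an assumed threshold, not an ESET default
    code = product["StatusCode"]
    if code != 0:
        findings.append(f"status {STATUS_CODES.get(code, code)}: {product['StatusText']}")
    if str(product["KernelRunning"]).upper() != "TRUE":
        findings.append("ekrn service is not running")
    age = now - parse_wmi_datetime(product["VirusDBLastUpdate"])
    if age > max_db_age:
        findings.append(f"virus database last updated {age.days} days ago")
    for feat in features:
        if feat["Status"] != 2:
            state = FEATURE_STATUS.get(feat["Status"], "unknown")
            findings.append(f"feature {feat['Name']} is {state}")
    return findings

def threat_timeline(records, min_level="Warning"):
    """ESET_ThreatLog records at or above min_level, newest first, in UTC."""
    floor = LOG_LEVELS.index(min_level)
    rows = [(parse_wmi_datetime(r["Timestamp"]).astimezone(timezone.utc), r)
            for r in records if r["LogLevel"] >= floor]
    rows.sort(key=lambda row: row[0], reverse=True)
    return [(ts.isoformat(), LOG_LEVELS[r["LogLevel"]], r["Threat"], r["Action"])
            for ts, r in rows]

# Constructed sample records (not real output); keys follow the property names.
PRODUCT = {"StatusCode": 1, "StatusText": "Constructed warning text",
           "KernelRunning": "TRUE",
           "VirusDBLastUpdate": "20161201095245.000000+060"}
FEATURES = [{"Name": "SERVER_FILE_AV", "Status": 2},
            {"Name": "CLIENT_WEB_AV", "Status": 1}]
THREATS = [
    {"Timestamp": "20161210100000.000000+060", "LogLevel": 4,
     "Threat": "Constructed.Threat.A", "Action": "cleaned"},
    {"Timestamp": "20161210093000.000000+000", "LogLevel": 6,
     "Threat": "Constructed.Threat.B", "Action": "retained"},
    {"Timestamp": "20161210110000.000000+060", "LogLevel": 2,
     "Threat": "Constructed.Threat.C", "Action": "none"},
]

if __name__ == "__main__":
    now = datetime(2016, 12, 11, tzinfo=timezone.utc)
    for line in product_findings(PRODUCT, FEATURES, now):
        print("FINDING:", line)
    for row in threat_timeline(THREATS):
        print(row)
```

Sorting the raw Timestamp strings would place Constructed.Threat.A first; after offset conversion Constructed.Threat.B is the later event.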
ESET_EventLog
The ESET_EventLog class has multiple instances, each one representing a log record from the “Events” log. Each instance contains:
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number in the [0-8] interval. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Module - Name of the module that created this log event
•Event - Description of the event
•UserSID - User SID that caused this log event to be generated
•UserPN - User principal name that caused this log event to be generated
ESET_ODFileScanLogs
The ESET_ODFileScanLogs class has multiple instances, each one representing an On-demand file scan record. This is equivalent to the GUI “On-demand computer scan” list of logs. Each instance contains:
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•Targets - Target folders/objects of the scan
•TotalScanned - Total number of objects scanned
•Infected - Number of infected objects found
•Cleaned - Number of objects cleaned
•Status - Status of the scan process
ESET_ODFileScanLogRecords
The ESET_ODFileScanLogRecords class has multiple instances, each one representing a log record in one of the scan logs represented by instances of the ESET_ODFileScanLogs class. Instances of this class provide log records of all the On-demand scans/logs. When an instance of a specific scan log is required, it must be filtered only by the LogID property. Each class instance contains:
•LogID - ID of the scan log this record belongs to (ID of one of the instances of the ESET_ODFileScanLogs class)
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Log - The actual log message
ESET_ODServerScanLogs
The ESET_ODServerScanLogs class has multiple instances, each one representing a run of the on-demand server scan. Each instance contains:
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•Targets - Target folders/objects of the scan
•TotalScanned - Total number of objects scanned
•Infected - Number of infected objects found
•Cleaned - Number of objects cleaned
•RuleHits - Total number of rule hits
•Status - Status of the scan process
ESET_ODServerScanLogRecords
The ESET_ODServerScanLogRecords class has multiple instances, each one representing a log record in one of the scan logs represented by instances of the ESET_ODServerScanLogs class. Instances of this class provide log records of all the on-demand scans/logs. When an instance of a specific scan log is required, it must be filtered only by the LogID property. Each class instance contains:
•LogID - ID of the scan log this record belongs to (ID of one of the instances of the ESET_ODServerScanLogs class)
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number in the [0-8] interval. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Log - The actual log message
ESET_SmtpProtectionLog
The ESET_SmtpProtectionLog class has multiple instances, each one representing a log record from the “Smtp protection” log. Each instance contains:
•ID - Unique ID of this scan log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•HELODomain - Name of the HELO domain
•IP - Source IP address
•Sender - Email sender
•Recipient - Email recipient
•ProtectionType - Type of protection used
•Action - Action performed
•Reason - Reason for action
•TimeToAccept - Number of minutes after which the email will be accepted
ESET_HIPSLog
The ESET_HIPSLog class has multiple instances, each one representing a log record from the “HIPS” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number in the [0-8] interval. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Application - Source application
•Target - Type of operation
•Action - Action taken by HIPS, e.g. allow, deny, etc.
•Rule - Name of the rule responsible for the action
•AdditionalInfo
ESET_URLLog
The ESET_URLLog class has multiple instances, each one representing a log record from the “Filtered websites” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•URL - The URL
•Status - What happened to the URL, e.g. "Blocked by Web control"
•Application - Application that tried to access the URL
•User - User account the application was running under
ESET_DevCtrlLog
The ESET_DevCtrlLog class has multiple instances, each one representing a log record from the “Device control” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Device - Device name
•User - User account name
•UserSID - User account SID
•Group - User group name
•GroupSID - User group SID
•Status - What happened to the device, e.g. "Writing blocked"
•DeviceDetails - Additional info regarding the device
•EventDetails - Additional info regarding the event
ESET_MailServerLog
The ESET_MailServerLog class has multiple instances, each one representing a log record from the “Mail server” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•IPAddr - Source IP address
•HELODomain - Name of the HELO domain
•Sender - Email sender
•Recipient - Email recipient
•Subject - Email subject
•ProtectionType - Protection type that has performed the action described by the current log record, i.e. malware, antispam or rules.
•Action - Action performed
•Reason - The reason why the action was performed on the object by the given ProtectionType.
ESET_HyperVScanLogs
The ESET_HyperVScanLogs class has multiple instances, each one representing a run of the Hyper-V file scan. This is equivalent to the GUI “Hyper-V scan” list of logs. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•Targets - Target machines/disks/volumes of the scan
•TotalScanned - Total number of objects scanned
•Infected - Number of infected objects found
•Cleaned - Number of objects cleaned
•Status - Status of the scan process
ESET_HyperVScanLogRecords
The ESET_HyperVScanLogRecords class has multiple instances, each one representing a log record in one of the scan logs represented by instances of the ESET_HyperVScanLogs class. Instances of this class provide log records of all the Hyper-V scans/logs. When an instance of a specific scan log is required, it must be filtered only by the LogID property. Each class instance contains:
•LogID - ID of the scan log this record belongs to (ID of one of the instances of the ESET_HyperVScanLogs class)
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Log - The actual log message
ESET_NetworkProtectionLog
The ESET_NetworkProtectionLog class has multiple instances, each one representing a log record from the “Network protection” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Event - Event triggering network protection action
•Action - Action performed by network protection
•Source - Source address of network device
•Target - Destination address of network device
•Protocol - Network communication protocol
•RuleOrWormName - Rule or worm name related to the event
•Application - Application that initiated the network communication
•User - User account that caused this log event to be generated
ESET_SentFilesLog
The ESET_SentFilesLog class has multiple instances, each one representing a log record from the “Sent files” log. Each instance contains:
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Sha1 - Sha-1 hash of sent file
•File - Sent File
•Size - Sent file size
•Category - Sent file category
•Reason - Reason for sending the file
•SentTo - ESET department the file was sent to
•User - User account that caused this log event to be generated
ESET_OneDriveScanLogs
The ESET_OneDriveScanLogs class has multiple instances, each one representing a run of the OneDrive scan. This is equivalent to the GUI “OneDrive scan” list of logs. Each instance contains:
•ID - Unique ID of this OneDrive log
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•Targets - Target folders/objects of the scan
•TotalScanned - Total number of objects scanned
•Infected - Number of infected objects found
•Cleaned - Number of objects cleaned
•Status - Status of the scan process
ESET_OneDriveScanLogRecords
The ESET_OneDriveScanLogRecords class has multiple instances, each one representing a log record in one of the scan logs represented by instances of the ESET_OneDriveScanLogs class. Instances of this class provide log records of all the OneDrive scans/logs. When an instance of a specific scan log is required, it must be filtered only by the LogID property. Each instance contains:
•LogID - ID of the scan log this record belongs to (ID of one of the instances of the ESET_OneDriveScanLogs class)
•ID - Unique ID of this OneDrive log
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Log - The actual log message
ESET_ODMailServerScanLogs
The ESET_ODMailServerScanLogs class has multiple instances, each one representing a run of the On-demand mail server scan. Each instance contains:
•ID - Unique ID of this scan log
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•Targets - Target folders/objects of the scan
•TotalScanned - Total number of objects scanned
•Infected - Number of infected objects found
•Cleaned - Number of objects cleaned
•RuleHits - Total number of rule hits
•Phishing - Total number of phishing links detected
•Status - Status of the scan process
ESET_ODMailServerScanLogRecords
The ESET_ODMailServerScanLogRecords class has multiple instances, each one representing a log record in one of the scan logs represented by instances of the ESET_ODMailServerScanLogs class. Instances of this class provide log records of all the On-demand scans/logs. When only the records of a particular scan log are required, they must be filtered by the LogID property. Each class instance contains:
•LogID - ID of the scan log this record belongs to (ID of one of the instances of the ESET_ODMailServerScanLogs class)
•ID - Unique ID of this scan log
•Timestamp - Creation timestamp of the log (in the WMI date/time format)
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Log - The actual log message
ESET_AuditLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Type - Type of the change in product configuration
•Description - Description of the change in product configuration
•Source - Source component that performed the change in product configuration
•User - User account that caused this log event to be generated
•UserSID - User SID that caused this log event to be generated
•UserPN - User principal name that caused this log event to be generated
ESET_BPPLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Action - Action performed
•File - File affected by the action
•Hash - Sha-1 hash of the file
•Information - Additional description of the event
•User - User account that caused this log event to be generated
ESET_VAPMLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Event - Description of the event
ESET_FolderProtectionLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Application - Application trying to access the target
•Action - Application permission handled; values: Allow, Block, Ask
•Target - Target folder
•Account - User account
ESET_UpdateLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Event - Description of the update event
ESET_WebControlLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Account - User account
•Group - Group
•URL - Target URL
•MatchingURL - Matching URL
•Category - Category
•Action - Action performed
ESET_MicrophoneLog
•ID - Unique ID of this log record
•Timestamp - Creation timestamp of the log record
•LogLevel - Severity of the log record expressed as a number [0-8]. Values correspond to the following named levels: Debug, Info-Footnote, Info, Info-Important, Warning, Error, SecurityWarning, Error-Critical, SecurityWarning-Critical
•Account - User account
•Application - Application trying to access the target
•Device - Microphone device
•MatchingURL - Matching URL