All WMI classes for the ESET application are in the root\ESET namespace. The following classes, described in more detail below, are currently implemented:
General
•ESET_Application
•ESET_Features
•ESET_Statistics
Logs
•ESET_ThreatLog
•ESET_EventLog
•ESET_ODFileScanLogs
•ESET_ODFileScanLogRecords
•ESET_ODServerScanLogs
•ESET_ODServerScanLogRecords
•ESET_HIPSLog
•ESET_URLLog
•ESET_DevCtrlLog
•ESET_GreylistLog
•ESET_MailServerLog
•ESET_HyperVScanLogs
•ESET_HyperVScanLogRecords
ESET_Application
There can be only one instance of the ESET_Application class. Its properties provide basic information about your installed ESET application:
•ID: Application type identifier, for example, “eshp.”
•Name: Name of the application, for example, "ESET Security."
•Edition: Product edition, for example, Microsoft SharePoint Server.
•FullName: Indicates the full name of the application, for example, "ESET Security for Microsoft SharePoint Server."
•Version: Application version.
•VirusDBVersion: Version of the virus database.
•VirusDBLastUpdate: Timestamp of the last virus database update. The string contains the timestamp in WMI datetime format.
•SubscriptionExpiration: Date of subscription expiration. The string contains a timestamp in WMI datetime format.
•KernelRunning: Boolean value indicating whether the ekrn service is running on the machine, for example, “TRUE.”
•StatusCode: Represents the application's protection status; 0 means Green (OK), 1 means Yellow (Warning), and 2 means Red (Error).
•StatusText: Message describing the reason for a non-zero status code; otherwise, it is null.
ESET_Features
The ESET_Features class includes multiple instances, depending on the number of application features.
•Name: The name of the feature (see the list of names below).
•Status: The status of the feature. 0 is inactive, 1 is disabled, and 2 is enabled.
A list of strings representing currently recognized application features:
•CLIENT_FILE_AV: Real-time file system antivirus protection.
•CLIENT_WEB_AV: Client web antivirus protection.
•CLIENT_DOC_AV: Client document antivirus protection.
•CLIENT_NET_FW: Client personal firewall.
•CLIENT_EMAIL_AV: Client email antivirus protection.
•CLIENT_EMAIL_AS: Client email antispam protection.
•SERVER_FILE_AV: Real-time antivirus protection of files on the protected file server applications.
•SERVER_EMAIL_AV: Antivirus protection for emails on protected server applications.
•SERVER_EMAIL_AS: Antispam protection for emails on protected server applications.
•SERVER_GATEWAY_AV: Antivirus protection for protected network protocols on the gateway.
•SERVER_GATEWAY_AS: Antispam protection for protected network protocols on the gateway.
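A health check over the ESET_Application and ESET_Features properties described above, as an added example that is not ESET's own code. The dictionaries stand in for instances read from the root\ESET namespace by a WMI client; the sample values, the 7-day staleness threshold, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

STATUS = {0: "Green (OK)", 1: "Yellow (Warning)", 2: "Red (Error)"}
FEATURE_STATUS = {0: "inactive", 1: "disabled", 2: "enabled"}


def parse_wmi_datetime(value):
    """Parse a WMI datetime string: yyyymmddHHMMSS.mmmmmm+UUU.

    UUU is the UTC offset in minutes; '*' marks an unspecified digit.
    """
    if len(value) != 25 or value[14] != "." or value[21] not in "+-":
        raise ValueError(f"not a WMI datetime: {value!r}")
    micro = int(value[15:21].replace("*", "0"))
    offset = int(value[22:25].replace("*", "0"))
    if value[21] == "-":
        offset = -offset
    stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=micro,
                         tzinfo=timezone(timedelta(minutes=offset)))


def assess_health(app, features, now, max_db_age=timedelta(days=7)):
    """Return findings for one host; an empty list means nothing to report."""
    findings = []
    # KernelRunning may arrive as a bool or as the string "TRUE".
    if str(app["KernelRunning"]).upper() != "TRUE":
        findings.append("ekrn service is not running")
    if app["StatusCode"] != 0:
        label = STATUS.get(app["StatusCode"], "unknown")
        findings.append(f"protection status {label}: {app['StatusText']}")
    db_age = now - parse_wmi_datetime(app["VirusDBLastUpdate"])
    if db_age > max_db_age:  # threshold is an assumption, not an ESET value
        findings.append(f"virus database is {db_age.days} days old")
    if parse_wmi_datetime(app["SubscriptionExpiration"]) <= now:
        findings.append("subscription has expired")
    for feat in features:
        if feat["Status"] != 2:  # anything other than "enabled"
            state = FEATURE_STATUS.get(feat["Status"], "unknown")
            findings.append(f"feature {feat['Name']} is {state}")
    return findings


# Constructed sample data, not output from a real installation.
SAMPLE_APP = {
    "KernelRunning": "TRUE",
    "StatusCode": 1,
    "StatusText": "Constructed example warning",
    "VirusDBLastUpdate": "20240101080000.000000+060",
    "SubscriptionExpiration": "20250101000000.000000+000",
}
SAMPLE_FEATURES = [
    {"Name": "SERVER_FILE_AV", "Status": 2},
    {"Name": "CLIENT_WEB_AV", "Status": 1},
]

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    for line in assess_health(SAMPLE_APP, SAMPLE_FEATURES, now):
        print(line)
```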
ESET_Statistics
The ESET_Statistics class includes multiple instances, depending on the number of scanners in the application.
•Scanner: String code for the specific scanner, for example, “CLIENT_FILE.”
•Total: Number of files scanned.
•Infected: Number of infected files found.
•Cleaned: Number of cleaned files.
•Timestamp: Time of the last change to these statistics (in WMI datetime format).
•ResetTime: Time when the statistics counter was last reset (in WMI datetime format).
List of strings representing currently recognized scanners:
•CLIENT_FILE
•CLIENT_EMAIL
•CLIENT_WEB
•SERVER_FILE
•SERVER_EMAIL
•SERVER_WEB
ESET_ThreatLog
The ESET_ThreatLog class includes multiple instances, each representing a record from the “Detected threats” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Scanner: Name of the scanner for this log.
•ObjectType: Type of object for this log event.
•ObjectName: Name of the object related to this log event.
•Threat: Name of the threat found in the object described by the ObjectName and ObjectType properties.
•Action: Action taken after identifying the threat.
•User: Account responsible for this log event.
•Information: Additional event details.
•Hash: Hash value of the relevant object.
•FirstSeenHere: When the file first appeared.
•UserSID: The UserSID of the account responsible for this log event.
•UserPN: The user principal name for this log event.
ESET_EventLog
The ESET_EventLog class contains multiple instances, each one representing a log record from the “Events” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Module: Name of the module that created this log event.
•Event: Description of the event.
•UserSID: The UserSID of the account responsible for this log event.
•UserPN: The user principal name for this log event.
ESET_ODFileScanLogs
The ESET_ODFileScanLogs class contains multiple instances, each one representing an On-demand file scan record. This is equivalent to the GUI “On-demand computer scan” list of logs.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•Targets: The target folders or objects of the scan.
•TotalScanned: The total number of objects scanned.
•Infected: The number of infected objects found.
•Cleaned: The number of objects cleaned.
•Status: The status of the scan process.
ESET_ODFileScanLogRecords
Each ESET_ODFileScanLogRecords instance represents a log record from one of the ESET_ODFileScanLogs. This class provides records of all On-demand scans. To retrieve a specific scan log instance, filter by the LogID property.
•LogID: The unique identifier for the scan log. Use this property to match the record to its corresponding log in ESET_ODFileScanLogs.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Log: The actual log message.
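The LogID relationship between ESET_ODFileScanLogs and ESET_ODFileScanLogRecords, as an added example that is not ESET's own code: it pairs each scan that left infected objects uncleaned with that scan's records at Warning level or above. The same correlation applies to the other scan log and scan log record class pairs on this page; the dictionaries, integer IDs, sample values, and function names are assumptions.

```python
from collections import defaultdict

# LogLevel mapping as listed for every log class on this page (index = level).
LOG_LEVELS = ["Debug", "Info-Footnote", "Info", "Info-Important", "Warning",
              "Error", "SecurityWarning", "Error-Critical",
              "SecurityWarning-Critical"]


def level_name(level):
    """Translate a numeric LogLevel, tolerating values outside 0 to 8."""
    if 0 <= level < len(LOG_LEVELS):
        return LOG_LEVELS[level]
    return f"Unknown({level})"


def unresolved_scans(scan_logs, scan_records, min_level=4):
    """Pair each scan with Infected > Cleaned with its notable records.

    scan_logs:    dicts shaped like ESET_ODFileScanLogs instances
    scan_records: dicts shaped like ESET_ODFileScanLogRecords instances
    Returns a list of (scan, [(level_name, message), ...]) tuples.
    """
    by_log = defaultdict(list)
    for rec in scan_records:
        by_log[rec["LogID"]].append(rec)  # LogID refers to the parent scan ID

    report = []
    for scan in scan_logs:
        if scan["Infected"] <= scan["Cleaned"]:
            continue  # nothing found, or everything found was cleaned
        details = [(level_name(r["LogLevel"]), r["Log"])
                   for r in by_log.get(scan["ID"], [])
                   if r["LogLevel"] >= min_level]
        report.append((scan, details))
    return report


# Constructed sample data, not output from a real installation.
SAMPLE_SCANS = [
    {"ID": 1, "Targets": "C:\\Data", "Infected": 0, "Cleaned": 0},
    {"ID": 2, "Targets": "D:\\Share", "Infected": 2, "Cleaned": 1},
]
SAMPLE_RECORDS = [
    {"LogID": 1, "LogLevel": 2, "Log": "Constructed: scan completed"},
    {"LogID": 2, "LogLevel": 2, "Log": "Constructed: scan started"},
    {"LogID": 2, "LogLevel": 6, "Log": "Constructed: object not cleaned"},
]

if __name__ == "__main__":
    for scan, details in unresolved_scans(SAMPLE_SCANS, SAMPLE_RECORDS):
        print(scan["ID"], scan["Targets"], details)
```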
ESET_ODServerScanLogs
The ESET_ODServerScanLogs class contains multiple instances, each one representing a run of the On-demand server scan.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•Targets: The target folders or objects of the scan.
•TotalScanned: The total number of objects scanned.
•Infected: The number of infected objects found.
•Cleaned: The number of objects cleaned.
•RuleHits: The total number of rule hits.
•Status: The status of the scan process.
ESET_ODServerScanLogRecords
The ESET_ODServerScanLogRecords class contains multiple instances, each representing a log record from one of the scan logs in the ESET_ODServerScanLogs class. Instances provide records of all On-demand scans. To retrieve a specific scan log, filter by the LogID property.
•LogID: The unique identifier for the scan log. Use this property to match the record to its corresponding log in ESET_ODServerScanLogs.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Log: The actual log message.
ESET_SmtpProtectionLog
The ESET_SmtpProtectionLog class contains multiple instances, each one representing a log record from the “Smtp protection” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•HELODomain: Name of the HELO domain.
•IP: Source IP address.
•Sender: The email's sender.
•Recipient: The email's recipient.
•ProtectionType: Specifies the type of protection applied.
•Action: The action that was performed.
•Reason: Provides the reason for the chosen action.
•TimeToAccept: Indicates the number of minutes after which the email will be accepted.
ESET_HIPSLog
The ESET_HIPSLog class contains multiple instances, each one representing a log record from the “HIPS” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Application: Name of the HELO domain.
•Targets: Indicates the type of operation.
•Action: Describes the action taken by HIPS, such as allow or deny.
•Rule: Identifies the rule responsible for the action.
•AdditionalInfo: Provides any supplementary information.
ESET_URLLog
The ESET_URLLog class contains multiple instances, each one representing a log record from the “Filtered websites” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Application: Name of the application that attempted to access the URL.
•URL: The URL.
•Status: Describes what occurred with the URL, for example, "Blocked by Web control."
•User: Specifies the user account under which the application was running.
ESET_DevCtrlLog
The ESET_DevCtrlLog class has multiple instances, each one representing a log record from the “Device control” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Device: Name of the device.
•User: User account name.
•UserSID: The UserSID of the account responsible for this log event.
•Group: User group name.
•GroupSID: User group SID.
•Status: Action taken on the device, for example, "Writing blocked."
•DeviceDetails: Additional information about the device.
•EventDetails: Additional information about the event.
ESET_MailServerLog
The ESET_MailServerLog class contains multiple instances, each one representing a log record from the “Mail server” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•HELODomain: Name of the HELO domain.
•IPAddr: Source IP address.
•Sender: The email's sender.
•Recipient: The email's recipient.
•Subject: The subject of the email.
•ProtectionType: The protection type that performed the action described in the log record, such as malware, antispam, or rules.
•Action: The action that was performed.
•Reason: The reason the action was performed on the object by the specified ProtectionType.
ESET_HyperVScanLogs
The ESET_HyperVScanLogs class contains multiple instances, with each instance representing a run of the Hyper-V file scan. Each scan log instance in this class is associated with a collection of log records, as displayed in the GUI's list of Hyper-V scan logs.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•Targets: The target machines/disks/volumes of the scan.
•TotalScanned: The total number of objects scanned.
•Infected: The number of infected objects found.
•Cleaned: The number of objects cleaned.
•Status: The status of the scan process.
ESET_HyperVScanLogRecords
The ESET_HyperVScanLogs class contains multiple instances, with each instance representing a run of the Hyper-V file scan. Each scan log instance in this class is associated with a collection of log records, as displayed in the GUI's list of Hyper-V scan logs.
•LogID: The unique identifier for the scan log (ID of one of the instances of the ESET_HyperVScanLogs class).
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Log: The actual log message.
ESET_NetworkProtectionLog
The ESET_NetworkProtectionLog class contains multiple instances, each one representing a log record from the “Network protection” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Event: Name of the scanner for this log.
•Action: The specific action that was performed.
•Source: Source address of network device.
•Target: Specifies the destination address of the network device.
•Protocol: Specifies the network communication protocol.
•User: Account responsible for this log event.
•RuleOrWormName: Specifies the rule or worm name related to the event.
•Application: Specifies the application that initiated the network communication.
ESET_SentFilesLog
The ESET_SentFilesLog class contains multiple instances, with each instance representing a record from the “Sent files” log.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Sha1: The SHA-1 hash of the sent file.
•File: The name of the sent file.
•Size: The size of the sent file.
•Category: The category assigned to the sent file.
•Reason: The reason the file was sent.
•SentTo: The ESET department to which the file was sent.
•User: The user account that triggered this log event.
ESET_OneDriveScanLogs
The ESET_OneDriveScanLogs class contains multiple instances, each one representing a run of the OneDrive scan. This is equivalent to the GUI “OneDrive scan” list of logs.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•Targets: The target folders/objects of the scan.
•TotalScanned: The total number of objects scanned.
•Infected: The number of infected objects found.
•Cleaned: The number of objects cleaned.
•Status: The status of the scan process.
ESET_OneDriveScanLogRecords
The ESET_OneDriveScanLogRecords class contains multiple instances, each representing a log record within a scan log from the ESET_OneDriveScanLogs class. These instances provide records for all OneDrive scans. To retrieve records for a specific scan log, filter by the LogID property.
•LogID: The unique identifier for the scan log (ID of one of the instances of the ESET_OneDriveScanLogRecords class).
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Log: The actual log message.
ESET_ODMailServerScanLogs
The ESET_ODMailServerScanLogs class has multiple instances, each one representing a run of the On-demand mail server scan.
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•Targets: The target machines/disks/volumes of the scan.
•TotalScanned: The total number of objects scanned.
•Infected: The number of infected objects found.
•Cleaned: The number of objects cleaned.
•RuleHits: The total number of rule hits.
•Phishing: The total number of phishing links detected.
•Status: The status of the scan process.
ESET_ODMailServerScanLogRecords
The ESET_ODMailServerScanLogRecords class represents individual log records within scan logs managed by the ESET_ODMailServerScanLogs class. It provides records for all on-demand scans. To retrieve records for a specific scan log, filter by the LogID property.
•LogID: The unique identifier for the scan log (ID of one of the instances of the ODMailServerScanLogRecords class).
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Log: The actual log message.
ESET_AuditLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Type: Specifies the nature of the application configuration change.
•Description: Provides details about the application configuration change.
•Source: Identifies the component responsible for the configuration change.
•User: Indicates the user account that triggered this log event.
•UserSID: The UserSID of the account responsible for this log event.
•UserPN: The user principal name for this log event.
ESET_BPPLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Action: The specific action that was performed.
•File: The file affected by the action.
•Information: Additional event details.
•Hash: The SHA-1 hash value of the file.
•User: The user account responsible for generating this log event.
ESET_VAPMLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Event: A description of the event.
ESET_FolderProtectionLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Application: Application trying to access the target.
•Action: Application permission handled; values: Allow, Block, Ask.
•Target: The folder the application is attempting to access.
•Account: The user account associated with the access request.
ESET_UpdateLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Event: A description of the event.
ESET_WebControlLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Account: Refers to the user account.
•Group: Indicates the associated group.
•URL: Specifies the target URL.
•MatchingURL: Identifies the matching URL.
•Category: Defines the relevant category.
•Action: Describes the action performed.
ESET_MicrophoneLog
•ID: The unique ID of the scan log record.
•Timestamp: The creation timestamp of the log (in WMI datetime format).
•LogLevel: Severity of the log record, represented as a number from 0 to 8. The mapping is: 0–Debug, 1–Info-Footnote, 2–Info, 3–Info-Important, 4–Warning, 5–Error, 6–SecurityWarning, 7–Error-Critical, 8–SecurityWarning-Critical.
•Account: Refers to the user account.
•Application: The application attempting to access the target.
•Device: This refers to the microphone.
•MatchingURL: Identifies the matching URL.