Alerts

The Antivirus module does not have its own alerts page. Instead, Antivirus alerts are enabled on managed machines using the Monitor > Event Log Alerts page.

Antivirus Event Log Settings

Event log alerts have a prerequisite: the appropriate event log data must be collected from the managed machine, or the alerts never fire. Using the Agent > Event Log Settings page, select the following settings for each Antivirus managed machine you wish to configure alerts for:

  • The Application Event Log Type
  • The Error, Warning, and Information Event Categories

Antivirus Event Log Alerts

On the Monitor > Event Log Alerts page, select the Application event log type. When Antivirus is installed, the following predefined event sets can be assigned to an Antivirus managed machine.

  • ZC-KAV-CL1-W Client Install Reboot Required
  • ZC-KAV-DF0-EWI Definitions
  • ZC-KAV-DF1-W Definitions Not Updated in 2 Days
  • ZC-KAV-DF2-E Definition Update Failed
  • ZC-KAV-FS0-EWI Full Scans
  • ZC-KAV-FS1-I Full Scan Started
  • ZC-KAV-FS2-I Full Scan Completed
  • ZC-KAV-FS3-E Full Scan Failed to Complete
  • ZC-KAV-QS0-EWI Quick Scans
  • ZC-KAV-QS1-I Quick Scan Started
  • ZC-KAV-QS2-I Quick Scan Completed
  • ZC-KAV-QS3-E Quick Scan Failed to Complete
  • ZC-KAV-TH0-EWI Threats
  • ZC-KAV-TH1-W Threat Detected
  • ZC-KAV-TH2-I Threat Remediated

The ZC-KAV prefix indicates that these event sets are sample Antivirus event sets. Sample event sets can be used directly or they can be used as examples for building your own Antivirus alert event sets. The next segment following ZC-KAV indicates the type of alert. The following are the Antivirus alert types:

  • CLx - Client related alerts
  • DFx - Anti-Virus Definition related alerts
  • FSx - Anti-Virus Full Scan related alerts
  • QSx - Anti-Virus Quick Scan related alerts
  • THx - Anti-Virus Threat related alerts

If the number following the alert type designator is zero (0), the event set is a rollup of related alerts. Any number other than zero (0) indicates the event set is a single individual alert. The letters following the alert type segment indicate the event categories covered by the alert:

  • E = Error
  • W = Warning
  • I = Information

When configuring Antivirus alerts, ensure all three of the Error, Warning, and Information event categories are selected. An event set that covers a category the machine does not collect (for example an -I set on a machine collecting only Error and Warning) can never raise its alert.
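The naming convention above can be decoded mechanically, which makes it easy to check an assignment against a machine's Event Log Settings before relying on it. The following is an added example, not Kaseya's own code: it parses ZC-KAV names per the convention described on this page and reports which assigned event sets would never fire because the machine does not collect the categories they need. The machine settings and the assignment are constructed for illustration; the event set names are the ones listed above.

```python
"""Decode ZC-KAV event set names and check them against a machine's
Event Log Settings (added example, not Kaseya's own code)."""
import re
from dataclasses import dataclass

# Alert type segment, per the page's naming convention.
ALERT_TYPES = {
    "CL": "Client",
    "DF": "Anti-Virus Definition",
    "FS": "Anti-Virus Full Scan",
    "QS": "Anti-Virus Quick Scan",
    "TH": "Anti-Virus Threat",
}
CATEGORIES = {"E": "Error", "W": "Warning", "I": "Information"}

# ZC-KAV-<type><n>-<categories>, e.g. ZC-KAV-DF0-EWI or ZC-KAV-TH1-W
NAME_RE = re.compile(r"^ZC-KAV-(CL|DF|FS|QS|TH)(\d)-([EWI]{1,3})$")

# The predefined sample event sets listed on this page.
SAMPLE_EVENT_SETS = [
    "ZC-KAV-CL1-W", "ZC-KAV-DF0-EWI", "ZC-KAV-DF1-W", "ZC-KAV-DF2-E",
    "ZC-KAV-FS0-EWI", "ZC-KAV-FS1-I", "ZC-KAV-FS2-I", "ZC-KAV-FS3-E",
    "ZC-KAV-QS0-EWI", "ZC-KAV-QS1-I", "ZC-KAV-QS2-I", "ZC-KAV-QS3-E",
    "ZC-KAV-TH0-EWI", "ZC-KAV-TH1-W", "ZC-KAV-TH2-I",
]


@dataclass(frozen=True)
class EventSet:
    name: str
    alert_type: str
    rollup: bool          # number 0 = rollup of related alerts
    categories: frozenset  # subset of {"Error", "Warning", "Information"}


def parse_event_set(name):
    """Decode one ZC-KAV event set name; raise ValueError if it does not fit."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a ZC-KAV event set name: {name!r}")
    type_code, number, cats = m.groups()
    return EventSet(
        name=name,
        alert_type=ALERT_TYPES[type_code],
        rollup=(number == "0"),
        categories=frozenset(CATEGORIES[c] for c in cats),
    )


def missing_collection(event_sets, machine_settings):
    """Return {event set name: categories not collected} for every assigned
    event set that cannot fire on this machine.

    machine_settings maps an event log type (as on Agent > Event Log Settings)
    to the set of categories collected for it. Antivirus sets use the
    Application log, so only that entry matters here.
    """
    collected = machine_settings.get("Application", set())
    gaps = {}
    for name in event_sets:
        es = parse_event_set(name)
        missing = es.categories - collected
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    # Constructed machine: Information was left unchecked on the Application log.
    settings = {"Application": {"Error", "Warning"}}
    for name, missing in missing_collection(SAMPLE_EVENT_SETS, settings).items():
        print(f"{name}: will never alert, not collecting {sorted(missing)}")
```

With Information unchecked, nine of the fifteen sample sets are silently dead, including every scan Started/Completed alert and the Threat Remediated alert; only the -E and -W sets still work. Running the check with all three categories selected returns an empty result, which is the state the page asks for.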

Also, for rollup event sets (ZC-KAV-DF0, ZC-KAV-FS0, ZC-KAV-QS0, or ZC-KAV-TH0), be sure to set the Ignore additional alarms for option to a low threshold, 1 minute, for example. A rollup set can raise several distinct alerts in quick succession (a Definitions warning followed minutes later by a Definition Update Failed error, for instance), and a long threshold would suppress every alert after the first. A short threshold ensures those alerts are not ignored if they should occur.
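To see why the threshold matters, the following added example (not Kaseya's own code) models the Ignore additional alarms for setting as a per-event-set suppression window: after an alarm, further matching events on the same machine are ignored until the window expires. That model is an assumption made for illustration, and the event stream is constructed: a Definitions Not Updated warning followed ten minutes later by a Definition Update Failed error and one retry of the same failure, all matched by the ZC-KAV-DF0-EWI rollup on one machine.

```python
"""Model the Ignore additional alarms for window on a rollup event set
(added example, not Kaseya's own code; suppression model is assumed)."""
from datetime import datetime, timedelta

# Constructed events matched by ZC-KAV-DF0-EWI on a single managed machine.
DF0_EVENTS = [
    (datetime(2024, 1, 1, 9, 0, 0), "Warning", "Definitions Not Updated in 2 Days"),
    (datetime(2024, 1, 1, 9, 10, 0), "Error", "Definition Update Failed"),
    (datetime(2024, 1, 1, 9, 10, 30), "Error", "Definition Update Failed"),  # retry
]


def alarms_raised(events, ignore_for):
    """Return the events that raise an alarm when each alarm suppresses all
    further alarms from the same event set for `ignore_for` (a timedelta)."""
    raised = []
    suppressed_until = None
    for ts, category, message in sorted(events, key=lambda e: e[0]):
        if suppressed_until is not None and ts < suppressed_until:
            continue  # swallowed by the window opened by the previous alarm
        raised.append((ts, category, message))
        suppressed_until = ts + ignore_for
    return raised


def categories_alarmed(events, ignore_for):
    """Which event categories actually reach an alarm under this window."""
    return {category for _, category, _ in alarms_raised(events, ignore_for)}


if __name__ == "__main__":
    for window in (timedelta(minutes=1), timedelta(hours=1)):
        hits = alarms_raised(DF0_EVENTS, window)
        print(f"ignore for {window}: {len(hits)} alarm(s), categories "
              f"{sorted(categories_alarmed(DF0_EVENTS, window))}")
```

With a 1 minute window the warning and the first error both alarm and only the 30-second retry is de-duplicated; with a 1 hour window the Error never surfaces at all, because the earlier warning's window is still open. The individual sets (ZC-KAV-DF1-W and ZC-KAV-DF2-E assigned separately) avoid this interaction because each carries its own window.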