This document lists the tables in the Ivanti EPM Database that are related to the Ivanti Antivirus product:
The following are the tables used for Ivanti Antivirus:
Antivirus table
The information from this table shows up in the Antivirus Licensing information in the Ivanti Antivirus Action Center, in the Inventory of each client, and in the Antivirus License section of the Security activity tool. This table records the inventory information for not only the Ivanti Antivirus product but also for other 3rd party Antivirus products. This table is updated by an Inventory Scan or sent directly to the Core Server through the WSVulnerabilityCore web service by the Ivanti Antivirus Service. This information is sent under the following conditions:
- After AV installation
- After activating with a new license
- After a scanning task is done
- After pattern files are updated
In addition you can run "LDAV.EXE /submitallavdata" to send this information manually.
When this information is sent to the core, it is logged in LDAV.LOG as "Submitting all Antivirus table information...".
For an Inventory Scan this information is gathered through LDAVHLPR.DLL. Periodic updates of this .DLL are provided within Ivanti Patch Content to support gathering information on newer versions of Antivirus software. The information gathered from each 3rd party vendor can vary. Some information may not be applicable or available to gather through the Ivanti Inventory or Patch and Compliance scan processes.
This information shows up in the Inventory of a client.
This table consists of the following columns:
Column Name | Description |
---|---|
Computer_IDN | Unique database identifier for the computer associated to the Antivirus information in the next columns |
Antivirus_IDN | Unique database identifier for the Antivirus entry |
ProductName | Name of the Antivirus product |
AutoProtect | Whether the realtime scanner (AutoProtect) is enabled or not |
ProductVersion | Version of the Antivirus product |
EngineVersion | Version of the Antivirus engine |
DefVersion | Version of the currently active definitions at the time of the last Inventory Scan or Security and Compliance Scan |
PubDate | Publication date of the antivirus definitions (pattern files) on the client |
DefInstallDate | Time and date that the current definition files (pattern files) were updated on the client |
LastVirusScan | Last time and date a regular virus scan was executed on the client |
LastFullVirusScan | Last time and date a full virus scan was executed on the client |
LastQuickVirusScan | Last time and date a quick virus scan was executed on the client |
AgentRunning | Source of the server for the Pattern Files. Typically this will only apply to Ivanti Antivirus |
PatternServer | Source of the server for the Pattern Files. Typically this will only apply to Ivanti Antivirus |
LicenseExpirationDate | Date and time that the current antivirus product license expires |
LicensePeriod | Length of time in days remaining |
License Number | Product license number that the client is currently using |
LicenseProductName | Name of the licensed product |
LicenseMaxCount | Total number of nodes that the license reported by the client is good for |
StartFullVirusScan | Time and date that the last full virus scan was started |
StartQuickVirusScan | Time and date that the last quick virus scan was started |
FullVirusScanCancelled | Time and date the last full virus scan was canceled |
QuickVirusScanCancelled | Time and date the last quick virus scan was canceled |
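As an added example (not part of the original article), the following T-SQL report uses the Antivirus table columns described above to flag clients whose real-time scanner is off, whose definitions are older than a week, or whose license expires within 30 days. It assumes SQL Server, that AutoProtect is stored as 0/1, and that the standard EPM Computer table (Computer_Idn, DeviceName) is available for the join; none of those details are stated on this page.

```sql
-- Added example, not from the original article. Assumes SQL Server (T-SQL),
-- that AutoProtect holds 0/1, and that the Computer table exposes
-- Computer_Idn and DeviceName; none of that is documented on this page.
DECLARE @DefMaxAgeDays   INT = 7;   -- definitions older than this are stale
DECLARE @LicenseWarnDays INT = 30;  -- warn this many days before expiry

SELECT  c.DeviceName,
        av.ProductName,            -- 3rd party products also appear in this table
        av.ProductVersion,
        av.DefVersion,
        av.PubDate,                -- publication date of the pattern files on the client
        av.LicenseExpirationDate,
        -- One row per client; several findings may apply at once
        CASE WHEN av.AutoProtect = 0 THEN 'Y' ELSE 'N' END AS RealtimeOff,
        CASE WHEN av.PubDate < DATEADD(DAY, -@DefMaxAgeDays, GETDATE())
             THEN 'Y' ELSE 'N' END                         AS StaleDefs,
        CASE WHEN av.LicenseExpirationDate < DATEADD(DAY, @LicenseWarnDays, GETDATE())
             THEN 'Y' ELSE 'N' END                         AS LicenseExpiring
FROM    Antivirus av
JOIN    Computer  c ON c.Computer_Idn = av.Computer_Idn
WHERE   av.AutoProtect = 0
   OR   av.PubDate < DATEADD(DAY, -@DefMaxAgeDays, GETDATE())
   OR   av.LicenseExpirationDate < DATEADD(DAY, @LicenseWarnDays, GETDATE())
ORDER BY StaleDefs DESC, RealtimeOff DESC, c.DeviceName;
```

Because the table is only refreshed by an Inventory Scan or by the conditions listed above, a stale PubDate can also mean the client has simply not reported; compare against the Inventory Scan date before treating it as a definition problem.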
AntivirusPatches table
This table lists the patches for the Antivirus product that are installed on the client.
This information is sent to the Core when an Inventory Scan runs.
Column Name | Description |
---|---|
Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
AntivirusPatches_Idn | Unique database identifier for the AntivirusPatches entry |
DisplayName | How the patch appears in the client interface (under the support link at the bottom of the LDAV UI) |
InstalledDate | Date and time that the patch was installed |
MoreInfoURL | If applicable, the link to go to for more information about the patch |
PatchName | Name of the patch |
This information also appears in the Client Inventory.
The LANDESK Antivirus service logs patch information every time it starts, during the initialize period, to HKEY_CLASSES_ROOT\Installer\Products\<product guid>\patches, and it is then stored in HKLM\Software\LANDESK\ManagementSuite\WinClient\Antivirus\Patches.
InfectedFiles table
This information shows up in the Security Activity tool under Ivanti Antivirus - Infections by Computer and Ivanti Antivirus - Infections by Virus.
This table consists of the following columns:
Column Name | Description |
---|---|
Computer_Idn | Unique database identifier for the computer that was infected |
InfectedFiles_Idn | Unique database identifier for the file that was found that contained a virus |
Path | Path on the client computer where the infected file was found |
Virus | Particular virus found within the infected file |
Failure | Description of the failure |
QuarantinedFiles table
This information shows up in the Security Activity tool under Ivanti Antivirus - Quarantined Infections by Computer and Ivanti Antivirus - Infections by Virus.
This table stores information about both files that have been quarantined and files that have been moved into the Backup folder.
This table consists of the following columns:
Column Name | Description |
---|---|
Computer_Idn | Unique database identifier for the computer associated to the Antivirus information in the next columns |
QuarantinedFiles_Idn | Unique database identifier for the files that were quarantined |
Filename | Name of the quarantined file |
Status | 0 = Riskware, 1= Infected, 2 = Suspicious, 3 = Clean, 4 = User Added, 5 = Unknown, 6 = Cured |
Virus | Virus that was found in the quarantined file |
OriginalLocation | Path where the file was found on the client computer |
GUIDFilename | GUID assigned to the filename |
QuarantineDate | Date and time that the file was quarantined |
This information shows up in the Inventory of the client under Security - Quarantined Files. Each file is listed as a separate entry under Quarantined Files and shows the values for Date Quarantined, Filename, GUID Filename, Original Location, Status, and Virus.
SecurityAction table
This information shows up in the Security Activity Tool under Ivanti Antivirus - Activity, Activity by computer, and activity by virus. In addition, LANDESK Endpoint Security activity information is stored in the SecurityAction table.
Column Name | Description |
---|---|
SecurityAction_Idn | Unique Database Identifier for this particular instance of a Security Action |
Computer_Idn | Unique Database Identifier for the computer that this Security Action relates to |
ActionTaken | Action that was taken |
ActionCode | Code type of the action that was taken |
ActionDate | Date and time that the action occurred |
Application | Application Name |
MD5Hash | MD5 Hash of the file if a file was involved |
SHA1Hash | SHA1 Hash of the file if a file was involved |
SHA256Hash | SHA256 Hash of the file if a file was involved |
Type | Type code for the action that occurred |
Filesize | Size in kilobytes of the file if a file was involved |
FileDate | File Creation Date of the file if a file was involved |
FileVersion | File Version of the file from within the file properties of a file if a file was involved |
CompanyName | Company Name from within the file properties of the file if a file was involved |
ProductName | Product Name from within the file properties of the file if a file was involved |
ProductVersion | Product Version from within the file properties of the file if a file was involved |
UserName | User Logged in when the action occurred |
ConfigGUID | Unique GUID of the Setting that was in use when the action occurred |
LocationID | Information being gathered on values |
The information in this table makes up most of the Ivanti Antivirus information shown in the Security Activity tool. This information is stored in ActionHistory.XML files on the client and sent to the core server every 2 minutes by Softmon, or when a Security and Compliance scan runs.
The exception is the licensing information, which is stored in the Antivirus table and is sent by the Ivanti Antivirus Service on the client to the WSVulnerability web service on the core server.
The following are the codes returned to the core server and their meanings:
Result | Code |
---|---|
IS_VIRUS_REPAIR_FAILED | 10 |
IS_VIRUS_REPAIR_SUCCEEDED | 11 |
IS_VIRUS_QUARANTINE_FAILED | 12 |
IS_VIRUS_QUARANTINE_SUCCEEDED | 13 |
IS_SUSPICIOUS_QUARANTINE_FAILED | 14 |
IS_SUSPICIOUS_QUARANTINE_SUCCEEDED | 15 |
IS_SUSPICIOUS_NO_ACTION_TAKEN | 16 |
IS_RT_VIRUS_REPAIR_FAILED | 17 |
IS_RT_VIRUS_REPAIR_SUCCEEDED | 18 |
IS_RT_VIRUS_QUARANTINE_FAILED | 19 |
IS_RT_VIRUS_QUARANTINE_SUCCEEDED | 20 |
IS_RT_SUSPICIOUS_QUARANTINE_FAILED | 21 |
IS_RT_SUSPICIOUS_QUARANTINE_SUCCEEDED | 22 |
IS_APP_BLOCK_FAILED | 23 |
IS_APP_BLOCK_SUCCEEDED | 24 |
IS_AVSERVICE_FAILED_TO_START | 25 |
IS_VIRUS_FOUND | 26 |
IS_RT_VIRUS_FOUND | 27 |
IS_SUSPICIOUS_FOUND | 28 |
IS_RT_SUSPICIOUS_FOUND | 29 |
IS_REBOOT_NEEDED | 30 |
IS_REBOOT_NOT_NEEDED | 31 |
IS_INSTALLING_AV | 32 |
IS_REMOVING_AV | 33 |
IS_INSTALLED_AV | 34 |
IS_REMOVED_AV | 35 |
IS_FAILED_INSTALL_AV | 36 |
IS_FAILED_REMOVE_AV | 37 |
IS_AV_REBOOT_PENDING | 38 |
IS_LOGIN | 39 |
IS_LOGOFF | 40 |
IS_AUTH_SUCCEEDED | 41 |
IS_AUTH_WOULD_HAVE_FAILED | 42 |
IS_AUTH_FAILED | 43 |
IS_DECRYPT_SUCCEEDED | 44 |
IS_DECRYPT_FAILED_KEY_NOT_FOUND | 45 |
IS_TIMBER_SCAN_FAILURE | 46 |
IS_TIMBER_SCAN_SUCCEEDED | 47 |
TrustedItem table
Trusted items are a list of objects that Ivanti Antivirus does not monitor or control. This list is populated with a list of Ivanti EPM client files at the time of Ivanti Antivirus install, and can be added to by a settings update, or by a user on the client computer if that permission is given.
You can add a trusted item and it will block Ivanti Antivirus access to that item, however you must be very sure that it does not represent any threat.
Column Name | Description |
---|---|
Computer_Idn | Unique database identifier of the computer that has this object in its trusted applications list |
TrustedItem_Idn | Unique database identifier of the trusted object |
Item | Item full path and name |
Status | User Added = 4, Admin Added = 6 (Admin added is either as part of installation or a settings update). |
ObjectType | File = 0, Folder = 1, Extension = 2 |
AddedDate | Date that the object was added |
Folder | Folder where the trusted item is |
On the client side these are the entries from the Exclusion Rules or Trusted Applications.
This information shows up in the Inventory of the client under Security - Trusted Items. Each file is listed as a separate entry under Trusted Items and shows the values for Folder, Item, Object Type and Status.
Security Activity
When an event happens with Ivanti Endpoint Security (Application blocked, device blocked, startup module added, etc) this information is sent to the core server and is then able to be viewed within the Security Activity tool and is stored in the database.
How actions are sent from the Client to the core server
Whenever an action takes place (a device is blocked, shadow copy activity takes place, etc.) this activity is recorded in the ActionHistory.(ClientIPAddress).ID#.xml file. If no further activity takes place within 2 minutes, Softmon will send this information to the core server. Otherwise, every time Vulscan runs it gathers the ActionHistory information and sends it to the core server. This ActionHistory information is stored in the SecurityAction table in the database and is displayed in the Security Activity window. After the ActionHistory is sent, the .XML is renamed to .SENT.XML. Eleven copies of this file are kept on the client: the .SENT.XML file, and then .SENT copies numbered 1 through 10.
If ActionHistory is sent during a Vulnerability Scan, this action will be logged in the Vulscan.log file
If ActionHistory is sent via Softmon, this is logged in the Softmon.log file
The following SQL query will return all of the Endpoint Security related activity.
```sql
SELECT * FROM PatchHistory
WHERE ActionCode IN (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45);
```
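As an added example (not part of the original article), the following T-SQL query decodes the failure-related codes from the table above into their names and summarises them per computer for the last 7 days, which is the view an analyst wants from the SecurityAction table rather than the raw code numbers. It assumes SQL Server, that SecurityAction.ActionCode carries the codes tabulated above, and that the standard EPM Computer table (Computer_Idn, DeviceName) is available for the join; those are assumptions, not statements from this page.

```sql
-- Added example, not from the original article. Assumes SQL Server (T-SQL),
-- that SecurityAction.ActionCode holds the codes listed in this article, and
-- that the Computer table exposes Computer_Idn and DeviceName (not described here).
;WITH ActionCodes (ActionCode, CodeName) AS (
    -- Only the outcomes that indicate something failed or was left unhandled
    SELECT * FROM (VALUES
        (10, 'IS_VIRUS_REPAIR_FAILED'),
        (12, 'IS_VIRUS_QUARANTINE_FAILED'),
        (14, 'IS_SUSPICIOUS_QUARANTINE_FAILED'),
        (16, 'IS_SUSPICIOUS_NO_ACTION_TAKEN'),
        (17, 'IS_RT_VIRUS_REPAIR_FAILED'),
        (19, 'IS_RT_VIRUS_QUARANTINE_FAILED'),
        (21, 'IS_RT_SUSPICIOUS_QUARANTINE_FAILED'),
        (23, 'IS_APP_BLOCK_FAILED'),
        (25, 'IS_AVSERVICE_FAILED_TO_START'),
        (36, 'IS_FAILED_INSTALL_AV'),
        (37, 'IS_FAILED_REMOVE_AV'),
        (46, 'IS_TIMBER_SCAN_FAILURE')
    ) AS v (ActionCode, CodeName)
)
-- One row per computer and outcome, newest first; the hash columns let the
-- analyst pivot from a repeated failure to the file involved.
SELECT  c.DeviceName,
        ac.CodeName,
        COUNT(*)            AS Occurrences,
        MAX(sa.ActionDate)  AS LastSeen,
        MAX(sa.Application) AS LastApplication,
        MAX(sa.SHA256Hash)  AS LastSHA256
FROM    SecurityAction sa
JOIN    ActionCodes    ac ON ac.ActionCode   = sa.ActionCode
JOIN    Computer       c  ON c.Computer_Idn  = sa.Computer_Idn
WHERE   sa.ActionDate >= DATEADD(DAY, -7, GETDATE())
GROUP BY c.DeviceName, ac.CodeName
ORDER BY LastSeen DESC, Occurrences DESC;
```

Since ActionHistory reaches the core either via Softmon after 2 minutes of inactivity or at the next Vulscan run, a client with no rows here may simply not have reported yet; check Softmon.log or Vulscan.log on the client before concluding it is clean.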