Daily Scan Report

Hello LS,

can't find anything

no wonder, it's not there :smileyhappy:.

Daily Scan results

What information are you interested in, what is results? As far as SEC is concerned a scan is just two attributes of a computer - a name and a completion time. Related alerts and events (except those for cancel and abort) don't indicate the scan causing them.

BTW - daily (if it really means every day) scans are perhaps an overkill. What's the reason for running them that frequently?

Christian.

Hi QC!

Thanks for the reply, and apologies for the delay in getting back to you.

The customer wants a report on how the Daily Scans went (failed, success, errors etc). I've read that the information could be pulled out of the SQL database but I was looking to get some advice on it first before I go down that road.

LS

Hello LS,

success

can be deduced from the LastScanName and LastScanDateTime columns in the ComputersAndDeletedComputers table. No history is kept (there's only Last, if a Full System Scan ...  initiated from the console finished later the information about the scheduled scan is lost) and there's no indication whether the schedule has been missed, the scan has started but been aborted, cancelled or otherwise could not complete, or the completion event hasn't been sent to SEC.

failed

abort and cancel errors could be selected from the Errors table, the scan's name is in the Insert1 column. The reason for the abort is in rows with the same ComputerID and a similar AlertTime.    

{alerts and} errors

don't AFAIK indicate whether they are related to a scan and which one.

With not much coding you can get the (number of or list of endpoints with) completed and aborted scans - results might not be 100% correct. The better source for this information (including starts) are the scan logs on the endpoints though.

Christian

Awesome - that sounds like what I'm after. I don't suppose you have anything documented on how I'd pull this data out?

LS

Hello LS,

there's no documentation, the following Q&D (I'm about to leave for three weeks, so ...) code should give you all the scans completed in the last 24 hours:

SELECT 
    Name
   ,LastScanName
   ,LastScanDateTime 
    FROM ComputersAndDeletedComputers 
    WHERE 
      DATEDIFF(hour,LastScanDateTime,SYSDATETIME()) < 24 
 /* Uncomment to get only a specific scan   
      AND
      LastScanName='Daily Scan'
 */

 and this failed scans (as far as I can see the error is the same whether the scan aborted or has been cancelled by an admin):

SELECT 
    c.Name
   ,e.Insert1 AS LastScanName
   ,e.AlertTime AS LastScanDateTime 
    FROM Errors as e
      INNER JOIN ComputersAndDeletedComputers as c
            ON c.id = e.ComputerID
    WHERE 
      DATEDIFF(hour,LastScanDateTime,SYSDATETIME()) < 24 
      AND
      e.Source = 'SAV'
      AND
      e.Number=539492364
   /* Uncomment to get only a specific scan   
      AND
      LastScanName='Daily Scan'
   */

 For a simple way to run this please see this post. Getting the details of the related errors is tricky (and can't be done on a Friday afternoon)

HTH

Christian