Defender activity on the client is logged as events. The ACMP Agent scans these events periodically and sends them to the ACMP Server; events that are alarms (detected or possible threats) are sent to the server in real time.

The interval at which the scanner runs can be configured in Agent Tasks.

[Figure: Events tab]

Events are divided into different event types:

Event type | Description
Alarms | Contains all detected and possible threats found on the client, such as the detection of a virus.
Warnings | Contains possible security-related information which, if ignored, could lead to a security breach, e.g. by disabling a scan.
Hints | Contains non-security-related information, such as the start of a scan.
Errors | Contains incorrect or failed operations that have taken place on the client.
Information | Contains any ongoing information, such as update status.

Warning:

The scanning of the Information event type is disabled by default. If you want to enable it, you can make the changes in the Defender Management First Steps wizard or in the navigation under System > Settings > Defender Management by selecting the Information checkbox. Note, however, that the large number of events can increase the load on the database.

Displaying events

To view all logged events, go to the Defender Management plugin in the navigation and click the Events tab. You will see a list of all events, with the most recent event first. Each event has one of two statuses: read or unread.

You can tell the status by the open or closed letter icon on the event entry. An entry is marked as read once you click Mark as read in the ribbon bar. You can also add a comment to an entry.

Each event contains the following properties in the list:

Property | Description
Event entry | Categorises all events into the 5 event types
Event ID | ID assigned by Microsoft
Event name | More detailed categorisation of the event, showing what triggered it
Computer name | The name of the Client on which the event occurred
Time of creation | Date and time when the event occurred on the Client
Comment creator | ACMP user who created the comment
Comment date | Date on which the comment was made
Event message | Message describing the event
Event level | Rough categorisation of the event, assigned by Microsoft
Details | Exact information about the event

You can also view these properties in the Client Details or use them as fields in queries and reports.

If you only want to see a particular type of event in the list, select the required type using the filter icon above the list.

Viewing the Events of a specific client

To view the events of a specific Client, either filter for that Client in the Defender plug-in on the Events tab using the filter option in the column, or view them in the Client details of the required Client. To get there, double-click an event entry in the list that occurred on the required Client; this takes you to the Client details.

Scanning events

The Defender Scanner is disabled by default and must be enabled manually. This can be done either after completing the First Steps wizard or manually in the navigation under Agent Tasks > Defender Scanner. Double-click the task to open a wizard in which you set the start time and the interval.

Real-time notification of detected threats

Real-time transmission of detected threat events is available so that urgent cases can be responded to immediately. This applies only to the Alarms event type. If a threat is detected on the client, the ACMP Agent transmits the event in real time to the ACMP Server, where it can be viewed under Events.
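The forwarding behaviour described above (alarms sent immediately, other event types collected by the periodic scanner, Information events dropped unless enabled) can be modelled in a few lines. The following is an added illustration, not ACMP's or Aagon's own code; the class and function names, the scan interval and the sample events are assumptions constructed for the example, and the event IDs are placeholders rather than real Microsoft Defender event IDs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The five event types from the Events table on this page.
EVENT_TYPES = ("Alarms", "Warnings", "Hints", "Errors", "Information")
# Only alarms bypass the scanner and go to the server in real time.
REALTIME_TYPES = {"Alarms"}


@dataclass
class DefenderEvent:
    """One logged Defender event, using the list properties from this page."""
    event_type: str
    event_id: int            # placeholder ID, not a real Defender event ID
    computer_name: str
    created: datetime
    message: str


@dataclass
class AgentEventForwarder:
    """Hypothetical model of the agent-side forwarding policy (assumption)."""
    scan_interval: timedelta = timedelta(hours=1)   # assumed default interval
    collect_information: bool = False               # Information is off by default
    sent_realtime: List[DefenderEvent] = field(default_factory=list)
    queued: List[DefenderEvent] = field(default_factory=list)
    sent_batches: List[List[DefenderEvent]] = field(default_factory=list)
    last_scan: Optional[datetime] = None

    def observe(self, ev: DefenderEvent) -> str:
        """Decide what happens to a newly logged event; returns the decision."""
        if ev.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {ev.event_type}")
        # Information events are only collected when the checkbox is enabled.
        if ev.event_type == "Information" and not self.collect_information:
            return "dropped"
        # Alarms are transmitted to the server immediately.
        if ev.event_type in REALTIME_TYPES:
            self.sent_realtime.append(ev)
            return "realtime"
        # Everything else waits for the next scanner run.
        self.queued.append(ev)
        return "queued"

    def tick(self, now: datetime) -> Optional[List[DefenderEvent]]:
        """Run the scanner if the interval has elapsed; returns the batch sent."""
        if self.last_scan is not None and now - self.last_scan < self.scan_interval:
            return None
        self.last_scan = now
        batch, self.queued = self.queued, []
        self.sent_batches.append(batch)
        return batch


def sample_run() -> dict:
    """Feed constructed sample events through the forwarder and summarise."""
    t0 = datetime(2024, 1, 1, 12, 0)
    fwd = AgentEventForwarder(scan_interval=timedelta(hours=1))
    # Constructed sample events (IDs and messages are placeholders).
    events = [
        DefenderEvent("Hints", 100, "PC-01", t0, "scan started"),
        DefenderEvent("Alarms", 200, "PC-01", t0 + timedelta(minutes=5), "threat detected"),
        DefenderEvent("Information", 300, "PC-01", t0 + timedelta(minutes=6), "update status"),
        DefenderEvent("Warnings", 400, "PC-01", t0 + timedelta(minutes=7), "scan disabled"),
    ]
    decisions = [fwd.observe(ev) for ev in events]
    first = fwd.tick(t0 + timedelta(minutes=10))    # first scanner run: sends queue
    early = fwd.tick(t0 + timedelta(minutes=20))    # too early: interval not elapsed
    second = fwd.tick(t0 + timedelta(minutes=70))   # next run: queue is empty
    return {
        "decisions": decisions,
        "realtime_ids": [e.event_id for e in fwd.sent_realtime],
        "first_batch_ids": [e.event_id for e in first],
        "early_tick_ran": early is not None,
        "second_batch_ids": [e.event_id for e in second],
    }


if __name__ == "__main__":
    print(sample_run())
```

Setting `collect_information=True` on the forwarder corresponds to enabling the Information checkbox described in the warning above; every update-status event is then queued for the scanner, which is why the page warns about database load.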

Deleting obsolete events

To avoid unnecessary storage usage, you can regularly run cleanup jobs for both events and quarantine files.

The jobs can be found in the navigation under System > Settings > ACMP Server > Scheduled Server Tasks > Defender Events cleanup. By default, all events are deleted after 30 days. The cleanup itself runs every 5 hours; this interval can also be customised.

© Aagon GmbH 2024