The new Security Activity tool provides a convenient single
window where you can view status and activity information for
several LANDesk Security Suite services running on your managed
devices.
Security Activity lets you view status and activity information
for:
LANDesk Antivirus
Host Intrusion Prevention (HIPS)
LANDesk Firewall
Device Control
You can also perform these tasks:
Configure security activity threshold settings
Purge security activity information
Viewing security status and activity
The Security Activity tool lets you view information about
LANDesk Security Suite services.
The security tools you can view are described in the following
sections.
Viewing Antivirus activity and status information
If the antivirus scanner discovers any of the selected virus
definitions on target devices, this information is reported to the
core server. You can use any of the following methods to view
detected security data after running a scan.
This window displays antivirus activity and status information
by the following categories:
Infections by computer
Infections by virus
Quarantined infections by computer
Quarantined infections by virus
Trusted items by computer
Computers not recently reporting antivirus activity
Recent antivirus activity by computer
Recent antivirus activity by virus
Additionally, for a scanned device, right-click the device,
select Security and Patch Information, and in the
Type drop-down list select Antivirus. You can
view:
Missing antivirus updates
Installed antivirus updates
Purge repair history
About the Antivirus activity and status information dialog box
Use this dialog box to view detailed antivirus activity and
status information for all of your managed devices with the LANDesk
Antivirus agent. This scan result data is used to generate the
LANDesk Antivirus reports available in the Reports tool.
To customize the scope and focus of data that is displayed,
click Thresholds and change the time period thresholds for
scanned devices' recent antivirus activity and for devices that
haven't recently been scanned.
You can also right-click a device in this view to access its
shortcut menu and directly perform available tasks.
This dialog box contains the following options:
Refresh: Updates the fields in the dialog box
with the latest antivirus scan information from the database.
Thresholds: Opens the Threshold
settings dialog box, where you can define the duration (in
days) for both recent antivirus activity and "not recent" antivirus
scanning. Thresholds determine the time period for which antivirus
scan results are gathered and displayed for the two
computer-specific display categories.
Infections by computer: Lists devices in the
right pane on which virus infections were discovered during the
last system scan. Select a device to see the specific viruses
infecting the device.
Infections by virus: Lists viruses in the
right pane that were discovered on managed devices during the last
system scan. Select a virus definition to see the devices it has
infected.
Computers not recently scanned for antivirus vulnerabilities:
Lists all of the devices with the LANDesk Antivirus agent that
have not been scanned for viruses within the time period
specified on the Threshold settings dialog box.
If you want to run an immediate antivirus scan, right-click the
device, click LANDesk Antivirus scan now, select an
antivirus setting, and then click OK.
Computers with recent antivirus activity:
Lists all of the devices with the LANDesk Antivirus agent that have
been scanned and have returned antivirus activity within the time
period specified on the Threshold settings dialog box.
Select a device to see its specific antivirus activities, including
virus detection, removal, infected object quarantine, backup, and
restoration.
Viewing HIPS activity
If HIPS detects violations of its rules and certification
rights, this information is reported to the core server. You can
use the following methods to view detected HIPS activity.
For information about HIPS activity throughout your network, in
the Security Activity tool, open the Host Intrusion
Prevention group. The window displays HIPS activity by the
following categories:
Preventions by computer
Preventions by application
Preventions by action
You can also view specific host intrusion activity at the bottom
of the window, including the following details:
Action Date
Action
Description
Application
File version
File size
File date
Mode
MD5 hash
About the HIPS activity dialog box
Use this dialog box to view detailed HIPS activity for all of
your managed devices with the LANDesk HIPS agent. This data is used
to generate the LANDesk HIPS reports available in the
Reports tool.
To customize the scope and focus of data that is displayed,
click Thresholds and change the time period threshold for
storing HIPS activity information in the core database, and for the
number of items to display in the HIPS activity window
lists.
You can also right-click a device in this view to access its
shortcut menu and directly perform available tasks.
This dialog box contains the following options:
Refresh: Updates the fields in the dialog box
with the latest HIPS information from the database.
Thresholds: Opens the Threshold
settings dialog box, where you can define the duration (in
days) for storing HIPS data in the core database and the number of
items to display in the HIPS activity lists.
Purge: Completely and permanently removes HIPS
activity data from both this display window and the core
database.
Preventions by computer: Lists devices in the
right pane on which HIPS violations were discovered. Select a
device to see the specific violations.
Preventions by application: Lists applications
in the right pane that were discovered on managed devices. Select
an application to see the devices it was discovered on.
Preventions by action: Lists actions in the
right pane that were taken on managed devices. Select an action to
see the devices on which it was taken.
Viewing LANDesk Firewall activity
The window displays Firewall activity by the following
categories:
Preventions by computer
Preventions by application
Preventions by action
Viewing Device Control activity
The window displays Device Control activity by the following
categories:
Blocked storage devices
Blocked CD/DVD device
Other blocked devices
Shadow copy files
Configuring security activity threshold settings
Security activity information can build up quickly. You can use
threshold settings to control how much information is
collected.
About the Threshold Settings dialog box
Use this dialog box to define time periods for Antivirus, HIPS,
and Firewall activity that appears in Security Activity
views.
Antivirus:
Threshold for recent antivirus activity:
Specifies the time period (in days) to collect antivirus activity
for devices that have been scanned and have returned antivirus
activity.
Threshold for not recently scanned: Specifies
the time period (in days) to collect device information for all
devices configured with antivirus that have not been scanned.
Truncate lists: Indicates the maximum number
of entries to display in the lists in the activity dialogs. You can
specify 1 item to 999,999 items.
Automatic purge (HIPS / LANDesk Firewall only):
Automatically delete activity older than:
Indicates the maximum number of days to keep reported HIPS
activity, and LANDesk Firewall activity, for protected devices in
the core database. You can specify 1 day to 999 days. However, we
recommend that you carefully watch the amount of data being sent to
the core and find an optimal number of days so that HIPS data
doesn't use too much space or hamper performance.
Purging security activity
From time to time, you may want to purge security activity
information for the various security components. You can do this
with the Purge activity toolbar button in Security
Activity.
Security activity purging is a one-time task, not a scheduled
task or policy.
About the Purge security activity dialog box
Use this dialog box to completely remove activity records from
the console and core database.
This dialog box contains the following options:
Select activity type: Specifies which security
component activity information you want to purge.
Select computers: Specifies which managed
devices' security activity is purged. (Note: You must be an
administrator user to perform this task.)
Select date range: Specifies the earliest date
from which security activity is purged. Alternatively, you can
purge all of the existing activity information with the All
records option.
Purge: Completely removes activity records for
the security components you've selected.