ScanLogic group event classes

23 May 2024

ID 151789

In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).

Permissible values of the fields for classes of ScanLogic group events

Event class

Key

Value

All ScanLogic group classes

cs1

Message ID.

cs1Label

Its value is always MessageId.

src

IP address of the server from which the message was received.

act

Final action that was performed on the message.

fsize

Message size.

suser

Mail sender. The address is taken from the SMTP session.

duser

List of message recipients. The addresses are taken from the SMTP session.

cs2

List of rules.

cs2Label

Its value is always Rules.

outcome

Scan status.

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

fname

File name.

LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED

reason

Reason for the event. Possible values:

  • InternalError
  • Cancelled

LMS_EV_SCAN_LOGIC_AV_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • Clean
  • Encrypted
  • Error
  • Disinfected

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_AS_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs4

Detection method. Possible values are subject to change and do not depend on the product version.

cs4Label

Its value is always Method.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • Clean
  • Trusted
  • Formal
  • Error
  • ProbableSpam
  • Denylisted
  • Spam
  • MASSMAIL

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_AP_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data
  • Heuristics

cs4Label

Its value is always Method.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • Clean
  • Error
  • Phishing

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_MLF_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data

cs4Label

Its value is always Method.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • Clean
  • Error
  • Malicious link

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_MA_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs4

SPF status. Possible values:

  • NotScanned
  • InternalError
  • None
  • Pass
  • Fail
  • SoftFail
  • Policy
  • Neutral
  • TempError
  • PermError
  • Policy, domain mismatch
  • Ignored, private IP

cs4Label

Its value is always SpfVerdict.

cs5

DKIM status.

cs5Label

Its value is always DkimVerdict.

cs6

DMARC status.

cs6Label

Its value is always DmarcVerdict.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • ViolationNotFound
  • ViolationFound

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_KT_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

suser

Name of the user account that extracted the message from KATA Quarantine.

cs4

Reason for skipping the scan. Possible values:

  • NoReason
  • Filtered
  • Timeout
  • Proceed
  • QueueLimitExceeded
  • Disabled
  • MessageSizeLimitExceeded

cs4Label

Its value is always SkipReason.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Error
  • Detected
  • Skipped

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy
  • NotScanned

LMS_EV_SCAN_LOGIC_CF_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

cs4

Possible values:

  • DetectedFileFormat
  • DetectedFileName
  • DetectedFileSize

cs4Label

The value is always DetectedEntity.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • Clean
  • SizeExceeded
  • BannedFileName
  • BannedFileFormat
  • Error

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_PART_RESULT

cn1

Number of objects.

cn1Label

Its value is always ObjectsNumber.

cn2

Size of the blocked file.

cn2label

The value is always DetectedFileSize.

cs3

Unscanned files.

cs3Label

Its value is always AvExclude.

cs4

List of names of detected threats.

cs4Label

Its value is always Threats.

cs5

Name of the blocked file.

cs5Label

The value is always DetectedFileName.

cs6

Format of the blocked file.

cs6Label

The value is always DetectedFileFormat.

outcome

Scan status. Possible values:

  • BasesError
  • NotDetected
  • Encrypted
  • Error
  • Disinfected
  • Infected

reason

Reason for the event. Possible values:

  • NoReason
  • SizeLimit
  • NestingLevel
  • Filename
  • FileFormat

LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

reason

Reason for the event. Possible values:

  • NoReason
  • AntiSpam
  • AntiVirus
  • ContentFiltering
  • AntiPhishing
  • FailedToBackup
  • PersonalDenyList
  • MessageAuthentication
  • Kata
  • MaliciousLink

Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).

Relevant keys for classes of ScanLogic group events

Event class

Relevant keys

LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED

cs1, cs1Label, src, act, fsize, suser, duser, reason

LMS_EV_SCAN_LOGIC_AS_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs4, cs4Label, reason, outcome

LMS_EV_SCAN_LOGIC_AV_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, reason, outcome

LMS_EV_SCAN_LOGIC_AP_STATUS

LMS_EV_SCAN_LOGIC_MLF_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome

LMS_EV_SCAN_LOGIC_KT_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, reason, suser, outcome

LMS_EV_SCAN_LOGIC_MA_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, reason, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome

LMS_EV_SCAN_LOGIC_CF_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome

LMS_EV_SCAN_LOGIC_PART_RESULT

cs1, cs1Label, cn1, cn1Label, fname, act, reason, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, cn2, cn2Label, outcome

LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP

cs1, cs1Label, src, act, fsize, suser, duser, reason, cs2, cs2Label

If the avStatus=Infected or avStatus=Disinfected status is indicated in the mime part field in a LMS_EV_SCAN_LOGIC_PART_RESULT event, the disinfectedObjects or deletedObjects list is indicated as the cn1 key value if one of these lists is available. If both lists are not empty, the cn1 and cn1Label keys will be added twice.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.