Known Threat Activity Token Variables

Variable

Description

Virus variables: Used by alert or Outbreak Prevention Service event notifications

%device_ip%

IP address of an infected endpoint.

%egnver%

  • Scan engine version.

  • Used by the alert event category as well as the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications. For the notification types of the alert event category, this variable refers to the scan engine version currently installed on the managed product server.

  • For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Mode started" notifications, this variable refers to the Outbreak Prevention Policy required.

%ptnver%

  • Virus pattern version.

  • Used by the alert event category and the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications. For the notification types of the alert event category, this variable refers to the virus pattern version currently installed on the managed product server.

  • For the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications, this variable refers to the Outbreak Prevention Policy required.

%scanmethod%

The scan method for specific virus actions. This token is only available for the following alerts:

  • Virus found - first action unsuccessful and second action unavailable

  • Virus found - first and second actions unsuccessful

  • Virus found - first action successful

  • Virus found - second action successful

%threat_info%

  • Virus/malware threat information provided by outbreak prevention policies.

  • Used by the "Active Outbreak Prevention Policy received" and "Outbreak Prevention Services started" notifications.

%vcnt%

  • Virus count.

  • Used by the virus outbreak alert.

%vdest%

  • Virus/malware destination.

  • Examples:

    Email detection: %vdest% is the intended recipient.

    Host-based/endpoint detection: %vdest% is the endpoint IP address or host name.

  • Used by the alert event category.

%vfile%

Infected file name. Used by the alert event category.

%vfilepath%

Infected file directory. Used by the alert event category.

%vname%

Virus or malware name. Used by the alert event category.

%vsrc%

  • Virus/malware origin or infection source.

  • For example, if an antivirus managed product detects a virus/malware in an email message, %vsrc% takes the value of the message sender.

  • Used by the alert event category as well as the network virus alert notification type.