Example - Using the Process Monitor to check for antivirus software

You can use the Process Monitor to verify that antivirus or anti-spyware software is a running on a device. If the monitor does not find the specified program running, an associated action will notify you of this potentially harmful vulnerability.

For this example, we will configure and assign a Process Monitor that checks to see if Norton AntiVirus™ is running on a device. We will also configure and assign an Email Action to notify you if the monitor fails.

To configure the Process Monitor:

  1. Go to the Active Monitor Library.
    • From the web interface, click GO. The GO menu appears.
    • If the WhatsUp section is not visible, click WhatsUp. The WhatsUp section of the GO menu appears.
    • Select Configure > Active Monitor Library. The Active Monitor Library appears.

      - or -

    • From the main menu bar of the console, select Configure > Active Monitor Library. The Active Monitor Library appears.
  2. In the Active Monitor Library, click New. The Select Active Monitor Type dialog appears.
  3. Select Process Monitor from the list, then click OK. The Add Process Monitor dialog appears.

  4. Enter a Name for the monitor, such as Norton AntiVirus Monitor.
  5. Enter a Description for the monitor. This description is displayed next to the monitor name in the Active Monitor Library.
  6. Enter or browse (...) to the Process name that the monitor will check. To monitor Norton AntiVirus software, enter rtvscan.exe.
  7. Under the Thresholds to monitor section of the dialog, select Down if the process is and not loaded. If the monitor does not find the rtvscan.exe process running on the device to which the monitor is assigned, the monitor is considered down.

    Tip: Click Advanced to set the SNMP timeout and number of retries, and to decide if the monitor is used in Discovery.

  8. Click OK to save changes.

After configuring the Norton AntiVirus Monitor, you need to assign it to the device(s) that you want to check are running the monitor. In the next steps of this example, you will assign the monitor to a single device, and then, using the Action Builder, configure and assign an Email Action that will notify you when the monitor goes down.

Tip: You can also assign the monitor to multiple devices at one time via Bulk Field Change. For more information, see Assigning a monitor to multiple devices.

To assign the Norton AntiVirus Monitor, and configure and assign an Email Action:

  1. Go to the properties for the device to which you want to assign the monitor.
    • From either the Device View or Map View, right-click the device. The right-click menu appears.
    • Select Properties. The Device Properties dialog appears.
  2. Click Active Monitors. The Device Properties - Active Monitors dialog appears.
  3. Click Add. The Active Monitor Properties dialog appears.
  4. Select the Norton AntiVirus Monitor, then click Next.
  5. Set the monitor's polling properties, then click Next.
  6. Select Apply individual actions, then click Add. The Action Builder appears.
  7. Select Create a new action, then click Next.
  8. Select the Email Action, then click Next.
  9. Under Execute the action on the following state change, select 20 minutes (Down at least 20 min); this option specifies that WhatsUp Gold will issue a state change after the monitor has been unable to find rtvscan.exe on the device for 20 minutes. Click Finish. The New Email Action dialog appears.

    Note: On the console, ensure that the Mail Destination tab is selected.

  10. Enter a Name for the monitor, such as Norton AntiVirus Email Notification.
  11. In SMTP Mail Server, enter the IP address or Host (DNS) name of your email server (SMTP mail host).
  12. Enter the Port on which the SMTP Server is installed. The default SMTP port is 25.
  13. Optionally, change the Timeout from the default of 5 seconds.
  14. In Mail To, enter the email addresses to which you want send the notification. You can enter two addresses, separated by commas (with no spaces). The address should not contain brackets, spaces, quotation marks, or parentheses.
  15. Select SMTP server requires authentication if your SMTP server uses authentication. This enables the Username and Password options.
  16. Enter a Username and Password to be used with authentication.
  17. Select Use an encrypted connection (SSL/TLS) if your SMTP server requires data encryption over a TLS connection.
  18. Click Mail Content to enter the notification content.

  19. In From, enter the email address that will appear in the From field of the email that is sent from WhatsUp Gold.
  20. In Subject, enter %ActiveMonitor.Name has failed (%Device.HostName). This message indicates the monitor's name, its failed state, and the hostname of the device on which the monitor has failed.
  21. In Message body, enter

    This %ActiveMonitor.Name has failed on %Device.Address.

    Please restart the Norton AntiVirus software on this device.

    ----------------------------------------

    This mail was sent on %System.Date at %System.Time
    Ipswitch WhatsUp Gold

    This message indicates that the Norton AntiVirus software has stopped on the specified device and that it should be restarted.

    Tip: Optionally, you can add a link to the Device Status or Mobile Device Status report for the device to which the monitor is assigned.

  22. Click OK to save changes.
  23. On the Active Monitor Properties dialog, click Finish.

See Also

Using the Process Monitor