SolarWinds Log & Event Manager (LEM) is a powerful SIEM tool that allows you to be proactive with your network needs. It provides functionality where you can monitor your antivirus software to track whether or not your antivirus solution is able to fully clean the viruses it detects.


To create a LEM Rule to track when viruses are not cleaned, you need to clone and enable the Virus Attack – Bad State rule to track the state of virus attacks reported by your antivirus software. The Bad Virus State User-Defined Group defines a bad state as any virus that has not been fully cleaned by your antivirus software. That is, any virus that has been left alone, quarantined, or renamed. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to prove to auditors that you are auditing the critical events on your network.


The following is how you can configure your antivirus software to log to your SolarWinds LEM appliance and set up the appropriate tool on your SolarWinds LEM Manager.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Select the Build tab, and then click Rules.
  3. Click Default Rules on the Refine Results pane (left).
  4. Enter Virus Attack – Bad State in the search box at the top of the Refine Results pane.
  5. Click the gear button next to the rule (left), and then click Clone.
  6. Select the folder where you want to save the cloned rule, and then click OK.
  7. Select Enable at the top of the Rule Creation window, next to the Description field.
  8. Click Save.
  9. Back on the main Rules screen, click Activate Rules.