Endpoint Status Detail

The Endpoint Status Detail displays information about the endpoint selected in the Endpoint Status View. The detail consists of the following tabs: Details, Tasks, Policies, State History, Uploads, Searches in Progress, Scheduled Searches, Workflow Rules, Endpoint Messages, and RSOP.

Details

The Details tab displays the following information:

Field Description
Host Name The name of the endpoint as stored internally in the database. This may be different than the Display Name - the name shown throughout the Console (for example in the Endpoint List) - if the endpoint has been edited. The Host Name is used when determining if endpoints should be automatically merged and when syncing AD tags.
Guid The unique identifier for the endpoint. Each endpoint is tracked internally according to its GUID. When the endpoint software is un-installed from a system and the settings are deleted, the GUID is deleted from that system and a re-installation of the Agent software causes a new GUID to be obtained, and causes a new endpoint to be displayed in the Console. This can be avoided by saving the GUID and applying it to the system, having the endpoints automatically merged during GUID registration, or it can be resolved after the fact by merging the old endpoint into the new one.
Type

A text display of the types of results that have been found on that endpoint. The valid values can be one or more of the following (separated by a comma):

  • None
  • Database
  • Web Site
  • Exchange
  • SharePoint Site
  • All: If all four apply
Platform Type

The platform on which the selected endpoint is running. The possible values are:

  • Desktop
  • Server
  • Other
Field Description
Address 1 An IP address reported by the endpoint. This address is noted as the default IP Address (appears in bold text) when viewing the Edit Endpoint dialog. This is the IP address used in Reporting when the column Endpoints->IP Address is used.
Address 2 Another MAC address reported by the endpoint.
Field Description
Address 1 A MAC address reported by the endpoint. This address is noted as the default MAC address (appears in bold text) when viewing the Edit Endpoint dialog. This is the MAC address used in Reporting when the column Endpoints->MAC Address is used.
Address 2 Another IP address reported by the endpoint.
Field Description
Tag 1 A tag to which the selected endpoint belongs.
Tag 2 Another tag to which the selected endpoint belongs.

Tasks

The Tasks tab displays the following information:

Field Description
Endpoint The display name of the endpoint.
Task Name The name as entered in the Add New Task dialog in the Scheduled Tasks section of a policy; "Search Now" for a task executed via the Search button on the ribbon; "Gather Data" for a gather data executed via the Diagnostics right-click menu of an endpoint or tag; "Uninstall Endpoint" when initiating an uninstall via the Uninstall Endpoint right-click menu; "Reset Profile Password" for a reset of the profile password initiated via the Reset Profile Password right-click menu of an endpoint; "Delete Ignore Lists" when deleting the endpoint ignore lists via the Delete Ignore lists right-click menu option; "Support Mode" for an endpoint that has been put in support mode via the Support Mode right-click menu option; or "Delete Search History" by using the Delete Search History right-click menu of an endpoint.
Search Type "Search" when executed as a scheduled search; "Search Now" for a task executed via the Search button on the ribbon; "Gather Data" for a gather data executed via the Diagnostics right-click menu of an endpoint or tag; "Delete Ignore Lists" when deleting the endpoint ignore lists via the Delete Ignore lists right-click menu option; "Support Mode" for an endpoint that has been put in support mode via the Support Mode right-click menu option; or "Reset Profile Password" for a reset of the profile password initiated via the Reset Profile Password right-click menu of an endpoint.
Last Status Update

The time stamp of the most recent information related to this task as one of the following:

  • The time on the Console that the status as shown in the "Current Status" column was reported by the endpoint, or;
  • After a search has been completed and the results are imported by the Console, one of the following time stamps:
    • The end of the search as reported by the endpoint in the search results.
    • If that is not available, the start of the search as reported by the endpoint.
    • If that is not available, the time on the Console server that the results were imported.
Current Status
  • None: The task has been created, but it has not yet been obtained by the endpoint.
  • Task Acknowledged: The endpoint has obtained the task and is waiting for the scheduled time to execute the task.
  • Task Skipped: The endpoint service encountered an error while processing tasks and skipped any task that was scheduled to be executed.  Additional attempts are made to process the tasks.  If this status persists, please check the endpoint service log files on the endpoint to determine the cause of the error.
  • Task Failed: The endpoint service attempted to launch the task but an error was encountered. No attempt is made to launch the task again. For example, if the task was configured to stop an existing search and that search could not be stopped, the task fails.
  • Task Executed: This status is set when the endpoint service has executed the task and when the results of the task have been received by the Console. Search Now and Gather Data executed tasks are removed when the Update Policy States service task runs.
  • Task Initiated: The endpoint service has launched the task but the task has not yet completed.
  • Search Canceled: The scheduled search was canceled from the endpoint after it had begun its search.
  • Search Completed: The search has been successfully completed, but the results have not yet been received by the Console.
Most Recent Run The time stamp of the most recent time that the task was set to the Executed state.
Pause/Resume State Indicates whether this search is active or paused.

You may sort the tasks by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can sort multiple columns at the same time by holding down the shift key while selecting a sort. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

Policies

The Policies tab displays the following information:

Field Description
Name The display name of the endpoint.
Policy Name The name of the policy as it appears in the Policy List on the Policies tab, "Search Now" for a task executed via the Search button on the ribbon or "Endpoint Item (Licenses)" for a license update applied to an endpoint. Double-clicking on a policy row takes you to that policy in the Policies tab.
Status
  • Never Applied: The endpoint has never applied a policy.
  • Pending Update: The Console has a new policy for the endpoint but the endpoint has not yet applied the policy.
  • Up to date: The endpoint has applied the latest policy.

You may sort the policies by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

State History

The State History tab displays the following information:

Field Description
Name The display name of the endpoint.
Timestamp The time stamp, local to the Console, of the time the task State was updated.
State

Provides information about the state of the endpoint. By default, only certain states are enabled and can be configured to be sent by endpoints with the following Policy setting in a System Policy applied to the endpoint:

Console\AgentActivityStateDataConfiguration

  • Task Acknowledged: The endpoint has obtained the task and is waiting for the scheduled time to execute the task. Enabled by default.
  • Task Initiated: The endpoint service has launched the task but the task has not yet completed. Enabled by default.
  • Executed: This status is set when the endpoint service has executed the task and when the results of the task have been received by the Console. Enabled by default.
  • Skipped: The endpoint service encountered an error while processing tasks and skipped any task that was scheduled to be executed.  Additional attempts are made to process the tasks.  If this status persists, please check the endpoint service log files on the endpoint to determine the cause of the error. Enabled by default.
  • Failed: The endpoint service attempted to launch the task but an error was encountered. No attempt is made to launch the task again. For example, if the task was configured to stop an existing search and that search could not be stopped, the task fails. Enabled by default.
  • Offline: The Offline state is reported when a remote machine to be searched is offline or cannot be contacted.
  • Search Started: A search has been initiated on the endpoint from the Console.
  • Search Paused: The search is currently paused.
  • Search Canceled: The search was canceled.
  • Search Completed:  The search has been successfully completed.
  • Endpoint Opened: The endpoint has been opened interactively.
  • Endpoint Closed: The endpoint was opened interactively and has been closed.
  • Endpoint Searching: The endpoint was opened interactively and a search is currently in progress.
  • Endpoint Paused: The endpoint was opened interactively, a search started and then paused.
  • Endpoint Stopped: The endpoint was opened interactively, a search started and then stopped.
  • Endpoint Completed: The endpoint was opened interactively and a search was successfully completed.
  • Upgrade Successful: The Agent software has been successfully upgraded using the Endpoint Updates page of the Admin tab.
  • Upgrade delayed: The upgrade of the Agent software, using the Endpoint Updates page of the Admin tab, has been delayed. This is usually due to the Spirion endpoint being opened, locking the files.
  • Upgrade Failed: The upgrade of the Agent software, using the Endpoint Updates page of the Admin tab, has failed.
Code
  • None: This column is blank or displays None if the upgrade was successful, delayed, or failed for a reason other than having missing OCR files.
  • OCR Files Missing: The existing endpoint has OCR capability but the upgrade being applied does not.
Information
  • If the endpoint software upgrade was successful, this shows the version that was just installed.
  • If the Agent software upgrade was delayed or failed due to missing OCR files, this shows the version waiting to be installed.
  • If the Agent software upgrade failed due to some other reason, this shows the version currently installed.

Note: When searching remote machines with team members, the task state is reported by the team member and assigned to each target. If one of the targets is offline, you may see the state history for that target as reported by a different target. This is because a team member may be assigned to search multiple targets and the team member reports task states globally and not by target and those states are then assigned to every target. For example, a team member may be assigned to search two targets, target A is online and target B is offline. The team member reports Task Acknowledged, Task Initiated and Search Started for both targets even though only target A is actually performing a search. Once the search is complete, target A shows Search Completed while target B shows Offline.

You may sort the endpoint states by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

When a Windows endpoint fails to upgrade due to an OCR failure, more detail is provided in the EPS log on the endpoint. For example, if you used an MSI that did not contain OCR files to upgrade an endpoint that had OCR, in the State History tab for that endpoint, the State column displays "Upgrade Failed" and the Code column displays "OCR Files Missing". The EPS log for that endpoint contains further detail on why the failure occurred.

Uploads

When data has been uploaded from the endpoint to the Console, details of the upload display here.

The Uploads tab displays the following information:

Field Description
Name The Display Name of the endpoint.
Id This is the actual name of the uploaded file.
Date/Time The time stamp, local to the Console, of when the upload was completed.
Type

The type of upload.

  • Gather Data: Diagnostic data imported from the endpoint when the Gather Data was requested via the Console Diagnostics function.
  • Results: Search results data from the endpoint.
  • Log Data: Log data sent by the endpoint.
  • Locations Actions: Return values of Actions requested via the Console Results tab (e.g., Shred, Redact, or Ignore) after the endpoint has successfully performed the requested action or failed to do so.
  • Search Analysis: When a search is performed using a discovery team with the distributed searching option enabled, an analysis of the folders to search and the sizes of those folders is first performed. This is the result of the analysis.
State
  • Uploading: The file is in the process of being uploaded.
  • Uploaded: The file has been uploaded but not yet imported.
  • Done: The file has been uploaded and imported.
  • Error: The file has not successfully been imported.
Import Priority The priority of uploads to be imported. All uploads with a priority import first, followed by any skipped uploads. If an error occurs, N/A displays for Import Priority. Errored imports retain original prioritization when re-imported. Skipped imports move to the bottom of the priority list and also show as N/A.
Size The size, in bytes, of the uploaded file. Once a file has been successfully imported into the database, the uploaded file is deleted after a specified number of days, depending upon the value of the Days to keep uploaded files after importing succeeds setting. If the Size field is blank, then the file has been deleted and no longer exists on the Console.

Right clicking on one of the rows in the uploads view opens a menu with the following options:

Field Description
Save This allows you to save the upload to your computer. Clicking on the Save option prompts you for a location to save the upload. The Save option is Enabled for Gather Data only.
Delete This allows you to delete the selected upload. Clicking on the Delete option opens a confirmation dialog which reads "Do you want to delete the selected upload(s)?"
Add to Queue Select Add to Queue and select the appropriate option (Move to Top, Move to Bottom, etc.). Postponed imports retain their import priority.

You may Sort the Uploads by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

Searches in Progress

The Searches in Progress tab displays the following information:

Field Description
Name The Display Name of the endpoint.
Current Progress The percentage complete for the current location type.
Overall Progress How far into the total number of location types for the Endpoint you are searching. For example, Browsers are multiple location types because searching Internet Explorer Passwords is one type and Firefox Passwords is another.
Locations The first number is the total number of the items searched so far that contain at least one Identity Match. The second number is the total number of items of all types searched on your computer so far.
Matches This is the total number of Identity Matches found so far across all locations.
Last Update The time stamp of the most recent status update from the endpoint related to this search. If the endpoint sends the same state as previously sent it is considered to be an update. The value in parentheses indicates how long since the last update was received from the endpoint. The color changes to red when no update is sent after 5x the value in the Endpoints search progress update interval setting.
Last Status Change The time stamp of the most recent status change from the endpoint related to this search. If the endpoint sends a different progress state from previously it is considered to be a change. The value in parentheses indicates how long since the last status change was received from the endpoint. The color changes to yellow when no update is sent after 1x the value in the Endpoints search progress update interval setting and it changes to red after 6x the interval. For a Discovery Team search, once the Last Status Change turns red, the data being searched is reassigned to another Discovery Team member. This can happen up to 3 times at which point the data is marked permanently as failed.
Task Name The name as entered in the Add New Task dialog in the Scheduled Tasks section of a policy or "Search Now" for a task executed via the Search button on the ribbon. The Task name, if present, is a hyperlink. When clicked, it switches to the Scheduled Searches tab and highlights the related row.
Endpoint State
  • Task Acknowledged: The endpoint has obtained the task and is waiting for the scheduled time to execute the task.
  • Task Initiated: The endpoint service has launched the task but the task has not yet completed.
  • Task Executed: This status is set when the endpoint service has executed the task and when the results of the task have been received by the Console. Search Now and Gather Data executed tasks are removed when the Update Policy States service task runs.
  • Task Skipped: The endpoint service encountered an error while processing tasks and skipped any task that was scheduled to be executed. Additional attempts are made to process the tasks. If this status persists, please check the endpoint service log files on the endpoint to determine the cause of the error.
  • Task Failed: The endpoint service attempted to launch the task but an error was encountered. No attempt is made to launch the task again. For example, if the task was configured to stop an existing search and that search could not be stopped, the task fails.
  • Search Started: A search has been initiated on the endpoint.
  • Search Paused: The search is currently paused.
  • Search Canceled: The search was canceled.
  • Search Completed: The search has been successfully completed.
  • Endpoint Searching: The endpoint was opened interactively and a search is currently in progress.
  • Endpoint Paused: The endpoint was opened interactively, a search started and then paused.
  • Endpoint Stopped: The endpoint was opened interactively, a search started and then stopped.
  • Endpoint Completed: The endpoint was opened interactively and a search was successfully completed.
Name The display name of the endpoint performing the search. This is populated only when using Discovery Teams.
Targets The display name of the endpoint to be searched. This is populated only when using Discovery Teams.

Click the Refresh button to get the latest search progress data as it does not automatically refresh. You may adjust the interval at which endpoints send search progress updates to the Console via the Endpoints search progress update interval(s) setting on the Applications Settings page.

You may sort the Searches in Progress by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

Completed search information is deleted after the number of days specified in the Days to keep completed search progress information setting.

Incomplete searches are removed the next time a search is run on that endpoint.

Note: If one of the Discovery Team members is powered off while it is performing a search of a target and does not come back online, that team member's search is marked as failed and is assigned to another available team member.
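
The Last Update and Last Status Change thresholds described in this section, applied to a handful of rows, as an added Python example that is not part of the Console or its documentation. The ProgressRow shape, the reassignments counter, the 60-second interval and the sample rows are constructed for illustration, and "after Nx" is read here as strictly more than N times the interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_REASSIGNMENTS = 3  # page: reassignment "can happen up to 3 times"
SEVERITY = {"normal": 0, "yellow": 1, "red": 2}


@dataclass
class ProgressRow:
    """Hypothetical shape of one Searches in Progress row (not a product API)."""
    endpoint: str
    last_update: datetime          # most recent update, even if the state repeated
    last_status_change: datetime   # most recent update carrying a different state
    discovery_team: bool = False
    reassignments: int = 0         # assumed count of earlier reassignments


def last_update_color(age, interval):
    """Last Update turns red after 5x the progress update interval."""
    return "red" if age > 5 * interval else "normal"


def last_status_change_color(age, interval):
    """Last Status Change turns yellow after 1x and red after 6x the interval."""
    if age > 6 * interval:
        return "red"
    if age > interval:
        return "yellow"
    return "normal"


def team_action(row, change_color):
    """Discovery Team only: a red Last Status Change triggers reassignment,
    and after MAX_REASSIGNMENTS the data is marked permanently failed."""
    if not row.discovery_team or change_color != "red":
        return "none"
    return "reassign" if row.reassignments < MAX_REASSIGNMENTS else "failed"


def triage(rows, now, interval):
    """Classify every row and list the most severe first."""
    out = []
    for row in rows:
        upd = last_update_color(now - row.last_update, interval)
        chg = last_status_change_color(now - row.last_status_change, interval)
        out.append({
            "endpoint": row.endpoint,
            "last_update": upd,
            "last_status_change": chg,
            "team_action": team_action(row, chg),
        })
    # Stable sort: rows of equal severity keep their input order.
    out.sort(key=lambda r: max(SEVERITY[r["last_update"]],
                               SEVERITY[r["last_status_change"]]),
             reverse=True)
    return out


# Constructed sample data: ages are seconds before NOW, interval is 60 seconds.
NOW = datetime(2024, 1, 10, 12, 0, 0)
INTERVAL = timedelta(seconds=60)


def _ago(seconds):
    return NOW - timedelta(seconds=seconds)


SAMPLE_ROWS = [
    ProgressRow("WS-01", _ago(30), _ago(45)),    # reporting and progressing
    ProgressRow("WS-02", _ago(20), _ago(200)),   # reporting, same state repeated
    ProgressRow("WS-03", _ago(330), _ago(330)),  # silent past 5x, not yet 6x
    ProgressRow("TM-04", _ago(400), _ago(400), discovery_team=True, reassignments=1),
    ProgressRow("TM-05", _ago(500), _ago(500), discovery_team=True, reassignments=3),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_ROWS, NOW, INTERVAL):
        print(result)
```

WS-02 shows why the two columns differ: the endpoint is still sending updates, so Last Update stays normal, while Last Status Change goes yellow because the reported state has not changed.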

Scheduled Searches

The Scheduled Searches tab displays the following information:

Field Description
State

The state of a scheduled search is displayed with an icon to indicate its current status. Hovering the mouse over the icon displays a tooltip that displays the status. Clicking the icon switches to the Searches In Progress tab and highlights the related row.

  • In Progress: Indicates that the search is currently running. The button is a hyperlink and when clicked it switches to the Searches in Progress tab and highlights the related row.
  • Warning: Indicates that no update has been sent from the endpoint after 1x the value in the Endpoints search progress update interval setting.
  • Error: Indicates that no update has been sent from the endpoint after 5x the value in the Endpoints search progress update interval setting.
  • No icon: The search is not currently in progress.
Endpoint The display name of the endpoint.
Task Name The name as entered in the Add New Task dialog in the Scheduled Tasks section of a policy or "Search Now" for a task executed via the Search button on the ribbon.
Policy Name The name of the policy as it appears in the Policy List on the Policies tab or "(Search Now)" for a task executed via the Search button on the ribbon.
Schedule How frequently the task runs.
Boundaries Shows the first date and time the search runs and, if configured, the final date and time the search runs. The time displays in a 24 hour format. So if you are in the Eastern Time Zone in the United States and create a scheduled task to begin on September 24, 2013 at 1:00 PM, it displays as 2013-09-24 13:00-04:00. 13:00 indicates the start time of 1:00 PM and -04:00 indicates the offset from GMT of your time zone. If you selected ‘Synchronize across time zones’, it displays as 2013-09-24 13:00Z, where the ‘Z’ indicates Zulu.
Next Run The next date that the search is scheduled to execute.
Team Member The display name of the endpoint performing the search. This column is populated only when using Discovery Teams and the endpoint in the Endpoint column is the target of the search.
Targets The display name of the endpoint to be searched. This column is populated only when using Discovery Teams and the endpoint in the Endpoint column is the Team Member performing the search.

You may sort the Scheduled Searches by clicking on specific column headers to toggle between ascending, descending and no sort. Any column which has sorting on it displays an up arrow or a down arrow in the center of the column header indicating ascending or descending, respectively. No arrow indicates that column is not sorted. When you click on a column header to set a sort it removes any previous sorting from all other columns. You can reorder the columns by clicking on the column header and dragging and dropping them to the left or right.

Note: Only non-Discovery Team searches have the Next Run value updated to show the next run date of the recurring task. For Discovery Team searches this field only displays the date for the current search.

Workflow Rules

The Workflow Rules tab allows you to quickly see which Workflow Rules are applied to an endpoint. The Workflow Rules tab displays the following information:

Field Description
Endpoint The display name of the endpoint.
Rule The name of the Workflow Rule.

Endpoint Messages

The Endpoint Messages tab displays the following information:

Field Description
Endpoint The display name of the endpoint.
Search Date The date of the search.
Message

The

  • User stopped search: The user stopped the search prior to its completion.
  • Outlook timed out: Outlook timed out while waiting for an Outlook operation to complete while the search was in progress.
  • Outlook closed: Outlook was closed normally while the search was in progress.
  • Outlook closed unexpectedly: Outlook was closed unexpectedly while the search was in progress.

RSOP

The Resultant Set of Policies (RSOP) tab displays the merged policy as it would be received by the endpoint. The RSOP tab only loads if a single endpoint is selected in the endpoints list or top grid on the status page, and displays the following elements:

Field Description
Name The policy type or the name of the category or setting.
Value The currently established value of the setting.
Status
  • Never Applied: The endpoint has never applied a policy.
  • Pending Update: The Console has a new policy for the endpoint but the endpoint has not yet applied the policy.
  • Up to date: The endpoint has applied the latest policy.
Description A short description of the setting.
Platform This is the platform(s) to which the setting is applicable. The valid values are any combination of "Win", "Mac", and "Linux." This field is blank for folders.
Policies The policy names for “User Set” settings and the names of any policy that has the setting set.

Pager

At the bottom of each tab, with the exception of the Details tab, there is a pager. Console has the ability to display large sets of data; however, it is not always practical to display the entire data set in one view. The pager allows quick navigation between pages. Tabular data is displayed by splitting the data into pages, enabling the user to view large data sets by navigating forward and backward through the list of pages at the bottom of the grid.

The available elements of the pager are noted below: