URL: https://kcm.trellix.com/corporate/index?page=content&id=KB85494&locale=zh_TW&viewlocale=zh_TW

COMPLETE LIST OF EVENT IDS FOR ENDPOINT SECURITY

Technical Articles ID: KB85494
Last Modified: 2022-04-19 09:15:21 Etc/GMT


--------------------------------------------------------------------------------


ENVIRONMENT

Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Firewall 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x


SUMMARY

This article explains ENS event messages. ENS event messaging uses Natural
Language Strings (NLSs). ENS logs threat data, including threat origin and
duration before detection, in NLSs. You can access this information from the
management consoles and from the Event Log in the ENS Client. NLSs are
descriptive explanations that give context around threat events. Some events
might need more explanation than the string of text in the event contains. If a
specific event is missing from a table below, it's because we believe that it
doesn't require further explanation. This article is amended as needed in
response to requests from customers through our Technical Support team.

NOTE: Several event messages refer to article KB85494 for more information.

It's possible for a single event ID to exhibit different NLSs. Each event ID has
a specific meaning, but details in the event shape the type of language used to
express that event's details. For example, one instance of Event ID 1272 might
contain all expected information. So, an NLS is chosen that best describes all
that information. Another instance of Event ID 1272 might be missing the process
name. Instead of using a blank to represent the process name, which would be
confusing, we use a different NLS. This NLS omits the process name but still
explains the remaining known details.
 
Factors that influence an NLS message include the following:
 * Whether an Attack Vector is local or remote
 * Whether an event is for an on-access scan (OAS) or on-demand scan (ODS)
 * Action taken (Cleaned, Deleted, Delete Pending, Access Denied, Continue,
   None, Moved, Blocked, or Generic)
 * Presence or absence of errors (Repair Failed, DeleteOnReboot,
   FailedDeleteFile, BackupFailed, or FailedDeletePending)
 * Object type (whether the object is a boot sector)
 * Whether the process name is supplied

The following is a comparison of traditional and NLS event messaging for a
detection that results in No Action being taken:

Traditional messaging syntax:

    <date><time> No Action Taken (Clean failed because the detection isn't
    cleanable) <domain>\<user> <process name> <path>\<Filename> <malware name>
    (<malware type>)

NLS messaging syntax:

    "<domain>\<user> ran <process name>, which attempted to access
    <path>\<filename>. The <malware type> named <malware name> was detected and
    access to the file was denied."

Example NLS detection message:

    "Interweb\jsmith ran notepad.exe, which attempted to access
    C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected
    and access to the file was denied."

Tools for Process Investigation
The string "To identify the process locking the file, see KB85494" displays in
some OAS event messages and refers customers to this KB article for more
information. In this scenario, the product denies access to an infected file and
tries to delete the file. But, it can't do so at the time of detection. The
delete fails because a file-lock prevents Windows from deleting the file in
response to our request. Windows holds the file deletion request in a
delete-pending state. We continue to deny access to that file, which prevents
any new handles from being opened. Windows completes the file deletion when all
handles to the detected file are closed. If you would like to investigate what
processes currently have this file-lock open, use the following tools.

Windows Task Manager
 1. Open Task Manager while logged on as an Administrator by pressing
    Ctrl+Shift+Esc.
 2. Click the Performance tab.
 3. Click Resource Monitor.
 4. Click the CPU tab.
 5. In the section Associated Handles, search for the file name in question. A
    partial file name might suffice.
 6. Wait for the search results.

Process Explorer
 1. Run Process Explorer as an Administrator.
 2. Click the Find menu, and select Find Handle or DLL.
 3. Search for the file name in question.
 4. Wait for the search results.

Take appropriate next steps when a process is identified. To assess the process
behavior, evaluate it based on the following:
 * Whether the process must use the file in use
 * Whether the process is safe or trusted
 * Whether it's safe to close the process
 * Whether you must capture any data about this process to submit to Technical
   Support for investigation

Tools for Access Protection Rule Violation Investigation
The string "For information on how to respond to this event, see KB85494"
displays in some Access Protection rule violation event messages and refers
customers to this KB article for more information. In this scenario, an action
is blocked in accordance with the definition of the rule that's described in the
event message itself. These violations aren't false positives: the Access
Protection feature can't return a false positive, because it matches on whether
a behavior occurs rather than on virus definitions or signatures.
 
Determine whether the behavior is expected:
 * If expected, you must perform either of the actions below:
   * Accept or ignore the data.
   * Create an exclusion for the specified rule to exclude the process that's
     violating the rule. For more information, see the "Access Protection:
     Files, processes, and registry exclusions" section of the Endpoint Security
     10.7.x Threat Prevention Product Guide.
 * If unexpected, investigate the behavior further, because one of the
   following is true:
   * The behavior occurs because of malware that has infiltrated the process.
   * The behavior is normal and needs to be reclassified as expected behavior,
     in which case see the previous bullet for expected behavior.

If the events become too frequent, take action to avoid having the data fill
your ePolicy Orchestrator (ePO) database. A full database can cause SQL Server
to run out of disk space, cause network latency, or both.

Actions can include the following:
 * Purging events from the database
 * Freeing disk space
 * Configuring the agent to filter out (no longer send) the specific event
 * Deleting unprocessed events from the ePO Events folder
 * Deleting events from client systems that have yet to send to ePO the events
   that have accumulated

Currently there's little that can be done from the centralized administration
point (ePO server) or its Agent Handlers, except to reconfigure the agents to
filter out the event.

NLS Event Messaging Index
The following table lists the event IDs and NLSs that might accompany them.
 
NOTE: This table contains common events, actions, and their associated NLSs. It
correlates event IDs, by feature, with the NLSs that might be used for the
event depending on the natural string selection criteria. The NLS tag, shown in
the last column, is further explained in the string tables that follow.

The following are links to the tables below:
Strings from OAS
Strings from Exploit Prevention
Strings from ScriptScan
Strings from ODS
Strings from Dynamic Application Containment (DAC)
 
Feature / Action Taken
  Event IDs: ...
  Possible NLS: ...

OAS / Cleaned
  Event IDs: 1025, 1060
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_CLN
                IDS_NATURAL_LANG_OAS_DETECTION_R_CLN
                IDS_NATURAL_LANG_OAS_DETECTION_B_CLN

OAS / Deleted
  Event IDs: 1027, 1028, 1054, 1055, 1101, 1104, 1278, 1279, 1280, 1281, 1293,
             1303, 1306, 1312, 1313, 1314, 1315, 1316, 1317, 1318, 1319, 1320,
             1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1405, 1408, 1410,
             1414, 1415, 1416, 1417, 1418, 1419, 1420
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_DEL
                IDS_NATURAL_LANG_OAS_DETECTION_R_DEL

OAS / Access Denied
  Event IDs: 1024, 1026, 1037, 1053, 1061, 1100, 1274, 1275, 1276, 1277, 1282,
             1283, 1284, 1285, 1289, 1290, 1291, 1292, 1294, 1296, 1298, 1300,
             1302, 1304, 1305, 1307, 1308, 1310, 1311, 1401, 1402, 1404, 1407,
             1409, 1411, 1413
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_DEN
                IDS_NATURAL_LANG_OAS_DETECTION_R_DEN
                IDS_NATURAL_LANG_OAS_DETECTION_B_DEN
                IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME

OAS / Continue
  Event IDs: 1400
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_NON
                IDS_NATURAL_LANG_OAS_DETECTION_R_NON
                IDS_NATURAL_LANG_OAS_DETECTION_NON_NOACTORPROCNAME

OAS / Moved
  Event IDs: 1056, 1102, 1270, 1271, 1272, 1273, 1297, 1301, 1309, 1403, 1406,
             1412
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_MOV
                IDS_NATURAL_LANG_OAS_DETECTION_R_MOV

OAS / Delete Pending
  Event IDs: 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431
  Possible NLS: IDS_NATURAL_LANG_OAS_DETECTION_DLP
                IDS_NATURAL_LANG_OAS_DETECTION_R_DLP
                IDS_NATURAL_LANG_OAS_DETECTION_DLP_NOACTORPROCNAME

ODS / Cleaned
  Event IDs: 1025, 1060
  Possible NLS: IDS_NATURAL_LANG_ODS_DETECTION_CLEANED
                IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED

ODS / Delete Pending
  Event IDs: 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431
  Possible NLS: IDS_NATURAL_LANG_ODS_DETECTION_DLP

ODS / Delete
  Event IDs: 1027, 1028, 1054, 1055, 1101, 1104, 1278, 1279, 1280, 1281, 1293,
             1303, 1306, 1312, 1313, 1314, 1315, 1316, 1317, 1318, 1319, 1320,
             1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1405, 1408, 1410,
             1414, 1415, 1416, 1417, 1418, 1419, 1420
  Possible NLS: IDS_NATURAL_LANG_ODS_DETECTION_DELETED

ODS / Continue
  Event IDs: 1024, 1026, 1037, 1051, 1053, 1059, 1061, 1095, 1096, 1099, 1100,
             1103, 1202, 1203, 1274, 1275, 1276, 1277, 1282, 1283, 1284, 1285,
             1289, 1290, 1291, 1292, 1294, 1296, 1298, 1300, 1302, 1304, 1305,
             1307, 1308, 1310, 1311, 1400, 1401, 1402, 1404, 1407, 1409, 1411,
             1413, 1064, 1065, 1087, 1088, 1118, 1119, 1120, 1121
  Possible NLS: IDS_NATURAL_LANG_ODS_DETECTION_GENERIC
                IDS_ALERT_ACT_TAK_CONT

Access Protection/System Protection / Block
  Event IDs: 1092
  Possible NLS: IDS_NATURAL_LANG_DESC_DETECTION_APSP_1
                IDS_NATURAL_LANG_DESC_DETECTION_APSP_2
                IDS_NATURAL_LANG_DESC_DETECTION_APSP_3

Access Protection/System Protection / WouldBlock
  Event IDs: 1095
  Possible NLS: IDS_NATURAL_LANG_DESC_DETECTION_APSP_4
                IDS_NATURAL_LANG_DESC_DETECTION_APSP_5
                IDS_NATURAL_LANG_DESC_DETECTION_APSP_6


Strings from OAS

Each entry gives the NLS tag, followed by its message string:

IDS_NATURAL_LANG_OAS_DETECTION_DEL
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME
    "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType||
    named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_NON_NOACTORPROCNAME
    "Attempted to access |TargetPath|\|TargetName| and the threat
    ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was
    detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_BLO
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC
    "|TargetUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_OAS_DETECTION_ENC
    "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner
    could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could
    not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO
    "|TargetUserName| ran |SourceProcessName|, which accessed
    |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted
    and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran
    for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The
    file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner
    couldn't scan the file because it is corrupted."
IDS_NATURAL_LANG_OAS_DETECTION_DLP
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access
    \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named
    |ThreatName| was detected but the file can't be deleted because it's
    locked. The file will be deleted when the file isn't locked. To identify
    the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_DLP_NOACTORPROCNAME
    "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType||
    named |ThreatName| was detected but the file can't be deleted because it's
    locked. The file will be deleted when the file isn't locked. To identify
    the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_NRP
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access
    |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName|
    was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The
    scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could
    not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The
    scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could
    not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access
    |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName|
    was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access
    |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName|
    was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access
    |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName|
    was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEL
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and
    deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and
    cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and
    access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the
    file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and
    blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC
    "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner
    could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO
    "|TargetPath|\|TargetName| was accessed from the remote system
    |SourceIPV4|. The file scan ran for the maximum time allotted and was
    canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP
    "The file |TargetPath|\|TargetName| was accessed from remote system
    |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected
    but the file can't be deleted because it's locked. The file will be
    deleted when the file isn't locked. To identify the process locking the
    file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP
    "The file |TargetPath|\|TargetName| was accessed from remote system
    |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected
    but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR
    "The file |TargetPath|\|TargetName| was accessed from remote system
    |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected
    and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE
    "The file |TargetPath|\|TargetName| was accessed from remote system
    |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected
    but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE
    "The file |TargetPath|\|TargetName| was accessed from remote system
    |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected
    but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN
    "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named
    |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN
    "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named
    |ThreatName| was detected in the boot sector. Both the primary
    (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||)
    actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR
    "The scanner detected a threat but, due to an error, no additional
    information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO
    "The scanner detected a threat while scanning |TargetName| but, due to an
    error, no additional information is available."


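As an added illustration (not code from the article or from the product), the following Python models the NLS selection described in the Summary above (action taken, local vs remote vector, boot-sector object, missing process name) and the reverse direction a SOC needs: converting the OAS templates in the table above into regexes so that a logged message can be parsed back into its fields. The template subset is copied from this article; the event keys `ActionTaken` and `BootSector`, the fallback order, and the sample event are assumptions.

```python
import re

# Subset of the OAS string table in KB85494 (templates copied from the article;
# this dict, the selection rules and the parser are an added illustration).
# |Field| is substituted verbatim; ||Field|| marks a value the product localises.
NLS = {
    "IDS_NATURAL_LANG_OAS_DETECTION_DEN":
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected and access to the file was denied.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME":
        "Attempted to access |TargetPath|\\|TargetName|. The threat ||ThreatType|| "
        "named |ThreatName| was detected and access to the file was denied.",
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DEN":
        "|TargetPath|\\|TargetName| was accessed from the remote system "
        "|SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and "
        "access to the file was denied.",
    "IDS_NATURAL_LANG_OAS_DETECTION_MOV":
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected and the file was moved.",
    "IDS_NATURAL_LANG_OAS_DETECTION_GENERIC":
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected. The scanner took the following action: ||ThreatActionTaken||.",
}

# Action Taken -> tag suffix, as in the OAS rows of the NLS Event Messaging Index.
OAS_SUFFIX = {"Cleaned": "CLN", "Deleted": "DEL", "Access Denied": "DEN",
              "Continue": "NON", "Moved": "MOV", "Delete Pending": "DLP"}

PLACEHOLDER = re.compile(r"\|\|?(\w+)\|\|?")


def select_nls(event):
    """Choose the OAS tag from the factors the article lists: action taken,
    local vs remote attack vector (SourceIPV4 present), boot-sector object,
    and whether a process name was supplied.  The keys ActionTaken and
    BootSector and the fallback order (qualified tag, plain tag, GENERIC)
    are assumptions of this example, not documented product behaviour."""
    base = "IDS_NATURAL_LANG_OAS_DETECTION_"
    suffix = OAS_SUFFIX[event["ActionTaken"]]
    if event.get("SourceIPV4"):
        qualified = base + "R_" + suffix
    elif event.get("BootSector"):
        qualified = base + "B_" + suffix
    elif not event.get("SourceProcessName"):
        qualified = base + suffix + "_NOACTORPROCNAME"
    else:
        qualified = base + suffix
    for tag in (qualified, base + suffix, base + "GENERIC"):
        if tag in NLS:
            return tag
    raise KeyError(qualified)


def render(tag, event):
    """Fill the template; a missing field means another NLS should be chosen
    rather than emitting a blank, which is the point the article makes."""
    def fill(m):
        if m.group(1) not in event:
            raise ValueError(f"{tag} needs {m.group(1)}; select another NLS")
        return str(event[m.group(1)])
    return PLACEHOLDER.sub(fill, NLS[tag])


def template_regex(template):
    """Turn a template into a regex with one named group per placeholder.
    TargetName never contains a backslash, so it is restricted to make the
    |TargetPath|\\|TargetName| split land on the last path separator."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        pat = r"[^\\]+?" if m.group(1) == "TargetName" else r".+?"
        parts.append(f"(?P<{m.group(1)}>{pat})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts), re.DOTALL)


def parse(message):
    """Inverse of render: recover (tag, fields) from a logged message, e.g. to
    normalise ENS events in a SIEM.  Returns None when no template matches."""
    for tag, template in NLS.items():
        m = template_regex(template).fullmatch(message)
        if m:
            return tag, m.groupdict()
    return None


if __name__ == "__main__":
    # Constructed event reproducing the worked example in the article.
    ev = {"ActionTaken": "Access Denied", "TargetUserName": "Interweb\\jsmith",
          "SourceProcessName": "notepad.exe", "TargetPath": "C:\\data\\temp",
          "TargetName": "eicar.com", "ThreatType": "Test Virus",
          "ThreatName": "Eicar Test File"}
    tag = select_nls(ev)
    print(tag, render(tag, ev), parse(render(tag, ev)), sep="\n")
```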

Strings from Exploit Prevention

Each entry gives the NLS tag (with the condition under which it is used, where
the table specifies one), followed by its message string:

IDS_NATURAL_LANG_DESC_DETECTION_APSP_1
    "|SourceUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked.
    For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2
    "|SourceUserName| ran |SourceProcessName|, which attempted to access
    |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and
    was blocked. For information on how to respond to this event, see
    KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3
    "|SourceUserName| ran |SourceProcessName|, which attempted to access
    |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was
    blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4
    "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|,
    violating the rule \"||AnalyzerRuleName||\". Access was allowed because
    the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5
    "|SourceUserName| ran |SourceProcessName|, which accessed
    |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\".
    Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6
    "|SourceUserName| ran |SourceProcessName|, which accessed the process
    |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access
    was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1
  (all but SMEP and TAMPER; no API name or caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and
    was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2
  (all but SMEP and TAMPER; with API name)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which
    targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4
  (all but SMEP and TAMPER; with a caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called
    from module |CallerModule|, which targeted the |APIName| API, and was
    ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3
  (SMEP)
    "|ThreatName| attempted an exploit at |ThreatTimestamp| and was
    ||ThreatActionTaken||. For more information, check the Windows Event
    Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5
  (TAMPER)
    "Tampering has been detected with Exploit Prevention's monitoring of
    processes on this computer."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N
  (all but SMEP and TAMPER; no API name or caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It
    wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N
  (all but SMEP and TAMPER; with API name)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which
    targeted the |APIName|) API. It wasn't blocked because Exploit Prevention
    was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N
  (all but SMEP and TAMPER; with a caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called
    from module |CallerModule|, which targeted the |APIName| API. It wasn't
    blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N
  (SMEP)
    "|ThreatName| attempted an exploit at |ThreatTimestamp|. For more
    information, check the Windows Event Viewer for record number
    |TargetName|. It wasn't blocked because Exploit Prevention was set to
    Report Only."


Strings from ScriptScan

Each entry gives the NLS tag, followed by its message string:

IDS_NATURAL_LANG_DETECTION_SS_URL
    "|TargetUserName| ran |TargetProcessName|, which accessed |TargetURL|. The
    ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_DETECTION_SS_FILE
    "|TargetUserName| ran |TargetProcessName|, which accessed
    |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was
    detected and blocked."


Strings from ODS

Each entry gives the NLS tag, followed by its message string:

IDS_NATURAL_LANG_ODS_DETECTION_NONE
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    Both the primary (||FirstAttemptedAction||) and secondary
    (||SecondAttemptedAction||) actions failed, so the scanner took no
    action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    The file was deleted."
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    Due to an error, no additional information is available."
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning the boot sector of volume
    |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary
    (||SecondAttemptedAction||) actions failed, so the scanner took no
    action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning the boot sector of volume
    |TargetPath|:. The boot sector was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_ENC
    "|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could
    not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan
    |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan
    |TargetName| because the file size exceeds the configured maximum file
    size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan
    |TargetName| because the file is corrupt."
IDS_NATURAL_LANG_ODS_DETECTION_DLP
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the
    threat ||ThreatType|| named |ThreatName| while scanning
    |TargetPath|\|TargetName| but the file can't be deleted because it's
    locked. The file will be deleted when the file isn't locked. To identify
    the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the
    threat ||ThreatType|| named |ThreatName| while scanning
    |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan
    |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan
    |TargetName| because the scanner doesn't have access rights to it."
IDS_NATURAL_LANG_ODS_DETECTION_DLR
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the
    threat ||ThreatType|| named |ThreatName| while scanning
    |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the
    threat ||ThreatType|| named |ThreatName| while scanning
    |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the
    threat ||ThreatType|| named |ThreatName| while scanning
    |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR
    "The on-demand scan detected a threat but, due to an error, no additional
    information is available."
IDS_ALERT_ACT_TAK_CONT
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the
    ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|.
    The scanner took the following action: ||ThreatActionTaken||."


Strings from Dynamic Application Containment (DAC)

Each entry gives the NLS tag, followed by its message string:

IDS_NATURAL_LANG_DESC_DAC_1
    "The application |SourceFilePath|\|SourceProcessName| was contained at the
    request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2
    "|RequesterDisplayName| requested to contain the application
    |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3
    "The application |SourceFilePath|\|SourceProcessName| was released from
    containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4
    "|RequesterDisplayName| requested to release the application
    |SourceFilePath|\|SourceProcessName|. However, the application is still
    contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5
    "|RequesterDisplayName| request to contain
    |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and
    the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6
    "|RequesterDisplayName| request to contain
    |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7
    "|RequesterDisplayName| request to contain
    |SourceFilePath|\|SourceProcessName| was removed and the application was
    released from containment because Dynamic Application Containment was
    uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8
    "|RequesterDisplayName| request to contain
    |SourceFilePath|\|SourceProcessName| was removed because Dynamic
    Application Containment was uninstalled."

Event IDs Index

In ePO, the extension folder (for example,
%install dir%\server\extensions\installed\ENDP_AM_1000) contains
strings_en.properties, from which you can get the following event information
for ENS.
 

Event ID | Event Information | ENS Module
---------|-------------------|-----------
1024 | Infected file found. | Threat Prevention
1025 | Infected file successfully Cleaned. | Threat Prevention
1027 | Infected file deleted. | Threat Prevention
1037 | Infected boot record found | Threat Prevention
1051 | Unable to scan password protected | Threat Prevention
1059 | Scan Timed Out | Threat Prevention
1064 | Service was started. | Threat Prevention
1065 | Service ended. | Threat Prevention
1087 | On-access Scan started | Threat Prevention
1088 | On-access scan stopped. | Threat Prevention
1091 | JavaScript or VBScript security violation detected and blocked | Threat Prevention
1092 | Access Protection rule violation detected and blocked | Threat Prevention
1095 | Access Protection rule violation detected and NOT blocked | Threat Prevention
1096 | event_name_1096=Port blocking rule violation detected and NOT blocked; event_desc_1096=Port blocking rule violation detected and NOT blocked | Threat Prevention
1102 | event_name_1102=Multiple extension heuristic detection - moved; event_desc_1102=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1103 | event_name_1103=Prescan needed; event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1104 | event_name_1104=Multiple extension heuristic detection - delete on reboot; event_desc_1104=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1106 | event_name_1106=Multiple extension heuristic detection - message deleted; event_desc_1106=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1118 | The update was successful | Common
1119 | The update failed; see event log | Common
1120 | The update is running | Common
1121 | The update was cancelled | Common
1202 | event_name_1202=On-Demand Scan started; event_desc_1202=On-Demand Scan started | Threat Prevention
1203 | event_name_1203=On-Demand Scan complete; event_desc_1203=On-Demand Scan complete | Threat Prevention
1278 | file infected. No cleaner available, file deleted successfully | Threat Prevention
1280 | file infected. Undetermined clean error, deleted successfully | Threat Prevention
1282 | file infected. No cleaner available, delete failed | Threat Prevention
1284 | file infected. Undetermined clean error, delete failed | Threat Prevention
1290 | file infected. No cleaner available, OAS denied access and continued | Threat Prevention
1292 | file infected. Undetermined clean error, OAS denied access and continued | Threat Prevention
1300 | file infected. Delete failed, denied access and continued (OAS) | Threat Prevention
1301 | event_name_1301=Multiple extension heuristic detection - clean error, quarantined successfully; event_desc_1301=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1302 | event_name_1302=Multiple extension heuristic detection - move failed, clean error; event_desc_1302=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1303 | event_name_1303=Multiple extension heuristic detection - clean error, deleted successfully; event_desc_1303=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1304 | event_name_1304=Multiple extension heuristic detection - clean error, delete failed; event_desc_1304=The file %FILENAME% detected with multiple extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1305 | event_name_1305=Multiple extension heuristic detection - clean error, denied access and continued; event_desc_1305=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1306 | event_name_1306=Multiple extension heuristic detection - move failed, deleted successfully; event_desc_1306=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1307 | event_name_1307=Multiple extension heuristic detection - move failed, delete failed; event_desc_1307=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1308 | event_name_1308=Multiple extension heuristic detection - move failed, denied access and continued; event_desc_1308=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1309 | event_name_1309=Multiple extension heuristic detection - delete failed, quarantined successfully; event_desc_1309=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1310 | event_name_1310=Multiple extension heuristic detection - delete failed, quarantine failed; event_desc_1310=The file %FILENAME% detected with multiple extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1311 | event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued; event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1312 | event_name_1312=Move failed, delete failed, file will be deleted on reboot; event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1313 | event_name_1313=Multiple extension heuristic detection - move failed, delete failed, file will be deleted on reboot; event_desc_1313=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1314 | event_name_1314=Encrypted file - clean error, delete on reboot; event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1315 | event_name_1315=Heuristic detection - clean error, delete on reboot; event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1316 | event_name_1316=Multiple extension heuristic detection - clean error, delete on reboot; event_desc_1316=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1317 | event_name_1317=No cleaner available - clean error, delete on reboot; event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1318 | event_name_1318=Undetermined - clean error, delete on reboot; event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1319 | event_name_1319=Undetermined - clean error, message deleted; event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1320 | event_name_1320=Encrypted - clean error, message deleted; event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1321 | event_name_1321=Heuristic detection - clean error, message deleted; event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1322 | event_name_1322=Multiple extension heuristic detection - clean error, message deleted; event_desc_1322=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1323 | event_name_1323=Clean error, message deleted; event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1324 | event_name_1324=Move failed, message deleted; event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1325 | event_name_1325=Multiple extension heuristic detection - move failed, message deleted; event_desc_1325=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1326 | event_name_1326=Clean error, message deleted; event_desc_1326=Clean error, message deleted | Threat Prevention
1327 | event_name_1327=Move failed, message deleted; event_desc_1327=Move failed, message deleted | Threat Prevention
1328 | event_name_1328=Move failed, message delete (multiple extensions); event_desc_1328=Move failed, message delete (multiple extensions) | Threat Prevention
1400 | event_name_1400=User defined object detected, no Action Taken; event_desc_1400=User defined object detected, no Action Taken | Threat Prevention
1401 | event_name_1401=Clean failed (user defined detection), no Action Taken; event_desc_1401=Clean failed (user defined detection), no Action Taken | Threat Prevention
1402 | event_name_1402=Clean failed (user defined detection), Move failed; event_desc_1402=Clean failed (user defined detection), Move failed | Threat Prevention
1403 | event_name_1403=Moved (user defined detection), Clean failed; event_desc_1403=Moved (user defined detection), Clean failed | Threat Prevention
1404 | event_name_1404=Clean failed (user defined detection), Delete failed; event_desc_1404=Clean failed (user defined detection), Delete failed | Threat Prevention
1405 | event_name_1405=Deleted (user defined detection), Clean failed; event_desc_1405=Deleted (user defined detection), Clean failed | Threat Prevention
1406 | event_name_1406=Moved (user defined detection); event_desc_1406=Moved (user defined detection) | Threat Prevention
1407 | event_name_1407=Move failed(user defined detection), Delete failed; event_desc_1407=Move failed(user defined detection), Delete failed | Threat Prevention
1408 | event_name_1408=Deleted (user defined detection), Move failed; event_desc_1408=Deleted (user defined detection), Move failed | Threat Prevention
1409 | event_name_1409=Move failed(user defined detection), no Action Taken; event_desc_1409=Move failed(user defined detection), no Action Taken | Threat Prevention
1410 | event_name_1410=Deleted (user defined detection); event_desc_1410=Deleted (user defined detection) | Threat Prevention
1411 | event_name_1411=Delete failed (user defined detection), Move failed; event_desc_1411=Delete failed (user defined detection), Move failed | Threat Prevention
1412 | event_name_1412=Moved (user defined detection), Delete failed; event_desc_1412=Moved (user defined detection), Delete failed | Threat Prevention
1413 | event_name_1413=Delete failed (user defined detection), no Action Taken; event_desc_1413=Delete failed (user defined detection), no Action Taken | Threat Prevention
1414 | event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot; event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot | Threat Prevention
1415 | event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot; event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot | Threat Prevention
1416 | event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot; event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot | Threat Prevention
1417 | event_name_1417=Email message deleted (user defined detection); event_desc_1417=Email message deleted (user defined detection) | Threat Prevention
1418 | event_name_1418=Email message deleted (user defined detection), Clean failed; event_desc_1418=Email message deleted (user defined detection), Clean failed | Threat Prevention
1419 | event_name_1419=Email message deleted (user defined detection), Move failed; event_desc_1419=Email message deleted (user defined detection), Move failed | Threat Prevention
1420 | event_name_1420=Email message deleted (user defined detection), Delete failed; event_desc_1420=Email message deleted (user defined detection), Delete failed | Threat Prevention
1421 | event_name_1421=Clean error as no cleaner was available, and delete pending; event_desc_1421=Clean error as no cleaner was available, and delete pending | Threat Prevention
1422 | event_name_1422=Clean failed for heuristic detection, delete pending; event_desc_1422=Clean failed for heuristic detection, delete pending | Threat Prevention
1423 | event_name_1423=Clean error (undetermined error), delete pending; event_desc_1423=Clean error (undetermined error), delete pending | Threat Prevention
1424 | event_name_1424=Clean failed for encrypted file, delete pending; event_desc_1424=Clean failed for encrypted file, delete pending | Threat Prevention
1425 | event_name_1425=Clean error (multiple extension heuristic detection), delete pending; event_desc_1425=Clean error (multiple extension heuristic detection), delete pending | Threat Prevention
1426 | event_name_1426=Move failed, delete pending; event_desc_1426=Move failed, delete pending | Threat Prevention
1427 | event_name_1427=Move failed (multiple extension heuristic detection), delete pending; event_desc_1427=Move failed (multiple extension heuristic detection), delete pending | Threat Prevention
1428 | event_name_1428=Delete pending, a file still exists; event_desc_1428=Delete pending, a file still exists | Threat Prevention
1429 | event_name_1429=Delete pending (multiple extension heuristic detection); event_desc_1429=Delete pending (multiple extension heuristic detection) | Threat Prevention
1430 | event_name_1430=User-defined detection, delete pending; event_desc_1430=User-defined detection, delete pending | Threat Prevention
1431 | event_name_1431=User-defined detection, move failed, delete pending; event_desc_1431=User-defined detection, move failed, delete pending | Threat Prevention
18051 | event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP); event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP) | Threat Prevention
18052 | event_name_18052=Buffer Overflow detected and blocked (GBOP); event_desc_18052=Buffer Overflow detected and blocked (GBOP) | Threat Prevention
18053 | event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP); event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP) | Threat Prevention
18054 | event_name_18054=An exploit was attempted and blocked; event_desc_18054=An exploit was attempted and blocked | Threat Prevention
18055 | event_name_18055=A suspicious call was detected and blocked; event_desc_18055=A suspicious call was detected and blocked | Threat Prevention
18056 | event_name_18056=Buffer Overflow detected and blocked (DEP); event_desc_18056=Buffer Overflow detected and blocked (DEP) | Threat Prevention
18057 | event_name_18057=Tampering with Exploit Prevention has been detected.; event_desc_18057=Tampering with Exploit Prevention has been detected. | Threat Prevention
18058 | event_name_18058=Access Protection rule violation detected; event_desc_18058=Access Protection rule violation detected | Threat Prevention
18059 | event_name_18059=Network intrusion detected and handled; event_desc_18059=Network intrusion detected and handled | Threat Prevention
18060 | event_name_18060=Exploit Prevention Files/Process/Registry violation detected; event_desc_18060=Exploit Prevention Files/Process/Registry violation detected | Threat Prevention
18600 | event_name_18600=Browser navigation; event_desc_18600=Browser navigation | Web Protection
18601 | event_name_18601=Browser file download; event_desc_18601=Browser file download | Web Protection
34852 | event_name_34852=On-Demand Scan Paused; event_desc_34852=On-Demand Scan Paused | Threat Prevention
34853 | event_name_34853=On-Demand Scan Auto-Paused; event_desc_34853=On-Demand Scan Auto-Paused | Threat Prevention
34854 | event_name_34854=On-Demand Scan Resumed; event_desc_34854=On-Demand Scan Resumed | Threat Prevention
34855 | event_name_34855=On-Demand Scan Canceled or Stopped; event_desc_34855=On-Demand Scan Canceled or Stopped | Threat Prevention
34857 | event_name_34857=Client interface logon audit; event_desc_34857=Client interface logon audit | Common
34865 | event_name_34865=DLL Injection Event; event_desc_34865=DLL Injection Event | Common
34900 | event_name_34900=On-Demand Scan Deferred; event_desc_34900=On-Demand Scan Deferred | Threat Prevention
34910 | event_name_34910=Quarantined Item Restored; event_desc_34910=Quarantined Item Restored | Threat Prevention
34920 | event_name_34920=Roll back successful; event_desc_34920=Roll back successful | Threat Prevention
34921 | event_name_34921=Roll back failed; event_desc_34921=Roll back failed | Threat Prevention
34922 | event_name_34922=Roll back did not occur; event_desc_34922=Roll back did not occur | Threat Prevention
34923 | event_name_34923=The item was corrupt; event_desc_34923=The item was corrupt | Threat Prevention
34924 | event_name_34924=The object was not scanned due to a sharing violation; event_desc_34924=The object was not scanned due to a sharing violation | Threat Prevention
34925 | event_name_34925=The object was not scanned because the scanner does not have enough rights to read it; event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it | Threat Prevention
34926 | event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan; event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan | Threat Prevention
34928 | event_name_34928=Threat Prevention False Positive Mitigation; event_desc_34928=Threat Prevention False Positive Mitigation | Threat Prevention
34935 | event_name_34935=Script security violation detected and blocked by AMSI; event_desc_34935=Script security violation detected and blocked by AMSI | Threat Prevention
34936 | event_name_34936=Script security violation detected and deleted by AMSI; event_desc_34936=Script security violation detected and deleted by AMSI | Threat Prevention
34937 | event_name_34937=Script security violation detected, AMSI would block; event_desc_34937=Script security violation detected, AMSI would block | Threat Prevention
34938 | event_name_34938=Script security violation detected, AMSI would delete; event_desc_34938=Script security violation detected, AMSI would delete | Threat Prevention
35000 | event_name_35000=Traffic allowed by Firewall; event_desc_35000=Traffic allowed by Firewall | Firewall
35001 | event_name_35001=Firewall intrusion detected and handled; event_desc_35001=Firewall intrusion detected and handled | Firewall
35002 | event_name_35002=Traffic blocked by Firewall; event_desc_35002=Traffic blocked by Firewall | Firewall
35003 | event_name_35003=Firewall added adaptive rule; event_desc_35003=Firewall added adaptive rule | Firewall
35009 | event_name_35009=Firewall is disabled from Mctray; event_desc_35009=Firewall is disabled from Mctray | Firewall
35010 | event_name_35010=Firewall timed groups are enabled from McTray; event_desc_35010=Firewall timed groups are enabled from McTray | Firewall
35011 | event_name_35011=Firewall policy was corrupt and has been repaired; event_desc_35011=Firewall policy was corrupt and has been repaired | Firewall
35012 | event_name_35012=Firewall policy has been replaced with a new copy; event_desc_35012=Firewall policy has been replaced with a new copy | Firewall
35100 | event_name_35100=Adaptive Threat Protection Access Protection Violation; event_desc_35100=Adaptive Threat Protection Access Protection Violation | Threat Intelligence Exchange / ATP
35101 | event_name_35101=Adaptive Threat Protection False Positive Mitigation; event_desc_35100=Adaptive Threat Protection for Endpoint Security reversed a VirusScan conviction. | Threat Intelligence Exchange / ATP
35102 | event_name_35102=Adaptive Threat Protection Would Block; event_desc_35102=Adaptive Threat Protection Would Block | Threat Intelligence Exchange / ATP
35103 | event_name_35103=Adaptive Threat Protection Would Allow; event_desc_35103=Adaptive Threat Protection Would Allow | Threat Intelligence Exchange / ATP
35104 | event_name_35104=Adaptive Threat Protection Block; event_desc_35104=Adaptive Threat Protection Block | Threat Intelligence Exchange / ATP
35105 | event_name_35105=Adaptive Threat Protection Allow; event_desc_35105=Adaptive Threat Protection Allow | Threat Intelligence Exchange / ATP
35106 | event_name_35106=Adaptive Threat Protection Would Clean; event_desc_35106=Adaptive Threat Protection Would Clean | Threat Intelligence Exchange / ATP
35107 | event_name_35107=Adaptive Threat Protection Clean; event_desc_35107=Adaptive Threat Protection Clean | Threat Intelligence Exchange / ATP
35111 | event_name_35111=Threat Intelligence Would Contain; event_desc_35111=If Threat Intelligence module for Endpoint Security were enabled it would have contained this object. | Threat Intelligence Exchange / ATP
35112 | event_name_35112=Threat Intelligence Contain; event_desc_35112=Threat Intelligence module for Endpoint Security contained this object either by reputation. | Threat Intelligence Exchange / ATP
35113 | event_name_35113=Threat Intelligence Would Release; event_desc_35113=If Threat Intelligence module for Endpoint Security were enabled it would have released this object from containment. | Threat Intelligence Exchange / ATP
35114 | event_name_35114=Threat Intelligence Release; event_desc_35114=Threat Intelligence module for Endpoint Security released this object from containment. | Threat Intelligence Exchange / ATP
35116 | event_name_35116=Adaptive Threat Protection Block Source; event_desc_35116=Endpoint Security Adaptive Threat Protection blocked the execution of this object either by reputation or user prompt. | Threat Intelligence Exchange / ATP
35117 | event_name_35117=Adaptive Threat Protection Would Block Source; event_desc_35117=If Endpoint Security Adaptive Threat Protection was enabled, it would have blocked this object. | Threat Intelligence Exchange / ATP
37275 | event_name_37275=Application contained; event_desc_37275=Application contained | Threat Intelligence Exchange / ATP
37276 | event_name_37276=Application released from containment; event_desc_37276=Application released from containment | Threat Intelligence Exchange / ATP
37277 | event_name_37277=Requester added to contained application; event_desc_37277=Requester added to contained application | Threat Intelligence Exchange / ATP
37278 | event_name_37278=Requester removed from contained application; event_desc_37278=Requester removed from contained application | Threat Intelligence Exchange / ATP
37279 | event_name_37279=Dynamic Application Containment violation blocked; event_desc_37279=Dynamic Application Containment violation blocked | Threat Intelligence Exchange / ATP
37280 | event_name_37280=Dynamic Application Containment violation allowed; event_desc_37280=Dynamic Application Containment violation allowed | Threat Intelligence Exchange / ATP
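The table above is most useful when the event_name_<ID> / event_desc_<ID> strings are loaded into whatever consumes ENS events (a SIEM parser, a triage script), so that a raw event ID arrives with its name, module and a rendered description. The following is an added example written for this article, not Trellix or ePO code: it parses a constructed excerpt in the key=value layout quoted above, fills the %FILENAME%-style placeholders from an event's field values, and flags the observe-only variants ("NOT blocked", "Would Block", "AMSI would block") that mean a policy was in report mode rather than enforced. The module assignments are copied from the table for the sample IDs only; the sample properties text, the field values and the report-only heuristic are this example's own constructions.

```python
"""Added example: load ENS event strings into a lookup and enrich raw event IDs.

Illustrative code for this article, not Trellix/ePO code. Parses the
event_name_<ID>= / event_desc_<ID>= keys in the layout the article quotes from
strings_en.properties, then enriches event IDs and flags report-only outcomes.
"""
import re
from typing import Dict, Optional

# Constructed excerpt in the key=value layout shown in the article (not a real file).
SAMPLE_PROPERTIES = """\
# constructed excerpt for demonstration
event_name_1095=Access Protection rule violation detected and NOT blocked
event_desc_1095=Access Protection rule violation detected and NOT blocked
event_name_1103=Prescan needed
event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
event_name_34937=Script security violation detected, AMSI would block
event_desc_34937=Script security violation detected, AMSI would block
event_name_35102=Adaptive Threat Protection Would Block
event_desc_35102=Adaptive Threat Protection Would Block
event_name_35104=Adaptive Threat Protection Block
event_desc_35104=Adaptive Threat Protection Block
some.other.key=unrelated key, ignored by the parser
"""

# ENS module per event ID, copied from the article's table for the sample IDs only.
MODULE_BY_ID: Dict[int, str] = {
    1095: "Threat Prevention",
    1103: "Threat Prevention",
    18052: "Threat Prevention",
    34937: "Threat Prevention",
    35102: "Threat Intelligence Exchange / ATP",
    35104: "Threat Intelligence Exchange / ATP",
}

KEY_RE = re.compile(r"^event_(name|desc)_(\d+)\s*=\s*(.*)$")
# Heuristic over the wording of the event names on this page: "NOT blocked" and
# "Would ..." mark report-only outcomes where nothing was enforced.
OBSERVE_ONLY_RE = re.compile(r"\bwould\b|\bNOT blocked\b", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"%([A-Z]+)%")


def parse_event_strings(text: str) -> Dict[int, Dict[str, str]]:
    """Return {event_id: {"name": ..., "desc": ...}} from properties-style text.

    Blank lines, comments and unrelated keys are skipped. Backslash line
    continuations of Java .properties files are not handled: the event keys
    quoted in the article are single-line.
    """
    events: Dict[int, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = KEY_RE.match(line)
        if not match:
            continue
        kind, event_id, value = match.group(1), int(match.group(2)), match.group(3).strip()
        events.setdefault(event_id, {})[kind] = value
    return events


def is_observe_only(event_name: str) -> bool:
    """True for names that describe a report-only outcome (nothing was enforced)."""
    return bool(OBSERVE_ONLY_RE.search(event_name))


def render_description(desc_template: str, fields: Dict[str, str]) -> str:
    """Fill %FILENAME%-style placeholders from an event's field values.

    Unknown placeholders are left untouched so a missing field stays visible.
    """
    return PLACEHOLDER_RE.sub(lambda m: fields.get(m.group(1), m.group(0)), desc_template)


def enrich(event_id: int, events: Dict[int, Dict[str, str]],
           fields: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Attach module, name, rendered description and a report-only flag to a raw ID."""
    entry = events.get(event_id)
    module = MODULE_BY_ID.get(event_id, "unknown")
    if entry is None:
        return {"event_id": event_id, "module": module, "name": "unknown",
                "desc": "", "report_only": False}
    name = entry.get("name", "")
    return {
        "event_id": event_id,
        "module": module,
        "name": name,
        "desc": render_description(entry.get("desc", ""), fields or {}),
        "report_only": is_observe_only(name),
    }


if __name__ == "__main__":
    table = parse_event_strings(SAMPLE_PROPERTIES)
    # Constructed field values standing in for what a real event record carries.
    sample_fields = {"FILENAME": "C:\\Users\\demo\\sample.bin", "VIRUSNAME": "Sample.Threat",
                     "VIRUSTYPE": "Test", "ENGINEVERSION": "0000.0", "DATVERSION": "0000.0"}
    for eid in (1095, 1103, 18052, 34937, 35102, 35104, 99999):
        print(enrich(eid, table, sample_fields))
```

A useful follow-on check is to count report_only hits per endpoint: a steady stream of 1095, 34937 or 35102 events shows rules or reputation thresholds that are still in observe mode, while the enforced counterparts (1092, 34935, 35104) never appearing for the same objects is the signal that the policy has not been switched to block.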









AFFECTED PRODUCTS

 * Endpoint Security Adaptive Threat Protection
 * Endpoint Security Firewall 10.7.x
 * Endpoint Security Firewall 10.6.x
 * Endpoint Security Threat Prevention 10.7.x
 * Endpoint Security Threat Prevention 10.6.x
 * Endpoint Security Web Control 10.7.x
 * Endpoint Security Web Control 10.6.x


LANGUAGES:

This article is available in the following languages:

 * German
 * English United States
 * Spanish Spain
 * French
 * Italian
 * Japanese
 * Portuguese Brasileiro
 * Chinese Simplified

