Endpoint Security Natural Language String event messaging index
Technical Articles ID: KB85494
Last Modified: 3/21/2019

Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
McAfee ENS Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x

Summary

This article explains ENS event messages. ENS event messaging uses Natural Language Strings (NLS). ENS logs threat data, including threat origin and duration before detection, in NLS. You can access this information from the management consoles and from the Event Log in the Endpoint Security Client. NLS provides descriptive explanations that give context around threat events. Some events might require more explanation than can fit in the short string of text found in an event. If a specific event is missing from a table below, McAfee believed it did not require further explanation. This article will be amended as needed in response to requests from customers through our Technical Support team.

NOTE: Various event messages refer to this article (KB85494) for more information.

It is possible for a single event ID to exhibit different natural language strings. Each event ID has a specific meaning, but details in the event shape the type of language used to express that event's details. For example, one instance of Event ID 1272 might contain all expected information, so an NLS is chosen that best describes all that information. Another instance of Event ID 1272 might be missing the process name. Instead of using a blank to represent the process name, which would be confusing, we use a different NLS that omits the process name but still explains the rest of the known detail.
 
Factors that influence an NLS message include:
  • Whether an Attack Vector is local or remote
  • Whether an event is for an On-Access Scan (OAS) or On-Demand Scan (ODS)
  • Action taken (Cleaned, Deleted, Delete Pending, Access Denied, Continue, None, Moved, Blocked, or Generic)
  • Presence or absence of errors (Repair Failed, DeleteOnReboot, FailedDeleteFile, BackupFailed, or FailedDeletePending)
  • Object type (whether the object is a boot sector)
  • Whether the process name is supplied
The following is a comparison of traditional and NLS event messaging for a detection that resulted in No Action being taken:

Traditional messaging syntax:
 
NLS messaging syntax:
"<domain>\<user> ran <process name>, which attempted to access <path>\<filename>. The <malware type> named <malware name> was detected and access to the file was denied."
 
Example NLS detection message:
"Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied."

Contents
The string "Additional research is required to identify what process holds the file-lock, see KB85494" displays in some OAS event messages and refers customers to this KB article for more information. In this scenario, the product has denied access to an infected file and tried to delete the file, but could not do so at the time the detection occurred. The delete fails because a file-lock prevents Windows from deleting the file in response to our request. To ensure that the malicious file is deleted, we will continue to deny access to the file and will delete it when we are able to. If you would like to investigate what processes currently have this file-lock open, use the following tools.

Windows Task Manager
  1. Open Task Manager while logged on as an Administrator by pressing Ctrl+Shift+Esc.
  2. Click the Performance tab.
  3. Click Resource Monitor.
  4. Click the CPU tab.
  5. In the section Associated Handles, search for the file name in question. A partial file name might suffice.
  6. Wait for the search results.
Process Explorer
  1. Run Process Explorer as an Administrator.
  2. Click the Find menu, and select Find Handle or DLL.
  3. Search for the file name in question.
  4. Wait for the search results.
When a process has been identified, take appropriate next steps. Assess the process behavior by evaluating whether:
  • The file in use must be used by the process
  • The process is safe or trusted
  • It is safe to terminate the process
  • You must capture any data about this process to submit to Technical Support for investigation
The string "For information on how to respond to this event, see KB85494" displays in some Access Protection rule violation event messages and refers customers to this KB article for more information. In this scenario, an action was blocked in accordance with the definition of the rule that was described in the event message itself. These violations are not false positives. It is not possible for the Access Protection feature to return a false positive because it is matching on whether a behavior occurred rather than using virus definitions or signatures.

Determine whether the behavior was expected:
  • If expected, you must either:
    • Accept or ignore the data
    • Create an exclusion for the specified rule to exclude the process that is violating the rule
  • If not expected, investigate the behavior further because either:
    • The behavior is occurring because of malware that has infiltrated the process
    • The behavior is normal and needs to be reclassified as expected behavior, in which case follow the previous bullet for expected behavior
If the events become too frequent, take action to keep the data from filling your ePolicy Orchestrator database, which can cause the SQL Server to run out of disk space, network latency, or both.

Actions can include:
  • Purging events from the database
  • Freeing disk space
  • Configuring the agent to filter out (no longer send) the specific event
  • Deleting unprocessed events from the ePolicy Orchestrator Events folder
  • Deleting accumulated events from client machines that have not yet sent them to ePolicy Orchestrator
Currently there is little that can be done from the centralized administration point (ePolicy Orchestrator server) or its Agent Handlers except to reconfigure the agents to filter out the event.
The following table lists event IDs and the NLS that might accompany them.
 
NOTE: This table contains common events, actions, and their associated NLS. It provides a correlation between event IDs by feature and the possible selection of NLS that might be used for the event depending on natural string selection criteria. The NLS tag, shown in the last column, is further explained in the following tables.

| Feature | Action Taken | Event IDs | Possible NLS |
|---|---|---|---|
| OAS | Cleaned | 1025, 1060 | IDS_NATURAL_LANG_OAS_DETECTION_CLN, IDS_NATURAL_LANG_OAS_DETECTION_R_CLN, IDS_NATURAL_LANG_OAS_DETECTION_B_CLN |
| OAS | Deleted | 1027, 1028, 1054, 1055, 1101, 1104, 1278, 1279, 1280, 1281, 1293, 1303, 1306, 1312, 1313, 1314, 1315, 1316, 1317, 1318, 1319, 1320, 1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1405, 1408, 1410, 1414, 1415, 1416, 1417, 1418, 1419, 1420 | IDS_NATURAL_LANG_OAS_DETECTION_DEL, IDS_NATURAL_LANG_OAS_DETECTION_R_DEL |
| OAS | Access Denied | 1024, 1026, 1037, 1053, 1061, 1100, 1274, 1275, 1276, 1277, 1282, 1283, 1284, 1285, 1289, 1290, 1291, 1292, 1294, 1296, 1298, 1300, 1302, 1304, 1305, 1307, 1308, 1310, 1311, 1401, 1402, 1404, 1407, 1409, 1411, 1413 | IDS_NATURAL_LANG_OAS_DETECTION_DEN, IDS_NATURAL_LANG_OAS_DETECTION_R_DEN, IDS_NATURAL_LANG_OAS_DETECTION_B_DEN, IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME |
| OAS | Continue | 1400 | IDS_NATURAL_LANG_OAS_DETECTION_NON, IDS_NATURAL_LANG_OAS_DETECTION_R_NON, IDS_NATURAL_LANG_OAS_DETECTION_NON_NOACTORPROCNAME |
| OAS | Moved | 1032, 1056, 1102, 1270, 1271, 1272, 1273, 1297, 1301, 1309, 1403, 1406, 1412 | IDS_NATURAL_LANG_OAS_DETECTION_MOV, IDS_NATURAL_LANG_OAS_DETECTION_R_MOV |
| OAS | Delete Pending | 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431 | IDS_NATURAL_LANG_OAS_DETECTION_DLP, IDS_NATURAL_LANG_OAS_DETECTION_R_DLP, IDS_NATURAL_LANG_OAS_DETECTION_DLP_NOACTORPROCNAME |
| ODS | Cleaned | 1025, 1060 | IDS_NATURAL_LANG_ODS_DETECTION_CLEANED, IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED |
| ODS | Delete Pending | 1421, 1422, 1423, 1424, 1425, 1426, 1427, 1428, 1429, 1430, 1431 | IDS_NATURAL_LANG_ODS_DETECTION_DLP |
| ODS | Delete | 1027, 1028, 1054, 1055, 1101, 1104, 1278, 1279, 1280, 1281, 1293, 1303, 1306, 1312, 1313, 1314, 1315, 1316, 1317, 1318, 1319, 1320, 1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328, 1405, 1408, 1410, 1414, 1415, 1416, 1417, 1418, 1419, 1420 | IDS_NATURAL_LANG_ODS_DETECTION_DELETED |
| ODS | Continue | 1024, 1026, 1037, 1051, 1053, 1059, 1061, 1095, 1096, 1099, 1100, 1103, 1202, 1203, 1274, 1275, 1276, 1277, 1282, 1283, 1284, 1285, 1289, 1290, 1291, 1292, 1294, 1296, 1298, 1300, 1302, 1304, 1305, 1307, 1308, 1310, 1311, 1400, 1401, 1402, 1404, 1407, 1409, 1411, 1413, 1064, 1065, 1087, 1088, 1118, 1119, 1120, 1121 | IDS_NATURAL_LANG_ODS_DETECTION_GENERIC |
| Access Protection/System Protection | Block | 1092 | IDS_NATURAL_LANG_DESC_DETECTION_APSP_1, IDS_NATURAL_LANG_DESC_DETECTION_APSP_2, IDS_NATURAL_LANG_DESC_DETECTION_APSP_3 |
| Access Protection/System Protection | WouldBlock | 1095 | IDS_NATURAL_LANG_DESC_DETECTION_APSP_4, IDS_NATURAL_LANG_DESC_DETECTION_APSP_5, IDS_NATURAL_LANG_DESC_DETECTION_APSP_6 |

Strings from On-Access Scan
 
Event IDs
NLS
IDS_NATURAL_LANG_OAS_DETECTION_DEL "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
   
IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_NON_NOACTORPROCNAME "Attempted to access |TargetPath|\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved." 
   
IDS_NATURAL_LANG_OAS_DETECTION_BLO "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||."
   
IDS_NATURAL_LANG_OAS_DETECTION_ENC "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2 "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO "|TargetUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2 "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2 "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner couldn't scan the file because it is corrupted."
   
IDS_NATURAL_LANG_OAS_DETECTION_DLP "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_DLP_NOACTORPROCNAME "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
   
IDS_NATURAL_LANG_OAS_DETECTION_NRP "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2 "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2 "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
   

IDS_NATURAL_LANG_OAS_DETECTION_R_DEL "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
   
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR "The scanner detected a threat but, due to an error, no additional information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO "The scanner detected a threat while scanning |TargetName| but, due to an error, no additional information is available."

Strings from Exploit Prevention
 
Event IDs
NLS
IDS_NATURAL_LANG_DESC_DETECTION_APSP_1 "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2 "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3 "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
   
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4 "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5 "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6 "|SourceUserName| ran |SourceProcessName|, which accessed the process |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
   
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp| and was ||ThreatActionTaken||. For more information, check the Windows Event Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5
TAMPER
"Tampering has been detected with Exploit Prevention's monitoring of processes on this computer."
   
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName|) API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp|. For more information, check the Windows Event Viewer for record number |TargetName|. It wasn't blocked because Exploit Prevention was set to Report Only."
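
The following Python is an added example, not McAfee code and not part of the original article. It turns a subset of the NLS templates from the tables above into regular expressions so that a rendered message can be mapped back to its NLS tag and fields, then tallies Access Protection violations per rule and process and lists the locked files from Delete Pending events, which are the two follow-ups this article describes. The sample messages and rule names are constructed, and it assumes the \" escapes in the tables render as plain quotation marks.

```python
import re
from collections import Counter

# NLS templates copied from the tables on this page, one "TAG template" per line.
# Assumption: the \" escapes shown in the tables render as a plain " in the message.
TEMPLATE_TEXT = r'''
IDS_NATURAL_LANG_OAS_DETECTION_DEN |TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied.
IDS_NATURAL_LANG_OAS_DETECTION_DEN_NOACTORPROCNAME Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and access to the file was denied.
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN |TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied.
IDS_NATURAL_LANG_OAS_DETECTION_DLP |TargetUserName| ran "|SourceProcessName|", which attempted to access "|TargetPath|\|TargetName|". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2 |SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule "||AnalyzerRuleName||" and was blocked. For information on how to respond to this event, see KB85494.
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5 |SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule "||AnalyzerRuleName||". Access was allowed because the rule wasn't configured to block.
'''

# Constructed sample messages (not real telemetry); the first is the example
# detection message quoted earlier on this page. Rule names are made up.
SAMPLE_LOG = r'''
Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied.
Attempted to access C:\data\temp\eicar.com. The threat Test Virus named Eicar Test File was detected and access to the file was denied.
C:\share\drop\eicar.com was accessed from the remote system 192.0.2.10. The Test Virus named Eicar Test File was detected and access to the file was denied.
Interweb\jsmith ran "winword.exe", which attempted to access "C:\data\temp\sample.doc". The threat Test Virus named Eicar Test File was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.
Interweb\svc_backup ran backup.exe, which attempted to access C:\data\app\settings.ini, violating the rule "Constructed rule A" and was blocked. For information on how to respond to this event, see KB85494.
Interweb\svc_backup ran backup.exe, which attempted to access C:\data\app\cache.db, violating the rule "Constructed rule A" and was blocked. For information on how to respond to this event, see KB85494.
Interweb\jsmith ran setup.exe, which accessed C:\data\app\settings.ini, violating the rule "Constructed rule B". Access was allowed because the rule wasn't configured to block.
Service was started.
'''.strip().splitlines()

# |Field| and ||Field|| both mark a substitution point; \1 forces matching delimiters.
PLACEHOLDER = re.compile(r"(\|{1,2})(\w+)\1")


def compile_template(template):
    """Turn one NLS template into a regex with a named group per field."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(2)
        if name == "TargetPath":
            body = ".+"        # greedy: the directory runs up to the last backslash
        elif name == "TargetName":
            body = r"[^\\]+?"  # a file name never contains a backslash
        else:
            body = ".+?"
        parts.append(f"(?P<{name}>{body})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


COMPILED = {
    tag: compile_template(text)
    for tag, text in (line.split(" ", 1) for line in TEMPLATE_TEXT.strip().splitlines())
}


def parse_nls(message):
    """Return (tag, fields) for the template matching the whole message, else None."""
    for tag, rx in COMPILED.items():
        m = rx.fullmatch(message)
        if m:
            return tag, m.groupdict()
    return None


def triage(messages):
    """Group parsed events into the follow-ups described in this article."""
    report = {"locked_files": [], "access_protection": Counter(), "unparsed": []}
    for msg in messages:
        parsed = parse_nls(msg)
        if parsed is None:
            report["unparsed"].append(msg)
            continue
        tag, f = parsed
        if "_APSP_" in tag:
            # Per the table on this page, APSP_1..3 are Block events, APSP_4..6 WouldBlock.
            outcome = "blocked" if tag[-1] in "123" else "allowed"
            key = (f["AnalyzerRuleName"], f["SourceProcessName"], outcome)
            report["access_protection"][key] += 1
        elif tag.endswith("_DLP"):
            # Delete Pending: the file is still on disk until the lock is released.
            report["locked_files"].append(f["TargetPath"] + "\\" + f["TargetName"])
    return report


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_nls(line))
    print(triage(SAMPLE_LOG))
```

The per-rule, per-process counts show which process is generating repeated violations of one rule, which is the input needed when deciding between an exclusion and an agent-side event filter.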

Strings from ScriptScan
 
Event IDs
NLS
IDS_NATURAL_LANG_DETECTION_SS_URL "|TargetUserName| ran |TargetProcessName|, which accessed |TargetURL|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_DETECTION_SS_FILE "|TargetUserName| ran |TargetProcessName|, which accessed |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."

Strings from On-Demand Scan
 
Event IDs
NLS
IDS_NATURAL_LANG_ODS_DETECTION_NONE "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was deleted."
   
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Due to an error, no additional information is available."
   
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. The boot sector was cleaned."
   
IDS_NATURAL_LANG_ODS_DETECTION_ENC "|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file size exceeds the configured maximum file size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file is corrupt."
   
IDS_NATURAL_LANG_ODS_DETECTION_DLP "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName| but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scanner doesn't have access rights to it."
   
IDS_NATURAL_LANG_ODS_DETECTION_DLR "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR "The on-demand scan detected a threat but, due to an error, no additional information is available."

Strings from Dynamic Application Containment (DAC)
 
Event IDs
NLS
IDS_NATURAL_LANG_DESC_DAC_1 "The application |SourceFilePath|\|SourceProcessName| was contained at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2 "|RequesterDisplayName| requested to contain the application |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3 "The application |SourceFilePath|\|SourceProcessName| was released from containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4 "|RequesterDisplayName| requested to release the application |SourceFilePath|\|SourceProcessName|. However, the application is still contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5 "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6 "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7 "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed and the application was released from containment because Dynamic Application Containment was uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8 "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed because Dynamic Application Containment was uninstalled."

On the ePolicy Orchestrator server, you can get the following ENS event information from strings_en.properties in the extension folder, for example %install dir%\server\extensions\installed\ENDP_AM_1000.
 
Event ID Event Information ENS Module
1024 Infected file found. Threat Prevention
1025 Infected file successfully Cleaned. Threat Prevention
1027 Infected file deleted. Threat Prevention
1037 Infected boot record found Threat Prevention
1051 Unable to scan password protected Threat Prevention
1059 Scan Timed Out Threat Prevention
1064 Service was started. Threat Prevention
1065 Service ended. Threat Prevention
1087 On-access Scan started Threat Prevention
1088 On-access scan stopped. Threat Prevention
1091 JavaScript or VBScript security violation detected and blocked Threat Prevention
1092 Access Protection rule violation detected and blocked Threat Prevention
1095 Access Protection rule violation detected and NOT blocked Threat Prevention
1096 event_name_1096=Port blocking rule violation detected and NOT blocked
event_desc_1096=Port blocking rule violation detected and NOT blocked
Threat Prevention
1102 event_name_1102=Multiple extension heuristic detection - moved
event_desc_1102=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1103 event_name_1103=Prescan needed
event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1104 event_name_1104=Multiple extension heuristic detection - delete on reboot
event_desc_1104=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1106 event_name_1106=Multiple extension heuristic detection - message deleted
event_desc_1106=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1118 The update was successful Common
1119 The update failed; see event log Common
1120 The update is running Common
1121 The update was cancelled Common
1202 event_name_1202=On-Demand Scan started
event_desc_1202=On-Demand Scan started
Threat Prevention
1203 event_name_1203=On-Demand Scan complete
event_desc_1203=On-Demand Scan complete. Viruses Found %NUMVIRS%, Cleaned %NUMCLEANED%, Deleted %NUMDELETED%, Quarantined %NUMQUARANTINED%.Scan version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1278 file infected. No cleaner available, file deleted successfully Threat Prevention
1280 file infected. Undetermined clean error, deleted successfully Threat Prevention
1282 file infected. No cleaner available, delete failed Threat Prevention
1284 file infected. Undetermined clean error, delete failed Threat Prevention
1290 file infected. No cleaner available, OAS denied access and continued Threat Prevention
1292 file infected. Undetermined clean error, OAS denied access and continued Threat Prevention
1300 file infected. Delete failed, denied access and continued (OAS) Threat Prevention
1301 event_name_1301=Multiple extension heuristic detection - clean error, quarantined successfully
event_desc_1301=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1302 event_name_1302=Multiple extension heuristic detection - move failed, clean error
event_desc_1302=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1303 event_name_1303=Multiple extension heuristic detection - clean error, deleted successfully
event_desc_1303=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1304 event_name_1304=Multiple extension heuristic detection - clean error, delete failed
event_desc_1304=The file %FILENAME% detected with multiple extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1305 event_name_1305=Multiple extension heuristic detection - clean error, denied access and continued
event_desc_1305=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1306 event_name_1306=Multiple extension heuristic detection - move failed, deleted successfully
event_desc_1306=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1307 event_name_1307=Multiple extension heuristic detection - move failed, delete failed
event_desc_1307=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1308 event_name_1308=Multiple extension heuristic detection - move failed, denied access and continued
event_desc_1308=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1309 event_name_1309=Multiple extension heuristic detection - delete failed, quarantined successfully
event_desc_1309=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1310 event_name_1310=Multiple extension heuristic detection - delete failed, quarantine failed
event_desc_1310=The file %FILENAME% detected with multiple extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1311 event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued
event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1312 event_name_1312=Move failed, delete failed, file will be deleted on reboot
event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1313 event_name_1313=Multiple extension heuristic detection - move failed, delete failed, file will be deleted on reboot
event_desc_1313=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1314 event_name_1314=Encrypted file - clean error, delete on reboot
event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1315 event_name_1315=Heuristic detection - clean error, delete on reboot
event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1316 event_name_1316=Multiple extension heuristic detection - clean error, delete on reboot
event_desc_1316=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1317 event_name_1317=No cleaner available - clean error, delete on reboot
event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1318 event_name_1318=Undetermined - clean error, delete on reboot
event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1319 event_name_1319=Undetermined - clean error, message deleted
event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1320 event_name_1320=Encrypted - clean error, message deleted
event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1321 event_name_1321=Heuristic detection - clean error, message deleted
event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1322 event_name_1322=Multiple extension heuristic detection - clean error, message deleted
event_desc_1322=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1323 event_name_1323=Clean error, message deleted
event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1324 event_name_1324=Move failed, message deleted
event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1325 event_name_1325=Multiple extension heuristic detection - move failed, message deleted
event_desc_1325=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1326 event_name_1326=Clean error, message deleted
event_desc_1326=Clean error, message deleted
Threat Prevention
1327 event_name_1327=Move failed, message deleted
event_desc_1327=Move failed, message deleted
Threat Prevention
1328 event_name_1328=Move failed, message delete (multiple extensions)
event_desc_1328=Move failed, message delete (multiple extensions)
Threat Prevention
1400 event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
Threat Prevention
1401 event_name_1401=Clean failed (user defined detection), no Action Taken
event_desc_1401=Clean failed (user defined detection), no Action Taken
Threat Prevention
1402 event_name_1402=Clean failed (user defined detection), Move failed
event_desc_1402=Clean failed (user defined detection), Move failed
Threat Prevention
1403 event_name_1403=Moved (user defined detection), Clean failed
event_desc_1403=Moved (user defined detection), Clean failed
Threat Prevention
1404 event_name_1404=Clean failed (user defined detection), Delete failed
event_desc_1404=Clean failed (user defined detection), Delete failed
Threat Prevention
1405 event_name_1405=Deleted (user defined detection), Clean failed
event_desc_1405=Deleted (user defined detection), Clean failed
Threat Prevention
1406 event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
Threat Prevention
1407 event_name_1407=Move failed(user defined detection), Delete failed
event_desc_1407=Move failed(user defined detection), Delete failed
Threat Prevention
1408 event_name_1408=Deleted (user defined detection), Move failed
event_desc_1408=Deleted (user defined detection), Move failed
Threat Prevention
1409 event_name_1409=Move failed(user defined detection), no Action Taken
event_desc_1409=Move failed(user defined detection), no Action Taken
Threat Prevention
1410 event_name_1410=Deleted (user defined detection)
event_desc_1410=Deleted (user defined detection)
Threat Prevention
1411 event_name_1411=Delete failed (user defined detection), Move failed
event_desc_1411=Delete failed (user defined detection), Move failed
Threat Prevention
1412 event_name_1412=Moved (user defined detection), Delete failed
event_desc_1412=Moved (user defined detection), Delete failed
Threat Prevention
1413 event_name_1413=Delete failed (user defined detection), no Action Taken
event_desc_1413=Delete failed (user defined detection), no Action Taken
Threat Prevention
1414 event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1415 event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot
event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1416 event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1417 event_name_1417=Email message deleted (user defined detection)
event_desc_1417=Email message deleted (user defined detection)
Threat Prevention
1418 event_name_1418=Email message deleted (user defined detection), Clean failed
event_desc_1418=Email message deleted (user defined detection), Clean failed
Threat Prevention
1419 event_name_1419=Email message deleted (user defined detection), Move failed
event_desc_1419=Email message deleted (user defined detection), Move failed
Threat Prevention
1420 event_name_1420=Email message deleted (user defined detection), Delete failed
event_desc_1420=Email message deleted (user defined detection), Delete failed
Threat Prevention
1421 event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
Threat Prevention
1422 event_name_1422=Clean failed for heuristic detection, delete pending
event_desc_1422=Clean failed for heuristic detection, delete pending
Threat Prevention
1423 event_name_1423=Clean error (undetermined error), delete pending
event_desc_1423=Clean error (undetermined error), delete pending
Threat Prevention
1424 event_name_1424=Clean failed for encrypted file, delete pending
event_desc_1424=Clean failed for encrypted file, delete pending
Threat Prevention
1425 event_name_1425=Clean error (multiple extension heuristic detection), delete pending
event_desc_1425=Clean error (multiple extension heuristic detection), delete pending
Threat Prevention
1426 event_name_1426=Move failed, delete pending
event_desc_1426=Move failed, delete pending
Threat Prevention
1427 event_name_1427=Move failed (multiple extension heuristic detection), delete pending
event_desc_1427=Move failed (multiple extension heuristic detection), delete pending
Threat Prevention
1428 event_name_1428=Delete pending, a file still exists
event_desc_1428=Delete pending, a file still exists
Threat Prevention
1429 event_name_1429=Delete pending (multiple extension heuristic detection)
event_desc_1429=Delete pending (multiple extension heuristic detection)
Threat Prevention
1430 event_name_1430=User-defined detection, delete pending
event_desc_1430=User-defined detection, delete pending
Threat Prevention
1431 event_name_1431=User-defined detection, move failed, delete pending
event_desc_1431=User-defined detection, move failed, delete pending
Threat Prevention
18051 event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
Threat Prevention
18052 event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
Threat Prevention
18053 event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
Threat Prevention
18054 event_name_18054=An exploit was attempted and blocked
event_desc_18054=An exploit was attempted and blocked
Threat Prevention
18055 event_name_18055=A suspicious call was detected and blocked
event_desc_18055=A suspicious call was detected and blocked
Threat Prevention
18056 event_name_18056=Buffer Overflow detected and blocked (DEP)
event_desc_18056=Buffer Overflow detected and blocked (DEP)
Threat Prevention
18057 event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
Threat Prevention
18058 event_name_18058=Access Protection rule violation detected
event_desc_18058=Access Protection rule violation detected
Threat Prevention
18059 event_name_18059=Network intrusion detected and handled
event_desc_18059=Network intrusion detected and handled
Threat Prevention
18060 event_name_18060=Exploit Prevention Files/Process/Registry violation detected
event_desc_18060=Exploit Prevention Files/Process/Registry violation detected
Threat Prevention
18600 event_name_18600=Browser navigation
event_desc_18600=Browser navigation
Web Protection
18601 event_name_18601=Browser file download
event_desc_18601=Browser file download
Web Protection
34852 event_name_34852=On-Demand Scan Paused
event_desc_34852=On-Demand Scan Paused
Threat Prevention
34853 event_name_34853=On-Demand Scan Auto-Paused
event_desc_34853=On-Demand Scan Auto-Paused
Threat Prevention
34854 event_name_34854=On-Demand Scan Resumed
event_desc_34854=On-Demand Scan Resumed
Threat Prevention
34855 event_name_34855=On-Demand Scan Canceled or Stopped
event_desc_34855=On-Demand Scan Canceled or Stopped
Threat Prevention
34865 event_name_34865=DLL Injection Event
event_desc_34865=DLL Injection Event
Common
34900 event_name_34900=On-Demand Scan Deferred
event_desc_34900=On-Demand Scan Deferred
Threat Prevention
34910 event_name_34910=Quarantined Item Restored
event_desc_34910=Quarantined Item Restored
Threat Prevention
34920 event_name_34920=Roll back successful
event_desc_34920=Roll back successful
Threat Prevention
34921 event_name_34921=Roll back failed
event_desc_34921=Roll back failed
Threat Prevention
34922 event_name_34922=Roll back did not occur
event_desc_34922=Roll back did not occur
Threat Prevention
34923 event_name_34923=The item was corrupt
event_desc_34923=The item was corrupt
Threat Prevention
34924 event_name_34924=The object was not scanned due to a sharing violation
event_desc_34924=The object was not scanned due to a sharing violation
Threat Prevention
34925 event_name_34925=The object was not scanned because the scanner does not have enough rights to read it
event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it
Threat Prevention
34926 event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan.
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan.
Threat Prevention
34928 event_name_34928=Threat Prevention False Positive Mitigation
event_desc_34928=Threat Prevention False Positive Mitigation
Threat Prevention
34935 event_name_34935=Script security violation detected and blocked by AMSI
event_desc_34935=Script security violation detected and blocked by AMSI
Threat Prevention
34936 event_name_34936=Script security violation detected and deleted by AMSI
event_desc_34936=Script security violation detected and deleted by AMSI
Threat Prevention
34937 event_name_34937=Script security violation detected, AMSI would block
event_desc_34937=Script security violation detected, AMSI would block
Threat Prevention
34938 event_name_34938=Script security violation detected, AMSI would delete
event_desc_34938=Script security violation detected, AMSI would delete
Threat Prevention
35000 event_name_35000=Traffic allowed by Firewall
event_desc_35000=Traffic allowed by Firewall
Firewall
35001 event_name_35001=Firewall intrusion detected and handled
event_desc_35001=Firewall intrusion detected and handled
Firewall
35002 event_name_35002=Traffic blocked by Firewall
event_desc_35002=Traffic blocked by Firewall
Firewall
35003 event_name_35003=Firewall added adaptive rule
event_desc_35003=Firewall added adaptive rule
Firewall
35009 event_name_35009=Firewall is disabled from Mctray
event_desc_35009=Firewall is disabled from Mctray
Firewall
35010 event_name_35010=Firewall timed groups are enabled from McTray
event_desc_35010=Firewall timed groups are enabled from McTray
Firewall
35011 event_name_35011=Firewall policy was corrupt and has been repaired
event_desc_35011=Firewall policy was corrupt and has been repaired
Firewall
35012 event_name_35012=Firewall policy has been replaced with a new copy
event_desc_35012=Firewall policy has been replaced with a new copy
Firewall
35100 event_name_35100=Adaptive Threat Protection Access Protection Violation
event_desc_35100=Adaptive Threat Protection Access Protection Violation
Threat Intelligence Exchange / ATP
35102 event_name_35102=Adaptive Threat Protection Would Block
event_desc_35102=Adaptive Threat Protection Would Block
Threat Intelligence Exchange / ATP
35103 event_name_35103=Adaptive Threat Protection Would Allow
event_desc_35103=Adaptive Threat Protection Would Allow
Threat Intelligence Exchange / ATP
35104 event_name_35104=Adaptive Threat Protection Block
event_desc_35104=Adaptive Threat Protection Block
Threat Intelligence Exchange / ATP
35105 event_name_35105=Adaptive Threat Protection Allow
event_desc_35105=Adaptive Threat Protection Allow
Threat Intelligence Exchange / ATP
35106 event_name_35106=Adaptive Threat Protection Would Clean
event_desc_35106=Adaptive Threat Protection Would Clean
Threat Intelligence Exchange / ATP
35107 event_name_35107=Adaptive Threat Protection Clean
event_desc_35107=Adaptive Threat Protection Clean
Threat Intelligence Exchange / ATP
35111 event_name_35111=Threat Intelligence Would Contain
event_desc_35111=If Threat Intelligence module for Endpoint Security were enabled it would have contained this object.
Threat Intelligence Exchange / ATP
35112 event_name_35112=Threat Intelligence Contain
event_desc_35112=Threat Intelligence module for Endpoint Security contained this object either by reputation.
Threat Intelligence Exchange / ATP
35113 event_name_35113=Threat Intelligence Would Release
event_desc_35113=If Threat Intelligence module for Endpoint Security were enabled it would have released this object from containment.
Threat Intelligence Exchange / ATP
35114 event_name_35114=Threat Intelligence Release
event_desc_35114=Threat Intelligence module for Endpoint Security released this object from containment.
Threat Intelligence Exchange / ATP
37275 event_name_37275=Application contained
event_desc_37275=Application contained
Threat Intelligence Exchange / ATP
37276 event_name_37276=Application released from containment
event_desc_37276=Application released from containment
Threat Intelligence Exchange / ATP
37277 event_name_37277=Requester added to contained application
event_desc_37277=Requester added to contained application
Threat Intelligence Exchange / ATP
37278 event_name_37278=Requester removed from contained application
event_desc_37278=Requester removed from contained application
Threat Intelligence Exchange / ATP
37279 event_name_37279=Dynamic Application Containment violation blocked
event_desc_37279=Dynamic Application Containment violation blocked
Threat Intelligence Exchange / ATP
37280 event_name_37280=Dynamic Application Containment violation allowed
event_desc_37280=Dynamic Application Containment violation allowed
Threat Intelligence Exchange / ATP
