Technical Articles ID: KB85494
Last Modified: 2023-11-27 04:53:55 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Firewall 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x
Summary
Recent updates to this article:
November 27, 2023: Added note referring to the Event IDs index.
This article explains ENS event messages. ENS event messaging uses Natural Language Strings (NLSs). ENS logs threat data, including threat origin and duration before detection, in NLSs. You can access this information from the management consoles and from the Event Log in the ENS Client. NLSs are descriptive explanations that give context around threat events. Some events might need more explanation than is contained in the string of text in an event. If a specific event is missing from a table below, it's because we believe that it doesn't require further explanation. This article is amended as needed in response to requests from customers through our Technical Support team.
NOTE: Several event messages refer to article KB85494 for more information.
It's possible for a single event ID to exhibit different NLSs. Each event ID has a specific meaning, but details in the event shape the type of language used to express that event's details. For example, one instance of Event ID 1272 might contain all the expected information. So, an NLS is chosen that best describes all that information. Another instance of Event ID 1272 might be missing the process name. Instead of using a blank to represent the process name, which would be confusing, we use a different NLS. This NLS omits the process name but still explains the remaining known details.
Factors that influence an NLS message include the following:
Whether an Attack Vector is local or remote
Whether an event is for an on-access scan (OAS) or on-demand scan (ODS)
Action taken (Cleaned, Deleted, Delete Pending, Access Denied, Continue, None, Moved, Blocked, or Generic)
Presence or absence of errors (Repair Failed, DeleteOnReboot, FailedDeleteFile, BackupFailed, or FailedDeletePending)
Object type (whether the object is a boot sector)
Whether the process name is supplied
The following is a comparison of traditional and NLS event messaging for a detection that results in No Action being taken:
Traditional messaging syntax:
NLS messaging syntax:
" <domain>\<user> ran <process name>, which attempted to access <path>\<filename>. The <malware type> named <malware name> was detected and access to the file was denied."
Example NLS detection message:
"Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied."
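As an added example (not code from this article or from the ENS product), the following Python inverts the NLS templates into a parser: it compiles three OAS templates from the table below into regular expressions, extracts the fields from a rendered message such as the example above, and derives the attack vector (local vs remote) and the delete-pending file-lock condition from the tag suffix. The sample messages are constructed; only the templates and field names come from the article.

```python
import re

# NLS templates copied from the table in this article. A single-bar field
# (|TargetPath|) is a per-event value; a double-bar field (||ThreatType||) is a
# localized enumeration value. The resource-file escapes \" are literal quotes.
NLS_TEMPLATES = {
    "IDS_NATURAL_LANG_OAS_DETECTION_DEN": (
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected and access to the file was denied."
    ),
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DEN": (
        "|TargetPath|\\|TargetName| was accessed from the remote system "
        "|SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and "
        "access to the file was denied."
    ),
    "IDS_NATURAL_LANG_OAS_DETECTION_DLP": (
        '|TargetUserName| ran "|SourceProcessName|", which attempted to access '
        '"|TargetPath|\\|TargetName|". The threat ||ThreatType|| named '
        "|ThreatName| was detected but the file can't be deleted because it's "
        "locked. The file will be deleted when the file isn't locked. To "
        "identify the process locking the file, see KB85494."
    ),
}

# Matches |Field| and ||Field|| placeholders inside a template.
PLACEHOLDER = re.compile(r"\|\|?(\w+)\|\|?")


def template_to_regex(template):
    """Compile an NLS template into an anchored regex with one named group per field."""
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        field = m.group(1)
        if field == "TargetPath":
            # The path contains backslashes and is always followed by \|TargetName|,
            # so match greedily and let the final backslash split path from name.
            parts.append(r"(?P<TargetPath>.+)")
        elif field == "TargetName":
            parts.append(r"(?P<TargetName>[^\\]+?)")
        else:
            parts.append(r"(?P<%s>.+?)" % field)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")


COMPILED = {tag: template_to_regex(t) for tag, t in NLS_TEMPLATES.items()}


def parse_event(message):
    """Return (NLS tag, field dict) for a rendered message, or (None, {}) if unknown."""
    for tag, regex in COMPILED.items():
        m = regex.match(message)
        if m:
            return tag, m.groupdict()
    return None, {}


def triage(message):
    """Derive the attack vector and whether the KB85494 file-lock check applies."""
    tag, fields = parse_event(message)
    if tag is None:
        return {"known": False}
    suffix = tag.rsplit("_DETECTION_", 1)[1]  # e.g. "DEN", "R_DEN", "DLP"
    return {
        "known": True,
        "tag": tag,
        "vector": "remote" if suffix.startswith("R_") else "local",
        "delete_pending_locked": suffix.endswith("DLP"),
        "fields": fields,
    }


if __name__ == "__main__":
    # Constructed sample message in the format of the article's example.
    sample = (
        "Interweb\\jsmith ran notepad.exe, which attempted to access "
        "C:\\data\\temp\\eicar.com. The Test Virus named Eicar Test File was "
        "detected and access to the file was denied."
    )
    print(triage(sample))
```

Adding a template is a matter of pasting its string from the table under its tag; the tag suffix then drives the triage fields.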
The string "To identify the process locking the file, see KB85494" displays in some OAS event messages and refers customers to this KB article for more information. In this scenario, the product denies access to an infected file and tries to delete the file. But, it can't do so at the time of detection. The delete fails because a file-lock prevents Windows from deleting the file in response to our request. Windows holds the file deletion request in a delete-pending state. We continue to deny access to that file, which prevents any new handles from being opened. Windows completes the file deletion when all handles to the detected file are closed. If you would like to investigate what processes currently have this file-lock open, use the following tools.
Windows Task Manager
Open Task Manager while logged on as an Administrator by pressing Ctrl+Shift+Esc.
Click the Performance tab.
Click Resource Monitor.
Click the CPU tab.
In the section Associated Handles, search for the file name in question. A partial file name might suffice.
Wait for the search results.
Process Explorer
Run Process Explorer as an Administrator.
Click the Find menu, and select Find Handle or DLL.
Search for the file name in question.
Wait for the search results.
Take appropriate next steps when a process is identified. To assess the process behavior, evaluate it based on the following:
Whether the process must use the file in use
Whether the process is safe or trusted
Whether it's safe to close the process
Whether you must capture any data about this process to submit to Technical Support for investigation
The string "For information on how to respond to this event, see KB85494" displays in some Access Protection rule violation event messages and refers customers to this KB article for more information. In this scenario, an action is blocked in accordance with the definition of the rule that's described in the event message itself. These violations aren't false positives. It isn't possible for the Access Protection feature to return a false positive, because it matches on whether a behavior occurs rather than on virus definitions or signatures.
Determine whether the behavior is expected:
If expected, you must perform either of the actions below:
Accept or ignore the data.
Create an exclusion for the specified rule to exclude the process that's violating the rule. For more information, see the "Access Protection: Files, processes, and registry exclusions" section of the Endpoint Security 10.7.x Threat Prevention Product Guide.
If unexpected, investigate the behavior further because either of the following is true:
The behavior occurs because of malware that has infiltrated the process.
The behavior is normal and needs to be reclassified as expected behavior, in which case see the previous bullet for expected behavior.
If the events become too frequent, take action to avoid having the data fill your ePolicy Orchestrator (ePO) database. A full database can cause SQL Server to run out of disk space, cause network latency, or both.
Actions can include the following:
Purging events from the database
Freeing disk space
Configuring the agent to filter out (no longer send) the specific event
Deleting unprocessed events from the ePO Events folder
Deleting events from client systems that have yet to send to ePO the events that have accumulated
Currently there's little that can be done from the centralized administration point (ePO server) or its Agent Handlers, except to reconfigure the agents to filter out the event.
The following table lists the event IDs and NLSs that might accompany them.
NOTE: This table contains common events, actions, and their associated NLSs. It correlates event IDs, by feature, with the NLSs that might be used for the event depending on the natural string selection criteria. The NLS tag, shown in the last column, is further explained in the following tables. To jump to that specific entry in the tables below, click the hyperlink.
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
"Attempted to access |TargetPath|\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_BLO
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_OAS_DETECTION_ENC
"|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO
"|TargetUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner couldn't scan the file because it is corrupted."
IDS_NATURAL_LANG_OAS_DETECTION_DLP
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
"Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_NRP
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEL
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC
"|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN
"|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN
"|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR
"The scanner detected a threat but, due to an error, no additional information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO
"The scanner detected a threat while scanning |TargetName| but, due to an error, no additional information is available."
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4
"|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5
"|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6
"|SourceUserName| ran |SourceProcessName|, which accessed the process |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp| and was ||ThreatActionTaken||. For more information, check the Windows Event Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5
TAMPER
"Tampering has been detected with Exploit Prevention's monitoring of processes on this computer."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp|. For more information, check the Windows Event Viewer for record number |TargetName|. It wasn't blocked because Exploit Prevention was set to Report Only."
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was deleted."
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Due to an error, no additional information is available."
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. The boot sector was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_ENC
"|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file size exceeds the configured maximum file size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file is corrupt."
IDS_NATURAL_LANG_ODS_DETECTION_DLP
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName| but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scanner doesn't have access rights to it."
IDS_NATURAL_LANG_ODS_DETECTION_DLR
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR
"The on-demand scan detected a threat but, due to an error, no additional information is available."
IDS_ALERT_ACT_TAK_CONT
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
Strings from Dynamic Application Containment (DAC)
Event IDs
NLS
IDS_NATURAL_LANG_DESC_DAC_1
"The application |SourceFilePath|\|SourceProcessName| was contained at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2
"|RequesterDisplayName| requested to contain the application |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3
"The application |SourceFilePath|\|SourceProcessName| was released from containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4
"|RequesterDisplayName| requested to release the application |SourceFilePath|\|SourceProcessName|. However, the application is still contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed and the application was released from containment because Dynamic Application Containment was uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed because Dynamic Application Containment was uninstalled."
From ePO, the strings_en.properties file under %install dir%\server\extensions\installed\ENDP_AM_1000 (as an example) provides the following event information for ENS.
Event ID | Event Information | ENS Module
1024 | Infected file found. | Threat Prevention
1025 | Infected file successfully Cleaned. | Threat Prevention
1027 | Infected file deleted. | Threat Prevention
1037 | Infected boot record found | Threat Prevention
1051 | Unable to scan password protected | Threat Prevention
1059 | Scan Timed Out | Threat Prevention
1064 | Service was started. | Threat Prevention
1065 | Service ended. | Threat Prevention
1087 | On-access Scan started | Threat Prevention
1088 | On-access scan stopped. | Threat Prevention
1091 | JavaScript or VBScript security violation detected and blocked | Threat Prevention
1092 | Access Protection rule violation detected and blocked | Threat Prevention
1095 | Access Protection rule violation detected and NOT blocked | Threat Prevention
1096 | event_name_1096=Port blocking rule violation detected and NOT blocked; event_desc_1096=Port blocking rule violation detected and NOT blocked | Threat Prevention
1102 | event_name_1102=Multiple extension heuristic detection - moved; event_desc_1102=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1103 | event_name_1103=Prescan needed; event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1104 | event_name_1104=Multiple extension heuristic detection - delete on reboot; event_desc_1104=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1106 | event_name_1106=Multiple extension heuristic detection - message deleted; event_desc_1106=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1118 | The update was successful | Common
1119 | The update failed; see event log | Common
1120 | The update is running | Common
1121 | The update was cancelled | Common
1202 | event_name_1202=On-Demand Scan started; event_desc_1202=On-Demand Scan started |
 | file infected. No cleaner available, OAS denied access and continued | Threat Prevention
1292 | file infected. Undetermined clean error, OAS denied access and continued | Threat Prevention
1300 | file infected. Delete failed, denied access and continued (OAS) | Threat Prevention
1301 | event_name_1301=Multiple extension heuristic detection - clean error, quarantined successfully; event_desc_1301=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1302 | event_name_1302=Multiple extension heuristic detection - move failed, clean error; event_desc_1302=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1303 | event_name_1303=Multiple extension heuristic detection - clean error, deleted successfully; event_desc_1303=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1304 | event_name_1304=Multiple extension heuristic detection - clean error, delete failed; event_desc_1304=The file %FILENAME% detected with multiple extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1305 | event_name_1305=Multiple extension heuristic detection - clean error, denied access and continued; event_desc_1305=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1306 | event_name_1306=Multiple extension heuristic detection - move failed, deleted successfully; event_desc_1306=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1307 | event_name_1307=Multiple extension heuristic detection - move failed, delete failed; event_desc_1307=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1308 | event_name_1308=Multiple extension heuristic detection - move failed, denied access and continued; event_desc_1308=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1309 | event_name_1309=Multiple extension heuristic detection - delete failed, quarantined successfully; event_desc_1309=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1310 | event_name_1310=Multiple extension heuristic detection - delete failed, quarantine failed; event_desc_1310=The file %FILENAME% detected with multiple extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1311 | event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued; event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1312 | event_name_1312=Move failed, delete failed, file will be deleted on reboot; event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1313 | event_name_1313=Multiple extension heuristic detection - move failed, delete failed, file will be deleted on reboot; event_desc_1313=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1314 | event_name_1314=Encrypted file - clean error, delete on reboot; event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1315 | event_name_1315=Heuristic detection - clean error, delete on reboot; event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1316 | event_name_1316=Multiple extension heuristic detection - clean error, delete on reboot; event_desc_1316=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1317 | event_name_1317=No cleaner available - clean error, delete on reboot; event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1318 | event_name_1318=Undetermined - clean error, delete on reboot; event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1319 | event_name_1319=Undetermined - clean error, message deleted; event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1320 | event_name_1320=Encrypted - clean error, message deleted; event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1321 | event_name_1321=Heuristic detection - clean error, message deleted; event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1322 | event_name_1322=Multiple extension heuristic detection - clean error, message deleted; event_desc_1322=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1323 | event_name_1323=Clean error, message deleted; event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1324 | event_name_1324=Move failed, message deleted; event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
Threat Prevention
1325
event_name_1325=Multiple extension heuristic detection - move failed, message deleted
event_desc_1325=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1400
event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
Threat Prevention
1401
event_name_1401=Clean failed (user defined detection), no Action Taken
event_desc_1401=Clean failed (user defined detection), no Action Taken
Threat Prevention
1402
event_name_1402=Clean failed (user defined detection), Move failed
event_desc_1402=Clean failed (user defined detection), Move failed
Threat Prevention
1403
event_name_1403=Moved (user defined detection), Clean failed
event_desc_1403=Moved (user defined detection), Clean failed
Threat Prevention
1404
event_name_1404=Clean failed (user defined detection), Delete failed
event_desc_1404=Clean failed (user defined detection), Delete failed
Threat Prevention
1405
event_name_1405=Deleted (user defined detection), Clean failed
event_desc_1405=Deleted (user defined detection), Clean failed
Threat Prevention
1406
event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
Threat Prevention
1407
event_name_1407=Move failed(user defined detection), Delete failed
event_desc_1407=Move failed(user defined detection), Delete failed
Threat Prevention
1408
event_name_1408=Deleted (user defined detection), Move failed
event_desc_1408=Deleted (user defined detection), Move failed
Threat Prevention
1409
event_name_1409=Move failed(user defined detection), no Action Taken
event_desc_1409=Move failed(user defined detection), no Action Taken
Threat Prevention
1410
event_name_1410=Deleted (user defined detection)
event_desc_1410=Deleted (user defined detection)
Threat Prevention
1411
event_name_1411=Delete failed (user defined detection), Move failed
event_desc_1411=Delete failed (user defined detection), Move failed
Threat Prevention
1412
event_name_1412=Moved (user defined detection), Delete failed
event_desc_1412=Moved (user defined detection), Delete failed
Threat Prevention
1413
event_name_1413=Delete failed (user defined detection), no Action Taken
event_desc_1413=Delete failed (user defined detection), no Action Taken
Threat Prevention
1414
event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1415
event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot
event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1416
event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1417
event_name_1417=Email message deleted (user defined detection)
event_desc_1417=Email message deleted (user defined detection)
Threat Prevention
1418
event_name_1418=Email message deleted (user defined detection), Clean failed
event_desc_1418=Email message deleted (user defined detection), Clean failed
Threat Prevention
1419
event_name_1419=Email message deleted (user defined detection), Move failed
event_desc_1419=Email message deleted (user defined detection), Move failed
Threat Prevention
1420
event_name_1420=Email message deleted (user defined detection), Delete failed
event_desc_1420=Email message deleted (user defined detection), Delete failed
Threat Prevention
1421
event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
Threat Prevention
1422
event_name_1422=Clean failed for heuristic detection, delete pending
event_desc_1422=Clean failed for heuristic detection, delete pending
Threat Prevention
18051
event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
Threat Prevention
18052
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
Threat Prevention
18053
event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
Threat Prevention
18054
event_name_18054=An exploit was attempted and blocked
event_desc_18054=An exploit was attempted and blocked
Threat Prevention
18055
event_name_18055=A suspicious call was detected and blocked
event_desc_18055=A suspicious call was detected and blocked
Threat Prevention
18056
event_name_18056=Buffer Overflow detected and blocked (DEP)
event_desc_18056=Buffer Overflow detected and blocked (DEP)
Threat Prevention
18057
event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
Threat Prevention
34920
event_name_34920=Roll back successful
event_desc_34920=Roll back successful
Threat Prevention
34921
event_name_34921=Roll back failed
event_desc_34921=Roll back failed
Threat Prevention
34922
event_name_34922=Roll back did not occur
event_desc_34922=Roll back did not occur
Threat Prevention
34923
event_name_34923=The item was corrupt
event_desc_34923=The item was corrupt
Threat Prevention
34924
event_name_34924=The object was not scanned due to a sharing violation
event_desc_34924=The object was not scanned due to a sharing violation
Threat Prevention
34925
event_name_34925=The object was not scanned because the scanner does not have enough rights to read it
event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it
Threat Prevention
34926
event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
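The rows above record not just that something was detected but what ENS managed to do about it: clean, move, delete, defer deletion to the next reboot, or nothing ("no Action Taken", "delete failed, denied access and continued"). The 18051 to 18057 rows are Exploit Prevention blocks (the parenthetical names the mitigation that fired: SMEP, GBOP and GPEP, which are Generic Buffer Overflow Protection and Generic Privilege Escalation Protection, and DEP), 18057 is tampering with the protection itself, 34920 to 34922 report the outcome of a rollback, and 34923 to 34926 mean the object was never scanned. The script below is an added example, not Trellix code: it parses the event_name_<ID>= / event_desc_<ID>= rows in the form shown in this article, buckets each ID by outcome so the events where the object is still on disk can be pulled out first, and fills the %FIELD% placeholders of an event_desc template. The bucket names, the keyword rules and the NEEDS_FOLLOWUP set are this example's own choices, and the sample rows are copied from the table above.

```python
"""Triage ENS Threat Prevention event IDs by remediation outcome.

Added example for this article, not Trellix code. It parses the
event_name_<ID>= / event_desc_<ID>= rows shown above, buckets each ID by
what the string says happened to the object, and renders an event_desc
template for a given set of %FIELD% values.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied in the same key=value form as the table
# above (the real article lists many more IDs). Product and bare ID rows
# are included to show the parser ignoring them.
SAMPLE_EVENT_LINES = """\
Threat Prevention
1311
event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued
event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1312
event_name_1312=Move failed, delete failed, file will be deleted on reboot
event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
event_name_34921=Roll back failed
event_desc_34921=Roll back failed
event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
"""

LINE_RE = re.compile(r"^event_(name|desc)_(\d+)=(.*)$")
PLACEHOLDER_RE = re.compile(r"%([A-Z]+)%")

# Buckets an analyst should act on (this example's own choice): the object
# is still present, cleanup is deferred to reboot, the protection itself was
# tampered with, or a rollback did not complete.
NEEDS_FOLLOWUP = {"unremediated", "pending_reboot", "tamper", "rollback_incomplete"}


def parse_events(text):
    """Return {event_id: {"name": ..., "desc": ...}} from key=value rows."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # product and bare ID rows add nothing the key lacks
        kind, event_id, value = m.groups()
        events[int(event_id)][kind] = value
    return dict(events)


def classify(event_id, name):
    """Map one event to a triage bucket from its ID range and name text."""
    n = name.lower()
    if event_id == 18057:
        return "tamper"
    if 18051 <= event_id <= 18056:
        return "exploit_blocked"
    if 34920 <= event_id <= 34922:
        return "rollback_ok" if "successful" in n else "rollback_incomplete"
    if 34923 <= event_id <= 34926:
        return "not_scanned"
    # File and message detections (13xx/14xx). Order matters: a name such as
    # "Deleted (user defined detection), Clean failed" records a successful
    # delete after a failed clean, while "Deleted failed, ... on reboot" is
    # deferred, not done.
    if "on reboot" in n or "delete pending" in n:
        return "pending_reboot"
    if n.startswith(("deleted", "moved")) or "message deleted" in n:
        return "remediated"
    if "no action taken" in n or "failed" in n or "denied" in n:
        return "unremediated"
    return "unknown"


def classify_all(text):
    """Bucket every event ID found in the rows."""
    return {eid: classify(eid, ev.get("name", "")) for eid, ev in parse_events(text).items()}


def followup_ids(text):
    """Sorted event IDs whose bucket needs analyst follow-up."""
    return sorted(eid for eid, b in classify_all(text).items() if b in NEEDS_FOLLOWUP)


def render(desc, fields):
    """Fill %FIELD% tokens in an event_desc template.

    Returns (text, missing). Tokens with no value are left in place and
    listed: that is the situation in which ENS itself picks a different
    NLS rather than emitting a blank.
    """
    missing = []

    def sub(m):
        key = m.group(1)
        if key in fields:
            return str(fields[key])
        missing.append(key)
        return m.group(0)

    return PLACEHOLDER_RE.sub(sub, desc), missing


if __name__ == "__main__":
    for eid, bucket in sorted(classify_all(SAMPLE_EVENT_LINES).items()):
        print(f"{eid:>6}  {bucket:<20} {'FOLLOW UP' if bucket in NEEDS_FOLLOWUP else ''}")
    print("follow-up IDs:", followup_ids(SAMPLE_EVENT_LINES))
```

Feed it the full row list from this article and the same rules apply: anything in the "unremediated" or "pending_reboot" buckets means the detected object is still on the endpoint at the time the event was raised, which is the set a SOC queue should surface ahead of the "remediated" and "exploit_blocked" rows.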