Complete list of event IDs for Endpoint Security
Technical Articles ID: KB85494
Last Modified: 2022-07-11 11:11:50 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Firewall 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x
Summary
This article explains ENS event messages. ENS event messaging uses natural language strings (NLSs). ENS records threat data, including where the threat came from and how long it was present before detection, in NLSs. You can access this information from the management consoles and from the ENS client in the event log. NLSs provide descriptive explanations that give context around threat events. Some events may need more explanation than the text string of the event contains. If a specific event is not present in the table below, it is because we believe it needs no further explanation. This article is updated as needed in response to customer requests made through our Technical Support team.
NOTE: Several event messages refer to article KB85494 for more information.
A single event ID can expose different NLSs. Each event ID has a specific meaning, but the details of the event determine the wording used to express those details. For example, one instance of event ID 1272 might contain all the expected information, so the NLS that best describes all of it is chosen. In another instance of event ID 1272, the process name might be missing. Instead of using a blank to stand in for the process name, which could be confusing, we use a different NLS. That NLS omits the process name but still explains the other known details.
The factors that influence an NLS message are:
Whether the attack vector is local or remote
Whether the event comes from an on-access scan (OAS) or an on-demand scan (ODS)
Action taken (cleaned, deleted, delete pending, access denied, continue, none, moved, blocked, or generic)
Presence or absence of errors (repair failed, DeleteOnReboot, FailedDeleteFile, BackupFailed, or FailedDeletePending)
Object type (whether the object is a boot sector)
Whether the process name is supplied
Below is a comparison of legacy and NLS event messaging for a detection where access to the file was denied:
Legacy messaging syntax:
NLS messaging syntax:
" <domain>\<user> ran <process name>, which attempted to access <path>\<filename>. The <malware type> named <malware name> was detected and access to the file was denied."
Example NLS detection message:
"Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied."
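The selection rules above (local or remote vector, action taken, whether a process name is present) and the |Field| placeholder syntax used in the tables later in this article can be made concrete in code. The Python below is an added example written for this article, not Trellix code: the template text and field names are copied from the OAS table on this page, but the selection rules are an assumption reconstructed from the factors listed above, the two "UNMARKED_*" keys are hypothetical names for strings the page lists without a marker, and the sample events are constructed.

```python
import re

# Placeholder syntax from the page's tables: |Field| or ||Field||.
_PLACEHOLDER = re.compile(r"\|\|?(\w+)\|\|?")

# Templates copied from the page's OAS table; keys are the page's NLS markers.
# The two UNMARKED_* keys are hypothetical names given here to strings the page
# lists without a marker (the variants that omit the process name).
TEMPLATES = {
    "IDS_NATURAL_LANG_OAS_DETECTION_CLN": (
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected and cleaned."),
    "IDS_NATURAL_LANG_OAS_DETECTION_DEN": (
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was "
        "detected and access to the file was denied."),
    "IDS_NATURAL_LANG_OAS_DETECTION_NON": (
        "|TargetUserName| ran |SourceProcessName|, which attempted to access "
        "|TargetPath|\\|TargetName| and the ||ThreatType|| named |ThreatName| "
        "was detected."),
    "UNMARKED_OAS_NON_NO_PROCESS": (
        "Attempted to access |TargetPath|\\|TargetName| and the threat "
        "||ThreatType|| named |ThreatName| was detected."),
    "IDS_NATURAL_LANG_OAS_DETECTION_DLR": (
        "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access "
        "|TargetPath|\\|TargetName|. The threat ||ThreatType|| named |ThreatName| "
        "was detected and will be deleted on reboot."),
    "IDS_NATURAL_LANG_OAS_DETECTION_R_CLN": (
        "|TargetPath|\\|TargetName| was accessed from the remote system "
        "|SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and "
        "cleaned."),
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DEN": (
        "|TargetPath|\\|TargetName| was accessed from the remote system "
        "|SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and "
        "access to the file was denied."),
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DLR": (
        "The file |TargetPath|\\|TargetName| was accessed from remote system "
        "|SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected "
        "and will be deleted on reboot."),
}

# Action names from the page's list of factors, mapped to marker suffixes.
ACTION_SUFFIX = {"cleaned": "CLN", "denied": "DEN", "none": "NON"}


def select_marker(event):
    """Pick an NLS marker from the factors the page lists (assumed rules)."""
    remote = bool(event.get("SourceIPV4"))          # remote vector -> R_ family
    has_process = bool(event.get("SourceProcessName"))
    prefix = "IDS_NATURAL_LANG_OAS_DETECTION_" + ("R_" if remote else "")
    if event.get("Error") == "DeleteOnReboot":      # error state wins over action
        return prefix + "DLR"
    suffix = ACTION_SUFFIX[event.get("ThreatActionTaken", "none")]
    if not remote and not has_process:
        # A blank process name would be confusing, so a variant that omits it
        # is used; the page shows such a variant only for the "no action" case.
        if suffix == "NON":
            return "UNMARKED_OAS_NON_NO_PROCESS"
        raise LookupError("no process-less template on the page for " + suffix)
    return prefix + suffix


def render(event):
    """Return (marker, text) with every |Field| / ||Field|| expanded."""
    marker = select_marker(event)

    def substitute(match):
        field = match.group(1)
        if field not in event:
            raise KeyError(f"{marker} needs field {field}")
        return str(event[field])

    return marker, _PLACEHOLDER.sub(substitute, TEMPLATES[marker])


# Constructed sample events (not real telemetry); the first reproduces the
# example message shown on the page.
LOCAL_DENY = {
    "TargetUserName": "Interweb\\jsmith", "SourceProcessName": "notepad.exe",
    "TargetPath": "C:\\data\\temp", "TargetName": "eicar.com",
    "ThreatType": "Test Virus", "ThreatName": "Eicar Test File",
    "ThreatActionTaken": "denied",
}
REMOTE_CLEAN = {
    "TargetPath": "C:\\share", "TargetName": "eicar.com",
    "SourceIPV4": "192.0.2.10",
    "ThreatType": "Test Virus", "ThreatName": "Eicar Test File",
    "ThreatActionTaken": "cleaned",
}
NO_PROCESS = {
    "TargetPath": "C:\\data\\temp", "TargetName": "eicar.com",
    "ThreatType": "Test Virus", "ThreatName": "Eicar Test File",
    "ThreatActionTaken": "none",
}

if __name__ == "__main__":
    for ev in (LOCAL_DENY, REMOTE_CLEAN, NO_PROCESS):
        marker, text = render(ev)
        print(marker)
        print("  " + text)
```

Running the block prints the marker chosen for each sample followed by the rendered sentence; the first sample reproduces the example message above word for word, which is a quick way to confirm that a parser or SIEM rule built around these strings matches what the product emits.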
The string "To identify the process locking the file, see KB85494" appears in some OAS event messages and refers customers to this KB article for more information. In this case, the product denies access to an infected file and attempts to delete it, but cannot do so at the time of detection. The deletion fails because a file lock prevents Windows from deleting the file in response to our request. Windows holds the file deletion request in a delete-pending state. We continue to deny access to the file, which prevents new handles from being opened. Windows completes the deletion once all handles to the detected file are closed. To find the processes that currently hold the file locked, use the following tools.
Windows Task Manager
Open Task Manager: while logged on as an administrator, press Ctrl+Shift+Esc.
Click the Performance tab.
Click Resource Monitor.
Click the CPU tab.
In the Associated Handles section, search for the name of the file in question. A partial file name may be enough.
Wait for the search results.
Process Explorer
Run Process Explorer as an administrator.
Click the Find menu, then select Find Handle or DLL.
Search for the name of the file in question.
Wait for the search results.
When a process is identified, take the appropriate next steps. To evaluate the process's behavior, assess it against the following:
Whether the process should be using the file in question
Whether the process is safe or trusted
Whether you can safely close the process
Whether you need to capture data about this process to submit to Technical Support for investigation
The string "For information on how to respond to this event, see KB85494" appears in some Access Protection rule violation event messages and refers customers to this KB article for more information. In this case, an action is blocked based on the rule definition described in the event message itself. These violations are not false positives. The Access Protection feature cannot return a false positive, because it matches on the existence of a behavior rather than using virus definitions or signatures.
Determine whether the behavior is expected:
If it is expected, do one of the following:
Accept or ignore the data.
Create an exclusion for the specified rule to exclude the process that violates the rule. For more information, see the "Access Protection: file, process, and registry exclusions" section of the Endpoint Security Threat Prevention 10.7.x Product Guide.
If it is unusual, investigate further, because one of the following is true:
The problem is caused by malware that has infiltrated the process.
The behavior is normal and should be reclassified as expected behavior, in which case see the previous bullet for expected behavior.
If events become too frequent, take action to prevent the data from filling your ePolicy Orchestrator (ePO) database. A full database can exhaust the available disk space on the SQL Server, cause network latency, or both.
Actions can include:
Purging events from the database
Freeing up disk space
Configuring the agent to filter the specific event (so it is no longer sent)
Deleting unprocessed events from the ePO Events folder
Deleting accumulated events on client systems that have not yet been sent to ePO
There is currently little that can be done from the central administration point (the ePO server) or its Agent Handlers, other than reconfiguring the agents to filter the event.
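Before reconfiguring agents to filter an event, it helps to know which host and event ID pairs are actually flooding. The Python below is an added example, not part of this article or of ePO: it runs a sliding-window count over a constructed list of received events (the event IDs 1092 and 1024 are from the table later on this page; the hosts, timestamps and the threshold are made up) and reports the pairs whose peak hourly rate exceeds the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of events as ePO would receive them:
# (received_at, host, event_id). Hosts and timestamps are made up.
BASE = datetime(2022, 7, 11, 11, 0, 0)
SAMPLE_EVENTS = (
    # 120 Access Protection violations (1092) from WS-01 in ten minutes: a flood
    [(BASE + timedelta(seconds=5 * i), "WS-01", 1092) for i in range(120)]
    # the same event ID from WS-02 at a normal rate
    + [(BASE + timedelta(minutes=15 * i), "WS-02", 1092) for i in range(5)]
    # a handful of "infected file found" (1024) detections from WS-02
    + [(BASE + timedelta(minutes=20 * i), "WS-02", 1024) for i in range(3)]
)


def find_noisy_event_ids(events, threshold, window=timedelta(hours=1)):
    """Return {(host, event_id): peak} for every host/event-ID pair whose
    count inside some sliding window of the given length exceeds threshold.
    Those pairs are the candidates for agent-side event filtering."""
    stamps_by_key = defaultdict(list)
    for received_at, host, event_id in events:
        stamps_by_key[(host, event_id)].append(received_at)

    noisy = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it is within `window` of ts
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            noisy[key] = peak
    return noisy


if __name__ == "__main__":
    for (host, event_id), peak in find_noisy_event_ids(SAMPLE_EVENTS, 100).items():
        print(f"{host}: event {event_id} peaked at {peak} in one hour; consider filtering it")
```

The threshold is deliberately a parameter: a count that is noise for an Access Protection rule violation on a build server may be a real incident for a detection event, so decide per event ID rather than globally.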
The following table lists the event IDs and the NLSs that can accompany them.
NOTE: This table contains the common events, actions, and associated NLSs. It provides a correlation between event IDs by feature and the possible selection of NLSs that can be used for the event, based on the natural-string selection criteria. The NLS marker, shown in the last column, is explained further in the following tables. To go directly to a specific entry in the tables below, click the hyperlink.
On-access scan (OAS) detection strings (NLS marker, then the NLS string)
(NLS marker not present on the page)
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
(NLS marker not present on the page)
    "Attempted to access |TargetPath|\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_BLO
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC
    "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_OAS_DETECTION_ENC
    "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO
    "|TargetUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner couldn't scan the file because it is corrupted."
IDS_NATURAL_LANG_OAS_DETECTION_DLP
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
(NLS marker not present on the page)
    "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_NRP
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM
    "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2
    "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE
    "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEL
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC
    "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO
    "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP
    "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP
    "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR
    "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE
    "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE
    "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN
    "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN
    "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR
    "The scanner detected a threat but, due to an error, no additional information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO
    "The scanner detected a threat while scanning |TargetName| but, due to an error, no additional information is available."
Access Protection (APSP) rule violation strings (NLS marker, then the NLS string)
(NLS marker not present on the page)
    "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2
    "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3
    "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4
    "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5
    "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6
    "|SourceUserName| ran |SourceProcessName|, which accessed the process |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
Exploit Prevention (BOP) strings (NLS marker and the case it covers, then the NLS string)
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1 (all but SMEP and TAMPER; no API name or caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2 (all but SMEP and TAMPER; with API name)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4 (all but SMEP and TAMPER; with a caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3 (SMEP)
    "|ThreatName| attempted an exploit at |ThreatTimestamp| and was ||ThreatActionTaken||. For more information, check the Windows Event Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5 (TAMPER)
    "Tampering has been detected with Exploit Prevention's monitoring of processes on this computer."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N (all but SMEP and TAMPER; no API name or caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N (all but SMEP and TAMPER; with API name)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N (all but SMEP and TAMPER; with a caller module)
    "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N (SMEP)
    "|ThreatName| attempted an exploit at |ThreatTimestamp|. For more information, check the Windows Event Viewer for record number |TargetName|. It wasn't blocked because Exploit Prevention was set to Report Only."
On-demand scan (ODS) detection strings (NLS marker, then the NLS string)
(NLS marker not present on the page)
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was deleted."
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Due to an error, no additional information is available."
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. The boot sector was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_ENC
    "|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file size exceeds the configured maximum file size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file is corrupt."
IDS_NATURAL_LANG_ODS_DETECTION_DLP
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName| but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM
    "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scanner doesn't have access rights to it."
IDS_NATURAL_LANG_ODS_DETECTION_DLR
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE
    "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR
    "The on-demand scan detected a threat but, due to an error, no additional information is available."
IDS_ALERT_ACT_TAK_CONT
    "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
Dynamic Application Containment (DAC) strings (event ID, then the NLS string)
IDS_NATURAL_LANG_DESC_DAC_1
    "The application |SourceFilePath|\|SourceProcessName| was contained at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2
    "|RequesterDisplayName| requested to contain the application |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3
    "The application |SourceFilePath|\|SourceProcessName| was released from containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4
    "|RequesterDisplayName| requested to release the application |SourceFilePath|\|SourceProcessName|. However, the application is still contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5
    "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6
    "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7
    "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed and the application was released from containment because Dynamic Application Containment was uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8
    "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed because Dynamic Application Containment was uninstalled."
From the ePO folder %install dir%\server\extensions\installed\ENDP_AM_1000 (for example), you can obtain the following ENS event information from strings_en.properties.
ID d'événement
Informations sur l'événement
Module ENS
1024
Infected file found.
Threat Prevention
1025
Infected file successfully Cleaned.
Threat Prevention
1027
Infected file deleted.
Threat Prevention
1037
Infected boot record found
Threat Prevention
1051
Unable to scan password protected
Threat Prevention
1059
Scan Timed Out
Threat Prevention
1064
Service was started.
Threat Prevention
1065
Service ended.
Threat Prevention
1087
On-access Scan started
Threat Prevention
1088
On-access scan stopped.
Threat Prevention
1091
JavaScript or VBScript security violation detected and blocked
Threat Prevention
1092
Access Protection rule violation detected and blocked
Threat Prevention
1095
Access Protection rule violation detected and NOT blocked
Threat Prevention
1096
event_name_1096=Port blocking rule violation detected and NOT blocked
event_desc_1096=Port blocking rule violation detected and NOT blocked
Threat Prevention
1102
event_name_1102=Multipl'extension heuristic detection - moved
event_desc_1102=The file %FILENAME% detected with multipl'extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1103
event_name_1103=Prescan needed
event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1104
event_name_1104=Multipl'extension heuristic detection - delete on reboot
event_desc_1104=The file %FILENAME% detected with multipl'extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1106
event_name_1106=Multipl'extension heuristic detection - message deleted
event_desc_1106=The message %FILENAME% detected with multipl'extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1118
The update was successful
Common
1119
The update failed; see event log
Common
1120
The update is running
Common
1121
The update was cancelled
Common
1202
event_name_1202=On-Demand Scan started
event_desc_1202=On-Demand Scan started
file infected. No cleaner available, OAS denied access and continued
Threat Prevention
1292
file infected. Undetermined clean error, OAS denied access and continued
Threat Prevention
1300
file infected. Delete failed, denied access and continued (OAS)
Threat Prevention
1301
event_name_1301=Multipl'extension heuristic detection - clean error, quarantined successfully
event_desc_1301=The file %FILENAME% detected with multipl'extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1302
event_name_1302=Multipl'extension heuristic detection - move failed, clean error
event_desc_1302=The file %FILENAME% detected with multipl'extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1303
event_name_1303=Multipl'extension heuristic detection - clean error, deleted successfully
event_desc_1303=The file %FILENAME% detected with multipl'extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1304
event_name_1304=Multipl'extension heuristic detection - clean error, delete failed
event_desc_1304=The file %FILENAME% detected with multiple-extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1305
event_name_1305=Multiple-extension heuristic detection - clean error, denied access and continued
event_desc_1305=The file %FILENAME% detected with multiple-extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1306
event_name_1306=Multiple-extension heuristic detection - move failed, deleted successfully
event_desc_1306=The file %FILENAME% detected with multiple-extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1307
event_name_1307=Multiple-extension heuristic detection - move failed, delete failed
event_desc_1307=The file %FILENAME% detected with multiple-extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1308
event_name_1308=Multiple-extension heuristic detection - move failed, denied access and continued
event_desc_1308=The file %FILENAME% detected with multiple-extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1309
event_name_1309=Multiple-extension heuristic detection - delete failed, quarantined successfully
event_desc_1309=The file %FILENAME% detected with multiple-extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1310
event_name_1310=Multiple-extension heuristic detection - delete failed, quarantine failed
event_desc_1310=The file %FILENAME% detected with multiple-extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1311
event_name_1311=Multiple-extension heuristic detection - delete failed, denied access and continued
event_desc_1311=The file %FILENAME% detected with multiple-extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1312
event_name_1312=Move failed, delete failed, file will be deleted on reboot
event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1313
event_name_1313=Multiple-extension heuristic detection - move failed, delete failed, file will be deleted on reboot
event_desc_1313=The file %FILENAME% detected with multiple-extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1314
event_name_1314=Encrypted file - clean error, delete on reboot
event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1315
event_name_1315=Heuristic detection - clean error, delete on reboot
event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1316
event_name_1316=Multiple-extension heuristic detection - clean error, delete on reboot
event_desc_1316=The file %FILENAME% detected with multiple-extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1317
event_name_1317=No cleaner available - clean error, delete on reboot
event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1318
event_name_1318=Undetermined - clean error, delete on reboot
event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1319
event_name_1319=Undetermined - clean error, message deleted
event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1320
event_name_1320=Encrypted - clean error, message deleted
event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1321
event_name_1321=Heuristic detection - clean error, message deleted
event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1322
event_name_1322=Multiple-extension heuristic detection - clean error, message deleted
event_desc_1322=The message %FILENAME% detected with multiple-extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1323
event_name_1323=Clean error, message deleted
event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1324
event_name_1324=Move failed, message deleted
event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1325
event_name_1325=Multiple-extension heuristic detection - move failed, message deleted
event_desc_1325=The message %FILENAME% detected with multiple-extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1400
event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
Threat Prevention
1401
event_name_1401=Clean failed (user defined detection), no Action Taken
event_desc_1401=Clean failed (user defined detection), no Action Taken
Threat Prevention
1402
event_name_1402=Clean failed (user defined detection), Move failed
event_desc_1402=Clean failed (user defined detection), Move failed
Threat Prevention
1403
event_name_1403=Moved (user defined detection), Clean failed
event_desc_1403=Moved (user defined detection), Clean failed
Threat Prevention
1404
event_name_1404=Clean failed (user defined detection), Delete failed
event_desc_1404=Clean failed (user defined detection), Delete failed
Threat Prevention
1405
event_name_1405=Deleted (user defined detection), Clean failed
event_desc_1405=Deleted (user defined detection), Clean failed
Threat Prevention
1406
event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
Threat Prevention
1407
event_name_1407=Move failed(user defined detection), Delete failed
event_desc_1407=Move failed(user defined detection), Delete failed
Threat Prevention
1408
event_name_1408=Deleted (user defined detection), Move failed
event_desc_1408=Deleted (user defined detection), Move failed
Threat Prevention
1409
event_name_1409=Move failed(user defined detection), no Action Taken
event_desc_1409=Move failed(user defined detection), no Action Taken
Threat Prevention
1410
event_name_1410=Deleted (user defined detection)
event_desc_1410=Deleted (user defined detection)
Threat Prevention
1411
event_name_1411=Delete failed (user defined detection), Move failed
event_desc_1411=Delete failed (user defined detection), Move failed
Threat Prevention
1412
event_name_1412=Moved (user defined detection), Delete failed
event_desc_1412=Moved (user defined detection), Delete failed
Threat Prevention
1413
event_name_1413=Delete failed (user defined detection), no Action Taken
event_desc_1413=Delete failed (user defined detection), no Action Taken
Threat Prevention
1414
event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1415
event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot
event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1416
event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1417
event_name_1417=Email message deleted (user defined detection)
event_desc_1417=Email message deleted (user defined detection)
Threat Prevention
1418
event_name_1418=Email message deleted (user defined detection), Clean failed
event_desc_1418=Email message deleted (user defined detection), Clean failed
Threat Prevention
1419
event_name_1419=Email message deleted (user defined detection), Move failed
event_desc_1419=Email message deleted (user defined detection), Move failed
Threat Prevention
1420
event_name_1420=Email message deleted (user defined detection), Delete failed
event_desc_1420=Email message deleted (user defined detection), Delete failed
Threat Prevention
1421
event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
Threat Prevention
1422
event_name_1422=Clean failed for heuristic detection, delete pending
event_desc_1422=Clean failed for heuristic detection, delete pending
Threat Prevention
18051
event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
Threat Prevention
18052
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
Threat Prevention
18053
event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
Threat Prevention
18054
event_name_18054=An exploit was attempted and blocked
event_desc_18054=An exploit was attempted and blocked
Threat Prevention
18055
event_name_18055=A suspicious call was detected and blocked
event_desc_18055=A suspicious call was detected and blocked
Threat Prevention
18056
event_name_18056=Buffer Overflow detected and blocked (DEP)
event_desc_18056=Buffer Overflow detected and blocked (DEP)
Threat Prevention
18057
event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
Threat Prevention
34920
event_name_34920=Roll back successful
event_desc_34920=Roll back successful
Threat Prevention
34921
event_name_34921=Roll back failed
event_desc_34921=Roll back failed
Threat Prevention
34922
event_name_34922=Roll back did not occur
event_desc_34922=Roll back did not occur
Threat Prevention
34923
event_name_34923=The item was corrupt
event_desc_34923=The item was corrupt
Threat Prevention
34924
event_name_34924=The object was not scanned due to a sharing violation
event_desc_34924=The object was not scanned due to a sharing violation
Threat Prevention
34925
event_name_34925=The object was not scanned because the scanner does not have enough rights to read it
event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it
Threat Prevention
34926
event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
The content of this article was originally written in English. In case of discrepancies between the English version and its translation, the English version prevails. Some parts of this content were translated by the Microsoft machine translation engine.