Complete list of event IDs for Endpoint Security
Technical Articles ID:
KB85494
Last Modified: 2022-07-11 11:11:48 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x
ENS Firewall 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x
Summary
This article explains ENS event messages. ENS event messaging uses natural language strings (NLSs). ENS records threat data, including the origin of the threat and how long it was present before detection, in NLSs. You can access this information from the management consoles and from the ENS client in the event log. NLSs provide descriptive explanations that give context around threat events. Some events might need more explanation than is contained in an event's text string. If a specific event is not present in a table below, it is because we believe it does not need further explanation. This article has been modified in response to customer requests through our Technical Support team.
NOTE: For more information about various event messages, see KB85494.
A single event ID can display different NLSs. Each event ID has a specific meaning, but the details in the event shape the language used to express that event's details. For example, one instance of event ID 1272 might contain all the expected information, so the NLS that best describes all of that information is chosen. Another instance of event ID 1272 might be missing the process name. Rather than using a blank to represent the process name, which could be confusing, a different NLS is used. This NLS omits the process name but still explains the remaining known details.
Factors that influence an NLS message include the following:
Whether an attack vector is local or remote
Whether an event concerns an on-access scan (OAS) or an on-demand scan (ODS)
Action taken (clean, delete, delete pending, access denied, continue, none, moved, blocked, or generic)
Presence or absence of errors (repair failed, DeleteOnReboot, FailedDeleteFile, BackupFailed, or FailedDeletePending)
Object type (whether the object is a boot sector)
Whether the process name is provided
Below is a comparison between traditional messaging and NLS event messaging for a detection that involves no action to be taken:
Traditional messaging syntax:
NLS messaging syntax:
" <domain>\<user> ran <process name>, which attempted to access <path>\<filename>. The <malware type> named <malware name> was detected and access to the file was denied."
Example NLS detection message:
"Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied."
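As an added illustration of the selection rule described above (this is not code from the article or from the product), the following Python chooses an OAS NLS tag from the factors the article lists and fills in its placeholders, refusing to render a blank field. The templates are copied from the article's OAS tables; the `_NOPROC` keys, the field names used as dictionary keys, and the mapping from the article's error and action names to tag suffixes are assumptions.

```python
import re

# NLS templates copied from the article's OAS tables. Single bars (|Field|) are
# filled from the event's raw fields; double bars (||Field||) mark fields whose
# value is itself a localized string (threat type, action taken). The "_NOPROC"
# keys are constructed labels for the strings the article lists without a tag.
NLS = {
    "IDS_NATURAL_LANG_OAS_DETECTION_CLN": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DEN": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied.",
    "IDS_NATURAL_LANG_OAS_DETECTION_NON": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName| and the ||ThreatType|| named |ThreatName| was detected.",
    "IDS_NATURAL_LANG_OAS_DETECTION_NON_NOPROC": "Attempted to access |TargetPath|\\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected.",
    "IDS_NATURAL_LANG_OAS_DETECTION_MOV": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved.",
    "IDS_NATURAL_LANG_OAS_DETECTION_BLO": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked.",
    "IDS_NATURAL_LANG_OAS_DETECTION_GENERIC": "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DLP": "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DLP_NOPROC": "Attempted to access |TargetPath|\\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DLR": "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot.",
    "IDS_NATURAL_LANG_OAS_DETECTION_DLE": "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed.",
    "IDS_NATURAL_LANG_OAS_DETECTION_BUE": "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed.",
    "IDS_NATURAL_LANG_OAS_DETECTION_R_CLN": "|TargetPath|\\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned.",
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DEN": "|TargetPath|\\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied.",
    "IDS_NATURAL_LANG_OAS_DETECTION_R_NON": "|TargetPath|\\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected.",
    "IDS_NATURAL_LANG_OAS_DETECTION_R_DLP": "The file |TargetPath|\\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494.",
    "IDS_NATURAL_LANG_OAS_DETECTION_B_CLN": "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned.",
}

# Assumed mapping from the error names and action names the article lists onto the
# suffixes of the NLS tags (the article does not state this mapping explicitly).
ERROR_SUFFIX = {"FailedDeletePending": "DLP", "DeleteOnReboot": "DLR",
                "FailedDeleteFile": "DLE", "BackupFailed": "BUE"}
ACTION_SUFFIX = {"cleaned": "CLN", "denied": "DEN", "none": "NON",
                 "moved": "MOV", "blocked": "BLO"}

FIELD = re.compile(r"\|(\|?)(\w+)\1\|")  # matches |Field| and ||Field||


def select_nls(event):
    """Choose the NLS tag for an OAS detection from the factors the article lists:
    boot sector, local vs. remote, error present, action taken, process name known."""
    tag = "IDS_NATURAL_LANG_OAS_DETECTION_"
    if event.get("BootSector"):
        tag += "B_"
    elif "SourceIPV4" in event:          # remote vector: the R_ family of strings
        tag += "R_"
    if event.get("Error") in ERROR_SUFFIX:
        tag += ERROR_SUFFIX[event["Error"]]
    else:
        tag += ACTION_SUFFIX.get(event.get("ThreatActionTaken"), "GENERIC")
    # Never render a blank process name: switch to the no-process variant when the
    # chosen string needs |SourceProcessName| and the event does not carry one.
    if "|SourceProcessName|" in NLS.get(tag, "") and not event.get("SourceProcessName"):
        tag += "_NOPROC"
    if tag not in NLS:
        raise LookupError(f"no NLS string for {tag}")
    return tag


def render(tag, event):
    """Fill the placeholders of one NLS template; a missing field is an error, not a blank."""
    def fill(match):
        name = match.group(2)
        if event.get(name) in (None, ""):
            raise ValueError(f"{tag} needs field {name}")
        return str(event[name])
    return FIELD.sub(fill, NLS[tag])


def describe(event):
    """Return (tag, message) for an event record such as ENS would log."""
    tag = select_nls(event)
    return tag, render(tag, event)


# Constructed event record matching the article's own example message.
SAMPLE = {
    "TargetUserName": "Interweb\\jsmith", "SourceProcessName": "notepad.exe",
    "TargetPath": "C:\\data\\temp", "TargetName": "eicar.com",
    "ThreatType": "Test Virus", "ThreatName": "Eicar Test File",
    "ThreatActionTaken": "denied",
}

if __name__ == "__main__":
    for ev in (SAMPLE,
               {**SAMPLE, "SourceProcessName": None, "ThreatActionTaken": "none"},
               {**SAMPLE, "SourceIPV4": "192.0.2.10", "Error": "FailedDeletePending"}):
        print(*describe(ev), sep="\n  ")
```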
The string "To identify the process locking the file, see KB85494" appears in some OAS event messages and refers customers to this Knowledge Base article for more information. In this scenario, the product denies access to an infected file and attempts to delete it, but cannot do so at the time of detection. The deletion fails because a file lock prevents Windows from deleting the file in response to our request. Windows holds the file deletion request in a delete-pending state. We continue to deny access to that file, preventing any new handles from being opened. Windows completes the deletion of the file when all handles to the detected file are closed. To examine which processes currently have the file open, use the following tools.
Windows Task Manager
Open Task Manager while logged on as an administrator: press CTRL+SHIFT+ESC.
Click the Performance tab.
Click Open Resource Monitor.
Click the CPU tab.
In the Associated Handles section, search for the name of the file in question. A partial file name may be enough.
Wait for the search results.
Process Explorer
Run Process Explorer as an administrator.
Click the Find menu, then select Find Handle or DLL.
Search for the name of the file in question.
Wait for the search results.
Take the appropriate next steps once a process is identified. To evaluate the process's behavior, assess it against the following:
Whether the process needs to use the file in question
Whether the process is safe or trusted
Whether it is safe to close the process
Whether data about this process must be collected and submitted to Technical Support for investigation
The string "For information on how to respond to this event, see KB85494" appears in some Access Protection rule violation event messages and refers customers to this Knowledge Base article for more information. In this scenario, an action is blocked according to the rule definition described in the event message itself. These violations are not false positives. The Access Protection feature cannot return a false positive, because it matches on whether a behavior occurs rather than using virus definitions or signatures.
Determine whether the behavior is expected:
If expected, take one of the following actions:
Accept or ignore the data.
Create an exclusion for the specified rule to exclude the process that is violating the rule. For more information, see the "Access Protection: file, process, and registry exclusions" section of the Endpoint Security Threat Prevention 10.7.x Product Guide.
If unexpected, investigate the behavior further, because one of the following conditions is true:
The behavior occurs because malware has infiltrated the process.
The behavior is normal and should be reclassified as expected behavior, in which case the bullet above for expected behavior applies.
If events become too frequent, take action to prevent the data from filling the ePolicy Orchestrator (ePO) database. A full database can cause SQL Server to run out of disk space, suffer network latency, or both.
Actions can include the following:
Purging events from the database
Freeing disk space
Configuring the agent to filter (stop sending) the specific event
Deleting unprocessed events from the ePO events folder
Deleting events from client systems that have not yet sent their accumulated events to ePO
At present, little can be done from the central administration point (the ePO server) or its Agent Handlers, other than reconfiguring the agents to filter the event.
The table below lists the event IDs and the NLSs that might accompany them.
NOTE: This table contains common events, actions, and their associated NLSs. It provides a correlation between the event IDs per feature and the possible selection of NLSs that might be used for the event, based on the natural string selection criteria. The NLS tag, shown in the last column, is explained in the tables below. To jump to that specific entry in the tables below, click the hyperlink.
The tables referred to above follow:
Event ID | NLS
(tag missing) | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
(tag missing) | "Attempted to access |TargetPath|\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_BLO | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC | "|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_OAS_DETECTION_ENC | "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2 | "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO | "|TargetUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2 | "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR | "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2 | "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner couldn't scan the file because it is corrupted."
IDS_NATURAL_LANG_OAS_DETECTION_DLP | "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
(tag missing) | "Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_NRP | "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV | "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2 | "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM | "|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2 | "An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR | "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE | "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE | "|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEL | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC | "|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO | "|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP | "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP | "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR | "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE | "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE | "The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN | "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN | "|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR | "The scanner detected a threat but, due to an error, no additional information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO | "The scanner detected a threat while scanning |TargetName| but, due to an error, no additional information is available."
Event ID | NLS
(tag missing) | "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2 | "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3 | "|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4 | "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5 | "|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6 | "|SourceUserName| ran |SourceProcessName|, which accessed the process |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
Event ID | Condition | NLS
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1 | All but SMEP and TAMPER (no API name or caller module) | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2 | All but SMEP & TAMPER with API name | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4 | All but SMEP & TAMPER with a caller module | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3 | SMEP | "|ThreatName| attempted an exploit at |ThreatTimestamp| and was ||ThreatActionTaken||. For more information, check the Windows Event Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5 | TAMPER | "Tampering has been detected with Exploit Prevention's monitoring of processes on this computer."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N | All but SMEP and TAMPER (no API name or caller module) | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N | All but SMEP & TAMPER with API name | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N | All but SMEP & TAMPER with a caller module | "|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N | SMEP | "|ThreatName| attempted an exploit at |ThreatTimestamp|. For more information, check the Windows Event Viewer for record number |TargetName|. It wasn't blocked because Exploit Prevention was set to Report Only."
Event ID | NLS
(tag missing) | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was deleted."
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Due to an error, no additional information is available."
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. The boot sector was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_ENC | "|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO | "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS | "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file size exceeds the configured maximum file size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR | "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file is corrupt."
IDS_NATURAL_LANG_ODS_DETECTION_DLP | "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName| but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP | "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV | "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM | "|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scanner doesn't have access rights to it."
IDS_NATURAL_LANG_ODS_DETECTION_DLR | "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE | "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE | "|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR | "The on-demand scan detected a threat but, due to an error, no additional information is available."
IDS_ALERT_ACT_TAK_CONT | "|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
Dynamic Application Containment (DAC) strings
Event ID | NLS
IDS_NATURAL_LANG_DESC_DAC_1 | "The application |SourceFilePath|\|SourceProcessName| was contained at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2 | "|RequesterDisplayName| requested to contain the application |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3 | "The application |SourceFilePath|\|SourceProcessName| was released from containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4 | "|RequesterDisplayName| requested to release the application |SourceFilePath|\|SourceProcessName|. However, the application is still contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5 | "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6 | "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7 | "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed and the application was released from containment because Dynamic Application Containment was uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8 | "|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed because Dynamic Application Containment was uninstalled."
From ePO, in %install dir%\server\extensions\installed\ENDP_AM_1000 (for example), you can obtain the following event information for ENS from strings_en.properties.
Event ID | Event information | ENS module
1024 | Infected file found. | Threat Prevention
1025 | Infected file successfully Cleaned. | Threat Prevention
1027 | Infected file deleted. | Threat Prevention
1037 | Infected boot record found | Threat Prevention
1051 | Unable to scan password protected | Threat Prevention
1059 | Scan Timed Out | Threat Prevention
1064 | Service was started. | Threat Prevention
1065 | Service ended. | Threat Prevention
1087 | On-access Scan started | Threat Prevention
1088 | On-access scan stopped. | Threat Prevention
1091 | JavaScript or VBScript security violation detected and blocked | Threat Prevention
1092 | Access Protection rule violation detected and blocked | Threat Prevention
1095 | Access Protection rule violation detected and NOT blocked | Threat Prevention
1096 | event_name_1096=Port blocking rule violation detected and NOT blocked; event_desc_1096=Port blocking rule violation detected and NOT blocked | Threat Prevention
1102 | event_name_1102=Multiple extension heuristic detection - moved; event_desc_1102=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1103 | event_name_1103=Prescan needed; event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1104 | event_name_1104=Multiple extension heuristic detection - delete on reboot; event_desc_1104=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1106 | event_name_1106=Multiple extension heuristic detection - message deleted; event_desc_1106=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1118 | The update was successful | Common
1119 | The update failed; see event log | Common
1120 | The update is running | Common
1121 | The update was cancelled | Common
1202 | event_name_1202=On-Demand Scan started; event_desc_1202=On-Demand Scan started | (module missing)
(ID missing) | file infected. No cleaner available, OAS denied access and continued | Threat Prevention
1292 | file infected. Undetermined clean error, OAS denied access and continued | Threat Prevention
1300 | file infected. Delete failed, denied access and continued (OAS) | Threat Prevention
1301 | event_name_1301=Multiple extension heuristic detection - clean error, quarantined successfully; event_desc_1301=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1302 | event_name_1302=Multiple extension heuristic detection - move failed, clean error; event_desc_1302=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1303 | event_name_1303=Multiple extension heuristic detection - clean error, deleted successfully; event_desc_1303=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1304 | event_name_1304=Multiple extension heuristic detection - clean error, delete failed; event_desc_1304=The file %FILENAME% detected with multiple extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1305 | event_name_1305=Multiple extension heuristic detection - clean error, denied access and continued; event_desc_1305=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1306 | event_name_1306=Multiple extension heuristic detection - move failed, deleted successfully; event_desc_1306=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1307 | event_name_1307=Multiple extension heuristic detection - move failed, delete failed; event_desc_1307=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1308 | event_name_1308=Multiple extension heuristic detection - move failed, denied access and continued; event_desc_1308=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1309 | event_name_1309=Multiple extension heuristic detection - delete failed, quarantined successfully; event_desc_1309=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1310 | event_name_1310=Multiple extension heuristic detection - delete failed, quarantine failed; event_desc_1310=The file %FILENAME% detected with multiple extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1311 | event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued; event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1312 | event_name_1312=Move failed, delete failed, file will be deleted on reboot; event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1313 | event_name_1313=Multiple extension heuristic detection - move failed, delete failed, file will be deleted on reboot; event_desc_1313=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1314 | event_name_1314=Encrypted file - clean error, delete on reboot; event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1315 | event_name_1315=Heuristic detection - clean error, delete on reboot; event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1316 | event_name_1316=Multiple extension heuristic detection - clean error, delete on reboot; event_desc_1316=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1317 | event_name_1317=No cleaner available - clean error, delete on reboot; event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1318 | event_name_1318=Undetermined - clean error, delete on reboot; event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1319 | event_name_1319=Undetermined - clean error, message deleted; event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1320 | event_name_1320=Encrypted - clean error, message deleted; event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
1321 | event_name_1321=Heuristic detection - clean error, message deleted; event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%. | Threat Prevention
Threat Prevention
1322
event_name_1322=Multiple extension heuristic detection - clean error, message deleted
event_desc_1322=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1323
event_name_1323=Clean error, message deleted
event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1324
event_name_1324=Move failed, message deleted
event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1325
event_name_1325=Multiple extension heuristic detection - move failed, message deleted
event_desc_1325=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1400
event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
Threat Prevention
1401
event_name_1401=Clean failed (user defined detection), no Action Taken
event_desc_1401=Clean failed (user defined detection), no Action Taken
Threat Prevention
1402
event_name_1402=Clean failed (user defined detection), Move failed
event_desc_1402=Clean failed (user defined detection), Move failed
Threat Prevention
1403
event_name_1403=Moved (user defined detection), Clean failed
event_desc_1403=Moved (user defined detection), Clean failed
Threat Prevention
1404
event_name_1404=Clean failed (user defined detection), Delete failed
event_desc_1404=Clean failed (user defined detection), Delete failed
Threat Prevention
1405
event_name_1405=Deleted (user defined detection), Clean failed
event_desc_1405=Deleted (user defined detection), Clean failed
Threat Prevention
1406
event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
Threat Prevention
1407
event_name_1407=Move failed(user defined detection), Delete failed
event_desc_1407=Move failed(user defined detection), Delete failed
Threat Prevention
1408
event_name_1408=Deleted (user defined detection), Move failed
event_desc_1408=Deleted (user defined detection), Move failed
Threat Prevention
1409
event_name_1409=Move failed(user defined detection), no Action Taken
event_desc_1409=Move failed(user defined detection), no Action Taken
Threat Prevention
1410
event_name_1410=Deleted (user defined detection)
event_desc_1410=Deleted (user defined detection)
Threat Prevention
1411
event_name_1411=Delete failed (user defined detection), Move failed
event_desc_1411=Delete failed (user defined detection), Move failed
Threat Prevention
1412
event_name_1412=Moved (user defined detection), Delete failed
event_desc_1412=Moved (user defined detection), Delete failed
Threat Prevention
1413
event_name_1413=Delete failed (user defined detection), no Action Taken
event_desc_1413=Delete failed (user defined detection), no Action Taken
Threat Prevention
1414
event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1415
event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot
event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1416
event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1417
event_name_1417=Email message deleted (user defined detection)
event_desc_1417=Email message deleted (user defined detection)
Threat Prevention
1418
event_name_1418=Email message deleted (user defined detection), Clean failed
event_desc_1418=Email message deleted (user defined detection), Clean failed
Threat Prevention
1419
event_name_1419=Email message deleted (user defined detection), Move failed
event_desc_1419=Email message deleted (user defined detection), Move failed
Threat Prevention
1420
event_name_1420=Email message deleted (user defined detection), Delete failed
event_desc_1420=Email message deleted (user defined detection), Delete failed
Threat Prevention
1421
event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
Threat Prevention
1422
event_name_1422=Clean failed for heuristic detection, delete pending
event_desc_1422=Clean failed for heuristic detection, delete pending
Threat Prevention
18051
event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
Threat Prevention
18052
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
Threat Prevention
18053
event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
Threat Prevention
18054
event_name_18054=An exploit was attempted and blocked
event_desc_18054=An exploit was attempted and blocked
Threat Prevention
18055
event_name_18055=A suspicious call was detected and blocked
event_desc_18055=A suspicious call was detected and blocked
Threat Prevention
18056
event_name_18056=Buffer Overflow detected and blocked (DEP)
event_desc_18056=Buffer Overflow detected and blocked (DEP)
Threat Prevention
18057
event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
Threat Prevention
34920
event_name_34920=Roll back successful
event_desc_34920=Roll back successful
Threat Prevention
34921
event_name_34921=Roll back failed
event_desc_34921=Roll back failed
Threat Prevention
34922
event_name_34922=Roll back did not occur
event_desc_34922=Roll back did not occur
Threat Prevention
34923
event_name_34923=The item was corrupt
event_desc_34923=The item was corrupt
Threat Prevention
34924
event_name_34924=The object was not scanned due to a sharing violation
event_desc_34924=The object was not scanned due to a sharing violation
Threat Prevention
34925
event_name_34925=The object was not scanned because the scanner does not have enough rights to read it
event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it
Threat Prevention
34926
event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
The content of this article was written in English. If there are differences between the English content and the translation, always refer to the English content. Part of the content was translated with Microsoft machine translation tools.