En el sector de la ciberseguridad no hay tiempo para aburrirse y nunca ha habido un mejor momento para aceptar esta idea como una ventaja y un catalizador de la actividad empresarial.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Endpoint Security (ENS) Protección adaptable frente a amenazas (ATP) 10.x
Firewall 10.x de ENS
Prevención de amenazas 10.x de ENS
Control web de ENS 10.x
Resumen
Este artículo contiene una explicación de los mensajes de eventos de ENS. La mensajería de eventos de ENS utiliza cadenas de lenguaje natural (NLSs). ENS registra datos de amenazas, incluidos el origen y la duración de la amenaza antes de la detección, en NLSs. Puede acceder a esta información desde las consolas de administración y el cliente de ENS en el registro de eventos. NLSs proporcionan explicaciones descriptivas que proporcionan contexto en torno a los eventos de amenazas. Es posible que algunos eventos requieran más explicación de la contenida en la cadena de texto de un evento. Si falta un evento concreto en una tabla a continuación, es porque creemos que no necesita explicación adicional. Este artículo se modificará según sea necesario en respuesta a las solicitudes de los clientes a través de nuestro equipo de Soporte técnico.
NOTA: Varios mensajes de eventos hacen referencia al KB85494 para obtener más información.
Es posible que un único ID de evento muestre NLSs diferentes. Cada ID de evento tiene un significado específico, pero los detalles de la forma de evento especifican el tipo de idioma utilizado para expresar los detalles del evento. Por ejemplo, una instancia del ID de evento 1272 podría contener toda la información esperada. Por lo tanto, se elige un NLS que mejor describa toda esa información. Es posible que falte el nombre de proceso en otra instancia del ID de evento 1272. En lugar de utilizar un espacio en blanco para representar el nombre del proceso, lo que sería confuso, usamos un NLS distinto. Esta NLS omite el nombre del proceso, pero sigue explicando los detalles conocidos restantes.
Entre los factores que influyen en un mensaje NLS se incluyen los siguientes:
Si un vector de ataque es local o remoto
Si un evento es para un análisis en tiempo real (OAS) o un análisis bajo demanda (ODS)
Presencia o ausencia de errores (reparación fallida, DeleteOnReboot, FailedDeleteFile, BackupFailed o FailedDeletePending)
Tipo de objeto (si el objeto es un sector de arranque)
Si se ha proporcionado el nombre del proceso
A continuación se ofrece una comparación de los mensajes de eventos tradicionales y NLS para una detección que provoca que no se realice ninguna acción:
Sintaxis de mensajería tradicional:
Sintaxis de mensajería de NLS:
" <domain>\<user> ran <process name>, which attempted to access <path>\<filename>. The <malware type> named <malware name> was detected and access to the file was denied."
Ejemplo de mensaje de detección de NLS:
"Interweb\jsmith ran notepad.exe, which attempted to access C:\data\temp\eicar.com. The Test Virus named Eicar Test File was detected and access to the file was denied."
Contenido Haga clic para expandir la sección que desee ver:
La cadena " To identify the process locking the file, see KB85494" muestra en algunos mensajes de eventos de OAS y remite a los clientes a este artículo de la base de datos para obtener más información. En este caso, el producto deniega el acceso a un archivo infectado e intenta eliminar el archivo. No obstante, no puede hacerlo en el momento de la detección. La eliminación falla debido a que un bloqueo de archivo impide que Windows elimine el archivo como respuesta a nuestra solicitud. Windows mantiene la solicitud de eliminación de archivos en un estado pendiente de eliminación. Seguimos denegando el acceso a ese archivo, lo que impide que se abran nuevos identificadores. Windows finaliza la eliminación del archivo cuando se cierran todos los identificadores del archivo detectado. Si desea investigar los procesos que tienen abierto este archivo, utilice las siguientes herramientas.
Administrador de tareas
Abrir Administrador de tareas Inicie sesión como administrador haciendo clic en CTRL + MAYÚS + ESC.
Haga clic en el vínculo Rendimiento pestaña.
Haga clic Monitor de recursos.
Haga clic en el vínculo CPU pestaña.
En la sección Identificadores asociados, busque el nombre del archivo en cuestión. Es posible que el nombre de archivo parcial sea suficiente.
Espere a que se muestren los resultados de búsqueda.
Explorador de procesos
Ejecutar Explorador de procesos como administrador.
Haga clic en el vínculo Buscar menú y seleccione Buscar controlador o DLL.
Busque el nombre del archivo en cuestión.
Espere a que se muestren los resultados de búsqueda.
Lleve a cabo los siguientes pasos a la hora de identificar un proceso. Para evaluar el comportamiento del proceso, evalúelo según lo siguiente:
Si el proceso debe utilizar el archivo en uso
Si el proceso es seguro o de confianza
Si es seguro cerrar el proceso
Si debe capturar datos sobre este proceso para enviarlos a Soporte técnico para su investigación
La cadena " For information on how to respond to this event, see KB85494" muestra en algunos mensajes de eventos de infracción de reglas de protección de acceso y remite a los clientes a este artículo de la base de datos para obtener más información. En este caso, se bloquea una acción conforme a la definición de la regla que se describe en el propio mensaje de evento. Estas infracciones no son falsos positivos. La función protección de acceso no puede devolver un falso positivo. El motivo se debe a que se encuentra en función de si se produce un comportamiento en lugar de utilizar las definiciones o firmas de virus.
Determine si se espera el comportamiento:
Si se espera, debe realizar cualquiera de las acciones siguientes:
Acepte o ignore los datos.
Cree una exclusión para la regla especificada con el fin de excluir el proceso que infringe la regla. Para obtener más información, consulte la sección protección de acceso ": archivos, procesos y exclusiones de registro" de la Endpoint Security 10.7.x Guía del producto prevención de amenazas.
Si es inesperado, investigue el comportamiento aún más porque se cumple una de las siguientes condiciones:
El comportamiento se debe a malware que ha infiltrado el proceso.
El comportamiento es normal y se debe reclasificar como comportamiento esperado, en cuyo caso se vería la viñeta anterior para el comportamiento esperado.
Si los eventos son demasiado frecuentes, lleve a cabo la acción para evitar que los datos rellenen la base de dato de ePolicy Orchestrator (ePO). Una base de datos completa puede provocar que la SQL Server se quede sin espacio en el disco, latencia de red o ambas cosas.
Las acciones pueden incluir lo siguiente:
Eventos de purga de la base de datos
Liberación de espacio en el disco
Configuración del agente para filtrar (no volver a enviar) el evento específico
Eliminación de eventos sin procesar de la carpeta eventos de ePO
Eliminación de eventos de sistemas cliente que aún no han enviado a ePO los eventos que se han acumulado
Actualmente, hay poco que se puede hacer desde el punto de administración centralizado (servidor de ePO) o su Controladores de agentes, excepto para volver a configurar los agentes a fin de filtrar el evento.
En la siguiente tabla se muestran los ID de eventos y NLSs que pueden acompañar a ellos.
NOTA: Esta tabla contiene eventos, acciones y NLSs asociados comunes. Proporciona una correlación entre los ID de eventos por función y la posible selección de NLSs que podrían utilizarse para el evento en función de los criterios de selección de cadenas naturales. La etiqueta NLS, que se muestra en la última columna, se explica con más detalle en las siguientes tablas. Para saltar a esa entrada específica en las tablas siguientes, haga clic en el hipervínculo.
A continuación se indican los vínculos a las tablas siguientes:
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_CLN
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_DEN
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
"Attempted to access |TargetPath|\|TargetName| and the threat ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_NON
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName| and the ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_MOV
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_BLO
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_GENERIC
"|TargetUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|. The ||ThreatType|| named |ThreatName| was detected. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_OAS_DETECTION_ENC
"|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_ENC2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_TO
"|TargetUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_TO2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_COR
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The file is corrupt and could not be scanned."
IDS_NATURAL_LANG_OAS_DETECTION_COR2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner couldn't scan the file because it is corrupted."
IDS_NATURAL_LANG_OAS_DETECTION_DLP
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access \"|TargetPath|\|TargetName|\". The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
"Attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_NRP
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_SHV
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_SHV2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file due to a sharing violation."
IDS_NATURAL_LANG_OAS_DETECTION_NPM
"|AV_DETECTION_USERNAME| accessed \"|AV_DETECTION_FULL_LOCATION|\". The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_NPM2
"An unknown user accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it doesn't have access rights."
IDS_NATURAL_LANG_OAS_DETECTION_DLR
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_DLE
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_BUE
"|TargetUserName| ran \"|SourceProcessName|\", which attempted to access |TargetPath|\|TargetName|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEL
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and deleted."
IDS_NATURAL_LANG_OAS_DETECTION_R_CLN
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_R_DEN
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_R_NON
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected."
IDS_NATURAL_LANG_OAS_DETECTION_R_MOV
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and the file was moved."
IDS_NATURAL_LANG_OAS_DETECTION_R_BLO
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The ||ThreatType|| named |ThreatName| was detected and blocked."
IDS_NATURAL_LANG_OAS_DETECTION_R_ENC
"|AV_DETECTION_USERNAME| accessed |AV_DETECTION_FULL_LOCATION|. The scanner could not scan the file because it was encrypted."
IDS_NATURAL_LANG_OAS_DETECTION_R_TO
"|TargetPath|\|TargetName| was accessed from the remote system |SourceIPV4|. The file scan ran for the maximum time allotted and was canceled."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLP
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_OAS_DETECTION_R_NRP
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but no clean information is available."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLR
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected and will be deleted on reboot."
IDS_NATURAL_LANG_OAS_DETECTION_R_DLE
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but deletion failed."
IDS_NATURAL_LANG_OAS_DETECTION_R_BUE
"The file |TargetPath|\|TargetName| was accessed from remote system |SourceIPV4|. The threat ||ThreatType|| named |ThreatName| was detected but quarantine failed."
IDS_NATURAL_LANG_OAS_DETECTION_B_CLN
"|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector and cleaned."
IDS_NATURAL_LANG_OAS_DETECTION_B_DEN
"|TargetUserName| accessed volume |TargetPath|:. The ||ThreatType|| named |ThreatName| was detected in the boot sector. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so access to the file was denied."
IDS_NATURAL_LANG_OAS_DETECTION_ERROR
"The scanner detected a threat but, due to an error, no additional information is available."
IDS_NATURAL_LANG_OAS_DETECTION_NO_INFO
"The scanner detected a threat while scanning |TargetName| but, due to an error, no additional information is available."
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_2
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_3
"|SourceUserName| ran |SourceProcessName|, which attempted to access |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\" and was blocked. For information on how to respond to this event, see KB85494."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_4
"|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_5
"|SourceUserName| ran |SourceProcessName|, which accessed |TargetPath|\|TargetName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_APSP_6
"|SourceUserName| ran |SourceProcessName|, which accessed the process |TargetProcessName|, violating the rule \"||AnalyzerRuleName||\". Access was allowed because the rule wasn't configured to block."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API, and was ||ThreatActionTaken||."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp| and was ||ThreatActionTaken||. For more information, check the Windows Event Viewer for record number |TargetName|."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_5
TAMPER
TAMPER
"Tampering has been detected with Exploit Prevention's monitoring of processes on this computer."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_1N
All but SMEP and TAMPER (no API name or caller module)
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_2N
All but SMEP & TAMPER with API name
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName|, which targeted the |APIName|) API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_4N
All but SMEP & TAMPER with a caller module
"|ThreatName| attempted to exploit |TargetPath|\|TargetProcessName| called from module |CallerModule|, which targeted the |APIName| API. It wasn't blocked because Exploit Prevention was set to Report Only."
IDS_NATURAL_LANG_DESC_DETECTION_BOP_3N
SMEP
"|ThreatName| attempted an exploit at |ThreatTimestamp|. For more information, check the Windows Event Viewer for record number |TargetName|. It wasn't blocked because Exploit Prevention was set to Report Only."
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_CLEANED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_DELETED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The file was deleted."
IDS_NATURAL_LANG_ODS_DETECTION_GENERIC
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
IDS_NATURAL_LANG_ODS_DETECTION_NO_INFO
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. Due to an error, no additional information is available."
IDS_NATURAL_LANG_ODS_DETECTION_B_NONE
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. Both the primary (||FirstAttemptedAction||) and secondary (||SecondAttemptedAction||) actions failed, so the scanner took no action."
IDS_NATURAL_LANG_ODS_DETECTION_B_CLEANED
"|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning the boot sector of volume |TargetPath|:. The boot sector was cleaned."
IDS_NATURAL_LANG_ODS_DETECTION_ENC
"|TargetUserName| ran the ||TaskName|| on-demand scan. The scanner could not scan |TargetName| because it was encrypted."
IDS_NATURAL_LANG_ODS_DETECTION_TO
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scan timed out."
IDS_NATURAL_LANG_ODS_DETECTION_FS
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file size exceeds the configured maximum file size to scan."
IDS_NATURAL_LANG_ODS_DETECTION_COR
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the file is corrupt."
IDS_NATURAL_LANG_ODS_DETECTION_DLP
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName| but the file can't be deleted because it's locked. The file will be deleted when the file isn't locked. To identify the process locking the file, see KB85494."
IDS_NATURAL_LANG_ODS_DETECTION_NRP
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, no clean information is available."
IDS_NATURAL_LANG_ODS_DETECTION_SHV
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| due to a sharing violation."
IDS_NATURAL_LANG_ODS_DETECTION_NPM
"|TargetUserName| ran on-demand scan ||TaskName||, which was unable to scan |TargetName| because the scanner doesn't have access rights to it."
IDS_NATURAL_LANG_ODS_DETECTION_DLR
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The threat will be deleted on reboot."
IDS_NATURAL_LANG_ODS_DETECTION_DLE
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, deletion of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_BUE
"|TargetUserName| ran on-demand scan ||TaskName||, which detected the threat ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. However, quarantine of the threat failed."
IDS_NATURAL_LANG_ODS_DETECTION_ERROR
"The on-demand scan detected a threat but, due to an error, no additional information is available."
IDS_ALERT_ACT_TAK_CONT
.|TargetUserName| ran the ||TaskName|| on-demand scan, which detected the ||ThreatType|| named |ThreatName| while scanning |TargetPath|\|TargetName|. The scanner took the following action: ||ThreatActionTaken||."
Cadenas de Contención dinámica de aplicaciones (DAC)
ID de evento
NLS
IDS_NATURAL_LANG_DESC_DAC_1
"The application |SourceFilePath|\|SourceProcessName| was contained at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_2
"|RequesterDisplayName| requested to contain the application |SourceFilePath|\|SourceProcessName|, which is already contained."
IDS_NATURAL_LANG_DESC_DAC_3
"The application |SourceFilePath|\|SourceProcessName| was released from containment at the request of |RequesterDisplayName|."
IDS_NATURAL_LANG_DESC_DAC_4
"|RequesterDisplayName| requested to release the application |SourceFilePath|\|SourceProcessName|. However, the application is still contained because other requests remain."
IDS_NATURAL_LANG_DESC_DAC_5
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion and the application was released from containment."
IDS_NATURAL_LANG_DESC_DAC_6
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed due to an exclusion."
IDS_NATURAL_LANG_DESC_DAC_7
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed and the application was released from containment because Dynamic Application Containment was uninstalled."
IDS_NATURAL_LANG_DESC_DAC_8
"|RequesterDisplayName| request to contain |SourceFilePath|\|SourceProcessName| was removed because Dynamic Application Containment was uninstalled."
Desde ePO, %install dir%\server\extensions\installed\ENDP_AM_1000 (como ejemplo), puede obtener la siguiente información de eventos para ENS desde strings_en.properties .
ID de evento
Información de evento
Módulo ENS
1024
Infected file found.
Threat Prevention
1025
Infected file successfully Cleaned.
Threat Prevention
1027
Infected file deleted.
Threat Prevention
1037
Infected boot record found
Threat Prevention
1051
Unable to scan password protected
Threat Prevention
1059
Scan Timed Out
Threat Prevention
1064
Service was started.
Threat Prevention
1065
Service ended.
Threat Prevention
1087
On-access Scan started
Threat Prevention
1088
On-access scan stopped.
Threat Prevention
1091
JavaScript or VBScript security violation detected and blocked
Threat Prevention
1092
Access Protection rule violation detected and blocked
Threat Prevention
1095
Access Protection rule violation detected and NOT blocked
Threat Prevention
1096
event_name_1096=Port blocking rule violation detected and NOT blocked
event_desc_1096=Port blocking rule violation detected and NOT blocked
Threat Prevention
1102
event_name_1102=Multiple extension heuristic detection - moved
event_desc_1102=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1103
event_name_1103=Prescan needed
event_desc_1103=The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Prescan is needed for removal. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1104
event_name_1104=Multiple extension heuristic detection - delete on reboot
event_desc_1104=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1106
event_name_1106=Multiple extension heuristic detection - message deleted
event_desc_1106=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1118
The update was successful
Common
1119
The update failed; see event log
Common
1120
The update is running
Common
1121
The update was cancelled
Common
1202
event_name_1202=On-Demand Scan started
event_desc_1202=On-Demand Scan started
file infected. No cleaner available, OAS denied access and continued
Threat Prevention
1292
file infected. Undetermined clean error, OAS denied access and continued
Threat Prevention
1300
file infected. Delete failed, denied access and continued (OAS)
Threat Prevention
1301
event_name_1301=Multiple extension heuristic detection - clean error, quarantined successfully
event_desc_1301=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1302
event_name_1302=Multiple extension heuristic detection - move failed, clean error
event_desc_1302=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to clean the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1303
event_name_1303=Multiple extension heuristic detection - clean error, deleted successfully
event_desc_1303=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1304
event_name_1304=Multiple extension heuristic detection - clean error, delete failed
event_desc_1304=The file %FILENAME% detected with multiple extension heuristics. Unable to clean the file and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1305
event_name_1305=Multiple extension heuristic detection - clean error, denied access and continued
event_desc_1305=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1306
event_name_1306=Multiple extension heuristic detection - move failed, deleted successfully
event_desc_1306=The file %FILENAME% detected with multiple extension heuristics. The file has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1307
event_name_1307=Multiple extension heuristic detection - move failed, delete failed
event_desc_1307=The file %FILENAME% detected with multiple extension heuristics. Unable to move the file to quarantine area and unable to delete the file. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1308
event_name_1308=Multiple extension heuristic detection - move failed, denied access and continued
event_desc_1308=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1309
event_name_1309=Multiple extension heuristic detection - delete failed, quarantined successfully
event_desc_1309=The file %FILENAME% detected with multiple extension heuristics. The file was moved to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1310
event_name_1310=Multiple extension heuristic detection - delete failed, quarantine failed
event_desc_1310=The file %FILENAME% detected with multiple extension heuristics. Unable to delete the file and unable to move the file to quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1311
event_name_1311=Multiple extension heuristic detection - delete failed, denied access and continued
event_desc_1311=The file %FILENAME% detected with multiple extension heuristics. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1312
event_name_1312=Move failed, delete failed, file will be deleted on reboot
event_desc_1312=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1313
event_name_1313=Multiple extension heuristic detection - move failed, delete failed, file will be deleted on reboot
event_desc_1313=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1314
event_name_1314=Encrypted file - clean error, delete on reboot
event_desc_1314=The encrypted file %FILENAME% will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1315
event_name_1315=Heuristic detection - clean error, delete on reboot
event_desc_1315=The file %FILENAME% detected with heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1316
event_name_1316=Multiple extension heuristic detection - clean error, delete on reboot
event_desc_1316=The file %FILENAME% detected with multiple extension heuristics. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1317
event_name_1317=No cleaner available - clean error, delete on reboot
event_desc_1317=The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1318
event_name_1318=Undetermined - clean error, delete on reboot
event_desc_1318=The file %FILENAME% has an undetermined infection. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1319
event_name_1319=Undetermined - clean error, message deleted
event_desc_1319=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1320
event_name_1320=Encrypted - clean error, message deleted
event_desc_1320=Encrypted message %FILENAME% has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1321
event_name_1321=Heuristic detection - clean error, message deleted
event_desc_1321=The message %FILENAME% detected with heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1322
event_name_1322=Multiple extension heuristic detection - clean error, message deleted
event_desc_1322=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1323
event_name_1323=Clean error, message deleted
event_desc_1323=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1324
event_name_1324=Move failed, message deleted
event_desc_1324=The message %FILENAME% contains the %VIRUSNAME% %VIRUSTYPE%. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
Threat Prevention
1325
event_name_1325=Multiple extension heuristic detection - move failed, message deleted
event_desc_1325=The message %FILENAME% detected with multiple extension heuristics. The message has been deleted. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
event_name_1400=User defined object detected, no Action Taken
event_desc_1400=User defined object detected, no Action Taken
Threat Prevention
1401
event_name_1401=Clean failed (user defined detection), no Action Taken
event_desc_1401=Clean failed (user defined detection), no Action Taken
Threat Prevention
1402
event_name_1402=Clean failed (user defined detection), Move failed
event_desc_1402=Clean failed (user defined detection), Move failed
Threat Prevention
1403
event_name_1403=Moved (user defined detection), Clean failed
event_desc_1403=Moved (user defined detection), Clean failed
Threat Prevention
1404
event_name_1404=Clean failed (user defined detection), Delete failed
event_desc_1404=Clean failed (user defined detection), Delete failed
Threat Prevention
1405
event_name_1405=Deleted (user defined detection), Clean failed
event_desc_1405=Deleted (user defined detection), Clean failed
Threat Prevention
1406
event_name_1406=Moved (user defined detection)
event_desc_1406=Moved (user defined detection)
Threat Prevention
1407
event_name_1407=Move failed(user defined detection), Delete failed
event_desc_1407=Move failed(user defined detection), Delete failed
Threat Prevention
1408
event_name_1408=Deleted (user defined detection), Move failed
event_desc_1408=Deleted (user defined detection), Move failed
Threat Prevention
1409
event_name_1409=Move failed(user defined detection), no Action Taken
event_desc_1409=Move failed(user defined detection), no Action Taken
Threat Prevention
1410
event_name_1410=Deleted (user defined detection)
event_desc_1410=Deleted (user defined detection)
Threat Prevention
1411
event_name_1411=Delete failed (user defined detection), Move failed
event_desc_1411=Delete failed (user defined detection), Move failed
Threat Prevention
1412
event_name_1412=Moved (user defined detection), Delete failed
event_desc_1412=Moved (user defined detection), Delete failed
Threat Prevention
1413
event_name_1413=Delete failed (user defined detection), no Action Taken
event_desc_1413=Delete failed (user defined detection), no Action Taken
Threat Prevention
1414
event_name_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1414=Clean failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1415
event_name_1415=Deleted failed, file (user defined detection) will be deleted on reboot
event_desc_1415=Deleted failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1416
event_name_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
event_desc_1416=Move failed, delete failed, file (user defined detection) will be deleted on reboot
Threat Prevention
1417
event_name_1417=Email message deleted (user defined detection)
event_desc_1417=Email message deleted (user defined detection)
Threat Prevention
1418
event_name_1418=Email message deleted (user defined detection), Clean failed
event_desc_1418=Email message deleted (user defined detection), Clean failed
Threat Prevention
1419
event_name_1419=Email message deleted (user defined detection), Move failed
event_desc_1419=Email message deleted (user defined detection), Move failed
Threat Prevention
1420
event_name_1420=Email message deleted (user defined detection), Delete failed
event_desc_1420=Email message deleted (user defined detection), Delete failed
Threat Prevention
1421
event_name_1421=Clean error as no cleaner was available, and delete pending
event_desc_1421=Clean error as no cleaner was available, and delete pending
Threat Prevention
1422
event_name_1422=Clean failed for heuristic detection, delete pending
event_desc_1422=Clean failed for heuristic detection, delete pending
event_name_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
event_desc_18051=An unauthorized escalation of privilege was attempted and blocked (SMEP)
Threat Prevention
18052
event_name_18052=Buffer Overflow detected and blocked (GBOP)
event_desc_18052=Buffer Overflow detected and blocked (GBOP)
Threat Prevention
18053
event_name_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
event_desc_18053=An unauthorized escalation of privilege was attempted and blocked (GPEP)
Threat Prevention
18054
event_name_18054=An exploit was attempted and blocked
event_desc_18054=An exploit was attempted and blocked
Threat Prevention
18055
event_name_18055=A suspicious call was detected and blocked
event_desc_18055=A suspicious call was detected and blocked
Threat Prevention
18056
event_name_18056=Buffer Overflow detected and blocked (DEP)
event_desc_18056=Buffer Overflow detected and blocked (DEP)
Threat Prevention
18057
event_name_18057=Tampering with Exploit Prevention has been detected.
event_desc_18057=Tampering with Exploit Prevention has been detected.
event_name_34920=Roll back successful
event_desc_34920=Roll back successful
Threat Prevention
34921
event_name_34921=Roll back failed
event_desc_34921=Roll back failed
Threat Prevention
34922
event_name_34922=Roll back did not occur
event_desc_34922=Roll back did not occur
Threat Prevention
34923
event_name_34923=The item was corrupt
event_desc_34923=The item was corrupt
Threat Prevention
34924
event_name_34924=The object was not scanned due to a sharing violation
event_desc_34924=The object was not scanned due to a sharing violation
Threat Prevention
34925
event_name_34925=The object was not scanned because the scanner does not have enough rights to read it
event_desc_34925=The object was not scanned because the scanner does not have enough rights to read it
Threat Prevention
34926
event_name_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
event_desc_34926=The object was not scanned because the file size exceeds the configured maximum file size to scan
El contenido de este artículo se creó en inglés. En caso de darse cualquier diferencia entre el contenido en inglés y su traducción, el primero siempre será el más preciso. La traducción de algunas partes de este contenido la ha proporcionado Microsoft mediante el uso de traducción automática.