detection.wiki
Blog

Microsoft-Antimalware-Service

124 events across 1 channel

Event IDTitleChannel
1Application
2Application
4Application
5Application
6Application
7Application
8Application
9Application
10Application
11Application
12Application
13Application
14Application
15Application
16Application
17Application
18Application
19Application
20Application
21Application
22Application
23Application
24Application
25Application
26Application
27Application
28Application
29Application
30Application
31Application
32Application
33Application
34Application
35Application
36Application
37Application
38Application
39Application
40Application
41Application
42Application
43Application
44Application
45Application
46Application
47Application
48Application
49Application
50Application
51Application
52Application
53Application
54Application
55Application
56Application
57Application
58Application
59Application
60Application
61Application
62Application
63Application
64Application
65Application
66Application
67Application
68Application
69Application
70Application
1000An antimalware scan started.Application
1001An antimalware scan finished.Application
1002An antimalware scan was stopped before it finished.Application
1006The antimalware engine found malware or other potentially unwanted software.Application
1007The antimalware platform performed an action to protect your system from malware …Application
1008The antimalware platform attempted to perform an action to protect your system …Application
1009The antimalware platform restored an item from quarantine.Application
1010The antimalware platform couldn't restore an item from quarantine.Application
1011The antimalware platform deleted an item from quarantine.Application
1012The antimalware platform couldn't delete an item from quarantine.Application
1013The antimalware platform deleted history of malware and other potentially …Application
1014The antimalware platform couldn't delete history of malware and other …Application
1015The antimalware platform detected suspicious behavior.Application
1116The antimalware platform detected malware or other potentially unwanted …Application
1117The antimalware platform performed an action to protect your system from malware …Application
1118The antimalware platform attempted to perform an action to protect your system …Application
1119The antimalware platform encountered a critical error when trying to take action …Application
1120Microsoft Defender Antivirus deduced the hashes for a threat resource.Application
1121Event when an attack surface reduction rule fires in block mode.Application
1127Controlled Folder Access (CFA) blocked an untrusted process from making changes …Application
1150Antimalware platform health status report.Application
1151Endpoint Protection client health report (time in UTC)Application
2000The antimalware definitions updated successfully.Application
2001The security intelligence update failed.Application
2002The antimalware engine updated successfully.Application
2003The antimalware engine update failed.Application
2004There was a problem loading antimalware definition.Application
2005The antimalware engine failed to load because the antimalware platform is out of …Application
2006The platform update failed.Application
2007The platform will soon be out of date.Application
2010The antimalware engine used the Dynamic Signature Service to get other …Application
2011The Dynamic Signature Service deleted the out-of-date dynamic definitions.Application
2012The antimalware engine encountered an error when trying to use the Dynamic …Application
2013The Dynamic Signature Service deleted all dynamic definitions.Application
2020The antimalware engine downloaded a clean file.Application
2021The antimalware engine failed to download a clean file.Application
2030The antimalware engine was downloaded and is configured to run offline on the …Application
2031The antimalware engine was unable to download and configure an offline scan.Application
2040Antimalware support for this operating system version will soon end.Application
2041Antimalware support for this operating system has ended.Application
2042The antimalware engine no longer supports this operating system, and is no …Application
3002Real-time protection encountered an error and failed.Application
3007Real-time protection recovered from a failure.Application
5000Real-time protection is enabled.Application
5001Real-time protection is disabled.Application
5004The real-time protection configuration changed.Application
5007The antimalware platform configuration changed.Application
5008The antimalware engine encountered an error and failed.Application
5009Scanning for malware and other potentially unwanted software is enabled.Application
5010Scanning for malware and other potentially unwanted software is disabled.Application
5011Scanning for viruses is enabled.Application
5012Scanning for viruses is disabled.Application
5013Tamper protection blocked a change to Microsoft Defender Antivirus.Application
5100The antimalware platform expires soon.Application
5101The antimalware platform is expired.Application

Event ID 1 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 2 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 4 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 5 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 6 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 7 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 8 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 9 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 10 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 11 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 12 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 13 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 14 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 15 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 16 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 17 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 18 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 19 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 20 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
File_ID
USN

Event ID 21 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
File_ID
USN

Event ID 22 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
File_ID
USN

Event ID 23 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
File_ID
USN

Event ID 24 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 25 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 26 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 27 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 28 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
ServiceVersion
OsIsFreshInstall

Event ID 29 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 30 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 31 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
TrustedUSN
TrustedState
SFCState

Event ID 32 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 33 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 34 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 35 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 36 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 37 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 38 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 39 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Bytes

Event ID 40 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 41 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 42 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 43 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 44 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Command

Event ID 45 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 46 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 47 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 48 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Sha1
Sha256
MD5
ProcessID
ProcessCreationTime
ProcessPath
ThreatName
RealPath
WasExecutingWhileDetected
Action
RemediationErrorCode
DetectionTime
User
UserSid
ResourceSchema
DetectionGuid
Classification
SchemaParamAndDataDelimiter
SchemaParamList
SchemaParamDataList
DetectionSource
IsPassiveMode
SigSeq
SigSha
isCritical
ThreatTrackingId
PlatformVersion
PlatformUpdateTime
EngineVersion
EngineUpdateTime
ASSignatureVersion
ASSignatureUpdateTime
AVSignatureVersion
AVSignatureUpdateTime
BlockThreatExecSubCategory
PropertyBag
AllowThreatExpirationUTC

Event ID 49 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
RuleId
isAudit
Sha1
Sha256
MD5
FileSize
ProcessID
ProcessCreationTime
ProcessIntegrityLevel
ProcessPath
TargetPath
SigSeq
SigSha
CommandLine
DetectionTime
TargetIdentified
ParentCommandLine
InvolvedFile
InheritanceFlags
RuleType
RuleState
SessionId
UserName

Event ID 50 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
IsAudit
Uri
ProcessId
ProcessCreationTime
UserSid
ResponseCategory
IsWarn
DisplayName
IocId

Event ID 51 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
LocalIpAddressLength
LocalIpAddress
RemoteIpAddressLength
RemoteIpAddress
ProcessId
ProcessCreationTime
UserSid
ProcessName
Uri
RequestHeaders
ResponseHeaders
ConnectionType

Event ID 52 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
RuleId
State
EventTimestamp
Action
Process
ProcessId
Source
Target
SessionId

Event ID 53 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
UniqueId
TotalSourceFiles
CurrentIndexOfSourceFile
PolicyVersion
PolicyRuleId
EnforcementLevel
IsActionBypass
EventTimestamp
ActionType
Process
ProcessId
ProcessCreationTime
Source
Target
SessionId
UserSid

Event ID 54 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
StatusCode
StatusDetails

Event ID 55 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Allow
UserOverrideKey
FriendlyName
Uri
ProcessId
ProcessCreationTime
UserSid
ResponseCategory
IocId

Event ID 56 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
RuleId
RuleState
SessionId
TargetIdentified
Parent
Target
InvolvedFile
ProcessId
ProcessCreationTime

Event ID 57 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
DnsServerAddressLength
DnsServerIpAddress
QueryName
QueryType
ClassType
ProcessId
ProcessCreationTime
UserSid
ProcessName

Event ID 58 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
DnsServerAddressLength
DnsServerIpAddress
AnswerName
Ttl
RecordType
ResourceRecord
ProcessId
ProcessCreationTime
UserSid
ProcessName

Event ID 59 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
IsIncoming
SourceIpLength
SourceIp
DestinationIpLength
DestinationIp
Size
DestinationDNSName
ProcessId
ProcessCreationTime
UserSid
ProcessName
ConnectionType
IsBehindProxy

Event ID 60 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
TS_State
TS_PreviousState
TS_StartUTC
TS_ExpirationUTC
TS_ExpirationMinutesLeft
TS_StateChangeSource
TS_StateChangeReason
TS_QuotaMinutesLeft
PlatformVersion
EngineVersion

Event ID 61 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
TlsServerAddressLength
TlsServerIpAddress
TlsAlertLevel
TlsAlertDescription
ProcessId
ProcessCreationTime
UserSid
ProcessName

Event ID 62 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Timestamp
RollbackVersion

Event ID 63 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 64 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 65 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 66 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Description

Event ID 67 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
DetectionTime
TP_State
TP_Scenario
TP_ResourceType
TP_ResourceName
TP_ResourceOldState
TP_ResourceNewState
TP_IsBlocked
TP_IsUserMode
ProcessName
ProcessId
ProcessCreationTime

Event ID 68 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
FullPath
Version
FileSize
FrameworkType
Sha256
JsonModelMetadata

Event ID 69 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Version
TransportType
ServerName
CommandName
CommandArgs
UrlEndpoint
Environment
Headers

Event ID 70 —

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
ProcessName
ProcessId
ProcessCreationTime
RegKeyName
RegValueName
DisruptionMode

Event ID 1000 — An antimalware scan started.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
Scan ResourcesResources (such as files/directories/BHO) that were scanned.
UserDomain\User

Event ID 1001 — An antimalware scan finished.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
UserDomain\User
Scan TimeThe duration of a scan.

Event ID 1002 — An antimalware scan was stopped before it finished.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
UserDomain\User
Scan TimeThe duration of a scan.

Event ID 1006 — The antimalware engine found malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description. Examples: Any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC.
Status
UserDomain\User
Process NameProcess name (identified by PID)
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1007 — The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Fields

NameDescription
UserDomain\User
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Status
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1008 — The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error when taking action on malware or other potentially unwanted software.

Fields

NameDescription
UserDomain\User
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Status
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1009 — The antimalware platform restored an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus restored an item from quarantine.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1010 — The antimalware platform couldn't restore an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to restore an item from quarantine.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1011 — The antimalware platform deleted an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus deleted an item from quarantine.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1012 — The antimalware platform couldn't delete an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to delete an item from quarantine.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1013 — The antimalware platform deleted history of malware and other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus removed history of malware and other potentially unwanted software.

Fields

NameDescription
TimeThe time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For such events, we specifically call them as Action Time or Detection Time.
UserDomain\User

Event ID 1014 — The antimalware platform couldn't delete history of malware and other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to remove history of malware and other potentially unwanted software.

Fields

NameDescription
TimeThe time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For such events, we specifically call them as Action Time or Detection Time.
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 1015 — The antimalware platform detected suspicious behavior.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus detected a suspicious behavior.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
Status
UserDomain\User
Process NameProcess name (identified by PID)
Signature IDEnumeration matching severity.
Signature VersionDefinition version
Engine VersionAntimalware Engine version
Fidelity Label
Target File NameName of the file.

Event ID 1116 — The antimalware platform detected malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus detected malware or other potentially unwanted software.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1117 — The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Action StatusDescription of other actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1118 — The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered a noncritical error when taking action on malware or other potentially unwanted software.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing
Action StatusDescription of additional actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1119 — The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered a critical error when taking action on malware or other potentially unwanted software.

Fields

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Action StatusDescription of other actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1120 — Microsoft Defender Antivirus deduced the hashes for a threat resource.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields

NameDescription
Current Platform Version
Threat Resource PathPath
Hashes

Event ID 1121 — Event when an attack surface reduction rule fires in block mode.

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 1127 — Controlled Folder Access (CFA) blocked an untrusted process from making changes to the memory.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Controlled Folder Access blocked an untrusted process from potentially modifying disk sectors.

Fields

NameDescription
Product NameProduct Name. Examples: Microsoft Defender Antivirus
Product Version
Detection TimeDetection Time, time when CFA blocked an untrusted process
UserDomain\User
PathDevice name, name of the device or disk that an untrusted process accessed for modification
Process NameProcess path, the process path name that CFA blocked from accessing the device or disk for modification
Security Intelligence Version
Engine VersionAntimalware Engine version

Event ID 1150 — Antimalware platform health status report.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus client is up and running in a healthy state.

Fields

NameDescription
Platform VersionCurrent platform version
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1151 — Endpoint Protection client health report (time in UTC)

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Antivirus client health report.

Fields

NameDescription
Platform VersionCurrent platform version
Engine VersionAntimalware Engine version
Network Realtime Inspection engine version
Antivirus signature version
Antispyware signature version
Network Realtime Inspection signature version
RTP stateRealtime protection state (Enabled or Disabled)
OA stateOn Access state (Enabled or Disabled)
IOAV stateIE Downloads and Outlook Express Attachments state (Enabled or Disabled)
BM stateBehavior Monitoring state (Enabled or Disabled)
Antivirus signature ageAntivirus signature age (in days). Calculated as the time starting from the Security Intelligence Update (SIU) release date, to the current date. Before a signature is updated for the first time, it'll display an age of 65535 days.
Antispyware signature ageAntispyware signature age (in days). Timestamp reflecting the Security Intelligence Update (SIU) release date (not the local installation time). Before the timestamp is updated for the first time, its value is null.
Last quick scan ageLast quick scan age (in days)
Last full scan ageLast full scan age (in days)
Antivirus signature creation time
Antispyware signature creation time
Last quick scan start time
Last quick scan end time
Last quick scan sourceLast quick scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
Last full scan start time
Last full scan end time
Last full scan sourceLast full scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
Product statusFor internal troubleshooting

Event ID 2000 — The antimalware definitions updated successfully.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Antivirus signature version was updated.

Fields

NameDescription
Current Signature Version
Previous Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Update TypeUpdate type, either Full or Delta.
UserDomain\User
Current Engine Version
Previous Engine Version

Event ID 2001 — The security intelligence update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to update signatures.

Fields

NameDescription
New security intelligence versionNew version number
Previous security intelligence versionPrevious version
Update SourceUpdate source. Examples: Security intelligence update folder Internal security intelligence update server Microsoft Update Server File share Microsoft Malware Protection Center (MMPC)
Update StageUpdate stage. Examples: Search, Download, or Install
Source PathFile share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Update TypeUpdate type, either Full or Delta.
UserDomain\User
Current Engine Version
Previous Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2002 — The antimalware engine updated successfully.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus engine version was updated.

Fields

NameDescription
Current Engine Version
Previous Engine Version
Engine TypeEngine type, either antimalware engine or Network Inspection System engine.
UserDomain\User

Event ID 2003 — The antimalware engine update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to update the engine.

Fields

NameDescription
New Engine Version
Previous Engine Version
Engine TypeEngine type, either antimalware engine or Network Inspection System engine.
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2004 — There was a problem loading antimalware definition.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Fields

NameDescription
Signatures Attempted
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware engine version

Event ID 2005 — The antimalware engine failed to load because the antimalware platform is out of date.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus couldn't load antimalware engine because current platform version isn't supported. Microsoft Defender Antivirus reverts back to the last known-good engine and a platform update will be attempted.

Fields

NameDescription
Current Platform Version

Event ID 2006 — The platform update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to update the platform.

Fields

NameDescription
Current Platform Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2007 — The platform will soon be out of date.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.

Fields

NameDescription
Current Platform Version

Event ID 2010 — The antimalware engine used the Dynamic Signature Service to get other definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus used Dynamic Signature Service to retrieve more signatures to help protect your machine.

Fields

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2011 — The Dynamic Signature Service deleted the out-of-date dynamic definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.

Fields

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Removal Reason
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2012 — The antimalware engine encountered an error when trying to use the Dynamic Signature Service.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to use Dynamic Signature Service.

Fields

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2013 — The Dynamic Signature Service deleted all dynamic definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.

Fields

NameDescription
Current Signature Version

Event ID 2020 — The antimalware engine downloaded a clean file.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus downloaded a clean file.

Fields

NameDescription
FilenameName of the file.
Current Signature Version
Current Engine Version

Event ID 2021 — The antimalware engine failed to download a clean file.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to download a clean file.

Fields

NameDescription
FilenameName of the file.
Current Signature Version
Current Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2030 — The antimalware engine was downloaded and is configured to run offline on the next system restart.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

Event ID 2031 — The antimalware engine was unable to download and configure an offline scan.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus encountered an error trying to download and configure offline antivirus.

Fields

NameDescription
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2040 — Antimalware support for this operating system version will soon end.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

The support for your operating system expires shortly. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Event ID 2041 — Antimalware support for this operating system has ended.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Event ID 2042 — The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and isn't protecting against malware threats.

Event ID 3002 — Real-time protection encountered an error and failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus Real-Time Protection feature encountered an error and failed.

Fields

NameDescription
FeatureFeature. Examples: On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, or Network Inspection System.
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
ReasonThe reason Microsoft Defender Antivirus real-time protection restarted a feature.

Event ID 3007 — Real-time protection recovered from a failure.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus Real-time Protection restarted a feature. It's recommended that you run a full system scan to detect any items that might have been missed while this agent was down.

Fields

NameDescription
FeatureFeature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System
ReasonThe reason Microsoft Defender Antivirus real-time protection restarted a feature.

Event ID 5000 — Real-time protection is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.

Event ID 5001 — Real-time protection is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.

Event ID 5004 — The real-time protection configuration changed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus real-time protection feature configuration changed.

Fields

NameDescription
FeatureFeature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System

Event ID 5007 — The antimalware platform configuration changed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus configuration changed. If this event is unexpected, you should review the settings as the event might be the result of malware.

Fields

NameDescription
Old valueOld antivirus configuration value.
New valueNew antivirus configuration value.

Event ID 5008 — The antimalware engine encountered an error and failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus engine was terminated due to an unexpected error.

Fields

NameDescription
Failure TypeFailure type. Examples: Crash or Hang
Exception CodeError code
Resource

Event ID 5009 — Scanning for malware and other potentially unwanted software is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus enabled scanning for malware and other potentially unwanted software.

Event ID 5010 — Scanning for malware and other potentially unwanted software is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.

Event ID 5011 — Scanning for viruses is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus enabled scanning for viruses.

Event ID 5012 — Scanning for viruses is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus scanning for viruses is disabled.

Event ID 5013 — Tamper protection blocked a change to Microsoft Defender Antivirus.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

If Tamper protection is enabled then any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.

Event ID 5100 — The antimalware platform expires soon.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

Fields

NameDescription
Expiration ReasonThe reason Microsoft Defender Antivirus expires.
Expiration DateThe date Microsoft Defender Antivirus expires.

Event ID 5101 — The antimalware platform is expired.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message

Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

Fields

NameDescription
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.