detection.wiki

Microsoft-Antimalware-Service

124 events across 1 channel

Event IDTitleChannel
1Application
2Application
4Application
5Application
6Application
7Application
8Application
9Application
10Application
11Application
12Application
13Application
14Application
15Application
16Application
17Application
18Application
19Application
20Application
21Application
22Application
23Application
24Application
25Application
26Application
27Application
28Application
29Application
30Application
31Application
32Application
33Application
34Application
35Application
36Application
37Application
38Application
39Application
40Application
41Application
42Application
43Application
44Application
45Application
46Application
47Application
48Application
49Application
50Application
51Application
52Application
53Application
54Application
55Application
56Application
57Application
58Application
59Application
60Application
61Application
62Application
63Application
64Application
65Application
66Application
67Application
68Application
69Application
70Application
1000An antimalware scan started.Application
1001An antimalware scan finished.Application
1002An antimalware scan was stopped before it finished.Application
1006The antimalware engine found malware or other potentially unwanted software.Application
1007The antimalware platform performed an action to protect your system from malware …Application
1008The antimalware platform attempted to perform an action to protect your system …Application
1009The antimalware platform restored an item from quarantine.Application
1010The antimalware platform couldn't restore an item from quarantine.Application
1011The antimalware platform deleted an item from quarantine.Application
1012The antimalware platform couldn't delete an item from quarantine.Application
1013The antimalware platform deleted history of malware and other potentially …Application
1014The antimalware platform couldn't delete history of malware and other …Application
1015The antimalware platform detected suspicious behavior.Application
1116The antimalware platform detected malware or other potentially unwanted …Application
1117The antimalware platform performed an action to protect your system from malware …Application
1118The antimalware platform attempted to perform an action to protect your system …Application
1119The antimalware platform encountered a critical error when trying to take action …Application
1120Microsoft Defender Antivirus deduced the hashes for a threat resource.Application
1121Event when an attack surface reduction rule fires in block mode.Application
1127Controlled Folder Access (CFA) blocked an untrusted process from making changes …Application
1150Antimalware platform health status report.Application
1151Endpoint Protection client health report (time in UTC)Application
2000The antimalware definitions updated successfully.Application
2001The security intelligence update failed.Application
2002The antimalware engine updated successfully.Application
2003The antimalware engine update failed.Application
2004There was a problem loading antimalware definition.Application
2005The antimalware engine failed to load because the antimalware platform is out of …Application
2006The platform update failed.Application
2007The platform will soon be out of date.Application
2010The antimalware engine used the Dynamic Signature Service to get other …Application
2011The Dynamic Signature Service deleted the out-of-date dynamic definitions.Application
2012The antimalware engine encountered an error when trying to use the Dynamic …Application
2013The Dynamic Signature Service deleted all dynamic definitions.Application
2020The antimalware engine downloaded a clean file.Application
2021The antimalware engine failed to download a clean file.Application
2030The antimalware engine was downloaded and is configured to run offline on the …Application
2031The antimalware engine was unable to download and configure an offline scan.Application
2040Antimalware support for this operating system version will soon end.Application
2041Antimalware support for this operating system has ended.Application
2042The antimalware engine no longer supports this operating system, and is no …Application
3002Real-time protection encountered an error and failed.Application
3007Real-time protection recovered from a failure.Application
5000Real-time protection is enabled.Application
5001Real-time protection is disabled.Application
5004The real-time protection configuration changed.Application
5007The antimalware platform configuration changed.Application
5008The antimalware engine encountered an error and failed.Application
5009Scanning for malware and other potentially unwanted software is enabled.Application
5010Scanning for malware and other potentially unwanted software is disabled.Application
5011Scanning for viruses is enabled.Application
5012Scanning for viruses is disabled.Application
5013Tamper protection blocked a change to Microsoft Defender Antivirus.Application
5100The antimalware platform expires soon.Application
5101The antimalware platform is expired.Application

Event ID 1 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceOnDemandScan
Opcode
Start

Fields #

NameDescription
Description UnicodeString

Event ID 2 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceOnDemandScan
Opcode
Stop

Event ID 4 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceCacheBuild
Opcode
Start

Event ID 5 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceCacheBuild
Opcode
Stop

Event ID 6 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceLoadEngine
Opcode
Start

Event ID 7 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceLoadEngine
Opcode
Stop

Event ID 8 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceReloadEngine
Opcode
Start

Event ID 9 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceReloadEngine
Opcode
Stop

Event ID 10 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceSync
Opcode
Start

Event ID 11 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceSync
Opcode
Stop

Event ID 12 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceAsync
Opcode
Start

Event ID 13 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceAsync
Opcode
Stop

Event ID 14 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceShutdown

Event ID 15 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceProcessScan
Opcode
Start

Event ID 16 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceProcessScan
Opcode
Stop

Event ID 17 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
EngineTask

Fields #

NameDescription
Description UnicodeString

Event ID 18 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceTask

Fields #

NameDescription
Description UnicodeString

Event ID 19 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceClean

Fields #

NameDescription
Description UnicodeString

Event ID 20 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MOAC_CacheHit

Fields #

NameDescription
File_ID UInt64
USN UInt64

Event ID 21 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MOAC_CacheMiss

Fields #

NameDescription
File_ID UInt64
USN UInt64

Event ID 22 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MOAC_CacheAdd

Fields #

NameDescription
File_ID UInt64
USN UInt64

Event ID 23 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MOAC_CacheDelete

Fields #

NameDescription
File_ID UInt64
USN UInt64

Event ID 24 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MOAC_CacheFlush

Event ID 25 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceRoutineCleanup

Event ID 26 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceRoutineVerification

Event ID 27 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceRoutineCacheMaintenance

Event ID 28 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceVersion

Fields #

NameDescription
ServiceVersion UnicodeString
OsIsFreshInstall Boolean

Event ID 29 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceEngineUpdate
Opcode
Start

Event ID 30 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
ServiceEngineUpdate
Opcode
Stop

Event ID 31 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
CacheState

Fields #

NameDescription
TrustedUSN UInt64
TrustedState UInt64
SFCState UInt64

Event ID 32 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
SFCBuild
Opcode
Start

Event ID 33 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
SFCBuild
Opcode
Stop

Event ID 34 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_EventSpynetRequired

Event ID 35 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_EventCloudRequest

Event ID 36 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_EventSendTelemetry

Event ID 37 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_MpCmdRunStart

Event ID 38 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_GenerateReportStart

Event ID 39 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_GenerateReportComplete

Fields #

NameDescription
Bytes UInt32

Event ID 40 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_HandleResponseStart

Event ID 41 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_HandleResponseComplete

Event ID 42 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_SendReportStart

Event ID 43 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_SendReportComplete

Event ID 44 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
MpCmdRun_CreateProcess

Fields #

NameDescription
Command UnicodeString

Event ID 45 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_MpCmdRunCreateTimer

Event ID 46 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Spynet_MpCmdRunTimerTrigger

Event ID 47 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
IOAVScanTriggered
Opcode
Start

Event ID 48 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_RemediationInfoThreat

Fields #

NameDescription
Sha1 UnicodeString
Sha256 UnicodeString
MD5 UnicodeString
ProcessID UInt32
ProcessCreationTime UInt64
ProcessPath UnicodeString
ThreatName UnicodeString
RealPath UnicodeString
WasExecutingWhileDetected Boolean
Action UInt32
RemediationErrorCode HexInt32
DetectionTime UInt64
User UnicodeString
UserSid UnicodeString
ResourceSchema UnicodeString
DetectionGuid UnicodeString
Classification HexInt32
SchemaParamAndDataDelimiter UnicodeString
SchemaParamList UnicodeString
SchemaParamDataList UnicodeString
DetectionSource HexInt32
IsPassiveMode Boolean
SigSeq HexInt64
SigSha UnicodeString
isCritical Boolean
ThreatTrackingId UnicodeString
PlatformVersion UnicodeString
PlatformUpdateTime UInt64
EngineVersion UnicodeString
EngineUpdateTime UInt64
ASSignatureVersion UnicodeString
ASSignatureUpdateTime UInt64
AVSignatureVersion UnicodeString
AVSignatureUpdateTime UInt64
BlockThreatExecSubCategory UInt32
PropertyBag UnicodeString
AllowThreatExpirationUTC UInt64

Event ID 49 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_HipsFGInfo

Fields #

NameDescription
RuleId UnicodeString
isAudit Boolean
Sha1 UnicodeString
Sha256 UnicodeString
MD5 UnicodeString
FileSize UInt64
ProcessID UInt32
ProcessCreationTime UInt64
ProcessIntegrityLevel UInt32
ProcessPath UnicodeString
TargetPath UnicodeString
SigSeq UInt64
SigSha UnicodeString
CommandLine UnicodeString
DetectionTime UInt64
TargetIdentified Boolean
ParentCommandLine UnicodeString
InvolvedFile UnicodeString
InheritanceFlags UInt32
RuleType UInt32
RuleState UInt32
SessionId UInt32
UserName UnicodeString

Event ID 50 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterLookup

Fields #

NameDescription
IsAudit Boolean
Uri UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ResponseCategory UnicodeString
IsWarn Boolean
DisplayName UnicodeString
IocId UnicodeString

Event ID 51 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterConnectionInfo

Fields #

NameDescription
LocalIpAddressLength UInt32
LocalIpAddress Binary
RemoteIpAddressLength UInt32
RemoteIpAddress Binary
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ProcessName UnicodeString
Uri UnicodeString
RequestHeaders UnicodeString
ResponseHeaders UnicodeString
ConnectionType UnicodeString

Event ID 52 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_DlpInfo

Fields #

NameDescription
RuleId UnicodeString
State UInt32
EventTimestamp UInt64
Action UnicodeString
Process UnicodeString
ProcessId UInt32
Source UnicodeString
Target UnicodeString
SessionId UInt32

Event ID 53 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_DlpEventInfo

Fields #

NameDescription
UniqueId UInt64
TotalSourceFiles UInt32
CurrentIndexOfSourceFile UInt32
PolicyVersion UnicodeString
PolicyRuleId UnicodeString
EnforcementLevel UInt32
IsActionBypass Boolean
EventTimestamp UInt64
ActionType UnicodeString
Process UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
Source UnicodeString
Target UnicodeString
SessionId UInt32
UserSid SID

Event ID 54 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_DlpStatusInfo

Fields #

NameDescription
StatusCode UInt32
StatusDetails UnicodeString

Event ID 55 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterBreakTheGlass

Fields #

NameDescription
Allow Boolean
UserOverrideKey UnicodeString
FriendlyName UnicodeString
Uri UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ResponseCategory UnicodeString
IocId UnicodeString

Event ID 56 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_HipsAsrUserExclusionInfo

Fields #

NameDescription
RuleId UnicodeString
RuleState UInt32
SessionId UInt32
TargetIdentified Boolean
Parent UnicodeString
Target UnicodeString
InvolvedFile UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64

Event ID 57 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterDnsQuestion

Fields #

NameDescription
DnsServerAddressLength UInt32
DnsServerIpAddress Binary
QueryName UnicodeString
QueryType UInt32
ClassType UInt32
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ProcessName UnicodeString

Event ID 58 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterDnsAnswer

Fields #

NameDescription
DnsServerAddressLength UInt32
DnsServerIpAddress Binary
AnswerName UnicodeString
Ttl UInt64
RecordType UnicodeString
ResourceRecord UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ProcessName UnicodeString

Event ID 59 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterVolumeNotification

Fields #

NameDescription
IsIncoming Boolean
SourceIpLength UInt32
SourceIp Binary
DestinationIpLength UInt32
DestinationIp Binary
Size UInt64
DestinationDNSName UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ProcessName UnicodeString
ConnectionType UnicodeString
IsBehindProxy Boolean

Event ID 60 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_TroubleshootingModeNotification

Fields #

NameDescription
TS_State UInt32
TS_PreviousState UInt32
TS_StartUTC UInt64
TS_ExpirationUTC UInt64
TS_ExpirationMinutesLeft UInt32
TS_StateChangeSource UInt32
TS_StateChangeReason UInt32
TS_QuotaMinutesLeft UInt32
PlatformVersion UnicodeString
EngineVersion UnicodeString

Event ID 61 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_NetworkFilterTlsAlert

Fields #

NameDescription
TlsServerAddressLength UInt32
TlsServerIpAddress Binary
TlsAlertLevel UInt8
TlsAlertDescription UInt8
ProcessId UInt32
ProcessCreationTime UInt64
UserSid UnicodeString
ProcessName UnicodeString

Event ID 62 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
RbM_RollbackComplete

Fields #

NameDescription
Timestamp UInt64
RollbackVersion UnicodeString

Event ID 63 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
StartRundownTask
Opcode
Start

Fields #

NameDescription
Description UnicodeString

Event ID 64 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
StartRundownTask
Opcode
Stop

Fields #

NameDescription
Description UnicodeString

Event ID 65 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
EndRundownTask
Opcode
Start

Fields #

NameDescription
Description UnicodeString

Event ID 66 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
EndRundownTask
Opcode
Stop

Fields #

NameDescription
Description UnicodeString

Event ID 67 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_TamperProtectionNotification

Fields #

NameDescription
DetectionTime UInt64
TP_State UnicodeString
TP_Scenario UnicodeString
TP_ResourceType UnicodeString
TP_ResourceName UnicodeString
TP_ResourceOldState UnicodeString
TP_ResourceNewState UnicodeString
TP_IsBlocked UInt32
TP_IsUserMode UInt32
ProcessName UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64

Event ID 68 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_AiRuntimeModelEvent

Fields #

NameDescription
FullPath UnicodeString
Version UInt32
FileSize UInt64
FrameworkType UnicodeString
Sha256 UnicodeString
JsonModelMetadata UnicodeString

Event ID 69 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_AiRuntimeMcpEvent

Fields #

NameDescription
Version UInt32
TransportType UnicodeString
ServerName UnicodeString
CommandName UnicodeString
CommandArgs UnicodeString
UrlEndpoint UnicodeString
Environment UnicodeString
Headers UnicodeString

Event ID 70 —

Provider
Microsoft-Antimalware-Service
Channel
Application
Task
Sense_DisruptionExclusionsHardeningEvent

Fields #

NameDescription
ProcessName UnicodeString
ProcessId UInt32
ProcessCreationTime UInt64
RegKeyName UnicodeString
RegValueName UnicodeString
DisruptionMode UInt64

Event ID 1000 — An antimalware scan started.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields #

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
Scan ResourcesResources (such as files/directories/BHO) that were scanned.
UserDomain\User

Event ID 1001 — An antimalware scan finished.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields #

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
UserDomain\User
Scan TimeThe duration of a scan.

Event ID 1002 — An antimalware scan was stopped before it finished.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields #

NameDescription
Scan IDID number of the relevant scan.
Scan TypeScan type. Examples: Antivirus, Antispyware, or Antimalware
Scan ParametersScan parameters. Examples: Full scan, Quick scan, or Custom scan
UserDomain\User
Scan TimeThe duration of a scan.

Event ID 1006 — The antimalware engine found malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description. Examples: Any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC.
StatusNTSTATUS reference
UserDomain\User
Process NameProcess name (identified by PID)
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1007 — The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Fields #

NameDescription
UserDomain\User
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
StatusNTSTATUS reference
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1008 — The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error when taking action on malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus encountered an error when taking action on malware or other potentially unwanted software.

Fields #

NameDescription
UserDomain\User
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
StatusNTSTATUS reference
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1009 — The antimalware platform restored an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus restored an item from quarantine.

Message #

Microsoft Defender Antivirus restored an item from quarantine.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1010 — The antimalware platform couldn't restore an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to restore an item from quarantine.

Message #

Microsoft Defender Antivirus encountered an error trying to restore an item from quarantine.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1011 — The antimalware platform deleted an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus deleted an item from quarantine.

Message #

Microsoft Defender Antivirus deleted an item from quarantine.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1012 — The antimalware platform couldn't delete an item from quarantine.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to delete an item from quarantine.

Message #

Microsoft Defender Antivirus encountered an error trying to delete an item from quarantine.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1013 — The antimalware platform deleted history of malware and other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus removed history of malware and other potentially unwanted software.

Message #

Microsoft Defender Antivirus removed history of malware and other potentially unwanted software.

Fields #

NameDescription
TimeThe time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For such events, we specifically call them as Action Time or Detection Time.
UserDomain\User

Event ID 1014 — The antimalware platform couldn't delete history of malware and other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to remove history of malware and other potentially unwanted software.

Message #

Microsoft Defender Antivirus encountered an error trying to remove history of malware and other potentially unwanted software.

Fields #

NameDescription
TimeThe time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For such events, we specifically call them as Action Time or Detection Time.
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 1015 — The antimalware platform detected suspicious behavior.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus detected a suspicious behavior.

Message #

Microsoft Defender Antivirus detected a suspicious behavior.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This source includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
StatusNTSTATUS reference
UserDomain\User
Process NameProcess name (identified by PID)
Signature IDEnumeration matching severity.
Signature VersionDefinition version
Engine VersionAntimalware Engine version
Fidelity Label
Target File NameName of the file.

Event ID 1116 — The antimalware platform detected malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus detected malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus detected malware or other potentially unwanted software.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1117 — The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus took action to protect this machine from malware or other potentially unwanted software.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this source protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Action StatusDescription of other actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1118 — The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered a noncritical error when taking action on malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus encountered a noncritical error when taking action on malware or other potentially unwanted software.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence. Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned. Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing
Action StatusDescription of additional actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1119 — The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered a critical error when taking action on malware or other potentially unwanted software.

Message #

Microsoft Defender Antivirus encountered a critical error when taking action on malware or other potentially unwanted software.

Fields #

NameDescription
NameThreat name
IDThreat ID
SeveritySeverity. Examples: Low, Moderate, High, or Severe
CategoryCategory description, for example, any threat or malware type.
PathFile path
Detection OriginDetection origin. Examples: Unknown, Local computer, Network share, Internet, Incoming traffic, or Outgoing traffic
Detection TypeDetection type. Examples: Heuristics, Generic, Concrete, or Dynamic signature
Detection SourceDetection source for example: User: user initiated System: system initiated Real-time: real-time component initiated IOAV: IE Downloads and Outlook Express Attachments initiated NIS: Network inspection system IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls. Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence Remote attestation Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well. UAC
UserDomain\User
Process NameProcess name (identified by PID)
ActionAction. Examples: Clean: The resource was cleaned Quarantine: The resource was quarantined. Remove: The resource was deleted. Allow: The resource was allowed to execute/exist. User defined: User-defined action that's typically from this list of actions specified by the user. No action: No action Block: The resource was blocked from executing.
Action StatusDescription of other actions
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1120 — Microsoft Defender Antivirus deduced the hashes for a threat resource.

Provider
Microsoft-Antimalware-Service
Channel
Application

Fields #

NameDescription
Current Platform Version
Threat Resource PathPath
Hashes

Event ID 1121 — Event when an attack surface reduction rule fires in block mode.

Provider
Microsoft-Antimalware-Service
Channel
Application

Event ID 1127 — Controlled Folder Access (CFA) blocked an untrusted process from making changes to the memory.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Controlled Folder Access blocked an untrusted process from potentially modifying disk sectors.

Message #

Controlled Folder Access blocked an untrusted process from potentially modifying disk sectors.

Fields #

NameDescription
Product NameProduct Name. Examples: Microsoft Defender Antivirus
Product Version
Detection TimeDetection Time, time when CFA blocked an untrusted process
UserDomain\User
PathDevice name, name of the device or disk that an untrusted process accessed for modification
Process NameProcess path, the process path name that CFA blocked from accessing the device or disk for modification
Security Intelligence Version
Engine VersionAntimalware Engine version

Event ID 1150 — Antimalware platform health status report.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus client is up and running in a healthy state.

Message #

Microsoft Defender Antivirus client is up and running in a healthy state.

Fields #

NameDescription
Platform VersionCurrent platform version
Signature VersionDefinition version
Engine VersionAntimalware Engine version

Event ID 1151 — Endpoint Protection client health report (time in UTC)

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Antivirus client health report.

Message #

Antivirus client health report.

Fields #

NameDescription
Platform VersionCurrent platform version
Engine VersionAntimalware Engine version
Network Realtime Inspection engine version
Antivirus signature version
Antispyware signature version
Network Realtime Inspection signature version
RTP stateRealtime protection state (Enabled or Disabled)
OA stateOn Access state (Enabled or Disabled)
IOAV stateIE Downloads and Outlook Express Attachments state (Enabled or Disabled)
BM stateBehavior Monitoring state (Enabled or Disabled)
Antivirus signature ageAntivirus signature age (in days). Calculated as the time starting from the Security Intelligence Update (SIU) release date, to the current date. Before a signature is updated for the first time, it'll display an age of 65535 days.
Antispyware signature ageAntispyware signature age (in days). Timestamp reflecting the Security Intelligence Update (SIU) release date (not the local installation time). Before the timestamp is updated for the first time, its value is null.
Last quick scan ageLast quick scan age (in days)
Last full scan ageLast full scan age (in days)
Antivirus signature creation time
Antispyware signature creation time
Last quick scan start time
Last quick scan end time
Last quick scan sourceLast quick scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
Last full scan start time
Last full scan end time
Last full scan sourceLast full scan source (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
Product statusFor internal troubleshooting

Event ID 2000 — The antimalware definitions updated successfully.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Antivirus signature version was updated.

Message #

Antivirus signature version was updated.

Fields #

NameDescription
Current Signature Version
Previous Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Update TypeUpdate type, either Full or Delta.
UserDomain\User
Current Engine Version
Previous Engine Version

Event ID 2001 — The security intelligence update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to update signatures.

Message #

Microsoft Defender Antivirus encountered an error trying to update signatures.

Fields #

NameDescription
New security intelligence versionNew version number
Previous security intelligence versionPrevious version
Update SourceUpdate source. Examples: Security intelligence update folder Internal security intelligence update server Microsoft Update Server File share Microsoft Malware Protection Center (MMPC)
Update StageUpdate stage. Examples: Search, Download, or Install
Source PathFile share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Update TypeUpdate type, either Full or Delta.
UserDomain\User
Current Engine Version
Previous Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2002 — The antimalware engine updated successfully.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus engine version was updated.

Message #

Microsoft Defender Antivirus engine version was updated.

Fields #

NameDescription
Current Engine Version
Previous Engine Version
Engine TypeEngine type, either antimalware engine or Network Inspection System engine.
UserDomain\User

Event ID 2003 — The antimalware engine update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to update the engine.

Message #

Microsoft Defender Antivirus encountered an error trying to update the engine.

Fields #

NameDescription
New Engine Version
Previous Engine Version
Engine TypeEngine type, either antimalware engine or Network Inspection System engine.
UserDomain\User
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2004 — There was a problem loading antimalware definition.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Message #

Microsoft Defender Antivirus encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Fields #

NameDescription
Signatures Attempted
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Signature VersionDefinition version
Engine VersionAntimalware engine version

Event ID 2005 — The antimalware engine failed to load because the antimalware platform is out of date.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message #

Microsoft Defender Antivirus couldn't load antimalware engine because current platform version isn't supported. Microsoft Defender Antivirus reverts back to the last known-good engine and a platform update will be attempted.

Fields #

NameDescription
Current Platform Version

Event ID 2006 — The platform update failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to update the platform.

Message #

Microsoft Defender Antivirus encountered an error trying to update the platform.

Fields #

NameDescription
Current Platform Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2007 — The platform will soon be out of date.

Provider
Microsoft-Antimalware-Service
Channel
Application

Message #

Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.

Fields #

NameDescription
Current Platform Version

Event ID 2010 — The antimalware engine used the Dynamic Signature Service to get other definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus used Dynamic Signature Service to retrieve more signatures to help protect your machine.

Message #

Microsoft Defender Antivirus used Dynamic Signature Service to retrieve more signatures to help protect your machine.

Fields #

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2011 — The Dynamic Signature Service deleted the out-of-date dynamic definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.

Message #

Microsoft Defender Antivirus used Dynamic Signature Service to discard obsolete signatures.

Fields #

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Removal Reason
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2012 — The antimalware engine encountered an error when trying to use the Dynamic Signature Service.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to use Dynamic Signature Service.

Message #

Microsoft Defender Antivirus encountered an error trying to use Dynamic Signature Service.

Fields #

NameDescription
Current Signature Version
Signature TypeSignature type. Examples: Antivirus, Antispyware, Antimalware, or Network Inspection System
Current Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
Dynamic Signature TypeDynamic signature type. Examples: Version, Timestamp, No limit, or Duration
Persistence PathPath
Dynamic Signature VersionVersion number
Dynamic Signature Compilation TimestampTimestamp
Persistence Limit TypePersistence limit type. Examples: VDM version, Timestamp, or No limit
Persistence LimitPersistence limit of the fastpath signature.

Event ID 2013 — The Dynamic Signature Service deleted all dynamic definitions.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.

Message #

Microsoft Defender Antivirus discarded all Dynamic Signature Service signatures.

Fields #

NameDescription
Current Signature Version

Event ID 2020 — The antimalware engine downloaded a clean file.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus downloaded a clean file.

Message #

Microsoft Defender Antivirus downloaded a clean file.

Fields #

NameDescription
FilenameName of the file.
Current Signature Version
Current Engine Version

Event ID 2021 — The antimalware engine failed to download a clean file.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to download a clean file.

Message #

Microsoft Defender Antivirus encountered an error trying to download a clean file.

Fields #

NameDescription
FilenameName of the file.
Current Signature Version
Current Engine Version
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2030 — The antimalware engine was downloaded and is configured to run offline on the next system restart.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

Message #

Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.

Event ID 2031 — The antimalware engine was unable to download and configure an offline scan.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus encountered an error trying to download and configure offline antivirus.

Message #

Microsoft Defender Antivirus encountered an error trying to download and configure offline antivirus.

Fields #

NameDescription
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.

Event ID 2040 — Antimalware support for this operating system version will soon end.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

The support for your operating system expires shortly. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Message #

The support for your operating system expires shortly. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Event ID 2041 — Antimalware support for this operating system has ended.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Message #

The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.

Event ID 2042 — The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and isn't protecting against malware threats.

Message #

The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and isn't protecting against malware threats.

Event ID 3002 — Real-time protection encountered an error and failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus Real-Time Protection feature encountered an error and failed.

Message #

Microsoft Defender Antivirus Real-Time Protection feature encountered an error and failed.

Fields #

NameDescription
FeatureFeature. Examples: On Access, Internet Explorer downloads and Microsoft Outlook Express attachments, Behavior monitoring, or Network Inspection System.
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.
ReasonThe reason Microsoft Defender Antivirus real-time protection restarted a feature.

Event ID 3007 — Real-time protection recovered from a failure.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus Real-time Protection restarted a feature. It's recommended that you run a full system scan to detect any items that might have been missed while this agent was down.

Message #

Microsoft Defender Antivirus Real-time Protection restarted a feature. It's recommended that you run a full system scan to detect any items that might have been missed while this agent was down.

Fields #

NameDescription
FeatureFeature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System
ReasonThe reason Microsoft Defender Antivirus real-time protection restarted a feature.

Event ID 5000 — Real-time protection is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.

Message #

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.

Event ID 5001 — Real-time protection is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.

Message #

Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.

Event ID 5004 — The real-time protection configuration changed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus real-time protection feature configuration changed.

Message #

Microsoft Defender Antivirus real-time protection feature configuration changed.

Fields #

NameDescription
FeatureFeature. Examples: On Access, IE downloads and Outlook Express attachments, Behavior monitoring, or Network Inspection System

Event ID 5007 — The antimalware platform configuration changed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus configuration changed. If this event is unexpected, you should review the settings as the event might be the result of malware.

Message #

Microsoft Defender Antivirus configuration changed. If this event is unexpected, you should review the settings as the event might be the result of malware.

Fields #

NameDescription
Old valueOld antivirus configuration value.
New valueNew antivirus configuration value.

Event ID 5008 — The antimalware engine encountered an error and failed.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus engine was terminated due to an unexpected error.

Message #

Microsoft Defender Antivirus engine was terminated due to an unexpected error.

Fields #

NameDescription
Failure TypeFailure type. Examples: Crash or Hang
Exception CodeError code
Resource

Event ID 5009 — Scanning for malware and other potentially unwanted software is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus enabled scanning for malware and other potentially unwanted software.

Message #

Microsoft Defender Antivirus enabled scanning for malware and other potentially unwanted software.

Event ID 5010 — Scanning for malware and other potentially unwanted software is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.

Message #

Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.

Event ID 5011 — Scanning for viruses is enabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus enabled scanning for viruses.

Message #

Microsoft Defender Antivirus enabled scanning for viruses.

Event ID 5012 — Scanning for viruses is disabled.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus scanning for viruses is disabled.

Message #

Microsoft Defender Antivirus scanning for viruses is disabled.

Event ID 5013 — Tamper protection blocked a change to Microsoft Defender Antivirus.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

If Tamper protection is enabled then any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.

Message #

If Tamper protection is enabled then any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.

Event ID 5100 — The antimalware platform expires soon.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

Message #

Microsoft Defender Antivirus entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.

Fields #

NameDescription
Expiration ReasonThe reason Microsoft Defender Antivirus expires.
Expiration DateThe date Microsoft Defender Antivirus expires.

Event ID 5101 — The antimalware platform is expired.

Provider
Microsoft-Antimalware-Service
Channel
Application

Description

Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

Message #

Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.

Fields #

NameDescription
Error CodeResult code associated with threat status. Standard HRESULT values.
Error DescriptionDescription of the error.