Appendix 7. Application events in the Kaspersky Security Center event log
Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the completion of each scan task, update task and integrity check task, and the overall operation of the application is recorded in the Kaspersky Security Center event log.
Kaspersky Endpoint Security generates events of the following types: general events and specific events. Specific events are created only by Kaspersky Endpoint Security for Windows. Specific events have a simple ID, such as 000000cb. Specific events contain the following required parameters:
GNRL_EA_DESCRIPTION is the content of the event.
GNRL_EA_ID is the service ID of the event.
GNRL_EA_SEVERITY is the status of the event: 1 – Informational message, 2 – Warning, 3 – Functional failure, 4 – Critical.
EVENT_TYPE_DISPLAY_NAME is the title of the event.
TASK_DISPLAY_NAME is the name of the application component that initiated the event.
General events can be created by Kaspersky Endpoint Security for Windows as well as other Kaspersky applications (for example, Kaspersky Security for Windows Server). General events have a more complex ID, such as GNRL_EV_VIRUS_FOUND. In addition to required settings, general events contain advanced settings.
List of specific events of Kaspersky Endpoint Security for Windows
Event ID | | Description | Enabled by default |
---|---|---|---|
| Internal task error. | – | |
| License has almost expired. | – | |
| License expires soon. | ||
| Wipe task statistics. | ||
| Databases are missing or corrupted. | – | |
| Databases are extremely out of date. | ||
| Databases are out of date. | ||
| Application autorun is disabled. | ||
| Automatic updates are disabled. | ||
| Self-Defense is disabled. | ||
| Task cannot be performed. | ||
| The operation with application resources is blocked by Self-Defense. | ||
| Protection components are disabled. | ||
| Computer is running in safe mode. | – | |
| There are unprocessed files. | ||
| Report cleared. | ||
| Application settings changed. | ||
| Group policy applied. | ||
| Group policy disabled. | ||
| Task started. | ||
| Task stopped. | ||
| Task completed. | ||
| Computer restart required. | ||
| The license allows the use of components that have not been installed. | ||
| All application components that are defined by the license have been installed and run in normal mode. | – | |
| Incorrect reserve key. | ||
| Active threat detected. Advanced Disinfection must be started. | ||
| Advanced Disinfection started. | ||
| Advanced Disinfection completed. | ||
| Subscription settings have changed. | ||
| Subscription has been renewed. | ||
| Subscription expires soon. | ||
| Processing of some OS functions is disabled. | ||
| A backup copy of the object was created. | ||
| Cannot create a backup copy. | ||
| Cannot be deleted. | ||
| Object not processed. | ||
| Processing error. | ||
| Object encrypted. | – | |
| Object corrupted. | – | |
| Object will be deleted on restart. | ||
| Object will be disinfected on restart. | ||
| Overwritten by a copy that was disinfected earlier. | – | |
| Object renamed. | ||
| Information about detected object. | ||
| Object restored from Backup. | ||
| Cannot restore object from Backup. | ||
| Object is on the Private KSN allowlist. | ||
| Not enough space in Quarantine storage. | ||
| Quarantine storage is almost out of space. | ||
| Object restored from Quarantine. | ||
| Object not restored from Quarantine. | ||
| Object deleted from Quarantine. | ||
| Object not deleted from Quarantine. | ||
| Link is on the Private KSN allowlist. | ||
| Application placed in the trusted group. | ||
| Application placed in restricted group. | ||
| Host Intrusion Prevention was triggered. | ||
| Process terminated. | ||
| Cannot terminate the process. | – | |
| Rollback completed. | ||
| File restored. | ||
| Registry value restored. | ||
| Registry value deleted. | – | |
| Error in task settings. Task settings not applied. | ||
| Task settings applied successfully. | ||
| Prohibited process was started before Kaspersky Endpoint Security for Windows was started. | ||
| Undesirable content was accessed after a warning. | – | |
| Allowed page opened. | – | |
| Operation with the device allowed. | – | |
| Temporary access to device activated. | ||
| Network connection blocked. | ||
| Started applying file encryption/decryption rules. | ||
| Finished applying file encryption/decryption rules. | ||
| Error applying file encryption/decryption rules. | ||
| Error creating encrypted package. | ||
| Error enabling portable mode. | ||
| Error disabling portable mode. | ||
| Error updating component. | ||
| Error distributing component updates. | – | |
| Network update error. | – | |
| Operation canceled by the user. | ||
| Cannot start two tasks at the same time. | ||
| Error verifying application databases and modules. | ||
| Error in interaction with Kaspersky Security Center. | ||
| No available updates. | – | |
| Not all components were updated. | ||
| Update distribution completed successfully. | – | |
| Update completed successfully, update distribution failed. | – | |
| Error encrypting/decrypting device. | ||
| User has opted out of the encryption policy. | ||
| Encryption module loaded. | – | |
| Failed to load encryption module. | ||
| Policy cannot be applied. | ||
| New Authentication Agent account created. | – | |
| Authentication Agent account deleted. | – | |
| Authentication Agent account password changed. | – | |
| Successful Authentication Agent login. | – | |
| Failed Authentication Agent login attempt. | – | |
| Account not added. This account already exists. | – | |
| Account not modified. This account does not exist. | – | |
| Account not deleted. This account does not exist. | – | |
| The task for managing Authentication Agent accounts ended with an error. | ||
| FDE upgrade successful. | ||
| FDE upgrade failed. | ||
| FDE upgrade rollback successful. | ||
| Encryption upgrade rollback completed with an error (for more details, see Kaspersky Endpoint Security for Windows Online Help). | ||
| Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image. | ||
| Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image. | ||
| BitLocker recovery key was changed. | ||
| BitLocker password/PIN was changed. | ||
| BitLocker recovery key was saved to a removable drive. | ||
| Error changing application components. | ||
| Application components successfully changed. | ||
| Restart required to complete the task. | ||
| Enter a user name and password. | ||
| Suspicious network activity detected. | ||
| System module signature check failed. | ||
| Encrypted connection terminated. | – | |
| Participation in KSN is enabled. | ||
| Participation in KSN is disabled. | ||
| KSN servers available. | ||
| KSN servers unavailable. | ||
| The application works and processes data under relevant laws and uses the appropriate infrastructure. | ||
| Keyboard authorized. | ||
| Keyboard not authorized. | ||
| Keyboard authorization error. | ||
| Kaspersky Anti Targeted Attack Platform server unavailable. | ||
| Endpoint Sensor connected to server. | ||
| Connection to the Kaspersky Anti Targeted Attack Platform server restored. | ||
| Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive. | ||
| Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed. | ||
| Application startup was blocked. | ||
| Document opening was blocked. | ||
| Network activity of all third-party applications is blocked. | ||
| Network traffic unblocked. | ||
| File is quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator. | ||
| File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator. | ||
| File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator. | ||
| File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator. | ||
| All processes started from a file image or stream were terminated. | ||
| Application started. | ||
| Patch installation failed. | ||
| Patch rollback failed. | ||
| AMSI request blocked. | ||
| Error deleting an object. | ||
| Process allowed to run, event logged. | ||
| Object startup blocked. | ||
| Object allowed to run, event logged. | ||
| Object quarantined (Endpoint Detection and Response). | ||
| Object not quarantined (Endpoint Detection and Response). | ||
| Object deleted (Endpoint Detection and Response). | ||
| Object will be deleted after restart (Endpoint Detection and Response). | ||
| Object quarantined (Kaspersky Sandbox). | ||
| Object not quarantined (Kaspersky Sandbox). | ||
| Object will be deleted after restart (Kaspersky Sandbox). | ||
| An internal error has occurred. | ||
| Total size of scan tasks exceeded the limit. | ||
| Invalid Kaspersky Sandbox server certificate. | ||
| The Kaspersky Sandbox node is unavailable. | ||
| Failed to process an object in Kaspersky Sandbox. | ||
| Kaspersky Sandbox license verification failed. | ||
| IOC found. | ||
| IOC Scan started. | ||
| IOC Scan completed. | ||
| Network isolation. | ||
| Termination of network isolation. |
Event ID | | Description | Settings | Enabled by default |
---|---|---|---|---|
| Malicious object detected. | | | |
| Malicious object detected (KSN). | | | |
| Dangerous link blocked (Web Threat Protection). | | | |
| Dangerous link opened (Web Threat Protection). | | | |
| Previously opened dangerous link detected (Web Threat Protection). | | | |
| Detected legitimate software that can be used by criminals to harm your computer or personal data. | | | |
| Object disinfected. | | | |
| Object deleted. | | | |
| Disinfection not possible. | | | |
| Object download was blocked. | | | |
| Object not processed (Mail Threat Protection). The object scan result has been sent to a third-party application (AMSI Protection). | | | |
| Password-protected archive detected. | | | |
| Network attack detected (Network Threat Protection). | | | |
| End User License Agreement violated. | – | | |
| Application startup allowed (Application Control). | | – | |
| Application startup prohibited (Application Control). | | | |
| Kaspersky Sandbox asynchronous alert. | | | |
| Application startup prohibited in test mode (Application Control). | | | |
| Application startup allowed in test mode (Application Control). | | – | |
| Application startup blockage message to administrator (Application Control). | | | |
| Access denied (Web Control). | | | |
| Access denied by KSN (Web Control). | | | |
| Warning about undesirable content (Web Control). | | | |
| Web page access blockage message to administrator (Web Control). | | | |
| Device access blockage message to administrator (Device Control). | | | |
| Device plugged (Device Control). | | | |
| Device unplugged (Device Control). | | | |
| Plugged device blocked (Device Control). | | | |
| / | Process action blocked / Process action skipped (Adaptive Anomaly Control). | | |
| Application activity blockage message to administrator (Adaptive Anomaly Control). | | | |
| File access blocked. | | – | |
| File encryption/decryption error. | | | |
| Operation with the device prohibited. | | | |
| File operation performed (Device Control). | | – | |
| Task results. | |