Appendix 6. Application events
Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the completion of each malware scan task, update task and integrity check task, and the overall operation of the application is recorded in the Kaspersky Security Center event log and Windows event log.
Kaspersky Endpoint Security generates events of the following types: general events and specific events. Specific events are created only by Kaspersky Endpoint Security for Windows. Specific events have a simple ID, such as 000000cb. Specific events contain the following required parameters:
GNRL_EA_DESCRIPTION is the content of the event.
GNRL_EA_ID is the service ID of the event.
GNRL_EA_SEVERITY is the status of the event: 1 – Informational message, 2 – Warning, 3 – Functional failure, 4 – Critical.
EVENT_TYPE_DISPLAY_NAME is the title of the event.
TASK_DISPLAY_NAME is the name of the application component that initiated the event.
General events can be created by Kaspersky Endpoint Security for Windows as well as other Kaspersky applications (for example, Kaspersky Security for Windows Server). General events have a more complex ID, such as GNRL_EV_VIRUS_FOUND. In addition to required settings, general events contain advanced settings.
Critical events
End User License Agreement violated
Databases are missing or corrupted
Databases are extremely out of date
Application autorun is disabled
Active threat detected. Advanced Disinfection should be started
Not enough space in Quarantine storage
Object not restored from Quarantine
Object not deleted from Quarantine
The application established a connection to a website with an untrusted certificate
Failed to verify an encrypted connection. The domain is added to the list of exclusions
Malicious object detected (local bases)
Malicious object detected (KSN)
Previously opened dangerous link detected
Application startup prohibited
Prohibited process was started before Kaspersky Endpoint Security startup
Operation with the device prohibited
Error distributing component updates
Cannot start two tasks at the same time
Error verifying application databases and modules
Error in interaction with Kaspersky Security Center
Not all components were updated
Update completed successfully, update distribution failed
Error applying file encryption / decryption rules
File encryption / decryption error
Error creating encrypted package
Error encrypting / decrypting device
Could not load encryption module
The task for managing Authentication Agent accounts ended with an error
Kaspersky Anti Targeted Attack Platform server unavailable
Object not quarantined (Kaspersky Sandbox)
Invalid Kaspersky Sandbox server certificate
The Kaspersky Sandbox node is unavailable
An error occurred while processing the object in Kaspersky Sandbox
Maximum load to Kaspersky Sandbox is exceeded
Kaspersky Sandbox license verification failed
Object not quarantined (Endpoint Detection and Response)
Process startup is not blocked
Script execution is not blocked
Error changing application components
There are patterns of a possible brute-force attack in the system
There are patterns of a possible Windows Event Log abuse
Atypical actions detected on behalf of a new service installed
Atypical logon that uses explicit credentials detected
There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system
Suspicious changes detected in the privileged built-in Administrators group
There is an atypical activity detected during a network logon session
Atypical event occurs too often. Event aggregation started
Report on an atypical event for the aggregation period
Functional failure
Invalid task settings. Settings not applied
Warning
Application crashed during previous session
Automatic updates are disabled
Protection components are disabled
Computer is running in safe mode
Quit and reopen the application to complete updating
The license allows the use of components that have not been installed
Advanced Disinfection completed
Cannot restore object from Backup
Suspicious network activity detected
Encrypted connection terminated
Processing of some OS functions is disabled
Quarantine storage is almost out of space
Object will be disinfected on restart
Object will be deleted on restart
Object deleted according to settings
The object scan result has been sent to a third-party application
Task settings applied successfully
Warning about undesirable content (local bases)
Warning about undesirable content (KSN)
Undesirable content was accessed after a warning
Temporary access to the device activated
Operation cancelled by the user
User has opted out of the encryption policy
Interrupted applying file encryption / decryption rules
File encryption / decryption interrupted
Device encryption / decryption interrupted
Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image
Application startup was blocked
Process was terminated by the Kaspersky Anti Targeted Attack Platform server administrator
The application was terminated by the Kaspersky Anti Targeted Attack Platform server administrator
File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator
File was quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator
Network activity of all third-party applications is blocked
Network activity of all third-party applications is unblocked
Object will be deleted after restart (Kaspersky Sandbox)
Total size of scan tasks exceeded the limit
Object startup allowed, event logged
Process startup allowed, event logged
Object will be deleted after restart (Endpoint Detection and Response)
Termination of network isolation
Restart required to complete the task
Application startup blockage message to administrator
Device access blockage message to administrator
Web page access blockage message to administrator
Application activity blockage message to administrator
Object changes too often. Event aggregation started
Report on object modification for the aggregation period
Monitoring scope includes incorrect objects
Informational message
Self-Defense restricted access to the protected resource
Subscription settings have changed
The application works and processes data under relevant laws and uses the appropriate infrastructure
Object restored from Quarantine
Object deleted from Quarantine
A backup copy of the object was created
Overwritten by a copy that was disinfected earlier
Password-protected archive detected
Information about detected object
The object is in the Private KSN allowlist
The link is in the Private KSN allowlist
Application placed in the trusted group
Application placed in restricted group
Host Intrusion Prevention was triggered
Application startup prohibited in test mode
Application startup allowed in test mode
A page that is allowed was opened
Operation with the device allowed
Update distribution completed successfully
File rolled back due to update error
Creating the list of files to download
Started applying file encryption / decryption rules
Finished applying file encryption / decryption rules
Resumed applying file encryption / decryption rules
File encryption / decryption started
File encryption / decryption completed
File has not been encrypted because it is an exclusion
Device encryption / decryption started
Device encryption / decryption completed
Device encryption / decryption resumed
Device encryption / decryption process has been switched to active mode
Device encryption / decryption process has been switched to passive mode
New Authentication Agent account created
Authentication Agent account deleted
Authentication Agent account password changed
Successful Authentication Agent login
Failed Authentication Agent login attempt
Hard drive accessed using the procedure of requesting access to encrypted devices
Account was not added. This account already exists
Account was not modified. This account does not exist
Account was not deleted. This account does not exist
FDE upgrade rollback successful
Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image
BitLocker recovery key was changed
BitLocker password / PIN was changed
BitLocker recovery key was saved to a removable drive
Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive
Endpoint Sensor connected to server
Connection to the Kaspersky Anti Targeted Attack Platform server restored
Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed
Object quarantined (Kaspersky Sandbox)
Object deleted (Kaspersky Sandbox)
Object quarantined (Endpoint Detection and Response)
Object deleted (Endpoint Detection and Response)
Application components successfully changed