Appendix 6. Application events

Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the completion of each malware scan task, update task and integrity check task, and the overall operation of the application is recorded in the Kaspersky Security Center event log and Windows event log.

Kaspersky Endpoint Security generates events of the following types: general events and specific events. Specific events are created only by Kaspersky Endpoint Security for Windows. Specific events have a simple ID, such as 000000cb. Specific events contain the following required parameters:

General events can be created by Kaspersky Endpoint Security for Windows as well as other Kaspersky applications (for example, Kaspersky Security for Windows Server). General events have a more complex ID, such as GNRL_EV_VIRUS_FOUND. In addition to required settings, general events contain advanced settings.

Expand all | Collapse all

Critical events

End User License Agreement violated

License has almost expired

Databases are missing or corrupted

Databases are extremely out of date

Application autorun is disabled

Activation error

Active threat detected. Advanced Disinfection should be started

KSN servers unavailable

Not enough space in Quarantine storage

Object not restored from Quarantine

Object not deleted from Quarantine

The application established a connection to a website with an untrusted certificate

Failed to verify an encrypted connection. The domain is added to the list of exclusions

Malicious object detected (local bases)

Malicious object detected (KSN)

Disinfection impossible

Cannot be deleted

Processing error

Process terminated

Unable to terminate process

Dangerous link blocked

Dangerous link opened

Previously opened dangerous link detected

Process action blocked

Keyboard not authorized

AMSI request was blocked

Network activity blocked

Network attack detected

Application startup prohibited

Prohibited process was started before Kaspersky Endpoint Security startup

Access denied (local bases)

Access denied (KSN)

Operation with the device prohibited

Network connection blocked

Error updating component

Error distributing component updates

Local update error

Network update error

Cannot start two tasks at the same time

Error verifying application databases and modules

Error in interaction with Kaspersky Security Center

Not all components were updated

Update completed successfully, update distribution failed

Internal task error

Patch installation failed

Patch rollback failed

Error applying file encryption / decryption rules

File encryption / decryption error

File access blocked

Error enabling portable mode

Error disabling portable mode

Error creating encrypted package

Error encrypting / decrypting device

Could not load encryption module

The task for managing Authentication Agent accounts ended with an error

Policy cannot be applied

FDE upgrade failed

FDE upgrade rollback failed (for more information, please refer to the Kaspersky Endpoint Security for Windows Online Help)

Kaspersky Anti Targeted Attack Platform server unavailable

Failed to delete object

Object not quarantined (Kaspersky Sandbox)

An internal error occurred

Invalid Kaspersky Sandbox server certificate

The Kaspersky Sandbox node is unavailable

An error occurred while processing the object in Kaspersky Sandbox

Maximum load to Kaspersky Sandbox is exceeded

IOC found

Kaspersky Sandbox license verification failed

Object startup blocked

Process startup blocked

Script execution blocked

Object not quarantined (Endpoint Detection and Response)

Process startup is not blocked

Object is not blocked

Script execution is not blocked

Error changing application components

There are patterns of a possible brute-force attack in the system

There are patterns of a possible Windows Event Log abuse

Atypical actions detected on behalf of a new service installed

Atypical logon that uses explicit credentials detected

There are patterns of a possible Kerberos forged PAC (MS14-068) attack in the system

Suspicious changes detected in the privileged built-in Administrators group

There is an atypical activity detected during a network logon session

Log Inspection rule triggered

Atypical event occurs too often. Event aggregation started

Report on an atypical event for the aggregation period

Functional failure

Task cannot be performed

Invalid task settings. Settings not applied

Warning

Application crashed during previous session

License expires soon

Databases are out of date

Automatic updates are disabled

Self-Defense is disabled

Protection components are disabled

Computer is running in safe mode

There are unprocessed files

Group policy applied

Task stopped

Quit and reopen the application to complete updating

Computer restart required

The license allows the use of components that have not been installed

Advanced Disinfection started

Advanced Disinfection completed

Incorrect reserve key

Subscription expires soon

Blocked

Cannot restore object from Backup

Suspicious network activity detected

Encrypted connection terminated

Participation in KSN disabled

Processing of some OS functions is disabled

Quarantine storage is almost out of space

Network connection blocked

Cannot create a backup copy

Object not processed

Object encrypted

Object corrupted

Legitimate software that can be used by intruders to damage your computer or personal data was detected (local bases)

Legitimate software that can be used by intruders to damage your computer or personal data was detected (KSN)

Object deleted

Object disinfected

Object will be disinfected on restart

Object will be deleted on restart

Object deleted according to settings

Rollback completed

Object download was blocked

Keyboard authorization error

The object scan result has been sent to a third-party application

Task settings applied successfully

Warning about undesirable content (local bases)

Warning about undesirable content (KSN)

Undesirable content was accessed after a warning

Temporary access to the device activated

Operation cancelled by the user

User has opted out of the encryption policy

Interrupted applying file encryption / decryption rules

File encryption / decryption interrupted

Device encryption / decryption interrupted

Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image

Module signature check failed

Application startup was blocked

Document opening was blocked

Process was terminated by the Kaspersky Anti Targeted Attack Platform server administrator

The application was terminated by the Kaspersky Anti Targeted Attack Platform server administrator

File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator

File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator

File was quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator

Network activity of all third-party applications is blocked

Network activity of all third-party applications is unblocked

Object will be deleted after restart (Kaspersky Sandbox)

Total size of scan tasks exceeded the limit

Object startup allowed, event logged

Process startup allowed, event logged

Object will be deleted after restart (Endpoint Detection and Response)

Network isolation

Termination of network isolation

Restart required to complete the task

Application startup blockage message to administrator

Device access blockage message to administrator

Web page access blockage message to administrator

Device connection blocked

Application activity blockage message to administrator

File modified

Object changes too often. Event aggregation started

Report on object modification for the aggregation period

Monitoring scope includes incorrect objects

Informational message

Application started

Application stopped

Self-Defense restricted access to the protected resource

Report cleared

Group policy disabled

Application settings changed

Task started

Task completed

All application components that are defined by the license have been installed and run in normal mode

Subscription settings have changed

Subscription has been renewed

Object restored from Backup

User name and password input

Participation in KSN enabled

KSN servers available

The application works and processes data under relevant laws and uses the appropriate infrastructure

Object restored from Quarantine

Object deleted from Quarantine

A backup copy of the object was created

Overwritten by a copy that was disinfected earlier

Password-protected archive detected

Information about detected object

The object is in the Private KSN allowlist

Object renamed

Object processed

Object skipped

Archive detected

Packed object detected

Link processed

Application startup allowed

Update source is selected

Proxy server is selected

The link is in the Private KSN allowlist

Application placed in the trusted group

Application placed in restricted group

Host Intrusion Prevention was triggered

File restored

Registry value restored

Registry value deleted

Process action skipped

Keyboard authorized

Network activity allowed

Application startup prohibited in test mode

Application startup allowed in test mode

A page that is allowed was opened

Operation with the device allowed

File operation performed

No available updates

Update distribution completed successfully

Downloading files

File downloaded

File installed

File updated

File rolled back due to update error

Updating files

Distributing updates

Rolling back files

Creating the list of files to download

Downloading patches

Installing patch

Patch installed

Rolling back patch

Patch rolled back

Started applying file encryption / decryption rules

Finished applying file encryption / decryption rules

Resumed applying file encryption / decryption rules

File encryption / decryption started

File encryption / decryption completed

File has not been encrypted because it is an exclusion

Portable mode enabled

Portable mode disabled

Device encryption / decryption started

Device encryption / decryption completed

Device encryption / decryption resumed

Device is not encrypted

Device encryption / decryption process has been switched to active mode

Device encryption / decryption process has been switched to passive mode

Encryption module loaded

New Authentication Agent account created

Authentication Agent account deleted

Authentication Agent account password changed

Successful Authentication Agent login

Failed Authentication Agent login attempt

Hard drive accessed using the procedure of requesting access to encrypted devices

Failed attempt to access the hard drive using the procedure of requesting access to encrypted devices

Account was not added. This account already exists

Account was not modified. This account does not exist

Account was not deleted. This account does not exist

FDE upgrade successful

FDE upgrade rollback successful

Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image

BitLocker recovery key was changed

BitLocker password / PIN was changed

BitLocker recovery key was saved to a removable drive

Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive

Endpoint Sensor connected to server

Connection to the Kaspersky Anti Targeted Attack Platform server restored

Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed

Object deleted

Wipe task statistics

Object quarantined (Kaspersky Sandbox)

Object deleted (Kaspersky Sandbox)

IOC Scan started

IOC Scan completed

Object quarantined (Endpoint Detection and Response)

Object deleted (Endpoint Detection and Response)

Application components successfully changed

Asynchronous Kaspersky Sandbox detection

Device is connected

Device is disconnected

Error removing the previous version of the application

Page top