Appendix 7. Application events in the Kaspersky Security Center event log

Support

Support for business applications

Kaspersky Endpoint Security 11 for Windows

Appendices

Appendix 7. Application events in the Kaspersky Security Center event log

July 20, 2023

ID 214871

Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the completion of each scan task, update task and integrity check task, and the overall operation of the application is recorded in the Kaspersky Security Center event log.

Kaspersky Endpoint Security generates events of the following types: general events and specific events. Specific events are created only by Kaspersky Endpoint Security for Windows. Specific events have a simple ID, such as 000000cb. Specific events contain the following required parameters:

GNRL_EA_DESCRIPTION is the content of the event.
GNRL_EA_ID is the service ID of the event.
GNRL_EA_SEVERITY is the status of the event. 1 – Informational message (), 2 – Warning (), 3 – Functional failure (), 4 – Critical ().
EVENT_TYPE_DISPLAY_NAME is the title of the event.
TASK_DISPLAY_NAME is the name of the application component that initiated the event.

General events can be created by Kaspersky Endpoint Security for Windows as well as other Kaspersky applications (for example, Kaspersky Security for Windows Server). General events have a more complex ID, such as GNRL_EV_VIRUS_FOUND. In addition to required settings, general events contain advanced settings.

Expand all | Collapse all

List of specific events of Kaspersky Endpoint Security for Windows

Event ID	Description	Enabled by default
`00000065`	Internal task error.	–
`000000cb`	License has almost expired.	–
`000000cc`	License expires soon.
`000008cd`	Wipe task statistics.
`000000ce`	Databases are missing or corrupted.	–
`000000cf`	Databases are extremely out of date.
`000000d0`	Databases are out of date.
`000000d1`	Application autorun is disabled.
`000000d2`	Automatic updates are disabled.
`000000d3`	Self-Defense is disabled.
`000000d4`	Task cannot be performed.
`000000d5`	The operation with application resources is blocked by Self-Defense.
`000000d6`	Protection components are disabled.
`000000d7`	Computer is running in safe mode.	–
`000000d8`	There are unprocessed files.
`000000d9`	Report cleared.
`000000da`	Application settings changed.
`000000db`	Group policy applied.
`000000dc`	Group policy disabled.
`000000dd`	Task started.
`000000de`	Task stopped.
`000000df`	Task completed.
`000000e1`	Computer restart required.
`000000e2`	The license allows the use of components that have not been installed.
`000000e3`	All application components that are defined by the license have been installed and run in normal mode.	–
`000000e6`	Incorrect reserve key.
`000000e7`	Active threat detected. Advanced Disinfection must be started.
`000000e8`	Advanced Disinfection started.
`000000e9`	Advanced Disinfection completed.
`000000ee`	Subscription settings have changed.
`000000ef`	Subscription has been renewed.
`000000f0`	Subscription expires soon.
`000000f5`	Processing of some OS functions is disabled.
`00000134`	A backup copy of the object was created.
`00000136`	Cannot create a backup copy.
`00000139`	Cannot be deleted.
`0000013a`	Object not processed.
`0000013d`	Processing error.
`00000140`	Object encrypted.	–
`00000141`	Object corrupted.	–
`00000143`	Object will be deleted on restart.
`00000144`	Object will be disinfected on restart.
`00000147`	Overwritten by a copy that was disinfected earlier.	–
`00000149`	Object renamed.
`0000014c`	Information about detected object.
`0000014f`	Object restored from Backup.
`00000150`	Cannot restore object from Backup.
`00000154`	Object is on the Private KSN allowlist.
`00000157`	Not enough space in Quarantine storage.
`00000158`	Quarantine storage is almost out of space.
`00000159`	Object restored from Quarantine.
`0000015a`	Object not restored from Quarantine.
`0000015b`	Object deleted from Quarantine.
`0000015c`	Object not deleted from Quarantine.
`00000172`	Link is on the Private KSN allowlist.
`00000191`	Application placed in the trusted group.
`00000192`	Application placed in restricted group.
`00000193`	Host Intrusion Prevention was triggered.
`000001c4`	Process terminated.
`000001c5`	Cannot terminate the process.	–
`000001c7`	Rollback completed.
`000001c9`	File restored.
`000001ca`	Registry value restored.
`000001cb`	Registry value deleted.	–
`000002c3`	Error in task settings. Task settings not applied.
`000002c4`	Task settings applied successfully.
`000002c6`	Prohibited process was started before Kaspersky Endpoint Security for Windows was started.
`000002f2`	Undesirable content was accessed after a warning.	–
`000002f4`	Allowed page opened.	–
`00000321`	Operation with the device allowed.	–
`00000323`	Temporary access to device activated.
`00000329`	Network connection blocked.
`00000385`	Started applying file encryption/decryption rules.
`00000386`	Finished applying file encryption/decryption rules.
`00000388`	Error applying file encryption/decryption rules.
`000003a3`	Error creating encrypted package.
`000003b7`	Error enabling portable mode.
`000003b9`	Error disabling portable mode.
`000003f3`	Error updating component.
`000003f4`	Error distributing component updates.	–
`000003f7`	Network update error.	–
`000003f8`	Operation canceled by the user.
`000003f9`	Cannot start two tasks at the same time.
`000003fa`	Error verifying application databases and modules.
`000003fb`	Error in interaction with Kaspersky Security Center.
`000003fc`	No available updates.	–
`000003fd`	Not all components were updated.
`000003fe`	Update distribution completed successfully.	–
`000003ff`	Update completed successfully, update distribution failed.	–
`00000519`	Error encrypting/decrypting device.
`0000051a`	User has opted out of the encryption policy.
`0000051e`	Encryption module loaded.	–
`0000051f`	Failed to load encryption module.
`00000520`	Policy cannot be applied.
`00000532`	New Authentication Agent account created.	–
`00000533`	Authentication Agent account deleted.	–
`00000534`	Authentication Agent account password changed.	–
`00000535`	Successful Authentication Agent login.	–
`00000536`	Failed Authentication Agent login attempt.	–
`00000539`	Account not added. This account already exists.	–
`0000053a`	Account not modified. This account does not exist.	–
`0000053b`	Account not deleted. This account does not exist.	–
`0000053c`	The task for managing Authentication Agent accounts ended with an error.
`0000053d`	FDE upgrade successful.
`0000053e`	FDE upgrade failed.
`0000053f`	FDE upgrade rollback successful.
`00000540`	Encryption upgrade rollback completed with an error (for more details, see Kaspersky Endpoint Security for Windows Online Help).
`00000541`	Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image.
`00000542`	Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image.
`0000055a`	BitLocker recovery key was changed.
`0000055b`	BitLocker password/PIN was changed.
`0000055c`	BitLocker recovery key was saved to a removable drive.
`00000579`	Error changing application components.
`0000057a`	Application components successfully changed.
`0000057b`	Restart required to complete the task.
`000007d0`	Enter a user name and password.
`000007d1`	Suspicious network activity detected.
`000007d2`	System module signature check failed.
`000007d3`	Encrypted connection terminated.	–
`000007e4`	Participation in KSN is enabled.
`000007e5`	Participation in KSN is disabled.
`000007e6`	KSN servers available.
`000007e7`	KSN servers unavailable.
`000007e8`	The application works and processes data under relevant laws and uses the appropriate infrastructure.
`00000802`	Keyboard authorized.
`00000803`	Keyboard not authorized.
`00000804`	Keyboard authorization error.
`00000834`	Kaspersky Anti Targeted Attack Platform server unavailable.
`00000835`	Endpoint Sensor connected to server.
`00000836`	Connection to the Kaspersky Anti Targeted Attack Platform server restored.
`00000837`	Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive.
`00000838`	Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed.
`00000839`	Application startup was blocked.
`0000083a`	Document opening was blocked.
`0000083b`	Network activity of all third-party applications is blocked.
`0000083c`	Network traffic unblocked.
`0000083d`	File is quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator.
`0000083e`	File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator.
`0000083f`	File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator.
`0000083e`	File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator.
`00000840`	All processes started from a file image or stream were terminated.
`00000841`	Application started.
`00000869`	Patch installation failed.
`0000086c`	Patch rollback failed.
`00000898`	AMSI request blocked.
`000008cc`	Error deleting an object.
`000009f8`	Process allowed to run, event logged.
`000009f9`	Object startup blocked.
`000009fa`	Object allowed to run, event logged.
`000009fb`	Object quarantined (Endpoint Detection and Response).
`000009fc`	Object not quarantined (Endpoint Detection and Response).
`000009fd`	Object deleted (Endpoint Detection and Response).
`000009fe`	Object will be deleted after restart (Endpoint Detection and Response).
`00000a2a`	Object quarantined (Kaspersky Sandbox).
`00000a2b`	Object not quarantined(Kaspersky Sandbox).
`00000a2d`	Object will be deleted after restart (Kaspersky Sandbox).
`00000a2f`	An internal error has occurred.
`00000a34`	Total size of scan tasks exceeded the limit.
`00000a35`	Invalid Kaspersky Sandbox server certificate.
`00000a36`	The Kaspersky Sandbox node is unavailable.
`00000a39`	Failed to process an object in Kaspersky Sandbox.
`00000a3c`	Kaspersky Sandbox license verification failed.
`00000a5b`	IOC found.
`00000a5c`	IOC Scan started.
`00000a5d`	IOC Scan completed.
`00000a8c`	Network isolation.
`00000a8d`	Termination of network isolation.

List of general events

Event ID		Description	Settings	Enabled by default
`GNRL_EV_VIRUS_FOUND`		Malicious object detected.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). `1` – File Threat Protection. `2` – Mail Threat Protection. `3` – Web Threat Protection. `6` – Host Intrusion Prevention. `7` – Firewall. `8` – Behavior Detection. `9` – Exploit Prevention. `10` – Virus Scan task. `11` – AMSI Protection. Threat detection technology (`method`). `1` – Machine learning. `2` – Kaspersky Security Network. `3` – Expert analysis. `4` – Behavior analysis. `5` – Automatic analysis. `6` – Kaspersky Sandbox. Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_VIRUS_FOUND_BY_KSN`		Malicious object detected (KSN).	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_VIRUS_FOUND_AND_BLOCKED`		Dangerous link blocked (Web Threat Protection).	`GNRL_EA_PARAM_2` is the path to the object. `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`.
`GNRL_EV_VIRUS_FOUND_AND_REPORTED`		Dangerous link opened (Web Threat Protection).	`GNRL_EA_PARAM_2` is the path to the object. `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`.
`GNRL_EV_VIRUS_FOUND_AND_PASSED`		Previously opened dangerous link detected (Web Threat Protection).	`GNRL_EA_PARAM_2` is the path to the object. `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. GNRL_EA_PARAM_9 is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`.
`GNRL_EV_SUSPICIOUS_OBJECT_FOUND`		Detected legitimate software that can be used by criminals to harm your computer or personal data	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`.
`GNRL_EV_OBJECT_CURED`		Object disinfected.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_DELETED`		Object deleted.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_NOTCURED`		Disinfection not possible.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_BLOCKED`		Object download was blocked.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_REPORTED`		Object not processed (Mail Threat Protection). The object scan result has been sent to a third-party application (AMSI Protection).	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat in accordance with Kaspersky classification, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_PASSWD_ARCHIVE_FOUND`		Password-protected archive detected.	`GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (denylist): true or false.
`GNRL_EV_ATTACK_DETECTED`		Network attack detected (Network Threat Protection).	`GNRL_EA_PARAM_1` is the name of the attack. `GNRL_EA_PARAM_2` is the protocol. `GNRL_EA_PARAM_3` is the IP address of the computer acting as the source of the network attack. The IP address is indicated in the byte order of the host. For example, `2886729929` for `172.16.0.201`. `GNRL_EA_PARAM_4` is the port number. `GNRL_EA_PARAM_5` is an IPv6 address, for example, `12B012B012B012B012B012B012B012B0`. `GNRL_EA_PARAM_6` is the IP address of the computer targeted by the network attack. The IP address is indicated in the byte order of the host. For example, `2886729929` for `172.16.0.201`.
`GNRL_EV_LICENSE_EXPIRATION`		End User License Agreement violated.	–
`GNRL_EV_APPLICATION_LAUNCHED`		Application startup allowed (Application Control).	`GNRL_EA_PARAM_2` is the time of the last start of the application in the special format for Kaspersky Security Center. `GNRL_EA_PARAM_3` is the total number of times the application was started. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is the application category ID (optional). `GNRL_EA_PARAM_6` is the name of the session user.	–
`GNRL_EV_APPLICATION_LAUNCH_DENIED`		Application startup prohibited (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the application category ID (optional). `GNRL_EA_PARAM_5` is information about the digital signature of the application. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_APP_INCIDENT_OCCURED`		Kaspersky Sandbox asynchronous alert.	`GNRL_EA_PARAM_1` is the Kaspersky Sandbox component settings `GNRL_EA_PARAM_2` is the path to the object. `GNRL_EA_PARAM_3` is the incident ID. `GNRL_EA_PARAM_4` is the hash of the object (SHA256).
`GNRL_EV_APP_LAUNCH_TESTED_DENIED`		Application startup prohibited in test mode (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is information about the digital signature of the application. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_APP_LAUNCH_TESTED_ALLOW`		Application startup allowed in test mode (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is the application category ID (optional).	–
`GNRL_EV_AC_USER_REQUEST`		Application startup blockage message to administrator (Application Control).	`GNRL_EA_DESCRIPTION` is the message to user. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_WEB_URL_BLOCKED`		Access denied (Web Control).	`GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the Web Control rule.
`GNRL_EV_WEB_URL_BLOCKED_BY_KSN`		Access denied by KSN (Web Control).	`GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the Web Control rule.
`GNRL_EV_WEB_URL_WARNING`		Warning about undesirable content (Web Control).	`GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the Web Control rule.
`GNRL_EV_WC_USER_REQUEST`		Web page access blockage message to administrator (Web Control).	`GNRL_EA_DESCRIPTION` is the message to user. `GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DC_USER_REQUEST`		Device access blockage message to administrator (Device Control).	`c_er_descr` is the message to user. `GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DEVCTRL_DEV_PLUGGED`		Device plugged (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DEVCTRL_DEV_UNPLUGGED`		Device unplugged (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DEVCTRL_DEV_PLUG_DENIED`		Plugged device blocked (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_ADSEC_DETECT`	/	Process action blocked / Process action skipped (Adaptive Anomaly Control).	`GNRL_EA_PARAM_1` is the name of the Adaptive Anomaly Control rule. `GNRL_EA_PARAM_2` is the ID of the heuristic rule. `GNRL_EA_PARAM_3` is the name of the session user. `GNRL_EA_PARAM_4` is the source process. `GNRL_EA_PARAM_5` is the source object. `GNRL_EA_PARAM_6` is the target process. `GNRL_EA_PARAM_7` is the target object. `GNRL_EA_PARAM_8` is additional information about the detected object: Hashes of source process / object and target process / object. Process blocked (`verdict_type`): `true` or `false`. User security ID (SID).
`GNRL_EV_ADSEC_USER_REQUEST`		Application activity blockage message to administrator (Adaptive Anomaly Control).	`GNRL_EA_DESCRIPTION` is the message to user. `GNRL_EA_PARAM_1` is the name of the Adaptive Anomaly Control rule. `GNRL_EA_PARAM_2` is the ID of the heuristic rule. `GNRL_EA_PARAM_3` is the name of the session user. `GNRL_EA_PARAM_4` is the source process. `GNRL_EA_PARAM_5` is the source object. `GNRL_EA_PARAM_6` is the target process. `GNRL_EA_PARAM_7` is the target object. `GNRL_EA_PARAM_8` is additional information about the detected object: Hashes of source process / object and target process / object. Process blocked (`verdict_type`): `true` or `false`. User security ID (SID).
`GNRL_EV_ENCRYPTION_DATAACCESS_VIOLATION`		File access blocked.	`GNRL_EA_PARAM_1` is the target object. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the executable file (for example, chrome.exe) of the application, which is trying to gain access to the file.	–
`GNRL_EV_ENCRYPTION_ERROR`		File encryption/decryption error.	`GNRL_EA_PARAM_1` is the path to the file. `GNRL_EA_PARAM_2` is the cause of the error. `GNRL_EA_PARAM_3` is the device type.
`GNRL_EV_DEVCTRL_DEV_PLUG_DENIED`		Operation with the device prohibited	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_USB_FILE_OPERATION`		File operation performed (Device Control).	`GNRL_EA_PARAM_1` is the file operation (write or delete). `GNRL_EA_PARAM_2` is the path to the file. `GNRL_EA_PARAM_3` is the name of the device. `GNRL_EA_PARAM_4` is the name of the session user. `GNRL_EA_PARAM_5` is the Hardware ID (HWID).	–
`GNRL_EV_HST_CMD_RESULT`		Task results.	`GNRL_EA_PARAM_1` is the command ID. `GNRL_EA_PARAM_2` is the command execution status: `1` means the command was executed successfully `2` means the command was not executed `3` means the command was successfully deleted `4` means the command was not deleted `GNRL_EA_PARAM_3` is the description of the command result and reasons of faults.

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.