Appendix 6. Application events in the Windows Event Log
Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the performance of each scan task, the update task and integrity check task, and the overall operation of the application is recorded in the Windows Event Log.
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| End User License Agreement violated | |
| License has almost expired | – |
| License expires soon | – |
| Databases are missing or corrupted | – |
| Databases are extremely out of date | – |
| Databases are out of date | – |
| Application autorun is disabled | – |
| Automatic updates are disabled | – |
| Self-Defense is disabled | – |
| Task cannot run | – |
| The operation with application resources is blocked by Self-Defense | – |
| Protection components are disabled | – |
| Computer is running in safe mode | – |
| There are unprocessed files | – |
| Report cleared | |
| Application settings changed | |
| Group policy applied | |
| Group policy disabled | – |
| Task started | – |
| Task stopped | – |
| Task completed | – |
| Restart the application to complete the update | – |
| Computer restart required | |
| The license allows the use of components that have not been installed | – |
| Installed components match the license | – |
| Activation error | |
| Incorrect reserve activation code | – |
| Active threat detected. Advanced Disinfection must be started | – |
| Advanced Disinfection started | – |
| Advanced Disinfection completed | – |
| Application started | |
| Application stopped | |
| Application crashed during previous session | |
| License expires soon | |
| Subscription settings have changed | |
| Subscription has been renewed | |
| Object restored from Backup | |
| Cannot restore object from Backup | |
| Processing of some OS functions is disabled | |
| Encrypted connection terminated | |
| Task settings applied successfully | – |
| Object restored from Backup | |
| Enter a user name and password | – |
| Suspicious network activity detected | – |
| Participation in KSN is enabled | – |
| Participation in KSN is disabled | – |
| KSN servers available | – |
| KSN servers unavailable | – |
| The application works and processes data under relevant laws and uses the appropriate infrastructure | |
| All application components that are defined by the license have been installed and run in normal mode | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
| Object deleted | – |
| A backup copy of the object was created | – |
| Cannot create a backup copy | – |
| Cannot be deleted | – |
| Object will be deleted on restart | – |
| Object renamed | – |
| Blocked | – |
| Process terminated | – |
| Cannot terminate the process | – |
| Rollback completed | – |
| Registry value restored | – |
| Registry value deleted | – |
| File/code execution blocked | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Malicious object detected | – |
| Blocked | – |
| Rollback completed | – |
| Object will be deleted on restart | – |
| Object deleted | – |
| Object renamed | – |
| File restored | – |
| Registry value restored | – |
| Registry value deleted | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Object processed | – |
| Malicious object detected | – |
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
| Object disinfected | – |
| Object deleted | – |
| A backup copy of the object was created | – |
| Cannot create a backup copy | – |
| Disinfection not possible | – |
| Cannot be deleted | – |
| Object not processed | – |
| Object skipped | – |
| Processing error | |
| Archive detected | – |
| Packed object detected | – |
| Object encrypted | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| Object will be deleted on restart | – |
| Object will be disinfected on restart | – |
| Overwritten by a copy that was disinfected earlier | – |
| Information about detected object | – |
| Object restored from Backup | – |
| Cannot restore object from Backup | |
| Object is on the Private KSN allowlist | |
| Application placed in the trusted group | – |
| Application placed in restricted group | – |
| Host Intrusion Prevention was triggered | – |
| Process terminated | – |
| Cannot terminate the process | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Malicious object detected | |
| Processing error | |
| Cannot restore object from Backup | |
| Object is on the Private KSN allowlist | |
| Object processed | – |
| Object disinfected | – |
| Object deleted | – |
| A backup copy of the object was created | – |
| Cannot create a backup copy | – |
| Disinfection not possible | – |
| Cannot be deleted | – |
| Object not processed | – |
| Object skipped | – |
| Archive detected | – |
| Packed object detected | – |
| Object encrypted | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| Object will be deleted on restart | – |
| Object will be disinfected on restart | – |
| Overwritten by a copy that was disinfected earlier | – |
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
| Object renamed | – |
| Object restored from Backup | – |
| Process terminated | – |
| Cannot terminate the process | – |
| Information about detected object | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Object processed | – |
| Malicious object detected | |
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
| Processing error | |
| Archive detected | – |
| Packed object detected | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| Object renamed | – |
| Dangerous link blocked | |
| Previously opened dangerous link detected | |
| Previously opened malicious link detected | |
| Dangerous link opened | |
| Object download was blocked | – |
| Link is on the Private KSN allowlist | |
| Object is on the Private KSN allowlist | |
| Information about detected object | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Object processed | – |
| Object disinfected | – |
| Malicious object detected | |
| Processing error | |
| Object is on the Private KSN allowlist | |
| Object deleted | – |
| A backup copy of the object was created | – |
| Disinfection not possible | – |
| Object not processed | – |
| Archive detected | – |
| Packed object detected | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| Object renamed | – |
| Detected legitimate software that can be used by intruders to damage your computer | – |
| Information about detected object | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Network activity allowed | – |
| Network activity blocked | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Network attack detected | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Keyboard authorized | – |
| Keyboard not authorized | |
| Keyboard authorization error | |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Object processed | – |
| Malicious object detected | |
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
| Object not processed | – |
| Object skipped | – |
| Processing error | |
| Archive detected | – |
| Packed object detected | – |
| Object encrypted | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| The object scan result has been sent to a third-party application | – |
| Object renamed | – |
| Information about detected object | – |
| Object is on the Private KSN allowlist | |
| AMSI request blocked | |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Application startup allowed | – |
| Application startup prohibited | – |
| Application startup prohibited in test mode | – |
| Application startup allowed in test mode | – |
| Error in task settings. Task settings not applied | – |
| Prohibited process was started before Kaspersky Endpoint Security for Windows was started | – |
| Task settings applied successfully | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Operation with the device allowed | – |
| Operation with the device prohibited | – |
| Temporary access to device activated | |
| File operation performed | – |
| Network connection blocked | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Access allowed | – |
| Access blocked | – |
| Warning about undesirable content | – |
| Undesirable content was accessed after a warning | – |
| Allowed page opened | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Complaint of blocked application activity | – |
| Process action skipped | – |
| Process action blocked | |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Error applying file encryption/decryption rules | |
| File encryption/decryption error | |
| Error encrypting/decrypting device | |
| Error creating encrypted package | |
| Error enabling portable mode | |
| Error disabling portable mode | |
| Failed to load encryption module | |
| The task for managing Authentication Agent accounts ended with an error | |
| Policy cannot be applied | |
| FDE upgrade failed | |
| FDE upgrade rollback successful | |
| Failed to install or upgrade Kaspersky Disk Encryption drivers in the WinRE image | |
| Failed to uninstall Kaspersky Disk Encryption drivers from the WinRE image | |
| BitLocker recovery key was changed | |
| Started applying file encryption/decryption rules | – |
| Finished applying file encryption/decryption rules | – |
| Interrupted applying file encryption/decryption rules | – |
| Resumed applying file encryption/decryption rules | – |
| File encryption/decryption started | – |
| File encryption/decryption completed | – |
| File has not been encrypted because it is an exclusion | – |
| File encryption/decryption interrupted | – |
| Device encryption/decryption started | – |
| Device encryption/decryption completed | – |
| Device is not encrypted | – |
| Device encryption/decryption interrupted | – |
| Device encryption/decryption resumed | – |
| Drive encryption/decryption process has been switched to passive mode | – |
| Device encryption/decryption process has been switched to active mode | – |
| User has opted out of the encryption policy | – |
| File access blocked | |
| Portable mode enabled | – |
| Portable mode disabled | – |
| New Authentication Agent account created | – |
| Account not added. This account already exists | – |
| Account not modified. This account does not exist | – |
| Account not deleted. This account does not exist | – |
| Authentication Agent account deleted | – |
| Authentication Agent account password changed | – |
| Failed Authentication Agent login attempt | – |
| Successful Authentication Agent login | – |
| Hard drive accessed using the procedure of requesting access to encrypted devices | – |
| Failed attempt to access the hard drive using the procedure of requesting access to encrypted devices | – |
| Encryption module loaded | – |
| Full Disk Encryption upgrade rollback completed with an error | |
| FDE upgrade successful | |
| Authentication Agent account password changed | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Kaspersky Anti Targeted Attack Platform server unavailable | – |
| Application startup was blocked | |
| Document opening was blocked | |
| Tasks from the Kaspersky Anti Targeted Attack Platform server are being processed | – |
| Processing of tasks from the Kaspersky Anti Targeted Attack Platform server is inactive | – |
| Endpoint Sensors connected to server | – |
| Connection to the Kaspersky Anti Targeted Attack Platform server restored | – |
| All processes started from a file image or stream were terminated | |
| Application started | |
| File or stream was deleted by the Kaspersky Anti Targeted Attack Platform server administrator | |
| File was restored from quarantine on the Kaspersky Anti Targeted Attack Platform server by the administrator | |
| File is quarantined on the Kaspersky Anti Targeted Attack Platform server by administrator | |
| Network activity of all third-party applications is blocked | |
| Network activity of all third-party applications is unblocked | |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Malicious object detected | |
| Object restored from Backup | |
| Cannot restore object from Backup | |
| Object is on the Private KSN allowlist | |
| Object processed | – |
| Object renamed | – |
| Object disinfected | – |
| Object deleted | – |
| A backup copy of the object was created | – |
| Cannot create a backup copy | – |
| Disinfection not possible | – |
| Cannot be deleted | – |
| Object not processed | – |
| Object skipped | – |
| Processing error | – |
| Archive detected | – |
| Packed object detected | – |
| Object encrypted | – |
| Object corrupted | – |
| Password-protected archive detected | – |
| Object will be deleted on restart | – |
| Object will be disinfected on restart | – |
| Overwritten by a copy that was disinfected earlier | – |
| Detected legitimate software that can be used by intruders to damage your computer or personal data | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| System module signature check failed | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| An internal error has occurred | |
| Update source selected | – |
| Proxy server selected | – |
| File download | – |
| File downloaded | – |
| File installed | – |
| File updated | – |
| File rolled back due to update error | – |
| Updating files | – |
| Distributing updates | – |
| Rolling back files | – |
| Error updating component | – |
| Error distributing component updates | – |
| Creating the list of files to download | – |
| Local update error | – |
| Operation canceled by the user | – |
| Cannot start two tasks at the same time | – |
| Error verifying application databases and modules | – |
| Error in interaction with Kaspersky Security Center | – |
| No available updates | – |
| Not all components were updated | – |
| Update distribution completed successfully | – |
| Update completed successfully, update distribution failed | – |
| Patch installation failed | – |
| Patch rollback failed | – |
| Downloading patches | – |
| Installing patches | – |
| Patch installed | – |
| Rolling back patch | – |
| Patch rolled back | – |
Codes of events
Event ID | Description | Enabled by default |
---|---|---|
| Task completed | – |
| Task started | – |
| Task stopped | – |
| The object cannot be deleted | – |
| Wipe task statistics | – |
| Object deleted | – |