Kaspersky Security events in Windows Event Log

This section describes the main events in the operation of the application that are recorded to Windows Event Log. Events related to the operation of Kaspersky Security are recorded to Windows Event Log by KSCM8 (the Kaspersky Security service). Each event has a fixed event code. Events in this table are sorted by event code in ascending order.

Main events in the application operation

| Event code | Task category | Event importance level | Description |
|---|---|---|---|
| 1000 | Updates | Error | Such an event is logged if the application detects that the Anti-Virus databases were last updated more than 24 hours ago. The event record specifies the database type and release date. |
| 1000 | Updates | Warning | Such an event is logged if the application detects that the Anti-Spam databases were last updated more than five hours ago. The event record specifies the database type and release date. |
| 1001 | AntivirusScanner | Info | Such an event is logged if the application detects an infected, corrupted, or protected object, or an attached file that meets the attachment filtering criteria, and if the workspace of the Notifications node has the Log the following events to Windows Event Log check box selected for the relevant notification types. |
| 1004 | Licensing | Warning | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, the Notify about license expiration in advance (days before) setting is configured, and the license expires soon. The event record specifies the key, the license expiration date, and the number of days left until this date. |
| 1005 | Licensing | Error | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and the license has expired. The event record specifies the key and the license expiration date. |
| 1007 | Licensing | Error | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and an active key is not detected. |
| 1008 | Updates | Info | Such an event is logged if the application databases have been updated to the latest version. The event record specifies the database type and release date. |
| 1009 | AntispamScanner; AntivirusMailboxAgent; AntivirusTransportAgent; AttachmentFiltering; Dlp | Error | Such an event is logged if the application registers any errors in the operation of a component. The event record specifies the component name and the error description. |
| 1009 | AntispamScanner; AntivirusMailboxAgent; AntivirusTransportAgent; AttachmentFiltering; Dlp | Warning | Such an event is logged if the application registers the disabling of a component. The event record specifies the component name. |
| 1009 | AntispamScanner; AntivirusMailboxAgent; AntivirusTransportAgent; AttachmentFiltering; Dlp | Info | Such an event is logged if the application registers the enabling of a component. The event record specifies the component name. |
| 1010 | Database; DlpDatabase | Error | Such an event is logged if an error occurred on the SQL server and the database is not available anymore. The event record specifies the database name, the SQL server name, and the error description. |
| 1010 | Database; DlpDatabase | Info | Such an event is logged if access to the SQL database is restored and all errors are fixed. The event record specifies the database name and the SQL server name. |
| 1011 | AntivirusScanner | Info | Such an event is logged if the user requested the background scan to run. The event record specifies the user account. |
| 1012 | AntivirusScanner | Info | Such an event is logged if the user requested the background scan to stop. The event record specifies the user account. |
| 1013 | AntivirusScanner | Info | Such an event is logged if the on-demand scan has been run manually or automatically (by schedule). The event record specifies the run type. |
| 1014 | AntivirusScanner | Info | Such an event is logged if the background scan was stopped. The event record specifies the reason for the scan stop. |
| 1015 | Licensing | Warning | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and the application was not able to update the license status. The event record specifies the key, the license expiration date, and the number of days left until the application switches to limited functionality mode. |
| 1016 | Licensing | Error | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, the application was not able to update the license status, and the license update period has expired. The event record provides a description of the cause of the error. |
| 1025 | AntispamScanner | Info | Such an event is logged if the Spam check box is selected in the Notifications node for the Spam messages event in the Notification settings section, and the application has detected a message containing spam or potential spam. The event record provides information about the message. |
| 1026 | AntispamScanner | Info | Such an event is logged if the Mass mail check box is selected in the Notifications node for the Spam messages event in the Notification settings section, and the application has detected a message containing mass mail. The event record provides information about the message. |
| 1027 | AntispamScanner | Info | Such an event is logged if the Phishing check box is selected in the Notifications node for the Spam messages event in the Notification settings section, and the application has detected a message containing a phishing link. The event record provides information about the message. |
| 11010 | Infrastructure | Info | Such an event is logged if the Management Console has been run. The event record specifies the account of the user who has run the Management Console. |
| 11011 | Infrastructure | Info | Such an event is logged if the Management Console was closed. The event record specifies the account of the user who closed the Management Console. |
| 11020 | Infrastructure | Error | Such an event is logged if an application component switched to restricted scan mode. The event record specifies the component name and the time it switched to restricted scan mode. |
| 16000 | Dlp | Warning | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log setting is defined in the DLP Module policy and the application detected an email message that violated the security policy. |
| 16012 | Dlp | Warning | Such an event is logged if the security officer attempted to save an incident-attached object to disk. |
| 16013 | Dlp | Warning | Such an event is logged if the security officer archived some incidents. |
| 16014 | Dlp | Warning | Such an event is logged if the security officer attempted to send incident details to his or her email address. |
| 16100 | Dlp | Info | Such an event is logged if Kaspersky Lab categories were updated during the application database update. The event record specifies the names of categories that have been modified, as well as their brief descriptions. |
| 2055 | Licensing | Error | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and an error occurred during automatic update of the license status. The event record provides a description of the cause of the error. |
| 30000 | Configuration | Info | Such an event is logged if some of the application settings have been modified. The event record specifies the account of the user who modified the settings, the modification scope (for example, Anti-Spam), and the new values of the settings. |
| 31000 | Licensing | Info | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node, and the key status, license expiration date, and number of users or license type have changed. The event record specifies the key, the license type, the license expiration date, and the number of license users. |
| 31022 | Licensing | Info | Such an event is logged if the Log events to Windows Event Log and Kaspersky Security Center Event Log check box is selected in the Notifications node and the user has performed an action on the Security Server key or the DLP Module key. The event record specifies the user account. |
| 42404 | Backup | Info | Such an event is logged if an object was deleted from Backup. The event record specifies detailed information about the object and the user account, if the object was deleted by a user. The application deletes an object according to the Backup settings. |
| 42405 | Backup | Info | Such an event is logged if the user sent a possibly infected object from Backup to Kaspersky Lab for examination. The event record specifies the user account and the object details. |
| 42406 | Backup | Info | Such an event is logged if the user sent an object from Backup to some recipients. The event record specifies the user account and the object details. |
| 42421 | Backup | Info | Such an event is logged if the user sent an object from Backup to Kaspersky Lab for examination but the application identified this object as spam by mistake. The event record specifies the user account and the object details. |
| 42422 | Backup | Info | Such an event is logged if the user saved an object from Backup to disk. The event record specifies the user account and the object details. |
| 42706 | Updates | Error | Such an event is logged if an update of the application databases fails. The event record specifies the database type and the error description. |
| 42707 | Updates | Info | Such an event is logged if an application database update error is fixed and the databases are successfully updated. The event record specifies the database type and release date. |
| 48808 | AntispamScanner | Info | Such an event is logged if the application detected an outgoing email message containing spam or phishing content. The event record contains information about the message. |
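
The table reuses some event codes with different importance levels (1009, 1010) and pairs some failures with a later recovery event (42706 and 42707), so monitoring rules have to key on the code and the level together. The following is an added example, not part of the original documentation or of the product: it replays exported events and reports which failure conditions are still open. The tuple layout (time, code, level, task category) is an assumed export format, and all sample records are constructed.

```python
# Added example: replay Kaspersky Security events keyed on (event code, level).
# The tuple layout (time, code, level, category) is an assumed export format,
# and every record in SAMPLE_EVENTS is constructed.

# Events that open a condition, and the events the table pairs with them.
OPENS = {
    (1010, "Error"): "database unavailable",
    (42706, "Error"): "database update failed",
    (1009, "Warning"): "component disabled",
}
# Recovery event -> code of the condition it clears.
CLOSES = {(1010, "Info"): 1010, (42707, "Info"): 42706, (1009, "Info"): 1009}

# One-off events worth an audit entry; they have no clearing counterpart.
AUDIT = {
    (1009, "Error"): "component error",
    (11020, "Error"): "component in restricted scan mode",
    (30000, "Info"): "application settings modified",
    (16012, "Warning"): "DLP: attempt to save incident object to disk",
    (16014, "Warning"): "DLP: attempt to send incident details by email",
}

SAMPLE_EVENTS = [  # constructed records, deliberately out of time order
    ("2024-05-01T09:20:00", 1010, "Info", "Database"),
    ("2024-05-01T09:00:00", 1010, "Error", "Database"),
    ("2024-05-01T09:05:00", 1010, "Error", "DlpDatabase"),
    ("2024-05-01T09:10:00", 1009, "Warning", "AntispamScanner"),
    ("2024-05-01T09:30:00", 42706, "Error", "Updates"),
    ("2024-05-01T09:40:00", 42707, "Info", "Updates"),
    ("2024-05-01T09:45:00", 30000, "Info", "Configuration"),
    ("2024-05-01T09:50:00", 16012, "Warning", "Dlp"),
    ("2024-05-01T09:55:00", 1009, "Error", "Dlp"),
]

def triage(events):
    """Return (still_open, audit) after replaying events in time order."""
    still_open, audit = {}, []
    for time, code, level, category in sorted(events):
        key = (code, level)
        if key in OPENS:
            # Track per task category: Database and DlpDatabase fail separately.
            still_open[(code, category)] = (time, OPENS[key])
        elif key in CLOSES:
            still_open.pop((CLOSES[key], category), None)
        elif key in AUDIT:
            audit.append((time, category, AUDIT[key]))
    return still_open, audit

if __name__ == "__main__":
    open_now, trail = triage(SAMPLE_EVENTS)
    for (code, category), (since, what) in open_now.items():
        print(f"OPEN  {code} {category}: {what} since {since}")
    for entry in trail:
        print("AUDIT", *entry)
```

Events 42706 and 42707 are matched on task category only, because the table does not describe how the database type appears in the event record.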
