Appendix 7. Application events in the Kaspersky Security Center event log

Support

Support for business applications

Kaspersky Endpoint Security 11 for Windows

Appendices

Appendix 7. Application events in the Kaspersky Security Center event log

July 20, 2023

ID 214871

Information about the operation of each Kaspersky Endpoint Security component, data encryption events, the completion of each scan task, update task and integrity check task, and the overall operation of the application is recorded in the Kaspersky Security Center event log.

Events of Kaspersky Endpoint Security for Windows

Event ID	Description	Settings	Enabled by default
`GNRL_EV_VIRUS_FOUND`	Malicious object detected.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). `1` – File Threat Protection. `2` – Mail Threat Protection. `3` – Web Threat Protection. `6` – Host Intrusion Prevention. `7` – Firewall. `8` – Behavior Detection. `9` – Exploit Prevention. `10` – Virus Scan task. `11` – AMSI Protection. Threat detection technology (`method`). `1` – Machine learning. `2` – Kaspersky Security Network. `3` – Expert analysis. `4` – Behavior analysis. `5` – Automatic analysis. `6` – Kaspersky Sandbox. Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_SUSPICIOUS_OBJECT_FOUND`	Detected legitimate software that can be used by criminals to harm your computer or personal data	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_5` is the name of the threat, for example, `EICAR-Test-File`. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`.
`GNRL_EV_OBJECT_CURED`	Object disinfected.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_DELETED`	Object deleted.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_8` is the type of the threat, for example, `Trojware`. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_OBJECT_NOTCURED`	Disinfection not possible.	`GNRL_EA_PARAM_1` is the hash of the object (SHA256). `GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_5` is the name of the object according to Kaspersky classification. `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (`denylist`): `true` or `false`. EDR version. Threat identifier in EDR. MD5 hash of the object.
`GNRL_EV_PASSWD_ARCHIVE_FOUND`	Password-protected archive detected.	`GNRL_EA_PARAM_2` is the name of the object. `GNRL_EA_PARAM_3` is the creation date of the object (optional). `GNRL_EA_PARAM_7` is the name of the session user. `GNRL_EA_PARAM_9` is additional information about the detected object: Application component (`engine`). Threat detection technology (`method`). Threat detected by Private KSN (denylist): true or false.	–
`GNRL_EV_ATTACK_DETECTED`	Network attack detected (Network Threat Protection).	`GNRL_EA_PARAM_1` is the name of the attack. `GNRL_EA_PARAM_2` is the protocol. `GNRL_EA_PARAM_3` is the IP address of the computer acting as the source of the network attack. The IP address is indicated in the byte order of the host. For example, `2886729929` for `172.16.0.201`. `GNRL_EA_PARAM_4` is the port number. `GNRL_EA_PARAM_5` is an IPv6 address, for example, `12B012B012B012B012B012B012B012B0`. `GNRL_EA_PARAM_6` is the IP address of the computer targeted by the network attack. The IP address is indicated in the byte order of the host. For example, `2886729929` for `172.16.0.201`.
`GNRL_EV_APPLICATION_LAUNCHED`	Application startup allowed (Application Control).	`GNRL_EA_PARAM_2` is the time of the last start of the application in the special format for Kaspersky Security Center. `GNRL_EA_PARAM_3` is the total number of times the application was started. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is the application category ID (optional). `GNRL_EA_PARAM_6` is the name of the session user.	–
`GNRL_EV_APPLICATION_LAUNCH_DENIED`	Application startup prohibited (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the application category ID (optional). `GNRL_EA_PARAM_5` is information about the digital signature of the application. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_APP_LAUNCH_TESTED_DENIED`	Application startup prohibited in test mode (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is information about the digital signature of the application. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_APP_LAUNCH_TESTED_ALLOW`	Application startup allowed in test mode (Application Control).	`GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the manually created category identifier. `GNRL_EA_PARAM_4` is the account security identifier (SID). `GNRL_EA_PARAM_5` is the application category ID (optional).	–
`GNRL_EV_AC_USER_REQUEST`	Application startup blockage message to administrator (Application Control).	`c_er_descr` is the message to user. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_6` is the name of the executable file of the application (for example, chrome.exe). `GNRL_EA_PARAM_7` is the path to the executable file. `GNRL_EA_PARAM_8` is the hash of the object (SHA256). `GNRL_EA_PARAM_9` is the version of the application that the user is trying to run.
`GNRL_EV_WEB_URL_BLOCKED`	Access denied (Web Control).	`GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the Web Control rule.
`GNRL_EV_WEB_URL_WARNING`	Warning about undesirable content (Web Control).	`GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user. `GNRL_EA_PARAM_3` is the name of the Web Control rule.
`GNRL_EV_WC_USER_REQUEST`	Web page access blockage message to administrator (Web Control).	`c_er_descr` is the message to user. `GNRL_EA_PARAM_1` is the URL. `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DC_USER_REQUEST`	Device access blockage message to administrator (Device Control).	`c_er_descr` is the message to user. `GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.
`GNRL_EV_DEVCTRL_DEV_PLUGGED`	Device plugged (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.	–
`GNRL_EV_DEVCTRL_DEV_UNPLUGGED`	Device unplugged (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.	–
`GNRL_EV_DEVCTRL_DEV_PLUG_DENIED`	Plugged device blocked (Device Control).	`GNRL_EA_PARAM_1` is the Hardware ID (HWID). `GNRL_EA_PARAM_2` is the name of the session user.	–

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.