Tip: Safe Lock event logging can be customized by doing the following:

| Event ID | Task Category | Level | Description |
|---|---|---|---|
| 1000 | System | Information | Service started. |
| 1001 | System | Warning | Service stopped. |
| 1002 | System | Information | Application Lockdown Turned On. |
| 1003 | System | Warning | Application Lockdown Turned Off. |
| 1004 | System | Information | Disabled. |
| 1005 | System | Information | Administrator password changed. |
| 1006 | System | Information | Restricted User password changed. |
| 1007 | System | Information | Restricted User account enabled. |
| 1008 | System | Information | Restricted User account disabled. |
| 1009 | System | Information | Product activated. |
| 1010 | System | Information | Product deactivated. |
| 1011 | System | Warning | License Expired. Grace period enabled. |
| 1012 | System | Warning | License Expired. Grace period ended. |
| 1013 | System | Information | Product configuration import started: <full_path> |
| 1014 | System | Information | Product configuration import complete: <full_path> |
| 1015 | System | Information | Product configuration exported to: <full_path> |
| 1016 | System | Information | USB Malware Protection set to Allow. |
| 1017 | System | Information | USB Malware Protection set to Block. |
| 1018 | System | Information | USB Malware Protection enabled. |
| 1019 | System | Warning | USB Malware Protection disabled. |
| 1020 | System | Information | Network Virus Protection set to Allow. |
| 1021 | System | Information | Network Virus Protection set to Block. |
| 1022 | System | Information | Network Virus Protection enabled. |
| 1023 | System | Warning | Network Virus Protection disabled. |
| 1025 | System | Information | Memory Randomization enabled. |
| 1026 | System | Warning | Memory Randomization disabled. |
| 1027 | System | Information | API Hooking Prevention set to Allow. |
| 1028 | System | Information | API Hooking Prevention set to Block. |
| 1029 | System | Information | API Hooking Prevention enabled. |
| 1030 | System | Warning | API Hooking Prevention disabled. |
| 1031 | System | Information | DLL Injection Prevention set to Allow. |
| 1032 | System | Information | DLL Injection Prevention set to Block. |
| 1033 | System | Information | DLL Injection Prevention enabled. |
| 1034 | System | Warning | DLL Injection Prevention disabled. |
| 1035 | System | Information | Auto Trusted Update enabled. |
| 1036 | System | Information | Auto Trusted Update disabled. |
| 1037 | System | Information | DLL/Driver Lockdown enabled. |
| 1038 | System | Warning | DLL/Driver Lockdown disabled. |
| 1039 | System | Information | Script Lockdown enabled. |
| 1040 | System | Warning | Script Lockdown disabled. |
| 1041 | System | Information | Script added.<br>[Details]<br>File extension: <extension><br>Interpreter: <interpreter> |
| 1042 | System | Information | Script removed.<br>[Details]<br>File extension: <extension><br>Interpreter: <interpreter> |
| 1044 | System | Information | Exception path enabled. |
| 1045 | System | Information | Exception path disabled. |
| 1046 | System | Information | Event Log settings changed.<br>[Details]<br>Windows Event Log: <ON\|off><br>System Log: <on\|OFF><br>Exception Path Log: <ON\|off><br>Write Protection Log: <ON\|off><br>List Log: <ON\|off><br>Approved Access Log: <ON\|off><br>DLL Driver Log: <on\|OFF><br>Trusted Updater Log: <ON\|off><br>Exception Path Log: <ON\|off><br>Trusted Certification Log: <ON\|off><br>Write Protection Log: <ON\|off><br>Blocked Access Log: <ON\|off><br>USB Malware Protection Log: <on\|OFF><br>Execution Prevention Log: <on\|OFF><br>Network Virus Protection Log: <on\|OFF><br>Integrity Monitoring Log<br>File Created Log: <ON\|off><br>File Modified Log: <ON\|off><br>File Deleted Log: <ON\|off><br>File Renamed Log: <ON\|off><br>RegValue Modified Log: <ON\|off><br>RegValue Deleted Log: <ON\|off><br>RegKey Created Log: <ON\|off><br>RegKey Deleted Log: <ON\|off><br>RegKey Renamed Log: <ON\|off><br>Debug Log: <on\|OFF> |
| 1047 | System | Information | Trusted certificate enabled. |
| 1048 | System | Information | Trusted certificate disabled. |
| 1049 | System | Information | Write Protection enabled. |
| 1050 | System | Warning | Write Protection disabled. |
| 1051 | System | Information | Write Protection set to Allow. |
| 1052 | System | Information | Write Protection set to Block. |
| 1055 | System | Information | Added file to Write Protection List.<br>Path: <full_path> |
| 1056 | System | Information | Removed file from Write Protection List.<br>Path: <full_path> |
| 1057 | System | Information | Added file to Write Protection Exception List<br>Path: <full_path><br>Process: <process> |
| 1058 | System | Information | Removed file from Write Protection Exception List.<br>Path: <full_path><br>Process: <process> |
| 1059 | System | Information | Added folder to Write Protection List.<br>Path: <full_path><br>Scope: Folder |
| 1060 | System | Information | Removed folder from Write Protection List.<br>Path: <full_path><br>Scope: Folder |
| 1061 | System | Information | Added folder to Write Protection Exception List.<br>Path: <full_path><br>Scope: Folder<br>Process: <process> |
| 1062 | System | Information | Removed folder from Write Protection Exception List.<br>Path: <full_path><br>Scope: Folder<br>Process: <process> |
| 1063 | System | Information | Added registry value to Write Protection List.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value> |
| 1064 | System | Information | Removed registry value from Write Protection List.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value> |
| 1065 | System | Information | Added registry value to Write Protection Exception List.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>Process: <process> |
| 1066 | System | Information | Removed registry value from Write Protection Exception List.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>Process: <process> |
| 1067 | System | Information | Added registry key to Write Protection List.<br>Registry Key: <reg_key><br>Scope: Registry Key |
| 1068 | System | Information | Removed registry key from Write Protection List.<br>Registry Key: <reg_key><br>Scope: Registry Key |
| 1069 | System | Information | Added registry key to Write Protection Exception List.<br>Registry Key: <reg_key><br>Scope: Registry Key<br>Process: <process> |
| 1070 | System | Information | Removed registry key from Write Protection Exception List.<br>Registry Key: <reg_key><br>Scope: Registry Key<br>Process: <process> |
| 1071 | System | Information | Custom Action set to Ignore. |
| 1072 | System | Information | Custom Action set to Quarantine. |
| 1073 | System | Information | Custom Action set to Ask Intelligent Manager. |
| 1074 | System | Information | Quarantined file is restored.<br>[Details]<br>Original Location: <full_path><br>Source: <source> |
| 1075 | System | Information | Quarantined file is deleted.<br>[Details]<br>Original Location: <full_path><br>Source: <source> |
| 1076 | System | Information | Integrity Monitoring enabled. |
| 1077 | System | Information | Integrity Monitoring disabled. |
| 1078 | System | Information | Root cause analysis report failed.<br>[Details]<br>Access Image Path: <full_path> |
| 1079 | System | Information | Server certificate imported: <full_path> |
| 1080 | System | Information | Server certificate exported to: <full_path> |
| 1081 | System | Information | Managed mode configuration imported: <full_path> |
| 1082 | System | Information | Managed mode configuration exported to: <full_path> |
| 1083 | System | Information | Managed mode enabled. |
| 1084 | System | Information | Managed mode disabled. |
| 1085 | System | Information | When Write Protection is enabled, it includes the Write Protection List and the Approved List. |
| 1086 | System | Warning | When Write Protection is enabled, it includes the Write Protection List only. |
| 1087 | System | Information | Event log settings changed. |
| 1088 | System | Information | Windows Update Support enabled. |
| 1089 | System | Information | Windows Update Support disabled. |
| 1094 | System | Information | Trend Micro Safe Lock updated.<br>File applied: <file_name> |
| 1096 | System | Information | Trusted Hash List enabled. |
| 1097 | System | Information | Trusted Hash List disabled. |
| 1098 | System | Information | Event log settings changed. |
| 1500 | List | Information | Trusted Update started. |
| 1501 | List | Information | Trusted Update stopped. |
| 1502 | List | Information | Approved List import started: <full_path> |
| 1503 | List | Information | Approved List import complete: <full_path> |
| 1504 | List | Information | Approved List exported to: <full_path> |
| 1505 | List | Information | Added to Approved List: <full_path> |
| 1506 | List | Information | Added to Trusted Update List: <full_path> |
| 1507 | List | Information | Removed from Approved List: <full_path> |
| 1508 | List | Information | Removed from Trusted Update List: <full_path> |
| 1509 | List | Information | Approved List updated: <full_path> |
| 1510 | List | Information | Trusted Update List updated: <full_path> |
| 1511 | List | Warning | Unable to add to or update Approved List: <full_path> |
| 1512 | List | Warning | Unable to add to or update Trusted Update List: <full_path> |
| 1513 | List | Information | Added to Exception Path List.<br>[Details]<br>Type: <exception_path_type><br>Path: <exception_path> |
| 1514 | List | Information | Removed from Exception Path List.<br>[Details]<br>Type: <exception_path_type><br>Path: <exception_path> |
| 1515 | List | Information | Added to Trusted Certificate List.<br>[Details]<br>Label: <label><br>Hash: <hash_value><br>Type: <type><br>Subject: <subject><br>Issuer: <issuer> |
| 1516 | List | Information | Removed from Trusted Certificate List.<br>[Details]<br>Label: <label><br>Hash: <hash_value><br>Type: <type><br>Subject: <subject><br>Issuer: <issuer> |
| 1517 | System | Information | Hash value added to the Trusted Hash List.<br>[Details]<br>Label: <label><br>Hash: <hash_value><br>Type: <type><br>Add to Approved List: <yes\|no><br>Path: <file_path><br>Note: <note> |
| 1518 | System | Information | Hash value removed from the Trusted Hash List.<br>[Details]<br>Label: <label><br>Hash: <hash_value><br>Type: <type><br>Add to Approved List: <yes\|no><br>Path: <file_path><br>Note: <note> |
| 2000 | Access Approved | Information | File access allowed: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode><br>List: <list> |
| 2001 | Access Approved | Warning | File access allowed: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2002 | Access Approved | Warning | File access allowed: <full_path><br>Unable to get the file path while checking the Approved List.<br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2003 | Access Approved | Warning | File access allowed: <full_path><br>Unable to calculate hash while checking the Approved List.<br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2004 | Access Approved | Warning | File access allowed: <full_path><br>Unable to get notifications to monitor process. |
| 2005 | Access Approved | Warning | File access allowed: <full_path><br>Unable to add process to non exception list. |
| 2006 | Access Approved | Information | File access allowed: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2007 | Access Approved | Warning | File access allowed: <full_path><br>An error occurred while checking the Exception Path List.<br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2008 | Access Approved | Warning | File access allowed: <full_path><br>An error occurred while checking the Trusted Certificate List.<br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2011 | Access Approved | Information | Trusted registry value access allowed.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2012 | Access Approved | Information | Trusted registry key access allowed.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2013 | Access Approved | Information | Change of File/Folder allowed by Exception List: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2015 | Access Approved | Information | Change of Registry Value allowed by Exception List.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2016 | Access Approved | Information | Change of Registry Key allowed by Exception List.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2017 | Access Approved | Warning | Change of File/Folder allowed: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2019 | Access Approved | Warning | Change of Registry Value allowed.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2020 | Access Approved | Warning | Change of Registry Key allowed.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2021 | Access Approved | Warning | File access allowed: <full_path><br>An error occurred while checking the Trusted Hash List.<br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2503 | Access Blocked | Warning | Change of File/Folder blocked: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2505 | Access Blocked | Warning | Change of Registry Value blocked.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2506 | Access Blocked | Warning | Change of Registry Key blocked.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 2507 | Access Blocked | Information | Specified action is taken: <full_path><br>[Details]<br>Action: <action><br>Source: <source> |
| 2508 | Access Blocked | Warning | Failed to take specified action: <full_path><br>[Details]<br>Action: <action><br>Source: <source> |
| 2509 | Access Blocked | Warning | File access blocked: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode><br>Reason: Not in Approved List |
| 2510 | Access Blocked | Warning | File access blocked: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode><br>Reason: Hash does not match expected value |
| 2511 | Access Blocked | Information | Change of File/Folder blocked: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Mode: <mode> |
| 3000 | USB Malware Protection | Warning | Device access allowed: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Device Type: <type> |
| 3001 | USB Malware Protection | Warning | Device access blocked: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access User: <user_name><br>Device Type: <type> |
| 3500 | Network Virus Protection | Warning | Network virus allowed: <name><br>[Details]<br>Protocol: TCP<br>Source IP Address: <ip_address><br>Source Port: <port><br>Destination IP Address: <ip_address><br>Destination Port: <port> |
| 3501 | Network Virus Protection | Warning | Network virus blocked: <name><br>[Details]<br>Protocol: TCP<br>Source IP Address: <ip_address><br>Source Port: <port><br>Destination IP Address: <ip_address><br>Destination Port: <port> |
| 4002 | Process Protection Event | Warning | API Hooking allowed: <full_path><br>[Details]<br>Threat Image Path: <full_path><br>Threat User: <user_name> |
| 4003 | Process Protection Event | Warning | API Hooking blocked: <full_path><br>[Details]<br>Threat Image Path: <full_path><br>Threat User: <user_name> |
| 4004 | Process Protection Event | Warning | DLL Injection allowed: <full_path><br>[Details]<br>Threat Image Path: <full_path><br>Threat User: <user_name> |
| 4005 | Process Protection Event | Warning | DLL Injection blocked: <full_path><br>[Details]<br>Threat Image Path: <full_path><br>Threat User: <user_name> |
| 4500 | Changes in System | Information | File/Folder created: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4501 | Changes in System | Information | File modified: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4502 | Changes in System | Information | File/Folder deleted: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4503 | Changes in System | Information | File/Folder renamed: <full_path><br>New path: <full_path><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4504 | Changes in System | Information | Registry Value modified.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>Registry Value Type: <reg_value_type><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4505 | Changes in System | Information | Registry Value deleted.<br>Registry Key: <reg_key><br>Registry Value Name: <reg_value><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4506 | Changes in System | Information | Registry Key created.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4507 | Changes in System | Information | Registry Key deleted.<br>Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |
| 4508 | Changes in System | Information | Registry Key renamed.<br>Registry Key: <reg_key><br>New Registry Key: <reg_key><br>[Details]<br>Access Image Path: <full_path><br>Access Process ID: <proc_id><br>Access User: <user_name> |