This table details the Windows event log descriptions for StellarProtect.
|
Event ID |
Level |
Category |
Event |
Details |
|---|---|---|---|---|
|
256 |
Information |
System |
Service has started. |
|
|
257 |
Information |
System |
Policy has been applied successfully. (Version: %version%) |
|
|
258 |
Information |
System |
Patch has been applied. File Name: %file_name% |
|
|
259 |
Information |
System |
Patching in progress |
After the earlier-applied patch is completed, the system will automatically try to apply this patch: %deferred_file_name%. |
|
513 |
Information |
intelli_av |
Application vault update was successful |
|
|
514 |
Information |
intelli_av |
Real Time Scan has been enabled. |
|
|
515 |
Information |
intelli_av |
A scheduled scan has started. |
|
|
516 |
Information |
intelli_av |
A scheduled scan has ended. |
Folders scanned: %1 Symbolic links: %2 Regular files: %3 Files scanned: %4 Files passed: %5 Threats detected: %6 |
|
517 |
Information |
intelli_av |
A manually launched scan has started. |
|
|
518 |
Information |
intelli_av |
A manually launched scan has ended. |
Folders scanned: %1 Symbolic links: %2 Regular files: %3 Files scanned: %4 Files passed: %5 Threats detected: %6 |
|
519 |
Information |
intelli_av |
A scheduled scan has been enabled. |
Next scan will be on %NextScan%. |
|
520 |
Information |
intelli_av |
A scheduled scan has been disabled. |
|
|
521 |
Information |
intelli_av |
A scan manually launched by local user has started. |
|
|
522 |
Information |
intelli_av |
A scan manually launched by local user has ended. |
Folders scanned: %1 Symbolic links: %2 Regular files: %3 Files scanned: %4 Files passed: %5 Threats detected: %6 |
|
768 |
Information |
anomaly_detect |
Operations Behavior Anomaly Detection (Script Behavior) has been enabled. |
Mode: %Mode% Level: %Level% Learning time: %LearningTime% day(s) |
|
769 |
Information |
anomaly_detect |
Script behavior has been added to the Situational Awareness baseline. |
Access User: %USERNAME% ID: %ID% Target Process: %PATH% %ARGUMENT% Parent Process 1: %PATH% %ARGUMENT% Parent Process 2: %PATH% %ARGUMENT% Parent Process 3: %PATH% %ARGUMENT% Parent Process 4: %PATH% %ARGUMENT% |
|
770 |
Information |
anomaly_detect |
A script behavior has been excluded from the Situational Awareness baseline. |
ID: %ID% Target Process: %PATH% %ARGUMENT% Parent Process 1: %PATH% %ARGUMENT% Parent Process 2: %PATH% %ARGUMENT% Parent Process 3: %PATH% %ARGUMENT% Parent Process 4: %PATH% %ARGUMENT% |
|
771 |
Information |
anomaly_detect |
Operations Behavior Anomaly Detection (User Login) has been enabled. |
Mode: %Mode% Level: %Level% Learning time: %LearningTime% day(s) |
|
772 |
Information |
anomaly_detect |
Operations Behavior Anomaly Detection (Application Behavior) has been enabled. |
Mode: %Mode% Level: %Level% Learning time: %LearningTime% day(s) |
|
773 |
Information |
anomaly_detect |
A user login account has been added to the Situational Awareness baseline. |
Domain: %Domain% Account: %Account% Login Type: %LoginType% Source IP: %IP% |
|
774 |
Information |
anomaly_detect |
A user login account has been excluded from the Situational Awareness baseline. |
Domain: %Domain% Account: %Account% Login Type: %LoginType% Source IP: %IP% |
|
775 |
Information |
anomaly_detect |
An application has been added to the Situational Awareness baseline. |
Application Path: %Path% |
|
776 |
Information |
anomaly_detect |
An application has been excluded from the Situational Awareness baseline. |
Application Path: %Path% |
|
784 |
Information |
anomaly_detect |
DLL Injection Prevention has been enabled. |
|
|
1280 |
Information |
device_control |
Device Control has been enabled. |
|
|
1281 |
Information |
device_control |
Trusted USB device has been added. |
Vendor ID: %HEX% Product ID: %HEX% Serial Number: %STRING% Type: permanent or one time |
|
1282 |
Information |
device_control |
Trusted USB device has been removed. |
Vendor ID: %HEX% Product ID: %HEX% Serial Number: %STRING% |
|
1792 |
Information |
lockdown |
File access has been allowed: %PATH% |
Access Image Path: %PATH% Access User: %USERNAME% Mode: %MODE% List: %LIST% |
|
1793 |
Information |
lockdown |
A new file has been added to Approved List in Maintenance Mode. |
Path: %PATH% Hash: %SHA256_HEXSTR% |
|
1794 |
Information |
lockdown |
The hash of an existing file in Approved List has been updated in Maintenance Mode. |
Path: %PATH% Hash: %SHA256_HEXSTR% |
|
1795 |
Information |
lockdown |
Approved List initialization has started. |
|
|
1796 |
Information |
lockdown |
Approved List initialization has completed |
Count: %COUNT% |
|
1797 |
Information |
lockdown |
Application Lockdown has been enabled |
Mode: %MODE% |
|
1798 |
Information |
lockdown |
DLL/Driver Lockdown has been enabled. |
|
|
1799 |
Information |
lockdown |
Script Lockdown has been enabled. |
|
|
1800 |
Information |
lockdown |
Intelligent Runtime Learning has been enabled. |
|
|
2048 |
Information |
update |
Component update has started. |
|
|
2049 |
Information |
update |
Component update has ended. |
|
|
2050 |
Information |
update |
Scheduled component update has been enabled. Next update will be on %NEXT_UPDATE_LOCAL_TIME_STR% (agent's local system time). |
|
|
2051 |
Information |
update |
Scheduled component update has been disabled. |
|
|
3840 |
Information |
misc |
User account has been enabled. |
|
|
3841 |
Information |
misc |
User account has been disabled. |
|
|
3842 |
Information |
misc |
User password has been changed. |
|
|
4352 |
Warning |
system |
Service has stopped. |
|
|
4353 |
Warning |
system |
Unable to apply policy (Version: %version%) |
|
|
4354 |
Warning |
system |
Unable to update file. |
Source Path: %src_path% Destination Path: %dst_path% Error Code: %err_code% |
|
4355 |
Warning |
system |
Unable to apply patch. |
File Name: %file_name% Error Code: %err_code% |
|
4609 |
Warning |
intelli_av |
Incoming Files Scanned, Action Taken by Antivirus: %PATH% |
Incoming files were scanned by antivirus. Action was taken according to settings. File Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% Action Result: %INTEGER% Quarantine Path: %PATH% |
|
4610 |
Warning |
intelli_av |
Incoming Files Scanned, Action Taken by Next-Generation Antivirus: %PATH% |
Incoming files were scanned by next-generation antivirus. Action was taken according to settings. File Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% Action Result: %INTEGER% Quarantine Path: %PATH% |
|
4611 |
Warning |
intelli_av |
Local Files Scanned, Action Taken by Antivirus: %PATH% |
Local files were scanned by antivirus. Action was taken according to settings. File Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% Action Result: %INTEGER% Quarantine Path: %PATH% |
|
4612 |
Warning |
intelli_av |
Local Files Scanned, Action Taken by Next-Generation Antivirus: %PATH% |
Local files were scanned by next-generation antivirus. Action was taken according to settings. File Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% Action Result: %INTEGER% Quarantine Path: %PATH% |
|
4613 |
Warning |
intelli_av |
Suspicious Program Execution Blocked |
Suspicious program execution was blocked. File Path: %PATH% File Hash: %STRING% |
|
4614 |
Warning |
intelli_av |
Suspicious Program Currently Running |
Suspicious program is currently running. Process ID: %PID% File Path: %PATH% File Hash: %STRING% File Credibility: %STRING% |
|
4615 |
Warning |
intelli_av |
Application Execution Blocked By Antivirus |
Application execution was blocked by antivirus. Process Image Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% |
|
4617 |
Warning |
intelli_av |
Application Execution Blocked By Next-Generation Antivirus |
Application execution was blocked by next-generation antivirus. Process Image Path: %PATH% File Hash: %STRING% Threat Type: %STRING% Threat Name: %STRING% |
|
4864 |
Warning |
anomaly_detect |
Operations Behavior Anomaly Detection (Script Behavior) has been disabled. |
|
|
4865 |
Warning |
anomaly_detect |
Script Behavior has been allowed by Operations Behavior Anomaly Detection: %PATH% |
Access User: %USERNAME% Parent Process 1: %PATH% %ARGUMENT% Parent Process 2: %PATH% %ARGUMENT% Parent Process 3: %PATH% %ARGUMENT% Parent Process 4: %PATH% %ARGUMENT% Mode: %Mode% Level: %LEVEL% |
|
4866 |
Warning |
anomaly_detect |
Script Behavior has been blocked by Operations Behavior Anomaly Detection: %PATH% |
Access User: %USERNAME% Parent Process 1: %PATH% %ARGUMENT% Parent Process 2: %PATH% %ARGUMENT% Parent Process 3: %PATH% %ARGUMENT% Parent Process 4: %PATH% %ARGUMENT% Mode: %Mode% Level: %LEVEL% |
|
4867 |
warning |
anomaly_detect |
Operations Behavior Anomaly Detection (User Login) has been disabled. |
|
|
4868 |
warning |
anomaly_detect |
Operations Behavior Anomaly Detection (Application Behavior) has been disabled. |
|
|
4869 |
warning |
anomaly_detect |
A user login failure has been detected by Operations Behavior Anomaly Detection. |
Domain: %Domain% Account: %Account% Login Type: %LoginType% Source IP: %IP% |
|
4870 |
warning |
anomaly_detect |
An abnormal user login has been detected by Operations Behavior Anomaly Detection. |
Domain: %Domain% Account: %Account% Login Type: %LoginType% Source IP: %IP% |
|
4871 |
warning |
anomaly_detect |
Suspicious application behavior has been detected by Operations Behavior Anomaly Detection. |
Program Path: %Path% Program Hash: %SHA256% Program Size: %Size% Certificate: %CertificateSigner% Vendor: %VendorName% Product: %Product% |
|
4872 |
warning |
anomaly_detect |
An unrecognized application has been detected by Operations Behavior Anomaly Detection. |
PID: %PID% Program Path: %Path% Program Hash: %SHA256% Program Size: %Size% Certificate: %CertificateSigner% Vendor: %VendorName% Product: %Product% |
|
4873 |
warning |
anomaly_detect |
Malicious application behavior has been detected by Operations Behavior Anomaly Detection |
Program Path: %Path% Program Hash: %SHA256% Program Size: %Size% Certificate: %CertificateSigner% Vendor: %VendorName% Product: %Product% |
|
4880 |
Warning |
anomaly_detect |
DLL Injection Prevention has been disabled. |
|
|
5120 |
Warning |
change_control |
Change to an ICS file was blocked by OT Application Safeguard. |
Blocked Process: %PATH% Target File: %PATH% |
|
5121 |
Warning |
change_control |
Manipulation to existing ICS process was blocked by OT Application Safeguard. |
Blocked Process: %PATH% Target Process: %PATH% |
|
5376 |
Warning |
device_control |
Device Control has been disabled. |
|
|
5377 |
Warning |
device_control |
USB access has been blocked: %PATH% |
Access Image Path: %PATH% Access User: %USERNAME% Vendor ID: %HEX% Product ID: %HEX% Serial Number: %STRING% |
|
5888 |
Warning |
lockdown |
File access has been allowed: %PATH% |
Access Image Path: %PATH% Access User: %USERNAME% Mode: %MODE% Reason: %ALLOWED_REASON% File hash allowed: %SHA256_HEXSTR%%THROTTLING_INFO_MSG% |
|
5889 |
Warning |
lockdown |
File access has been blocked: C:\object_file_path |
Access Image Path: %PATH% Access User: %USERNAME% Mode: %MODE% Reason: %BLOCKED_REASON% File hash blocked: %SHA256_HEXSTR%%THROTTLING_INFO_MSG% |
|
5890 |
Warning |
lockdown |
Unable to add to or update Approved List: %PATH% |
|
|
5891 |
Warning |
lockdown |
Application Lockdown has been disabled |
|
|
5892 |
Warning |
lockdown |
DLL/Driver Lockdown has been disabled. |
|
|
5893 |
Warning |
lockdown |
Script Lockdown has been disabled. |
|
|
5894 |
Warning |
lockdown |
Intelligent Runtime Learning has been disabled. |
|
|
5895 |
Warning |
lockdown |
Approved List initialization has been canceled. |
|
|
8706 |
Critical |
intelli_av |
Real-Time Scan has been disabled. |
|
|
9216 |
Critical |
change_control |
The Maintenance Mode has now started. |
|
| 9217 |
Critical |
change_control |
The Maintenance Mode has now ended. |