This table details the Windows event log descriptions for StellarProtect.
|
Event ID
|
Level
|
Category
|
Event
|
Details
|
|
256
|
Information
|
System
|
Service started
|
|
|
257
|
Information
|
System
|
Policy applied successfully (Version: %version%)
|
|
|
258
|
Information
|
System
|
Patch applied
File Name: %file_name%
|
|
|
259
|
Information
|
System
|
Patching in progress
|
After the earlier-applied patch is completed, the system will automatically try
to apply this patch: %deferred_file_name%.
|
|
513
|
Information
|
intelli_av
|
Application vault update was successful
|
|
|
514
|
Information
|
intelli_av
|
Real Time Scan enabled
|
|
|
515
|
Information
|
intelli_av
|
A scheduled scan started
|
|
|
516
|
Information
|
intelli_av
|
A scheduled scan ended
|
Folders scanned: %1
Symbolic links: %2
Regular files: %3
Files scanned: %4
Files passed: %5
Threats detected: %6
|
|
517
|
Information
|
intelli_av
|
A manually launched scan started
|
|
|
518
|
Information
|
intelli_av
|
A manually launched scan ended
|
Folders scanned: %1
Symbolic links: %2
Regular files: %3
Files scanned: %4
Files passed: %5
Threats detected: %6
|
|
519
|
Information
|
intelli_av
|
A scheduled scan enabled
|
Next scan will be on %NextScan%.
|
|
520
|
Information
|
intelli_av
|
A scheduled scan disabled
|
|
|
521
|
Information
|
intelli_av
|
A scan manually launched by local user started
|
|
|
522
|
Information
|
intelli_av
|
A scan manually launched by local user ended
|
Folders scanned: %1
Symbolic links: %2
Regular files: %3
Files scanned: %4
Files passed: %5
Threats detected: %6
|
|
523
|
Information
|
intelli_av
|
Incoming file detected malicious and quarantined successfully
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Quarantine Path: %PATH%
Reboot Required: %NEED_REBOOT%
|
|
524
|
Information
|
intelli_av
|
Local file detected malicious and quarantined successfully
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Quarantine Path: %PATH%
Reboot Required: %NEED_REBOOT%
|
|
525
|
Information
|
intelli_av
|
Malicious file execution detected. Infected executable file quarantined
successfully
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Quarantine Path: %PATH%
Reboot Required: %NEED_REBOOT%
|
|
768
|
Information
|
anomaly_detect
|
Operations Behavior Anomaly Detection (Script Behavior) enabled
|
Mode: %Mode%
Level: %Level%
Learning time: %LearningTime% day(s)
|
|
769
|
Information
|
anomaly_detect
|
Script behavior added to baseline
|
Access User: %USERNAME%
ID: %ID%
Target Process: %PATH% %ARGUMENT%
Parent Process 1: %PATH% %ARGUMENT%
Parent Process 2: %PATH% %ARGUMENT%
Parent Process 3: %PATH% %ARGUMENT%
Parent Process 4: %PATH% %ARGUMENT%
|
|
770
|
Information
|
anomaly_detect
|
Script behavior excluded from baseline.
|
ID: %ID%
Target Process: %PATH% %ARGUMENT%
Parent Process 1: %PATH% %ARGUMENT%
Parent Process 2: %PATH% %ARGUMENT%
Parent Process 3: %PATH% %ARGUMENT%
Parent Process 4: %PATH% %ARGUMENT%
|
|
771
|
Information
|
anomaly_detect
|
Operations Behavior Anomaly Detection (User Login) enabled
|
Mode: %Mode%
Level: %Level%
Learning time: %LearningTime% day(s)
|
|
772
|
Information
|
anomaly_detect
|
Operations Behavior Anomaly Detection (Application Behavior) enabled
|
Mode: %Mode%
Level: %Level%
Learning time: %LearningTime% day(s)
|
|
773
|
Information
|
anomaly_detect
|
Login account added to baseline
|
Domain: %Domain%
Account: %Account%
Login Type: %LoginType%
Source IP: %IP%
|
|
774
|
Information
|
anomaly_detect
|
Login account excluded from baseline
|
Domain: %Domain%
Account: %Account%
Login Type: %LoginType%
Source IP: %IP%
|
|
775
|
Information
|
anomaly_detect
|
Application added to baseline
|
Application Path: %Path%
|
|
776
|
Information
|
anomaly_detect
|
Application excluded from baseline
|
Application Path: %Path%
|
|
784
|
Information
|
anomaly_detect
|
DLL Injection Prevention enabled
|
|
|
1280
|
Information
|
device_control
|
Device Control enabled
|
|
|
1281
|
Information
|
device_control
|
USB device added into trusted device list
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
Type: permanent or one time
|
|
1282
|
Information
|
device_control
|
USB device removed from trusted device list
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
|
|
1283
|
Information
|
device_control
|
Trusted USB device connected
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
Active User: %STRING%
|
|
1284
|
Information
|
device_control
|
Trusted USB device disconnected
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
Active User: %STRING%
|
|
1792
|
Information
|
lockdown
|
File access allowed: %PATH%
|
Access Image Path: %PATH%
Access User: %USERNAME%
Mode: %MODE%
List: %LIST%
|
|
1793
|
Information
|
lockdown
|
A new file added to Approved List in Maintenance Mode.
|
Path: %PATH%
Hash: %SHA256_HEXSTR%
|
|
1794
|
Information
|
lockdown
|
The hash of an existing file in Approved List was updated in Maintenance Mode
|
Path: %PATH%
Hash: %SHA256_HEXSTR%
|
|
1795
|
Information
|
lockdown
|
Approved List initialization started
|
|
|
1796
|
Information
|
lockdown
|
Approved List initialization completed
|
Count: %COUNT%
|
|
1797
|
Information
|
lockdown
|
Application Lockdown enabled
|
Mode: %MODE%
|
|
1798
|
Information
|
lockdown
|
DLL/Driver Lockdown enabled
|
|
|
1799
|
Information
|
lockdown
|
Script Lockdown enabled
|
|
|
1800
|
Information
|
lockdown
|
Intelligent Runtime Learning enabled
|
|
|
2048
|
Information
|
update
|
Component update started
|
|
|
2049
|
Information
|
update
|
Component update ended
|
|
|
2050
|
Information
|
update
|
Scheduled component update enabled. Next update will be on
%NEXT_UPDATE_LOCAL_TIME_STR% (agent's local system time).
|
|
|
2051
|
Information
|
update
|
Scheduled component update disabled
|
|
|
2052
|
Information
|
update
|
Components updated successfully.
|
Update Source: %UPDATE_URL%
[Original Version]
%COMPONENTS_INFO%
[Updated Version]
%COMPONENTS_INFO%
|
|
3840
|
Information
|
misc
|
User account enabled
|
|
|
3841
|
Information
|
misc
|
User account disabled
|
|
|
3842
|
Information
|
misc
|
User password changed
|
|
|
4352
|
Warning
|
system
|
Service stopped
|
|
|
4353
|
Warning
|
system
|
Unable to apply policy (Version: %version%)
|
|
|
4354
|
Warning
|
system
|
Unable to update file
|
Source Path: %src_path%
Destination Path: %dst_path%
Error Code: %err_code%
|
|
4355
|
Warning
|
system
|
Unable to apply patch
|
File Name: %file_name%
Error Code: %err_code%
|
|
4609
|
Warning
|
intelli_av
|
Incoming files scanned, action taken by Antivirus: %PATH%
|
Incoming files were scanned by antivirus. Action was taken according to
settings.
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Action Result: %INTEGER%
Quarantine Path: %PATH%
|
|
4610
|
Warning
|
intelli_av
|
Incoming files scanned, action taken by Next-Generation Antivirus: %PATH%
|
Incoming files were scanned by next-generation antivirus. Action was taken
according to settings.
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Action Result: %INTEGER%
Quarantine Path: %PATH%
|
|
4611
|
Warning
|
intelli_av
|
Local files scanned, action taken by Antivirus: %PATH%
|
Local files were scanned by antivirus. Action was taken according to
settings.
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Action Result: %INTEGER%
Quarantine Path: %PATH%
|
|
4612
|
Warning
|
intelli_av
|
Local files scanned, action taken by Next-Generation Antivirus: %PATH%
|
Local files were scanned by next-generation antivirus. Action was taken according
to settings.
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
Action Result: %INTEGER%
Quarantine Path: %PATH%
|
|
4613
|
Warning
|
suspicious_objects
|
Suspicious program execution blocked
|
Suspicious program execution was blocked.
File Path: %PATH%
File Hash: %STRING%
|
|
4614
|
Warning
|
suspicious_objects
|
Suspicious program currently running
|
Suspicious program is currently running.
Process ID: %PID%
File Path: %PATH%
File Hash: %STRING%
File Credibility: %STRING%
|
|
4615
|
Warning
|
intelli_av
|
Application execution blocked by Antivirus
|
Application execution was blocked by antivirus.
Process Image Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
|
|
4617
|
Warning
|
intelli_av
|
Application execution blocked by Next-Generation Antivirus
|
Application execution was blocked by next-generation antivirus.
Process Image Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
|
|
4618
|
Warning
|
intelli_av
|
Failed to quarantine incoming file detected malicious
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
|
|
4619
|
Warning
|
intelli_av
|
Failed to quarantine local file detected malicious
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
|
|
4620
|
Warning
|
intelli_av
|
Malicious file execution detected. Failed to quarantine the infected executable
file
|
File Path: %PATH%
File Hash: %STRING%
Threat Type: %STRING%
Threat Name: %STRING%
|
|
4864
|
Warning
|
anomaly_detect
|
Operations Behavior Anomaly Detection (Script Behavior) disabled
|
|
|
4865
|
Warning
|
anomaly_detect
|
Script Behavior allowed by Operations Behavior Anomaly Detection: %PATH%
%ARGUMENT%
|
Access User: %USERNAME%
Parent Process 1: %PATH% %ARGUMENT%
Parent Process 2: %PATH% %ARGUMENT%
Parent Process 3: %PATH% %ARGUMENT%
Parent Process 4: %PATH% %ARGUMENT%
Mode: %Mode%
Level: %LEVEL%
|
|
4866
|
Warning
|
anomaly_detect
|
Script Behavior blocked by Operations Behavior Anomaly Detection:%PATH%
%ARGUMENT%
|
Access User: %USERNAME%
Parent Process 1: %PATH% %ARGUMENT%
Parent Process 2: %PATH% %ARGUMENT%
Parent Process 3: %PATH% %ARGUMENT%
Parent Process 4: %PATH% %ARGUMENT%
Mode: %Mode%
Level: %LEVEL%
|
|
4867
|
warning
|
anomaly_detect
|
Operations Behavior Anomaly Detection (User Login) disabled
|
|
|
4868
|
warning
|
anomaly_detect
|
Operations Behavior Anomaly Detection (Application Behavior) disabled
|
|
|
4869
|
warning
|
anomaly_detect
|
A user login failure detected by Operations Behavior Anomaly Detection
|
Domain: %Domain%
Account: %Account%
Login Type: %LoginType%
Source IP: %IP%
|
|
4870
|
warning
|
anomaly_detect
|
An abnormal user login detected by Operations Behavior Anomaly Detection
|
Domain: %Domain%
Account: %Account%
Login Type: %LoginType%
Source IP: %IP%
|
|
4871
|
warning
|
anomaly_detect
|
Suspicious application behavior detected by Operations Behavior Anomaly
Detection
|
Program Path: %Path%
Program Hash: %SHA256%
Program Size: %Size%
Certificate: %CertificateSigner%
Vendor: %VendorName%
Product: %Product%
|
|
4872
|
warning
|
anomaly_detect
|
An unrecognized application detected by Operations Behavior Anomaly Detection
|
PID: %PID%
Program Path: %Path%
Program Hash: %SHA256%
Program Size: %Size%
Certificate: %CertificateSigner%
Vendor: %VendorName%
Product: %Product%
|
|
4873
|
warning
|
anomaly_detect
|
Malicious application behavior detected by Operations Behavior Anomaly
Detection
|
Program Path: %Path%
Program Hash: %SHA256%
Program Size: %Size%
Certificate: %CertificateSigner%
Vendor: %VendorName%
Product: %Product%
|
|
4880
|
Warning
|
anomaly_detect
|
DLL Injection Prevention disabled
|
|
|
4881
|
Warning
|
anomaly_detect
|
DLL Injection Prevention blocked: %OBJ_PATH%
|
Threat Image Path: %SUBJ_PATH%
Threat User: %USER%
|
|
5120
|
Warning
|
change_control
|
Change to an ICS file blocked by OT Application Safeguard.
|
Blocked Process: %PATH%
Target File: %PATH%
|
|
5376
|
Warning
|
device_control
|
Device Control disabled
|
|
|
5377
|
Warning
|
device_control
|
USB access blocked: %PATH%
|
Access Image Path: %PATH%
Access User: %USERNAME%
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
|
|
5378
|
Warning
|
device_control
|
USB autorun.inf file blocked: %PATH%
|
|
|
5379
|
Warning
|
device_control
|
Untrusted USB device connected
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
Active User: %STRING%
|
|
5380
|
Warning
|
device_control
|
Untrusted USB device disconnected
|
Vendor ID: %HEX%
Product ID: %HEX%
Serial Number: %STRING%
Active User: %STRING%
|
|
5888
|
Warning
|
lockdown
|
File access allowed: %PATH%
|
Access Image Path: %PATH%
Access User: %USERNAME%
Mode: %MODE%
Reason: %ALLOWED_REASON%
File hash allowed: %SHA256_HEXSTR%%THROTTLING_INFO_MSG%
|
|
5889
|
Warning
|
lockdown
|
File access blocked: C:\object_file_path
|
Access Image Path: %PATH%
Access User: %USERNAME%
Mode: %MODE%
Reason: %BLOCKED_REASON%
File hash blocked: %SHA256_HEXSTR%%THROTTLING_INFO_MSG%
|
|
5890
|
Warning
|
lockdown
|
Unable to add to or update Approved List: %PATH%
|
|
|
5891
|
Warning
|
lockdown
|
Application Lockdown disabled
|
|
|
5892
|
Warning
|
lockdown
|
DLL/Driver Lockdown disabled
|
|
|
5893
|
Warning
|
lockdown
|
Script Lockdown disabled
|
|
|
5894
|
Warning
|
lockdown
|
Intelligent Runtime Learning disabled
|
|
|
5895
|
Warning
|
lockdown
|
Approved List initialization canceled
|
|
|
6144
|
Warning
|
update
|
Component update unsuccessful (%AU_ERROR_CODE%)
|
Update Source: %UPDATE_URL%
[Original Version]
%COMPONENTS_INFO%
[Updated Version]
%COMPONENTS_INFO%
|
|
8448
|
Critical
|
system
|
Protection stopped manually via protection stop button or CLI
|
|
|
8449
|
Critical
|
system
|
Protection resumed
|
%REASON% could be one of the followings:
|
|
8706
|
Critical
|
intelli_av
|
Real-Time Scan disabled
|
|
|
9216
|
Critical
|
change_control
|
Maintenance Mode started
|
|
| 9217 |
Critical
|
change_control
|
Maintenance Mode ended
|