Symbolic name:
+MALWAREPROTECTION_SCAN_STARTED
+Remove
Update the definitions then verify that the removal was successful.
Message:
+An antimalware scan started. +
+Clean
Update the definitions then verify that the remediation was successful.
Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - Scan Resources: <Resources (such as files/directories/BHO) that were scanned.> +
- User: <Domain>\<User> +
Quarantine
Update the definitions and verify that the user has permission to access the necessary resources.
Symbolic name:
+MALWAREPROTECTION_SCAN_COMPLETED
+Allow
Verify that the user has permission to access the necessary resources.
Message:
+An antimalware scan finished.
+Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - User: <Domain>\<User> +
- Scan Time: <The duration of a scan.> +
Symbolic name:
+MALWAREPROTECTION_SCAN_CANCELLED +
+Message:
+An antimalware scan was stopped before it finished. +
+Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - User: <Domain>\<User> +
- Scan Time: <The duration of a scan.> +
Symbolic name:
+MALWAREPROTECTION_SCAN_PAUSED +
+Message:
+An antimalware scan was paused. +
+Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - User: <Domain>\<User> +
Symbolic name:
+MALWAREPROTECTION_SCAN_RESUMED +
+Message:
+An antimalware scan was resumed. +
+Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - User: <Domain>\<User> +
Symbolic name:
+MALWAREPROTECTION_SCAN_FAILED +
+Message:
+An antimalware scan failed. +
+Description:
++
-
+
- Scan ID: <ID number of the relevant scan.> +
- Scan Type: <Scan type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
+ - Scan Parameters: <Scan parameters>, for example:
-
+
- Full scan +
- Quick scan +
- Customer scan +
+ - User: <Domain>\<User> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
User action:
+The Windows Defender client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. + +
+To troubleshoot this event: +
-
+
- Run the scan again. +
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code. +
- Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_MALWARE_DETECTED +
+Message:
+The antimalware engine found malware or other potentially unwanted software. +
+Description:
++
For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - Status: <Status> +
- User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_MALWARE_ACTION_TAKEN +
+Message:
+The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
+Description:
++
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:
+-
+
- User: <Domain>\<User> +
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Action: <Action>, for example:
-
+
- Clean: The resource was cleaned +
- Quarantine: The resource was quarantined +
- Remove: The resource was deleted +
- Allow: The resource was allowed to execute/exist +
- User defined: User defined action which is normally one from this list of actions that the user has specified +
- No action: No action +
- Block: The resource was blocked from executing +
+ - Status: <Status> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_MALWARE_ACTION_FAILED
+Message:
+The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
+Description:
++
Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:
+-
+
- User: <Domain>\<User> +
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Action: <Action>, for example:
-
+
- Clean: The resource was cleaned +
- Quarantine: The resource was quarantined +
- Remove: The resource was deleted +
- Allow: The resource was allowed to execute/exist +
- User defined: User defined action which is normally one from this list of actions that the user has specified +
- No action: No action +
- Block: The resource was blocked from executing +
+ - Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Status: <Status> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_QUARANTINE_RESTORE +
+Message:
+The antimalware platform restored an item from quarantine. +
+Description:
++
Windows Defender has restored an item from quarantine. For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- User: <Domain>\<User> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED +
+Message:
+The antimalware platform could not restore an item from quarantine. +
+Description:
++
Windows Defender has encountered an error trying to restore an item from quarantine. For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- User: <Domain>\<User> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_QUARANTINE_DELETE
+Message:
+The antimalware platform deleted an item from quarantine. +
+Description:
++
Windows Defender has deleted an item from quarantine. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- User: <Domain>\<User> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_QUARANTINE_DELETE_FAILED +
+Message:
+The antimalware platform could not delete an item from quarantine.
+Description:
++
Windows Defender has encountered an error trying to delete an item from quarantine. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- User: <Domain>\<User> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
Symbolic name:
+MALWAREPROTECTION_MALWARE_HISTORY_DELETE +
+Message:
+The antimalware platform deleted history of malware and other potentially unwanted software.
+Description:
++
Windows Defender has removed history of malware and other potentially unwanted software.
+-
+
- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time. +
- User: <Domain>\<User> +
Symbolic name:
+MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED +
+Message:
+The antimalware platform could not delete history of malware and other potentially unwanted software.
+Description:
++
Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.
+-
+
- Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time. +
- User: <Domain>\<User> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
Symbolic name:
+MALWAREPROTECTION_BEHAVIOR_DETECTED +
+Message:
+The antimalware platform detected suspicious behavior.
+Description:
++
Windows Defender has detected a suspicious behavior. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
+
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - Status: <Status> +
- User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Signature ID: Enumeration matching severity. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
- Fidelity Label: +
- Target File Name: <File name> +Name of the file. +
Symbolic name:
+MALWAREPROTECTION_STATE_MALWARE_DETECTED
+Message:
+The antimalware platform detected malware or other potentially unwanted software. +
+Description:
++
Windows Defender has detected malware or other potentially unwanted software. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
+
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
User action:
+No action is required. Windows Defender can suspend and take routine action on this threat. If you want to remove the threat manually, in the Windows Defender interface, click Clean Computer.
+Symbolic name:
+MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN +
+Message:
+The antimalware platform performed an action to protect your system from malware or other potentially unwanted software. +
+Description:
++
Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
+
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Action: <Action>, for example:
-
+
- Clean: The resource was cleaned +
- Quarantine: The resource was quarantined +
- Remove: The resource was deleted +
- Allow: The resource was allowed to execute/exist +
- User defined: User defined action which is normally one from this list of actions that the user has specified +
- No action: No action +
- Block: The resource was blocked from executing +
+ - Action Status: <Description of additional actions> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
User action:
+No action is necessary. Windows Defender removed or quarantined a threat.
+Symbolic name:
+MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
+Message:
+The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed. +
+Description:
++
Windows Defender has encountered a non-critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
+
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Action: <Action>, for example:
-
+
- Clean: The resource was cleaned +
- Quarantine: The resource was quarantined +
- Remove: The resource was deleted +
- Allow: The resource was allowed to execute/exist +
- User defined: User defined action which is normally one from this list of actions that the user has specified +
- No action: No action +
- Block: The resource was blocked from executing +
+ - Action Status: <Description of additional actions> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
User action:
+No action is necessary. Windows Defender failed to complete a task related to the malware remediation. This is not a critical failure.
+Symbolic name:
+MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED +
+Message:
+The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.
+Description:
++
Windows Defender has encountered a critical error when taking action on malware or other potentially unwanted software. +For more information please see the following:
+-
+
- Name: <Threat name> +
- ID: <Threat ID> +
- Severity: <Severity>, for example:
-
+
- Low +
- Moderate +
- High +
- Severe +
+ - Category: <Category description>, for example, any threat or malware type. +
- Path: <File path> +
- Detection Origin: <Detection origin>, for example:
+
-
+
- Unknown +
- Local computer +
- Network share +
- Internet +
- Incoming traffic +
- Outgoing traffic +
+ - Detection Type: <Detection type>, for example:
-
+
- Heuristics +
- Generic +
- Concrete +
- Dynamic signature +
+ - Detection Source: <Detection source> for example:
-
+
- User: user initiated +
- System: system initiated +
- Real-time: real-time component initiated +
- IOAV: IE Downloads and Outlook Express Attachments initiated +
- NIS: Network inspection system +
- IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls +
- Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence +
- Remote attestation +
+ - User: <Domain>\<User> +
- Process Name: <Process in the PID> +
- Action: <Action>, for example:
-
+
- Clean: The resource was cleaned +
- Quarantine: The resource was quarantined +
- Remove: The resource was deleted +
- Allow: The resource was allowed to execute/exist +
- User defined: User defined action which is normally one from this list of actions that the user has specified +
- No action: No action +
- Block: The resource was blocked from executing +
+ - Action Status: <Description of additional actions> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
User action:
+The Windows Defender client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant User action steps below.
+| Action | +User action | +
|---|---|
|
+ Remove + |
+
+ Update the definitions then verify that the removal was successful. + |
+
|
+ Clean + |
+
+ Update the definitions then verify that the remediation was successful. + |
+
|
+ Quarantine + |
+
+ Update the definitions and verify that the user has permission to access the necessary resources. + |
+
|
+ Allow + |
+
+ Verify that the user has permission to access the necessary resources. + |
+
+
If this event persists:
-
+
- Run the scan again. +
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code. +
- Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_THREAT_HASH
+Message:
+Windows Defender has deduced the hashes for a threat resource.
+Description:
++
Windows Defender client is up and running in a healthy state.
+-
+
- Current Platform Version: <Current platform version> +
- Threat Resource Path: <Path> +
- Hashes: <Hashes> +
Symbolic name:
+MALWAREPROTECTION_SERVICE_HEALTHY
+Message:
+If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state. +
+Description:
++
Windows Defender client is up and running in a healthy state.
+-
+
- Platform Version: <Current platform version> +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware Engine version> +
User action:
+No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.
+Symbolic name:
+MALWAREPROTECTION_SIGNATURE_UPDATED +
+Message:
+The antimalware definitions updated successfully. +
+Description:
++
Windows Defender signature version has been updated.
+-
+
- Current Signature Version: <Current signature version> +
- Previous Signature Version: <Previous signature version> +
- Signature Type: <Signature type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
- Network Inspection System +
+ - Update Type: <Update type>, either Full or Delta. +
- User: <Domain>\<User> +
- Current Engine Version: <Current engine version> +
- Previous Engine Version: <Previous engine version> +
User action:
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when signatures are successfully updated.
+Symbolic name:
+MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED
+Message:
+The antimalware definition update failed. +
+Description:
++
Windows Defender has encountered an error trying to update signatures.
+-
+
- New Signature Version: <New version number> +
- Previous Signature Version: <Previous signature version> +
- Update Source: <Update source>, for example:
+
-
+
- Signature update folder +
- Internal definition update server +
- Microsoft Update Server +
- File share +
- Microsoft Malware Protection Center (MMPC) +
+ - Update Stage: <Update stage>, for example:
+
-
+
- Search +
- Download +
- Install +
+ - Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL. +
- Signature Type: <Signature type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
- Network Inspection System +
+ - Update Type: <Update type>, either Full or Delta. +
- User: <Domain>\<User> +
- Current Engine Version: <Current engine version> +
- Previous Engine Version: <Previous engine version> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
User action:
+This error occurs when there is a problem updating definitions.
+To troubleshoot this event: +
-
+
- Update the definitions. Either:
-
+
- Click the Update definitions button on the Update tab in Windows Defender.
Or,
+
+ - Download the latest definitions from the Microsoft Malware Protection Center.
+
+
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+
+
+ - Click the Update definitions button on the Update tab in Windows Defender.
- Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error. +
- Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_ENGINE_UPDATED
+Message:
+The antimalware engine updated successfully. +
+Description:
++
Windows Defender engine version has been updated.
+-
+
- Current Engine Version: <Current engine version> +
- Previous Engine Version: <Previous engine version> +
- Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine. +
- User: <Domain>\<User> +
User action:
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
+Symbolic name:
+MALWAREPROTECTION_ENGINE_UPDATE_FAILED
+Message:
+The antimalware engine update failed. +
+Description:
++
Windows Defender has encountered an error trying to update the engine.
+-
+
- New Engine Version: +
- Previous Engine Version: <Previous engine version> +
- Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine. +
- User: <Domain>\<User> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
User action:
+The Windows Defender client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.
+To troubleshoot this event: +
-
+
- Update the definitions. Either:
-
+
- Click the Update definitions button on the Update tab in Windows Defender.
Or,
+
+ - Download the latest definitions from the Microsoft Malware Protection Center.
+
+
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+
+
+ - Click the Update definitions button on the Update tab in Windows Defender.
- Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_SIGNATURE_REVERSION
+Message:
+There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.
+Description:
++
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
+-
+
- Signatures Attempted: +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Signature Version: <Definition version> +
- Engine Version: <Antimalware engine version> +
User action:
+The Windows Defender client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Windows Defender will attempt to revert back to a known-good set of definitions.
+To troubleshoot this event: +
-
+
- Restart the computer and try again. +
- Download the latest definitions from the Microsoft Malware Protection Center.
+
+
Note: The size of the definitions file downloaded from the Microsoft Malware Protection Center can exceed 60 MB and should not be used as a long-term solution for updating definitions.
+
+ - Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE
+Message:
+The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.
+Description:
++
Windows Defender could not load antimalware engine because current platform version is not supported. Windows Defender will revert back to the last known-good engine and a platform update will be attempted.
+-
+
- Current Platform Version: <Current platform version> +
Symbolic name:
+MALWAREPROTECTION_PLATFORM_UPDATE_FAILED +
+Message:
+The platform update failed. +
+Description:
++
Windows Defender has encountered an error trying to update the platform.
+-
+
- Current Platform Version: <Current platform version> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
Symbolic name:
+MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE
+Message:
+The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.
+Description:
++
Windows Defender will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Windows Defender platform to maintain the best level of protection available.
+-
+
- Current Platform Version: <Current platform version> +
Symbolic name:
+MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED +
+Message:
+The antimalware engine used the Dynamic Signature Service to get additional definitions. +
+Description:
++
Windows Defender used Dynamic Signature Service to retrieve additional signatures to help protect your machine.
+-
+
- Current Signature Version: <Current signature version> +
- Signature Type: <Signature type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
- Network Inspection System +
+ - Current Engine Version: <Current engine version> +
- Dynamic Signature Type: <Dynamic signature type>, for example:
+
-
+
- Version +
- Timestamp +
- No limit +
- Duration +
+ - Persistence Path: <Path> +
- Dynamic Signature Version: <Version number> +
- Dynamic Signature Compilation Timestamp: <Timestamp> +
- Persistence Limit Type: <Persistence limit type>, for example:
+
-
+
- VDM version +
- Timestamp +
- No limit +
+ - Persistence Limit: Persistence limit of the fastpath signature. +
Symbolic name:
+MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED +
+Message:
+The Dynamic Signature Service deleted the out-of-date dynamic definitions. +
+Description:
++
Windows Defender used Dynamic Signature Service to discard obsolete signatures.
+-
+
- Current Signature Version: <Current signature version> +
- Signature Type: <Signature type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
- Network Inspection System +
+ - Current Engine Version: <Current engine version> +
- Dynamic Signature Type: <Dynamic signature type>, for example:
+
-
+
- Version +
- Timestamp +
- No limit +
- Duration +
+ - Persistence Path: <Path> +
- Dynamic Signature Version: <Version number> +
- Dynamic Signature Compilation Timestamp: <Timestamp> +
- Removal Reason: +
- Persistence Limit Type: <Persistence limit type>, for example:
+
-
+
- VDM version +
- Timestamp +
- No limit +
+ - Persistence Limit: Persistence limit of the fastpath signature. +
User action:
+No action is necessary. The Windows Defender client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
+Symbolic name:
+MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED +
+Message:
+The antimalware engine encountered an error when trying to use the Dynamic Signature Service. +
+Description:
++
Windows Defender has encountered an error trying to use Dynamic Signature Service.
+-
+
- Current Signature Version: <Current signature version> +
- Signature Type: <Signature type>, for example:
-
+
- Antivirus +
- Antispyware +
- Antimalware +
- Network Inspection System +
+ - Current Engine Version: <Current engine version> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Dynamic Signature Type: <Dynamic signature type>, for example:
+
-
+
- Version +
- Timestamp +
- No limit +
- Duration +
+ - Persistence Path: <Path> +
- Dynamic Signature Version: <Version number> +
- Dynamic Signature Compilation Timestamp: <Timestamp> +
- Persistence Limit Type: <Persistence limit type>, for example:
+
-
+
- VDM version +
- Timestamp +
- No limit +
+ - Persistence Limit: Persistence limit of the fastpath signature. +
User action:
+Check your Internet connectivity settings.
+Symbolic name:
+MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL +
+Message:
+The Dynamic Signature Service deleted all dynamic definitions. +
+Description:
++
Windows Defender discarded all Dynamic Signature Service signatures.
+-
+
- Current Signature Version: <Current signature version> +
Symbolic name:
+MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED +
+Message:
+The antimalware engine downloaded a clean file. +
+Description:
++
Windows Defender downloaded a clean file.
+-
+
- Filename: <File name> +Name of the file. +
- Current Signature Version: <Current signature version> +
- Current Engine Version: <Current engine version> +
Symbolic name:
+MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED
+Message:
+The antimalware engine failed to download a clean file. +
+Description:
++
Windows Defender has encountered an error trying to download a clean file.
+-
+
- Filename: <File name> +Name of the file. +
- Current Signature Version: <Current signature version> +
- Current Engine Version: <Current engine version> +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
User action:
+Check your Internet connectivity settings. +
+The Windows Defender client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue. +
+Symbolic name:
+MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED
+Message:
+The antimalware engine was downloaded and is configured to run offline on the next system restart.
+Description:
+Windows Defender downloaded and configured Windows Defender Offline to run on the next reboot.
+Symbolic name:
+MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED +
+Message:
+The antimalware engine was unable to download and configure an offline scan.
+Description:
++
Windows Defender has encountered an error trying to download and configure Windows Defender Offline.
+-
+
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
Symbolic name:
+MALWAREPROTECTION_OS_EXPIRING +
+Message:
+Antimalware support for this operating system version will soon end. +
+Description:
+The support for your operating system will expire shortly. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+Symbolic name:
+MALWAREPROTECTION_OS_EOL +
+Message:
+Antimalware support for this operating system has ended. You must upgrade the operating system for continued support. +
+Description:
+The support for your operating system has expired. Running Windows Defender on an out of support operating system is not an adequate solution to protect against threats.
+Symbolic name:
+MALWAREPROTECTION_PROTECTION_EOL +
+Message:
+The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware. +
+Description:
+The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
+Symbolic name:
+MALWAREPROTECTION_RTP_FEATURE_FAILURE +
+Message:
+Real-time protection encountered an error and failed.
+Description:
++
Windows Defender Real-Time Protection feature has encountered an error and failed.
+-
+
- Feature: <Feature>, for example:
+
-
+
- On Access +
- Internet Explorer downloads and Microsoft Outlook Express attachments +
- Behavior monitoring +
- Network Inspection System +
+ - Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +
- Reason: The reason Windows Defender real-time protection has restarted a feature. +
User action:
+You should restart the system then run a full scan because it’s possible the system was not protected for some time. +
+The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. +
+If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure. +
+Symbolic name:
+MALWAREPROTECTION_RTP_FEATURE_RECOVERED
+Message:
+Real-time protection recovered from a failure. We recommend running a full system scan when you see this error. +
+Description:
++
Windows Defender Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
+-
+
- Feature: <Feature>, for example:
+
-
+
- On Access +
- IE downloads and Outlook Express attachments +
- Behavior monitoring +
- Network Inspection System +
+ - Reason: The reason Windows Defender real-time protection has restarted a feature. +
User action:
+The real-time protection feature has restarted. If this event happens again, contact Microsoft Technical Support.
+Symbolic name:
+MALWAREPROTECTION_RTP_ENABLED +
+Message:
+Real-time protection is enabled. +
+Description:
+Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was enabled.
+Symbolic name:
+MALWAREPROTECTION_RTP_DISABLED
+Message:
+Real-time protection is disabled. +
+Description:
+Windows Defender Real-time Protection scanning for malware and other potentially unwanted software was disabled.
+Symbolic name:
+MALWAREPROTECTION_RTP_FEATURE_CONFIGURED +
+Message:
+The real-time protection configuration changed. +
+Description:
++
Windows Defender Real-time Protection feature configuration has changed.
+-
+
- Feature: <Feature>, for example:
+
-
+
- On Access +
- IE downloads and Outlook Express attachments +
- Behavior monitoring +
- Network Inspection System +
+ - Configuration: +
Symbolic name:
+MALWAREPROTECTION_CONFIG_CHANGED +
+Message:
+The antimalware platform configuration changed.
+Description:
++
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
+-
+
- Old value: <Old value number> +Old Windows Defender configuration value. +
- New value: <New value number> +New Windows Defender configuration value. +
Symbolic name:
+MALWAREPROTECTION_ENGINE_FAILURE
+Message:
+The antimalware engine encountered an error and failed.
+Description:
++
Windows Defender engine has been terminated due to an unexpected error.
+-
+
- Failure Type: <Failure type>, for example: +Crash +or Hang +
- Exception Code: <Error code> +
- Resource: <Resource> +
User action:
+To troubleshoot this event:
-
+
- Try to restart the service.
-
+
- For antimalware, antivirus and spyware, at an elevated command prompt, type net stop msmpsvc, and then type net start msmpsvc to restart the antimalware engine. +
- For the Network Inspection System, at an elevated command prompt, type net start nissrv, and then type net start nissrv to restart the Network Inspection System engine by using the NiSSRV.exe file. + + + + +
+ - If it fails in the same way, look up the error code by accessing the Microsoft Support Site and entering the error number in the Search box, and contact Microsoft Technical Support. +
User action:
+The Windows Defender client engine stopped due to an unexpected error.
+To troubleshoot this event: +
-
+
- Run the scan again. +
- If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code. +
- Contact Microsoft Technical Support. + +
Symbolic name:
+MALWAREPROTECTION_ANTISPYWARE_ENABLED +
+Message:
+Scanning for malware and other potentially unwanted software is enabled. +
+Description:
+Windows Defender scanning for malware and other potentially unwanted software has been enabled.
+Symbolic name:
+MALWAREPROTECTION_ANTISPYWARE_DISABLED +
+Message:
+Scanning for malware and other potentially unwanted software is disabled.
+Description:
+Windows Defender scanning for malware and other potentially unwanted software is disabled.
+Symbolic name:
+MALWAREPROTECTION_ANTIVIRUS_ENABLED
+Message:
+Scanning for viruses is enabled.
+Description:
+Windows Defender scanning for viruses has been enabled.
+Symbolic name:
+MALWAREPROTECTION_ANTIVIRUS_DISABLED +
+Message:
+Scanning for viruses is disabled. +
+Description:
+Windows Defender scanning for viruses is disabled.
+Symbolic name:
+MALWAREPROTECTION_EXPIRATION_WARNING_STATE +
+Message:
+The antimalware platform will expire soon. +
+Description:
++
Windows Defender has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
+-
+
- Expiration Reason: The reason Windows Defender will expire. +
- Expiration Date: The date Windows Defender will expire. +
Symbolic name:
+MALWAREPROTECTION_DISABLED_EXPIRED_STATE +
+Message:
+The antimalware platform is expired. +
+Description::
++
Windows Defender grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
+-
+
- Expiration Reason: +
- Expiration Date: +
- Error Code: <Error code> +Result code associated with threat status. Standard HRESULT values. +
- Error Description: <Error description> +Description of the error. +