Windows-itpro-docs: Missing multiple events July 2020

Created on 22 Jul 2020 · 3 Comments · Source: MicrosoftDocs/windows-itpro-docs

These events are not listed

2051
Windows Defender Antivirus has encountered an error trying to upload a suspicious file for further analysis.
Filename: C:\Users\webinstall.exe
Sha256: xxxx
Current Signature Version: AV: 1.319.1664.0, AS: 1.319.1664.0
Current Engine Version: 1.1.17200.2
Error code: 0x80004005

2050
Windows Defender Antivirus has uploaded a file for further analysis.
Filename: C:\x.exe
Sha256: xxxxx

1134
Windows Defender Antivirus has audited an operation.
For more information please contact your IT administrator.
Policy Version: 637288895701269235-73b5984e3ddc2bb8b144066f210ce8e2d77169d0
Policy Rule ID: 6abb5bf8-7ae6-4f97-9c9a-9fcb60c0f230:6b2c3c43-f1fd-4949-97e8-f93e3c3a91e4
Enforcement Level: Audit
Audit Reason: 0
Timestamp: 7/22/2020 9:53:29 AM
Action Type: CopyToClipboard
Process: EXCEL.EXE
Source: \Device\HarddiskVolume4\V11.xlsm
Target: N/A
Session ID: 1
User SID: x
Signature Version: 1.319.2024.0
Engine Version: 1.1.17200.2
Product Version: 4.18.2006.10

Additional Defender channel events missing

Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event
Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode


All 3 comments

Hello @SwiftOnSecurity - Thank you for your feedback here. I couldn't find any of the errors you have mentioned with Windows Defender. Can you please confirm the Windows 10 and Windows Defender version when they appear?
Thanks
Imran.

Hello @swiftonsecurity - Did you get a chance to confirm the Windows 10 and Windows Defender version when these have appeared? Without any solid information, this information cannot be added to the document.

@e0i - FYI&A Please.

Thanks
Imran.

Looks like we may need to ask the team to get that information from the developers (or refuted in case there is incorrect information anywhere in the ticket comment).

Anyway, even if the messages look authentic, only event 1134 comes with Signature Version (1.319.2024.0), Engine Version (1.1.17200.2), and Product Version (4.18.2006.10).
2051 is followed by [Current Signature Version: AV: 1.319.1664.0, AS: 1.319.1664.0] and [Current Engine Version: 1.1.17200.2]

The remaining event and the additional list do not contain this information, so we can't create any Pull Request to have the document updated without OS Version & Build.
