Logs of “Microsoft Security Essentials”
This section is intended for intermediate to advanced users, and may not frequently be needed. The purpose of this specific section, about the logs of MSE, is largely to provide some technical reference, rather than to be a guide for most average users.
- Logs using standard operating system logging methods
The System event log may have the following events.
- Source of “Microsoft Antimalware”, warning with Event ID 1006 or 1116
This sort of event log entry may be created when malware is detected.
Here is an example of some rendered text from an actual 1116 event.
Microsoft Antimalware has detected malware or other potentially unwanted software.
For more information please see the following:
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
C:\Program Files (x86)\ClamWin\bin\clamscan.exe
Signature Version: AV: 1.163.326.0, AS: 1.163.326.0, NIS: 184.108.40.206
Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0
Note: This is a rendered version of the text that would show up in Event Viewer. The XML version simply shows a lot of these details in “<DATA” tags, and so really is not more meaningful to view.
Three files were detected by this event, and a single hyperlink was made for those three files. That hyperlink does not work: clicking on the hyperlink will bring up an error message. (Part of that message notes, “Event Viewr cannot open this link.”)
In this example, the “Real-Time Protection” had a problem with a running program. That running program is shown in the “Process Name” field. The Anti-Virus scanner named “ClamWin”, which was probably run through usage of a program named “Clam Sentinel”, was performing some work. MSE interfered with that work.
- Source of “Microsoft Antimalware”, informational event with Event ID 5009
- Example: “Microsoft Antimalware has restored an item from quarantine.” The event will show a location for the file, and a hyperlink to the type of threat with which the file has been identified.
- Source of “Microsoft Antimalware”, informational event with Event ID 1117
- This has been seen when quarantining an object. The first part of the description may be, “Microsoft Antimalware has taken action to protect this machine from malware or other potentially unwanted software.”
- Source of “Microsoft Antimalware”, informational event with Event ID 5007
This can happen when changes are made. Some examples:
- An action is taken
The log from the event will note what the action was. If the action was “Allow”, there may also be another event noting the change in configuration. An action of “Remove” indicates that the user selected to remove the threat or clean the computer. The action may also say “Quarantine”.
- A change in configuration
- For example, if malicious software is allowed, or previously allowed software is removed from the allow list. An example of some text from the event is: “Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.” The change may involve the registry key HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction.
- Source of “Microsoft Antimalware”, informational event with Event ID 2000
- Example text: “Microsoft Antimalware signature version has been updated.”
- Source of “Microsoft Antimalware”, “Error” event with Event ID 2001
- Example: “Microsoft Antimalware has encountered an error trying to update signatures.” As an example of what caused this, a lack of a working Internet connection when the “Update” button is pressed in the graphics graphical user interface can lead to this. It may also reference “Error code: 0x8024402c”.
- An available command
In the location
where “Microsoft Security Essentials” was installed to, which may
C:\Program Files\Microsoft Security Essentials”, there may be a program called
which has a
-GetFilesparameter. Running this from the command line may be useful.
(which may be “
C:\ProgramData”. Specifically then, under Windows XP, look under “
.\Application Data\”, and from any supported operating system, then look under the current location for Microsoft. There may be a “
Microsoft Antimalware” (which, had a “
Definition Updates” folder prior to the uninstall), and there may be a “
Microsoft Security Essentials\Support”. They might be about 13MB in there after the software has been uninstalled.
- The program's main graphical user interface includes a “History” tab. Events may be removed from this tab, so it may not be wise to count on that tab showing a full history, particularly when multiple people have used the computer.