Logs of “Microsoft Security Essentials”

This section is intended for intermediate to advanced users, and may not frequently be needed. The purpose of this specific section, about the logs of MSE, is largely to provide some technical reference, rather than to be a guide for most average users.

Logs using standard operating system logging methods

The System event log may have the following events.

Source of “Microsoft Antimalware”, warning with Event ID 1006 or 1116

This sort of event log entry may be created when malware is detected.

Here is an example of some rendered text from an actual 1116 event.

Microsoft Antimalware has detected malware or other potentially unwanted software.
 For more information please see the following:
  Name: Trojan:Win32/Bumat!rts
  ID: 2147626069
  Category: Trojan
  Path: file:_C:\Users\User\AppData\Local\Temp\clamav-0f2de5c64d9839dad4ab5526e3f58897.0000130c.clamtmp;file:_C:\Users\User\AppData\Local\Temp\clamav-78349cfea9c3ded84fe972e8b563826a.0000130c.clamtmp;file:_C:\Users\User\AppData\Local\Temp\clamav-f5e2d0fb9c324a5a9bf20095952f8818.0000130c.clamtmp
  Detection Origin: Local machine
  Detection Type: Concrete
  Detection Source: Real-Time Protection
  User: User-PC\User
  Process Name: C:\Program Files (x86)\ClamWin\bin\clamscan.exe
  Signature Version: AV: 1.163.326.0, AS: 1.163.326.0, NIS:
  Engine Version: AM: 1.1.10100.0, NIS: 2.1.10003.0

Note: This is a rendered version of the text that would show up in Event Viewer. The XML version simply shows a lot of these details in “<DATA” tags, and so really is not more meaningful to view.

Three files were detected by this event, and a single hyperlink was made for those three files. That hyperlink does not work: clicking on the hyperlink will bring up an error message. (Part of that message notes, “Event Viewr cannot open this link.”)

In this example, the “Real-Time Protection” had a problem with a running program. That running program is shown in the “Process Name” field. The Anti-Virus scanner named “ClamWin”, which was probably run through usage of a program named “Clam Sentinel”, was performing some work. MSE interfered with that work.

Source of “Microsoft Antimalware”, informational event with Event ID 5009
Example: “Microsoft Antimalware has restored an item from quarantine.” The event will show a location for the file, and a hyperlink to the type of threat with which the file has been identified.
Source of “Microsoft Antimalware”, informational event with Event ID 1117
This has been seen when quarantining an object. The first part of the description may be, “Microsoft Antimalware has taken action to protect this machine from malware or other potentially unwanted software.”
Source of “Microsoft Antimalware”, informational event with Event ID 5007

This can happen when changes are made. Some examples:

An action is taken

The log from the event will note what the action was. If the action was “Allow”, there may also be another event noting the change in configuration. An action of “Remove” indicates that the user selected to remove the threat or clean the computer. The action may also say “Quarantine”.

A change in configuration
For example, if malicious software is allowed, or previously allowed software is removed from the allow list. An example of some text from the event is: “Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.” The change may involve the registry key HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Threats\ThreatIDDefaultAction.
Source of “Microsoft Antimalware”, informational event with Event ID 2000
Example text: “Microsoft Antimalware signature version has been updated.”
Source of “Microsoft Antimalware”, “Error” event with Event ID 2001
Example: “Microsoft Antimalware has encountered an error trying to update signatures.” As an example of what caused this, a lack of a working Internet connection when the “Update” button is pressed in the graphics graphical user interface can lead to this. It may also reference “Error code: 0x8024402c”.
An available command
In the location where “Microsoft Security Essentials” was installed to, which may be “C:\Program Files\Microsoft Security Essentials”, there may be a program called MpCmdRun.exe which has a -GetFiles parameter. Running this from the command line may be useful.
Look underneath %Allusersprofile% (which may be “C:\ProgramData”. Specifically then, under Windows XP, look under “.\Application Data\”, and from any supported operating system, then look under the current location for Microsoft. There may be a “Microsoft Antimalware” (which, had a “Definition Updates” folder prior to the uninstall), and there may be a “Microsoft Security Essentials\Support”. They might be about 13MB in there after the software has been uninstalled.
The program's main graphical user interface includes a “History” tab. Events may be removed from this tab, so it may not be wise to count on that tab showing a full history, particularly when multiple people have used the computer.