AV Defender Behavioral Scan Events service

The AV Defender Behavioral Scan Events service reports on security-related issues that AV Defender has detected and neutralized.

Basic service information

Service Type API
Max instances on each device 1
Supported Systems/Applications Any Windows device that has AV Defender installed.
Supported Device class Laptops – Windows, Servers – Windows, Workstations - Windows
Monitored By Windows agents


Issue Corrective Action
Misconfigured Confirm that AV Defender has been successfully installed on the device.


The AV Defender Behavioral Events service is designed to monitor in near-real time for items blocked by the Behavioral Analysis module of AV Defender. The service will trigger a failure or warning based on the type of the event that was blocked.

The service is an event-based service. As such, the service will always show a Normal status in the N-central UI, as Failed and Warning states only last long enough to trigger a notification. This behavior allows the AV Defender Behavioral Events service to generate multiple notifications or tickets if more than one event is detected within a scan interval.

This service should always be associated with a notification profile that has a zero minute delay, to ensure that all events detected by the service generate a notification or ticket.


There are four possible Scans that the AV Defender Behavioral Scan Events service can analyze:

  • IDS Application Blocked
  • AVC Application Blocked
  • AVC Exploit Blocked
  • Other

The only available actions to monitor is “Blocked”. By default, The AV Defender Behavior Scan Events triggers a failure when any of the four event types return a Blocked action.