AV Defender Behavioral Scan Events service
The AV Defender Behavioral Scan Events service reports on security-related issues that AV Defender has detected and neutralized.
Basic service information
Service Type | API |
Max instances on each device | 1 |
Supported Systems/Applications | Any Windows device that has AV Defender installed. |
Supported Device class | Laptops – Windows, Servers – Windows, Workstations – Windows |
Monitored By | Windows agents |
Troubleshooting
Issue | Corrective Action |
---|---|
Misconfigured | Confirm that AV Defender has been successfully installed on the device. |
Monitoring
The AV Defender Behavioral Events service is designed to monitor, in near real time, for items blocked by the Behavioral Analysis module of AV Defender. The service triggers a failure or warning based on the type of event that was blocked.
The service is an event-based service. As such, the service will always show a Normal status in the N-central UI, as Failed and Warning states only last long enough to trigger a notification. This behavior allows the AV Defender Behavioral Events service to generate multiple notifications or tickets if more than one event is detected within a scan interval.
This service should always be associated with a notification profile that has a zero-minute delay, to ensure that all events detected by the service generate a notification or ticket.
Configuration
There are four possible Scans that the AV Defender Behavioral Scan Events service can analyze:
- IDS Application Blocked
- AVC Application Blocked
- AVC Exploit Blocked
- Other
The only available action to monitor is “Blocked”. By default, the AV Defender Behavioral Scan Events service triggers a failure when any of the four event types returns a Blocked action.