AV Defender Behavioral Scan Events service

The AV Defender Behavioral Scan Events service reports on security-related issues that AV Defender has detected and neutralized.

Basic service information

Service TypeAPI
Max instances on each device1
Supported Systems/ApplicationsAny Windows device that has AV Defender installed.
Supported Device classLaptops – Windows, Servers – Windows, Workstations - Windows
Monitored ByWindows agents


IssueCorrective Action
MisconfiguredConfirm that AV Defender has been successfully installed on the device.


The AV Defender Behavioral Events service is designed to monitor in near-real time for items blocked by the Behavioral Analysis module of AV Defender. The service will trigger a failure or warning based on the type of the event that was blocked.

The service is an event-based service. As such, the service will always show a Normal status in the N-central UI, as Failed and Warning states only last long enough to trigger a notification. This behavior allows the AV Defender Behavioral Events service to generate multiple notifications or tickets if more than one event is detected within a scan interval.

This service should always be associated with a notification profile that has a zero minute delay, to ensure that all events detected by the service generate a notification or ticket.


There are four possible Scans that the AV Defender Behavioral Scan Events service can analyze:

  • IDS Application Blocked
  • AVC Application Blocked
  • AVC Exploit Blocked
  • Other

The only available actions to monitor is “Blocked”. By default, The AV Defender Behavior Scan Events triggers a failure when any of the four event types return a Blocked action.