AV Defender Security Event service
The AV Defender Security Event service reports on security events when they are detected on a device that has AV Defender installed. The service applies to both the Managed AV Defender Security Event and the Unmanaged AV Defender Security Event.
Security event data is retained for 90 days; there is no setting to change this value.
This service cannot use Self Healing.
|Service Type||Custom API|
|Instances on a Device||1|
|Supported Systems/Applications||Any device with AV Defender installed.|
|Device Class||Workstation - Windows, Laptop - Windows, Server - Windows|
|Monitored By||Windows agents|
|Scan Interval||5 minutes|
Configure this service by selecting the detection types that AV Defender reports on, then choosing the status the service returns for each action AV Defender took on a detected threat.
Configure the AV Defender Security Event service
- Click View > All Devices in the navigation pane.
- In the Name column, click the device whose service you want to edit.
- Click the Monitor > Status tabs.
- In the Service column, click the AV Defender Security Event service.
- Click the Service Details tab.
- Under Malware Detection Type, select the detection types in the left-hand column that you want to monitor.
- Click > to move the type to the right-hand column.
- Under Monitoring Actions, move each action into the column for the status you want the AV Defender Security Event service to return when that action is reported:
- To return a Normal status, click Move to Normal
- To return a Warning status, click Move to Warning
- To return a Failed status, click Move to Failed
- Click OK.
Most detected phishing events correspond to items that the AV Defender client has already handled. Events that still show the malware as present usually involve an item inside an email archive, or a file whose removal requires a reboot. In both cases the malware has been contained, so no further action is needed. If the same alarm keeps reappearing, however, there may be something the client has not yet detected or removed, and the device should be investigated.
Notification numeric values
Notifications for the AV Defender Security Event service use numeric values to report different elements of security events with the values mapped as follows by default:
Malware Type
- 1 = File
- 2 = HTTP
- 3 = Cookie
- 4 = POP3
- 5 = SMTP
- 6 = Process
- 7 = Boot Sector
- 8 = Registry
- 9 = Stream
Malware Threat Type
- 0 = Virus
- 1 = Spyware
- 2 = Adware
- 3 = Spam
- 4 = Rootkit
- 5 = Dialer
- 6 = Application
- 7 = Archive Bomb
Malware State
- 1 = Present
- 2 = Deleted
- 3 = Blocked
- 4 = Quarantined
- 5 = Cleaned
Malware Taken Actions
- 1 = Deny/Ignore
- 3 = Disinfect
- 5 = Delete
- 7 or 9 = Move To Quarantine
- 10 = Disinfect Only
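The following is an added example, not code from N-central or AV Defender, showing how a receiving system (a SIEM or ticketing integration) can decode the numeric values above and apply the triage rule described earlier: contained outcomes map to Normal, malware still Present maps to Warning or Failed, and a path that keeps reappearing as Present is escalated. Python is used because the verifier can run it; the event field names (malware_type, threat_type, state, action, path), the sample events, and the escalation threshold are assumptions for illustration.

```python
"""Decode AV Defender Security Event notification codes and derive a service status.

Added example, not N-central's or AV Defender's own code. The code tables are
the documented defaults; the event field names, sample events and triage rule
are assumptions for illustration.
"""
from collections import Counter

MALWARE_TYPE = {1: "File", 2: "HTTP", 3: "Cookie", 4: "POP3", 5: "SMTP",
                6: "Process", 7: "Boot Sector", 8: "Registry", 9: "Stream"}
THREAT_TYPE = {0: "Virus", 1: "Spyware", 2: "Adware", 3: "Spam", 4: "Rootkit",
               5: "Dialer", 6: "Application", 7: "Archive Bomb"}
STATE = {1: "Present", 2: "Deleted", 3: "Blocked", 4: "Quarantined", 5: "Cleaned"}
ACTION = {1: "Deny/Ignore", 3: "Disinfect", 5: "Delete", 7: "Move To Quarantine",
          9: "Move To Quarantine", 10: "Disinfect Only"}

# Severity ranking; with several events on one device the worst one wins.
RANK = {"Normal": 0, "Warning": 1, "Failed": 2}

CONTAINED_STATES = ("Deleted", "Blocked", "Quarantined", "Cleaned")

# Constructed sample events (field names assumed); not real notification data.
SAMPLE_EVENTS = [
    {"malware_type": 1, "threat_type": 0, "state": 4, "action": 7,
     "path": r"C:\Users\alice\Downloads\setup.exe"},          # quarantined
    {"malware_type": 4, "threat_type": 3, "state": 3, "action": 1,
     "path": "mailbox:alice"},                                  # spam blocked
    {"malware_type": 1, "threat_type": 0, "state": 1, "action": 3,
     "path": r"C:\Users\alice\archive.pst"},                    # present, disinfect pending
    {"malware_type": 6, "threat_type": 4, "state": 1, "action": 1,
     "path": r"C:\Windows\Temp\svc.exe"},                       # present, nothing done
]


def decode(event):
    """Translate the numeric fields of one event into the documented labels.

    Unknown codes are rendered as 'Unknown(<code>)' rather than raising, so a
    code this table does not know cannot silently break the alerting path.
    """
    def label(table, code):
        return table.get(code, f"Unknown({code})")
    return {
        "malware_type": label(MALWARE_TYPE, event["malware_type"]),
        "threat_type": label(THREAT_TYPE, event["threat_type"]),
        "state": label(STATE, event["state"]),
        "action": label(ACTION, event["action"]),
        "path": event.get("path", ""),
    }


def classify(decoded):
    """Map one decoded event to Normal, Warning or Failed (assumed rule).

    Contained states are Normal. Malware still Present after an action such as
    Disinfect is Warning (typically an archive item or a pending reboot).
    Present with Deny/Ignore means nothing was done, so Failed. Any unknown
    state is treated as Failed so it gets looked at.
    """
    state, action = decoded["state"], decoded["action"]
    if state in CONTAINED_STATES:
        return "Normal"
    if state == "Present":
        return "Failed" if action == "Deny/Ignore" else "Warning"
    return "Failed"


def triage(events, repeat_threshold=3):
    """Return (overall status, Counter of paths seen in Present state).

    A path reported as Present at least repeat_threshold times is escalated to
    Failed whatever the action code, since a recurring alarm suggests something
    the client has not actually cleaned.
    """
    worst = "Normal"
    recurring = Counter()
    for raw in events:
        decoded = decode(raw)
        if decoded["state"] == "Present":
            recurring[decoded["path"]] += 1
        status = classify(decoded)
        if recurring[decoded["path"]] >= repeat_threshold:
            status = "Failed"
        if RANK[status] > RANK[worst]:
            worst = status
    return worst, recurring


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        d = decode(raw)
        print(f"{classify(d):8} {d['threat_type']:<13} {d['state']:<12} "
              f"{d['action']:<18} {d['path']}")
    print("overall:", triage(SAMPLE_EVENTS)[0])
```

Feeding the same Present event through `triage` repeatedly is what turns a Warning into a Failed here; in a real integration the events would come from consecutive 5-minute scans of the same device, and the threshold should be tuned to how long a pending reboot is normally tolerated.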