Event ID 3004 — Real-Time Protection Detection

Applies To: Windows Server 2008

Real-Time Protection helps to protect users by examining auto-start extensibility points (ASEP), where spyware or other potentially unwanted software tends to install itself. If Windows Defender Real-Time Protection detects spyware or other potentially unwanted software, Windows Defender will stop the installation and raise an alert. When Windows Defender raises an alert, a decision must be made to remove the software or allow it to continue to run on your computer. If Windows Defender incorrectly identified legitimate software, you can allow it to run on the computer.

Event Details

Product: Windows Defender
ID: 3004
Source: Microsoft-Windows-Windows Defender
Version: 1.1
Symbolic Name: MALWAREPROTECTION_RTP_MALWARE_DETECTED
Message: %1 Real-Time Protection agent has detected spyware or other potentially unwanted software.
For more information please see the following:
%15
%tScan ID:%b%3
%tUser:%b%8\%9
%tName:%b%11
%tID:%b%12
%tSeverity ID:%b%13
%tCategory ID:%b%14
%tPath Found:%b%16
%tAlert Type:%b%18
%tDetection Type: %b%22

Resolve

Remove or allow spyware or other potentially unwanted software

If Real-Time Protection (RTP) detects spyware or other potentially unwanted software, Windows Defender will present you with an alert. If you are not sure whether RTP identified spyware or other potentially unwanted software, you can use the Advice section or click View more information about this item online in the alert. The alerts are listed in the Windows Defender History.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To remove spyware or other potentially unwanted software by using Windows Defender:

  1. In the Scan Results window of Windows Defender under the action column, click Remove. However, if the identified application is not spyware or other potentially unwanted software, click Ignore to ignore the alert for this scan, or click Always Allow to ignore this alert in the current scan and all future Windows Defender scans.
  2. Click Apply Actions.
  3. Under Scan Results, wait for Actions completed to display, and then close Windows Defender.

Verify

When Windows Defender takes an action on spyware or other potentially unwanted software, an entry is created in the Windows Defender History. To verify that the spyware or other potentially unwanted software was successfully removed from your computer, you should verify that an entry was created in the Windows Defender History and that the appropriate action was taken.

To perform this procedure, you must be a member of the Users group, or you must have been delegated the appropriate authority.

To verify that the spyware or other potentially unwanted software was successfully removed:

  1. Click Start, point to All Programs, and then click Windows Defender.
  2. Click History.
  3. Under Programs and Actions, verify that the Action Taken column says Remove.
  4. Verify that the Status column says Succeeded.
  5. Close Windows Defender.

Note: If you clicked Ignore or Always Allow for the action in the Windows Defender alert, the Action Taken column will display either Ignore or Always Allow.

Real-Time Protection Detection

Windows Defender