3004 detection event issues

This topic contains the following sections:

Numerous 3004 events are logged with no corresponding action-taken events

3004 event is logged with no corresponding action event

Numerous 3004 events are logged with no corresponding action-taken events

You may receive a large number of detection events (3004) from the Real Time Protection component of the Client Security agent, with no corresponding action-taken events (3005 or 3006).

Background

This can occur if the Windows Indexing Service acts on a disk location that has malware on it and there is no user logged on to the computer. The auto-clean procedure of the Client Security agent requires interaction with the desktop, which is not possible if no one is logged on.

Solution

Have the user log on to the computer and run a quick scan.

3004 event is logged with no corresponding action event

You may see periodic instances of the Malware Detected event (3004) logged without a corresponding action-succeeded (3005) or action-failed (3006) event. Additionally, the status field in the 3004 events indicates that the thread is suspended.

Background

When a user attempts to access malware through Microsoft Internet Explorer®, the Client Security agent is called to evaluate the file. After the agent detects the malware (generating a 3004 event), Internet Explorer deletes the file before it can be cleaned by the agent, thereby skipping the 3005 event.

Solution

There is no action required on the part of the administrator, because the malware was removed.
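
The following is an added example, not part of the original topic or of the product: it pairs 3004 events with 3005/3006 events in an exported event list and gives a triage hint for each computer based on the two cases described above. The record fields (host, time, id, threat, status), the five-minute window, the burst threshold, and the sample events are assumptions constructed for illustration and are not the agent's actual event schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DETECTED, ACTION_OK, ACTION_FAILED = 3004, 3005, 3006
WINDOW = timedelta(minutes=5)  # assumption: how long to wait for an action event
BURST = 3                      # assumption: what counts as "numerous" per computer

def unmatched_detections(events):
    """Return 3004 events with no 3005/3006 for the same host and threat within WINDOW."""
    events = sorted(events, key=lambda e: e["time"])
    actions = defaultdict(list)  # (host, threat) -> times of unclaimed action events
    for e in events:
        if e["id"] in (ACTION_OK, ACTION_FAILED):
            actions[(e["host"], e["threat"])].append(e["time"])
    orphans = []
    for e in (e for e in events if e["id"] == DETECTED):
        pending = actions[(e["host"], e["threat"])]
        match = next((t for t in pending
                      if e["time"] <= t <= e["time"] + WINDOW), None)
        if match is None:
            orphans.append(e)
        else:
            pending.remove(match)  # each action event accounts for one detection
    return orphans

def triage(events):
    """Map host -> hint for hosts that have unmatched 3004 events."""
    by_host = defaultdict(list)
    for e in unmatched_detections(events):
        by_host[e["host"]].append(e)
    hints = {}
    for host, orphans in by_host.items():
        if all("suspended" in e["status"].lower() for e in orphans):
            hints[host] = "status suspended: file removed by Internet Explorer, no action required"
        elif len(orphans) >= BURST:
            hints[host] = "numerous unmatched 3004: have the user log on and run a quick scan"
        else:
            hints[host] = "unmatched 3004: review manually"
    return hints

def _ev(host, hhmm, event_id, threat, status=""):
    t = datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"host": host, "time": t, "id": event_id, "threat": threat, "status": status}

SAMPLE = [  # constructed events, not real log data
    _ev("SRV01", "02:00", 3004, "ThreatA"), _ev("SRV01", "02:01", 3004, "ThreatA"),
    _ev("SRV01", "02:02", 3004, "ThreatA"), _ev("WS07", "09:15", 3004, "ThreatB", "Suspended"),
    _ev("WS09", "10:00", 3004, "ThreatC"), _ev("WS09", "10:01", 3005, "ThreatC"),
]
```

The hints are a starting point for review only; a computer that matches neither pattern still needs a manual look.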