Export (0) Print
Expand All

3004 detection event issues

This topic contains the following sections:

Numerous 3004 events are logged with no corresponding action-taken events

3004 event is logged with no corresponding action event

You may receive a large number of detection events (3004) from the Real Time Protection component of the Client Security agent, with no corresponding action-taken events (3005 or 3006).


This can occur if the Windows Indexing Service acts on a disk location that has malware on it and there is no user logged on to the computer. The auto-clean procedure of the Client Security agent requires interaction with the desktop, which is not possible if no one is logged on.


Have the user log on to the computer and run a quick scan.

You may see periodic instances of the Malware Detected event (3004) logged without a corresponding action succeeded (3005) or failed (3006). Additionally, the status field in the 3004 events indicates that the thread is suspended.


When a user attempts to access malware through Microsoft Internet Explorer®, the Client Security agent is called to evaluate the file. After the agent detects the malware (generating a 3004 event), Internet Explorer deletes the file before it can be cleaned by the agent, thereby skipping the 3005 event.


There is no action required on the part of the administrator, because the malware was removed.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
© 2015 Microsoft