Errors and events reference
Applies To: Forefront Client Security
The following tables list error codes and event IDs used by Client Security. The entries in the Reference column link directly to the topic in the Microsoft Forefront Client Security Troubleshooting Guide (https://go.microsoft.com/fwlink/?LinkId=86100), where the specific issue is discussed. The Troubleshooting Guide includes descriptions of the errors and events, including their causes and resolutions.
| Error codes | Reference |
|---|---|
3010 |
Setup wizard issues (https://go.microsoft.com/fwlink/?LinkID=86102) |
0x80026C4A |
Setup wizard issues (https://go.microsoft.com/fwlink/?LinkID=86102) |
1303 |
Setup wizard issues (https://go.microsoft.com/fwlink/?LinkID=86102) |
1920 |
(https://go.microsoft.com/fwlink/?LinkID=86103) |
1603 |
(https://go.microsoft.com/fwlink/?LinkID=86103) |
0x80070005 |
Client Security UI issues (https://go.microsoft.com/fwlink/?LinkID=86104) |
0x80080017 |
Client Security UI issues (https://go.microsoft.com/fwlink/?LinkID=86104) |
0x80080005 |
Troubleshooting definitions (https://go.microsoft.com/fwlink/?LinkId=86105) |
| Event ID | Reference |
|---|---|
81 |
(https://go.microsoft.com/fwlink/?LinkID=86106) |
3002 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
3004 |
(https://go.microsoft.com/fwlink/?LinkId=86108) |
3006 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
5000 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
5001 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
9029 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
10002 |
(https://go.microsoft.com/fwlink/?LinkID=86106) |
10004 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
10008 |
(https://go.microsoft.com/fwlink/?LinkID=86103) |
10016 |
(https://go.microsoft.com/fwlink/?LinkID=86106) |
10069 |
(https://go.microsoft.com/fwlink/?LinkId=86109) |
10096 |
(https://go.microsoft.com/fwlink/?LinkId=86109) |
11724 |
(https://go.microsoft.com/fwlink/?LinkId=86110) |
21268 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
21269 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
21711 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
22061 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
25100 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
26017 |
Working with Microsoft Operations Manager (https://go.microsoft.com/fwlink/?LinkId=86107) |
The following table is a global event list for Forefront Client Security.
| Event ID | Event type | Event name | Explanation | User action |
|---|---|---|---|---|
1000 |
Information |
MALWAREPROTECTION_SCAN_STARTED |
Microsoft Forefront Client Security has started a scan. This audit record includes the scan ID, type of scan (Antivirus, Antispyware, Antimalware), scan parameters, and user that started the scan. This event commonly occurs when a user or scheduled event starts a scan. |
None needed. |
1001 |
Information |
MALWAREPROTECTION_SCAN_COMPLETED |
Microsoft Forefront Client Security has completed a scan. This audit record includes the scan ID, type of scan (Antivirus, Antispyware, Antimalware), scan parameters, user that started the scan, and the amount of time the scan took to complete. This event commonly occurs when a user-initiated or scheduled scan is complete. |
None needed. |
1002 |
Warning |
MALWAREPROTECTION_SCAN_CANCELLED |
A Microsoft Forefront Client Security scan has been stopped before being completed. This is likely due to a user canceling an in-progress scan. This audit record includes the scan ID, type of scan (Antivirus, Antispyware, Antimalware), scan parameters, user that started the scan, and the amount of time the scan took to complete. This event occurs when a user-initiated or scheduled scan is terminated before it completes. |
Restart the scan when possible. |
1005 |
Error |
MALWAREPROTECTION_SCAN_FAILED |
Microsoft Forefront Client Security has encountered an error and terminated. This error record includes the scan ID, type of scan (Antivirus, Antispyware, Antimalware), scan parameters, user that started the scan, the error code, and a description of the error. |
Look up the error code and determine the course of action. |
1006 |
Warning |
MALWAREPROTECTION_SCAN_MALWARE_DETECTED |
A Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software. This audit record includes the scan ID, type of scan (Antivirus, Antispyware, Antimalware), scan parameters, user that started the scan, name of the potentially malware, threat ID, severity ID, category ID, and path of the potential malware. |
Perform the desired action on the threat. |
1007 |
Information |
MALWAREPROTECTION_SCAN_MALWARE_ACTION_TAKEN |
Microsoft Forefront Client Security has taken action to help protect this machine from spyware or other potentially unwanted software. This audit record includes the scan ID, scan type, scan parameters, user that started the scan, threat name, threat ID, severity ID, category ID, and the action taken (clean, remove, quarantine, ignore, ignore always, or block). This event occurs when an action is taken on detected potential malware. |
None needed. |
1008 |
Error |
MALWAREPROTECTION_MALWARE_ACTION_FAILED |
Microsoft Forefront Client Security has encountered an error while taking action on potential malware. This audit record includes the scan ID, scan type, scan parameters, user that started the scan, threat name, threat ID, severity ID, category ID, action taken (clean, remove, quarantine, ignore, ignore always, or block), error code, and a description of the encountered error. |
Look up the error code and determine the course of action. |
1009 |
Information |
MALWAREPROTECTION_QUARANTINE_RESTORE |
An item was restored from quarantine. |
None needed. |
1010 |
Error |
MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED |
An item was attempted to be restored from quarantine, but the restore could not be completed. |
Look up the error code and determine the course of action. |
2000 |
Informational |
MALWAREPROTECTION_SIGNATURE_UPDATED |
Microsoft Forefront Client Security signature version has been updated. This event occurs when updates are available and downloaded onto the local system. You can configure automatic checking and configuration to change the frequency of definition updates. This audit record includes the definition version after the update, definition version before the update, update source (schedule, user request, or definition update folder), definition type (Antivirus/Antispyware), update type (full definition refresh or minor update), current engine version, and previous engine version. |
None needed. |
2001 |
Error |
MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED |
Microsoft Forefront Client Security has encountered an error trying to update signatures. This audit record includes the current definition version, the definition version before attempting the failed update, error code, and a description of the error. This error could occur due to network connectivity issues while trying to update definitions. |
Resolve the connectivity issues and try updating again. |
2002 |
Informational |
MALWAREPROTECTION_ENGINE_UPDATED |
The Microsoft Forefront Client Security engine version has been updated. This event occurs when Microsoft Forefront Client Security is updated. This audit record includes the current engine version, the engine version before the update, the update source (Schedule, User Request or Definition Update Folder), and the user that started the application. This event occurs when a software update is available and installed. |
None needed. |
2003 |
Error |
MALWAREPROTECTION_ENGINE_UPDATE_FAILED |
The Microsoft Forefront Client Security encountered an error trying to update the engine. This event occurs when Microsoft Forefront Client Security tries to update itself but fails. This error record includes the current engine version, the engine version before the update, the update source (Schedule, User Request or Definition Update Folder), the user that started the application, the error code, and a description of the error. This event commonly occurs due to a connectivity break in the middle of an update. |
Resolve the connectivity issues and try updating again. |
2004 |
Error |
MALWAREPROTECTION_SIGNATURE_REVERSION |
Microsoft Forefront Client Security has encountered an error trying to load the definitions and will attempt reverting back to a known-good set of definitions. |
Re-download the latest definitions from the Microsoft Malware Protection Center (https://go.microsoft.com/fwlink/?LinkID=200965). |
3000 |
Informational |
MALWAREPROTECTION_RTP_STARTED |
Microsoft Forefront Client Security Real-Time Protection agents have started. This audit record includes the user that caused the agents to start. This event commonly occurs when Real-Time Protection starts; if Real-Time Protection is configured to automatically start, this is when the computer starts. |
None needed. |
3001 |
Informational |
MALWAREPROTECTION_RTP_STOPPED |
Microsoft Forefront Client Security Real-Time Protection agents have stopped. This audit record includes the user that caused the agents to stop. This event occurs when someone stops the Real-Time Protection agents. |
Verify that the Real-Time Protection agents have been intentionally stopped. Restart Microsoft Forefront Client Security Real-Time Protection to turn the agents on again. |
3002 |
Error |
MALWAREPROTECTION_RTP_AGENT_FAILURE |
Microsoft Forefront Client Security Real-Time Protection agents have encountered an error and failed to start. This error event includes the agent that was unable to start, the error code, and a description of the error. |
The event description will contain additional information about the error encountered. |
3003 |
Error |
MALWAREPROTECTION_RTP_CHECKPOINT_FAILURE |
A Microsoft Forefront Client Security Real-Time Protection checkpoint has encountered an error and failed to start. This error event includes the agent that was unable to start, the error code, and a description of the error. |
The event description will contain additional information about the error encountered. |
3004 |
Warning |
MALWAREPROTECTION_RTP_MALWARE_DETECTED |
The Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or software publisher. Microsoft Forefront Client Security can’t undo changes that you allow. |
Perform one of the following actions on the detected threat:
|
3005 |
Informational |
MALWAREPROTECTION_RTP_MALWARE_ACTION_TAKEN |
Microsoft Forefront Client Security Real-Time Protection agent has taken action to help protect this machine from spyware or other potentially unwanted software. |
None needed. |
3006 |
Error |
MALWAREPROTECTION_RTP_MALWARE_ACTION_FAILED |
Microsoft Forefront Client Security has encountered an error when taking action on spyware or other potentially unwanted software. |
The event description will contain additional information about the error encountered. |
3007 |
Informational |
MALWAREPROTECTION_RTP_AGENT_RECOVERED |
Microsoft Forefront Client Security Real-time Protection Agent has restarted. |
It is recommended that you run a full system scan to detect any items that were missed while the agent was not functioning. |
3008 |
Error |
MALWAREPROTECTION_RTP_STARTUP_FAILED |
Microsoft Forefront Client Security Real-Time Protection has encountered an error and failed to start. This error event includes the agent that was unable to start, the error code, and a description of the error. |
The event description will contain additional information about the error encountered. |
Controlled by Service Configuration Manager |
Informational |
MALWAREPROTECTION_SERVICE_STARTED |
The Microsoft Forefront Client Security service has started. |
None needed. |
Controlled by Service Configuration Manager |
Warning |
MALWAREPROTECTION_SERVICE_STOPPED |
The Microsoft Forefront Client Security service has stopped. |
Verify that the Microsoft Forefront Client Security service has been intentionally disabled. |
5000 |
Informational |
MALWAREPROTECTION_RTP_ENABLED |
Microsoft Forefront Client Security Real-Time Protection scanning for spyware or other potentially unwanted software was enabled. |
None needed. |
5001 |
Informational |
MALWAREPROTECTION_RTP_DISABLED |
Microsoft Forefront Client Security Real-Time Protection scanning for spyware or other potentially unwanted software was disabled. |
Verify that the Microsoft Forefront Client Security Real-time protection has been intentionally disabled. |
5002 |
Informational |
MALWAREPROTECTION_ONACCESS_ENABLED |
Microsoft Forefront Client Security OnAccess scanning for viruses was enabled. |
None needed. |
5003 |
Informational |
MALWAREPROTECTION_ONACCESS_DISABLED |
Microsoft Forefront Client Security OnAccess scanning for viruses was disabled. |
Verify that On-Access scanning was intentionally disabled. |
5004 |
Informational |
MALWAREPROTECTION_RTP_AGENT_CONFIGURED |
The Microsoft Forefront Client Security Real-Time Protection agent configuration has changed. This audit record includes the agent and the configuration element that have been changed. This event commonly occurs due to configuration changes by an administrator or user. This could indicate that malware has caused a configuration change. |
Verify that the configuration change was applied intentionally. |
5005 |
Informational |
MALWAREPROTECTION_RTP_CHECKPOINT_CONFIGURED |
The Microsoft Forefront Client Security Real-Time Protection checkpoint configuration has changed. This audit log includes the checkpoint and configuration element that have changed. This event commonly occurs after an administrator makes configuration changes. |
Verify that the configuration change was applied intentionally. |
5006 |
Error |
MALWAREPROTECTION_ONACCESS_FILTER_UNLOADED |
The Microsoft Forefront Client Security Antivirus OnAccess Filter is unloaded and OnAccess scanning is disabled. |
Restart the Antivirus OnAccess Filter service. |
5007 |
Informational |
MALWAREPROTECTION_CONFIG_CHANGED |
Microsoft Forefront Client Security Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. |
Verify the changes are intentional. |
5008 |
Error |
MALWAREPROTECTION_ENGINE_FAILURE |
Microsoft Forefront Client Security engine has been terminated due to an unexpected error. |
The event description will contain additional information about the error encountered. |
5009 |
Informational |
MALWAREPROTECTION_ANTISPYWARE_ENABLED |
Microsoft Forefront Client Security scanning for spyware and other potentially unwanted software has been enabled. |
None needed. |
5010 |
Informational |
MALWAREPROTECTION_ANTISPYWARE_DISABLED |
Microsoft Forefront Client Security scanning for spyware and other potentially unwanted software is disabled. |
Verify that scanning for spyware has been intentionally disabled. |
5011 |
Informational |
MALWAREPROTECTION_ANTIVIRUS_ENABLED |
Microsoft Forefront Client Security scanning for viruses has been enabled. |
None needed. |
5012 |
Informational |
MALWAREPROTECTION_ANTIVIRUS_DISABLED |
Microsoft Forefront Client Security scanning for viruses has been disabled. |
Verify that scanning for viruses has been intentionally disabled. |