AV Defender Behavioral Scan Events service
The AV Defender Behavioral Scan Events service reports on security-related issues that AV Defender has detected and neutralized.
Basic service information
| Max instances on each device | 1 |
| Supported Systems/Applications | Any Windows device that has AV Defender installed. |
| Supported Device class | Laptops – Windows, Servers – Windows, Workstations – Windows |
| Monitored By | Windows agents |
| Misconfigured | Confirm that AV Defender has been successfully installed on the device. |
The AV Defender Behavioral Events service is designed to monitor in near-real time for items blocked by the Behavioral Analysis module of AV Defender. The service will trigger a failure or warning based on the type of the event that was blocked.
The service is an event-based service. As such, the service will always show a Normal status in the N-central UI, as Failed and Warning states only last long enough to trigger a notification. This behavior allows the AV Defender Behavioral Events service to generate multiple notifications or tickets if more than one event is detected within a scan interval.
This service should always be associated with a notification profile that has a zero-minute delay, to ensure that every event detected by the service generates a notification or ticket.
There are four possible scans that the AV Defender Behavioral Scan Events service can analyze:
- IDS Application Blocked
- AVC Application Blocked
- AVC Exploit Blocked
The only available action to monitor is “Blocked”. By default, the AV Defender Behavioral Scan Events service triggers a failure when any of the four event types returns a Blocked action.