Re: [ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread dan (ddp)
On Wed, May 18, 2016 at 2:33 PM, Patrick Müller wrote:
> Hi guys.
>
>
> My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via
> ports.
>
>
> I have this custom configuration for an active response which blocks web
> attacks.
>
>   <active-response>
>     <command>ipfw-www</command>
>     <location>local</location>
>     <timeout>43200</timeout>
>     <rules_id>30202,31151</rules_id>
>   </active-response>
>
>
> This is my test with logtest
>
>
> **Phase 1: Completed pre-decoding.
>
>full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173]
> [client ip:54252] [client ip] ModSecurity: Access denied with code 403
> (phase 2). Match of "rx
> (^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl=|^/etc/img/)"
> against "REQUEST_URI" required. [file
> "/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
> [line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt
> to access protected file remotely"] [data "../etc/"] [severity "CRITICAL"]
> [hostname "site-name"] [uri "/home/home.php"] [unique_id
> "VzxzJZKkXAIAAASV6VUH"]'
>
>hostname: 'host'
>
>program_name: '(null)'
>
>log: same as the full event
>
>
> **Phase 2: Completed decoding.
>
>decoder: 'apache-errorlog'
>

There is no IP address for your script to block (assuming it needs one).

>
> **Phase 3: Completed filtering (rules).
>
>Rule id: '30202'
>
>Level: '10'
>
>Description: 'Multiple attempts blocked by Mod Security.'
>
> **Alert to be generated.
>
>
> My problem is not in the file that executes the blocking action, because rule
> 31151 works.
>
>
> My alert in active-response:
> /usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
> 1463590617.6659091 31151
>
>
> Debug mode of logtest
>
>
> 2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0
>
> 2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0
>
>
>
> If logtest can decode my event log correctly and knows the rule, and the
> active response works for other rules, where is my error? Why doesn't the
> rule to block this action work?
>
>
> Any idea is welcome. Thanks
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
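
Added example for dan's reply above (code written for this page; it is neither OSSEC's apache-errorlog decoder nor Patrick's ipfw-www.sh): a stand-in parser for the Apache 2.4/ModSecurity error line, and the argv an active-response script is handed. Assumptions: the function names, the RFC 5737 address 203.0.113.5 substituted for the redacted client, a shortened rule-file path and regex in the sample line, and IPv4-only client parsing. The argv order <script> <add|delete> <user> <srcip> <alert-id> <rule-id> is the documented one for OSSEC 2.x active-response scripts (it is the shape of the "add - ip 1463590617.6659091 31151" call in the thread), and skipping the command when it expects srcip but the alert has none models the <expect> element of an active-response <command>.

```python
"""Stand-in for the path from an Apache/ModSecurity error line to an
active-response script. Added example, not OSSEC's apache-errorlog decoder
and not the poster's ipfw-www.sh."""
import ipaddress
import re

# Apache 2.4 writes "[client IP:port]"; the port has to be stripped before the
# address can be handed to a firewall script. IPv4 only, to keep this short.
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
# The ModSecurity fields an alert would carry: HTTP status, WAF rule id, message.
MODSEC_RE = re.compile(r'ModSecurity: Access denied with code (\d+).*?'
                       r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')


def parse_error_line(line):
    """Return {srcip, http_status, modsec_id, msg}. srcip is None whenever the
    line carries no valid IPv4 client address (absent, malformed, or redacted
    to a placeholder such as 'ip', as in the pasted logtest output)."""
    fields = {"srcip": None, "http_status": None, "modsec_id": None, "msg": None}
    m = CLIENT_RE.search(line)
    if m:
        try:
            fields["srcip"] = str(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            pass  # e.g. an octet above 255: not an address we can block
    m = MODSEC_RE.search(line)
    if m:
        fields["http_status"], fields["modsec_id"], fields["msg"] = m.groups()
    return fields


def active_response_argv(script, fields, alert_id, rule_id, expect="srcip", user="-"):
    """argv for the 'add' call and for the 'delete' call run after <timeout>:
    <script> <add|delete> <user> <srcip> <alert id> <rule id>, '-' for a
    missing user. Models the <expect> element of an active-response <command>:
    a command that expects srcip is not run for an alert without one, which is
    the 'no IP address for your script to block' case."""
    if expect == "srcip" and fields["srcip"] is None:
        return None
    tail = [user, fields["srcip"] or "-", alert_id, str(rule_id)]
    return {"add": [script, "add"] + tail, "delete": [script, "delete"] + tail}


# Constructed samples: the thread's line with the RFC 5737 address 203.0.113.5
# in place of the redacted client and a shortened rule path, then the same line
# with the redaction exactly as it was pasted.
SAMPLE_OK = (
    '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173] [client 203.0.113.5:54252] '
    'ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^/etc/img/)" '
    'against "REQUEST_URI" required. [file "10_asl_rules.conf"] [line "219"] '
    '[id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules: Attempt to access '
    'protected file remotely"] [severity "CRITICAL"] [uri "/home/home.php"]'
)
SAMPLE_REDACTED = SAMPLE_OK.replace("[client 203.0.113.5:54252]",
                                    "[client ip:54252] [client ip]")

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_REDACTED):
        fields = parse_error_line(line)
        print(fields)
        print(active_response_argv("ipfw-www.sh", fields, "1463590617.6659091", 30202))
```

On the redacted line the parser returns srcip None and no argv at all, which is the situation dan describes. Before blaming the script, confirm in the ossec-logtest Phase 2 output that a srcip field is actually decoded for the event; if it is not, the decoder, not the active response, is where to look.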


[ossec-list] Apache Rules don't Trigger Active Response

2016-05-18 Thread Patrick Müller
Hi guys.


My configuration is Freebsd-10.2 with ossec-hids-local-2.8.3 installed via
ports.


I have this custom configuration for an active response which blocks web
attacks.


  <active-response>
    <command>ipfw-www</command>
    <location>local</location>
    <timeout>43200</timeout>
    <rules_id>30202,31151</rules_id>
  </active-response>


This is my test with logtest:


**Phase 1: Completed pre-decoding.

   full event: '[Wed May 18 10:50:29.541536 2016] [:error] [pid 1173]
[client ip:54252] [client ip] ModSecurity: Access denied with code 403
(phase 2). Match of "rx
(^/file?file=/etc/cccam.cfg$|event=update_asl_config|^/etc/(?:js/|?)|^/index.php?module=asl=|^/etc/img/)"
against "REQUEST_URI" required. [file
"/usr/local/etc/apache24/Includes/modsecurity2/activated_rules/10_asl_rules.conf"]
[line "219"] [id "390709"] [rev "26"] [msg "Atomicorp.com WAF Rules:
Attempt to access protected file remotely"] [data "../etc/"] [severity
"CRITICAL"] [hostname "site-name"] [uri "/home/home.php"] [unique_id
"VzxzJZKkXAIAAASV6VUH"]'

   hostname: 'host'

   program_name: '(null)'

   log: same as the full event


**Phase 2: Completed decoding.

   decoder: 'apache-errorlog'


**Phase 3: Completed filtering (rules).

   Rule id: '30202'

   Level: '10'

   Description: 'Multiple attempts blocked by Mod Security.'

**Alert to be generated.


My problem is not in the file that executes the blocking action, because rule
31151 works.


My alert in active-response:
/usr/local/ossec-hids/active-response/bin/ipfw-www.sh add - ip
1463590617.6659091 31151


Debug mode of logtest:


2016/05/18 15:09:13 4 : rule:30202, level 10, timeout: 0

2016/05/18 15:09:14 3 : rule:31151, level 9, timeout: 0



If logtest can decode my event log correctly and knows the rule, and the
active response works for other rules, where is my error? Why doesn't the
rule to block this action work?

Any idea is welcome. Thanks



[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Rob B
Nice!  Thanks Pedro!  I've got it now..

Cheers.


On Wednesday, May 18, 2016 at 10:09:14 AM UTC-4, Pedro S wrote:
>
> Hi Rob,
>
> extra_data is another allowed field used by OSSEC decoders to extract 
> information from the event; once it is extracted you can match the field 
> content in order to create a rule.
> The content of extra_data depends on the decoder which extracted it; in 
> Windows decoders it could be, for example: Win source, Parent Image, Protocol, 
> Signature, Start function...
>
> Best regards,
>
> Pedro S.
>
> On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote:
>>
>> Thanks Brent! Funny enough, that day I figured it out and built a 
>> whole bunch very similar to your list.  Seems to be working very nicely, as 
>> now I find myself leaning to creating some downright creative 
>> composites  (finally)
>>
>> I've been looking for some reference material on the <extra_data> tag? 
>>  How is this used properly?
>>
>>
>>
>> Cheers!   Rob
>>
>>
>> On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote:
>>>
>>> Rob - can you post your OSSEC version of the log?  I can check my rules. 
>>>  These are a culmination of gleaned rules that I updated some time back 
>>> with new event IDs.  Yours is covered in there  but I would like to 
>>> test it against a valid OSSEC log.  So if you can post it from the OSSEC 
>>> logs, that'd be great.
>>>
>>> Here they are..
>>>
>>> 
>>> 
>>> 
>>> 
>>>   
>>> windows
>>> 18101,18102,18103
>>> ^Microsoft Antimalware
>>> Grouping of Microsoft Security Essentials 
>>> rules.
>>>   
>>>
>>>   
>>> 720001
>>> ^1118$|^1119$
>>> virus,
>>> Microsoft Security Essentials - Virus detected, but 
>>> unable to remove.
>>>   
>>>   
>>> 720001
>>> ^1117$
>>> virus,
>>> Microsoft Security Essentials - Virus detected and 
>>> properly removed.
>>>   
>>>
>>>   
>>> 720001
>>> ^1119$|^1118$|^1117$|^1116$
>>> virus,
>>> Microsoft Security Essentials - Virus 
>>> detected.
>>>   
>>>
>>>   
>>> 720001
>>> ^1015$
>>> virus,
>>> Microsoft Security Essentials - Suspicious activity 
>>> detected.
>>>   
>>>
>>>
>>>   
>>> 720001
>>> ^5007$
>>> Microsoft Security Essentials - Configuration 
>>> changed.
>>> policy_changed,
>>>   
>>>   
>>> 720001
>>> ^5008$
>>> Microsoft Security Essentials - Service 
>>> failed.
>>>   
>>>   
>>> 720001
>>> ^3002$
>>> Microsoft Security Essentials - Real time protection 
>>> failed.
>>>   
>>>   
>>> 720001
>>> ^2012$
>>> Microsoft Security Essentials - Cannot use Dynamic 
>>> Signature Service.
>>>   
>>>   
>>> 720001
>>> ^2004$
>>> Microsoft Security Essentials - Loading definitions 
>>> failed. Using last good set.
>>>   
>>>   
>>> 720001
>>> ^2003$
>>> Microsoft Security Essentials - Engine update 
>>> failed.
>>>   
>>>   
>>> 720001
>>> ^2001$
>>> Microsoft Security Essentials - Definitions update 
>>> failed.
>>>   
>>>   
>>> 720001
>>> ^1005$
>>> Microsoft Security Essentials - Scan error. Scan has 
>>> stopped.
>>>   
>>>   
>>> 720001
>>> ^1002$
>>> Microsoft Security Essentials - Scan stopped before 
>>> completion.
>>>   
>>>
>>>   
>>>   
>>>   
>>> 720012
>>> Virus:DOS/EICAR_Test_File
>>> alert_by_email
>>> Microsoft Security Essentials - EICAR test file 
>>> detected.
>>>   
>>>   
>>> 720011
>>> Virus:DOS/EICAR_Test_File
>>> alert_by_email
>>> Microsoft Security Essentials - EICAR test file 
>>> removed.
>>>   
>>>   
>>> 720010
>>> Virus:DOS/EICAR_Test_File
>>> alert_by_email
>>> Microsoft Security Essentials - EICAR test file 
>>> detected, but removal failed.
>>>   
>>>
>>>   
>>>   
>>> 720001
>>> ^2000$
>>> Microsoft Security Essentials - Signature database 
>>> updated.
>>>   
>>>   
>>> 720001
>>> ^2002$
>>> Microsoft Security Essentials - Scan engine 
>>> updated.
>>>   
>>>   
>>> 720001
>>> ^1000$|^1001$
>>> Microsoft Security Essentials - Scan started or 
>>> stopped.
>>>   
>>>   
>>> 720001
>>> ^1013$
>>> Microsoft Security Essentials - History 
>>> cleared.
>>>   
>>>
>>>   
>>>   
>>> 720011
>>> Multiple Microsoft Security Essentials AV warnings 
>>> detected.
>>>   
>>>   
>>> 720012
>>> Multiple Microsoft Security Essentials AV warnings 
>>> detected.
>>>   
>>>
>>>  
>>>
>>>
>>> On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:

 Hello All,

Does anyone have a decoder for Windows Defender floating around out 
 there??

 I'm having a heck of a time...   Here is the event channel event example 
 if anyone is curious or can help:  (Win10 box)

 Log Name:  Microsoft-Windows-Windows Defender/Operational
 Source:

Re: [ossec-list] Ossec rules matching order and other

2016-05-18 Thread Jesus Linares
Hi Issam,

Regarding the rule order, OSSEC checks a rule and its children recursively. 
Try to launch ossec-logtest with the argument -v:

log: '2014 Dec 20 09:29:47 WinEvtLog: Microsoft-Windows-Sysmon/Operational: 
INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: 
WIN-U93G48C7BOP: Process Create:  UtcTime: 12/20/2014 2:29 PM  ProcessGuid: 
{-87DB-5495--001045F25A00}  ProcessId: 3048  Image: 
C:\Windows\system32\svchost.exe  CommandLine: 
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Administrator\Desktop\ossec.log 
 User: WIN-U93G48C7BOP\Administrator  LogonGuid: 
{-84B8-5494--0020CB330200}  LogonId: 0x233CB 
 TerminalSessionId: 1  IntegrityLevel: High  HashType: SHA1  Hash: 
9FEF303BEDF8430403915951564E0D9888F6F365  ParentProcessGuid: 
{-84B9-5494--0010BE4A0200}  ParentProcessId: 848  ParentImage: 
C:\Windows\Explorer.EXE  ParentCommandLine: C:\Windows\Explorer.EXE'


**Phase 2: Completed decoding.
   decoder: 'windows'
   status: 'C:\Windows\system32\svchost.exe'
   dstuser: 'WIN-U93G48C7BOP\Administrator'
   url: '9FEF303BEDF8430403915951564E0D9888F6F365'
   extra_data: 'C:\Windows\Explorer.EXE'


**Rule debugging:
Trying rule: 6 - Generic template for all windows rules.
   *Rule 6 matched.
   *Trying child rules.
Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
Trying rule: 18100 - Group of windows rules.
   *Rule 18100 matched.
   *Trying child rules.
Trying rule: 18101 - Windows informational event.
Trying rule: 18102 - Windows warning event.
Trying rule: 18104 - Windows audit success event.
Trying rule: 184666 - Sysmon - Suspicious Process - svchost.exe
   *Rule 184666 matched.
   *Trying child rules.
Trying rule: 184667 - Sysmon - Legitimate Parent Image - svchost.exe


**Phase 3: Completed filtering (rules).
   Rule id: '184666'
   Level: '12'
   Description: 'Sysmon - Suspicious Process - svchost.exe'
**Alert to be generated.


Regards.

On Wednesday, May 18, 2016 at 5:18:28 PM UTC+2, dan (ddpbsd) wrote:
>
> On Wed, May 18, 2016 at 10:47 AM, Issam Aouad Tabet wrote: 
> > Hey everyone, 
> > 
> > I am wondering if anyone can help me with these two questions: 
> > 
> > 1. I am using ossec-logtest to test my rules in order to match them with 
> > some Windows logs. Does anyone know in which order the rules are tested? 
> > It seems it is not ID number order.. 
> > 
> > 2. Here is the default predefined rule that matches all windows events: 
> >   <rule id="18100" level="0">
> >     <category>windows</category>
> >     <description>Group of windows rules.</description>
> >   </rule>
> > 
> > How is this linked with the windows event log decoder in 
> > ossec/etc/decoder.xml? Can anyone explain why this matches all windows 
> > events? Is it through the category tag? Because there is no "match" tag.. 
> > 
>
> Yes, it's the category tag. Here's the windows decoder: 
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): </regex>
>   <order>status, id, extra_data, user, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> The <type> option sets log messages that match that decoder to "windows." 
> The rules use that as a category. So basically anything that matches 
> the windows decoder should automagically trigger rule 18100. 
> This is preferable to just matching the decoder, because a number of 
> decoders can set the same type. 
>
> > Thanks a lot!! 
> > 



Re: [ossec-list] Ossec rules matching order and other

2016-05-18 Thread dan (ddp)
On Wed, May 18, 2016 at 10:47 AM, Issam Aouad Tabet wrote:
> Hey everyone,
>
> I am wondering if anyone can help me with these two questions:
>
> 1. I am using ossec-logtest to test my rules in order to match them with
> some Windows logs. Does anyone know in which order the rules are tested?
> It seems it is not ID number order..
>
> 2. Here is the default predefined rule that matches all windows events:
>   <rule id="18100" level="0">
>     <category>windows</category>
>     <description>Group of windows rules.</description>
>   </rule>
>
> How is this linked with the windows event log decoder in
> ossec/etc/decoder.xml? Can anyone explain why this matches all windows
> events? Is it through the category tag? Because there is no "match" tag..
>

Yes, it's the category tag. Here's the windows decoder:
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

The <type> option sets log messages that match that decoder to "windows."
The rules use that as a category. So basically anything that matches
the windows decoder should automagically trigger rule 18100.
This is preferable to just matching the decoder, because a number of
decoders can set the same type.

> Thanks a lot!!
>

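
Added example for dan's and Jesus's replies above (toy code written for this page, not OSSEC's analysisd): the stock windows decoder translated to Python, a small rule tree, and a walk that reproduces the "Trying rule" order that ossec-logtest -v prints. Assumptions: OSSEC's \.+ fields are rendered as lazy Python matches, which reproduces the field split the stock decoder gives on such lines; the 181xx levels are quoted from memory of the stock windows rules; rule 100100 is a constructed local rule in the style of Brent's Security Essentials rules in the other thread, keyed on the Windows Defender 1116 event Rob posted there; the sample WinEvtLog line is constructed from that event and all function names are mine.

```python
"""Toy model of OSSEC's decoder -> category -> rule-tree path. Added example:
the regexes are the stock 'windows' decoder translated from OSSEC's regex
dialect to Python's; the 181xx rules are abridged from the stock windows rules
(levels from memory); rule 100100 is a made-up local rule."""
import re

DECODER_NAME = "windows"
DECODER_TYPE = "windows"  # <type>: what a rule's <category> is compared against

# <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
PREMATCH = re.compile(r"\d{4} \w{3} \d\d \d\d:\d\d:\d\d WinEvtLog: |WinEvtLog: ")
# OSSEC's '\.' means any character; its '\.+' fields are matched lazily here so
# each stops at the next ': ' separator, which is how the fields come out of
# the real decoder (status, id, extra_data, user, system_name).
REGEXES = [
    # <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
    (re.compile(r".+?: (\w+)\((\d+)\): (.+?): "), ("status", "id", "extra_data")),
    # <regex>(\.+): \.+: (\S+): </regex>  (applied where the previous one stopped)
    (re.compile(r"(.+?): .+?: (\S+): "), ("user", "system_name")),
]


def decode(log):
    """Return the decoded fields for a WinEvtLog line, or None if the
    prematch fails (this decoder is then simply not the right one)."""
    m = PREMATCH.match(log)
    if not m:
        return None
    event = {"decoder": DECODER_NAME, "category": DECODER_TYPE}
    pos = m.end()
    for pattern, names in REGEXES:
        m = pattern.match(log, pos)
        if not m:
            break
        event.update(zip(names, m.groups()))
        pos = m.end()
    return event


# Rule keys mirror the XML tags; "event_id" stands for the <id> tag. A rule
# without <if_sid> is a root and is tied to decoders only through <category>.
RULES = [
    {"id": 18100, "level": 0, "category": "windows", "description": "Group of windows rules."},
    {"id": 18101, "level": 0, "if_sid": 18100, "status": "^INFORMATION", "description": "Windows informational event."},
    {"id": 18102, "level": 0, "if_sid": 18100, "status": "^WARNING", "description": "Windows warning event."},
    {"id": 18103, "level": 5, "if_sid": 18100, "status": "^ERROR", "description": "Windows error event."},
    {"id": 18104, "level": 0, "if_sid": 18100, "status": "^AUDIT_SUCCESS", "description": "Windows audit success event."},
    {"id": 18105, "level": 4, "if_sid": 18100, "status": "^AUDIT_FAILURE", "description": "Windows audit failure event."},
    # Constructed local rule in the style of Brent's list: hang it off 18102 and
    # match the source (extra_data) and the event id of Rob's Defender event.
    {"id": 100100, "level": 10, "if_sid": 18102, "extra_data": "^Microsoft-Windows-Windows Defender",
     "event_id": "^1116$", "description": "Windows Defender detected malware (constructed rule)."},
]
FIELD_TAGS = {"status": "status", "extra_data": "extra_data", "event_id": "id", "user": "user"}


def rule_matches(rule, event):
    """Category must equal the decoder <type>; every field regex the rule carries
    must match the decoded field (a missing field never matches)."""
    if "category" in rule and rule["category"] != event["category"]:
        return False
    for tag, field in FIELD_TAGS.items():
        if tag in rule and not re.search(rule[tag], event.get(field, "")):
            return False
    return True


def evaluate(event):
    """Walk the tree the way 'ossec-logtest -v' prints it: try the roots, and on
    a match descend into that rule's <if_sid> children; the deepest match is
    the alert. Returns (winning rule or None, rule ids tried in order)."""
    trace = []
    roots = [r for r in RULES if "if_sid" not in r]
    return _walk(roots, event, trace), trace


def _walk(candidates, event, trace):
    for rule in candidates:
        trace.append(rule["id"])
        if rule_matches(rule, event):
            child = _walk([r for r in RULES if r.get("if_sid") == rule["id"]], event, trace)
            return child or rule
    return None


# Constructed sample: Rob's Windows 10 Defender event (id 1116, level Warning,
# computer VICTIM0) in the layout the agent's eventchannel reader forwards.
DEFENDER_LINE = (
    "2016 Apr 22 16:05:17 WinEvtLog: Microsoft-Windows-Windows Defender/Operational: "
    "WARNING(1116): Microsoft-Windows-Windows Defender: SYSTEM: NT AUTHORITY: VICTIM0: "
    "Windows Defender has detected malware or other potentially unwanted software."
)

if __name__ == "__main__":
    event = decode(DEFENDER_LINE)
    rule, trace = evaluate(event)
    print(event)
    print("tried", trace, "-> rule", rule["id"], "level", rule["level"])
```

Note in the trace that 100100 is tried right after 18102 matched and before 18103..18105 are ever looked at: order follows the if_sid tree, not the numeric id, which is the answer to Issam's first question.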


[ossec-list] Ossec rules matching order and other

2016-05-18 Thread Issam Aouad Tabet
Hey everyone,

I am wondering if anyone can help me with these two questions:

1. I am using ossec-logtest to test my rules in order to match them with 
some Windows logs. Does anyone know in which order the rules are tested?
It seems it is not ID number order..

2. Here is the default predefined rule that matches all windows events:
  <rule id="18100" level="0">
    <category>windows</category>
    <description>Group of windows rules.</description>
  </rule>

How is this linked with the windows event log decoder in 
ossec/etc/decoder.xml? Can anyone explain why this matches all windows 
events? Is it through the category tag? Because there is no "match" tag..

Thanks a lot!!



Re: [ossec-list] Re: Duplicated counter

2016-05-18 Thread Pedro S
Hi,

Your configuration is working properly in my environment; what Windows 
version are you running?

An EventChannel bookmark identifies an event in a channel or log file; 
bookmarks are created by OSSEC in order to subscribe to an event list.
I can see in my lab how the bookmark is created first in the tmp/ folder and 
then moved to the bookmarks/ folder.

Tracing your errors, the first one appears when OSSEC tries to rename the 
bookmark tmp file, function rename_ex (1 & 2); the second error is a 
consequence of the first.

I can assume the file no longer exists in that folder or OSSEC does not have 
enough permissions to move/rename it. Try to run uninstall.exe and install 
OSSEC again from scratch; if that does not work, try to grant permissions to 
the group "Administrators".


Best regards,

Pedro S.


On Monday, May 16, 2016 at 2:07:57 PM UTC+2, Abdulvehhab Agin wrote:
>
> Hi Pedro,
>
>
> My ossec.conf and internal_options.conf is attached.
>
>
> I set remoted.verify_msg_id=0 to ignore the Duplicated error
>
>
> On Friday, May 13, 2016 at 7:57:57 PM UTC+3, Pedro S wrote:
>>
>> Just to be sure, the variable I was talking about is:
>>
>> # Verify msg id (set to 0 to disable it)
>>> remoted.verify_msg_id=1
>>
>>
>> At /var/ossec/etc/internal_options.conf
>>
>>
>> Best regards,
>>
>> Pedro S.
>>
>>
>> On Friday, May 13, 2016 at 3:53:20 PM UTC+2, Pedro S wrote:
>>>
>>> Hi,
>>>
>>> I don't think verify_msg will be related to those errors.
>>>
>>> It seems like those files (EventChannel bookmarks) no longer exist in the 
>>> tmp folder or OSSEC does not have enough permissions; try to reinstall the 
>>> agent.
>>> If you prefer, paste your EventChannel queries here so I can test them 
>>> in my lab.
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>>
>>>
>>> On Fri, May 13, 2016 at 1:37 PM, Abdulvehhab Agin wrote:
>>>
 When I change verify_msg_id=0, I have lots of errors in the ossec log




 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move 
 (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary 
 bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move 
 (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary 
 bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)
 2016/05/13 14:33:17 ossec-agent: ERROR: Could not move 
 (tmp/Security-a06404) to (bookmarks/Security) which returned (5)
 2016/05/13 14:33:17 ossec-agent: ERROR: Could not rename_ex() temporary 
 bookmark (tmp/Security-a06404) to (bookmarks/Security) for (Security)



 On Thursday, May 12, 2016 at 10:37:15 AM UTC+3, Pedro S wrote:
>
> Hi,
>
> If multiple agents are using the same key, you need to set them 
> up with their own unique key.
> If you re-installed an agent and didn't back up the rids files, 
> you should create a new key for the agent and use that.
> If you prefer to avoid any counter errors, try to deactivate counters: 
> open the file etc/internal_options.conf (Manager & Agent) and set 
> verify_msg_id=0.
>
>
> Regards,
>
>
> Pedro S.
>
> On Wednesday, May 11, 2016 at 10:33:00 PM UTC+2, Abdulvehhab Agin 
> wrote:
>>
>> Hi,
>>
>>
>>
>> Sometimes the ossec server gives "ERROR: Duplicated counter for" 
>> errors. Especially since we have mass logs and the log-sending protocol is 
>> UDP, the rids counters of agent and server are sometimes inconsistent.
>>
>>
>> When I see this error, I see the agent is inactive. After this, the agent 
>> won't send any logs.
>>
>>
>> How can I solve this problem?
>>
>>
>> OSSEC version 2.8.3
>>

>>>
>>>

[ossec-list] Re: Windows Defender Decoder ?

2016-05-18 Thread Pedro S
Hi Rob,

extra_data is another allowed field used by OSSEC decoders to extract 
information from the event; once it is extracted you can match the field 
content in order to create a rule.
The content of extra_data depends on the decoder which extracted it; in 
Windows decoders it could be, for example: Win source, Parent Image, Protocol, 
Signature, Start function...

Best regards,

Pedro S.

On Tuesday, May 17, 2016 at 5:32:25 PM UTC+2, Rob B wrote:
>
> Thanks Brent! Funny enough, that day I figured it out and built a 
> whole bunch very similar to your list.  Seems to be working very nicely, as 
> now I find myself leaning to creating some downright creative 
> composites  (finally)
>
> I've been looking for some reference material on the <extra_data> tag? 
>  How is this used properly?
>
>
>
> Cheers!   Rob
>
>
> On Monday, May 16, 2016 at 5:22:08 PM UTC-4, Brent Morris wrote:
>>
>> Rob - can you post your OSSEC version of the log?  I can check my rules. 
>>  These are a culmination of gleaned rules that I updated some time back 
>> with new event IDs.  Yours is covered in there  but I would like to 
>> test it against a valid OSSEC log.  So if you can post it from the OSSEC 
>> logs, that'd be great.
>>
>> Here they are..
>>
>> 
>> 
>> 
>> 
>>   
>> windows
>> 18101,18102,18103
>> ^Microsoft Antimalware
>> Grouping of Microsoft Security Essentials 
>> rules.
>>   
>>
>>   
>> 720001
>> ^1118$|^1119$
>> virus,
>> Microsoft Security Essentials - Virus detected, but 
>> unable to remove.
>>   
>>   
>> 720001
>> ^1117$
>> virus,
>> Microsoft Security Essentials - Virus detected and 
>> properly removed.
>>   
>>
>>   
>> 720001
>> ^1119$|^1118$|^1117$|^1116$
>> virus,
>> Microsoft Security Essentials - Virus 
>> detected.
>>   
>>
>>   
>> 720001
>> ^1015$
>> virus,
>> Microsoft Security Essentials - Suspicious activity 
>> detected.
>>   
>>
>>
>>   
>> 720001
>> ^5007$
>> Microsoft Security Essentials - Configuration 
>> changed.
>> policy_changed,
>>   
>>   
>> 720001
>> ^5008$
>> Microsoft Security Essentials - Service 
>> failed.
>>   
>>   
>> 720001
>> ^3002$
>> Microsoft Security Essentials - Real time protection 
>> failed.
>>   
>>   
>> 720001
>> ^2012$
>> Microsoft Security Essentials - Cannot use Dynamic 
>> Signature Service.
>>   
>>   
>> 720001
>> ^2004$
>> Microsoft Security Essentials - Loading definitions 
>> failed. Using last good set.
>>   
>>   
>> 720001
>> ^2003$
>> Microsoft Security Essentials - Engine update 
>> failed.
>>   
>>   
>> 720001
>> ^2001$
>> Microsoft Security Essentials - Definitions update 
>> failed.
>>   
>>   
>> 720001
>> ^1005$
>> Microsoft Security Essentials - Scan error. Scan has 
>> stopped.
>>   
>>   
>> 720001
>> ^1002$
>> Microsoft Security Essentials - Scan stopped before 
>> completion.
>>   
>>
>>   
>>   
>>   
>> 720012
>> Virus:DOS/EICAR_Test_File
>> alert_by_email
>> Microsoft Security Essentials - EICAR test file 
>> detected.
>>   
>>   
>> 720011
>> Virus:DOS/EICAR_Test_File
>> alert_by_email
>> Microsoft Security Essentials - EICAR test file 
>> removed.
>>   
>>   
>> 720010
>> Virus:DOS/EICAR_Test_File
>> alert_by_email
>> Microsoft Security Essentials - EICAR test file 
>> detected, but removal failed.
>>   
>>
>>   
>>   
>> 720001
>> ^2000$
>> Microsoft Security Essentials - Signature database 
>> updated.
>>   
>>   
>> 720001
>> ^2002$
>> Microsoft Security Essentials - Scan engine 
>> updated.
>>   
>>   
>> 720001
>> ^1000$|^1001$
>> Microsoft Security Essentials - Scan started or 
>> stopped.
>>   
>>   
>> 720001
>> ^1013$
>> Microsoft Security Essentials - History 
>> cleared.
>>   
>>
>>   
>>   
>> 720011
>> Multiple Microsoft Security Essentials AV warnings 
>> detected.
>>   
>>   
>> 720012
>> Multiple Microsoft Security Essentials AV warnings 
>> detected.
>>   
>>
>>  
>>
>>
>> On Friday, April 22, 2016 at 1:16:22 PM UTC-7, Rob B wrote:
>>>
>>> Hello All,
>>>
>>>Does anyone have a decoder for Windows Defender floating around out 
>>> there??
>>>
>>> I'm having a heck of a time...   Here is the event channel event example 
>>> if anyone is curious or can help:  (Win10 box)
>>>
>>> Log Name:  Microsoft-Windows-Windows Defender/Operational
>>> Source:Microsoft-Windows-Windows Defender
>>> Date:  4/22/2016 4:05:17 PM
>>> Event ID:  1116
>>> Task Category: None
>>> Level: Warning
>>> Keywords:  
>>> User:  SYSTEM
>>> Computer:  VICTIM0
>>> Description:
>>> Windows Defender has detected malware or other potentially unwanted 
>>> software.
>>>  For more