
windows event log

  • February 29, 2016
  • 5 replies
  • 453 views

  • Fresh Face
  • 3 replies
When WSA detects a malicious file, does a record show up in the Windows Event Log?
 
I would like to set up a scheduled task that runs when a malicious file is detected. Any idea how this could be performed?

5 replies

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • February 29, 2016
Hi nxte
 
Welcome to the Community Forums.
 
I do not think that WSA logs such activity in the Windows Event Log, and I do not see a reason as to why it should, as it is not a Windows event. It does log this in the WSA Threat Log, but I suspect that this is of no use to you unless you are able to produce a program that can read the log file and then action something when such an event is noted as recorded.
 
Regards, Baldrick

  • Author
  • Fresh Face
  • 3 replies
  • March 4, 2016
I understand WSA is not a native Windows application, but Windows does allow you to register an application as a security event source.
 
"Windows allows applications to report their own security events to the security log by registering through Authorization Manager with LSA as a security event source using the AuthzRegisterSecurityEventSource function."
 
This would then make it easier to set up scheduled tasks or dump information into a SIEM.
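The pattern the post describes (an application registers itself as an event source, writes detection events, and a scheduled task is triggered by that event ID), as an added example that is not part of this thread or of the Webroot product. It uses the Application log rather than the Security log, because writing to Security requires the LSA registration via AuthzRegisterSecurityEventSource quoted above; the source name ExampleScanner, event ID 4001, the task name and the responder script path are placeholders chosen for the example.

```powershell
# Added example, not from the thread or from Webroot. Shows the general pattern:
# register an event source, create a task triggered by that event, write a test event.
# Assumptions: "ExampleScanner", event ID 4001, the task name and C:\Scripts\Respond.ps1
# are placeholders; the Application log stands in for the Security log.
# Run from an elevated (Administrator) PowerShell session.

$Source   = 'ExampleScanner'          # hypothetical event source name
$LogName  = 'Application'
$EventId  = 4001                      # hypothetical ID meaning "malicious file detected"
$TaskName = 'OnMalwareDetected'       # hypothetical scheduled task name
$Handler  = 'C:\Scripts\Respond.ps1'  # hypothetical responder script (no spaces in path)

# 1. Register the event source once; skip if it is already registered.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 2. Create a task that fires on the event. /MO is an XPath filter over the event XML,
#    the same syntax Event Viewer custom views and Get-WinEvent -FilterXPath use.
$Query = "*[System[Provider[@Name='$Source'] and EventID=$EventId]]"
schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC $LogName /MO $Query `
    /TR "powershell.exe -NoProfile -File $Handler" /RU SYSTEM

# 3. Write a test event the way the scanner would; the task should start within seconds.
Write-EventLog -LogName $LogName -Source $Source -EventId $EventId -EntryType Warning `
    -Message 'Test detection: C:\Temp\sample.txt (constructed path for the example)'

# 4. Confirm the event was recorded and the task ran.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = $EventId } -MaxEvents 1 |
    Format-List TimeCreated, Id, Message
Get-ScheduledTaskInfo -TaskName $TaskName | Select-Object LastRunTime, LastTaskResult
```

An ONEVENT trigger created this way does not pass the event's contents to the task, so the handler script has to read the most recent matching event itself (for example with the same Get-WinEvent filter used in step 4) to learn which file was flagged. A SIEM collector subscribed to the Application log will pick the event up with no further work, which is the second benefit the post mentions.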
 

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • March 4, 2016
Hi nxte
 
Well, that is interesting, but if you would like to see if you can get this into the product then the best bet is to wander over to the Feature Request forum (or from the top of any Community page) and open a new Feature Request, so that users can review, comment and, if they would like, support your idea with kudos. The Development Team regularly review the requests and this is by far the best way to get attention on your requirement.
 
Regards, Baldrick

  • Author
  • Fresh Face
  • 3 replies
  • March 4, 2016
Thanks for the tip!

Baldrick
Gold VIP
  • Gold VIP
  • 16060 replies
  • March 4, 2016
You are most welcome...good luck with the feature request. ;)
