Change Control and Application Control events

This table provides a detailed list of all Change Control and Application Control events.

Event names with the _UPDATE suffix indicate events that are generated in Update mode.

In the Event type column, these abbreviations indicate the applicable type for the event.

  • SC: Solidcore client-related event
  • CC: Change Control event
  • AC: Application Control event

| Event ID (on endpoints) | Threat event ID (on McAfee ePO) | Event name | Event display string | Solidcore client severity | McAfee ePO severity | Event type |
|---|---|---|---|---|---|---|
| 1 | 20700 | BOOTING_DISABLED | Booted in Disabled mode | Warning | Warning | SC |
| 2 | 20701 | BOOTING_ENABLED | Booted in Enabled mode | Info | Information | SC |
| 3 | 20702 | BOOTING_UPDATE_MODE | Booted in Update mode | Info | Information | SC |
| 4 | 20703 | ENABLED_DEFERRED | Enabled On Reboot | Info | Information | SC |
| 5 | 20704 | DISABLED_DEFERRED | Disabled On Reboot | Warning | Warning | SC |
| 6 | 20705 | BEGIN_UPDATE | Opened Update Mode | Info | Information | SC |
| 7 | 20706 | END_UPDATE | Closed Update Mode | Info | Information | SC |
| 8 | 20707 | COMMAND_EXECUTED | Command Executed | Info | Information | SC |
| 15 | 20714 | REG_KEY_CREATED | Registry Created | Info | Information | CC |
| 16 | 20715 | REG_KEY_DELETED | Registry Deleted | Info | Information | CC |
| 18 | 20717 | REG_VALUE_DELETED | Registry Deleted | Info | Information | CC |
| 19 | 20718 | PROCESS_TERMINATED | Process Terminated | Major | Error | AC |
| 20 | 20719 | WRITE_DENIED | File Write Denied | Major | Error | CC |
| 21 | 20720 | EXECUTION_DENIED | Execution Denied | Major | Error | AC |
| 29 | 20728 | PROCESS_TERMINATED_UNAUTH_SYSCALL | Process Terminated | Major | Error | AC |
| 30 | 20729 | PROCESS_TERMINATED_UNAUTH_API | Process Terminated | Major | Error | AC |
| 31 | 20730 | MODULE_LOADING_FAILED | Module Loading Failed | Major | Error | SC |
| 41 | 20740 | FILE_ATTR_SET | File Attribute Set | Info | Information | CC |
| 42 | 20741 | FILE_ATTR_CLEAR | File Attribute Cleared | Info | Information | CC |
| 43 | 20742 | FILE_ATTR_SET_UPDATE | File Attribute Set | Info | Information | CC |
| 44 | 20743 | FILE_ATTR_CLEAR_UPDATE | File Attribute Cleared | Info | Information | CC |
| 49 | 20748 | REG_VALUE_WRITE_DENIED | Registry Write Denied | Major | Error | CC |
| 50 | 20749 | REG_KEY_WRITE_DENIED | Registry Write Denied | Major | Error | CC |
| 51 | 20750 | REG_KEY_CREATED_UPDATE | Registry Created | Info | Information | CC |
| 52 | 20751 | REG_KEY_DELETED_UPDATE | Registry Deleted | Info | Information | CC |
| 54 | 20753 | REG_VALUE_DELETED_UPDATE | Registry Deleted | Info | Information | CC |
| 56 | 20755 | OWNER_MODIFIED | File Ownership Changed | Info | Information | CC |
| 57 | 20756 | OWNER_MODIFIED_UPDATE | File Ownership Changed | Info | Information | CC |
| 61 | 20760 | PROCESS_HIJACKED | Process Hijack Attempted | Major | Error | AC |
| 62 | 20761 | INVENTORY_CORRUPT | Inventory Corrupted | Critical | Critical | AC |
| 63 | 20762 | BOOTING_DISABLED_SAFEMODE | Booted in Disabled mode | Warning | Warning | SC |
| 64 | 20763 | BOOTING_DISABLED_INTERNAL_ERROR | Booted in Disabled mode | Critical | Critical | SC |
| 70 | 20769 | FILE_CREATED | File Created | Info | Information | CC |
| 71 | 20770 | FILE_DELETED | File Deleted | Info | Information | CC |
| 72 | 20771 | FILE_MODIFIED | File Modified | Info | Information | CC |
| 73 | 20772 | FILE_ATTR_MODIFIED | File Attribute Modified | Info | Information | CC |
| 74 | 20773 | FILE_RENAMED | File Renamed | Info | Information | CC |
| 75 | 20774 | FILE_CREATED_UPDATE | File Created | Info | Information | CC |
| 76 | 20775 | FILE_DELETED_UPDATE | File Deleted | Info | Information | CC |
| 77 | 20776 | FILE_MODIFIED_UPDATE | File Modified | Info | Information | CC |
| 78 | 20777 | FILE_ATTR_MODIFIED_UPDATE | File Attribute Modified | Info | Information | CC |
| 79 | 20778 | FILE_RENAMED_UPDATE | File Renamed | Info | Information | CC |
| 80 | 20779 | FILE_SOLIDIFIED | File Solidified | Info | Information | AC |
| 82 | 20781 | FILE_UNSOLIDIFIED | File Unsolidified | Info | Information | AC |
| 84 | 20783 | ACL_MODIFIED | File Acl Modified | Info | Information | CC |
| 85 | 20784 | ACL_MODIFIED_UPDATE | File Acl Modified | Info | Information | CC |
| 86 | 20785 | PROCESS_STARTED | Process Started | Info | Information | CC |
| 87 | 20786 | PROCESS_EXITED | Process Exited | Info | Information | CC |
| 88 | 20787 | TRIAL_EXPIRED | Trial license expired | Major | Error | SC |
| 89 | 20788 | READ_DENIED | File Read Denied | Major | Error | CC |
| 90 | 20789 | USER_LOGON_SUCCESS | User Logged On | Info | Information | CC |
| 91 | 20790 | USER_LOGON_FAIL | User Logon Failed | Info | Information | CC |
| 92 | 20791 | USER_LOGOFF | User Logged Off | Info | Information | CC |
| 93 | 20792 | USER_ACCOUNT_CREATED | User Account Created | Info | Information | CC |
| 94 | 20793 | USER_ACCOUNT_DELETED | User Account Deleted | Info | Information | CC |
| 95 | 20794 | USER_ACCOUNT_MODIFIED | User Account Modified | Info | Information | CC |
| 96 | 20795 | PKG_MODIFICATION_PREVENTED | Installation Denied | Critical | Critical | AC |
| 97 | 20796 | PKG_MODIFICATION_ALLOWED_UPDATE | Installation Allowed | Info | Information | AC |
| 98 | 20797 | PKG_MODIFICATION_PREVENTED_2 | Installation Denied | Critical | Critical | AC |
| 99 | 20798 | NX_VIOLATION_DETECTED | Nx Violation Detected | Critical | Critical | AC |
| 100 | 20799 | REG_VALUE_MODIFIED | Registry Modified | Info | Information | CC |
| 101 | 20800 | REG_VALUE_MODIFIED_UPDATE | Registry Modified | Info | Information | CC |
| 102 | 20801 | UPDATE_MODE_DEFERRED | Update Mode On Reboot | Info | Information | SC |
| 103 | 20802 | FILE_READ_UPDATE | File read in update mode | Info | Information | CC |
| 106 | 20805 | STREAM_CREATED | Alternate Data Stream Created | Info | Information | CC |
| 107 | 20806 | STREAM_DELETED | Alternate Data Stream Deleted | Info | Information | CC |
| 108 | 20807 | STREAM_MODIFIED | Alternate Data Stream Modified | Info | Information | CC |
| 109 | 20808 | STREAM_ATTR_MODIFIED | Attribute Modified in Data Stream | Info | Information | CC |
| 110 | 20809 | STREAM_CREATED_UPDATE | Alternate Data Stream Created | Info | Information | CC |
| 111 | 20810 | STREAM_DELETED_UPDATE | Alternate Data Stream Deleted | Info | Information | CC |
| 112 | 20811 | STREAM_MODIFIED_UPDATE | Alternate Data Stream Modified | Info | Information | CC |
| 113 | 20812 | STREAM_ATTR_MODIFIED_UPDATE | Attribute Modified in Data Stream | Info | Information | CC |
| 114 | 20813 | STREAM_ATTR_SET | Attribute Added in Data Stream | Info | Information | CC |
| 115 | 20814 | STREAM_ATTR_CLEAR | Attribute Cleared in Data Stream | Info | Information | CC |
| 116 | 20815 | STREAM_ATTR_SET_UPDATE | Attribute Added in Data Stream | Info | Information | CC |
| 117 | 20816 | STREAM_ATTR_CLEAR_UPDATE | Attribute Cleared in Data Stream | Info | Information | CC |
| 118 | 20817 | STREAM_RENAMED | Alternate Data Stream Renamed | Info | Information | CC |
| 119 | 20818 | STREAM_RENAMED_UPDATE | Alternate Data Stream Renamed | Info | Information | CC |
| 120 | 20819 | BEGIN_OBSERVE | Start Observe Mode | Info | Information | AC |
| 121 | 20820 | BEGIN_OBSERVE_DEFERRED | Start Observe Mode On Reboot | Info | Information | AC |
| 122 | 20821 | END_OBSERVE | End Observe Mode | Info | Information | AC |
| 123 | 20822 | END_OBSERVE_DEFERRED | End Observe Mode On Reboot | Info | Information | AC |
| 124 | 20823 | INITIAL_SCAN_TASK_COMPLETED | Initial Scan Completed | Info | Information | AC |
| 125 | 20824 | BOOTING_OBSERVE | Booted in Observe Mode | Info | Information | AC |
| 126 | 20825 | ACTX_ALLOW_INSTALL | ActiveX installation Allowed | Info | Information | AC |
| 127 | 20826 | ACTX_INSTALL_PREVENTED | ActiveX installation Prevented | Major | Error | AC |
| 129 | 20828 | VASR_VIOLATION_DETECTED | VASR Violation Detected | Critical | Critical | AC |
| 131 | 20830 | THROTTLING_STARTED | Data Throttled | Major | Warning | SC |
| 132 | 20831 | THROTTLING_CACHE_FULL | Data Dropped | Major | Error | SC |
| Not applicable (server-side event) | 20950 | THREAT_DETECTED (1) | Malicious File Found | - | Based on reputation. (2) | CC, AC |
| Not applicable (server-side event) | 20951 | ASSUMED_THREAT_NOT_PRESENT * | Malicious File is Trusted | - | Based on reputation. | CC, AC |
| Not applicable (server-side event) | 20952 | OBSERVATION_THRESHOLD_EXCEEDED * | Observation Threshold Exceeded | - | Warning | CC, AC |
| Not applicable (server-side event) | 20953 | OBSERVATION_REQUEST_THRESHOLD_EXCEEDED * | Observation Request Threshold Exceeded | - | Warning | CC, AC |
| Not applicable (server-side event) | 20954 | DATA_CONGESTION_DETECTED | Data Congestion Detected | - | Warning | CC, AC |
| Not applicable (server-side event) | 20955 | CLOGGED_DATA_DELETED | Clogged Data Deleted | - | Warning | CC, AC |
| 133 | 20832 | LOCAL_CLI_ACCESS_DISABLED | Disabled Local CLI Access | Major | Error | CC, AC |
| 134 | 20833 | LOCAL_CLI_RECOVER_SUCCESS | Recovered Local CLI | Info | Information | CC, AC |
| 135 | 20834 | LOCAL_CLI_RECOVER_FAILED | Unable to Recover Local CLI | Info | Information | CC, AC |
| 136 | 20835 | OBSERVED_FILE_EXECUTION | Observed File Execution | Info | Information | AC |
| 137 | 20836 | PREVENTED_FILE_EXECUTION | Prevented File Execution | Major | Error | AC |
| 138 | 20837 | INVENTORY_RECOVERED | Recovered Inventory | Critical | Error | AC |
| 139 | 20838 | INVENTORY_RECOVER_FAILED | Unable to Recover Inventory | Critical | Error | AC |
| 140 | 20839 | BLOCKED_PROCESS_INTERACTIVE_MODE | Blocked Interactive Mode of Process | Critical | Error | AC |

(1) This event is displayed only on the Threat Event Log page.

(2) The McAfee ePO severity for this event is based on reputation value. If the reputation value is Known Malicious, Most Likely Malicious, or Might be Malicious, the severity value is Alert, Critical, or Error, respectively. If the reputation value is Unknown, the severity value is Warning. Also, if the reputation value is Might be Trusted, Most Likely Trusted, or Known Trusted, the severity value is Warning, Notice, or Information, respectively.