Microsoft-Filtering-FIPFS
67 events across 2 channels
Event ID 1: Unicode=Prop_UnicodeString Ansi=Prop_AnsiString Int8=Prop_Int8 UInt8=Prop_UInt8 Int16=Prop_Int16 UInt16=Prop_UInt16 Int32=Prop_Int32 UInt32=Prop_UInt32 Int64=Prop_Int64 UInt64=Prop_UInt64 Float=Pro...
#Description
Unicode=Prop_UnicodeString Ansi=Prop_AnsiString Int8=Prop_Int8 UInt8=Prop_UInt8 Int16=Prop_Int16 UInt16=Prop_UInt16 Int32=Prop_Int32 UInt32=Prop_UInt32 Int64=Prop_Int64 UInt64=Prop_UInt64 Float=Prop_Float Double=Prop_Double Boolean=Prop_Boolean GUID=Prop_GUID Pointer=Prop_Pointer FILETIME=Prop_FILETIME SYSTEMTIME=Prop_SYSTEMTIME SID_Length=Prop_SID_Length SID=Prop_SID Binary=Prop_Binary Hex32=Prop_HexInt32 Hex64=Prop_HexInt64
Fields #
| Name | Description |
|---|---|
Prop_UnicodeString | |
Prop_AnsiString | |
Prop_Int8 | |
Prop_UInt8 | |
Prop_Int16 | |
Prop_UInt16 | |
Prop_Int32 | |
Prop_UInt32 | |
Prop_Int64 | |
Prop_UInt64 | |
Prop_Float | |
Prop_Double | |
Prop_Boolean | |
Prop_GUID | |
Prop_Pointer | |
Prop_FILETIME | |
Prop_SYSTEMTIME | |
Prop_SID_Length | |
Prop_SID | |
Prop_Binary | |
Prop_HexInt32 | |
Prop_HexInt64 |
Event ID 1022: The FIP-FS version: MajorVersion.
#Description
The FIP-FS version: MajorVersion.MinorVersion
Fields #
| Name | Description |
|---|---|
MajorVersion | |
MinorVersion |
Event ID 1023: The FIP-FS Service Pack version: SpVersion.
#Description
The FIP-FS Service Pack version: SpVersion
Fields #
| Name | Description |
|---|---|
SpVersion |
Event ID 1100: The FIP-FS Filtering Management Service started.
#Description
The FIP-FS Filtering Management Service started.
Event ID 1101: The FIP-FS Filtering Management Service stopped.
#Description
The FIP-FS Filtering Management Service stopped.
Event ID 1102: MS Filtering Engine Update process is running.
#Description
MS Filtering Engine Update process is running.
Event ID 1103: MS Filtering Engine Update process has stopped.
#Description
MS Filtering Engine Update process has stopped.
Event ID 1104: The FIP-FS Filtering Management Service failed initialization.
#Description
The FIP-FS Filtering Management Service failed initialization. Error: ErrorCode. Error Details: ErrorDetails
Fields #
| Name | Description |
|---|---|
ErrorCode | |
ErrorDetails |
Event ID 1105: The MS Filtering Engine Update process failed initialization.
#Description
The MS Filtering Engine Update process failed initialization. Error: ErrorCode. Error Details: ErrorDetails
Fields #
| Name | Description |
|---|---|
ErrorCode | |
ErrorDetails |
Event ID 1106: The FIP-FS Scan Process failed initialization.
#Description
The FIP-FS Scan Process failed initialization. Error: ErrorCode. Error Details: ErrorDetails
Fields #
| Name | Description |
|---|---|
ErrorCode | |
ErrorDetails |
Event ID 1107: A FIP-FS Scan Process has been created.
#Description
A FIP-FS Scan Process has been created. PID=PID
Fields #
| Name | Description |
|---|---|
PID |
Event ID 1108: MS Filtering Engine Update process has terminated unexpectedly.
#Description
MS Filtering Engine Update process has terminated unexpectedly.
Event ID 1109: The MS Filtering Engine Update process has been configured as a Redistribution Server (RedistributionMode).
#Description
The MS Filtering Engine Update process has been configured as a Redistribution Server (RedistributionMode).
Fields #
| Name | Description |
|---|---|
RedistributionMode |
Event ID 1110: Valid Engines: EngineName.
#Description
Valid Engines: EngineName
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 1111: Failed to connect to Engine Update service with error: Hresult, trying again every 30 seconds.
#Description
Failed to connect to Engine Update service with error: Hresult, trying again every 30 seconds. Engines will not be updated until the Engine Update service is started.
Fields #
| Name | Description |
|---|---|
Hresult |
Event ID 1113: The scan process with PID: PID was terminated.
#Description
The scan process with PID: PID was terminated. Reason: Reason.
Fields #
| Name | Description |
|---|---|
PID | |
Reason |
Event ID 1120: The initialization of the SharePoint VSAPI failed.
#Description
The initialization of the SharePoint VSAPI failed. Error Details: ErrorDetails. ErrorLocation.
Fields #
| Name | Description |
|---|---|
ErrorDetails | |
ErrorLocation |
Event ID 1121: The SharePoint scan call failed.
#Description
The SharePoint scan call failed. Error: ErrorCode. CorrelationID: ErrorDetails
Fields #
| Name | Description |
|---|---|
ErrorCode | |
ErrorDetails |
Event ID 1122: Detection: DetectionType Name: DetectionName File: DetectionFile Correlation ID: CorrelationID Direction: Direction.
#Description
Detection: DetectionType Name: DetectionName File: DetectionFile Correlation ID: CorrelationID Direction: Direction
Fields #
| Name | Description |
|---|---|
DetectionType | |
DetectionName | |
DetectionFile | |
CorrelationID | |
Direction |
Event ID 1123: Clean is not currently supported.
#Description
Clean is not currently supported. Please check SharePoint's Antivirus settings to make sure "Attempt to clean infected documents" is not selected. Correlation ID: CorrelationID
Fields #
| Name | Description |
|---|---|
CorrelationID |
Event ID 1124: The initialization of the SharePoint VSAPI Succeeded.
#Description
The initialization of the SharePoint VSAPI Succeeded.
Event ID 1125: The SharePoint VSAPI correctly read the configuration file.
#Description
The SharePoint VSAPI correctly read the configuration file
Event ID 1126: The SharePoint VSAPI failed to read the configuration file.
#Description
The SharePoint VSAPI failed to read the configuration file. Reverting to default settings. Error: Error
Fields #
| Name | Description |
|---|---|
Error |
Event ID 1127: The FIP-FS Filtering Management Service was unable to acquire a scanner within the specified timeout.
#Description
The FIP-FS Filtering Management Service was unable to acquire a scanner within the specified timeout. The process will be terminated.
Event ID 1128: Timed out due to deadlocked I/O operation.
#Description
Timed out due to deadlocked I/O operation. Current count %d. File name: %s
Fields #
| Name | Description |
|---|---|
HangCount | |
FileName |
Event ID 1129: Maximum deadlocked I/O exceeded.
#Description
Maximum deadlocked I/O exceeded
Event ID 1130: Terminating process due to excessive blocked I/O operations.
#Description
Terminating process due to excessive blocked I/O operations.
Event ID 2200: The FIP-FS configuration file "FilePath" is missing.
#Description
The FIP-FS configuration file "FilePath" is missing.
Fields #
| Name | Description |
|---|---|
FilePath |
Event ID 2201: The current permissions for the FIP-FS configuration file "FilePath" may be incorrect; access was denied.
#Description
The current permissions for the FIP-FS configuration file "FilePath" may be incorrect; access was denied.
Fields #
| Name | Description |
|---|---|
FilePath |
Event ID 2202: The FIP-FS Configuration server returned catastrophic error Hresult.
#Description
The FIP-FS Configuration server returned catastrophic error Hresult
Fields #
| Name | Description |
|---|---|
Hresult |
Event ID 2203: A FIP-FS Scan process returned error ErrorCode PID: PID Msg: ErrorDetails ID: ID.
#Description
A FIP-FS Scan process returned error ErrorCode PID: PID Msg: ErrorDetails ID: ID
Fields #
| Name | Description |
|---|---|
ErrorCode | |
PID | |
ErrorDetails | |
ID |
Event ID 2206: The FIP-FS File Navigator encountered a fatal error ErrorCode on the file "Filename".
#Description
The FIP-FS File Navigator encountered a fatal error ErrorCode on the file "Filename". Error Detail: ErrorDetails.
Fields #
| Name | Description |
|---|---|
ErrorCode | |
Filename | |
ErrorDetails |
Event ID 2208: FIP-FS PowerShell task encountered terminating error.
#Description
FIP-FS PowerShell task encountered terminating error. Task: Task Stage: TaskStage Username: Username Message: ErrorMsg Details: ErrorDetails
Fields #
| Name | Description |
|---|---|
Task | |
TaskStage | |
Username | |
ErrorMsg | |
ErrorDetails |
Event ID 2209: The FMS process returned a catastrophic error Hresult.
#Description
The FMS process returned a catastrophic error Hresult
Fields #
| Name | Description |
|---|---|
Hresult |
Event ID 2210: A Scan Process restarted because it exceeds the limit of Scan Process Recovery Life Time threshold.
#Description
A Scan Process restarted because it exceeds the limit of Scan Process Recovery Life Time threshold. The policy configuration value is ThresholdValue, the actual value at the time of policy evaluation is EvaluatedValue.
Fields #
| Name | Description |
|---|---|
ThresholdValue | |
EvaluatedValue |
Event ID 2211: A Scan Process restarted because it exceeds the limit of Scan Process Recovery Memory Max threshold.
#Description
A Scan Process restarted because it exceeds the limit of Scan Process Recovery Memory Max threshold.
Event ID 2212: A Scan Process restarted because it exceeds the limit of Scan Process Recovery Heuristic Policy: PolicyName.
#Description
A Scan Process restarted because it exceeds the limit of Scan Process Recovery Heuristic Policy: PolicyName. The Percentage value is Percentage, the SampleSize value at the time of policy evaluation is SampleSize.
Fields #
| Name | Description |
|---|---|
PolicyName | |
Percentage | |
SampleSize |
Event ID 2213: A scan request timed out.
#Description
A scan request timed out. ID=ID, WorkloadID=WorkloadID, PID=PID
Fields #
| Name | Description |
|---|---|
ID | |
WorkloadID | |
PID |
Event ID 5300: The FIP-FS "EngineName" Scan Engine failed to load.
#Description
The FIP-FS "EngineName" Scan Engine failed to load. PID: PID, Error Code: ErrorCode. Error Description: ErrorDescription.
Fields #
| Name | Description |
|---|---|
EngineName | |
PID | |
ErrorCode | |
ErrorDescription |
Event ID 5302: The FIP-FS "EngineName" Scan Engine (version EngineVersion) was stuck in a READ or WRITE loop while trying to scan or clean file "File".
#Description
The FIP-FS "EngineName" Scan Engine (version EngineVersion) was stuck in a READ or WRITE loop while trying to scan or clean file "File".
Fields #
| Name | Description |
|---|---|
EngineName | |
EngineVersion | |
File |
Event ID 5303: The FIP-FS "EngineName" Scan Engine EngineName (version EngineVersion) returned error ErrorCode while scanning file "File".
#Description
The FIP-FS "EngineName" Scan Engine EngineName (version EngineVersion) returned error ErrorCode while scanning file "File".
Fields #
| Name | Description |
|---|---|
EngineName | |
EngineVersion | |
ErrorCode | |
File |
Event ID 5304: A scan request failed due to a fatal engine error.
#Description
A scan request failed due to a fatal engine error.
Event ID 5305: FIP-FS encountered a text extraction error, type: Type, error: ErrorCode.
#Description
FIP-FS encountered a text extraction error, type: Type, error: ErrorCode. This will result in a subsequent filtering failure.
Fields #
| Name | Description |
|---|---|
Type | |
ErrorCode |
Event ID 6022: MS Filtering Engine Update process has detected a custom engine update configuration for EngineName.
#Description
MS Filtering Engine Update process has detected a custom engine update configuration for EngineName.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6023: MS Filtering Engine Update process has not detected any new scan engine updates.
#Description
MS Filtering Engine Update process has not detected any new scan engine updates. Scan Engine: EngineName Update Path: UpdatePath
Fields #
| Name | Description |
|---|---|
EngineName | |
UpdatePath |
Example Event #
{
"system": {
"provider": "Microsoft-Filtering-FIPFS",
"guid": "{1be3a000-ea09-4ab8-b0a0-30bbb6793d80}",
"event_source_name": "",
"event_id": 6023,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-09 21:26:05.896011+00:00",
"event_record_id": 4854,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 12908,
"thread_id": 13600
},
"channel": "Application",
"computer": "EX-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"EngineName": "Microsoft",
"UpdatePath": "http://amupdatedl.microsoft.com/server/amupdate"
},
"message": "MS Filtering Engine Update process has not detected any new scan engine updates. \n Scan Engine: Microsoft \n Update Path: http://amupdatedl.microsoft.com/server/amupdate "
}
Event ID 6024: MS Filtering Engine Update process is checking for new engine updates.
#Description
MS Filtering Engine Update process is checking for new engine updates. Scan Engine: EngineName Update Path: UpdatePath
Fields #
| Name | Description |
|---|---|
EngineName | |
UpdatePath |
Example Event #
{
"system": {
"provider": "Microsoft-Filtering-FIPFS",
"guid": "{1be3a000-ea09-4ab8-b0a0-30bbb6793d80}",
"event_source_name": "",
"event_id": 6024,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-09 21:25:59.994614+00:00",
"event_record_id": 4853,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 12908,
"thread_id": 13600
},
"channel": "Application",
"computer": "EX-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"EngineName": "Microsoft",
"UpdatePath": "http://amupdatedl.microsoft.com/server/amupdate"
},
"message": "MS Filtering Engine Update process is checking for new engine updates.\n Scan Engine: Microsoft \n Update Path: http://amupdatedl.microsoft.com/server/amupdate"
}
Event ID 6025: MS Filtering Engine Update process has detected that a new engine is available.
#Description
MS Filtering Engine Update process has detected that a new engine is available. Engine name:EngineName
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6026: MS Filtering Engine Update process has detected that EngineName engine is being deprecated and will not be available after Date.
#Description
MS Filtering Engine Update process has detected that EngineName engine is being deprecated and will not be available after Date. For more information, see the following knowledge base article: KBArticle
Fields #
| Name | Description |
|---|---|
EngineName | |
Date | |
KBArticle |
Event ID 6027: MS Filtering Engine Update process was unsuccessful to download the engine update for EngineName from UpdatePathType Update Path.
#Description
MS Filtering Engine Update process was unsuccessful to download the engine update for EngineName from UpdatePathType Update Path. Update Path:UpdatePath UpdateVersion:UpdateVersion Reason:Reason
Fields #
| Name | Description |
|---|---|
EngineName | |
UpdatePath | |
UpdateVersion | |
Reason | |
UpdatePathType |
Event ID 6030: MS Filtering Engine Update process is attempting to download a scan engine update.
#Description
MS Filtering Engine Update process is attempting to download a scan engine update. Scan Engine: EngineName Update Path: UpdatePath.
Fields #
| Name | Description |
|---|---|
EngineName | |
UpdatePath |
Event ID 6031: MS Filtering Engine Update process has successfully downloaded updates for EngineName.
#Description
MS Filtering Engine Update process has successfully downloaded updates for EngineName.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6032: MS Filtering Engine Update process has timed out on the download of an update for EngineName engine.
#Description
MS Filtering Engine Update process has timed out on the download of an update for EngineName engine.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6033: MS Filtering Engine Update process performed a successful scan engine update.
#Description
MS Filtering Engine Update process performed a successful scan engine update. Scan Engine: EngineName Update Path: UpdatePath Last Update time:LastUpdated Engine Version:EngineVersion Signature Version: SignatureVersion
Fields #
| Name | Description |
|---|---|
EngineName | |
UpdatePath | |
LastUpdated | |
EngineVersion | |
SignatureVersion |
Event ID 6034: MS Filtering Engine Update process is testing the EngineName scan engine update.
#Description
MS Filtering Engine Update process is testing the EngineName scan engine update
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6035: MS Filtering Engine Update process was unsuccessful in testing an engine update.
#Description
MS Filtering Engine Update process was unsuccessful in testing an engine update. Engine: EngineName LastCheckedTime:LastChecked
Fields #
| Name | Description |
|---|---|
EngineName | |
LastChecked |
Event ID 6036: MS Filtering Engine Update process has successfully committed and handed off updates for EngineName Last Checked:LastChecked Last Updated:LastUpdated Engine Version:EngineVersion Signa...
#Description
MS Filtering Engine Update process has successfully committed and handed off updates for EngineName Last Checked:LastChecked Last Updated:LastUpdated Engine Version:EngineVersion Signature Version:SignatureVersion Update Version:UpdateVersion Last Definition Update:LastDefinitionsUpdate Update Path:UpdatePath
Fields #
| Name | Description |
|---|---|
EngineName | |
LastChecked | |
LastUpdated | |
EngineVersion | |
SignatureVersion | |
UpdateVersion | |
LastDefinitionsUpdate | |
UpdatePath |
Event ID 6037: MS Filtering Engine Update process was unable to hand off updates for EngineName.
#Description
MS Filtering Engine Update process was unable to hand off updates for EngineName.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 6039: EngineName engine download is in progress.
#Description
EngineName engine download is in progress. So this download job is being aborted.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 7001: All the engines selected in the FPS configuration for scanning have been enabled for signature updates.
#Description
All the engines selected in the FPS configuration for scanning have been enabled for signature updates.
Event ID 7002: Not all engines selected for scanning on the MS Filtering Core have been enabled for signature updates.
#Description
Not all engines selected for scanning on the MS Filtering Core have been enabled for signature updates.
Event ID 7003: MS Filtering Engine Update process has successfully scheduled all update jobs.
#Description
MS Filtering Engine Update process has successfully scheduled all update jobs.
Example Event #
{
"system": {
"provider": "Microsoft-Filtering-FIPFS",
"guid": "{1be3a000-ea09-4ab8-b0a0-30bbb6793d80}",
"event_source_name": "",
"event_id": 7003,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-05-09 21:25:59.366760+00:00",
"event_record_id": 4852,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 12908,
"thread_id": 24196
},
"channel": "Application",
"computer": "EX-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": "MS Filtering Engine Update process has successfully scheduled all update jobs."
}
Event ID 7004: MS Filtering Engine Update process was unsuccessful in scheduling update jobs for all engines Engines: EngineName.
#Description
MS Filtering Engine Update process was unsuccessful in scheduling update jobs for all engines Engines: EngineName
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 7005: MS Filtering Engine Update process has detected that EngineName engine is being deprecated and will not be available after Date.
#Description
MS Filtering Engine Update process has detected that EngineName engine is being deprecated and will not be available after Date. For more information, see the following knowledge base article: KBArticle
Fields #
| Name | Description |
|---|---|
EngineName | |
Date | |
KBArticle |
Event ID 7006: MS Filtering Engine Update process has detected that EngineName engine is obsolete.
#Description
MS Filtering Engine Update process has detected that EngineName engine is obsolete. For more information, see the following knowledge base article: KBArticle
Fields #
| Name | Description |
|---|---|
EngineName | |
KBArticle |
Event ID 7007: MS Filtering Core has detected that EngineName engine is obsolete and being used for scanning in the product.
#Description
MS Filtering Core has detected that EngineName engine is obsolete and being used for scanning in the product.
Fields #
| Name | Description |
|---|---|
EngineName |
Event ID 7008: The antivirus scanning has been disabled.
#Description
The antivirus scanning has been disabled.
Event ID 7009: The Engine License Info is unavailable or corrupt.
#Description
The Engine License Info is unavailable or corrupt.