MPTHREAT_INFO structure

Contains information about a threat.

Syntax

typedef struct tagMPTHREAT_INFO {
  MPTHREAT_ID           ThreatID;
  GUID                  DetectionID;
  MP_MIDL_STRING LPWSTR Name;
  MPTHREAT_TYPE         ThreatType;
  MPTHREAT_SEVERITY     ThreatCriticality;
  MPTHREAT_CATEGORY     ThreatCategory;
  DWORD                 ThreatShortDescriptionID;
  DWORD                 ThreatAdviseDescriptionID;
  MPTHREAT_STATUS       ThreatStatus;
  DWORD                 SuggestedActionCount;
  MPTHREAT_ACTION       SuggestedActionArray[MP_MAX_SUGGESTIONS];
  DWORD                 ResourceCount;
  PMPRESOURCE_INFO      *ResourceList[ResourceCount];
  ULARGE_INTEGER        ThreatStatusTime;
  HRESULT               ThreatStatusCode;
  MPTHREAT_DETECTION    ThreatDetection;
  GUID                  QuarantineGuid;
  MPEXECUTION_STATUS    ExecutionStatus;
  union {
    PMPTHREAT_INFOEX_UNUSED   pKnownBad;
    PMPTHREAT_INFOEX_BEHAVIOR pBehavior;
    PMPTHREAT_INFOEX_UNUSED   pUnknown;
    PMPTHREAT_INFOEX_UNUSED   pKnownGood;
    PMPTHREAT_INFOEX_NIS      pNis;
  } Data;
  MPDETECTION_STATE     State;
  MP_MIDL_STRING LPWSTR DetectionUser;
  MPSOURCE              DetectionSource;
  MP_MIDL_STRING LPWSTR ProcessName;
  MPDETECTION_ORIGIN    DetectionOrigin;
  DWORD                 reserved1;
  ULARGE_INTEGER        DetectionTime;
  MPEXECUTION_STATUS    PreExecutionStatus;
  ULARGE_INTEGER        RemediationTime;
  MPEXECUTION_STATUS    PostExecutionStatus;
  BOOL                  CriticalFailure;
  DWORD                 NonCriticalReason;
  MP_MIDL_STRING LPWSTR RemediationUser;
  DWORD                 RemediationResourceCount;
  PMPRESOURCE_INFO      RemediationResourceList[RemediationResourceCount];
  BOOL                  FailureResolved;
  MPRESOLVED_REASON     ResolvedReason;
  DWORD                 AdditionalActions;
  DWORD                 ResolvedActions;
  DWORD                 dwThreatStatusFlag;
} MPTHREAT_INFO, *PMPTHREAT_INFO;

Members

ThreatID

Type: MPTHREAT_ID

Threat identifier. The upper bit is set to identify antivirus-related threats.

DetectionID

Type: GUID

Detection ID.

Name

Type: MP_MIDL_STRING LPWSTR

Threat name.

ThreatType

Type: MPTHREAT_TYPE

Threat type. Used to differentiate among different threat types such as known bad, unknown, or known good. See MPTHREAT_TYPE.

ThreatCriticality

Type: MPTHREAT_SEVERITY

Threat criticality. See MPTHREAT_SEVERITY.

ThreatCategory

Type: MPTHREAT_CATEGORY

Threat category, such as a trojan or a keylogger. See MPTHREAT_CATEGORY.

ThreatShortDescriptionID

Type: DWORD

Threat short description ID.

ThreatAdviseDescriptionID

Type: DWORD

Threat advise description ID.

ThreatStatus

Type: MPTHREAT_STATUS

Threat status such as detected, cleaned, or quarantined. See MPTHREAT_STATUS.

SuggestedActionCount

Type: DWORD

Count of suggested actions in SuggestedActionArray.

SuggestedActionArray

Type: MPTHREAT_ACTION[MP_MAX_SUGGESTIONS]

Array of suggested actions. See MPTHREAT_ACTION.

ResourceCount

Type: DWORD

Count of resources in ResourceList.

ResourceList

Type: PMPRESOURCE_INFO*

List of resources identified with the threat. See MPRESOURCE_INFO.

ThreatStatusTime

Type: ULARGE_INTEGER

Time when threat status last changed.

ThreatStatusCode

Type: HRESULT

Status code associated with the threat status.

ThreatDetection

Type: MPTHREAT_DETECTION

Threat detection type, such as concrete, suspicious, or generic. See MPTHREAT_DETECTION.

QuarantineGuid

Type: GUID

Quarantine GUID.

ExecutionStatus

Type: MPEXECUTION_STATUS

Execution status of the threat, such as not known, blocked, or active. See MPEXECUTION_STATUS.

Data

Extra information. The pointer to the appropriate structure depends on the value of ThreatType.

pKnownBad

Type: PMPTHREAT_INFOEX_UNUSED

When ThreatType == MPTHREAT_TYPE_KNOWNBAD. See MPTHREAT_INFOEX_UNUSED.

pBehavior

Type: PMPTHREAT_INFOEX_BEHAVIOR

When ThreatType == MPTHREAT_TYPE_BEHAVIOR. See MPTHREAT_INFOEX_BEHAVIOR.

pUnknown

Type: PMPTHREAT_INFOEX_UNUSED

When ThreatType == MPTHREAT_TYPE_UNKNOWN. See MPTHREAT_INFOEX_UNUSED.

pKnownGood

Type: PMPTHREAT_INFOEX_UNUSED

When ThreatType == MPTHREAT_TYPE_KNOWNGOOD. See MPTHREAT_INFOEX_UNUSED.

pNis

Type: PMPTHREAT_INFOEX_NIS

When ThreatType == MPTHREAT_TYPE_NIS. See MPTHREAT_INFOEX_NIS.

State

Type: MPDETECTION_STATE

The current state of the detection. See MPDETECTION_STATE.

DetectionUser

Type: MP_MIDL_STRING LPWSTR

The user associated with the detection, in the format "domain/user".

DetectionSource

Type: MPSOURCE

The source of the detection. See MPSOURCE.

ProcessName

Type: MP_MIDL_STRING LPWSTR

Process name associated with the detection.

DetectionOrigin

Type: MPDETECTION_ORIGIN

The origin of the detection, such as local or network. See MPDETECTION_ORIGIN.

reserved1

Type: DWORD

Reserved metadata about the detection.

DetectionTime

Type: ULARGE_INTEGER

The time of the initial detection.

PreExecutionStatus

Type: MPEXECUTION_STATUS

Execution status right before remediation. See MPEXECUTION_STATUS.

RemediationTime

Type: ULARGE_INTEGER

The time remediation occurred.

PostExecutionStatus

Type: MPEXECUTION_STATUS

Execution status after remediation. See MPEXECUTION_STATUS.

CriticalFailure

Type: BOOL

True if the remediation failure was critical.

NonCriticalReason

Type: DWORD

The reason the remediation failure is not critical. This is not guaranteed to be supported in the future.

RemediationUser

Type: MP_MIDL_STRING LPWSTR

User that requested the remediation, in the format "domain/user".

RemediationResourceCount

Type: DWORD

Count of resources in RemediationResourceList.

RemediationResourceList

Type: PMPRESOURCE_INFO[RemediationResourceCount]

List of resources that failed during remediation. See MPRESOURCE_INFO.

FailureResolved

Type: BOOL

True if the remediation failure has been resolved. This will move the bucket to either complete or an additional action.

ResolvedReason

Type: MPRESOLVED_REASON

Reason for remediation failure being resolved. This is the reason the detection moved from failed to additional action or finished. See MPRESOLVED_REASON.

AdditionalActions

Type: DWORD

Whether additional actions are required.

ResolvedActions

Type: DWORD

Any additional actions that have been performed.

dwThreatStatusFlag

Type: DWORD

Additional information about the threat detection.
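A consumer of this structure has to honour three invariants the member descriptions give: SuggestedActionArray has a fixed MP_MAX_SUGGESTIONS slots regardless of SuggestedActionCount, ResourceCount only describes ResourceList when that pointer is present, and the Data union is interpreted through ThreatType alone. The following added example (not code from this documentation or from MpClient.h) shows a defensive reader built on those rules; its typedefs are constructed stand-ins that keep the documented member names, and real code would include MpClient.h and use its types and values instead.

```c
/* Added example, not code from the MpClient.h documentation: the typedefs are constructed
 * stand-ins keeping the documented member names; real code includes <MpClient.h>. */
#include <stdint.h>
#include <string.h>
#define MP_MAX_SUGGESTIONS 8          /* stand-in; the real value is defined in MpClient.h */
typedef uint64_t MPTHREAT_ID;         /* stand-in width; the upper bit marks antivirus threats */
#define MPTHREAT_ID_AV_BIT ((MPTHREAT_ID)1 << (sizeof(MPTHREAT_ID) * 8 - 1))
typedef enum { MPTHREAT_TYPE_KNOWNBAD = 1, MPTHREAT_TYPE_BEHAVIOR, MPTHREAT_TYPE_UNKNOWN,
               MPTHREAT_TYPE_KNOWNGOOD, MPTHREAT_TYPE_NIS } MPTHREAT_TYPE;  /* stand-in values */

typedef struct {                      /* subset of MPTHREAT_INFO, documented names and order */
    MPTHREAT_ID   ThreatID;
    MPTHREAT_TYPE ThreatType;
    uint32_t      SuggestedActionCount;
    uint32_t      SuggestedActionArray[MP_MAX_SUGGESTIONS];
    uint32_t      ResourceCount;
    const void  **ResourceList;       /* PMPRESOURCE_INFO* in the real header */
    union { const void *pKnownBad, *pBehavior, *pUnknown, *pKnownGood, *pNis; } Data;
} THREAT_INFO_SUBSET;
/* antivirus: upper ThreatID bit; actions/resources: entries safe to read; extra: valid Data member */
typedef struct { int antivirus; uint32_t actions, resources; const char *extra; } THREAT_SUMMARY;

/* Consumes a record only as the documented invariants allow: the count for the fixed-size
 * SuggestedActionArray is clamped to MP_MAX_SUGGESTIONS, ResourceCount is used only when
 * ResourceList is present, and the Data member is chosen by ThreatType alone, never by probing. */
THREAT_SUMMARY summarize_threat(const THREAT_INFO_SUBSET *t)
{
    THREAT_SUMMARY s = { 0, t->SuggestedActionCount, 0, "none" };
    s.antivirus = (t->ThreatID & MPTHREAT_ID_AV_BIT) != 0;
    if (s.actions > MP_MAX_SUGGESTIONS) s.actions = MP_MAX_SUGGESTIONS;
    if (t->ResourceList) s.resources = t->ResourceCount;
    switch (t->ThreatType) {
    case MPTHREAT_TYPE_KNOWNBAD:  if (t->Data.pKnownBad)  s.extra = "pKnownBad";  break;
    case MPTHREAT_TYPE_BEHAVIOR:  if (t->Data.pBehavior)  s.extra = "pBehavior";  break;
    case MPTHREAT_TYPE_UNKNOWN:   if (t->Data.pUnknown)   s.extra = "pUnknown";   break;
    case MPTHREAT_TYPE_KNOWNGOOD: if (t->Data.pKnownGood) s.extra = "pKnownGood"; break;
    case MPTHREAT_TYPE_NIS:       if (t->Data.pNis)       s.extra = "pNis";       break;
    default:                      s.extra = "unrecognized ThreatType";            break;
    }
    return s;
}

/* Constructed sample: a behavior detection whose action count exceeds the array size. */
THREAT_SUMMARY sample_summary(void)
{
    static const void *res[2] = { "C:\\constructed\\sample.exe", "HKCU\\constructed\\Run" };
    static const int behavior_blob = 1;               /* stands in for MPTHREAT_INFOEX_BEHAVIOR */
    THREAT_INFO_SUBSET t = { .ThreatID = MPTHREAT_ID_AV_BIT | 0x1234u,  /* constructed id, AV bit */
                             .ThreatType = MPTHREAT_TYPE_BEHAVIOR, .SuggestedActionCount = 12,
                             .ResourceCount = 2, .ResourceList = res, .Data.pBehavior = &behavior_blob };
    return summarize_threat(&t);
}
```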

Requirements

Minimum supported client: Windows 8 [desktop apps only]
Minimum supported server: Windows Server 2012 [desktop apps only]
Header: MpClient.h

See also

MpFreeMemory

MpThreatEnumerate

MpThreatQuery

MPDETECTION_ORIGIN

MPDETECTION_STATE

MPEXECUTION_STATUS

MPRESOLVED_REASON

MPRESOURCE_INFO

MPSOURCE

MPTHREAT_ACTION

MPTHREAT_CATEGORY

MPTHREAT_DETECTION

MPTHREAT_INFOEX_BEHAVIOR

MPTHREAT_INFOEX_NIS

MPTHREAT_INFOEX_UNUSED

MPTHREAT_SEVERITY

MPTHREAT_STATUS

MPTHREAT_TYPE