EventPeeker
Event ID 1116 · Warning · Microsoft-Windows-Windows Defender/Operational · T1204

Windows Event ID 1116: Windows Defender — Malware Detected

Logged when Windows Defender detects a threat — malware, PUA, or suspicious file.

MITRE ATT&CK

Technique

T1204 · User Execution

Tactic

Execution


Why It Matters

A detection means malicious code reached the endpoint. Even if remediated, the detection indicates the attack vector (how it arrived), the specific threat family, and the affected path — all critical for determining scope.

Key Fields

Threat Name: the malware family identified — e.g. Trojan:Win32/Mimikatz, Ransom:Win32/WannaCrypt
Detection Path: where the malware was found — temporary paths often indicate drive-by; startup paths indicate persistence
Action: what Defender did (Quarantine, Remove, Block, or No Action)

Investigation Tips

  1. Check the detection path — files in C:\Users\*\AppData, C:\Temp, or C:\Windows\Temp are most common for active attacks.
  2. Correlate with 4688 to see what process dropped or executed the detected file.
  3. If Action is No Action or Allowed, the threat was not remediated — treat as an active compromise.
  4. Check 1117 (Defender action taken) to confirm what happened after detection.


Related Event IDs

1117: Defender remediation action taken
4688: Process that may have dropped or executed the threat

Frequently Asked Questions

What should I do immediately when I see Event ID 1116?
First, check the Action Type field in the 1116 event — if it says 'Quarantine' or 'Remove', Defender blocked the threat and it may be contained. If it says 'No Action', 'Allowed', or 'Unknown', the threat ran unchecked and you have an active incident. Check Event 1117 next for the remediation outcome. Regardless of action type: isolate the affected machine from the network if possible, check Event 4688 for processes spawned around the same timestamp as the detection, look for any network connections or file writes made by the detected process before Defender caught it, and determine how the file arrived (email attachment, web download, lateral movement).
Does Event ID 1116 mean my machine is infected?
Not necessarily. 1116 means Defender detected a threat — which is a good thing. If the Action field shows 'Quarantine' and Event 1117 confirms successful remediation, the threat was likely caught before it caused harm. The concerning scenarios are: detection with Action = 'No Action' or 'Allowed' (the threat ran), detection of a tool like Mimikatz or a post-exploitation framework (someone is already inside), or repeated detections of the same threat (possible re-infection from a persistence mechanism). A single 1116 for a quarantined email attachment is low priority. A 1116 for a Cobalt Strike beacon in C:\Windows\Temp with Action = 'Allowed' is an active incident.
Why does Event ID 1116 fire but the threat wasn't blocked?
Defender detected the threat signature but may have been prevented from taking action due to: exclusion paths (the file is in a Defender exclusion folder), a tamper protection race condition (the file executed before quarantine completed), a tampered Defender policy (check Event 5001 for real-time protection disabled), or an 'Allowed by policy' override set by an admin. Also check if Event 1117 follows immediately — if 1116 fires but no 1117 appears, Defender may have failed to act. If Defender exclusion paths cover the detection location, that exclusion should be audited immediately.
How do I investigate what the malware actually did after Event ID 1116?
Start with the Threat Name field — search it against public threat intelligence to understand the malware family's typical behavior (persistence mechanisms, C2 protocols, lateral movement tools). Then pivot to Event 4688 and search for processes created by the same executable path within 5 minutes before and after the 1116 timestamp — this reveals whether the malware had time to run and what it spawned. Check network events (Sysmon 3 or firewall logs) for outbound connections from the detected process. Look for new scheduled tasks (4698), services (7045), or registry run keys (4657) created around the same time — these indicate the malware established persistence before Defender caught it.
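The Investigation Tips and the FAQ above describe one triage procedure: read the Action field, check the detection path, confirm a 1117 followed, and correlate with 4688 within a five-minute window. The script below is an added example (not EventPeeker's code) that applies those checks to constructed 1116/1117/4688 records; the field names follow the EventData layout of the Defender Operational and Security logs, and the sample events are invented for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data), reduced to the EventData fields
# the triage needs: two Defender 1116s, one 1117, and two Security 4688s.
EVENTS = [
    {"id": 1116, "time": "2024-05-01T10:00:00", "Threat Name": "Trojan:Win32/Mimikatz",
     "Path": r"file:_C:\Users\alice\AppData\Local\Temp\mk.exe", "Action Name": "Quarantine"},
    {"id": 1117, "time": "2024-05-01T10:00:03", "Threat Name": "Trojan:Win32/Mimikatz",
     "Path": r"file:_C:\Users\alice\AppData\Local\Temp\mk.exe", "Action Name": "Quarantine"},
    {"id": 1116, "time": "2024-05-01T11:30:00", "Threat Name": "Backdoor:Win32/CobaltStrike",
     "Path": r"file:_C:\Windows\Temp\update.exe", "Action Name": "Allowed"},
    {"id": 4688, "time": "2024-05-01T11:28:30", "NewProcessName": r"C:\Windows\Temp\update.exe",
     "ParentProcessName": r"C:\Windows\Temp\svc.exe"},
    {"id": 4688, "time": "2024-05-01T11:31:00", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\Temp\update.exe"},
]
UNREMEDIATED = {"No Action", "Allowed", "Unknown"}                    # tip 3 / FAQ
TEMP_MARKERS = ("\\appdata\\", "c:\\temp\\", "c:\\windows\\temp\\")  # tip 1

def file_path(raw):
    """Defender records paths as 'file:_C:\\...'; strip the resource prefix."""
    return raw.split("_", 1)[1] if raw.lower().startswith("file:_") else raw

def ts(e):
    return datetime.fromisoformat(e["time"])

def triage_1116(events, window=timedelta(minutes=5)):
    """One finding per 1116 event, applying the investigation tips above."""
    findings = []
    for det in (e for e in events if e["id"] == 1116):
        t, path = ts(det), file_path(det["Path"])
        # Tip 4: a 1117 for the same threat should follow within the window.
        has_1117 = any(e["id"] == 1117 and e["Threat Name"] == det["Threat Name"]
                       and t <= ts(e) <= t + window for e in events)
        # Tip 2: 4688s within +/- window where the file ran (as process or parent).
        ran = sorted(e["NewProcessName"] for e in events if e["id"] == 4688
                     and abs(ts(e) - t) <= window and path.lower()
                     in (e["NewProcessName"].lower(), e["ParentProcessName"].lower()))
        f = {"threat": det["Threat Name"], "path": path, "action": det["Action Name"],
             "temp_path": any(m in path.lower() for m in TEMP_MARKERS),
             "unremediated": det["Action Name"] in UNREMEDIATED,
             "has_1117": has_1117, "related_4688": ran}
        # Tip 3: unremediated or executed -> active incident; quarantined but
        # no 1117 yet -> confirm the remediation outcome before closing.
        f["verdict"] = ("active incident" if f["unremediated"] or ran
                        else "contained" if has_1117 else "verify remediation")
        findings.append(f)
    return findings
```

Feeding it real records means exporting the three logs (for example with Get-WinEvent) into the same dictionary shape; the Mimikatz detection comes out "contained" while the Allowed Cobalt Strike detection in C:\Windows\Temp, with two 4688s showing it executed, comes out "active incident".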

