Dear Syaff,
Hello! Welcome to the Microsoft Community.
In Microsoft Defender alerts, when you see two records (Unmatched and Matched) for a malware detection policy under "Related events", here is a detailed explanation:
1. Event meaning analysis
(1) First record: Unmatched + Action = Blank
During the initial scan or first detection, the system found that a file or process triggered the detection rule, but under the current policy settings the conditions for executing an action were not fully met. For example:
- A file may be marked as a potential risk but not meet the threat threshold.
- The policy may define exceptions (such as whitelisted paths or specific signature exclusions), so the file is temporarily not processed.
- Further analysis or user confirmation is required (such as a manual scan before the action is triggered).
Action "Blank":
Indicates that no action (such as deletion or quarantine) is performed at this time; only the event is recorded for later analysis.
(2) Second record: Matched + Action = Trash
In a subsequent detection (such as a deep scan or behavior monitoring), the system confirms that the file or process fully meets the definition in the malware policy and triggers the preset action.
Action "Trash":
Usually means the file is moved to quarantine or deleted outright (depending on the policy configuration) so that the malicious code cannot run.
2. Why are there two records?
- Phased detection mechanism: Defender may first perform a quick scan (marking suspicious items without processing them yet) and then confirm the threat level through advanced analysis (such as sandboxing or a machine-learning model) before taking action.
- Policy-level settings: some policies may be configured to "only record the first detection and act after a second confirmation" (to avoid false positives affecting legitimate files).
3. Is there anything to pay attention to?
- Normal case: if the final action is Trash and the threat has been cleared, Defender has successfully intercepted the malicious file and no further action is required.
- Situations that require attention:
  - If the "Unmatched → Matched" cycle appears multiple times, it may indicate that the malware is trying to evade detection (for example, variant files).
  - Check whether the quarantined files are false positives (especially critical system files); restore them and add exceptions if necessary.
4. Recommended actions
- View file details: click the event log to see the specific information. If you recognize this file, for example because you downloaded it manually, consider whether it should be deleted.
- Check the source: if the file came from an external device or a download, trace where it came from to avoid reinfection.
Summary: the two records show that Defender completed threat detection and handling in stages and ultimately intercepted the malicious file. If the system runs normally and there are no false positives, there is usually nothing to worry about.
In addition, you can use Defender or other antivirus software to perform a full scan to check for other vulnerabilities or viruses.
Best wishes,
Pyke.D | Microsoft Community Support Specialist
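An added PowerShell triage script for the steps the reply recommends (review the detection history for files that were detected more than once, list quarantined items so false positives can be spotted, add an exclusion only after confirming one, and run a full scan). It is not part of the reply above and not Microsoft's code; it assumes the alert concerns Microsoft Defender Antivirus on a Windows host, as the reply reads it, and that it runs in an elevated PowerShell session where the Defender module and MpCmdRun.exe are available. The variable names ($threatNames, $history, $repeat) and the placeholder values in the commented restore/exclusion lines are this example's own.

```powershell
# Added Defender triage script (example, not from the original reply).
# Assumes: Microsoft Defender Antivirus on Windows, elevated PowerShell,
# Defender module present. Read-only except for the full scan at the end.
$ErrorActionPreference = 'Stop'

# Map ThreatID -> ThreatName so detection events can be labelled.
$threatNames = @{}
foreach ($t in (Get-MpThreat)) {
    $threatNames["$($t.ThreatID)"] = $t.ThreatName
}

# 1. Detection history: one row per affected resource per detection event.
#    Resources look like "file:_C:\Users\...\name.exe" and identify the file.
$history = foreach ($d in (Get-MpThreatDetection)) {
    foreach ($res in $d.Resources) {
        [pscustomobject]@{
            Resource      = $res
            ThreatName    = $threatNames["$($d.ThreatID)"]
            FirstSeen     = $d.InitialDetectionTime
            LastChange    = $d.LastThreatStatusChangeTime
            ActionSuccess = $d.ActionSuccess
            Process       = $d.ProcessName
        }
    }
}
$history | Sort-Object FirstSeen | Format-Table -AutoSize

# A file detected in more than one event matches the reply's "cycle appears
# multiple times" case: possible variants re-landing, or a source (download
# folder, removable media) that keeps reintroducing it and should be traced.
$repeat = $history | Group-Object Resource | Where-Object Count -ge 2
if ($repeat) {
    Write-Warning 'Resources detected more than once:'
    $repeat | Select-Object Count, Name | Format-Table -AutoSize
}

# Detections whose action did not succeed need manual follow-up rather than
# being treated as "cleared".
$history | Where-Object { -not $_.ActionSuccess } |
    Format-Table Resource, ThreatName, LastChange -AutoSize

# 2. Quarantine contents, to review for false positives before any restore.
$mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Restore -ListAll

# 3. Restore and exclude ONLY after confirming a false positive (reply, item 3).
#    The values below are placeholders for this example; take the real name
#    from the -ListAll output and use the path of the legitimate file.
# & $mpcmd -Restore -Name '<ThreatName from -ListAll>' -Path 'C:\Restored'
# Add-MpPreference -ExclusionPath 'C:\Path\To\Confirmed-Good-App'
# Get-MpPreference | Select-Object -ExpandProperty ExclusionPath   # verify

# 4. Full scan, as the reply recommends. Runs in the background; results
#    appear in Get-MpThreatDetection and the Defender event log.
Start-MpScan -ScanType FullScan
```

The restore and exclusion lines are left commented on purpose: an exclusion path is a permanent blind spot for the scanner, so it should be as narrow as possible and added only for a file whose legitimacy has been verified, not for whatever was quarantined last.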