I moved this to VSE for a quicker response.
I've seen messages that steer people toward calling helpdesk, or even individuals.
I've seen messages that say something like "Don't move, we're coming to you - if we're not there in 5 minutes continue with other work but leave this message alone".
In most cases that I recall, there's no message provided for the User, it's suppressed. If you're getting an On Access Scanner detection, it means there is malware we know about - and it means we've denied access to the file; whether the action taken by us results in "cleaned" or "deleted" or "Clean failed/Delete failed", there was a "denied access" that occurred first. So you can be confident that particular threat is not active - but, it could be a clue that some other malware we _don't_ know about just tried to drop malware we _do_ know about.
I suspect that's why I've seen messages like the 2nd example. Detection notifications are worth following up on; it seems like a question of Data Information Security vs. the cost to maintain the desired level of confidence in that security.
I would say much more on this about what I'd really like to have happen if I had a say in educating Users about information security, but that's off topic.
Sorry for my English.
We have decided for our domains (9000 WKS, 1200 SRV) to never display a message for an OAS action. It's denied and it's OK like that. We are following each alert from the ePO in real time and we will act if necessary. Displaying a message for OAS is a time-consuming process for everyone, as the user panics, then calls the helpdesk, etc.
Our message states that malware has been detected, and to contact our SOC. It should always be up to the SOC to determine how to proceed.