Using Alerts to Monitor Malware Detections
Applies To: Forefront Endpoint Protection
Alerts in Forefront Endpoint Protection (FEP) provide administrators with information about malware outbreaks. Administrators can view alerts in two ways:
Through events in the Windows Event Viewer
Optionally, by e-mail
There are two varieties of alerts:
Alerts that apply per collection (and any child collections of the parent collection). You can create multiple alerts, but a collection can only be assigned one of each alert type.
A global alert for malware outbreaks, which triggers based on any collection.
By default, alerts in FEP are not enabled, and you must configure e-mail settings in order for the e-mail option to work. Additionally, in a hierarchical Configuration Manager topology where you have FEP installed on both the child site and the parent site, you should configure alerts at the child site to notify administrators who can take action on the alerts.
The following table lists the alerts available in FEP.
Alert type | Description | Default trigger threshold when enabled |
---|---|---|
Malware Outbreak Alert | When enabled, an alert of this type is triggered when a fast-spreading malware is detected in your organization. You configure the threshold for a fast-spreading malware in your organization by setting the number of unique computers infected by a particular malware in 24 hours. | |
Malware Detection Alerts | After the alert is created, an alert of this type is triggered when malware is detected on a computer in the monitored collection at the detection level configured for the alert (see the per-collection alert options below). | |
Repeated Malware Detection Alerts | After the alert is created, an alert of this type is triggered when the same malware is detected on a computer in the monitored collection the configured number of times within the configured interval. | |
Multiple Malware Detection Alerts | After the alert is created, an alert of this type is triggered when the configured number of different malware types is detected on a computer in the monitored collection within the configured interval. | |
To create and configure per-collection alerts
In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.
Click one of the per-collection alerts (Malware Detection, Repeated Malware Detection, or Multiple Malware Detection), and then in the Actions pane, click the New action.
To configure the alert, set the options you need according to the following table.
Alert name | Option | Description |
---|---|---|
Malware Detection Alert | Enter parent collection | Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration. |
Malware Detection Alert | Select detection level | Specifies the computer state that can trigger an alert. Valid detection levels: High (Malware is detected): the alert is triggered when there are one or more computers in the specified collection on which any malware is detected, regardless of the action taken by the Forefront Endpoint Protection client. Medium (Action is required): the alert is triggered when there are one or more computers in the specified collection on which malware is detected and manual action is required on the Forefront Endpoint Protection client in order to complete the malware removal. Low (Malware is active): the alert is triggered when there are one or more computers in the specified collection on which malware is detected and is still active. |
Repeated Malware Detection Alert | Enter parent collection | Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration. |
Repeated Malware Detection Alert | Number of the same malware detected | Specifies the number of detections of the same malware on a computer that is a member of the specified parent collection, or one of its child collections. |
Repeated Malware Detection Alert | Interval | Specifies the interval during which the number of detections must occur. |
Multiple Malware Detection Alerts | Enter parent collection | Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration. |
Multiple Malware Detection Alerts | Number of malware types detected | Specifies the number of different types of malware that must be detected on a computer that is a member of the specified parent collection, or one of its child collections. |
Multiple Malware Detection Alerts | Interval | Specifies the interval during which the number of detections must occur. |
For all alerts, in the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.
When finished, click OK.
Important
You must enable the e-mail settings in Configuration Manager before Forefront Endpoint Protection will send e-mail notifications.
To enable and configure the global Malware Outbreak alert
In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.
Click Malware Outbreak Alert, and then in the details pane, double-click Malware Outbreak Alert.
In the Malware Outbreak Alert Properties dialog box, select the Enable alert check box.
Next to Number of computers with the same malware detected, type the number of computers on which the same malware must be detected in order to trigger this alert.
In the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.
When finished, click OK.
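The per-collection alert conditions (detection level, repeated detections of one malware, multiple malware types within an interval) and the global Malware Outbreak rule above, evaluated in code as an added example that is not FEP's own logic: each function applies one rule to a list of detection records. The record layout, the client state names and the sample detections are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample detections (not real FEP data): (time, computer, malware, state);
# every state counts for High, "action_required" also for Medium, "active" also for Low.
DETECTIONS = [
    (datetime(2011, 3, 1, 9, 0), "PC1", "Win32/Sample.A", "removed"),
    (datetime(2011, 3, 1, 9, 30), "PC1", "Win32/Sample.A", "removed"),
    (datetime(2011, 3, 1, 10, 0), "PC1", "Win32/Sample.A", "active"),
    (datetime(2011, 3, 1, 11, 0), "PC2", "Win32/Sample.A", "removed"),
    (datetime(2011, 3, 1, 12, 0), "PC2", "Win32/Other.B", "action_required"),
    (datetime(2011, 3, 2, 8, 0), "PC3", "Win32/Sample.A", "removed"),
]
LEVEL_STATES = {"high": {"removed", "action_required", "active"},
                "medium": {"action_required"}, "low": {"active"}}

def malware_detection(detections, level):
    """Malware Detection alert: computers with a detection at the chosen level."""
    return sorted({pc for _, pc, _, state in detections if state in LEVEL_STATES[level]})

def _distinct_in_window(items, count, hours):
    """True if a window of `hours` starting at one (time, key) item holds `count` distinct keys."""
    items, window = sorted(items), timedelta(hours=hours)
    for i, (start, _) in enumerate(items):
        if len({key for ts, key in items[i:] if ts - start <= window}) >= count:
            return True
    return False

def repeated_malware(detections, count, hours):
    """Repeated Malware Detection alert: `count` detections of the same malware on one computer."""
    per_pair = defaultdict(list)
    for i, (ts, pc, name, _) in enumerate(detections):
        per_pair[(pc, name)].append((ts, i))  # the record index keys each detection
    return sorted({pc for (pc, _), items in per_pair.items()
                   if _distinct_in_window(items, count, hours)})

def multiple_malware(detections, count, hours):
    """Multiple Malware Detection alert: `count` different malware types on one computer."""
    per_pc = defaultdict(list)
    for ts, pc, name, _ in detections:
        per_pc[pc].append((ts, name))
    return sorted(pc for pc, items in per_pc.items()
                  if _distinct_in_window(items, count, hours))

def malware_outbreak(detections, computers, hours=24):
    """Global Malware Outbreak alert: the same malware on `computers` unique computers in 24 hours."""
    per_name = defaultdict(list)
    for ts, pc, name, _ in detections:
        per_name[name].append((ts, pc))
    return sorted(name for name, items in per_name.items()
                  if _distinct_in_window(items, computers, hours))
```

The interval and count arguments correspond to the Interval and Number of ... detected options in the alert dialogs; the detection-level mapping is the one described under Select detection level.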
To configure e-mail settings
In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Alerts.
In the Actions pane, click E-mail Settings.
To enable alerts to be sent by e-mail, select the E-mail alert notification check box.
In the SMTP Server box, type the fully qualified domain name (FQDN) of your SMTP server.
If your SMTP server uses a port other than the default port, in the Port box, type or select the port number.
Under Authentication method, select the option for the credential type to use to authenticate the connection to the SMTP server.
Important
It is recommended that you use Integrated Windows Authentication as the authentication method. When you choose Integrated Windows Authentication, the computer account of the FEP server is used to authenticate to the SMTP server. Otherwise, you must ensure that the selected credentials exist on the specified SMTP server for authentication to succeed.
To view the service credentials, in Windows Services, right-click Forefront Endpoint Protection Monitoring Service, click Properties, and then click Log On.
In the E-mail from address box, type the e-mail address from which Forefront Endpoint Protection alerts are sent, and then click OK.
Note
To test the SMTP settings, instead of clicking OK, click Test and Close. This adds a test e-mail to the e-mail queue that is periodically processed by the Forefront Endpoint Protection Monitoring Service.
To view alerts in the Windows Event Viewer
In the Windows Event Viewer, expand Applications and Services Logs, and then click Forefront Endpoint Protection.
Double-click the alert you want to view.