Working with monitors

 

Applies to: Forefront Protection 2010 for SharePoint

Monitors are used to determine the health state of an application feature and are an integral part of the health model. Generally speaking, monitors are the "intelligence" of Microsoft System Center Operations Manager 2007 (Operations Manager 2007), determining whether your application is healthy.

Monitors are state machines that show a state of healthy (green), warning (yellow), or unhealthy (red). The monitor's state changes in response to the information that it receives.

In the Microsoft Forefront Server Protection Management Pack for Operations Manager 2007, monitors examine the Forefront Protection 2010 for SharePoint (FPSP) product, including engine updates, scan jobs, and services. They examine events generated by those processes to determine if alerts should be generated or if the health state should be changed. Some monitors (called performance monitors) retrieve statistics for scan jobs. There are several different kinds of monitors included with the Microsoft Forefront Server Protection Management Pack.

All monitors are stored in the Authoring space of the System Center Operations console, in the Management Packs Objects node. They monitor events specific to the particular type of server. There are several categories of monitors for FPSP.

Viewing the Knowledge Base for monitors

All monitors contained in Operations Manager 2007 have a Knowledge Base entry containing a summary or description of the event. This entry explains the event's significance, possible causes, and possible resolutions. For a list of all event codes, see Event ID codes.

Knowledge Base entries can be viewed through the Operations Manager 2007 Operations Console.

To view a Knowledge Base entry for a monitor

  1. In the Monitoring space, in the Microsoft Forefront Server Protection 2010 \ Forefront Protection for SharePoint \ State node, double-click in the State column for any server.

  2. In the Health Explorer dialog box, click any health monitor on the left to display its Knowledge Base entry on the right.

Monitor reference

There are several categories of monitors for Microsoft Forefront Protection 2010 for SharePoint (FPSP).

Antimalware engine monitors

These are the monitors that keep track of potential problems with antimalware engines.

Display name

Antimalware Engines Update Enabled Monitor

Description

Checks if updating for the antimalware engines is enabled.

Alert message

The antimalware engines selected for scanning are disabled for updating.

Causes

There are antimalware engines selected for scanning that are not enabled for updating.

Resolution

Change the engines selected for updating to match the ones selected for scanning.

Display name

Antimalware Engines Update Success Rate

Description

Checks the percentage of antimalware engines successfully updated in the last attempt.

Alert message

Some antimalware engines enabled for updates were not successfully updated at the last attempt.

Causes

Network throughput issues.

Low bandwidth.

Issues with the server providing definition updates.

Resolution

Ensure that the HTTP proxy server is configured properly.

Ensure that there are no network issues.

Ensure that the Universal Naming Convention (UNC) configuration settings are appropriate.

Display name

Antimalware Engines Last Update Time Monitor

Description

Checks if the antimalware engines enabled for updates have been updated in the last five days.

Alert message

Some antimalware engines enabled for updates have not been updated successfully in the last five days.

Causes

Network throughput issues.

Low bandwidth.

Issues with Rapid Update Server.

The antivirus vendor has not provided updates in a week (very unlikely).

Resolution

Ensure that the HTTP proxy server is configured properly.

Ensure that there are no network issues.

Ensure that the UNC configuration settings are appropriate.

License monitors

These are the monitors that keep track of potential problems with licenses.

Display name

License State Monitor

Description

Checks if the Forefront Server Protection license is about to expire or has expired.

Alert message

The Forefront Server Protection license is about to expire or has expired.

Causes

A product key has not been entered.

Your license has expired and a new product key has not been purchased.

Resolution

Enter the product key from the Forefront Server Protection Administrator console or Forefront Management Shell.

If you do not have a product key, contact your Microsoft sales representative or visit the Pricing and Licensing site.

Services monitors

These are the monitors that keep track of potential problems with services.

Display name

FSCController Service State Monitor

Description

Checks if the FSCController service is running.

Alert message

Microsoft Forefront Server Protection service is not running.

Causes

Not applicable

Resolution

Restart the SharePoint services:

1. Stop all SharePoint services and make sure all the Forefront services are offline.

2. Start SharePoint services. Make sure Forefront is completely started.

Display name

FSSPController Service State Monitor

Description

Checks if the FSSPController service is running.

Alert message

Microsoft Forefront Server Protection Controller for SharePoint service is not running.

Causes

Not applicable

Resolution

Start the Microsoft Forefront Server Protection Controller for SharePoint service.

Display name

Eventing Service State Monitor

Description

Checks if the FSCEventing service is running.

Alert message

Microsoft Forefront Server Protection Eventing Service is not running.

Causes

Not applicable

Resolution

Start the Microsoft Forefront Server Protection Eventing Service.

Display name

FSEMailPickup Service State Monitor

Description

Checks if the FSEMailPickup service is running.

Alert message

Forefront Server Protection Mail Pickup Service is not running.

Causes

Not applicable

Resolution

Start the Microsoft Forefront Server Protection Mail Pickup Service.

Workload integration monitors

These are the monitors that keep track of potential problems with hooking into SharePoint.

Display name

Workload Integration State Monitor

Description

Checks if the w3wp service is running and the Forefront VSAPI library is registered.

Alert message

Forefront Protection 2010 for SharePoint is not hooked into SharePoint properly.

Causes

The Forefront VSAPI library is not registered with SharePoint correctly.

Resolution

Analyze the Event Log for details regarding the error.

Realtime scan monitors

These are the monitors that keep track of potential problems with the Realtime scan.

Display name

Realtime Scan Filter Engine Loading Monitor

Description

Checks if the filter engine is loaded correctly by the Realtime scan job.

Alert message

The filter engine is not loaded successfully for the Realtime scan job.

Causes

Damaged or inaccessible filter engine.

Resolution

Reinstall FPSP

Display name

Realtime Scan Engines Initialization Monitor

Description

Checks if the antimalware engines selected for the Realtime scan job have been initialized successfully.

Alert message

Some antimalware scan engines have not initialized successfully for the Realtime scan job.

Causes

It is possible that the engine subfolder has been deleted. It is recreated after a successful engine update.

Resolution

Make sure the HTTP proxy server is configured properly.

Make sure that there are no network issues.

Make sure that the UNC configuration settings are appropriate.

Display name

Realtime Scan Enabled State Monitor

Description

Checks if the Realtime scan job is enabled properly.

Alert message

Realtime scan is not enabled properly.

Causes

The Realtime scan job is bypassed.

  • VSAPI scanning on upload is disabled.

  • VSAPI scanning on download is disabled.

Resolution

Using the Forefront Protection 2010 for SharePoint Administrator Console or through Forefront Management Shell, check that the Realtime scan job is not bypassed.

  • In “Antivirus” settings of SharePoint Central Administration, make sure that “Scan documents on upload” is enabled.

  • In “Antivirus” settings of SharePoint Central Administration, make sure that “Scan documents on download” is enabled.

Display name

Realtime Scanning Processes State Monitor

Description

Checks if the Realtime scanning processes are running normally.

Alert message

There are Realtime scanning processes that did not restart properly.

Causes

It could be that the server was overloaded and could not start a new process in a timely fashion.

Resolution

Recycle w3wp services.

Scheduled scan monitors

These are the monitors that keep track of potential problems with the scheduled scan.

Display name

Scheduled Scan Filter Engine Loading Monitor

Description

Checks if the filter engine is loaded correctly by the Scheduled and On-Demand scan jobs.

Alert message

The filter engine is not loaded successfully for the Scheduled or On-Demand scan job.

Causes

Damaged or inaccessible filter engine.

Resolution

Uninstall and then reinstall FPSP.

Display name

Scheduled Scan Loading Monitor

Description

Checks if the Scheduled and On-Demand scan jobs have been loaded successfully.

Alert message

The Scheduled or On-Demand scan job did not load successfully.

Causes

This may occur when FPSP is unable to access the SharePoint database because:

The SharePoint database is offline.

The SharePoint access account that was entered during the SharePoint installation has expired or the password has been updated.

Resolution

Ensure that the SharePoint database is online.

Update the "Log on as" account for the "Microsoft Forefront Server Security Controller for SharePoint" service.

Display name

Scheduled Scan Termination Monitor

Description

Checks if the Scheduled and On-Demand scans ended successfully.

Alert message

The Scheduled or On-Demand scan failed to complete.

Causes

This may occur when FPSP is unable to access the SharePoint database because:

The SharePoint database is offline.

The SharePoint access account that was entered during the SharePoint installation has expired or the password has been updated.

Resolution

Ensure that the SharePoint database is online.

Update the "Log on as" account for the "Microsoft Forefront Server Security Controller for SharePoint" service.

Display name

Scheduled Scan Engines Initialization Monitor

Description

Checks if the antimalware engines selected for the Scheduled and On-Demand scan jobs have been initialized successfully.

Alert message

No antimalware scan engines have initialized successfully for the Scheduled or On-Demand scan job.

Causes

It could be that the engine subfolder has been deleted.

Resolution

Ensure that the HTTP proxy server is configured properly.

Ensure that there are no network issues.

Ensure that the UNC configuration settings are appropriate.