Rules


Rules monitor the Forefront Security products, engine updating, scan jobs, and Forefront Security services. They examine the events generated by those processes to determine whether an alert should be raised. Rules also retrieve statistics for scan jobs. There are several different kinds of rules included with FFSMP.

Rule Group Hierarchy - Forefront Security for Exchange Server

All rules are stored in a rule group hierarchy in the Management Packs/Rule Groups folder in the Administrator Console.

Microsoft Forefront Server Security

The top-level group. It acts as a container for the rule groups under it:

  • Microsoft Forefront Security for Exchange Server

    Contains subgroups with all the rule types that monitor events specific to agent systems.

    • Exchange Scan Job Monitoring - All Servers

      Contains common rules for scan jobs and performance counter events that collect data about scan rates and detection statistics for all agent systems.

    • Exchange Scan Job Monitoring - Hub Transport, Hub Transport/Mailbox, Edge Transport

      Contains a set of rules for scan jobs and performance counter events that collect data about scan rates and detection statistics for agent systems that are hub transport servers, hub transport/mailbox servers, and edge transport servers.

    • Exchange Scan Job Monitoring - Hub Transport/Mailbox, Mailbox, Public Folders

      Contains a set of rules for scan jobs and performance counter events that collect data about scan rates and detection statistics for agent systems that are mailbox servers and public folder servers. It also contains additional rules for monitoring scan jobs on hub transport/mailbox servers.

    • Service Monitoring - All Servers

      Contains common rules for monitoring services for all agent systems.

    • Service Monitoring - Hub Transport/Mailbox, Mailbox, Public Folders

      Contains a set of rules for monitoring services on hub transport/mailbox servers, mailbox servers, and public folder servers.

    • Service Monitoring - Hub Transport, Hub Transport/Mailbox, Edge Transport

      Contains a set of rules for monitoring services on hub transport servers and edge transport servers. It also contains additional rules for monitoring services on hub transport/mailbox servers.

    • Engine Update Monitoring - All Servers

      Contains a set of rules for monitoring engine and Worm List updates on agent systems.

Rule Group Hierarchy - Forefront Security for SharePoint

All rules are stored in a rule group hierarchy in the Management Packs/Rule Groups folder in the Administrator Console.

Microsoft Forefront Server Security

The top-level group. It acts as a container for the rule groups under it:

  • Microsoft Forefront Security for SharePoint

    Contains subgroups with all the rule types that monitor events specific to agent systems.

    • Engine Update Monitoring

      Contains a set of rules for monitoring engine updates on agent systems.

    • Scan Job Monitoring

      Contains common rules for scan jobs and performance counter events that collect data about scan rates and detection statistics for all agent systems.

    • Service Monitoring

      Contains a set of rules for monitoring services for all agent systems.

Rule Types

There are three types of rules included within each rule group in MOM 2005. Rules can be viewed in the Operator Console and modified in the Administrator Console.

  • Event Rules. Examine events that occur on agent systems and determine if an alert should be prepared. These can be events written to Windows event logs by the Windows components being monitored, or they can be events that are generated by MOM itself. The events and any alerts generated from them are stored in the MOM database.

  • Alert Rules. Examine generated alerts and determine if a notification should be prepared.

  • Performance Rules. Retrieve performance data from agent systems. MOM stores performance data in the MOM database.

Event Rules

Event rules examine events that occurred on managed servers. The MOM Agents collect the events and store them in the MOM database; the event rules then evaluate them and surface logged information about errors and significant events from the agent systems.

Event rules can be classified by data source: Provider-Based Event Rules, Collection Event Rules, and Alert Event Rules.

Provider-Based Event Rules

Provider-based event rules use four provider types as data sources:

  • The Windows Event Log

  • The Windows System Event Log

  • The Forefront Security ProgramLog.txt or Forefront SP ProgramLog.txt file (depending on the agent system)

  • Timed Event

With the exception of the Timed Event provider, the event rules are configured to match on specific criteria, including Event Source, Event ID Number, and Description Text.

Collection Event Rules

Collection event rules are typically used for non-critical informational events that may be of interest to operators, such as services starting and stopping, scan tasks being enabled and disabled, and engine update events. They only generate event entries in the Event Views of the MOM Operator Console and store the event parameters in the MOM database.

Alert Event Rules

Alert event rules examine events and, if warranted, generate an alert record. The alert record is posted in the Alert Views of the MOM Operator Console and is also stored in the MOM database. The creation of an alert record is, in itself, an event that causes the generation of an event entry in the Event Views of the MOM Operator Console.

When an alert event rule generates an alert, it passes certain properties to it:

  • Alert Severity. The possible values are “Critical Error”, “Error”, “Warning”, and “Information”. The value depends upon the perceived severity of the event that caused the alert to be generated. A “Critical Error” indicates a potentially dangerous loss of service.

  • CustomField1. All event rules that generate an alert insert Microsoft Forefront Security Server in this field.

  • CustomField2. Event rules in the Forefront Security for Exchange Server rule group insert a value of Microsoft Forefront Security for Exchange Server in this field. Event rules in the Forefront Security for SharePoint rule group insert a value of Forefront Security for SharePoint in this field. Event rules in the Engine Update Monitoring “common” rule group leave this field blank.

  • CustomField3. Specifies the rule group origin of the Event Rule that created the alert record. For example, an event rule that generates an alert from the Engine Update Monitoring rule group inserts a value of “EngineUpdateFailure” in this field.

These custom field values are used as criteria when building alert views in the MOM Operator Console. This is explained in more detail in Views.
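The following Python model is an added example, not code from the management pack or from MOM, that walks an event through the rule pipeline described above: a provider-based event rule matches on Event Source, Event ID and Description Text; a collection rule only records the event, an alert event rule also creates an alert stamped with the severity and the three custom fields; the single alert rule per group notifies the Forefront Security Administration Group on a “Critical Error”; and a view filters alerts by custom field. The severity names, CustomField1 value and the “EngineUpdateFailure” CustomField3 value come from the page; the event source names, event IDs, description texts and the “ServiceFailure” CustomField3 value are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values stated on the page.
SEVERITIES = ("Critical Error", "Error", "Warning", "Information")
CUSTOM_FIELD1 = "Microsoft Forefront Security Server"
NOTIFICATION_GROUP = "Forefront Security Administration Group"


@dataclass
class Event:
    """A log entry as a MOM agent would collect it."""
    source: str
    event_id: int
    description: str


@dataclass
class Alert:
    """An alert record with the properties an alert event rule passes to it."""
    severity: str
    description: str
    custom_field1: str = CUSTOM_FIELD1
    custom_field2: str = ""
    custom_field3: str = ""


@dataclass
class EventRule:
    """Provider-based rule keyed on Event Source, Event ID and Description Text.

    severity=None makes this a collection rule (record only); a severity makes
    it an alert event rule, which also creates an Alert.
    """
    source: str
    event_id: int
    description_text: str  # substring that must appear in the event description
    severity: Optional[str] = None
    custom_field2: str = ""
    custom_field3: str = ""

    def matches(self, ev: Event) -> bool:
        return (ev.source == self.source
                and ev.event_id == self.event_id
                and self.description_text in ev.description)

    def apply(self, ev: Event) -> Optional[Alert]:
        if self.severity is None:
            return None
        assert self.severity in SEVERITIES
        return Alert(self.severity, ev.description,
                     custom_field2=self.custom_field2,
                     custom_field3=self.custom_field3)


def alert_rule(alert: Alert) -> Optional[str]:
    """The one alert rule per group: notify the admin group only on Critical Error."""
    return NOTIFICATION_GROUP if alert.severity == "Critical Error" else None


def process(events: List[Event], rules: List[EventRule]):
    """Run events through the rules; return (collected events, alerts, notifications)."""
    collected, alerts, notifications = [], [], []
    for ev in events:
        for rule in rules:
            if not rule.matches(ev):
                continue
            collected.append(ev)  # every match produces an Event View entry
            alert = rule.apply(ev)
            if alert is not None:
                alerts.append(alert)
                group = alert_rule(alert)
                if group:
                    notifications.append((group, alert))
    return collected, alerts, notifications


def view_filter(alerts: List[Alert], custom_field2=None, custom_field3=None):
    """Mimic an Alert View whose criteria are the custom field values."""
    return [a for a in alerts
            if (custom_field2 is None or a.custom_field2 == custom_field2)
            and (custom_field3 is None or a.custom_field3 == custom_field3)]


# Constructed rule set: sources, IDs and description texts are placeholders.
RULES = [
    # Engine Update Monitoring "common" group: CustomField2 left blank.
    EventRule("ExampleEngineSource", 9001, "engine update failed",
              severity="Error", custom_field3="EngineUpdateFailure"),
    # Exchange group rule; "ServiceFailure" is a constructed CustomField3 value.
    EventRule("ExampleServiceSource", 9002, "service stopped unexpectedly",
              severity="Critical Error",
              custom_field2="Microsoft Forefront Security for Exchange Server",
              custom_field3="ServiceFailure"),
    EventRule("ExampleServiceSource", 9003, "service started"),  # collection only
]

# Constructed sample events; the last one matches no rule.
SAMPLE_EVENTS = [
    Event("ExampleServiceSource", 9003, "Realtime scan service started"),
    Event("ExampleEngineSource", 9001, "Scan engine update failed: download error"),
    Event("ExampleServiceSource", 9002, "Scan service stopped unexpectedly"),
    Event("ExampleServiceSource", 9002, "Scan service stopped for maintenance"),
]

if __name__ == "__main__":
    c, a, n = process(SAMPLE_EVENTS, RULES)
    print(f"{len(c)} events collected, {len(a)} alerts, {len(n)} notifications")
```

Running the sample gives three collected events, two alerts and one notification; filtering on CustomField3 “EngineUpdateFailure” returns only the engine alert, whose CustomField2 is blank as the page describes for the common group.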

Alert Rules

Alert rules examine the alerts generated by alert event rules to determine if a notification needs to be prepared.

There is a single alert rule included in each active rule group in the Microsoft Forefront Security hierarchy. Each is configured to trigger a notification to the Forefront Security Administration Group when an alert with a severity level of “Critical Error” is generated.

Notification methods and notification group membership need to be configured and implemented by the managers of the MOM environment.

Performance Rules

Performance rules retrieve statistics for all scan jobs, in the following categories:

  • Total number of messages, attachments, or documents scanned

  • Rate of scanning (number of messages or documents scanned per second)

  • Total number of messages purged (Forefront Security for Exchange Server)

  • Total number of documents blocked (Forefront Security for SharePoint)

  • Total number of messages, attachments, or documents detected

  • Total number of attachments or documents cleaned

  • Total number of attachments deleted (Forefront Security for Exchange Server)

  • Total number of messages tagged in Subject Line (Forefront Security for Exchange Server)

These performance rules are located in the following rule groups:

  • The Microsoft Forefront Security Server\Forefront Security for Exchange Server\Exchange Scan Job Monitoring rule group has performance rules for Realtime and Manual Scan Jobs.

  • The Microsoft Forefront Security Server rule group has a performance rule for Manual Scan jobs.

  • The Microsoft Forefront Server Security\Forefront Security for SharePoint\Scan Job Monitoring rule group has performance rules for Realtime and Manual Scan Jobs.

Performance Counter Providers

Performance rules in MOM require Windows Performance Counter providers to supply the sampled data. The providers included with the Microsoft Forefront Server Security Management Pack for MOM 2005 are configured to a sample rate of 1800 seconds (30 minutes), with the exception of the providers used to determine scanning rates and processor times for the scan jobs, which are configured to a sample rate of 300 seconds (5 minutes).

Note

The scanning statistics counters report “Total” counts. Counter values will continue to increase until the totals are reset. To reset the totals from the Forefront Server Security Administrator console, select Incidents from the REPORT shuttle. Reset the counters for each Scan Job using the (X) controls in the statistics table.
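Because the counters are cumulative totals that only fall when an operator resets them, anyone turning the sampled values into scan rates has to handle the reset and the sample interval explicitly. The script below is an added example, not part of the management pack, that converts a series of (timestamp, total) samples into per-interval rates, reports an interval as unusable when a reset fell inside it rather than producing a negative rate, and counts samples that arrived much later than the provider's configured interval. The 300 s and 1800 s intervals are the ones stated on the page; the counter series is constructed.

```python
from typing import List, Optional, Tuple

# Sample intervals from the page: scan-rate and processor-time providers every
# 300 s, all other providers every 1800 s.
SCAN_RATE_INTERVAL = 300
DEFAULT_INTERVAL = 1800


def interval_rates(samples: List[Tuple[int, int]]) -> List[Optional[float]]:
    """Turn cumulative "Total" samples into a per-second rate for each interval.

    samples: (timestamp_seconds, total_count) pairs in time order.
    The counters only grow until an operator resets them, so a sample lower
    than its predecessor means a reset fell inside that interval. The work done
    before the reset is lost, so the interval is reported as None instead of a
    negative or misleadingly small rate.
    """
    rates: List[Optional[float]] = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        rates.append(None if c1 < c0 else (c1 - c0) / (t1 - t0))
    return rates


def summarise(samples: List[Tuple[int, int]], expected_interval: int = SCAN_RATE_INTERVAL) -> dict:
    """Aggregate a counter series: per-interval rates, mean rate, resets, late samples.

    A gap more than twice the provider's configured interval usually means the
    agent missed a sample; it is counted so it is not silently averaged in.
    """
    rates = interval_rates(samples)
    valid = [r for r in rates if r is not None]
    late = sum(1 for (t0, _), (t1, _) in zip(samples, samples[1:])
               if t1 - t0 > 2 * expected_interval)
    return {
        "rates": rates,
        "mean_rate": sum(valid) / len(valid) if valid else None,
        "resets": rates.count(None),
        "late_samples": late,
    }


# Constructed series: five samples 300 s apart from a "Total messages scanned"
# counter, with an operator reset between the third and fourth sample.
SAMPLE_TOTALS = [(0, 0), (300, 1500), (600, 3000), (900, 120), (1200, 1620)]

if __name__ == "__main__":
    print(summarise(SAMPLE_TOTALS))
```

On the constructed series the three clean intervals each give 5.0 messages per second, the interval containing the reset is reported as None, and the summary records one reset and no late samples.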

Rules Knowledge Base

All rules contained in the Microsoft Forefront Server Security Management Pack for MOM 2005 have a Knowledge Base entry containing a summary or description of the event. This entry explains the event’s significance and may also contain possible causes and resolutions.

Knowledge Base entries can be viewed through the MOM Administrator and MOM Operator Consoles.

To view a Knowledge Base entry

  1. Select a rule.

  2. Right-click the rule. A shortcut menu appears.

  3. Choose Properties from the shortcut menu.

  4. Click the Knowledge Base tab.