Using Alerts to Monitor Malware Detections

Applies To: Forefront Endpoint Protection

Alerts in Forefront Endpoint Protection (FEP) provide administrators with information about malware outbreaks. Administrators can view alerts in two ways:

  • Through events in the Windows Event Viewer

  • Optionally, by e-mail

There are two varieties of alerts:

  • Alerts that apply per collection (and any child collections of the parent collection). You can create multiple alerts, but a collection can only be assigned one of each alert type.

  • A global alert for malware outbreaks, which triggers based on any collection.

By default, alerts in FEP are not enabled, and you must configure e-mail settings in order for the e-mail option to work. Additionally, in a hierarchical Configuration Manager topology where you have FEP installed on both the child site and the parent site, you should configure alerts at the child site to notify administrators who can take action on the alerts.

The following table lists the alerts available in FEP.

Each entry gives the alert type, its description, and its default trigger threshold when enabled.

Malware Outbreak Alert

Description: When enabled, an alert of this type is triggered when fast-spreading malware is detected in your organization. You define what counts as fast-spreading by setting the number of unique computers on which the same malware is detected within 24 hours.

Default trigger threshold when enabled:

  • Number of computers with the same malware detected: 100

Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when all of the following conditions are met:

  • Malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.

  • The malware detection falls within the specified detection level for the alert.

Default trigger threshold when enabled:

  • No parent collections are specified by default.

  • Select detection level: High

Repeated Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when all of the following conditions are met:

  • The same malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.

  • The number of detections of the same malware meets the number of detections specified in the alert configuration.

  • The detections occurred within the interval specified in the alert configuration.

Default trigger threshold when enabled:

  • No parent collections are specified by default.

  • Number of the same malware detected: 4

  • Interval: 24 hours

Multiple Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when all of the following conditions are met:

  • Multiple types of malware are detected on a computer that is a member of the specified parent collection, or one of its child collections.

  • The number of malware types detected meets the number specified in the alert configuration.

  • The detections occurred within the interval specified in the alert configuration.

Default trigger threshold when enabled:

  • No parent collections are specified by default.

  • Number of malware types detected: 4

  • Interval: 24 hours

To create and configure per-collection alerts

  1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.

  2. Click one of the per-collection alerts (Malware Detection, Repeated Malware Detection, or Multiple Malware Detection), and then in the Actions pane, click the New action.

  3. To configure the alert, set the options you need according to the following table.

    The options for each alert are as follows.

    Malware Detection Alert

      • Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

      • Select detection level: Specifies the computer state that can trigger an alert. Valid detection levels are described in the following list:

        • High (Malware is detected): The alert is triggered when there are one or more computers in the specified collection on which any malware is detected, regardless of the action taken by the Forefront Endpoint Protection client.

        • Medium (Action is required): The alert is triggered when there are one or more computers in the specified collection on which malware is detected and manual action is required on the Forefront Endpoint Protection client in order to complete the malware removal.

        • Low (Malware is active): The alert is triggered when there are one or more computers in the specified collection on which malware is detected and is still active.

    Repeated Malware Detection Alert

      • Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

      • Number of the same malware detected: Specifies the number of detections of the same malware on a computer that is a member of the specified parent collection, or one of its child collections.

      • Interval: Specifies the interval during which the number of detections must occur.

    Multiple Malware Detection Alert

      • Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

      • Number of malware types detected: Specifies the number of different types of malware that must be detected on a computer that is a member of the specified parent collection, or one of its child collections.

      • Interval: Specifies the interval during which the number of detections must occur.

  4. For all alerts, in the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.

  5. When finished, click OK.
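The threshold rules from the alert table and the detection levels from the option table above, modelled as an added example that is not Microsoft's or FEP's code: each alert is evaluated over constructed detection records with the page's default thresholds. The record layout (computer, malware, detection time, client state), the three client-state values, and the sliding 24-hour window are assumptions made for illustration.

```python
# Added example, not Microsoft's or FEP's code; record layout and client states are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

OUTBREAK_COMPUTERS = 100        # Malware Outbreak default
REPEATED_COUNT = 4              # Repeated Malware Detection default
MULTIPLE_TYPES = 4              # Multiple Malware Detection default
INTERVAL = timedelta(hours=24)  # default interval shared by the three alerts
LEVELS = {"High": {"cleaned", "action_required", "active"},   # any detection (assumed client states)
          "Medium": {"action_required"}, "Low": {"active"}}   # manual action needed / still active

def window_hit(events, interval, needed, key=None):
    """True if an `interval`-long window of (ts, value) events holds >= `needed` events (or distinct key(e) values)."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        window = [e for e in events[i:] if e[0] - start <= interval]
        n = len(window) if key is None else len({key(e) for e in window})
        if n >= needed:
            return True
    return False

def bucket(dets, group, value):
    """Group (computer, malware, ts, state) records into lists of (ts, value)."""
    per = defaultdict(list)
    for d in dets:
        per[group(d)].append((d[2], value(d)))
    return per
def detection_alerts(dets, level="High"):
    """Malware Detection: computers whose client state matches `level`."""
    return sorted({c for c, _, _, state in dets if state in LEVELS[level]})
def repeated_alerts(dets, count=REPEATED_COUNT, interval=INTERVAL):
    """Repeated Malware Detection: same malware `count` times on one computer."""
    per = bucket(dets, lambda d: (d[0], d[1]), lambda d: d[1])
    return sorted(k for k, ev in per.items() if window_hit(ev, interval, count))
def multiple_alerts(dets, types=MULTIPLE_TYPES, interval=INTERVAL):
    """Multiple Malware Detection: `types` distinct malware on one computer."""
    per = bucket(dets, lambda d: d[0], lambda d: d[1])
    return sorted(c for c, ev in per.items() if window_hit(ev, interval, types, key=lambda e: e[1]))
def outbreak_alerts(dets, computers=OUTBREAK_COMPUTERS, interval=INTERVAL):
    """Malware Outbreak (global): same malware on `computers` unique computers."""
    per = bucket(dets, lambda d: d[1], lambda d: d[0])
    return sorted(m for m, ev in per.items() if window_hit(ev, interval, computers, key=lambda e: e[1]))

T0 = datetime(2011, 3, 1, 8, 0)  # constructed records: (computer, malware, detection time, client state)
SAMPLE = (
    [("PC-01", "Worm:Win32/Example.A", T0 + timedelta(hours=6 * i), "cleaned") for i in range(4)]
    + [("PC-02", f"Trojan:Win32/Example.{x}", T0 + timedelta(hours=i), "cleaned") for i, x in enumerate("ABCD")]
    + [("PC-03", "Worm:Win32/Example.A", T0 + timedelta(days=2 * i), "active") for i in range(4)]
    + [(f"PC-{n}", "Worm:Win32/Example.A", T0 + timedelta(minutes=n), "action_required") for n in range(100, 200)]
)
```

PC-03 shows the interval edge case: four detections of the same malware spread over six days never fall inside one 24-hour window, so the Repeated Malware Detection alert stays silent unless the interval is widened, while the same computer still satisfies the Low detection level because the malware is active.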

Important

You must enable the e-mail settings in Configuration Manager before Forefront Endpoint Protection will send e-mail notifications.

To enable and configure the global Malware Outbreak alert

  1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.

  2. Click Malware Outbreak Alert, and then in the details pane, double-click Malware Outbreak Alert.

  3. In the Malware Outbreak Alert Properties dialog box, select the Enable alert check box.

  4. Next to Number of computers with the same malware detected, type the number of computers on which the same malware must be detected in order to trigger this alert.

  5. In the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.

  6. When finished, click OK.

To configure e-mail settings

  1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Alerts.

  2. In the Actions pane, click E-mail Settings.

  3. To enable alerts to be sent by e-mail, select the E-mail alert notification check box.

  4. In the SMTP Server box, type the fully qualified domain name (FQDN) of your SMTP server.

    If your SMTP server uses a port other than the default port, in the Port box, type or select the port number.

  5. Under Authentication method, select the option for the credential type to use to authenticate the connection to the SMTP server.

    Important

    It is recommended that you use Integrated Windows Authentication as the authentication method. When you choose Integrated Windows Authentication, the computer account of the FEP server is used to authenticate to the SMTP server. Otherwise, you must ensure that the selected credentials exist on the specified SMTP server for authentication to succeed.

    To view the service credentials, in Windows Services, right-click Forefront Endpoint Protection Monitoring Service, click Properties, and then click Log On.

  6. In the E-mail from address box, type the e-mail address from which Forefront Endpoint Protection alerts are sent, and then click OK.

    Note

    To test the SMTP settings, instead of clicking OK, click Test and Close. This adds a test e-mail to the e-mail queue that is periodically processed by the Forefront Endpoint Protection Monitoring Service.

To view alerts in the Windows Event Viewer

  1. In the Windows Event Viewer, expand Applications and Services Logs, and then click Forefront Endpoint Protection.

  2. Double-click the alert you want to view.