FEP Alert Timing

  • Article

Forefront Endpoint Protection FEP provides actionable alerts on security events to desktop administrators. The time it takes to receive these alerts depends on multiple settings. The following information explains the alert process and the associated timing for alerts to be delivered to the administrator.

Warning

While you can change some of the following values, the change might adversely affect the Configuration Manager environment and the Forefront Endpoint Protection environment.

Each FEP alert originates as an event on a FEP client computer. When malware is detected on a FEP client computer, the following actions occur:

  • Event ID 1116 is logged in the event log of the computer on which the malware is detected, and the malware is suspended. Depending on the action results, the FEP client logs one of the following events:

    1. Event ID 1117 is logged when an action is taken.

    2. Event ID 1118 is logged when an action fails.

    3. Event ID 1119 is logged when an action experiences a non-critical failure.

    4. If no manual action is taken by the end user after a prescribed period of time, Event ID 1117 is logged.

  • The FEP client calls the Desired Configuration Management (DCM) agent. The DCM agent evaluates the baselines assigned to the client computer and creates an XML report in the form of a state message.

    • The FEP client creates a report in the .\root\Microsoft\SecurityClient WMI namespace by using the Malware and AntimalwareInfectionStatus classes.

    • By default, state messages are sent to the Configuration Manager management point every 15 minutes.

    • If the client recently reported a state message, the next state message will not be sent until the next 15 minute period.

    • This state message is stored in the Configuration Manager database.

  • On the instance of SQL Server that hosts the Configuration Manager database, a SQL Server Agent job transfers data from the Configuration Manager database to the FEP reporting database.

    • The SQL Server job is named **FEP_GetNewData_FEPDW_**XXX, where XXX is your Configuration Manager site code.

    • This job runs every 15 minutes; however, the load on your database server might increase the time it takes for this job to complete.

  • The Forefront Endpoint Monitoring service checks the FEP reporting database for events that trigger an alert.

    • The Forefront Endpoint Monitoring service appears on the task list of the database server as FEPSrv.

    • The FEPSrv service checks the database every 2 minutes.