
Investigating Malware Activity in Windows Intune

Updated: November 1, 2013

Applies To: Windows Intune

The Windows Intune administrator console lets you easily find malicious software that needs follow-up so that you can take appropriate action. A malicious software instance needs follow-up if its current status is one of the following: Malware active, Action failed, Manual steps needed, Full scan needed, or Restart needed. This state is indicated by a Critical icon in the Windows Intune administrator console. For more information, see Malware Alert Levels in Windows Intune. Malicious software, or malware, that needs follow-up should be investigated immediately.

  1. Open the Windows Intune administrator console.

  2. In the workspace shortcuts pane, click the Endpoint Protection icon.

  3. In the navigation pane, click Overview if it is not already selected.

  4. The Endpoint Protection Overview page appears and displays issues sorted by severity, starting with Critical issues. The issues are displayed as links.

  5. Do one of the following:

    • To focus your investigation first on which malicious software needs follow-up, under Malware Status, click Malware instances that need follow-up. A list of relevant malicious software appears.

      In the Follow-Up Needed column, click the number next to the malicious software that you want to investigate. The Computers tab of the Properties page for the malicious software opens, displaying a list of computers that have the malicious software.

    • To focus your investigation first on which computers have malicious software that needs follow-up, under Computer Status, click Computers with malware that need follow-up. A list of relevant computers appears.

      In the Follow-Up Needed column, click the number next to the computer that you want to investigate. The Malware tab of the computer Properties page opens, displaying a list of relevant malicious software that was found on the computer.

      You can right-click the malicious software instance, and then click View Properties to open the relevant properties page for the malicious software, or click Learn about this Malware to review a relevant Microsoft Malware Protection Center topic. Click Copy Text to copy the information that is displayed in the list for the selected malicious software instance to another location.

  6. For each computer or malicious software instance in the list, the Current Status column indicates whether the malicious software is active on the computer, the action failed (the malicious software could not be removed from the client computer), manual steps are needed, a full scan is needed, or a client computer restart is needed.

    The Malware Execution column indicates whether the malicious software was running on the client computer when it was detected, was blocked from running on the client computer, or was not detected again when an administrator- or user-initiated full system scan was run (indicated by Unknown status).

  7. In the preview pane, review recommended actions, current status, and general information for the malicious software instance.

  8. Complete any recommended actions to resolve the malicious software. For example, it may be recommended that you do the following:

    • Click Learn about this malware to review a Microsoft Malware Protection Center topic about the malicious software.

    • Click Run a full scan to initiate a full system scan on the computer on which the malicious software was detected. Running a full system scan will cause the current status for the malicious software instance to change to Recently Resolved. For information about full system scans, see Running a Windows Intune Endpoint Protection Scan.

© 2014 Microsoft