Monitoring performance and health

 

Applies to: Forefront Protection 2010 for SharePoint

You can monitor your Microsoft Forefront Protection 2010 for SharePoint (FPSP) environment by viewing statistics and health monitoring reports. In the Forefront Protection 2010 for SharePoint Administrator Console, click Monitoring and under Server Security Views, click Dashboard.

In the Server Security Views - Dashboard pane, you can view the following information:

  • The name of the computer running SharePoint.

  • Health monitors. You can monitor the health of your scan jobs, services, engines, and licensing.

  • Summary performance monitors. For each scan job type, there is a pie chart showing the number of scanned files that contained malware and the number of scanned files that matched each filter type (file and keyword). The total number of files scanned is also listed along with the date and time that the data was last refreshed.

Monitoring the health of your system

You can monitor the health of FPSP by viewing the health monitors at the top of the Dashboard. There are four types of health monitors:

  • Scan Jobs—Monitors the current state of your scan jobs.

  • Services—Monitors the current state of FPSP services.

  • Engines—Monitors the current state of your scan engines.

  • Licensing—Monitors the current state of your FPSP license.

Viewing health item details

Each of the monitors has an associated Show details link. To see the underlying details, click Show details. This displays summary icons and underlying details.

The summary icons are as follows:

  • Healthy—A green circle with a check mark. This indicates good health and that no action is required.

  • Warning—A yellow triangle with an exclamation mark. This indicates a less than ideal situation that likely bears close monitoring.

  • Error—A red circle with an "X". This indicates an error that may require fixing.

  • Unknown—A question mark. This indicates that FPSP has not yet reached the scheduled health check interval, is not able to determine the current health, or that the item is not defined for your system. An event is generated as soon as FPSP determines the health status.

The underlying details are as follows:

  • Health Point—Tells you what is being monitored, for example Realtime scan SP processes.

  • Last Refresh—Tells you the last time the health point was checked.

  • Message—Tells you the current status of the health point being monitored, including information about any problems that the monitor encountered.

Note

If FPSP either has not yet reached the scheduled health check interval or was not able to determine the current health of the health point, there is no message. A message is generated as soon as FPSP determines the health status.

About the health points

Note

To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

These are the scan job health points that FPSP monitors and the recommended resolution when a health point is not green (healthy):

| Health Point | Meaning | Resolution |
| --- | --- | --- |
| Selected realtime engine initialization | Monitors whether all engines selected for the realtime scan have been initialized. | Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the Universal Naming Convention (UNC) configuration settings are appropriate. |
| Realtime scan enabled | Monitors whether the realtime scan has been enabled. | Using the Forefront Protection 2010 for SharePoint Administrator Console or the Forefront Management Shell, check that the realtime scan is not bypassed. In the Antivirus Settings of SharePoint Central Administration, make sure that Scan documents on upload and Scan documents on download are enabled. |
| Realtime scan processes | Monitors whether the realtime scan processes are running normally. | Restart the World Wide Web Publishing Service. |
| SharePoint service hooked | Monitors whether the SharePoint service is running and the Forefront VSAPI Library is registered. | Analyze the event log for details regarding the error. |
| Selected scheduled engine initialization | Monitors whether all engines selected for the scheduled scan have been initialized. | Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate. |

These are the services health points that FPSP monitors and the recommended resolution when a health point is not green (healthy):

| Health Point | Meaning | Resolution |
| --- | --- | --- |
| Available disk space | Monitors the amount of disk space remaining. | Clear disk space on the server running SharePoint and FPSP. |
| Eventing service | Monitors whether the eventing service is functioning. | Start the Microsoft Forefront Server Protection Eventing service. |
| E-mail pickup service | Monitors whether the mail pickup service is functioning. | Start the Microsoft Forefront Server Protection Mail Pickup service. |
| FPSP controller service | Monitors the FPSP controller service. | Start the Microsoft Forefront Server Protection Controller for SharePoint service. |
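The services health points above can also be checked outside the Dashboard, for example from a scheduled task that raises an alert when protection services stop. The following Windows PowerShell script is an added example, not part of the product documentation: the display-name wildcards are assumed to match the services named above, and the 10 percent free-space threshold and the `New-HealthRow` helper are illustrative choices, not FPSP values.

```powershell
# Added example, not Microsoft's code. Assumptions: the display-name
# wildcards match the services named above; $MinFreePercent is an
# arbitrary threshold, not the value FPSP itself uses.
$MinFreePercent = 10
$servicePatterns = @(
    'Microsoft Forefront Server Protection Eventing*',
    'Microsoft Forefront Server Protection Mail Pickup*',
    'Microsoft Forefront Server Protection Controller*'
)

# Hypothetical helper: builds one report row (works on PowerShell 2.0).
function New-HealthRow($Point, $State, $Detail) {
    New-Object PSObject -Property @{ HealthPoint = $Point; State = $State; Detail = $Detail }
}

$rows = @()
foreach ($pattern in $servicePatterns) {
    $found = @(Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        # Same meaning as the Dashboard's Unknown icon: not defined on this system.
        $rows += New-HealthRow $pattern 'Unknown' 'No matching service installed'
    }
    foreach ($svc in $found) {
        $state = if ($svc.Status -eq 'Running') { 'Healthy' } else { 'Error' }
        $rows += New-HealthRow $svc.DisplayName $state "Service status: $($svc.Status)"
    }
}

# Available disk space on local fixed disks (DriveType 3).
foreach ($disk in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')) {
    if (-not $disk.Size) { continue }
    $freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    $state = if ($freePct -lt $MinFreePercent) { 'Warning' } else { 'Healthy' }
    $rows += New-HealthRow "Disk $($disk.DeviceID)" $state "$freePct% free"
}

$rows | Sort-Object State | Format-Table HealthPoint, State, Detail -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent alert on it.
if ($rows | Where-Object { $_.State -ne 'Healthy' }) { exit 1 }
```

A stopped protection service is reported as Error because realtime scanning depends on it; treat that state as a reason to check the event log, not only to restart the service.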

These are the engines health points that FPSP monitors and the recommended resolution when a health point is not green (healthy):

| Health Point | Meaning | Resolution |
| --- | --- | --- |
| All engine updates enabled | Monitors whether the engines that were selected for updating were successfully updated. | Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate. |
| Selected engines updated | Monitors whether the engines that were selected for scan jobs were also selected for updates. | Ensure that the engines selected for updating match the engines selected for scanning. |
| Selected engines update period | Monitors whether the engines that were selected for updating were updated recently. | Ensure that the HTTP proxy server is configured properly, that there are no network issues, and that the UNC configuration settings are appropriate. |

This is the licensing health point that FPSP monitors and the recommended resolution when a health point is not green (healthy):

| Health Point | Meaning | Resolution |
| --- | --- | --- |
| License status | Monitors whether your license is still valid, is nearing expiration, or has expired. | Enter the product key in the FPSP Administrator Console or by entering Windows PowerShell commands in the Forefront Management Shell. If you do not have a product key, contact your Microsoft sales representative or visit the Pricing and Licensing site. |

Viewing engine summary information

You can monitor engine summary information for FPSP by viewing the Engines health monitor, and then selecting Engine Summary.

In the Engine Summary dialog box, you can view the following information about engine and definition updates:

  • Engine—The scan engine, for example Microsoft Antimalware Engine.

  • In Use—Indicates whether the engine is in use with a scan job.

  • Updates Enabled—Indicates whether updating is enabled (Yes) or disabled (No) for the engine.

  • Engine Version—The version of the engine.

  • Definition Version—The version of the malware definition files currently in use by the engine. (This data may not be available for every engine.)

  • Last Update—The date and time of the last successful or failed update of the engine or definition files. Failed updates appear in red text.

  • Last Check—The date and time of the last check made for a new engine or definition update.

Note

You can sort any of the columns alphabetically by clicking the column's heading. For information about changing how the engine and definition files are updated, see Configuring engine and definition updates.

Customizing the Dashboard view

You can customize which items appear on the Server Security Views – Dashboard pane.

To customize the Dashboard view

  1. In the Actions section, click Control Gallery.

  2. In the Control Gallery dialog box, select which items you want to appear on the Server Security Views – Dashboard pane. A check mark next to the item indicates that it is displayed; no check mark indicates that it is hidden (you can also click the red X box, associated with each item, to remove it from the view).

    By default, the Scheduled Scan Summary, On-Demand Scan Summary, Health Monitors, and Realtime Scan Summary are displayed.

  3. Click Exit to close the Control Gallery dialog box.

Monitoring performance by viewing statistics

You can monitor the performance of FPSP by viewing the statistics on the Dashboard. If you need the statistics broken down further, you can view detailed malware statistics and detailed filtering statistics.

Note

Statistics data (for instance, the total number of files that were scanned) is accumulated from the time you begin using FPSP, unless you reset the data as explained later in this topic.

Viewing detailed malware statistics

To see statistics about files with malware, click Monitoring and under Server Security Views, click Malware Details. In the Server Security Views - Malware Details pane, the details are broken out by scan job type: realtime, on-demand, and scheduled. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Files scanned—The total number of files that were scanned.

  • Malware detected in files—The total number of files that were detected as containing malware.

  • Files suspended—The total number of files that were suspended due to malware detections. This data is only for realtime scans.

  • Files cleaned—The total number of files that were cleaned due to malware detections.

  • Files deleted—The total number of files that were replaced with deletion text due to malware detections. This data is only for scheduled and on-demand scans.

  • Files skipped (detection only)—The total number of files that were detected and logged as containing malware, but with no other action taken.

  • Files quarantined—The total number of files that were quarantined due to malware detections.

  • File parts scanned—The total number of file parts (for example, files included within container files) that were scanned.

  • Malware detected in file parts—The total number of file parts that were detected as containing malware.

  • File parts suspended—The total number of file parts that were suspended due to malware detections. This data is only for realtime scans.

  • File parts deleted—The total number of file parts that were replaced with deletion text due to malware detections.

  • File parts cleaned—The total number of file parts that were cleaned due to malware detections.

  • File parts skipped (detection only)—The total number of file parts that were detected and logged as containing malware, but with no other action taken.

  • File parts quarantined—The total number of file parts that were quarantined due to malware detections.

Viewing detailed filtering statistics

To see statistics about files that matched filters, click Monitoring and under Server Security Views, click Filtering Details. In the Server Security Views - Filtering Details pane, the details for file filter matches and keyword filter matches are broken out by scan job type: realtime, on-demand, and scheduled. You can sort any of the columns by clicking its heading. To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

The following details are given:

  • Files scanned—The total number of files that were scanned.

  • Files containing filter matches—The total number of files that matched filters.

  • Files suspended due to filter matches—The total number of files suspended due to filter matches. This data only applies to realtime scans.

  • Files deleted due to filter matches—The total number of files deleted and replaced with deletion text due to filter matches. This data only applies to scheduled and on-demand scans.

  • Files skipped due to filter matches (detection only)—The total number of files detected and logged due to filter matches, with no other action taken.

  • Filter matches quarantined as entire files—The total number of entire files quarantined due to filter matches.

  • File parts scanned—The total number of file parts (for example, files included within container files) that were scanned.

  • File parts containing filter matches—The total number of file parts that matched filters.

  • File parts suspended due to filter matches—The total number of file parts suspended due to filter matches. This data only applies to realtime scans.

  • File parts deleted due to filter matches—The total number of file parts deleted and replaced with deletion text due to filter matches. This data only applies to scheduled and on-demand scans.

  • File parts skipped due to filter matches (detection only)—The total number of file parts detected and logged due to filter matches, with no other action taken.

  • Filter matches quarantined as individual file parts—The total number of individual file parts quarantined due to filter matches.

Resetting statistics data

You can reset malware and filtering statistics in order to begin a fresh count.

  • In the Server Security Views - Malware Details pane or in the Server Security Views - Filtering Details pane, in the Actions section, click the action to Clear Realtime Scan Statistics, Clear Scheduled Scan Statistics, or Clear On-Demand Scan Statistics. Regardless of which pane you are in, this clears the statistics for both malware and filtering.

    Clicking these actions clears all malware and filtering data for the selected scan job. Depending on which Action option you selected, the statistics for the Dashboard and the associated details reports (Malware Details and Filtering Details) are reset to zero.

  • To reset all statistics (malware and filtering) for all scan jobs, in the Server Security Views - Dashboard pane, in the Actions section, click the action to Clear All Statistics.