Very infected and re-infected computers

Applies To: Forefront Client Security

Client Security detects when specific computers become infected frequently or have multiple malware infections. In either event, Client Security creates an alert. For details about how to view alerts, see Viewing alerts.

About "Very Infected Computer" alerts

Client Security generates a "Very Infected Computer" alert when a single computer has reported many malware infections in a single day. By default, the alert triggers when five or more malware infections are detected on the computer within a single day. Although it is recommended that you use the default setting, you can change the number of occurrences that triggers this alert. For more information, see Configuring "Very Infected Computer" alert parameters.

Likely causes for this alert are as follows:

  • A single attacker is using multiple malware threats to try to compromise the computer.

  • Another vulnerability allows multiple malware infections.

  • A user on the computer repeatedly causes malware infections.

About "Re-Infected Computer" alerts

Client Security generates a "Re-Infected Computer" alert when a single computer has reported many occurrences of the same malware in the past three days. By default, the alert triggers when three or more infections by the same malware are detected on the computer within three days. Although it is recommended that you use the default setting, you can change the number of occurrences that triggers this alert. For more information, see Configuring "Re-Infected Computer" alert parameters.

Likely causes for this alert are as follows:

  • Another vulnerability allows a specific malware threat to re-infect a computer.

  • A user on the computer repeatedly causes infection by the malware.

  • Client Security does not fully mitigate the threat.

Malware severities and alert levels

The alert level of the policy that protects a computer determines the severity level necessary to trigger a "Very Infected Computer" or "Re-Infected Computer" alert. Only infections with the severities included for the specific alert level are counted toward triggering the alert. The following table correlates the alert levels with the corresponding malware severities counted.

Alert level   Malware severities counted
-----------   --------------------------------------------------------------------------
5             Severe, high, elevated, moderate, and low
4             Severe, high, and elevated
3             Severe and high
2             Severe
1             Not applicable—These alerts are not issued for computers in alert level 1.
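The two thresholds and the severity table above can be checked against a stream of detection events. The following is an added illustration and is not Client Security's own code: it models the default rules (five counted infections on one computer in a single day; three counted infections by the same malware on one computer within three days) and filters events by the severities counted for the policy's alert level. The event records, computer names and malware names are constructed for the example. Two details are assumptions, since the page does not specify them: the "single day" window is treated as a calendar day, and the "past three days" window as a rolling 72-hour span.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alert level -> malware severities counted, as in the table on this page.
SEVERITIES_COUNTED = {
    5: {"severe", "high", "elevated", "moderate", "low"},
    4: {"severe", "high", "elevated"},
    3: {"severe", "high"},
    2: {"severe"},
    1: set(),  # no "Very Infected" / "Re-Infected" alerts at level 1
}

VERY_INFECTED_THRESHOLD = 5               # default: five infections in one day
REINFECTED_THRESHOLD = 3                  # default: three infections by the same malware
REINFECTED_WINDOW = timedelta(days=3)     # assumption: rolling 72-hour window


def ev(computer, malware, severity, when):
    """Build one constructed detection event."""
    return {"computer": computer, "malware": malware,
            "severity": severity, "time": datetime.fromisoformat(when)}


# Constructed sample events (names and times are not from any real incident).
SAMPLE_EVENTS = [
    ev("WS-01", "Trojan.Constructed.A", "severe",   "2007-03-01T08:00"),
    ev("WS-01", "Trojan.Constructed.B", "high",     "2007-03-01T09:15"),
    ev("WS-01", "Trojan.Constructed.C", "elevated", "2007-03-01T11:30"),
    ev("WS-01", "Adware.Constructed.D", "moderate", "2007-03-01T13:00"),
    ev("WS-01", "Adware.Constructed.E", "low",      "2007-03-01T17:45"),
    ev("WS-02", "Worm.Constructed.X",   "high",     "2007-03-01T10:00"),
    ev("WS-02", "Worm.Constructed.X",   "high",     "2007-03-02T10:00"),
    ev("WS-02", "Worm.Constructed.X",   "high",     "2007-03-03T09:00"),
    ev("WS-03", "Worm.Constructed.X",   "high",     "2007-03-01T10:00"),  # 5 days apart,
    ev("WS-03", "Worm.Constructed.X",   "high",     "2007-03-05T10:00"),  # so never three
    ev("WS-03", "Worm.Constructed.X",   "high",     "2007-03-06T10:00"),  # inside 72 hours
]


def counted(events, alert_level):
    """Keep only events whose severity is counted at this alert level."""
    allowed = SEVERITIES_COUNTED.get(alert_level, set())
    return [e for e in events if e["severity"].lower() in allowed]


def very_infected(events, alert_level, threshold=VERY_INFECTED_THRESHOLD):
    """Return sorted (computer, ISO date) pairs whose per-day count reached the threshold.
    Assumption: 'a single day' means one calendar day."""
    per_day = defaultdict(int)
    for e in counted(events, alert_level):
        per_day[(e["computer"], e["time"].date().isoformat())] += 1
    return sorted(key for key, n in per_day.items() if n >= threshold)


def reinfected(events, alert_level, threshold=REINFECTED_THRESHOLD,
               window=REINFECTED_WINDOW):
    """Return sorted (computer, malware) pairs with `threshold` counted detections
    of the same malware inside one rolling `window`."""
    times = defaultdict(list)
    for e in counted(events, alert_level):
        times[(e["computer"], e["malware"])].append(e["time"])
    hits = set()
    for key, ts in times.items():
        ts.sort()
        # Slide a window of `threshold` consecutive detections over the sorted times.
        for i in range(threshold - 1, len(ts)):
            if ts[i] - ts[i - threshold + 1] <= window:
                hits.add(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    for level in (5, 4, 3, 2, 1):
        print(f"alert level {level}:")
        print("  very infected:", very_infected(SAMPLE_EVENTS, level))
        print("  re-infected:  ", reinfected(SAMPLE_EVENTS, level))
```

Running it shows the effect of the policy's alert level: WS-01 only becomes "very infected" at level 5, because at level 4 its moderate and low detections are no longer counted and only three remain; WS-02 is "re-infected" at levels 3 and above, but not at level 2, where high-severity detections are not counted; WS-03 never qualifies because its three detections of the same malware do not fall inside one three-day window.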

Working with a re-infected or very infected computer

To resolve a "Very Infected Computer" or a "Re-Infected Computer" alert, you must first resolve each malware infection on the computer. For more information, see Working with an infected computer.

After you have resolved the individual infections, investigate why the computer has been infected frequently. Consider the following:

  • If you suspect the malware came from your network, start a scan on all client computers.

  • If you suspect the malware infected the computer due to user actions, such as clicking links in instant messages or visiting suspicious Web sites, educate users about the risks of malware and how to avoid infection.

  • If the malware came from outside your network, investigate ways of preventing re-infection. For example, you can use an edge firewall, such as Microsoft Internet Security and Acceleration (ISA) Server, to block traffic from sources that are likely to have been the source of the malware. You could also update your e-mail servers' malware protection, using a program such as Microsoft Antigen.