Responding to flooding detection

Applies To: Forefront Client Security

Flood detection ensures that an attacker cannot perform a denial of service (DoS) attack by flooding the MOM server in your Client Security infrastructure. Such an attack would require compromising a MOM agent or spoofing a client computer.

Flood detection monitors the number of events that client computers send to the MOM server during the past four days. If a client computer sends more event messages than is allowed or sends a message containing more parameters than is allowed, the flood detection feature generates a "Flooding Detected" alert. To protect the server, the flood detection feature may also disconnect the client computer by moving it into the Pending Machine list. This causes the MOM server to stop monitoring events from the flooding computer.

Another possible cause for a "Flooding Detected" alert is when an automatic service repeatedly tries to access an infected resource that real-time protection is blocking.
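As an added illustration, not part of this article or of the Client Security product, the following Python model applies the two flood-detection triggers described above to a constructed set of client events and shows which computers would be moved off the managed list. The four-day window and the 40-parameter limit come from the text; the per-computer event limit and the event records are assumed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=4)      # from the text: events in the past four days
MAX_PARAMETERS = 40             # from the text: more than 40 parameters
MAX_EVENTS_PER_WINDOW = 5       # assumed placeholder; the real limit is configurable


def flooding_computers(events, now):
    """Return {computer: reason} for every computer that would raise a
    "Flooding Detected" alert. `events` is an iterable of
    (computer, timestamp, parameter_count) tuples."""
    cutoff = now - WINDOW
    counts = defaultdict(int)
    flagged = {}
    for computer, ts, nparams in events:
        # Trigger 1: a single message carrying too many parameters.
        if nparams > MAX_PARAMETERS:
            flagged.setdefault(computer, "oversized event message")
        # Trigger 2: too many messages inside the four-day window.
        if ts >= cutoff:
            counts[computer] += 1
            if counts[computer] > MAX_EVENTS_PER_WINDOW:
                flagged.setdefault(computer, "too many events in window")
    return flagged


def pending_after_flood(managed, flagged):
    """Model the protective disconnect: flooding computers leave the
    agent-managed set and land in the pending list, so the MOM server
    stops monitoring their events."""
    pending = sorted(c for c in managed if c in flagged)
    still_managed = sorted(c for c in managed if c not in flagged)
    return still_managed, pending


# Constructed sample data (not real telemetry).
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_EVENTS = (
    [("WS01", SAMPLE_NOW - timedelta(hours=h), 5) for h in range(7)]        # 7 recent events
    + [("WS02", SAMPLE_NOW - timedelta(hours=1), 41)]                        # one oversized message
    + [("WS03", SAMPLE_NOW - timedelta(days=6, hours=h), 5) for h in range(10)]  # old, outside window
    + [("WS03", SAMPLE_NOW - timedelta(hours=2), 5)]
    + [("WS04", SAMPLE_NOW - timedelta(hours=3), 5)]
)
SAMPLE_MANAGED = ["WS01", "WS02", "WS03", "WS04"]

if __name__ == "__main__":
    flagged = flooding_computers(SAMPLE_EVENTS, SAMPLE_NOW)
    print(flagged)
    print(pending_after_flood(SAMPLE_MANAGED, flagged))
```

WS03's burst of old events falls outside the window, so it stays managed; only the two computers that trip a trigger move to pending.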

Note

It is recommended that you use the default settings that control when Client Security issues a "Flooding Detected" alert; however, you can configure some of the settings. For more information, see Configuring "Flooding Detected" alert parameters.

To respond to a "Flooding Detected" alert

  1. Ensure that the flooding computer is disconnected from the Client Security collection server. To do so, in the MOM Administrator console, expand Microsoft Operations Manager, click Administration, click Computers, click Agent-managed Computers, and then look for the computer.

    • If it is listed, right-click it and select Force to Unmanaged Management Mode.

    • If it isn’t listed, the collection server automatically disconnected the computer and you can find it in Pending Actions.

  2. Determine the cause of the incident and investigate why the computer generated many events or an oversized event message:

    1. To view the Computer Detail report and learn about the events reported by this computer and its overall security status, use the link on the Properties tab of the alert.

    2. Review the events reported from the computer in the MOM Operator console. Determine if there are events with more than 40 parameters.

  3. Resolve the issues that you find:

    • If there is a software issue that is causing the flooding, determine the root cause and fix it.

    • If there was an attack, take action to protect your organization from the attack and repair the computer.

  4. After you have resolved the issues, reconnect the computer to the Client Security collection server:

    1. Restart the MOM service on the flooding computer. To do so, at a command prompt enter the following commands:

      net stop mom

      net start mom

    2. Approve the computer in the MOM Administrator console. To do so, expand Microsoft Operations Manager, click Administration, click Computers, click Pending Actions, right-click the computer, and then click Approve.

  5. It is recommended that you enable the automatic approval of newly installed agents. To do so:

    1. On the Client Security collection server, open the MOM Administrator console and expand Microsoft Operations Manager, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Server Behaviors, and then click Event Rules.

    2. Double-click Run Flood Detection.

    3. In the Event Rules Properties dialog box, click the Responses tab.

    4. Double-click the script.

    5. In the Launch a Script dialog box, double-click the Auto-Approve Pending Computers script parameter.

    6. In the Edit Script Parameter dialog box, type true in the Value box.

    7. Click OK three times, and then right-click the Management Packs node and click Commit Configuration Change. MOM implements the changes you made.