Configuring "Malware Outbreak" alert parameters

Applies To: Forefront Client Security

You can configure two parameters that control whether the console issues alerts about malware outbreaks. It is recommended that you use the default parameters; however, the parameters you can configure are:

  • Check frequency—How often the console checks for a malware outbreak. Consider changing this parameter when the workload of your MOM server is too high.

  • Occurrence threshold—The minimum number of malware discoveries that will generate the alert. Consider changing this parameter when you receive many more outbreak alerts than is useful.

    Note

    Alerts about malware outbreaks may occur too often when computers are protected by a policy set for a higher alert level than is necessary. Before changing the parameters for malware outbreaks, check the alert level of the policies protecting computers affected by an outbreak. If the alert level is too high, lower it and see if the number of alerts about malware outbreaks falls to an acceptable level.

Each check for a malware outbreak is assigned to a time slot, which determines the frequency and the time window of the check. You can configure the frequency of the check but not the time window. To be counted as part of an outbreak, malware occurrences must be within the time window of a check.

You should never set the check frequency greater than the size of the time window. If you do, the console may not take some malware data into consideration when checking for an outbreak.

The following table shows the default values for occurrence thresholds and the time slots to which each alert level is assigned.

Alert level   Detected by   Occurrence threshold   Time slot
2             Scan          100                    4
2             RTP           100                    1
3             Scan          20                     4
3             RTP           20                     2
4             Scan          10                     4
4             RTP           10                     3
5             Scan          5                      4
5             RTP           5                      4
Global        Scan          100                    4
Global        RTP           10                     1

    Note

    A global outbreak alert is caused by malware alerts, regardless of the alert level of the policies protecting the affected computers.

Default values for check frequencies and check time windows are shown in the following table.

Time slot   Check frequency (minutes)   Check time window (minutes)
1           5                           7
2           15                          15
3           15                          30
4           15                          60
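To make the interaction between check frequency, check time window and occurrence threshold concrete, the following Python simulation is an added example (not code from Forefront Client Security or from this article). It evaluates the default rules from the two tables above against a constructed burst of detections and shows why a check frequency larger than the time window can let an outbreak go unreported; the exact window boundary handling is an assumption.

```python
from collections import namedtuple

# Default values from the two tables on this page.
# time slot -> (check frequency, check time window), both in minutes
TIME_SLOTS = {1: (5, 7), 2: (15, 15), 3: (15, 30), 4: (15, 60)}
# (alert level, detected by) -> (occurrence threshold, time slot)
THRESHOLDS = {
    (2, "Scan"): (100, 4), (2, "RTP"): (100, 1),
    (3, "Scan"): (20, 4), (3, "RTP"): (20, 2),
    (4, "Scan"): (10, 4), (4, "RTP"): (10, 3),
    (5, "Scan"): (5, 4), (5, "RTP"): (5, 4),
    ("Global", "Scan"): (100, 4), ("Global", "RTP"): (10, 1),
}

# Constructed record of one malware detection: when (minute), the alert
# level of the policy protecting the computer, and "Scan" or "RTP".
Detection = namedtuple("Detection", "minute level detected_by")


def outbreak_alerts(detections, level, detected_by, horizon, frequency=None):
    """Return the minutes at which the given outbreak rule would fire.

    Assumption: a check run at minute t counts the detections that fall in
    the window (t - time_window, t]; the page does not state the exact
    boundary handling. `frequency` overrides the slot's default frequency
    so the effect of a mis-set value can be seen.
    """
    threshold, slot = THRESHOLDS[(level, detected_by)]
    default_frequency, window = TIME_SLOTS[slot]
    frequency = frequency or default_frequency
    fired = []
    for t in range(frequency, horizon + 1, frequency):
        count = sum(
            1 for d in detections
            if d.detected_by == detected_by
            and (level == "Global" or d.level == level)  # global rules count every level
            and t - window < d.minute <= t
        )
        if count >= threshold:
            fired.append(t)
    return fired


if __name__ == "__main__":
    # 100 real-time protection detections on level-2 computers, all at minute 12.
    burst = [Detection(12, 2, "RTP")] * 100
    print(outbreak_alerts(burst, 2, "RTP", 30))                # default 5-minute checks
    print(outbreak_alerts(burst, 2, "RTP", 30, frequency=10))  # 10 > 7-minute window
```

With the default 5-minute frequency the level-2 RTP rule fires at minute 15; with the frequency raised to 10 minutes neither check window covers minute 12, so the same burst produces no alert.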

Changing occurrence thresholds

Using the MOM Administrator console, you can configure the occurrence thresholds for malware outbreaks. There are separate rules for each protection type (scheduled scan and real-time protection), for each outbreak alert level (2, 3, 4, and 5), and for global outbreak alerts, which count the threats in all alert levels.

To configure an occurrence threshold

  1. On the collection server, open the MOM Administrator console, expand the Microsoft Operations Manager tree, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Server Alerts, and then click Event Rules.

  2. Double-click the malware outbreak event type for which you want to change the occurrence threshold.

  3. In the Event Rules Properties dialog box, click the Criteria tab.

  4. Click Advanced.

  5. Under Process only data that matches all these criteria, select Parameter 6 and click Remove.

  6. In the Value box, type the new occurrence threshold. You must enter eight digits. At the beginning of the new threshold value, add as many zeros as needed to make the entry eight digits.

  7. Click Add to list, click Close, and then click OK.

  8. Right-click the Management Packs node and click Commit Configuration Change. MOM implements the changes you made.

Changing the frequency of checks

Using the MOM Administrator console, you can configure the frequency of checks for malware outbreaks. There are separate rules for each time slot.

To change the frequency of checks

  1. On the collection server, open the MOM Administrator console, expand the Microsoft Operations Manager tree, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Server Behaviors, and then click Event Rules.

  2. Double-click the time slot for which you want to change the frequency.

  3. In the Event Rules Properties dialog box, click the Data Provider tab.

  4. Click Modify.

  5. In the Generate event time box, type the new frequency (the unit is minutes). Do not make the frequency greater than the check time window of that time slot. Click OK.

  6. In the Event Rules Properties dialog box, click OK.

  7. Right-click the Management Packs node and click Commit Configuration Change. MOM implements the changes you made.