Addressing "Malware On Network" alerts

Published: December 16, 2009

Applies To: Forefront Client Security

When Client Security detects malware, it may create a "Malware On Network" alert in addition to the "Computer Infected" alert, depending on the alert level of the infected computer. Both alerts indicate whether Client Security successfully completed the actions dictated by the policy.

Unlike a "Computer Infected" alert, a "Malware On Network" alert encourages you to consider the malware from the perspective of your whole organization's security. Rather than advising you to repair and secure the infected computer, it advises you to consider how to prevent the malware from recurring or from spreading to other computers.

To resolve a "Malware On Network" alert

  1. Resolve each malware infection on the computer. For more information, see Working with an infected computer. In particular, for this type of alert:

    • Determine if there is an entry for the malware in the Microsoft Malicious Software Encyclopedia, and then learn about any global mitigations that can protect your organization from this malware, such as closing a firewall port.

    • View the Malware Detail report. To learn about the malware found and the action attempted, use the link on the Properties tab of the alert.

  2. Decide whether the software detected is unwanted.

    If the software is acceptable, edit the policy and on the Overrides tab, set a different default action for this software. For more information, see Overriding default responses to malware.

    If the software is unacceptable, take the following actions, as appropriate:

    • If the infected resource is on a read-only share on a different computer than the one that reported the infection, then you should identify the server that the file is on, troubleshoot why that server is not detecting the malware, ensure that real-time protection is enabled on that server, and ensure that the server has regularly scheduled full scans.

    • If the infected resource is on a read-only media, then remove the media and avoid using it.

    • Ensure that Client Security client software and definitions are up to date on all clients. Use the Deployment Summary report to determine what versions of software and definitions are deployed. For more information, see Viewing and printing reports.

    • Investigate how the computer became infected with this software and take steps to prevent new infections from occurring in the same manner.

    • Scan the network again. For more information, see Scanning managed computers now.

    • Use what you learned about the software while performing step 1 to determine how to prevent the propagation of the software on your network. Depending on the type of software, steps may include actions such as blocking traffic over specific ports or tightening security policies on your e-mail servers.

    • If the default action for this software was to leave the software on the computer (such as quarantining the software) and this is unacceptable, edit the policy and on the Overrides tab, set a different default action for this software. For more information, see Overriding default responses to malware.

 
Show: