Archive for the ‘reports’ Category

Forefront Endpoint Protection (FEP) 2010: FEP Reports may not display properly

From Angela Latimer, CSS

If you are using Forefront Endpoint Protection (FEP) 2010, you may have tried running one of the three default FEP reports and noticed that not all areas or sub-reports display properly. You may see an error while processing or retrieving the reporting data, similar to the error shown below:

Error while trying to run the Antimalware Activity Report:

[Screenshot of the error]

We found that this error was caused by the installed version of Microsoft SQL Server not being up to date with the latest Cumulative Update package. Cumulative Update packages contain hotfixes that address issues in the currently installed version of Microsoft SQL Server, whether that is the Release to Manufacturing (RTM) build, a Service Pack (SP), or a Feature Release (R).

While digging into the details of the error behind the FEP reports not displaying properly, we found the following entries in the System Center Configuration Manager console and/or in the %drive%:\Program Files (x86)\Microsoft Configuration Manager\Logs\SRSRP.log file, reporting Error ID 7403 for the health check of the SRS Reporting Point thread:

STATMSG: ID=7403 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SRS_REPORTING_POINT" SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 17:57:26.302 2009 ISTR0="HACM01" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)
Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)

In the two environments in which we discovered this issue, Microsoft SQL Server 2008 and SQL Server 2008 R2 were running, but the Cumulative Update package had NOT been installed. As soon as this update was installed, the FEP reports began displaying properly.
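As an added example (not part of the original post), the following Python script parses status-message lines in the SRSRP.log format quoted above and pulls out the ID 7403 health-check failures, so the condition can be spotted without scrolling the log by hand. The sample log text is constructed in that format; the server name HACM01 and the 57-minute retry come from the page.

```python
import re
from typing import Dict, List

# A status message in SRSRP.log is "STATMSG: KEY=VALUE KEY=VALUE ...". Values are
# double-quoted (possibly empty), bare tokens, or, for GMTDATE only, an unquoted
# date containing spaces, so that one field is extracted separately.
HEALTH_CHECK_FAILURE_ID = "7403"   # SRS reporting point health-check failure (from the page)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s"]*)')
_GMTDATE_RE = re.compile(r'GMTDATE=(.*?)\s+ISTR0=')

def parse_statmsg(line: str) -> Dict[str, str]:
    """Parse one STATMSG line into a dict of its KEY=VALUE attributes (quotes stripped)."""
    if not line.startswith("STATMSG:"):
        raise ValueError("not a STATMSG line")
    fields = {key: value.strip('"') for key, value in _KV_RE.findall(line)}
    m = _GMTDATE_RE.search(line)
    if m:
        fields["GMTDATE"] = m.group(1)   # the generic regex only captured the weekday token
    return fields

def find_health_check_failures(log_text: str, error_id: str = HEALTH_CHECK_FAILURE_ID) -> List[Dict[str, str]]:
    """Return every STATMSG record with SEV=E and the given ID; free-text log lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("STATMSG:"):
            rec = parse_statmsg(line)
            if rec.get("SEV") == "E" and rec.get("ID") == error_id:
                hits.append(rec)
    return hits

# Constructed sample in the format quoted above: two health-check cycles 57 minutes apart.
SAMPLE_LOG = """\
STATMSG: ID=7403 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SRS_REPORTING_POINT" SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 17:57:26.302 2009 ISTR0="HACM01" ISTR1="" ISTR2="" NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)
Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)
STATMSG: ID=7403 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SRS_REPORTING_POINT" SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 18:54:26.302 2009 ISTR0="HACM01" ISTR1="" ISTR2="" NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 11:54:26 AM 5572 (0x15C4)
Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 11:54:26 AM 5572 (0x15C4)
"""

if __name__ == "__main__":
    for rec in find_health_check_failures(SAMPLE_LOG):
        print(f"{rec['GMTDATE']}: {rec['COMP']} on {rec['ISTR0']} reported status message {rec['ID']}")
```

Point the script at a real SRSRP.log by reading the file into `find_health_check_failures`; repeated hits roughly an hour apart are the pattern described above.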

At the time of this blog post, these are the most current Cumulative Update packages for Microsoft SQL Server 2008 and 2008 R2. However, you should do a Bing search to ensure you are always installing the latest version.



Monitoring Forefront Endpoint Protection 2010 – Security alerts

November 15th, 2010

In previous posts, I’ve described the monitoring experience in Forefront Endpoint Protection 2010 (FEP) Release Candidate. Those descriptions included the FEP dashboard as well as the built-in reports. In real life, however, no one expects an administrator to stare at the dashboard and wait for something to happen. Instead, administrators expect to be notified when security incidents are detected.

FEP security alerts are used to detect the incidents about which administrators want to be notified. When designing FEP alerts, we used the following guidelines:

  1. Important – Administrators should be actively notified of FEP alerts (by email notification).
  2. Actionable – There should be a recommended action associated with each alert.
  3. Timely – Administrators should be notified of security incidents in a timely manner.
  4. Manageable – Enable administrators to control the number of alerts issued per day.
  5. Correct – Avoid false positives by providing threshold-based alerts.

The following alert types are provided with FEP 2010:

Malware Detection
  Scenario: Malware was detected on a computer. This alert is triggered based on mitigation.
  Configuration:
    • Collection to monitor
    • Detection level (sensitivity), based on the result of FEP mitigation
  Recommended action: Navigate to the FEP computer details report to identify the malware detected on the computer.

Malware Outbreak
  Scenario: Malware is spreading across the organization. This alert is triggered based on the number of detections.
  Configuration:
    • Number of computers detected with the same malware in 24 hours
  Recommended action: Navigate to the FEP malware detail report to learn more about the malware and see the list of infected computers.

Repeated Malware Detection
  Scenario: A computer is being repeatedly infected by the same malware. This alert is triggered based on the number of repeated detections.
  Configuration:
    • Collection to monitor
    • Number of repeated detections
    • Time interval for detection
  Recommended action: Navigate to the FEP computer details report to learn more about the computer as well as the malware.

Multiple Malware Detection
  Scenario: A computer is being infected with multiple malware types. This alert is triggered based on the number of malware detections on a single computer.
  Configuration:
    • Collection to monitor
    • Number of different malware types
    • Time interval for detection
  Recommended action: Navigate to the FEP computer details report to learn more about the computer as well as the malware types.

Tip: In addition to email notifications, FEP alerts are kept as event log entries on the FEP server as well as in the FEP database. These event log entries are useful when alert forwarding is required (e.g. to Operations Manager or via SNMP).
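To make the threshold logic behind the Malware Outbreak, Repeated Malware Detection and Multiple Malware Detection alerts concrete, here is an added Python example (not FEP’s own code) that evaluates those three rules over a constructed set of detection events. The default threshold values, the 7-day interval, and the computer and malware names are assumptions; the 24-hour outbreak window and the "Collection to monitor" scoping follow the table above.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Set

class Detection(NamedTuple):
    time: datetime
    computer: str
    malware: str

class Alert(NamedTuple):
    kind: str      # which of the three threshold-based alert types fired
    subject: str   # malware name, computer name, or "computer/malware"
    count: int     # the value that crossed the threshold

def _within(events: List[Detection], now: datetime, window: timedelta) -> List[Detection]:
    return [e for e in events if timedelta(0) <= now - e.time <= window]

def evaluate_alerts(events: List[Detection], now: datetime, collection: Optional[Set[str]] = None,
                    outbreak_computers: int = 5, repeat_count: int = 3, multi_types: int = 3,
                    interval: timedelta = timedelta(days=7)) -> List[Alert]:
    """Apply the Outbreak, Repeated and Multiple rules. Threshold defaults are assumptions, not FEP's."""
    alerts: List[Alert] = []
    # Malware Outbreak is organisation-wide: the same malware on >= N distinct computers within 24 hours.
    by_malware = defaultdict(set)
    for e in _within(events, now, timedelta(hours=24)):
        by_malware[e.malware].add(e.computer)
    alerts += [Alert("Malware Outbreak", m, len(pcs))
               for m, pcs in sorted(by_malware.items()) if len(pcs) >= outbreak_computers]
    # The two per-computer rules honour "Collection to monitor": only members of the collection count.
    scoped = [e for e in _within(events, now, interval) if collection is None or e.computer in collection]
    by_pair, by_computer = defaultdict(int), defaultdict(set)   # (pc, malware) -> hits; pc -> malware names
    for e in scoped:
        by_pair[(e.computer, e.malware)] += 1
        by_computer[e.computer].add(e.malware)
    alerts += [Alert("Repeated Malware Detection", f"{pc}/{m}", n)
               for (pc, m), n in sorted(by_pair.items()) if n >= repeat_count]
    alerts += [Alert("Multiple Malware Detection", pc, len(names))
               for pc, names in sorted(by_computer.items()) if len(names) >= multi_types]
    return alerts

# Constructed detection events; computer and malware names are placeholders, not real samples.
NOW = datetime(2010, 11, 15, 12, 0)
_ago = lambda hours: NOW - timedelta(hours=hours)
SAMPLE_EVENTS = (
    [Detection(_ago(h), f"PC0{h}", "Sample.Worm") for h in range(1, 6)]        # 5 computers in 5 hours
    + [Detection(_ago(30), "PC08", "Sample.Worm")]                                # older than 24h: not an outbreak count
    + [Detection(_ago(24 * d), "PC06", "Sample.Trojan") for d in (1, 2, 3)]     # re-detected 3 times
    + [Detection(_ago(2), "PC07", name) for name in ("Sample.A", "Sample.B", "Sample.C")]  # 3 types
)
```

Calling `evaluate_alerts(SAMPLE_EVENTS, NOW)` yields one alert of each type; passing `collection={"PC01"}` keeps the organisation-wide outbreak alert but drops the two per-computer alerts, which is the false-positive control the "Manageable" and "Correct" guidelines describe.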


Ziv Rafalovich,
Senior Program Manager
