
Question: Email administrator for infected systems?

  • Monday, February 04, 2008 10:35 PM S Clark

    In our current environment we are running TrendMicro OfficeScan version 6. When a workstation encounters a virus, OfficeScan immediately notifies via e-mail the A/V administrator indicating username and machine name and other pertinent information concerning the virus. We are looking for the same functionality in FFCS.

     

    We introduced a test virus (eicar.com) to a Vista workstation with FFCS installed. FFCS detected the test virus and allowed the user to take appropriate action. This was also indicated in the Forefront reporting feature. However, we also need to receive immediate notification via email when such an event occurs anywhere among our 600+ workstations.

     

    Most applications that we administer have direct, built-in SMTP notification features that allow setup and testing of the notification process without having to have prior knowledge of what Event ID to filter.

     

    Does FFCS have this capability, and if so, what are the steps to set it up. Other than what you send me yesterday concerning the setup steps in MOM?

All Replies

  • Tuesday, February 05, 2008 8:50 AM chrisw_uk

    Hi Stuart,

     

    FCS can certainly do this. I'm not sure what you mean by "Other than what you send me yesterday concerning the setup steps in MOM?"

     

    MOM will be the product that will generate and send the email to the admins when such an incident occurs on one of your workstations.

     

    If you want to receive alerts even if the action performed by FCS means that the virus was cleaned successfully, you will need to ensure that your policy is using Alert Level 4; 3 will only notify you of an unsuccessful clean.

    Once that is done, in MOM configure the email server in the settings section, and then in notifications add in the relevant email address you want to send alerts to under the Forefront Client Security notifications group.

    MOM takes a few mins to then apply the change, but you should then start receiving alerts.

     

    Hope this helps

    cheers

    Chris

  • Tuesday, February 05, 2008 3:07 PM Sclark

    Thanks for your help!

     

    But where can I get steps for where you wrote the following:

    "Once that is done, in MOM configure the email server in the settings section, and then in notifications add in the relevant email address you want to send alerts to under the Forefront Client Security notifications group."?

  • Wednesday, February 06, 2008 7:49 AM Yaniv Feldman (MVP)

    Hey Stuart,

    Hope this answers your question:

    From my blog: Configure E-Mail Notifications in Forefront Client Security - Step-By-Step Guide

  • Wednesday, February 06, 2008 11:25 AM chrisw_uk

    Hi Stuart,

     

    Here are the steps:

    1. Set the Email Server details - MOM admin Console, Administration, Global Settings. Go into Email Server and configure the server name and the reply address.

    2. Again in MOM admin console, go to Management Packs, Notification, Notification Groups and you should see "Client Security Notification Group".

    Go to the properties of this, and add "new operators" for anyone you wish to receive an email.

    Ensure they are in the "Group Operators" column when done to have them sent an email.

    3. Commit the config change to make it go through by right-clicking at "Management Packs" and choosing "Commit Configuration Change".

    You should then start getting email alerts for issues!

    Again, make sure you have the policy set to Alert Level 4 to ensure you get emails of successful cleans.

    cheers

    Chris

     

  • Wednesday, February 06, 2008 11:27 AM chrisw_uk

    How strange, that post from Yaniv wasn't there when I posted the above!!

    With screenshots, so nice and clear!

    Thanks Yaniv

     

    Chris

     

  • Thursday, February 07, 2008 4:51 AM Yaniv Feldman (MVP)

    Not a problem...

    I have several of those in my blog... :-)

  • Thursday, July 09, 2009 5:50 AM Mohsen Almassud
    Hi Chris,

    I used all the great information you provided here, and I only have one question. Now, when you said "If you want to receive alerts even if the action performed by FCS means that the virus was cleaned successfully, you will need to ensure that your policy is using Alert Level 4; 3 will only notify you of an unsuccessful clean."

    Where do I find these settings to make sure I get alerted for all levels, and then of course I'll change them later to be alerted only for 3 and 4?

    Thanks
    Mohsen