Configuration Manager - Alerting 'Never Triggered'

  • Question

  • I have configured a collection to alert on malware detection and have created a subscription for that alert. When I download the EICAR test virus, Endpoint Protection detects it, yet the alert shows 'Never Triggered'. Oddly enough, if I highlight the alert in the console and select the Machines tab, it shows that the virus was detected. Any thoughts?

    To configure alerts, I used this article: http://technet.microsoft.com/en-us/library/hh508782.aspx

    Thanks in advance.

    Monday, July 23, 2012 3:43 PM

All replies

  • Just to make sure: have you refreshed the console (F5) on the alerts node?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, July 23, 2012 3:49 PM
    Moderator
  • Do you have the e-mail configured correctly?

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund

    Monday, July 23, 2012 3:58 PM
    Moderator
  • Yep, it still displays as never triggered:

    Monday, July 23, 2012 4:18 PM
  • Yes, when I test my SMTP connection, I receive a test email.
    Monday, July 23, 2012 4:20 PM
  • I am having the exact same problem, anyone have a solution?

    Thanks

    Thursday, September 13, 2012 5:00 PM
  • One thing I should mention is that I am seeing:

    Endpoint Protection Manager failed to generate malware detection alerts for type:"31". Verify that the site database is configured correctly. Error code returned is:"0x87d20002".

    messages when I look at the component status messages for SMS_ENDPOINT_PROTECTION_MANAGER. The odd thing is this used to work back in July and now it doesn't. The only things that I have done in the meantime that could have possibly caused this are as follows:

    1. I detached and migrated the SCCM database to a different partition on my SQL server. Everything seems fine though, as I was able to connect to the database, and all of my reporting seems to be functioning correctly.

    2. I ran some in-place SQL updates, moved from SQL Server 2008 to SQL Server 2008 R2 SP1; however, this is a supported edition of SQL for SCCM 2012. I did have a slight issue where the SCCM database instance suddenly started using a dynamic port. I removed this and ensured the static port was set, and my server was able to connect again.

    This is wrecking my head. We use this functionality to e-mail our offsite computer technicians malware alerts; it is a rather important feature in our organization, and the fact that we are having so much trouble with something so simple truly puzzles me.

    I would appreciate any assistance anyone could provide. I have scoured the net trying to find some troubleshooting documentation for this feature and I have been able to come up with nothing. I also checked the hotfix postings for SCCM 2012 and none seem to mention any type of issue as I have described above. Also, CU 1 mentions nothing about an issue exhibiting the above behaviour. I am at a loss.

    Thanks 


    • Edited by Binarymine Thursday, September 13, 2012 5:22 PM
    Thursday, September 13, 2012 5:19 PM
  • I don't know if that fixes your problem or if you already have seen that kb article: http://support.microsoft.com/kb/2709082, but you have to execute some SQL statements after moving the database.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, September 13, 2012 5:28 PM
    Moderator
  • Hi Torsten,

    Thank you for the response. I actually encountered the issue in the KB you referenced about a half hour after migrating the database, lol. I ran those commands against my SCCM database CM_H48.

    On my SQL server I have the following databases:

    CM_H48
    ReportServer$SCCM2012
    ReportServer$SCCM2012TempDB
    SUSDB

    What I am unsure of is whether the commands in the KB you linked need to be run on these databases as well. Also, does "sa" need to be the owner of all the databases? Currently it is the owner of only the CM_H48 database. I have an elevated account that I use for all SCCM administration that is currently the owner of the 3 additional databases.

    I am tempted to try changing the owner of the other 3 to see what would happen, but I wouldn't mind confirmation that it would actually fix it first.

    Thank you for your help so far

    Thursday, September 13, 2012 6:07 PM
  • Does anyone have anything further they could provide as suggestions? This issue is still outstanding for us.

    Wednesday, September 19, 2012 3:42 PM
  • We also migrated our database to a new server; it was around that time that email alerts stopped working.
    Wednesday, September 19, 2012 9:14 PM
  • Might be making some actual progress on this. I had one of our SQL guys look at some of the tables in our site database through SQL Management Studio. On the dbo.AlertForTrigger database there are numerous entries listed with "NULL" as the value. As a test we created an alert subscription for malware detections and ran a query on the said table using the following:

    SELECT * FROM alertfortrigger

    As soon as the alert was created and we refreshed the query, a new entry full of nothing but null values was present. To test a theory, our SQL guy ran an update query statement on the alertfortrigger table to set rulestate=1, alertstate=a, and evaluationsitenumber=1. He came up with these values based on what prior non-null value entries contained. Lo and behold, any alert that he ran the statement on began sending email alerts.

    So now I'm really confused. What the heck is going on here? It's as though SCCM does not have permission to write to some portions of the SQL database. What worries me the most is that if SCCM is having issues writing to this table, then how can I be sure it doesn't have issues writing to other portions?

    "TID Orion" could you confirm on your end whether the above applies to you as well?

    Thanks

    • Proposed as answer by martin1963 Thursday, November 5, 2015 10:26 PM
    Monday, September 24, 2012 2:24 PM
  • Great find! I can confirm that modifying a database record works. In our case, I went into the console > monitoring > alerts and then right clicked on the columns to view "Alert ID". In the database, I found the corresponding ID that relates to malware detection and changed the "AlertState" from X to A. After that we received an email for the alert.
    Tuesday, September 25, 2012 12:05 AM
  • Thanks, but it is only a workaround, as any new alert created will contain the same null information and will require a direct database edit to fix it. I would love it if someone could provide an actual fix to the original issue. Still at a loss as to what might have caused it in the first place; I still consider this outstanding.
    Tuesday, September 25, 2012 1:29 AM
  • Just call Microsoft CSS then. Otherwise they will not be aware of the problem and can't provide a fix.


    Torsten Meringer | http://www.mssccmfaq.de

    Tuesday, September 25, 2012 7:10 PM
    Moderator
  • This will sound like a stupid question, but I have never contacted CSS in my life. Is there not a $259.00 support cost to this? If that is the case I will need to get approval for it. We have a Software Assurance agreement with MS under our provincial government; however, I have no idea what our support call allotment is, if any.

    Thanks

    Tuesday, September 25, 2012 9:02 PM
  • If it's truly a bug, you will not be charged.

    Jason | http://blog.configmgrftw.com

    Tuesday, September 25, 2012 9:14 PM
  • Was there a resolution to this issue? I'm experiencing the same issue at a client's.

    All alerts created are set to 'Never Triggered'; however, all the reports are showing the EICAR test file as being detected. If I modify the alert in the database, changing the AlertState to A, then the alert is triggered and the Alert State in the console shows 'Active'.


    Friday, November 16, 2012 3:25 AM
  • Hi Johno,

    No resolution yet; however, I have submitted it to Microsoft Support and they are filing it as a bug. They were able to replicate the issue in a test environment and have confirmed that it seems to be the result of a database detach and re-attach. I will post back here when I receive any information regarding a possible fix. For now I would suggest you configure your alerts the way you want them and run the above query workaround against the table to get them responding. It has worked for both TID_Orion and myself.

    Thanks

    Monday, November 19, 2012 3:13 PM
  • Based on the information you provided I was able to fix all my alerts.

    First I found all my RuleStates that were incorrect looking for the NULL value:

            SELECT AlertID FROM alertfortrigger where RuleState IS NULL

    After I got the list of all alerts that were not working, I copied the list of AlertIDs and put them into a text editor where, using copy/paste, I was able to create commands to fix them all.

    for example:

    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777218
    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777219
    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777220
    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777221
    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777222
    update alertfortrigger set rulestate = 1, alertstate = 'A', evaluationsitenumber = 1 where AlertID = 16777223

    and on and on...

    then I ran it in SQL and from that point forward even NEW alerts worked correctly.

    I hope that helps


    • Edited by Anavar Smith Tuesday, November 12, 2013 6:16 PM formatting
    • Proposed as answer by SirUlu Tuesday, August 14, 2018 12:54 PM
    Tuesday, November 12, 2013 6:15 PM
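    The two workaround posts above (Binarymine's discovery of the NULL rows in dbo.AlertForTrigger and Anavar Smith's per-AlertID UPDATE list) can be collapsed into one set-based T-SQL script. This is an added example, not code posted in the thread or shipped by Microsoft. It assumes the site database name CM_H48 mentioned earlier in the thread; the column values it writes (RuleState = 1, AlertState = 'A', EvaluationSiteNumber = 1) are exactly the ones the thread reports as working. It shows the affected rows first, repairs them inside a transaction, and re-checks before committing, so a surprising row count can be rolled back rather than left in the site database.

```sql
-- Added example, not from the thread. Repairs every alert row whose RuleState
-- is NULL in one statement instead of one UPDATE per AlertID.
-- Assumption: the site database is CM_H48 (name taken from the thread).
-- Take a backup of the site database before running this; direct edits to it
-- are outside what the product supports, as the thread's moderators note.
USE CM_H48;
GO

-- 1. Review the rows that the workaround will touch before changing anything.
SELECT AlertID, RuleState, AlertState, EvaluationSiteNumber
FROM dbo.AlertForTrigger
WHERE RuleState IS NULL;

-- 2. Repair them in one transaction. The values are the ones the thread found
--    on healthy rows: RuleState = 1, AlertState = 'A', EvaluationSiteNumber = 1.
BEGIN TRANSACTION;

UPDATE dbo.AlertForTrigger
SET RuleState = 1,
    AlertState = 'A',
    EvaluationSiteNumber = 1
WHERE RuleState IS NULL;

-- Number of rows just changed; compare it with the count from step 1.
SELECT @@ROWCOUNT AS RowsRepaired;

-- 3. Verify: this must return no rows before you commit.
SELECT AlertID
FROM dbo.AlertForTrigger
WHERE RuleState IS NULL;

-- Replace COMMIT with ROLLBACK TRANSACTION if the counts do not match.
COMMIT TRANSACTION;
```

    Run it in SQL Server Management Studio as the same account used for the KB 2709082 post-move steps. The verify query at the end is the same one Anavar Smith used to find the broken alerts, so an empty result is the signal that nothing is left in the state the component status message 0x87d20002 was complaining about.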
  • This fix worked for me, thank you so much!
    Thursday, November 5, 2015 10:26 PM
  • Old post but still helpful with 1802.
    • Edited by SirUlu Tuesday, August 14, 2018 12:56 PM
    Tuesday, August 14, 2018 12:55 PM