Alert but no trace on the computer?

  • Question

  • Hello,

    In the report "Alert Summary", sent on a daily basis, I have this type of alert for several computers:

    Re-Infected Computer (Alert Level 3), Malware - Virus:Win32/Murofet.A
    ARCHIBUS2
    CONFIGMGRDTS
    EAS02
    
    Re-Infected Computer (Alert Level 3), Malware - 2147638816
    MISYS01
    

    If I expand the computer on the report I have: 

    10/4/2010 12:10:00 PM 20003 Microsoft Forefront Client Security has identified a re-infected computer:
    Version = 1.0.1703.0
    Window start time = 10/1/2010 12:10:00 PM
    Window end time = 10/4/2010 12:10:00 PM
    Event count = 17
    Threat ID = 2147638826
    Threat name = Virus:Win32/Murofet.A 

    I checked on the computers the event logs and could not find this event 20003 anywhere in System, Security or Application.

    As it is sent to the management, this is a deal. The time span for the report is 24 hours, but in the event comments it is showing a period of 3 days. Why?

    Where could I find the event?

    Thanks,
    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
    Monday, October 4, 2010 8:09 PM

Answers

  • Hi,

    Thanks for the post.

    Please understand that it is MOM event ID 20003, which cannot be found in the System, Security or Application event logs; we could check it in the MOM Administrator console. The detailed steps are as follows:

    On the collection server, open the MOM Administrator console, expand the Microsoft Operations Manager tree, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Host Alerts, click Alert Level 3, and then click Event Rules. You can find the event ID 20003.

    In addition, Client Security generates a "Re-Infected Computer" alert when a single computer has reported many occurrences of the same malware in the past three days. By default, three infections by the same malware is the minimum number of infections (detected within three days) that will trigger this alert.

    For detailed information, you could access the following links:

    http://technet.microsoft.com/en-us/library/bb418839.aspx

    Hope this helps.

    Miles

    • Marked as answer by Miles Zhang Monday, October 18, 2010 1:59 AM
    Tuesday, October 5, 2010 9:43 AM
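The answer above explains the rule behind the "Re-Infected Computer" alert: the same malware reported on one computer at least three times within a three-day look-back window, independent of the 24-hour span of the daily report. The following is an added example, not code from the thread or from Forefront Client Security, that simulates that rule over constructed detection records. The computer names and threat IDs echo the ones quoted in the question; the timestamps, the `window`/`threshold` parameters and all function names are assumptions made for the illustration. It also shows why a computer can appear in today's report with no detections in the last 24 hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection records: (computer, timestamp, threat id, threat name).
# Values are made up for this example; names and threat ids echo the thread.
SAMPLE_DETECTIONS = [
    ("ARCHIBUS2", "2010-10-01 13:00", 2147638826, "Virus:Win32/Murofet.A"),
    ("ARCHIBUS2", "2010-10-02 09:30", 2147638826, "Virus:Win32/Murofet.A"),
    ("ARCHIBUS2", "2010-10-03 02:15", 2147638826, "Virus:Win32/Murofet.A"),
    ("EAS02",     "2010-10-04 08:00", 2147638826, "Virus:Win32/Murofet.A"),
    ("EAS02",     "2010-10-04 10:00", 2147638826, "Virus:Win32/Murofet.A"),
    ("MISYS01",   "2010-09-30 23:00", 2147638816, "2147638816"),  # older than 3 days, ignored
    ("MISYS01",   "2010-10-02 11:00", 2147638816, "2147638816"),
    ("MISYS01",   "2010-10-03 11:00", 2147638816, "2147638816"),
    ("MISYS01",   "2010-10-04 11:00", 2147638816, "2147638816"),
]

# Time at which the daily report is generated (taken from the event text in the question).
REPORT_TIME = datetime(2010, 10, 4, 12, 10)


def parse(records):
    """Turn the string timestamps of the sample records into datetime objects."""
    return [(host, datetime.strptime(ts, "%Y-%m-%d %H:%M"), tid, name)
            for host, ts, tid, name in records]


def reinfection_alerts(detections, window_end, window=timedelta(days=3), threshold=3):
    """Count detections of the same threat on the same computer inside the look-back window
    (window_end - window, window_end] and return those reaching the threshold,
    keyed by (computer, threat id). Defaults mirror the 3 days / 3 infections stated in the thread."""
    window_start = window_end - window
    counts = defaultdict(int)
    names = {}
    for host, ts, tid, name in detections:
        if window_start < ts <= window_end:
            counts[(host, tid)] += 1
            names[(host, tid)] = name
    return {
        key: {"event_count": n, "threat_name": names[key],
              "window_start": window_start, "window_end": window_end}
        for key, n in counts.items() if n >= threshold
    }


def recent_count(detections, key, window_end, window=timedelta(days=1)):
    """Detections for one (computer, threat id) pair inside a shorter window, e.g. the
    24-hour span of the daily report, to contrast with the 3-day alert window."""
    window_start = window_end - window
    host, tid = key
    return sum(1 for h, ts, t, _ in detections
               if h == host and t == tid and window_start < ts <= window_end)


def format_alert(key, info):
    """Render an alert in the same shape as the summary lines quoted in the question."""
    host, _ = key
    return (f"Re-Infected Computer (Alert Level 3), Malware - {info['threat_name']}\n"
            f"    {host}  (event count = {info['event_count']}, window = "
            f"{info['window_start']:%m/%d/%Y %I:%M %p} .. {info['window_end']:%m/%d/%Y %I:%M %p})")


if __name__ == "__main__":
    detections = parse(SAMPLE_DETECTIONS)
    alerts = reinfection_alerts(detections, REPORT_TIME)
    for key, info in sorted(alerts.items()):
        print(format_alert(key, info))
        # Shows that a computer can alert today with nothing in the last 24 hours.
        print(f"    detections in the last 24h: {recent_count(detections, key, REPORT_TIME)}")
```

Run as a script, ARCHIBUS2 and MISYS01 raise the alert (three detections each inside the 3-day window), EAS02 does not (only two), and ARCHIBUS2 shows zero detections in the last 24 hours: its three hits all fall on 10/1 to 10/3, which is exactly the situation the question describes. Tuning `window` or `threshold` lets you see how the alert count would change before touching the rule in the MOM console.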