Forefront Malware not being reported

  • Question

  • Hello all,
    I've recently added a new office to our Forefront deployment, and noticed something unusual: if I drill down through the "computers summary" report to a particular individual computer, I see a malware event as below -

    "

    11/03/2009 18:08:05

    1006

    Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/FakeXPA&threatid=2147610319
    Scan ID: {08DA080E-EAC4-4D18-BDB9-13AE980B285C}
    Scan Type: AntiMalware
    Scan Parameters: Full Scan
    User: NT AUTHORITY\NETWORK SERVICE
    Name: Trojan:Win32/FakeXPA
    ID: 2147610319
    Severity: High
    Category: Trojan
    Path Found: file:C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\XBVFPLGY\InstallAVg_77018101[1].exe
    Detection Type: Concrete

     
    Yet this event has not issued an alert as normal "concrete" events do. My alert level is set to 3 which has not changed.
    Any ideas as to where the issue could be would be much appreciated.
    Thanks,
    Howard
    Friday, March 13, 2009 10:44 AM

All replies

  • Try to update your deployment and policies; there might be a delay in update reporting. If that doesn't help, contact the Forefront Support team. Also make sure the client is fully registered in Active Directory.
    Friday, July 23, 2010 8:38 AM
  • I've got the exact same problem with these 1006 event IDs. They do not generate an email alert and the scheduled (Full) scans that find these DO NOT clean them. If a manual full scan is run then action is taken. I also have policy alert level set to 3.
    Friday, February 4, 2011 8:23 PM