Get Operations Manager Warnings Alerts to reflect the correct URL (computername rather than LocalHost)

  • Question

  • Hi,

    We get Operations Manager Alerts sent to a communal IT email box. However, the URL in the messages is always pointing to http://localhost/reportserver:

    Severity:  Warning

    Status:  New

    Source:  Microsoft Forefront Client Security Threat ID = 2147637651

    Name:  Computer Infected - Successful Response (Alert Level 5)

    Description:  Client Security has detected and successfully responded to the following threat:

                - Threat name: Trojan:Win32/Opachki.C

                    - Performed action: Remove

     

            To investigate and resolve this incident:

                1.                Review the security status of the computer that was infected. Consult the Computer Detail report:

                     http://localhost/ReportServer?/Microsoft%20Operations%20Manager%20Reporting/Microsoft%20Forefront%

                2.                Learn more about the threat and its mitigation. Consult the Microsoft Malicious Software Encyclopedia:

                     http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Opachki.C

                3.                Identify other computers infected with this malware. Consult the Malware Detail Report:

                     http://localhost/ReportServer?/

     

    >>>How can I get it to point to the forefront server's actual computername so these can be opened from any computer and not just the forefront server (or without manually substituting the forefront server name for localhost)? I looked in notifications on the admin console and in the global setting but don't see where I can change this.

    Monday, August 30, 2010 9:32 PM

All replies

  • Hello Donia,

    In the spirit of trying the easiest things first, can you re-run the Configuration Wizard on the management server and ensure that the URLs specified there are server names and not localhost? Here are the steps: http://technet.microsoft.com/en-us/library/bb404215.aspx; you will likely need to do step #3 to launch the wizard. You should be able to generate test alerts by detecting the EICAR test file at www.eicar.org on a test client at that alert level.

    If that doesn't work, perhaps you can run the following query against the Collection Database to see if the URLs are incorrect for reportServerVRoot or webApplicationVRoot?

       Select * from OnePoint.dbo.ReportingSettings

    Thanks,
    Craig

     


    Forefront Client Security Support
    Friday, September 3, 2010 1:30 PM
  • Thanks Craig--those were both great suggestions! There is still no change in the emails, though.

    I reran the config wizard and noted the report URLs do show the actual forefront computername, rather than "localhost". I then opened an Eicar.txt file and looked to see the email that would result. (It showed "localhost" rather than the computername, as below):

            To investigate and resolve this incident:

                1.                Review the security status of the computer that was infected. Consult the Computer Detail report:

                     http://localhost/ReportServer?/

    >>>I then ran the query against OnePoint, and rather than localhost it also shows the correct computername path for ReportServerVRoot (http://FOREFRONTCOMPUTERNAME//ReportServer) and WebApplicationVRoot (http://FOREFRONTCOMPUTERNAME//Reports/Pages/Folder.aspx?ItemPath=%)

    It still annoyingly shows localhost everywhere in the email rather than the forefront computername.

    Thanks for your help!

    Friday, September 3, 2010 3:11 PM