Endpoint protection Enable/Disable Logs?

    Question

  • Hi,

    I would like to know where the log for System Center Endpoint Protection is when it is being enabled/disabled. Some servers on our system are always alerting that it is being disabled, but when I check it, it's enabled. I would like to know if someone is disabling it or if it's a miscommunication between our servers and the SCOM server. Thanks!

    Wednesday, January 31, 2018 2:48 AM

All replies

  • Do you mean that a specific component like real-time protection scanning is being disabled, or do you mean the Microsoft Antimalware service itself is being disabled? Either way, you should be able to find the answer in the Event Viewer System log. Look for

    Source: Microsoft Antimalware

    Or, if the service itself is being disabled, look for

    Source: Service Control Manager

    Event ID: 7040

    "The start type of the Microsoft Antimalware Service service was changed from auto start to disabled"

    https://ccmcache.wordpress.com/ | @kevmjohnston

    Wednesday, January 31, 2018 2:58 PM
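    The two Event Viewer checks above, as an added PowerShell example that is not part of the thread: it pulls the 'Microsoft Antimalware' events and the Service Control Manager 7040 events for the antimalware service so their timestamps can be lined up against the SCOM alert times. It assumes it runs on the alerting server (or inside Invoke-Command) with rights to read the System log, and the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Assumes read access to the System log.
$Since = (Get-Date).AddDays(-7)

# 1) Everything logged by the antimalware client itself. Event 3002 (quoted later in
#    this thread) is a real-time protection failure, not a disable action.
$amEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    StartTime    = $Since
} -ErrorAction SilentlyContinue

$amEvents |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 2) Service start-type changes. 7040 fires for every service, so narrow it to the
#    antimalware service by the message text Kevin quoted.
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Microsoft Antimalware Service*' }

$scmEvents |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Reading the result: a 7040 hit means someone or something changed the service start
# type at that time; no 7040 hits and only 3002-style errors point at the client or
# filter driver (or at the SCOM side), not at a deliberate disable.
```

    Compare the TimeCreated values with the SCOM alert timestamps; an alert with no matching event in either list is the "miscommunication" case the question asks about.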
  • Thanks Kevin!

    I've checked both,

    From the source 'Microsoft Antimalware', this is all I can see:

    "Microsoft Antimalware Real-Time Protection feature has encountered an error and failed.
    Feature: On Access
    Error Code: 0x80004005
    Error description: Unspecified error 
    Reason: The filter driver skipped scanning items and is in pass through mode. This may be due to low resource conditions.

    Event ID: 3002"

    The time of the event log is different from the alert from our SCOM monitoring. Also, there are some days when no alert was triggered.

    I don't see anything from the source 'Service Control Manager' that's about the endpoint protection.

    Monday, February 5, 2018 9:18 AM
  • Are you running the latest anti-malware platform version?

    https://blogs.technet.microsoft.com/configurationmgr/2017/03/16/anti-malware-platform-support/


    https://ccmcache.wordpress.com/ | @kevmjohnston

    Monday, February 5, 2018 2:54 PM
  • This is the current SCEP installed:

    Antimalware Client Version: 4.5.216.0
    Engine Version: 1.1.14500.5
    Antivirus definition: 1.261.761.0
    Antispyware definition: 1.261.761.0
    Network Inspection System Engine Version: 2.1.14202.0
    Network Inspection System Definition Version: 118.2.0.0

    Tuesday, February 6, 2018 1:10 AM
  • Per the documentation link in my previous comment, that version is unsupported. You should update to the latest version (currently 4.10.209.0):

    https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie


    https://ccmcache.wordpress.com/ | @kevmjohnston

    • Marked as answer by JkSinchioco Thursday, March 1, 2018 3:06 AM
    Tuesday, February 6, 2018 8:02 AM
  • You are right Kevin, it should be updated with the latest version...
    • Edited by Alaina Jodi Saturday, April 7, 2018 10:31 AM
    Saturday, April 7, 2018 10:30 AM