Best way to monitor SCEP through configuration manager allowing me to quickly catch an active virus or malware that was not cleaned.

  • Question

  • Using SCCM v1810. I have set SCCM to send me email alerts for the below conditions on the all workstation clients collection.


    I have the detection threshold set to High - All detection and was thinking maybe I should set it to Low - Detected, still active?

    My director wants me to be able to catch active viruses or malware that defender was not able to clean or that was cleaned but continuously comes back so isn't really cleaned.

    With my current setting I get emails like this:

    Malware Name: Trojan:Win32/Skeeyah.G
    
    Number of infections: 1
    
    Last detection time(UTC time): 4/3/2019 6:29:51 PM
    
    These are the infections of this malware:
    
    1. Computer name: computer@domain.com
    
    Domain: domain
    
    Detection time(UTC time): 4/3/2019 6:29:51 PM Malware file path: containerfile:_C:\Users\username\Downloads\MusicDownloader.exe;file:_C:\Users\username\Downloads\MusicDownloader.exe->(inno#000001);webfile:_C:\Users\username\Downloads\MusicDownloader.exe|http://quick14.freemusicdownload.world/php/download6.php?i=8206319&e=m&b=c|pid:7960,ProcessStart:131987889253404917
    
    Remediation action: NoAction
    
    Action status: Succeeded
    
    

    You can see that it shows the remediation action is "NoAction" and that it succeeded. I go into ConfigMgr and go to Monitoring>Endpoint Protection Status>Malware Detected and then I search for "Skeeyah.G" open the All workstations clients collection and select the computername described in the email, click "Malware Detail" tab in the bottom and see the below:

    9/10 times it shows the action is Quarantined successfully but in this case the action does show no action was taken.

    My next step since it shows no action was taken would be to UNC to the filepath and see if that .exe file is still there, but if it showed quarantined successfully like it usually does I would stop there. Why does it typically show no action was taken but when I go to the computer in ConfigMgr it shows that it quarantined that threat successfully?

    With about 18,000 clients how do other people monitor SCEP? Do you do anything similar to what I am doing? This seems to be quite a hassle as I get a lot of these emails a day. Any recommendations or videos to watch on how other people do this or articles please let me know.

    Thursday, April 4, 2019 1:59 PM

All replies

  • Hi,

    The action tab shows No Action. This might occur if the computer is restarted after malware is detected and the malware is no longer detected, so if the device has restarted after quarantining successfully, it will be shown as No Action.

    Regards,
    Allen


    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 5, 2019 8:27 AM
  • So would you look into these every time you get an email about them, or is it something I can ignore? Trying to gauge the best way for me to know what is important for me to look into and what I can ignore comfortably, knowing there isn't some virus out there actively doing whatever it wants.
    Friday, April 5, 2019 12:33 PM
  • Hi,

    Sorry, I don't have a production environment, so I cannot share my experience.
    Have you read the example scenario below? We can monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection:
    1) By using the Endpoint Protection Status node under Security in the Monitoring workspace.
    2) By using the Endpoint Protection node in the Assets and Compliance workspace.
    3) By using the built-in Configuration Manager reports.

    https://docs.microsoft.com/en-us/sccm/protect/deploy-use/scenarios-endpoint-protection

    Regards,
    Allen

    Please remember to mark the replies as answers if they help.

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 10, 2019 9:11 AM
  • Having to go and check every day is one thing; getting an alert that says that I have an active virus that is not able to be cleaned by Defender is another. There is no customization of alerts. I get a large amount of alerts a day, most of them useless, just letting me know malware has been found and no action was done, and then I go and check only to find out it was successfully quarantined.

    Me having to go and check the monitoring every day is not really something I want to do. I want to be alerted when there is a problem. I don't want to be alerted when malware has been found and successfully quarantined. This just wastes my time.

    There doesn't appear to be a way to be alerted ONLY when there is malware/virus that is active and Defender failed to clean or quarantine it.

    Wednesday, April 10, 2019 2:10 PM
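Since ConfigMgr's alert e-mails cannot be filtered at the source, one way to cut the noise is to triage them after delivery. The script below is an added example, not part of this thread and not ConfigMgr or Defender code: it parses alert bodies in the plain-text format quoted in the question, splits Defender's multi-part "Malware file path" string into its components, and separates three cases worth a look from the rest: detections reported with no remediation action, detections whose action status is not "Succeeded", and the same malware re-detected on the same computer often enough to suggest it was never really cleaned. The sample alerts, hostnames, the URL, the recurrence threshold, and the action/status values other than "NoAction" and "Succeeded" are constructed for the demo. As the replies above note, "NoAction" in the e-mail does not by itself mean the threat is active, so that bucket is "verify in the console", not "confirmed infection".

```python
"""Triage ConfigMgr/SCEP malware alert e-mails (added example, not ConfigMgr code)."""
import re
from collections import defaultdict
from datetime import datetime

# Assumption, not a ConfigMgr setting: the same malware seen this many times
# on one computer is treated as "keeps coming back", i.e. not really cleaned.
RECURRENCE_THRESHOLD = 3

MALWARE_RE = re.compile(r"^Malware Name: (?P<name>.+?)\s*$", re.MULTILINE)

# One infection block as it appears in the alert body: the detection time and
# the resource path share a line; blank lines between fields are tolerated.
INFECTION_RE = re.compile(
    r"\d+\. Computer name: (?P<computer>\S+)\s+"
    r"Domain: (?P<domain>\S+)\s+"
    r"Detection time\(UTC time\): (?P<time>.+?) Malware file path: (?P<path>.+?)\s+"
    r"Remediation action: (?P<action>\S+)\s+"
    r"Action status: (?P<status>\S+)"
)


def parse_resource_path(raw):
    """Split Defender's resource string ('type:_value;type:_value;...') into
    (type, value) pairs. A webfile entry keeps its '|'-joined URL and process
    details as its value."""
    parts = []
    for piece in raw.split(";"):
        kind, sep, value = piece.partition(":_")
        parts.append((kind, value) if sep else ("unknown", piece))
    return parts


def parse_alert(body):
    """Return one detection dict per infection listed in an alert e-mail body."""
    header = MALWARE_RE.search(body)
    if not header:
        raise ValueError("alert body has no 'Malware Name:' line")
    detections = []
    for inf in INFECTION_RE.finditer(body):
        detections.append({
            "malware": header.group("name"),
            "computer": inf.group("computer"),
            "domain": inf.group("domain"),
            "time": datetime.strptime(inf.group("time"), "%m/%d/%Y %I:%M:%S %p"),
            "resources": parse_resource_path(inf.group("path")),
            "action": inf.group("action"),
            "status": inf.group("status"),
        })
    return detections


def triage(alert_bodies, threshold=RECURRENCE_THRESHOLD):
    """Classify detections across many alerts.

    'no_action' : e-mail reported no remediation (verify in the console);
    'failed'    : action status other than 'Succeeded';
    'recurring' : (computer, malware) pairs seen >= threshold times.
    """
    all_dets = [d for body in alert_bodies for d in parse_alert(body)]
    per_pair = defaultdict(list)
    for d in all_dets:
        per_pair[(d["computer"], d["malware"])].append(d)
    return {
        "no_action": [d for d in all_dets if d["action"] == "NoAction"],
        "failed": [d for d in all_dets if d["status"] != "Succeeded"],
        "recurring": sorted(p for p, ds in per_pair.items() if len(ds) >= threshold),
    }


# Constructed sample alert bodies in the format quoted in the question.
SAMPLE_ALERTS = [
r"""Malware Name: Trojan:Win32/Skeeyah.G
Number of infections: 1
Last detection time(UTC time): 4/3/2019 6:29:51 PM
These are the infections of this malware:
1. Computer name: pc-0001.example.test
Domain: example
Detection time(UTC time): 4/3/2019 6:29:51 PM Malware file path: containerfile:_C:\Users\u1\Downloads\MusicDownloader.exe;file:_C:\Users\u1\Downloads\MusicDownloader.exe->(inno#000001);webfile:_C:\Users\u1\Downloads\MusicDownloader.exe|http://dl.example.test/download.php?i=1|pid:7960,ProcessStart:131987889253404917
Remediation action: NoAction
Action status: Succeeded
""",
r"""Malware Name: Trojan:Win32/Skeeyah.G
Number of infections: 2
Last detection time(UTC time): 4/4/2019 9:02:10 AM
These are the infections of this malware:
1. Computer name: pc-0001.example.test
Domain: example
Detection time(UTC time): 4/4/2019 8:15:00 AM Malware file path: file:_C:\Users\u1\Downloads\MusicDownloader.exe
Remediation action: Quarantine
Action status: Succeeded
2. Computer name: pc-0002.example.test
Domain: example
Detection time(UTC time): 4/4/2019 9:02:10 AM Malware file path: file:_C:\Users\u2\AppData\Local\Temp\MusicDownloader.exe
Remediation action: Quarantine
Action status: Failed
""",
r"""Malware Name: Trojan:Win32/Skeeyah.G
Number of infections: 1
Last detection time(UTC time): 4/5/2019 11:40:33 AM
These are the infections of this malware:
1. Computer name: pc-0001.example.test
Domain: example
Detection time(UTC time): 4/5/2019 11:40:33 AM Malware file path: file:_C:\Users\u1\Downloads\MusicDownloader.exe
Remediation action: Quarantine
Action status: Succeeded
""",
]

if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for d in result["no_action"]:
        print("verify:", d["computer"], d["malware"], d["resources"][0][1])
    for d in result["failed"]:
        print("failed:", d["computer"], d["malware"], d["status"])
    for computer, malware in result["recurring"]:
        print("recurring:", computer, malware)
```

In practice the bodies would come from a mailbox or a mail-rule export rather than the embedded list; the three buckets are what a daily review would act on, and everything else (quarantined once, succeeded) can be dropped without reading.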
  • We are facing the same problem. The explanation from Microsoft lists an example when a PC was restarted and an external drive is not there. It can't be the only scenario possible. We get NoAction in almost every email alert. And when I look up the specific computer with NoAction, its last logon time was a few days ago, so it hasn't been restarted. Could NoAction mean that Windows Defender is not configured to remediate a specific malware and lets it sit on the computer? 

    Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts.

    Tuesday, September 17, 2019 1:34 PM