Home
  •  

Malware Cleaned Alert Rule

Microsoft.FEP.MalwareCleanedAlertRule (Rule)

Generates an alert when Microsoft Forefront Endpoint Protection client has reported on a cleaned malware.

Knowledge Base article:

Summary

This rule tracks successful malware cleanup operations.

Configuration

It is recommended that you keep this rule turned on with the default configuration.

Causes

This rule will generate an information alert if the client reports that it successfully cleaned malware.

Element properties:

TargetMicrosoft.FEP.ProtectedServer
CategoryCustom
EnabledTrue
Alert GenerateTrue
Alert SeverityInformation
Alert PriorityLow
RemotableTrue
Alert Message
Malware Cleaned
Forefront Endpoint Protection detected and cleaned malware from '{0}'. No further action is needed.

Malware Details:
Detection Time (GMT): {1}
Threat Name: {2}
Threat Location: {3}
More Information: {4}
Malware Severity: {5}
Category: {6}

Member Modules:

ID Module Type TypeId RunAs 
EventsDS DataSource Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.FEP.MalwareCleanedAlertRule" Enabled="true" Target="FEPLibrary!Microsoft.FEP.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Custom</Category>

  <DataSources>

    <DataSource ID="EventsDS" TypeID="FEPLibrary!Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS"/>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>0</Priority>

      <Severity>0</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.FEP.MalwareCleanedAlertRule.Alert"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Target/Property[Type="FEPLibrary!Microsoft.FEP.ProtectedServer"]/ServerId$</AlertParameter1>

        <AlertParameter2>$Data/Params/Param[4]$</AlertParameter2>

        <!-- Detection Time -->

        <AlertParameter3>$Data/Params/Param[8]$</AlertParameter3>

        <!-- Threat Name -->

        <AlertParameter4>$Data/Params/Param[22]$</AlertParameter4>

        <!-- Path -->

        <AlertParameter5>$Data/Params/Param[13]$</AlertParameter5>

        <!-- FW Link -->

        <AlertParameter6>$Data/Params/Param[10]$</AlertParameter6>

        <!-- Severity -->

        <AlertParameter7>$Data/Params/Param[12]$</AlertParameter7>

        <!-- Category -->

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/Params/Param[8]$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>