当 Microsoft Forefront Endpoint Protection 客户端报告已清除恶意软件时生成警报。
此规则跟踪成功的恶意软件清除操作。
建议您使用默认配置保持此规则为打开状态。
如果客户端报告它成功清除了恶意软件,则此规则将生成一条信息警报。
| Target | Microsoft.FEP.ProtectedServer | ||
| Category | Custom | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | Information | ||
| Alert Priority | Low | ||
| Remotable | True | ||
| Alert Message |
|
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| EventsDS | DataSource | Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS | Default |
| GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
Home
CHS <Rule ID="Microsoft.FEP.MalwareCleanedAlertRule" Enabled="true" Target="FEPLibrary!Microsoft.FEP.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="EventsDS" TypeID="FEPLibrary!Microsoft.FEP.ProtectedServer.MalwareCleanedEventDS"/>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="Health!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>0</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.FEP.MalwareCleanedAlertRule.Alert"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Target/Property[Type="FEPLibrary!Microsoft.FEP.ProtectedServer"]/ServerId$</AlertParameter1>
<AlertParameter2>$Data/Params/Param[4]$</AlertParameter2>
<!-- Detection Time -->
<AlertParameter3>$Data/Params/Param[8]$</AlertParameter3>
<!-- Threat Name -->
<AlertParameter4>$Data/Params/Param[22]$</AlertParameter4>
<!-- Path -->
<AlertParameter5>$Data/Params/Param[13]$</AlertParameter5>
<!-- FW Link -->
<AlertParameter6>$Data/Params/Param[10]$</AlertParameter6>
<!-- Severity -->
<AlertParameter7>$Data/Params/Param[12]$</AlertParameter7>
<!-- Category -->
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[8]$</SuppressionValue>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>