Additional Actions Pending

Microsoft.FEP.ProtectedServer.PendingAdditionalActions.Monitor (UnitMonitor)

This monitor tracks whether additional actions must be performed after malware has been blocked and removed from a computer.

Knowledge Base article:

Summary

Some types of malware may require additional actions to confirm their complete removal from the computer.

Configuration

It is advised to keep this alert turned on with the default configuration.

Resolutions

Follow the alert description. You may be required to launch a full scan, run an offline scan tool, perform manual steps, or restart the computer. You can restart a computer by using a recovery task in Health Explorer.

Element properties:

Target: Microsoft.FEP.ProtectedServer
Parent Monitor: Microsoft.FEP.ProtectedServer.FEP.Aggregate.Monitor
Category: SecurityHealth
Enabled: True
Alert Generate: True
Alert Severity: MatchMonitorHealth
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.FEP.SecurityRootCause.MalwareActivity.PendingAdditionalActionsMonitorType
Remotable: True
Accessibility: Public
Alert Message:
Malware Cleaned: Additional Action Required
The Forefront Endpoint Protection client successfully blocked malware on this computer. The computer is protected, but additional action is required to completely remove the malware.

Additional Actions: {6}

Malware Details:
Threat Name: {0}
Detection Time (GMT): {1}
Malware Severity: {2}
Category: {3}
More Information: {4}
Path: {5}
Run As: Default

Source Code:

<UnitMonitor ID="Microsoft.FEP.ProtectedServer.PendingAdditionalActions.Monitor" Accessibility="Public" Enabled="true" Target="FEPLibrary!Microsoft.FEP.ProtectedServer" ParentMonitorID="Microsoft.FEP.ProtectedServer.FEP.Aggregate.Monitor" Remotable="true" Priority="Normal" TypeID="FEPLibrary!Microsoft.FEP.SecurityRootCause.MalwareActivity.PendingAdditionalActionsMonitorType" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <AlertSettings AlertMessage="Microsoft.FEP.ProtectedServer.PendingAdditionalActions.Monitor.Alert">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/Property[@Name='PendingActionThreatName']$</AlertParameter1>
      <AlertParameter2>$Data/Context/Property[@Name='PendingActionDetectionTime']$</AlertParameter2>
      <AlertParameter3>$Data/Context/Property[@Name='PendingActionSeverity']$</AlertParameter3>
      <AlertParameter4>$Data/Context/Property[@Name='PendingActionCategory']$</AlertParameter4>
      <AlertParameter5>$Data/Context/Property[@Name='PendingActionFWLink']$</AlertParameter5>
      <AlertParameter6>$Data/Context/Property[@Name='PendingActionPath']$</AlertParameter6>
      <AlertParameter7>$Data/Context/Property[@Name='PendingActionAdditionalActions']$</AlertParameter7>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="NoPendingActions" MonitorTypeStateID="NoPendingActions" HealthState="Success"/>
    <OperationalState ID="PendingActions" MonitorTypeStateID="PendingActions" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <TimeoutSeconds>600</TimeoutSeconds>
  </Configuration>
</UnitMonitor>
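The alert message above is a template: SCOM fills each {n} placeholder from AlertParameter(n+1), so {0} is the threat name and {6} is the pending additional actions. The following Python is an added illustration, not code from the management pack or this page: it parses the UnitMonitor definition, builds the placeholder-to-property mapping, checks that every placeholder in the message has a source property, reads the operational state to health state mapping, and renders the alert from a constructed event context (the sample property values are made up for the demonstration).

```python
import re
import xml.etree.ElementTree as ET

# UnitMonitor definition copied from the page above.
MONITOR_XML = """<UnitMonitor ID="Microsoft.FEP.ProtectedServer.PendingAdditionalActions.Monitor" Accessibility="Public" Enabled="true" Target="FEPLibrary!Microsoft.FEP.ProtectedServer" ParentMonitorID="Microsoft.FEP.ProtectedServer.FEP.Aggregate.Monitor" Remotable="true" Priority="Normal" TypeID="FEPLibrary!Microsoft.FEP.SecurityRootCause.MalwareActivity.PendingAdditionalActionsMonitorType" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <AlertSettings AlertMessage="Microsoft.FEP.ProtectedServer.PendingAdditionalActions.Monitor.Alert">
    <AlertOnState>Warning</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>MatchMonitorHealth</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Data/Context/Property[@Name='PendingActionThreatName']$</AlertParameter1>
      <AlertParameter2>$Data/Context/Property[@Name='PendingActionDetectionTime']$</AlertParameter2>
      <AlertParameter3>$Data/Context/Property[@Name='PendingActionSeverity']$</AlertParameter3>
      <AlertParameter4>$Data/Context/Property[@Name='PendingActionCategory']$</AlertParameter4>
      <AlertParameter5>$Data/Context/Property[@Name='PendingActionFWLink']$</AlertParameter5>
      <AlertParameter6>$Data/Context/Property[@Name='PendingActionPath']$</AlertParameter6>
      <AlertParameter7>$Data/Context/Property[@Name='PendingActionAdditionalActions']$</AlertParameter7>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState ID="NoPendingActions" MonitorTypeStateID="NoPendingActions" HealthState="Success"/>
    <OperationalState ID="PendingActions" MonitorTypeStateID="PendingActions" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <TimeoutSeconds>600</TimeoutSeconds>
  </Configuration>
</UnitMonitor>"""

# Alert message template from the page; {n} is filled from AlertParameter(n+1).
ALERT_TEMPLATE = """Malware Cleaned: Additional Action Required
The Forefront Endpoint Protection client successfully blocked malware on this computer. The computer is protected, but additional action is required to completely remove the malware.

Additional Actions: {6}

Malware Details:
Threat Name: {0}
Detection Time (GMT): {1}
Malware Severity: {2}
Category: {3}
More Information: {4}
Path: {5}"""

# Matches the $Data/Context/Property[@Name='...']$ expression and captures the property name.
PARAM_RE = re.compile(r"^\$Data/Context/Property\[@Name='([^']+)'\]\$$")


def parameter_map(monitor_xml):
    """Return {placeholder index n: context property name} from AlertParameter(n+1)."""
    root = ET.fromstring(monitor_xml)
    mapping = {}
    for param in root.find("AlertSettings/AlertParameters"):
        index = int(param.tag[len("AlertParameter"):]) - 1
        match = PARAM_RE.match(param.text.strip())
        if match is None:
            raise ValueError("unexpected parameter expression: %r" % param.text)
        mapping[index] = match.group(1)
    return mapping


def unmapped_placeholders(template, mapping):
    """Return placeholder indices the template uses that no AlertParameter supplies."""
    used = {int(n) for n in re.findall(r"\{(\d+)\}", template)}
    return used - set(mapping)


def state_health(monitor_xml):
    """Return {OperationalState ID: HealthState}, e.g. PendingActions -> Warning."""
    root = ET.fromstring(monitor_xml)
    return {s.get("ID"): s.get("HealthState") for s in root.iter("OperationalState")}


def render_alert(template, mapping, context):
    """Substitute the context property values into the alert message template."""
    values = [context.get(mapping[i], "") for i in sorted(mapping)]
    return template.format(*values)


# Constructed sample event context; the values are illustrative, not from a real detection.
SAMPLE_CONTEXT = {
    "PendingActionThreatName": "Sample.Threat.Constructed",
    "PendingActionDetectionTime": "2011-01-01 12:00:00",
    "PendingActionSeverity": "Severe",
    "PendingActionCategory": "Trojan",
    "PendingActionFWLink": "https://example.invalid/threat-info",
    "PendingActionPath": r"file:C:\Temp\sample.exe",
    "PendingActionAdditionalActions": "Full scan required; restart required",
}

if __name__ == "__main__":
    mapping = parameter_map(MONITOR_XML)
    assert not unmapped_placeholders(ALERT_TEMPLATE, mapping), "template uses an unsupplied placeholder"
    print(state_health(MONITOR_XML))
    print(render_alert(ALERT_TEMPLATE, mapping, SAMPLE_CONTEXT))
```

The placeholder check is the part worth keeping when you customize an alert message in an override or a derived management pack: a {n} with no matching AlertParameter renders as an empty or literal value, and the operator loses the very detail (the pending action or the file path) the alert exists to convey.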