Malware Cleaned Alert Rule

Microsoft.SCEP.Linux.MalwareCleanedAlertRule (Rule)

An alert is generated when a System Center 2012 Endpoint Protection client reports that malware has been cleaned.

Knowledge Base article:

Summary

This rule tracks successful malware cleanup operations.

Configuration

It is recommended that you keep this rule enabled with its default configuration.

Causes

This rule generates an informational alert when the client reports that malware has been cleaned successfully.

Element properties:

Target:         Microsoft.SCEP.Linux.ProtectedServer
Category:       SecurityHealth
Enabled:        True
Alert Generate: True
Remotable:      True

Member Modules:

ID      Module Type         TypeId                                        RunAs
SCXLog  DataSource          Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS   Default
Mapper  ConditionDetection  System.Event.GenericDataMapper                Default
Alert   WriteAction         System.Health.GenerateAlert                   Default

Source Code:

<Rule ID="Microsoft.SCEP.Linux.MalwareCleanedAlertRule" Enabled="true" Target="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="SCXLog" TypeID="SCEPLinuxLibrary!Microsoft.SCEP.Linux.SCXLog.MalwareEvent.DS">
      <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>
      <LogFile>/var/log/scep/eventlog_scom.dat</LogFile>
      <RegExpFilter>^event=malware, .*status=clean.*$</RegExpFilter>
    </DataSource>
  </DataSources>
  <ConditionDetection ID="Mapper" TypeID="System!System.Event.GenericDataMapper">
    <EventOriginId>$MPElement$</EventOriginId>
    <PublisherId>$MPElement$</PublisherId>
    <PublisherName>System Center 2012 Endpoint Protection for Unix/Linux</PublisherName>
    <Channel>Application</Channel>
    <LoggingComputer>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</LoggingComputer>
    <EventNumber>4001</EventNumber>
    <EventCategory>0</EventCategory>
    <EventLevel>1</EventLevel>
    <UserName/>
    <Params/>
  </ConditionDetection>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>$Data/EventData/DataItem/Property[@Name='AlertPriority']$</Priority>
      <Severity>$Data/EventData/DataItem/Property[@Name='AlertSeverity']$</Severity>
      <AlertMessageId>$MPElement[Name="AlertMessageIDdbc3762134394677bf2d86b384524b21"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Target/Property[Type="SCEPLinuxLibrary!Microsoft.SCEP.Linux.ProtectedServer"]/ComputerId$</AlertParameter1>
        <AlertParameter2>$Data/EventData/DataItem/Property[@Name='DetectionTime']$</AlertParameter2>
        <AlertParameter3>$Data/EventData/DataItem/Property[@Name='MalwareName']$</AlertParameter3>
        <AlertParameter4>$Data/EventData/DataItem/Property[@Name='MalwareLocation']$</AlertParameter4>
        <AlertParameter5>$Data/EventData/DataItem/Property[@Name='MalwareSeverity']$</AlertParameter5>
        <AlertParameter6>$Data/EventData/DataItem/Property[@Name='MalwareCategory']$</AlertParameter6>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventData/DataItem/Property[@Name='MalwareName']$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
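Added example, not code from the management pack: it runs the rule's own RegExpFilter over constructed log lines and then collapses the matches by MalwareName the way the Suppression element above does. The key=value field layout of the sample lines is an assumption; the page shows only the "event=malware" and "status=clean" tokens that the filter depends on.

```python
import re

# The rule's filter, copied verbatim from the RegExpFilter element above.
RULE_FILTER = re.compile(r"^event=malware, .*status=clean.*$")

# Constructed sample content for /var/log/scep/eventlog_scom.dat. The real
# field layout is not shown on this page; only the two tokens the filter
# needs ("event=malware", "status=clean") are taken from it.
SAMPLE_LOG = """\
event=malware, time=2013-05-02T10:15:00Z, name=EICAR-Test-File, location=/tmp/eicar.com, severity=Severe, category=Virus, status=clean
event=malware, time=2013-05-02T10:16:00Z, name=EICAR-Test-File, location=/home/u/eicar.com, severity=Severe, category=Virus, status=clean
event=malware, time=2013-05-02T10:17:00Z, name=Trojan.Sample, location=/var/tmp/x, severity=Severe, category=Trojan, status=quarantined
event=scan, time=2013-05-02T10:18:00Z, status=clean
"""


def matching_events(log_text):
    """Return one key/value dict per line that passes the rule's RegExpFilter."""
    events = []
    for line in log_text.splitlines():
        if RULE_FILTER.match(line):
            events.append(dict(kv.strip().split("=", 1) for kv in line.split(",")))
    return events


def suppressed_alerts(events):
    """Mimic SCOM alert suppression keyed on MalwareName: the first match opens
    an alert, later matches with the same name only bump its repeat count."""
    alerts = {}
    for ev in events:
        key = ev["name"]
        if key not in alerts:
            alerts[key] = {
                "MalwareName": key,
                "DetectionTime": ev["time"],
                "MalwareLocation": ev["location"],
                "RepeatCount": 0,
            }
        else:
            alerts[key]["RepeatCount"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    for alert in suppressed_alerts(matching_events(SAMPLE_LOG)):
        print(alert)
```

Because MalwareName is the only suppression value, a second cleanup of the same malware at a different path raises no new alert; the second location is visible only through the repeat count on the open alert.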