Configuring Forefront Client Security Alerts

As the former Administrator for several other Enterprise-level AV products and now a consultant for a Microsoft Consulting company, I was very interested in the configurability of alerting within Forefront Client Security (FCS). Unfortunately, there wasn’t much specific information regarding configuring this aspect, and what did exist was spread out or hard to find. Now, if you’re an old MOM or OpsMgr guru, the process was probably self-evident or quickly grasped. But for the lonely AV Administrator, without interest in MOM, figuring out how to configure alerting was not an easy process, so I am sharing my revelations with you.

So you finally navigated the sometimes complicated install process for Forefront Client Security (FCS). You’ve deployed the console in one of the several supported configurations, probably a two-server configuration (Console with a separate WSUS). And you’ve deployed clients that are reporting to your Console server. Now you want to configure alerting to meet the needs of your organization.

The alerting process involves three components: configuring Notifications in MOM, configuring the client Alert Level, and then the most important part, tuning the MOM alert rules.

Configure MOM Notifications

One component of FCS alerting is configuring how, when, and with whom the MOM console communicates. There are several communication avenues, configurable users (Operators), and configurable groups.

Configure E-mail server

One of the more common and useful communication methods available is e-mail. In an FCS deployment, this requires the configuration of the e-mail server via the MOM Administrator Console. Open the Administrator Console and navigate to the Administrator > Global settings area. Open the Email Server setting and enter the appropriate settings for Server Name and Return Address (See Figure 1).

Figure 1 — Configure the Mail Server

Configure Operators (Contacts)

The next step in configuring alert notifications is to configure an Operator for each user (or mail-enabled group) that needs to receive notifications. These Operators will then be added to Notification Groups, and the Notification Groups assigned to Alert rules. Because Operators are essentially just e-mail addresses with communication settings attached, both individual users and mail-enabled groups can be made into Operators.

To add an Operator, open the MOM Administrator Console and navigate to the Management Packs > Notifications > Operators area. Right-click Operators and choose Create Operator. Then give the Operator a name, configure the e-mail properties (note the time and day restrictions, which suppress delivery outside the configured window), configure the Text Messaging properties, and configure the External Command properties (used for command-line and other third-party e-mail systems).

Figure 2 — New Operator Configuration

Configure Notification Groups

The next step in configuring alert notifications is to configure the various notification groups that you will use. A default group, "Client Security Notification Group", will already be configured and assigned to each rule in the FCS Management Pack, so anyone assigned to this group will get the default notifications.

If you have a group or individual that requires different levels or types of alerts, you will need to define additional groups. For instance, the Help Desk team will need to be alerted to unhandled viruses, but the server team likely doesn’t care about them. On the other hand, only the Server Team needs alerts about the Management server’s operations. Creating two groups allows you to model the notifications appropriately.

To create a Notification Group or add users to a Notification Group, open the MOM Administrator Console and navigate to the Management Packs > Notifications > Notification Groups area. To create a new group, right-click Notification Groups and choose Create Notification Group. Give the Group a name and add any Operators from those available.

Figure 3 — Create a Notification Group

Configure Client Alerting

The next component of alerting is setting which events the clients report to the Reporting server. This is accomplished through policy settings on the Reporting tab.

Alert Level

Inside each Policy there is a Reporting tab (see Figure 4) which contains a slider for Alert Level with settings 1-5. Level 1 contains the most severe events (fewer events) and Level 5 contains the more common and informational events (more events). This setting corresponds to the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AlertLevel. Out of the box, this is set to level 3, which includes a notification for the successful removal of a detected virus.

Figure 4 — FCS Policy – Reporting Tab

What is reported at each Alert Level

That of course begs the question: what events are included at each client Alert Level? I haven’t seen a good answer to that question out in the world, but I finally discovered the answer inside the MOM Administrator Console.

Within the Administrator Console there are Rule Groups that contain the configuration for what happens when an event occurs. It turns out that this is exactly what the levels in the client policies refer to: each rule carries the Alert Level at which it applies, as the lists below show.

Level 1 Alerts

None

Level 2 Alerts

Re-Infected Computer Parameters (Alert Level 2)

Very Infected Computer (Alert Level 2)

Malware on Network – Failed Response (Alert Level 2)

Re-Infected Computer (Alert Level 2)

Very Infected Computer Parameters (Alert Level 2)

Level 3 Alerts

Malware on Network – Successful Response (Alert Level 3)

Very Infected Computer Parameters (Alert Level 3)

Re-Infected Computer Parameters (Alert Level 3)

Very Infected Computer (Alert Level 3)

Scanning Failed (Alert Level 3)

Malware on Network – Failed Response (Alert Level 3)

Re-Infected Computer (Alert Level 3)

Computer Infected – Failed Response (Alert Level 3)

Level 4 Alerts

Scanning Failed (Alert Level 4)

Computer Infected – Successful Response (Alert Level 4)

Very Infected Computer Parameters (Alert Level 4)

Re-Infected Computer Parameters (Alert Level 4)

Malware on Network – Failed Response (Alert Level 4)

Very Infected Computer (Alert Level 4)

Definition Update Failed (Alert Level 4)

Re-Infected Computer (Alert Level 4)

Service Update Failed (Alert Level 4)

Malware on Network – Successful Response (Alert Level 4)

Computer Infected – Failed Response (Alert Level 4)

Level 5 Alerts

Malware on Network – Failed Response (Alert Level 5)

Very Infected Computer Parameters (Alert Level 5)

Scanning Failed (Alert Level 5)

Very Infected Computer (Alert Level 5)

Service Update Failed (Alert Level 5)

Re-Infected Computer Parameters (Alert Level 5)

Protection Turned Off (Alert Level 5)

Computer Infected – Failed Response (Alert Level 5)

Definition Update Failed (Alert Level 5)

Computer Infected – Successful Response (Alert Level 5)

Re-Infected Computer (Alert Level 5)

Malware on Network – Successful Response (Alert Level 5)
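Because the client Alert Level is just a policy registry value, it is worth checking that every client actually carries the level you expect; a host where the value is missing has not received the FCS policy, and a host with a different value will report a different set of events than your MOM rules assume. The following PowerShell is an added example, not code from the original post or from Microsoft. The registry path and the per-level rule names are taken from the post above; the function names, the expected-level parameter and the sample host names are this example's own constructions. Remote checks assume PowerShell remoting (WinRM) is enabled on the clients. Rule names use a plain hyphen where the post renders a dash.

```powershell
# Added example (not from the original post or from Microsoft): audit the FCS
# client Alert Level policy value on one or more hosts and list the MOM rule
# names the post associates with that level.

# Policy key from the post (HKEY_LOCAL_MACHINE path, PowerShell drive form).
$FcsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0'

# Rule names per client Alert Level, transcribed from the post's Rule Group
# listing. Level 1 has no alert rules. The table reports what the post lists
# for a level; it does not assume levels are cumulative.
$RulesByLevel = @{
    1 = @()
    2 = @('Re-Infected Computer Parameters', 'Very Infected Computer',
          'Malware on Network - Failed Response', 'Re-Infected Computer',
          'Very Infected Computer Parameters')
    3 = @('Malware on Network - Successful Response', 'Very Infected Computer Parameters',
          'Re-Infected Computer Parameters', 'Very Infected Computer', 'Scanning Failed',
          'Malware on Network - Failed Response', 'Re-Infected Computer',
          'Computer Infected - Failed Response')
    4 = @('Scanning Failed', 'Computer Infected - Successful Response',
          'Very Infected Computer Parameters', 'Re-Infected Computer Parameters',
          'Malware on Network - Failed Response', 'Very Infected Computer',
          'Definition Update Failed', 'Re-Infected Computer', 'Service Update Failed',
          'Malware on Network - Successful Response', 'Computer Infected - Failed Response')
    5 = @('Malware on Network - Failed Response', 'Very Infected Computer Parameters',
          'Scanning Failed', 'Very Infected Computer', 'Service Update Failed',
          'Re-Infected Computer Parameters', 'Protection Turned Off',
          'Computer Infected - Failed Response', 'Definition Update Failed',
          'Computer Infected - Successful Response', 'Re-Infected Computer',
          'Malware on Network - Successful Response')
}

function Get-FcsAlertLevel {
    # Reads the AlertLevel policy value on the local machine. Returns $null when
    # the key or value is absent, which on a managed client means the FCS
    # policy has not been applied yet.
    param([string]$Path = $FcsPolicyKey)
    $item = Get-ItemProperty -Path $Path -Name AlertLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AlertLevel
}

function Test-FcsAlertLevel {
    # Compares each host's AlertLevel with the level your policy should set
    # (the post notes the out-of-box value is 3) and reports Compliant, Drift,
    # OutOfRange, PolicyMissing or Unreachable per host, with the rule names
    # the post lists for the level found.
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [ValidateRange(1, 5)][int]$ExpectedLevel = 3
    )
    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) {
                $level = Get-FcsAlertLevel
            } else {
                $level = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                    param($p)
                    $i = Get-ItemProperty -Path $p -Name AlertLevel -ErrorAction SilentlyContinue
                    if ($null -eq $i) { $null } else { [int]$i.AlertLevel }
                } -ArgumentList $FcsPolicyKey
            }
        } catch {
            # Remoting failure or access denied: report it rather than skipping the host.
            [pscustomobject]@{ ComputerName = $c; AlertLevel = $null; Status = 'Unreachable'; Rules = @() }
            continue
        }
        $status = if ($null -eq $level) { 'PolicyMissing' }
                  elseif ($level -lt 1 -or $level -gt 5) { 'OutOfRange' }
                  elseif ($level -eq $ExpectedLevel) { 'Compliant' }
                  else { 'Drift' }
        $rules = if ($null -ne $level -and $RulesByLevel.ContainsKey($level)) { $RulesByLevel[$level] } else { @() }
        [pscustomobject]@{ ComputerName = $c; AlertLevel = $level; Status = $status; Rules = $rules }
    }
}

# Usage: the local host, then a constructed list of placeholder host names.
Test-FcsAlertLevel | Format-Table ComputerName, AlertLevel, Status
Test-FcsAlertLevel -ComputerName 'WKS-01', 'WKS-02' -ExpectedLevel 3 |
    Select-Object ComputerName, Status, @{ n = 'RuleCount'; e = { $_.Rules.Count } }
```

Run it from an account that can read the clients' policy hive; a PolicyMissing result on a client that should be managed is the first thing to investigate, since such a client is not reporting the events your notification rules depend on.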

Tuning MOM Notifications

So the final component of configuring alerting is tuning which events send a notification. Each individual rule has a response tab where multiple responses to an event can be configured, including notifications.

FCS Alert Rules

In addition to the Alert Level rules, FCS includes rules for Host events, Reporting events, and (Mgmt) Server events. Not all of these have a notification response, but several do. The rules are under the Rule Groups inside the MOM Administrator Console. To view them, open the Administrator Console and navigate to Management Packs > Rule Groups > Microsoft Forefront Client Security.

Figure 5 — FCS Management Pack Rules

Responses

Changing the events of a Client Alert level

FCS Management Pack Rules

And the final component of alerting is the Rule Groups inside the MOM Administrator Console. To view these, open the Administrator Console and navigate to Management Packs > Rule Groups > Microsoft Forefront Client Security. Each of the subfolders contains alerting rules with several options, but for the purpose of illustrating client alerting, we are going to focus on the Host Alerts and the Alert Level subfolders.
