Currently SCCM lets you enable/disable some settings like the newer feature of PUA. It does not allow for alerts of malware and Endpoint Protection to be configured independently. Just because I want it detected, may not mean I wanted it reported on. We like PUA's being detected, but we do not want to be alerted on PUA, because we get too many each week, most of which are valid installers we use. We do not want to exclude them, because a new version of the .exe may have something we are not aware of. I would like to see alerts for malware granular enough that we can determine which classes of malware we get alerted on. Perhaps I want to be alerted to virus, worm, Trojan, but not PUA (or PUP). Some classes I would want to perhaps control independently would be worm, virus, Trojan, adware, spyware, ransomware, Rootkit, PUA (or PUP), and possibly keylogger. This list may not be all inclusive of every type of malware but its a good start. PUA is a low threat so we would not want to be alerted. We may want to alert out network team to any worms, so they may want a separate alert for worm specific infections. Ransomware may need to go to our security department. Each category may potentially have a different type of alert setup or may rank differently. We may have a daily alert sent out one way, and then a weekly alert sent out differently.

Hi all,

I found two strange things in the 'Antimalware overall status and history' SCEP report.

The first (Overall Endpoint Protection status and history part):
(q1_a.png, q1_b.png, q1_c.png included)
The problem is that when the daily data goes to the historical table the ‘inactive’ and the ‘not installed’ counters will be the same. For instance, if I have 50 inactive clients they will be represented as with 50 ‘not installed’ too. Or customer was nerves about this statistic, because no machine can go into the production network without SCEP, but they see lots of ‘not installed’ in the report. This bug was in the first SCCM 2012 R2 build to, and the current branch is affected as well. If you see the screenshots you will found out that in the q1_a the client count is more than 300 but in reality the customer has 300 clients only, and the ‘inactive’ and the ‘not installed’ rectangles are always same, you can follow this in the q1_c.png easier.

The second (Definition status on computers part):
(q2.png included)
The other oddity is with the signature updates. There was an issue with the new firewall of our customer and the SCCM server could not connect to MS Update sites to download the new SCEP updates. The clients should go to the red zone (‘From 3 through 7 days’ state) but most of them stayed on the Current status…
I made some drillings into the report and the SQL tables (yes, not supported…) and find out what the problem can be.
I made the SQL query below, and exported the Current state to an excel sheet, then the two dataview were vlookuped.
SELECT VRS.Name0
,VRS.Active0
,VCC.ClientActiveStatus
,AVS.LastMessageTime
,AVS.LastMessageSerialNumber
,AVS.Enabled
,AVS.Version
,AVS.ProductStatus
,AVS.AntivirusSignatureUpdateDateTime
,AVS.AntispywareSignatureUpdateDateTime
,AVS.AntivirusSignatureAge
,AVS.AntispywareSignatureAge
,datediff(day,AVS.AntivirusSignatureUpdateDateTime,GETDATE()) 'Days after last contact'
,AVS.AntivirusSignatureVersion
,AVS.AntispywareSignatureVersion
FROM EP_AntimalwareHealthStatus AHS
inner join V_R_system VRS on AHS.MachineID=VRS.ResourceID
inner join v_CH_ClientSummary VCC on VRS.ResourceID=VCC.ResourceID
order by VCC.ClientActiveStatus,VRS.Name0

The problem is that the computer said the update age not the SCCM counted from the last reported(!) update time and the current date. Because it doesn’t do it, I found a machine which has a broken SCCM agent who could stay the machine account in active state but the SCEP part could not report anything.
So according to the client the 1.229.385.0 signature was up to date, but the 1.245.140.0 was the last.
The other less bad scenario that some clients report they are on Current and they sent it with the last status updates 2 days ago.
Summarizing if the client could be on active state the report will show what the client says but I think the SCCM server should count the reported update intervals from the real current date and the last update date because the clients are always lying … :o)

Best regards, M

Currently, the Update button in SCEP does not perform any function when you want to use the SUP as a definition source. Per: https://support.microsoft.com/en-us/kb/2831244 - When you click Update in the SCEP UI, the client looks for a FallbackOrder registry key in HKLM\Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates. The client will check each update source in the FallbackOrder registry key in the order that they are listed until it locates a source that has available definitions. If it goes through all sources without detecting available definitions, it returns an error and the update attempt is unsuccessful. Configuration Manager is never listed in the FallbackOrder registry key, as the SCEP client does not recognize a Configuration Manger Software Update Point agent (and associated infrastructure) as a valid definition source and cannot pull definitions from Configuration Manager.

The SCEP Client needs to be updated to recognize the SUP as a valid definition source - rather than having to open the ConfigMgr Control Panel window, and running a "Software Deployment and Evaluation" cycle. Running the SDEC is a labor intensive operation for the WUAHandler and Software Updates agent on the client, requires a full sync of the WSUS info, which puts additional load on the WSUS server.

We have encountered quite a few false positives since converting to Endpoint via SCCM. So far the biggest problem has been submitting a false positive report to MS (one that will actually get listened to at least). We should have the ability from within the console to submit a file or report detailing a false positive and receive data on whether or not that file is rated as a threat with current virus definitions. If the Endpoint team is going to speak proudly of its low false positive rate, they should make it much easier for an Enterprise client to notify them of a new occurrence.

Configuration Manager allows the creation of subscriptions to alerts for the following Endpoint Protection events:

* Malware outbreak - the same malware detected on multiple computers
* Multiple malware detected on one computer
* Same malware repeatedly detected on one computer

The ability to subscribe to alerts for these events is useful, but this feature could be improved.

For example, I don't need to be alerted when malicious JavaScript on a website is repeatedly detected and blocked on a user's computer, but there is no way to filter notifications for a specific class of threats. On the other hand, I do want to be alerted when remediation of a single infection on a single machine fails, but this is not possible either.