More granular settings for Endpoint Protection alerts for malware detection and alerting.
Currently SCCM lets you enable/disable some settings, like the newer PUA feature. It does not allow alerts for malware and Endpoint Protection to be configured independently. Just because I want it detected may not mean I want it reported on. We like PUAs being detected, but we do not want to be alerted on PUA, because we get too many each week, most of which are valid installers we use. We do not want to exclude them, because a new version of the .exe may have something we are not aware of.

I would like to see alerts for malware granular enough that we can determine which classes of malware we get alerted on. Perhaps I want to be alerted to virus, worm, and Trojan, but not PUA (or PUP). Some classes I would want to control independently would be worm, virus, Trojan, adware, spyware, ransomware, rootkit, PUA (or PUP), and possibly keylogger. This list may not be all-inclusive of every type of malware, but it's a good start.

PUA is a low threat, so we would not want to be alerted. We may want to alert our network team to any worms, so they may want a separate alert for worm-specific infections. Ransomware may need to go to our security department. Each category may potentially have a different type of alert setup or may rank differently. We may have a daily alert sent out one way, and then a weekly alert sent out differently.
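As an added illustration (not part of the original post, and not a Configuration Manager or Microsoft feature), the PowerShell below shows the per-class routing the post asks for, built on top of detection data you already have. Configuration Manager's Endpoint Protection alerts are set per collection (the Alerts tab: "malware is detected", "same type of malware detected on a number of computers", and so on) and are not class-aware, so the routing has to happen after the fact. The script classifies each detection on the type prefix of the Microsoft threat name (the `Worm` in `Worm:Win32/Conficker.B`), sends each class to a hypothetical recipient and cadence, keeps PUA as "detected, console only", and fails closed by routing prefixes it does not recognise to a daily alert rather than silently dropping them. The team addresses, the class table, the `MonitoringTool` mapping and the detection property names (`ComputerName`, `ThreatName`, `InitialDetectionTime`) are assumptions; the sample detections are constructed.

```powershell
# Added example (not from the original post or from Microsoft): route Endpoint
# Protection / Defender detections to per-class alert streams so that PUA is
# detected and recorded but never paged, while worms and ransomware go straight
# to the right team. Addresses and the class table below are hypothetical.

# Microsoft names threats as <Type>:<Platform>/<Family>, e.g. 'Worm:Win32/Conficker.B'.
# The Type prefix is what we classify on. Unlisted prefixes become 'other'.
$classByPrefix = @{
    'PUA'              = 'pua'
    'Adware'           = 'adware'
    'Spyware'          = 'spyware'
    'Ransom'           = 'ransomware'
    'Rootkit'          = 'rootkit'
    'Worm'             = 'worm'
    'Virus'            = 'virus'
    'Trojan'           = 'trojan'
    'TrojanDownloader' = 'trojan'
    'TrojanDropper'    = 'trojan'
    'TrojanSpy'        = 'trojan'
    'Backdoor'         = 'trojan'
    'MonitoringTool'   = 'keylogger'   # assumption: treat monitoring tools as keylogger-class
}

# Hypothetical routing policy. A class with no entry is "console only": still
# detected and recorded, never turned into an alert. 'pua' is deliberately absent.
# 'other' is present on purpose: an unknown type fails closed into a daily alert.
$routes = @{
    'ransomware' = @{ To = 'security@example.org'; Cadence = 'immediate' }
    'rootkit'    = @{ To = 'security@example.org'; Cadence = 'immediate' }
    'worm'       = @{ To = 'network@example.org';  Cadence = 'immediate' }
    'keylogger'  = @{ To = 'security@example.org'; Cadence = 'daily' }
    'virus'      = @{ To = 'endpoint@example.org'; Cadence = 'daily' }
    'trojan'     = @{ To = 'endpoint@example.org'; Cadence = 'daily' }
    'spyware'    = @{ To = 'endpoint@example.org'; Cadence = 'daily' }
    'other'      = @{ To = 'endpoint@example.org'; Cadence = 'daily' }
    'adware'     = @{ To = 'endpoint@example.org'; Cadence = 'weekly' }
}

function Get-ThreatClass {
    param([Parameter(Mandatory)][string]$ThreatName)
    # 'PUA:Win32/AskToolbar' -> 'PUA' -> 'pua'; 'HackTool:Win32/Mimikatz' -> 'other'
    $prefix = ($ThreatName -split ':', 2)[0]
    if ($classByPrefix.ContainsKey($prefix)) { return $classByPrefix[$prefix] }
    return 'other'
}

function Split-DetectionsByRoute {
    # Returns a hashtable: 'ConsoleOnly' -> detections that are recorded but not
    # alerted on; '<cadence>|<recipient>' -> detections for that alert stream.
    param([Parameter(Mandatory)][object[]]$Detections)
    $buckets = @{ ConsoleOnly = [System.Collections.Generic.List[object]]::new() }
    foreach ($d in $Detections) {
        $class = Get-ThreatClass -ThreatName $d.ThreatName
        $item  = [pscustomobject]@{
            Class = $class; Computer = $d.ComputerName; Threat = $d.ThreatName; Seen = $d.InitialDetectionTime
        }
        if (-not $routes.ContainsKey($class)) { $buckets.ConsoleOnly.Add($item); continue }
        $key = '{0}|{1}' -f $routes[$class].Cadence, $routes[$class].To
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = [System.Collections.Generic.List[object]]::new()
        }
        $buckets[$key].Add($item)
    }
    return $buckets
}

# Constructed sample detections (not real data). On a real host build this list
# from Get-MpThreat / Get-MpThreatDetection or a Configuration Manager Endpoint
# Protection report export; the property names used here are assumptions.
$detections = @(
    [pscustomobject]@{ ComputerName = 'LAB-PC01'; ThreatName = 'PUA:Win32/AskToolbar';    InitialDetectionTime = [datetime]'2019-03-04T08:12:00' }
    [pscustomobject]@{ ComputerName = 'LAB-PC02'; ThreatName = 'PUA:Win32/AskToolbar';    InitialDetectionTime = [datetime]'2019-03-04T08:15:00' }
    [pscustomobject]@{ ComputerName = 'FS-01';    ThreatName = 'Worm:Win32/Conficker.B';  InitialDetectionTime = [datetime]'2019-03-04T09:01:00' }
    [pscustomobject]@{ ComputerName = 'HR-PC07';  ThreatName = 'Ransom:Win32/WannaCrypt'; InitialDetectionTime = [datetime]'2019-03-04T09:30:00' }
    [pscustomobject]@{ ComputerName = 'HR-PC09';  ThreatName = 'Trojan:Win32/Emotet!ml';  InitialDetectionTime = [datetime]'2019-03-04T10:02:00' }
    [pscustomobject]@{ ComputerName = 'LAB-PC03'; ThreatName = 'HackTool:Win32/Mimikatz'; InitialDetectionTime = [datetime]'2019-03-04T10:40:00' }
)

$buckets = Split-DetectionsByRoute -Detections $detections
foreach ($key in ($buckets.Keys | Sort-Object)) {
    if ($key -eq 'ConsoleOnly') {
        "== Detected, not alerted (console only) =="
    } else {
        $cadence, $to = $key -split '\|', 2
        "== $cadence alert -> $to =="
    }
    $buckets[$key] | Format-Table Class, Computer, Threat, Seen -AutoSize | Out-String
}
```

With the constructed input, the two AskToolbar hits land in the console-only bucket, Conficker goes immediately to the network team, WannaCrypt immediately to security, Emotet into the daily endpoint digest, and Mimikatz (an unmapped `HackTool` prefix) also into the daily digest rather than disappearing. Tune `$classByPrefix` and `$routes` to taste; the one thing not to do is make the unknown-prefix bucket silent, since a new type name is exactly the detection you least want to miss.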

2 comments
-
Julius commented
There are times these alerts cause problems and lead to engineer exhaustion and fatigue related to a million PUA detections. Usually all in one night, and about once a year it seems. Would be nice for Microsoft to do something about it finally.
-
Anonymous commented
I agree with this idea. I want to know in the console when things are detected, but my malware alert subscriptions are causing fatigue with all the PUA alerts I get from a few school districts we manage. We haven't yet removed admin rights from the users (working on it...) in those districts, so seeing AskToolbar is a problem for them, not me, and I don't want to be alerted to it.