Microsoft

System Center Configuration Manager Feedback

Suggestion box powered by UserVoice


Add "source IP" field in SCEP alert to indicate malware infection source for worms

I suggest adding a "source IP" field to indicate where worm-like malware comes from, especially for the WannaCrypt ransomware.

We know that WannaCrypt exploits a vulnerability in SMBv1 to spread as a worm, so in such scenarios, if the detection alert could include an attribute indicating which source computer exploited the vulnerability and dropped the malware payload, that would be a great help to customers locating the source computer. This applies to other worms as well.

Expected detection from 3rd party AM product
======
=== Event Details ===
Event ID: 147613895128
Start Time: 21 Sep 2017 10:25:47 CST
End Time: 21 Sep 2017 10:25:47 CST
Manager Receipt Time: 21 Sep 2017 10:26:38 CST
Generator Name: Virus - Virus Propagation Host
Priority: 8
Correlated Event Count: 1
 
Attacker Host Name: CNXXXXXXXX
Attacker Address: 10.140.159.173
Attacker User Name: cnXXXXXX
Target Host Name: ACXXXXXXX
Target Address: 10.143.17.210
Target User Name: appXXXXX
 
File Name: G:\public\anna liu\UltraEdit\KeyGen.exe
 
Name: Unwanted program, clean error, deleted

7 votes
Frank shared this idea

    0 comments
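To show what a responder can do once an alert carries the attacker address that the suggestion asks for, here is an added example (not part of the original post or of Configuration Manager). It parses the "Field: value" event layout shown above, groups events by "Attacker Address", and separates out events that lack that field and therefore cannot be attributed to a source host. The events, host names, addresses and file path in the block are constructed sample data, not values from the post.

```python
"""Correlate worm-propagation alerts by source host.

Added example, not from the original UserVoice post. The event layout
mirrors the "=== Event Details ===" block quoted in the post; every
value below is constructed sample data.
"""
from collections import defaultdict
import re

# Constructed sample events. Addresses are private-range placeholders
# and the file path is a placeholder, not a real indicator.
SAMPLE_EVENTS = """\
=== Event Details ===
Event ID: 1001
Start Time: 21 Sep 2017 10:25:47 CST
Generator Name: Virus - Virus Propagation Host
Attacker Host Name: HOST-A
Attacker Address: 10.140.159.173
Target Host Name: HOST-B
Target Address: 10.143.17.210
File Name: C:\\temp\\payload.exe
Name: Worm, deleted

=== Event Details ===
Event ID: 1002
Generator Name: Virus - Virus Propagation Host
Attacker Host Name: HOST-A
Attacker Address: 10.140.159.173
Target Host Name: HOST-C
Target Address: 10.143.17.211
File Name: C:\\temp\\payload.exe
Name: Worm, deleted

=== Event Details ===
Event ID: 1003
Generator Name: Virus - Virus Propagation Host
Attacker Host Name: HOST-D
Attacker Address: 10.143.17.250
Target Host Name: HOST-E
Target Address: 10.143.17.212
File Name: C:\\temp\\payload.exe
Name: Worm, deleted

=== Event Details ===
Event ID: 1004
Target Host Name: HOST-F
Target Address: 10.143.17.213
File Name: C:\\temp\\payload.exe
Name: Worm, deleted
"""

# Key is letters/spaces up to the first colon, so values such as
# "21 Sep 2017 10:25:47 CST" or "C:\temp\..." keep their own colons.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Split the text into events and return a list of field dicts."""
    events = []
    for chunk in text.split("=== Event Details ==="):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events


def propagation_sources(events):
    """Map each attacker address to the set of target addresses it hit.

    Events without an 'Attacker Address' field (the gap the post asks
    to be closed) are returned separately: without that field the
    alert cannot be tied to a source host.
    """
    by_source = defaultdict(set)
    unattributed = []
    for ev in events:
        src = ev.get("Attacker Address")
        dst = ev.get("Target Address")
        if src and dst:
            by_source[src].add(dst)
        else:
            unattributed.append(ev.get("Event ID", "?"))
    return dict(by_source), unattributed


def rank_sources(by_source):
    """Return (attacker_address, target_count) pairs, most active first."""
    return sorted(((s, len(t)) for s, t in by_source.items()),
                  key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    srcs, missing = propagation_sources(evs)
    for src, n in rank_sources(srcs):
        print(f"{src} -> {n} target(s): {sorted(srcs[src])}")
    print("events with no source address (cannot be attributed):", missing)
```

The ranking puts the host with the most distinct targets first, which is the one to isolate and image first; the unattributed list is exactly what a detection alert without a source field leaves a responder with.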
