SCEP Antimalware detection history view does not show accurate remediation detail
The v_AM_NormalizedDetectionHistory view in the SCCM database does not accurately reflect the RemediationType for detected threats. It almost always shows NoAction, even though the threat was quarantined or removed.
We are using this view to report status to our SIEM system, and our security team would prefer that it actually show how the threat was remediated.
Bradley Fox commented
We are seeing the same issue. Bump on fixing this, as an alert is much less useful when I have to go to each machine to verify the malware was actually remediated.
Ben Ridley commented
Hi all, for anyone who is experiencing this issue, we raised a premier support ticket months ago. Eventually, the product development team confirmed the issue as a bug and have said it will be fixed in the next release.
I am currently dealing with the same issue.
We are experiencing this behavior as well. Exactly as stated, and the alerts show NoAction 95 percent of the time. We need more clear status on these. Defender is doing its job, so we should see the remediation status reflect this.
I've also experienced this issue, and the alerts being sent out by Endpoint Protection almost always say "NoAction"; when we check them closer, they have been quarantined. Why is this?