SCEP Antimalware detection history view does not show accurate remediation detail
The v_AM_NormalizedDetectionHistory view in the SCCM database does not accurately reflect the RemediationType for detected threats. It almost always shows NoAction, even though the threat was quarantined or removed.
We are using this view to report status to our SIEM system, and our security team would prefer that it actually show how the threat was remediated.
Confirmed bug on SCCM 1806 (latest hotfix) with Win10 1809 and latest SCEP engine.
Unhappy SamWise commented
This problem still exists in CM 1810, with all hotfixes.
Santosh Seth commented
We are using SCCM 1806 and have handful of SCEP clients. Select * from v_AM_NormalizedDetectionHistory returns 74 records of which Remediation type of 50 is Quarantined. I have checked the remaining no action and did not find anything sucpicious. Please suggest if this has been removed?
@Ben Ridley, we have a ticket with MS as well, and they say they can't find a reference to this bug. Do you have an Id of some kind that MS provided to track this bug ?
Bradley Fox commented
We are seeing the same issue, bump on fixing this as an alert is much less useful when I have to go to each machine to verify the malware was actually remediated.
Ben Ridley commented
Hi all, for anyone who is experiencing this issue, we raised a premier support ticket months ago. Eventually, the product development team confirmed the issue as a bug and have said it will be fixed in the next release.
I am currently dealing with the same issue.
We are experiencing this behavior as well. Exactly as stated, and the alerts show NoAction 95 percent of the time. We need more clear status on these. Defender is doing it's job, so we should see the remediation status reflect this.
I've also experienced this issue - And the alerts being sent out by Endpoint Protection almost always say "NoAction", when we check them closer they have been quarantined. Why is this?