Microsoft

System Center Configuration Manager Feedback

Improved alerting for SCEP

Configuration Manager allows the creation of subscriptions to alerts for the following Endpoint Protection events:

* Malware outbreak - the same malware detected on multiple computers
* Multiple malware detected on one computer
* Same malware repeatedly detected on one computer

The ability to subscribe to alerts for these events is useful, but this feature could be improved.

For example, I don't need to be alerted when malicious JavaScript on a website is repeatedly detected and blocked on a user's computer, but there is no way to filter notifications for a specific class of threats. On the other hand, I do want to be alerted when remediation of a single infection on a single machine fails, but this is not possible either.

Ryan Steele shared this idea

9 comments

  • Adrian commented

    See https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/11635377-scep-malware-alerts-customized for what I believe is a better definition of the flexibility and customizability for SCEP alert capabilities most of us are looking for. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there like Symantec and McAfee does. We should also be able to specify parties which should receive such alerts individually. This should be fast tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, severity of it, what was done, when it happened or frequency, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.

  • Anonymous commented

    One more sample: we get many PUA:Win32/MyWebSearch detections. These are successfully quarantined, so we take no further action...
    but these PUA:Win32/MyWebSearch detections are 95% of our virus mailbox, so others may go under. It's just desensitizing to look at that mailbox.

  • Ryan Steele commented

    Well, I feel a bit silly. I discovered recently that you can in fact specify a "Malware detection threshold" when you configure a "Malware detected" alert, so you will only get notified if remediation fails. It would still be nice to be able to customize which threat categories will trigger the alert, however.

  • Kristian Baggerød commented

    Are there any plans for more real-time reporting for malware outbreaks etc.?
    The email reporting from Config Mgr works great, but people who have been working with other AV products think SCEP is lacking real-time reporting.

  • Ryan Steele commented

    I just need to be able to configure alerts so an email is only sent when I need to take action. I got about five alerts yesterday because SCEP blocked a number of Axpergle variants (likely being served by an ad network) on multiple computers. I don't need to know about this.

    On the other hand, we had a case where some encryption malware was running on only one of our machines and was detected while it was partway through encrypting the files. It would have been nice to have been notified about that.

  • Joe Robinson commented

    My use case would be an alert that only triggered when SCEP tried to remove something and failed. We currently have alerts sent for every infection. I would like to be able to send infections that couldn't be dealt with to a specific team to investigate with a higher priority.

  • Shawn Fuller commented

    I would like to be able to customize the alert emails, for example by putting keywords in the title to allow routing by a ticketing system.

  • Erling B. Kjeldsen commented

    It would be great to get updated SCOM MPs for SCEP. I haven't seen any updates in the last couple of years. That way we could also integrate with SCSM from SCOM :-)
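The filtering the thread asks for (suppress successfully handled PUA and blocked web exploits, escalate failed remediations with a subject keyword a ticketing system can route on, and collapse the same threat seen on several computers into one outbreak alert) as an added example; this is not code from Configuration Manager or from any commenter. The event records and their field names (computer, threat, category, remediation) are constructed assumptions, not the Configuration Manager alert schema.

```python
"""Triage of Endpoint Protection detection events (added example).
Field names and sample records are constructed, not the real schema."""
from collections import defaultdict

# Constructed sample events: two quarantined PUAs, a blocked web exploit
# on three machines, and one failed remediation on a file server.
EVENTS = [
    {"computer": "PC-01", "threat": "PUA:Win32/MyWebSearch", "category": "PUA", "remediation": "quarantined"},
    {"computer": "PC-02", "threat": "PUA:Win32/MyWebSearch", "category": "PUA", "remediation": "quarantined"},
    {"computer": "PC-03", "threat": "Exploit:JS/Axpergle", "category": "Exploit", "remediation": "blocked"},
    {"computer": "PC-04", "threat": "Exploit:JS/Axpergle", "category": "Exploit", "remediation": "blocked"},
    {"computer": "PC-05", "threat": "Exploit:JS/Axpergle", "category": "Exploit", "remediation": "blocked"},
    {"computer": "FS-01", "threat": "Ransom:Win32/EXAMPLE", "category": "Ransomware", "remediation": "failed"},
]

NOISY_CATEGORIES = {"PUA", "Exploit"}        # handled automatically, no action needed
SUCCESSFUL = {"quarantined", "removed", "blocked"}
OUTBREAK_THRESHOLD = 3                       # distinct computers with the same threat


def triage(events, threshold=OUTBREAK_THRESHOLD):
    """Return (alerts, suppressed_count); each alert is (subject, computers)."""
    alerts, suppressed = [], 0
    hosts_by_threat = defaultdict(set)
    for e in events:
        hosts_by_threat[e["threat"]].add(e["computer"])
        if e["remediation"] not in SUCCESSFUL:
            # Remediation failed: a person must act, so tag the subject with a
            # keyword the ticketing system can match to route it to a team.
            alerts.append((f"[SCEP-ACTION-REQUIRED] {e['threat']} on {e['computer']}", [e["computer"]]))
        elif e["category"] in NOISY_CATEGORIES:
            suppressed += 1              # cleaned up by the agent; do not mail it
        else:
            alerts.append((f"[SCEP-INFO] {e['threat']} cleaned on {e['computer']}", [e["computer"]]))
    # Outbreak rule: one aggregated alert per threat seen on many machines,
    # even when each individual detection was suppressed above.
    for threat, hosts in hosts_by_threat.items():
        if len(hosts) >= threshold:
            alerts.append((f"[SCEP-OUTBREAK] {threat} on {len(hosts)} computers", sorted(hosts)))
    return alerts, suppressed


if __name__ == "__main__":
    for subject, hosts in triage(EVENTS)[0]:
        print(subject, hosts)
```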
