Improved alerting for SCEP
Configuration Manager allows the creation of subscriptions to alerts for the following Endpoint Protection events:
- Malware outbreak - the same malware detected on multiple computers
- Multiple malware detected on one computer
- Same malware repeatedly detected on one computer
The ability to subscribe to alerts for these events is useful, but this feature could be improved.
Can you give more examples? Definitely want to innovate in these areas.
Something we would like improved here is the ability to set up a subscription for the Antimalware Overall Status and History report for the last 7 days. At present, customers have to go in and edit the report, as per:
By default, if you set up a subscription, it will have a static start date.
See https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/11635377-scep-malware-alerts-customized for what I believe is a better definition of the flexibility and customizability for SCEP alert capabilities most of us are looking for. We can customize many notifications in SCOM to include or remove content gathered by the agent on a specific incident. Being able to create custom or refine existing alert rules would put SCEP on par with every other major AV suite out there, like Symantec and McAfee do. We should also be able to specify the parties which should receive such alerts individually. This should be fast-tracked to the next release if not a feature patch. This is a major pivot point for governmental orgs that need to know what is happening, the severity of it, what was done, when it happened or its frequency, or other data that our cyber security teams deem necessary to evaluate the threat. The current alerting is insufficient to make an informed determination.
One more sample... we got many PUA:Win32/MyWebSearch -> these succeeded and were quarantined, so we take no further action...
But these PUA:Win32/MyWebSearch are 95% of our virus mailbox, so others may go unnoticed. It's just desensitizing to look at that mailbox.
Ryan Steele commented
Well, I feel a bit silly. I discovered recently that you can in fact specify a "Malware detection threshold" when you configure a "Malware detected" alert, so you will only get notified if remediation fails. It would still be nice to be able to customize which threat categories will trigger the alert, however.
Charles Herrington commented
Something I have run across a couple times now is definitions getting out of date. An alert when clients are at risk would be great.
Kristian Baggerød commented
Are there any plans for a more realtime reporting for malware outbreaks etc?
The email reporting from config mgr works great, but people who have been working with other AV products think SCEP is lacking real-time reporting.
Ryan Steele commented
I just need to be able to configure alerts so an email is only sent when I need to take action. I got about five alerts yesterday because SCEP blocked a number of Axpergle variants (likely being served by an ad network) on multiple computers. I don't need to know about this.
On the other hand, we had a case where some encryption malware was running on only one of our machines and was detected while it was partway through encrypting the files. It would have been nice to have been notified about that.
Joe Robinson commented
My use case would be an alert that only triggered when SCEP tried to remove something and failed. We currently have alerts sent for every infection. I would like to be able to send infections that couldn't be dealt with to a specific team to investigate with a higher priority.
Shawn Fuller commented
I would like to be able to customize the alert emails. Being able to put keywords in the title would allow routing by a ticketing system.
Erling B. Kjeldsen commented
It would be great to get updated SCOM MPs for SCEP - haven't seen any updates in the last couple of years. That way we could also integrate with SCSM from SCOM :-)