
Thursday, July 21, 2011

(I) Microsoft Forefront Event Log ID's

If you are a Microsoft Forefront user and want to know about some undocumented Event Log items, here you go...

You can set up email alerts and get flooded with unactionable information, or tweak the settings to reduce the noise, which you should do by the way.

But what about those of us who use a SIEM or logging solution? You can find some event IDs in TechNet, but here are the ones you really need, events you should take action on...

3007 - Forefront Endpoint Protection Alert: Malware Outbreak
3009 - Forefront Endpoint Protection Alert: Repeated Malware Detection
3010 - Forefront Endpoint Protection Alert: Multiple Malware Detection

Ignore Event ID '3006 - Malware Detected'; it is just noise and not actionable, since the AV client already acted on it. The three above are what's actionable.

Look for these events from the source Fepsrv, or use Wevtutil.exe to query your server's event logs for them, as in this query for 3009 and 3010:

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[(EventID=3009 or EventID=3010)]]" /r:system_name /f:text

Or look for events in the last 24 hours (timediff compares in milliseconds):

Wevtutil qe "Forefront Endpoint Protection" /q:"*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" /r:system_name /f:text

43200000 - 12 hours
86400000 - 24 hours
129600000 - 36 hours
172800000 - 48 hours
604800000 - 7 days
2592000000 - 30 days

You can also redirect the output to a file by appending ">file_name_AV.log" to the command.
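If you feed that output into a logging pipeline rather than reading it by hand, the next step is to turn the raw events into a per-host list of what needs a ticket. The script below is an added example, not part of the original post: it parses the XML form of wevtutil's output (the /f:xml format, one Event element per line with no enclosing root), keeps only the three actionable IDs inside a time window expressed in the same milliseconds the timediff query uses, drops the noisy 3006 events, and counts hits per computer. The sample events, host names and reference time are constructed for the example.

```python
"""Summarize actionable Forefront Endpoint Protection events from wevtutil XML output."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Event IDs the post treats as actionable; 3006 is deliberately left out as noise.
ACTIONABLE = {
    3007: "Malware Outbreak",
    3009: "Repeated Malware Detection",
    3010: "Multiple Malware Detection",
}

# Constructed sample shaped like `wevtutil qe "Forefront Endpoint Protection" /f:xml`
# output: one <Event> element per line, no enclosing root element.
SAMPLE_XML = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Fepsrv'/><EventID>3006</EventID><TimeCreated SystemTime='2011-07-21T08:00:00.000000000Z'/><Computer>ws01.example.local</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Fepsrv'/><EventID>3009</EventID><TimeCreated SystemTime='2011-07-21T09:15:00.000000000Z'/><Computer>ws01.example.local</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Fepsrv'/><EventID>3010</EventID><TimeCreated SystemTime='2011-07-21T09:30:00.000000000Z'/><Computer>ws02.example.local</Computer></System></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Fepsrv'/><EventID>3009</EventID><TimeCreated SystemTime='2011-07-19T09:30:00.000000000Z'/><Computer>ws03.example.local</Computer></System></Event>
"""
# Constructed reference time standing in for "now" when the report is run.
REFERENCE_NOW = datetime(2011, 7, 21, 12, 0, tzinfo=timezone.utc)

def parse_events(xml_text):
    """Yield (event_id, computer, timestamp) for every event in wevtutil XML output."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")  # give the stream a root
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        eid = int(sysnode.find("e:EventID", NS).text)
        computer = sysnode.find("e:Computer", NS).text
        stamp = sysnode.find("e:TimeCreated", NS).get("SystemTime")
        # Trim the 9-digit fraction to 6 digits and spell out UTC so fromisoformat accepts it.
        stamp = re.sub(r"\.(\d{6})\d*", r".\1", stamp).replace("Z", "+00:00")
        yield eid, computer, datetime.fromisoformat(stamp)

def triage(xml_text, now, window_ms=86400000):
    """Return {computer: {event_name: count}} for actionable events inside the window."""
    cutoff = now - timedelta(milliseconds=window_ms)
    summary = defaultdict(lambda: defaultdict(int))
    for eid, computer, when in parse_events(xml_text):
        if eid in ACTIONABLE and when >= cutoff:
            summary[computer][ACTIONABLE[eid]] += 1
    return {host: dict(counts) for host, counts in summary.items()}

if __name__ == "__main__":
    for host, counts in triage(SAMPLE_XML, REFERENCE_NOW).items():
        print(host, counts)  # every host listed here needs a ticket and follow-up
```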

If you see them, take action. These are bad offenders: systems getting repeated malware of the same kind, or receiving multiple malware at once. Either way, these systems need some attention. Are the users Administrators? Then I recommend a re-image; if not, then maybe a deep scan. Create a process flow that your admins can follow when alerts occur, and consider having the Forefront alerts send an email to your Help Desk solution to automatically open tickets for these items. Ignore the 'a user has Malware' alerts and set 'Malware Detection Alerts' to 'Medium' to reduce some of the noise.

Logs have good data you can act upon if you look. Find what you want and parse it out so that what you see is actionable... not hard if you do a little prep.

#InfoSec #ForeFront #eventlogs #Wevtutil