The Event...
Recently a colleague asked me to build a monitor for a file server that was running Forefront Client Security. The idea is that the monitor can be used to generate an alert that is used to notify our security team for remediation. I don't routinely have viruses on any of the systems that I run so I didn't know whether Forefront Client Security would generate any events that we could use to generate the alert or feed the subscription. Naturally the first question that I have is "Where can I find a test file that Forefront will detect as a virus?". After a short Google search, I find a post that indicates that the
EICAR test file can be used.
<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="FCSAM" />
<EventID Qualifiers="0">3004</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-08-05T15:02:37.000000000Z" />
<EventRecordID>5565</EventRecordID>
<Channel>System</Channel>
<Computer>hostname.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>%%830</Data>
<Data>1.5.1981.0</Data>
<Data>{0241B15E-FF55-4937-A417-CC72198D3A9F}</Data>
<Data>10</Data>
<Data>%%843</Data>
<Data />
<Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
<Data>domain</Data>
<Data>username</Data>
<Data>SID</Data>
<Data>Virus:DOS/EICAR_Test_File</Data>
<Data>2147519003</Data>
<Data>5</Data>
<Data>42</Data>
<Data>http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003</Data>
<Data>file:C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LFQVJNIJ\eicar[1].com</Data>
<Data />
<Data />
<Data>4</Data>
<Data>%%814</Data>
<Data>0</Data>
<Data>%%823</Data>
<Data />
<Data />
<Data>Severe</Data>
<Data>Virus</Data>
<Data />
<Data />
</EventData>
</event>
Before I even have a chance to choose a file path for saving the file, ForeFront Client Security has already detected the file as a virus. Poking around in the event logs, these events are created in Windows Logs\System and are from the source FCSAM with ID 3004. Now that we have sufficiently covered the Forefront event that is logged, the big question is how to create the monitor and generate the alert.
The Monitor...
The background of the monitor is that Operations is not interested in remediation of the file server, so the alerts that are generated should not last very long in the "Active Alerts" view and should be sent directly to the security team for review and remediation.
Without actually writing a management pack in the Authoring console, this monitor can be created from the Authoring tab of the Operations console. Under Management Packs\Monitors we will use the "Create a Monitor" action item to create a new unit monitor in an appropriate management pack.
In the first part of the wizard, select Windows Events\Simple Event Detection\Timer Reset and select an appropriate management pack. Click Next.
Pick a valid name and description. I used the name "Forefront Client Security Realtime Monitoring Virus alert" and a description describing the monitor. For target, select "Windows Computer" (or another target as appropriate). The parent monitor is likely going to be Entity Health\Security. Click Next
Select the System Event log and click Next. Configure Event Id "3004" and Source "FCSAM". Click Next. Specify a short wait time, I used 10 seconds. Click Next.
Under the "Configure Health" step, configure the "Event Raised" condition to trigger a health state of "Warning" and the "Timer Event Raised" to trigger a health state of "Healthy." Then configure the monitor to generate an alert when it is in the "Warning" state. The monitor is now set up to alert if a virus is found.
The subscription...
The next step is to create a new subscription. This assumes that the appropriate channels and subscribers have been created. Under the Administration tab of the Operations Console, create a new Subscription by either right clicking any node of the navigation tree and selecting "New subscription..." or clicking the Subscriptions node and "New..." in the actions pane.
Select an appropriate name and description for the subscription. Under the "Criteria" step, select "created by specific rules or monitors (e.g., sources)" and search for and select the monitor that we created in the previous section. Select the appropriate subscribers, channels, and configure the appropriate information and create the subscription.
Alternative Method Not Using SCOM...
If you don't want to use SCOM and want to use the native event log functionality in Windows to generate the email. This can be done by right clicking the event in the "System" log in the event viewer and selecting "Attach a Task To this Event..." **Note that this event needs to appear at least once in the event log, so you will need to manually generate it with the EICAR test file referenced above.
Note that
this procedure will need to be followed to include the event text in the email. Note that the wevutil script will likely follow
del %temp%\query.txt
wevtutil qe System "/q:*[System [(EventID=3004)]]" /f:text /rd:true /c:1 > %temp%\query.txt
and the %temp%\query.txt file will still be included as the attachment to the email.