Managing "Malware Outbreak" alerts

Applies To: Forefront Client Security

To protect your organization against the spread of a malware infection, Client Security monitors occurrences of the same malware on many computers. When it analyzes malware infection events, it looks for multiple infections in computers that are protected by policies in the same alert level or globally across all alert levels. Client Security also separately analyzes malware events arising from real-time protection and from scheduled scans.

When Client Security issues a "Malware Outbreak" alert, you should act quickly to prevent the spread of malware. Likely causes of malware outbreaks in your organization are the following:

  • An outbreak of new malware is occurring on the Internet.

  • A worm is spreading inside your organization.

Although it is recommended that you use the default parameters for triggering "Malware Outbreak" alerts, you can configure the settings. For more information, see Configuring "Malware Outbreak" alert parameters.

Resolving a "Malware Outbreak" alert

Client Security may have successfully responded to the malware on all clients, but it is recommended that you closely investigate each instance of the malware to ensure that the response was appropriate.

To resolve a "Malware Outbreak" alert

  1. Use the alert to research the software found and follow any removal instructions, as appropriate.

    • Use the link in the Properties tab to view the Malware Detail report and learn about the software found and the action taken.

    • Determine if there is an entry for the software in the Microsoft Malicious Software Encyclopedia.

  2. Decide whether the software detected is unwanted.

    If the software is acceptable, edit the policies and on the Overrides tab, set a default action that permits this software. For more information, see Overriding default responses to malware.

    If the software is unacceptable, take the following actions, as appropriate:

    • Ensure that Client Security client software and definitions are up to date on all clients. Use the Deployment Summary report to determine what versions of software and definitions are deployed. For more information, see Viewing and printing reports.

    • Perform a full scan of all managed computers. For more information, see Scanning managed computers now.

    • Use the information in the report and the Microsoft Malicious Software Encyclopedia to determine how to prevent the spread of the malware on your network. Depending on the type of malware, steps may include actions such as blocking traffic over specific ports or tightening security policies on your e-mail servers.

    • If the malware remains on your network, use what you learned in stepĀ 1 to determine how to proceed with removing the malware.

    • Confirm that the affected computers were not harmed. If a computer was harmed, repair it.