Configuring "Very Infected Computer" alert parameters

Applies To: Forefront Client Security

The single parameter you can configure for detecting a very infected computer is how many occurrences of malware trigger an alert. The default is five infections by the same malware within a single day. It is recommended that you use the default parameter value; however, you can change the value to reflect your security standards. For example, a bank might want to lower the value, while an Internet cafe might want to raise the value.

Using the MOM Administrator console, you can configure the parameter.

To change the "Very Infected Computer" alert threshold

  1. On the collection server, open the MOM Administrator console, expand the Microsoft Operations Manager tree, click Management Packs, click Rule Groups, click Microsoft Forefront Client Security, click Host Alerts, click Alert Level X, and then click Event Rules.

  2. Double-click Very Infected computer Parameters - Alert Level X.

  3. Click the Responses tab, and then under Response, double-click the entry.

  4. Under Script parameters, double-click Event Count Threshold.

  5. In the Value box, type the number of infection occurrences that should trigger a "Very Infected Computer" alert (if the infections occur within a single day).

  6. Click OK three times, and then right-click the Management Packs node and select Commit Configuration Change. MOM implements the changes you made.