Documentation for Server & Application Monitor
Monitoring your applications and environment is a key capability of Hybrid Cloud Observability and is also available in a standalone module, Server & Application Monitor (SAM). Hybrid Cloud Observability and SAM are built on the self-hosted SolarWinds Platform.

Microsoft Forefront Endpoint Protection 2010 (Client)

Use this SAM application monitor template to monitor the status of Microsoft Forefront Endpoint Protection (FEP) 2010 client installed on a Windows machine by using PowerShell and Event monitors.

Prerequisites

WinRM must be installed and properly configured on the target server, and WMI access to the target server is required.

Credentials

Windows Administrator on the target server.

Component monitors

All event monitors should return values of zero. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, examine the Windows System log for details.

Antimalware Health and Firewall Status

This monitor returns the antimalware health and firewall status of the FEP client.

Returned values:

  • 0 – Service is disabled.
  • 1 – Service is enabled.
  • 255 – Script cannot check the service status from WMI.

This component returns the status of the following services:

  • Antivirus Enabled – This component returns the status of the Antivirus component.
  • Antispyware Enabled – This component returns the status of the Antispyware component.
  • Protection Enabled – This component returns the status of FEP protection technology.
  • Behavior Monitor Enabled – This component returns the status of the behavior monitor.
  • NIS Enabled – This component returns the status of the Network Inspection System (NIS).
  • Firewall Enabled – This component returns the status of the Windows Firewall.
  • Firewall Service Running – This component returns the status of the Windows Firewall service.

Antimalware Infection Status

This monitor returns the antimalware infection status of the FEP client.

Returned values:

  • 0 – Action not required.
  • 1 – Action required.
  • 255 – Script cannot check the action status from WMI.

This component returns the status of the following pending actions:

  • Pending Full Scan – This component returns whether there is a need for a full scan due to a threat action.
  • Pending Manual Steps – This component returns whether there is a need for manual steps due to a threat action.
  • Pending Offline Scan – This component returns whether there is a need for an offline scan.
  • Pending Reboot – This component returns whether there is a need for a reboot due to a threat action.

Days passed from last definition update

This component monitor returns the number of days that have passed since the last definition update of the antivirus and antispyware modules. In the message field, this component returns the date of the last installed update.
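The following script is an added example of how the WMI-backed statistics above (antimalware health, pending actions, and definition age) can be produced in the output format a SAM PowerShell monitor expects; it is not the template's own script. It assumes the FEP 2010 client exposes a ProtectionTechnologyStatus class in the root\Microsoft\ProtectionManagement namespace with the property names used in the mapping, and it does not cover the two Windows Firewall statistics.

```powershell
# Added example, not the SAM template's own script. Assumes the FEP 2010 client
# exposes ProtectionTechnologyStatus in root\Microsoft\ProtectionManagement with the
# property names used below (assumption: verify with Get-WmiObject -List on a client).
param([string]$ComputerName = 'localhost')
# SAM convention: "Statistic.<Name>: <value>" plus optional "Message.<Name>: <text>",
# and the script exits with code 0.
function Write-SamStat([string]$Name, $Value, [string]$Message) {
    "Statistic.${Name}: $Value"
    if ($Message) { "Message.${Name}: $Message" }
}
# Template convention: 0 = disabled / not required, 1 = enabled / required,
# 255 = the value could not be read from WMI.
function ConvertTo-StatusCode($Value) {
    if ($null -eq $Value) { return 255 }
    if ($Value) { 1 } else { 0 }
}
try {
    $fep = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\Microsoft\ProtectionManagement' `
        -Class 'ProtectionTechnologyStatus' -ErrorAction Stop
} catch {
    $fep = $null   # every WMI-backed statistic below degrades to 255
}

# WMI property -> SAM statistic name (health first, then pending actions)
$map = [ordered]@{
    AntivirusEnabled          = 'AntivirusEnabled'
    AntispywareEnabled        = 'AntispywareEnabled'
    RealTimeProtectionEnabled = 'ProtectionEnabled'
    BehaviorMonitorEnabled    = 'BehaviorMonitorEnabled'
    NISEnabled                = 'NISEnabled'
    FullScanRequired          = 'PendingFullScan'
    ManualStepsRequired       = 'PendingManualSteps'
    OfflineScanRequired       = 'PendingOfflineScan'
    RebootRequired            = 'PendingReboot'
}
foreach ($prop in $map.Keys) {
    # A missing property also yields $null and therefore 255, matching the template
    $raw = if ($fep) { $fep.$prop } else { $null }
    Write-SamStat $map[$prop] (ConvertTo-StatusCode $raw)
}

# Days since the last antivirus definition update; the date goes into the message
if ($fep -and $fep.AntivirusSignatureUpdateDateTime) {
    $updated = [Management.ManagementDateTimeConverter]::ToDateTime($fep.AntivirusSignatureUpdateDateTime)
    Write-SamStat 'DaysSinceDefinitionUpdate' ([math]::Floor(((Get-Date) - $updated).TotalDays)) "Last update: $updated"
} else {
    Write-SamStat 'DaysSinceDefinitionUpdate' 255 'Definition date not readable from WMI'
}
exit 0
```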

Microsoft Antimalware Service

This monitor returns the CPU and memory usage of the Microsoft Antimalware service. This service helps protect users from malware and other potentially unwanted software.

Event: Scan encountered error and stopped

This monitor returns the number of events when the Forefront Endpoint Protection client scan has encountered an error and stopped.

Event ID: 1005.

This error record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. Try to run the scan again. If it fails in the same way, look up the error code.

Event: Malware or other potentially unwanted software detected

This monitor returns the number of events when Forefront Endpoint Protection has detected malware or other potentially unwanted software.

Event ID: 1116.

No user action is required. Forefront Endpoint Protection can suspend and take routine action on this threat. To remove the virus manually, in the Forefront Endpoint Protection interface, click Clean Computer.

Events: Error when taking action on malware

This monitor returns the number of events when the Forefront Endpoint Protection client has encountered a non-critical or critical error when taking action on malware or other potentially unwanted software.

Event ID: 1118, 1119.

Perform a signature update and then verify that the quarantine succeeded and that the user has permission to access the necessary resources.

Events: Error during signature or engine updating

This monitor returns the number of events when the Forefront Endpoint Protection client has encountered an error trying to update signatures or the engine.

Event ID: 2001, 2003.

If you are having problems updating definitions, the following steps can help:

  • Ensure your configuration for definition updates is correct.
  • Check your WSUS configuration settings.
  • Try to update the definitions manually by downloading the full definitions files.

If you are having problems updating the engine, the following steps can help:

  • Restart the computer and try again.
  • Check the configuration of definition updates.
  • Manually download the latest definitions from the Microsoft Malware Protection Center.

Event: Error during signature reverting

This monitor returns the number of events when the Forefront Endpoint Protection client has encountered an error trying to load signatures and will attempt to revert to a known-good set of signatures.

Event ID: 2004.

This error can occur if the Forefront Endpoint Protection client has encountered an error while trying to load the definitions or if the file is corrupt. The Forefront Endpoint Protection client will attempt to revert to a known-good set of definitions. You should restart the computer and check the configuration of definition updates.

Event: Error using the Dynamic Signature Service

This monitor returns the number of events when the Forefront Endpoint Protection client has encountered an error trying to use the Dynamic Signature Service.

Event ID: 2012.

This error is likely caused by a network connectivity issue. Check your Internet connectivity settings.

Event: Real-Time Protection feature error

This monitor returns the number of events when the Endpoint Protection client Real-Time Protection feature has encountered an error and failed.

Event ID: 3002.

Try to restart the following two services: Antimalware engine and NIS engine.

Event: Client engine terminated due to error

This monitor returns the number of events when the Forefront Endpoint Protection client engine has been terminated due to an unexpected error.

Event ID: 5008.

Try to restart the following two services: Antimalware engine and NIS engine.
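The following script is an added example, not the template's own event monitors, of how the event counts above can be gathered with PowerShell for the event IDs this template documents. It assumes the FEP client writes these events to the Windows System log under the provider name 'Microsoft Antimalware', and it reports 255 rather than 0 when the query itself fails, so an unreachable host is not mistaken for a healthy one.

```powershell
# Added example, not the SAM template's own script. Assumes the FEP client logs to
# the System log under provider 'Microsoft Antimalware' (assumption: confirm the
# provider name in Event Viewer on a real client before deploying).
param([string]$ComputerName = 'localhost', [int]$Hours = 24)

# Event IDs from this template, grouped the way its event monitors group them.
$monitors = [ordered]@{
    ScanError               = @(1005)
    MalwareDetected         = @(1116)
    ActionOnMalwareError    = @(1118, 1119)
    UpdateError             = @(2001, 2003)
    SignatureRevertError    = @(2004)
    DynamicSignatureError   = @(2012)
    RealTimeProtectionError = @(3002)
    EngineTerminated        = @(5008)
}
$since = (Get-Date).AddHours(-$Hours)

foreach ($name in $monitors.Keys) {
    # Get-WinEvent treats an empty result as an error ("No events were found"), so
    # errors are captured and inspected instead of being allowed to stop the script.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft Antimalware'
        Id = $monitors[$name]; StartTime = $since
    } -ErrorAction SilentlyContinue -ErrorVariable err)
    if ($err -and $err[0].Exception.Message -notmatch 'No events were found') {
        # A query failure (host unreachable, access denied) must not read as "0 events"
        "Statistic.${name}: 255"
        "Message.${name}: $($err[0].Exception.Message)"
        continue
    }
    "Statistic.${name}: $($events.Count)"
    if ($events.Count -gt 0) {
        # Newest event first: surface its text so the alert carries the error code
        $text = ($events[0].Message -replace '\s+', ' ')
        "Message.${name}: $($events[0].TimeCreated) $text"
    } else {
        "Message.${name}: no events in the last $Hours hours"
    }
}
exit 0
```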