To view FPE incidents by using the Forefront Protection 2010 for Exchange Server Administrator Console, click Monitoring, and under Server Security Views, click Incidents. In the Server Security Views - Incidents pane, by default, the following information is reported for each incident. You can also customize the information that appears on the Server Security Views - Incidents pane; for more information, see Customizing the Incidents view.

Information Description

Detection Time

Date and time that the infected or filtered message was detected.

State

Action taken on the message.

Incident Category

Type of incident detected, for example Virus. A value of 7 - Incident means a miscellaneous incident, such as a timeout or an exceedingly nested file.

Incident Name

Name of the malware, name of the filter list that was matched, or name of other incident reported (for details, see Incidents reported).

Subject

Subject line of the infected or filtered message.

Folder

Name of the folder where the file was found.

Note:
To ensure that you are viewing the most current data, under the Actions section, you can click Refresh.

Viewing incident details

You can view additional details about each incident by accessing the Incident Details pane, where you can view detection details, message details, and engine details.

Note:
You can only view information in the Incident Details pane for one incident at a time. If you select multiple incidents, no details are displayed.

About detection details

When you select an incident and then click the Incident Details tab, the following detection information is reported about the incident.

Information Description

ID

Unique ID assigned to the incident, for example {700D944A-6D75-410D-A7CD-70E563134E4F}.

Detection Time

Date and time that the incident was detected.

State

Action taken on the message.

Incident Category

Type of incident detected, for example Virus. A value of 7 - Incident means a miscellaneous incident, such as a timeout or an exceedingly nested file.

Incident Name

Name of the malware, name of the filter list that was matched, or name of other incident reported (for details, see Incidents reported).

File

Name of the file that contained malware or matched a filter.

Folder

Name of the folder where the file was found.

Scan Job Name

Type of scan job (transport, realtime, scheduled, or on-demand) that detected the incident.

About message details

When you select an incident and then click the Message Details tab, the following information about the infected e-mail message is reported.

Information Description

Sent Time

Date and time that the infected or filtered message was sent.

Subject

Subject line of the infected or filtered message.

Sender Name

Name of the person who sent the infected or filtered message.

Sender Address

E-mail address of the person who sent the infected or filtered message.

Sender IP

IP address of the computer from which the infected or filtered message was sent.

Sender Host

Host name of the computer from which the infected or filtered message was sent.

Sender Location

Denotes whether the sender is internal or external to your organization. Realtime, scheduled, and on-demand scans only.

Direction

Direction the message was heading when caught by the transport scanner. Messages that are being relayed by the Edge Transport or Hub Transport server are reported as "inbound and outbound" to distinguish them from standard "inbound" and "outbound" messages.

Recipient Names

Names of the people to whom the infected or filtered message was sent.

Recipient Addresses

E-mail addresses of the people to whom the infected or filtered message was sent.

Cc Names

Names of the Cc recipients to whom the infected or filtered message was sent.

Cc Addresses

E-mail addresses of the Cc recipients to whom the infected or filtered message was sent.

Bcc Names

Names of the Bcc recipients to whom the infected or filtered message was sent.

Bcc Addresses

E-mail addresses of the Bcc recipients to whom the infected or filtered message was sent.

Message ID

Unique ID assigned to each message by Exchange.

About engine details

When you select an incident and then click the Engine Details tab, you see the following engine information for each engine that detected the incident.

Note:
This information applies only to malware detections, not filter matches.

Information Description

Engine name

Name of the engine that scanned the message.

Detection type

Type of incident detected, as reported by the engine.

Detection name

Name of the malware, as reported by the engine.

Engine version

The version of the engine.

Definition version

The version of the malware definition files currently in use by the engine. (This data is not available with every engine.)

Was cleaned

Denotes whether the message was cleaned, as reported by the engine.

Customizing the Incidents view

You can customize the FPE incidents view by performing the following tasks on the Server Security Views - Incidents pane:

  • Choosing which columns appear.

  • Specifying filter criteria in order to only display certain incident items.

  • Sorting incidents by clicking any of the columns (for example, Incident Category). This causes the incidents to be sorted by the values in that column.

These actions have no effect on the database itself, just on which records are displayed.

To customize which columns appear for incidents
  1. On the Server Security Views - Incidents pane, in the Actions section, click Choose Columns.

  2. In the Choose Columns dialog box, select which columns you want to appear on the Server Security Views - Incidents pane, and then click Apply and Close.

To filter the incidents view
  1. On the Server Security Views - Incidents pane, select the field on which you want to filter by using the Filter By option. Each choice in Filter By corresponds to one of the fields in the Server Security Views - Incidents pane.

  2. Specify your filter criteria as follows:

    If you selected a date and time field, for example Detection Time, enter the starting date and time in the Start date and Start time fields, and the ending date and time in the End date and End time fields.

    If you selected a field for which you can type a string value, for example Incident Name, Subject, or Folder, enter a string in the Filter Value field.

    Note:
    You can use prefix matches in order to broaden your filter search. For example, type th in order to include all values that begin with the letters "th".

    If you selected a field that has a fixed value, for example State or Incident Category, select a value from the Filter Value drop-down list. For example, if you select State, you can select Purged.

  3. To run the filter, click the search icon (represented by a magnifying glass).

    You can click the red X icon to cancel the filter and return to your original view.

Related Topics