Troubleshooting OMS Security Real Time Protection Status – Part 1


In some circumstances IT administrators may face issues when monitoring real time protection status using the OMS Security and Audit dashboard. In this troubleshooting scenario, a Windows Server 2012 computer with Microsoft System Center Endpoint Protection (SCEP) installed and Real Time Protection enabled is reported in the OMS console as not having real time protection enabled. Although the steps that follow use a Windows Server 2012 computer as the example, this issue may also occur on Windows Server 2008 or Windows 7 SP1.

Cause

Microsoft System Center Endpoint Protection is detected, but ProtectionStatusRank is reported as 270 - No Real Time Protection, as shown below:

[Screenshot: OMS Security and Audit dashboard showing ProtectionStatusRank 270 - No Real Time Protection for the SCEP computer]

Troubleshooting steps

  • Verify that all SCEP monitors are enabled, see example below:

[Screenshot: SCEP monitor status on the affected computer]

  • Notice that "Behavior Monitor" is disabled; this is the reason for the 270 status.

Solution

Enable all Monitors via SCEP management console as shown below:

[Screenshot: SCEP management console with all monitors enabled]
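An added example (not part of the original post) that checks the same monitors from PowerShell instead of the SCEP console, so the 270 condition can be spotted before the next OMS collection. It assumes the SCEP provider module at its default install path, uses the property names from the Get-MProtComputerStatus output quoted in the comments, and assumes Set-MProtPreference takes a -DisableBehaviorMonitoring parameter mirroring Set-MpPreference.

```powershell
param([switch]$Remediate)

# Added example, not from the original post. Path is the default SCEP install location (assumed).
$mpProvider = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
if (-not (Test-Path $mpProvider)) { throw "SCEP provider module not found: $mpProvider" }
Import-Module $mpProvider -ErrorAction Stop

# Monitors that together make up "real time protection" from the dashboard's point of view.
# Names are the properties of Get-MProtComputerStatus; any one of them being False is
# enough for the OMS collector to report ProtectionStatusRank 270 (the post's case is
# BehaviorMonitorEnabled = False).
$monitors = @(
    'RealTimeProtectionEnabled',
    'OnAccessProtectionEnabled',
    'BehaviorMonitorEnabled',
    'IoavProtectionEnabled',
    'NISEnabled',
    'AntivirusEnabled',
    'AntispywareEnabled'
)

function Get-DisabledScepMonitor {
    # Returns the names of monitors that are currently switched off.
    $status = Get-MProtComputerStatus
    foreach ($name in $monitors) {
        if (-not $status.$name) { $name }
    }
}

$disabled = @(Get-DisabledScepMonitor)
if ($disabled.Count -eq 0) {
    Write-Output 'All SCEP monitors are enabled; no ProtectionStatusRank 270 expected from this host.'
} else {
    Write-Warning ('Disabled monitors: {0}. OMS will report ProtectionStatusRank 270 (No Real Time Protection).' -f ($disabled -join ', '))
}

# Optional remediation for the exact case in this post: Behavior Monitor switched off.
# The parameter name is an assumption based on Set-MpPreference in the Defender module.
if ($Remediate -and ($disabled -contains 'BehaviorMonitorEnabled')) {
    Set-MProtPreference -DisableBehaviorMonitoring $false
    Write-Output 'Behavior Monitor re-enabled; verify on the next OMS collection.'
}
```

Running this from a scheduled task shortly before the collection time makes it easier to catch a monitor that is only briefly disabled, as one of the comments below describes.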

Authors

Mark Waitser, Senior Software Engineer (OMS Security Team)

Yuri Diogenes

 

If you use Facebook, you may want to join the Microsoft OMS Facebook site. If you want to learn more about Windows PowerShell, visit the Hey, Scripting Guy Blog.

If you would like to get a free Microsoft Operations Management Suite (#MSOMS) subscription so that you can test it out, you can do so from here. You can also get a free subscription for Microsoft Azure as well by selecting this link.

Comments (7)

  1. Des says:

    I am seeing this issue with Azure VMs that have the Anti-Malware extension enabled but you cannot make any changes to the SCEP settings so will this issue be fixed by the Azure Team?

    1. James says:

      @Yuri
      I think Des means this issue of "Real Time Protection enabled is reported in OMS Console as the real time protection was not enabled" is also affecting those of us using the Azure Anti Malware extension in Azure VMs. However, as the Anti Malware extension has its GUI disabled by the extension plugin, there is no way to change its settings to enable all monitors. I have this issue in my environment as well. I can't see anything in that article link that explains how to pass these monitor settings to the anti malware config during provisioning?

      1. @James
        You can enable the UI by using the procedure described in the article below:
        https://blogs.msdn.microsoft.com/azuresecurity/2016/03/09/enabling-microsoft-antimalware-user-interface-post-deployment/

        After enabling the UI, you can enable the controls.

  2. Two things: first, I like this article, but would like to see what module you are using as it doesn't show up in the image. Second, the posted solution doesn't work in Azure, and the suggestions in the comments section are silly. Why, if realtime is enabled when I deploy the extension, am I getting this error message? Additionally, the server I got the error on had been running for weeks without error and now it's throwing this error.

    And my stated resolution is to push a special xml to allow me to open the GUI on the machine in Azure? That's silly, why can't I push something in PowerShell to fix this, to my knowledge if I enable Realtime, I would think all monitors would then be ticked, I assume that is what is happening on the other machines in this subscription that are not throwing this error and have the same extension pushed in the same method.

  3. Hello Yuri,
    Thank you for the article, in Azure we are having the same issue. The following is the MProtComputerStatus:

    AMEngineVersion : 1.1.13407.0
    AMProductVersion : 4.10.209.0
    AMServiceEnabled : True
    AMServiceVersion : 4.10.209.0
    AntispywareEnabled : True
    AntispywareSignatureAge : 0
    AntispywareSignatureLastUpdated : 1/14/2017 1:46:39 AM
    AntispywareSignatureVersion : 1.235.383.0
    AntivirusEnabled : True
    AntivirusSignatureAge : 0
    AntivirusSignatureLastUpdated : 1/14/2017 1:46:39 AM
    AntivirusSignatureVersion : 1.235.383.0
    BehaviorMonitorEnabled : True
    ComputerID : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    ComputerState : 0
    FullScanAge : 4294967295
    FullScanEndTime :
    FullScanStartTime :
    IoavProtectionEnabled : True
    LastFullScanSource : 0
    LastQuickScanSource : 0
    NISEnabled : True
    NISEngineVersion : 2.1.12706.0
    NISSignatureAge : 0
    NISSignatureLastUpdated : 1/14/2017 12:25:12 AM
    NISSignatureVersion : 116.72.0.0
    OnAccessProtectionEnabled : True
    QuickScanAge : 4294967295
    QuickScanEndTime :
    QuickScanStartTime :
    RealTimeProtectionEnabled : True
    RealTimeScanDirection : 0
    PSComputerName :

    However, around 12:01 real time protection is temporarily disabled:

    AntiMalware Collection Script scan : DeviceName:XXXXXXXXXX, Tool:System Center Endpoint Protection, Signature:0.0.0.0, ScanDate:01/14/2017 00:00:57, DateCollected:01/14/2017 00:00:57, ProtectionStatusRank:270, ProtectionStatus:No real time protection, ProtectionStatusDetails:Antispyware; Antivirus;, ThreatStatusRank:150, ThreatStatus:No threats detected, ThreatStatusDetails:, Threat:, DetectionId:XXXXXXXXXXXXXXXXX

    However, on the next check-in when the health script runs, the protection is enabled. At first I thought there was another process that is temporarily disabling it, however I could not locate one. Can you provide any suggestion as to what Windows process could cause real time protection to be disabled temporarily?

    Thanks for your help.
    -Chris
