
© 2010 Microsoft Corporation. All rights reserved.

Welcome
This Excel workbook demonstrates how to consume FEP data from the Operations Manager data warehouse with an external tool.
The workbook is provided "as-is" with no warranty or support, and confers no rights.

Before you use this workbook, you must import the FEP Reporting Management Pack into your Operations Manager RMS. This managemen
on the Microsoft web site. Note that this requires that Reporting is enabled (with all prerequisites) for Operations Manager.
Management Pack: http://pinpoint.microsoft.com/en-US/systemcenter/managementpackcatalog
Operations Manager Reporting: http://technet.microsoft.com/en-us/library/bb432143.aspx, http://technet.microsoft.com/en-us/library/dd788945

These instructions describe how to use the sample PivotTables and PivotCharts in this spreadsheet, with your Forefront Endpoint Protection d

Configuring Connections
1. In the Ribbon, select the "Data" tab.
2. In the Data ribbon, select "Refresh All".
3. Wait about 15 seconds. You will get an error message that a connection could not be opened to the database. Click OK.

4. You'll be presented with a SQL Server Login dialog box. Type the correct name of the SQL Server where your Operations Manager Data W
5. Repeat steps 3 and 4 two more times as the other connections in the spreadsheet are refreshed.
6. There will be a slight delay, and then the PivotTables and PivotCharts will refresh with your data.

If you did not encounter any errors in the steps above, then save this workbook. The new connection properties will be saved and you will not
"Refresh" button in the data ribbon whenever you want to retrieve updated information from the database.

If you encountered a problem, then close this workbook without saving, and start again.

Depending on how your SQL Server is configured, you might have to change other properties like authentication settings. Your SQL databas
information you need to connect.
3. Change the data source for the provided samples:
Select a PivotTable in one of the worksheets in this workbook.
Navigate to the "Data" ribbon.
Click the "Properties" option provided in the "Data" ribbon to open the "External Data Properties" page.
Click the "Connection properties" icon to open the connection properties pane.
Go to the "Definition" tab and browse for the connection file, selecting the one you've just created.
Click the "Refresh All" command provided in the "Data" menu bar.
If you prefer to generate your own custom reports using the FEP views in the Operations Manager Data Warehouse, the schema for each of the views is included below.

vwFEPHealthAndDeploymentStatus

Field Name | SQL Datatype | Contents | Description
RowId | uniqueidentifier | GUID in string form | Key into Event.vEvent table in the Operations Manager Data Warehouse
Host | nvarchar(255) | String (FQDN) | FQDN of computer
TimeStamp | datetime | DateTime | Date/time value representing time that the record was written to the data warehouse
DeploymentState | nvarchar(max) | String (enumeration) | Enumerated value describing deployment status. Valid values are: Unknown, Never installed, Removed, Installation cancelled by user, Reboot required
ProtectionStatus | nvarchar(max) | String (enumeration) | Enumerated value describing state of AM protection. Valid values are: Unknown, On, Off
LastQuickScanAge | int | Integer | Elapsed time in days since the last quick scan was performed on the computer. 0 if no data is available.
LastFullScanAge | int | Integer | Elapsed time in days since the last full scan was performed on the computer. 0 if no data is available.
RTPStatus | nvarchar(max) | String (enumeration) | Enumerated value describing state of real-time protection. Valid values are: Unknown, On, Off
FirewallStatus | nvarchar(max) | String (enumeration) | Enumerated value describing state of Windows Firewall. Valid values are: Unknown, Uninstalled, On, Off
NISStatus | nvarchar(max) | String (enumeration) | Enumerated value describing state of Network Inspection System. Valid values are: Unknown, Not Supported, On, Off
AVSignaturesAge | int | Integer | Number of days since last AV signature update.
ASSignaturesAge | int | Integer | Number of days since last AS signature update.
AVSignaturesLastUpdateTime | datetime | DateTime | Timestamp when antivirus signatures were last updated.
ASSignaturesLastUpdateTime | datetime | DateTime | Timestamp when antispyware signatures were last updated.
EngineVersion | nvarchar(max) | String (version number) | Version of AM engine
FEPClientVersion | nvarchar(max) | String (version number) | Version of FEP client
AVSignaturesVersion | nvarchar(max) | String (version number) | Version of active antivirus signatures.
ASSignaturesVersion | nvarchar(max) | String (version number) | Version of active antispyware signatures.
NISSignaturesVersion | nvarchar(max) | String (version number) | Version of active Network Inspection System signatures.
ActiveFEPPolicy | nvarchar(max) | String | Policy name of FEP XML policy which is applied to the machine. Note that this does not contain information about group policies that are applied to the machine. Group policy settings override FEP policy settings when there is a conflict.
FEPPolicyAppliedTime | datetime | DateTime | Timestamp of last application of FEP XML policy to the machine.

vwFEPSecurityIncidents

Field Name | SQL Datatype | Contents | Description
Type | nvarchar(max) | String constant "SecurityIncident" | Type of incident
RowID | uniqueidentifier | GUID in string form | Key into Event.vEvent table in the Operations Manager Data Warehouse
Name | nvarchar(max) | String constant "MalwareInfection" | Descriptive information about incident.
Description | nvarchar(max) | String constant "NotImplemented" | Not Used
TimeStamp | datetime | DateTime | Date/time of security incident
SchemaVersion | nvarchar(max) | String constant "1.0" | Database schema version
Severity | nvarchar(max) | String (enumeration) | Enumerated value describing severity of incident. Valid values are: Unknown, Low, Moderate, High, Severe
ObserverHost | nvarchar(max) | String (FQDN) | Name of computer where incident occurred.
ObserverUser | nvarchar(max) | String (domain\user) | Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user.
ObserverProductName | nvarchar(max) | String constant "ForefrontEndpointProtection" | Product name of protection product that detected the incident.
ObserverProductVersion | nvarchar(max) | String (version number) | Product version of protection product that detected the incident.
ObserverProtectionType | nvarchar(max) | String constant "AM" | Type of protection technology that detected the incident.
ObserverProtectionVersion | nvarchar(max) | String (version number) | Protection engine version information.
ObserverProtectionSignatureVersion | nvarchar(max) | String (version number) | Protection definitions version information.
ObserverDetection | nvarchar(max) | String (enumeration) | Enumerated value describing method of detection. Valid values are: Unknown, User Initiated Scan, System Initiated Scan, Real-Time Protection, IE Downloads and Outlook Express Attachments
ObserverDetectionTime | datetime | DateTime | Local time of detection on machine where incident occurred.
ActorHost | nvarchar(max) | String constant NULL | Not Used
ActorUser | nvarchar(max) | String constant NULL | Not Used
ActorProcess | nvarchar(max) | String constant NULL | Not Used
ActorResource | nvarchar(max) | String constant NULL | Not Used
ActionType | nvarchar(max) | String constant "MalwareInfection" | Type of security incident.
TargetHost | nvarchar(max) | String (FQDN) | Name of computer where incident occurred.
TargetUser | nvarchar(max) | String (domain\user) | Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user.
TargetProcess | nvarchar(max) | String (image path name) | Name of process which was attempting to access infected file.
TargetResource | nvarchar(max) | String (fully pathed file name) | Name of infected file.
ClassificationType | nvarchar(max) | String (name of the malware) | Threat name of detected malware. Not implemented in RC release.
ClassificationCategory | nvarchar(max) | String (enumeration) | Valid values are: Dialer, MonitoringSoftware, BrowserModifier, Cookie, BrowserPlugin, AolExploit, Nuker, SecurityDisabler, JokeProgram, HostileActivexControl, SoftwareBundler, StealthNotifier, SettingsModifier, Toolbar, RemoteControlSoftware, TrojanFtp, PotentialUnwantedSoftware, IcqExploit, TrojanTelnet, Exploit, FileSharingProgram, MalwareCreationTool, RemoteControlSoftware, Tool, TrojanDenialOfService, TrojanDropper, TrojanMassmailer, TrojanMonitoringSoftware, TrojanProxyServer, Virus, Known, Unknown, Spp, Behavior, Vulnerability, Policy
ClassificationID | nvarchar(max) | String (integer) | Threat ID of detected malware. This can be used to look up the malware on the Microsoft Malware Protection Center malware encyclopedia at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Browse.aspx
ClassificationSeverity | nvarchar(max) | String (enumeration) | Enumerated value describing severity of detected threat. Valid values are: Unknown, Low, Moderate, High, Severe
RemediationType | nvarchar(max) | String (enumeration) | Enumerated value describing type of remediation that was performed.
RemediationResult | nvarchar(max) | String (enumeration) | Enumerated string containing a Boolean value describing whether the remediation action was successful. Valid values are: True, False
RemediationErrorCode | nvarchar(max) | String (hexadecimal DWORD error code) | Error encountered during remediation.
RemediationPendingAction | nvarchar(max) | String (enumeration) | Enumerated value describing action remaining to complete remediation
IsActiveMalware | nvarchar(max) | String (enumeration) | Enumerated string containing a Boolean value describing whether malware is active on the system. Valid values are: True, False
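The two T-SQL queries below are an added example, not part of the workbook or of the FEP management pack, of reading the same two views directly instead of through the PivotTables. They assume the views are reachable in the current database (the Operations Manager data warehouse) with SELECT permission, that the enumerated and Boolean columns carry exactly the string values listed above, and the 7-day and 30-day thresholds are arbitrary choices.

```sql
-- Added example (not from the workbook). Assumes the two FEP views are in the
-- current database (the Operations Manager data warehouse) and that the
-- connection has SELECT permission on them. Thresholds are arbitrary.

-- 1. Protection gaps: take the newest health record per computer (the view
--    keeps one row per record written), then flag hosts whose last record
--    shows protection off, stale signatures, or no full scan on record.
WITH LatestStatus AS (
    SELECT Host, TimeStamp, DeploymentState, ProtectionStatus, RTPStatus,
           FirewallStatus, NISStatus, AVSignaturesAge, ASSignaturesAge,
           LastFullScanAge, FEPClientVersion, ActiveFEPPolicy,
           ROW_NUMBER() OVER (PARTITION BY Host ORDER BY TimeStamp DESC) AS rn
    FROM vwFEPHealthAndDeploymentStatus
)
SELECT Host, TimeStamp, DeploymentState, ProtectionStatus, RTPStatus,
       FirewallStatus, AVSignaturesAge, LastFullScanAge, FEPClientVersion,
       ActiveFEPPolicy
FROM LatestStatus
WHERE rn = 1
  AND (ProtectionStatus <> 'On'        -- AM protection Off or Unknown
       OR RTPStatus <> 'On'            -- real-time protection Off or Unknown
       OR FirewallStatus = 'Off'
       OR AVSignaturesAge > 7          -- int columns: days since last update
       OR ASSignaturesAge > 7
       OR LastFullScanAge > 30
       OR LastFullScanAge = 0)         -- 0 means no scan data at all
ORDER BY AVSignaturesAge DESC, Host;

-- 2. Incidents still needing attention. RemediationResult and IsActiveMalware
--    are stored as the strings 'True'/'False', and RemediationErrorCode as a
--    hexadecimal string, so compare them as text, not as bit or int.
SELECT TimeStamp, TargetHost, TargetUser, TargetProcess, TargetResource,
       ClassificationType, ClassificationCategory, ClassificationSeverity,
       ObserverDetection, RemediationType, RemediationResult,
       RemediationErrorCode, RemediationPendingAction, IsActiveMalware
FROM vwFEPSecurityIncidents
WHERE Type = 'SecurityIncident'
  AND (IsActiveMalware = 'True'
       OR RemediationResult = 'False'
       OR RemediationErrorCode <> '0x00000000')
ORDER BY CASE ClassificationSeverity
             WHEN 'Severe' THEN 0 WHEN 'High' THEN 1
             WHEN 'Moderate' THEN 2 WHEN 'Low' THEN 3 ELSE 4 END,
         TimeStamp DESC;
```

Rows with a NULL status column fall out of query 1 because `<> 'On'` is not true for NULL; add an `OR ProtectionStatus IS NULL` test if such rows appear in your warehouse.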
Forefront Endpoint Protection 2010
Agent State Reporting

[PivotChart: Count of Deployment State per day, 5-Oct to 19-Oct, y-axis 0 to 30; series (Column Labels): Installed, Restart Required, Uninstalled]

Count of Deployment State (Column Labels = Deployment State)

Row Labels | Installed | Restart Required | Uninstalled | Grand Total
5-Oct | 1 | 1 | 1 | 3
6-Oct | 1 | | 1 | 2
7-Oct | 1 | | 1 | 2
8-Oct | 1 | | 1 | 2
9-Oct | 1 | | 1 | 2
10-Oct | 1 | | 1 | 2
11-Oct | 1 | | 1 | 2
12-Oct | 1 | | 2 | 3
13-Oct | 1 | | 1 | 2
14-Oct | 3 | | | 3
15-Oct | 3 | | | 3
16-Oct | 3 | | | 3
17-Oct | 3 | | | 3
18-Oct | 3 | | | 3
19-Oct | 3 | | | 3
Grand Total | 27 | 1 | 10 | 38
Forefront Endpoint Protection 2010
Real-Time Protection History

[PivotChart: Count of RTP Status per day, 5-Oct to 19-Oct, y-axis 0 to 2.5; series (Column Labels): On, Unknown, Off]

Count of RTP Status (Column Labels = RTP Status)

Row Labels On Unknown Off Grand Total
5-Oct 1 2 3
6-Oct 1 1 2
7-Oct 1 1 2
8-Oct 1 1 2
9-Oct 1 1 2
10-Oct 1 1 2
11-Oct 1 1 2
12-Oct 1 2 3
13-Oct 1 1 2
14-Oct 2 1 3
15-Oct 2 1 3
16-Oct 2 1 3
17-Oct 2 1 3
18-Oct 2 1 3
19-Oct 2 1 3
Forefront Endpoint Protection 2010
Real-Time Protection Status

[PivotChart: RTP Status for 5-Oct; series: On, Unknown, Off, Grand Total]

Count of RTP Status (Column Labels = day)

Row Labels 5-Oct 6-Oct 7-Oct 8-Oct 9-Oct 10-Oct 11-Oct 12-Oct 13-Oct 14-Oct 15-Oct 16-Oct 17-Oct 18-Oct 19-Oct Grand Total
On 1 1 1 1 1 1 1 1 2 2 2 2 2 2 20
Unknown 2 1 1 1 1 1 1 2 1 11
Off 1 1 1 1 1 1 1 7
Grand Total 3 2 2 2 2 2 2 3 2 3 3 3 3 3 3 38
Client Version History

[PivotChart: Number of Clients per day, 5-Oct to 19-Oct; series (Column Labels): 2.0.488.0, 2.0.498.0, 2.0.510.0]

Count of Client Version (Column Labels = Client Version)

Row Labels 2.0.488.0 2.0.498.0 2.0.510.0 Grand Total
5-Oct 2 1 3
6-Oct 1 1 2
7-Oct 1 1 2
8-Oct 1 1 2
9-Oct 1 1 2
10-Oct 1 1 2
11-Oct 1 1 2
12-Oct 2 1 3
13-Oct 1 1 2
14-Oct 1 1 1 3
15-Oct 1 1 1 3
16-Oct 1 1 1 3
17-Oct 1 1 1 3
18-Oct 1 1 1 3
19-Oct 1 1 1 3
Forefront Endpoint Protection 2010
Malware Infections, by Computer

Threat Name (All)
Threat Category (All)
Threat Severity (All)
Remediation Error Code (All)
Remediation Pending Action (All)
Remediation Type (All)
Remediation Result (All)

Row Labels | Number of Detections | First Detection | Most Recent Detection
CONTOSO-DC.Contoso.com | 1 | 11/14/10 1:56 PM | 11/14/10 1:56 PM
CONTOSO-EXCHANGE.Contoso.com | 1 | 11/5/10 3:15 AM | 11/5/10 3:15 AM
CONTOSO-SHAREPOINT.Contoso.com | 2 | 11/2/10 10:34 AM | 11/4/10 9:53 PM
Grand Total | 4 | 11/2/10 10:34 AM | 11/14/10 1:56 PM
Forefront Endpoint Protection 2010
Malware Infections by Threat

Threat Category (All)
Threat Severity (All)
Remediation Type (All)
Detection Type (All)

Row Labels | Number of Detections | First Detection | Most Recent Detection
Backdoor:Win32/Ginwui.A | 1 | 11/4/10 9:53 PM | 11/4/10 9:53 PM
Worm:Win32/Stuxnet.B | 1 | 11/2/10 10:34 AM | 11/2/10 10:34 AM
Virus:Win32/Virut.BB | 1 | 11/5/10 3:15 AM | 11/5/10 3:15 AM
TrojanDownloader:Win32/Troxen | 1 | 11/14/10 1:56 PM | 11/14/10 1:56 PM
Grand Total | 4 | 11/2/10 10:34 AM | 11/14/10 1:56 PM
Forefront Endpoint Protection 2010
All Malware Detections

The four sample rows of this sheet, one column per detection (fields as rows):

Field | Detection 1 | Detection 2 | Detection 3 | Detection 4
Timestamp | 11/4/2010 21:53 | 11/2/2010 10:34 | 11/5/2010 3:15 | 11/14/2010 13:56
ObserverHost | CONTOSO-SHAREPOINT.Contoso.com | CONTOSO-SHAREPOINT.Contoso.com | CONTOSO-EXCHANGE.Contoso.com | CONTOSO-DC.Contoso.com
ObserverUser | Contoso\User | Contoso\User | Contoso\User | Contoso\User
ObserverProductVersion | 2.0.635.0 | 2.0.635.0 | 2.0.635.0 | 2.0.635.0
ObserverProtectionVersion | AM: 1.1.6301.0, NIS: 2.0.5850.0 | AM: 1.1.6301.0, NIS: 2.0.5850.0 | AM: 1.1.6301.0, NIS: 2.0.5850.0 | AM: 1.1.6301.0, NIS: 2.0.5850.0
ObserverProtectionSignatureVersion | AV: 1.93.1865.0, AS: 1.93.1865.0, NIS: 8.37.0.0 | AV: 1.93.1877.0, AS: 1.93.1877.0, NIS: 8.57.0.0 | AV: 1.93.1877.0, AS: 1.93.1877.0, NIS: 8.57.0.0 | AV: 1.93.1877.0, AS: 1.93.1877.0, NIS: 8.57.0.0
ObserverDetection | IE Downloads and Outlook Express Attachments | Real-Time Protection | Real-Time Protection | Real-Time Protection
ObserverDetectionTime | 11/4/2010 21:53 | 11/2/2010 10:33 | 11/5/2010 3:13 | 11/14/2010 13:56
TargetProcess | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\explorer.exe | C:\Windows\System32\PingPong.exe | C:\Windows\explorer.exe
TargetResource | file:_C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\FakeAntiVirus.exe | file:_F:\~wtr4141.tmp | process:_C:\Windows\System32\PingPong.exe | file:_C:\Downloads\XBoxEmulator.exe
ClassificationType | Backdoor:Win32/Ginwui.A | Worm:Win32/Stuxnet.B | Virus:Win32/Virut.BB | TrojanDownloader:Win32/Troxen
ClassificationCategory | Backdoor | Worm | Virus | TrojanDownloader
ClassificationID | 2147428523 | 2147429675 | 2147429675 | 2147428459
ClassificationSeverity | Severe | Severe | Severe | Severe
RemediationType | Remove | Remove | Remove | Remove
RemediationResult | True | True | True | True
RemediationErrorCode | 0x00000000 | 0x00000000 | 0x00000000 | 0x00000000
RemediationPendingAction | 0 | 0 | 0 | 0
IsActiveMalware | False | False | False | False
