While FEP has great reporting features available in the SCCM console and through SQL Reporting Services it’s completely possible that you might find yourself attempting to troubleshoot a malware issue without access to either resource. Fortunately Microsoft has added a set of detailed client side logs for you to make use of.
The log we will be focusing on today is the MPlog, which you can locate in the “C:\ProgramData\Microsoft\Microsoft Antimalware\Support” directory. (Note: This directory is hidden by default). Below are some examples of how the MPlog can be useful to you.
Tip 1: Determine where a client is pulling definition updates from
Since FEP has the capability to allow clients to pull definition updates from multiple sources, it is definitely a best practice to configure your FEP policies to do so. This will help to insure your clients stay up to date even if one update resource becomes unavailable. The three basic update mechanisms are WSUS/SUP, UNC file shares and Microsoft Updates.
The problem is if you’ve built your policies with multiple update sources it’s not immediately apparent where your client got its last update from. Neither the definition tab on a local client or the Antimalware Protection Summary Report is going to show you where an update was obtained from. Fortunately this information is recorded in a client’s MPlog.
To quickly find where a client has been pulling updates from, open the MPlog and hit Control F, in the find window type in the word “via” and hit find next. You should see an entry similar to this “Signature updated via InternalDefinitionUpdateServer on Sat Jan 01 2011 17:43:18”.
This tells me my client successfully pulled an update from my WSUS server. If you continue to search to the end of the log, you’ll be able to find the last time your client updated its definitions and which update source was used.
Tip 2: Quickly Find Past Malware Detection
The MPlog also records malware detections. This might come in handy if you’re troubleshooting a system that has been taken offline due to a suspected infection. Too quickly parse through the log and find past detections press Control F and type “Threat Name” and click find next. If there has been a detected infection you should see an entry similar to this: “Threat Name:Rogue:Win32/badvirus”. If you scroll down a bit you should also be able to see the path of the infected file and the action that the FEP client took to resolve it.
If you have any questions about client side logs in FEP, please leave a comment below.