SCEP Network Inspection System - How to interpret NISLOG.TXT

I am trying to find some information on how to interpret the NISLOG.TXT file.

From what I understand, if everything is working "OK", then you should find the NIS signatures are OFF.  However, when I look at the NISLOG files on our clients, there are currently approx. 100 active signatures, which have been active for a number of months.  I am trying to ascertain what patches - if any - need applying to the clients to fix the issues so that the NIS signatures turn off.

Note that I also find it hard to believe that our Windows clients are missing so many patches.  SCCM 2012 is configured to deploy updates on a regular basis and the compliance rate for the last updates is over 90%.

I am thinking that NIS may not be working properly, as the NISLOG does not seem to have any information regarding KB updates that other posts I can find suggest it should have ... below is a sample of one of the NISLOG files, showing the last 5 signatures that are ON, plus the summary information.  Any help to interpret this and advise if this is correct or if we have an issue would be great!  Many thanks.

[08/25/15-08:46:18] [On ] Sig {59a97b9d-b9f4-49d2-8e07-f6aab66e3d05} Other:Win/YahooClick.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {f60d9da0-2863-49c5-98ee-672cd92df19a} Other:Win/YahooImp.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {14e0ea00-37fe-4109-bd78-1cef72adf272} Other:Win/SimplifiCollect.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {5b419168-2f04-4346-8bbd-cc673b6a4797} Other:Win/SimplifiImp.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {30ec694c-88fe-4c8f-a3de-c53d971fcfb9} Other:Win/SimplifiClk.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] --Signature list end--
[08/25/15-08:46:18] Signatures: Total: 100;  Enabled: 100
[08/25/15-08:46:18] Active signature breakdown: BM: 100; ZeroDay-Block: 0; ZeroDay-Detect: 0; ZeroDay-Detect-Inline: 0
[08/25/15-08:46:18] New engine version=2.1.11804.0; New signature version=115.3.0.0
[08/25/15-08:46:18] Successfully loaded new definitions, Any signature active (0/1): ZeroDay=0, BM=1
[08/25/15-08:46:18] At least one signature is active
[08/25/15-08:46:18] Connecting to the driver
[08/25/15-08:46:18] NumberOfCompletionPortThreads: 1, NubmerOfInspectionThreads: 12
[08/25/15-08:46:18] Load Definitions completed successfully.

August 25th, 2015 7:59am

Note that I also find it hard to believe that our Windows clients are missing so many patches.  SCCM 2012 is configured to deploy updates on a regular basis and the compliance rate for the last updates is over 90%.

What makes you think this?
August 25th, 2015 8:42am

Hi, the deployments reports in SCCM for the Software Updates show this.

August 25th, 2015 9:01am

Hi, the deployments reports in SCCM for the Software Updates show this.


But why do you think that they are wrong?
August 25th, 2015 9:42am

Hi Gareth, I don't really think the deployment reports are wrong; that's sort of the point. If the clients are up to date, then why are the signatures "ON" in NIS on our clients, and why have they been "ON" for a long time? My current understanding is that the signatures should only be "ON" if NIS needs to monitor for the threat until a patch is released to address it, and when the patch is detected on a client the signatures should turn off and reduce the performance hit that NIS brings.

I am trying to understand NIS to see if we have an issue ... it could be that my current understanding is wrong and I need to be corrected! Does this make the question clearer?  Thanks.

August 25th, 2015 9:51am

I think the key factor to interpret the log is the difference between zero-day and behavior monitoring (BM) signatures. The active NIS signatures in your log are all BM related. I think you only need to worry about missing patches if the zero-day signatures are enabled.

This link has some good info related to NIS: http://blogs.technet.com/b/configmgrteam/archive/2013/06/24/enhancements-to-behavior-monitoring-and-network-inspection-system-in-the-microsoft-anti-malware-platform.aspx

August 25th, 2015 11:37am
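As an added example (not code from this thread or from Microsoft), the following parser applies Kevin's reading of the log: it pulls the per-signature lines and the "Active signature breakdown" summary out of a NISLOG.TXT excerpt and flags a patch review only when a ZeroDay counter is non-zero. It assumes the line layout matches the excerpt above; the embedded sample is constructed from that excerpt.

```python
import re

# Constructed sample: an abridged copy of the NISLOG.TXT excerpt posted in this thread.
SAMPLE_NISLOG = """\
[08/25/15-08:46:18] [On ] Sig {59a97b9d-b9f4-49d2-8e07-f6aab66e3d05} Other:Win/YahooClick.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {f60d9da0-2863-49c5-98ee-672cd92df19a} Other:Win/YahooImp.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] [On ] Sig {14e0ea00-37fe-4109-bd78-1cef72adf272} Other:Win/SimplifiCollect.HTTP.HTTP!NIS-0000-0000 -
[08/25/15-08:46:18] --Signature list end--
[08/25/15-08:46:18] Signatures: Total: 100;  Enabled: 100
[08/25/15-08:46:18] Active signature breakdown: BM: 100; ZeroDay-Block: 0; ZeroDay-Detect: 0; ZeroDay-Detect-Inline: 0
[08/25/15-08:46:18] Successfully loaded new definitions, Any signature active (0/1): ZeroDay=0, BM=1
"""

# One signature entry: timestamp, [On ]/[Off] state, GUID and signature name.
SIG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<state>On|Off)\s*\] Sig \{(?P<guid>[0-9a-f-]+)\} (?P<name>\S+)"
)
TOTALS_RE = re.compile(r"Signatures: Total: (?P<total>\d+);\s+Enabled: (?P<enabled>\d+)")
BREAKDOWN_RE = re.compile(r"Active signature breakdown: (?P<body>.*)$")


def parse_nislog(text):
    """Return the signature entries, the totals line and the active-signature breakdown."""
    sigs, totals, breakdown = [], {}, {}
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            sigs.append({"state": m["state"], "guid": m["guid"], "name": m["name"]})
            continue
        m = TOTALS_RE.search(line)
        if m:
            totals = {"total": int(m["total"]), "enabled": int(m["enabled"])}
            continue
        m = BREAKDOWN_RE.search(line)
        if m:
            # Body looks like "BM: 100; ZeroDay-Block: 0; ..." -> {"BM": 100, ...}
            for part in m["body"].split(";"):
                key, _, val = part.strip().partition(":")
                breakdown[key.strip()] = int(val)
    return {"signatures": sigs, "totals": totals, "breakdown": breakdown}


def assess(parsed):
    """Separate BM from ZeroDay counters; only active ZeroDay signatures point at missing patches."""
    b = parsed["breakdown"]
    zero_day_active = sum(v for k, v in b.items() if k.startswith("ZeroDay"))
    return {
        "bm_active": b.get("BM", 0),
        "zero_day_active": zero_day_active,
        "on_signature_names": [s["name"] for s in parsed["signatures"] if s["state"] == "On"],
        "patch_review_needed": zero_day_active > 0,
    }
```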

Thank you Kevin.  I was thinking along the same lines ... it's reassuring to have the idea backed up.  I will most likely take this as fact and assume there are no active NIS signatures unless I get any feedback to explain further.
August 26th, 2015 4:48am

