FEP Report Remediation Status Update

First, I've seen this question asked a few times; however, those that asked it never replied, so those threads were closed a while ago. And there was never really an answer. But I need one!

I'm trying to better understand the FEP report because it's part of my daily duties now to monitor all the company's machines for infections.

What happens is, when I run the Infected Computer report, I get the list of infected machines. For the most part, the Remediation Status reads None. However, on occasion it will read as Cleaned.

However, when you click on a computer that shows infected, the Action is listed usually as either Quarantined or Removed, with the occasional None.

So my question is, if the infection was quarantined or removed, then why does the main report page, that shows the Remediation Status, not reflect the fact that that particular machine has been cleaned? Or does this look at something else altogether different?

In the first screenshot above, all of those machines listed were in fact cleaned automatically. However, only one has a Remediation Status of Cleaned.

I am using SCCM 2012 R2 in case the info is needed. 

Thanks in advance.

June 10th, 2015 7:10pm

The Remediation Status column in the report is being populated from the ComputerStatus column in the v_GS_AntimalwareInfectionStatus database view. On the client end, the corresponding value is stored in WMI under

namespace: root\Microsoft\SecurityClient

Class: AntimalwareInfectionStatus

Property: ComputerStatus

The possible values are

0 - Unknown
1 - None
2 - Cleaned
3 - Pending
4 - Failed

I think the difference between "None" and "Cleaned" primarily has to do with timing. A system that has had a malware infection and was cleaned, will report a "Cleaned" ComputerStatus value, but only for a certain period of time, and then it will revert back to "None".

There is another property in the same WMI class called RecentlyCleanedDetections, which lists items detected within the last 24 hours. It may be the case that while RecentlyCleanedDetections is not empty (meaning a detection occurred within the last 24 hours), ComputerStatus changes to "Cleaned" but after 24 hours have passed with no further items detected, the RecentlyCleanedDetections property is emptied and the ComputerStatus property changes to "None".

I don't have any inside information of anything, this is just my best guess based on my observations. Hope it helps.


June 11th, 2015 4:41pm

  • Edited by KevinMJohnston Thursday, June 11, 2015 10:11 PM
  • Marked as answer by rrice2004 Monday, June 22, 2015 10:47 PM
June 11th, 2015 8:41pm
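One way to compare the client-side values named in the answer above against what the report shows, as an added example that is not part of the original thread. The function name `Get-FepInfectionStatus` and the computer names are hypothetical, and treating RecentlyCleanedDetections as a collection that can be counted is an assumption.

```powershell
# Added example, not code from the thread. Reads the WMI class named in the
# answer on each machine so the values can be compared with the report.
# Requires WinRM/CIM access to the target machines.

# Value-to-label mapping exactly as listed in the answer.
$StatusNames = @{ 0 = 'Unknown'; 1 = 'None'; 2 = 'Cleaned'; 3 = 'Pending'; 4 = 'Failed' }

function Get-FepInfectionStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            $row = [ordered]@{
                ComputerName         = $computer
                CheckedAt            = Get-Date
                ComputerStatus       = $null
                RemediationStatus    = $null
                RecentlyCleanedCount = $null
                Error                = $null
            }
            try {
                $status = Get-CimInstance -ComputerName $computer `
                    -Namespace 'root\Microsoft\SecurityClient' `
                    -ClassName 'AntimalwareInfectionStatus' -ErrorAction Stop |
                    Select-Object -First 1
                if (-not $status) { throw 'AntimalwareInfectionStatus returned no instance' }

                $code  = [int]$status.ComputerStatus
                $label = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] }
                         else { "Unrecognized ($code)" }
                # Assumption: RecentlyCleanedDetections is a collection; drop null entries.
                $recent = @($status.RecentlyCleanedDetections | Where-Object { $_ })

                $row.ComputerStatus       = $code
                $row.RemediationStatus    = $label
                $row.RecentlyCleanedCount = $recent.Count
            } catch {
                # Unreachable host or missing FEP client: keep the row, record why.
                $row.Error = $_.Exception.Message
            }
            [pscustomobject]$row
        }
    }
}

# Placeholder names; run on a schedule to see when "Cleaned" reverts to "None".
'MACHINE-A', 'MACHINE-B' | Get-FepInfectionStatus | Format-Table -AutoSize
```

Appending the output to a CSV at intervals (for example with `Export-Csv -Append`) gives a timeline of ComputerStatus next to the RecentlyCleanedDetections count for each machine.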

Kevin,

Thank you for the reply. I like your observation. And it makes sense to me, up to a point. And I'll say why.

Looking at this morning's report, which is emailed to me every morning at 8am, I had two machines listed as being infected. One machine was listed as None for the Remediation Status and the other was listed as Cleaned.

Now, I looked at the time of detection on both machines. Machine A is reporting it detected the infection at 3:12pm on the 11th. And Machine B reported that it detected the infection at 7:07pm.

Now, when checking each machine individually, both show the Action as Removed and the State as Success. But only Machine B shows Remediation Status of Cleaned on the main reports page.

Now manually checking each machine, FEP did in fact quarantine the infection on both machines and no other traces of anything were found.

So if it is a 24hr rule or guideline, the report came through well before the 24hr limit.

I am definitely not ruling out your observation, as again, it makes sense. I just need to find a way to whittle that down a bit more.

June 12th, 2015 1:29pm
