cylonsurfer

Question about SCCM CB Alerts


I have configured a number of Malware alerts in SCCM CB and have tested them against a test client which I infected with the EICAR test file. The configured alerts all trigger as expected and fire off emails to the addresses I have specified - which is great. However, once triggered, these alerts seem to remain in a state of 'Active' under 'Monitoring' > 'Overview' > 'Alerts' > 'All Alerts' / 'Active Alerts' despite the malware being successfully removed from the client via Endpoint Protection and the client reporting a remediation status of 'Cleaned' back to SCCM.

I can see no way to dismiss these alerts or manually mark them as resolved - what do I do with them and should they automatically change state once the issue that triggered them has been resolved? It's been over 48 hours since the Malware was detected (and removed) by Endpoint and the alert triggered in SCCM.

Edited by cylonsurfer


That's correct - the alerts, once triggered, remain active even though the malware which triggered the alert was cleaned, and I can see no way to manually dismiss the alerts and they do not appear to be resolving automatically.

We're currently on version: 1706 - Site Version: 5.00.8540.1000


According to this link, the following actions are available for alerts:

Quote

 

You can take one of the following actions when Configuration Manager generates an alert:

Resolve the condition that caused the alert, for example, you resolve a network issue or a configuration issue that generated the alert. After Configuration Manager detects that the issue no longer exists, the alert state changes to Cancel.

If the alert is a known issue, you can postpone the alert for a specific length of time. At that time, Configuration Manager updates the alert to its current state.

You can postpone an alert only when it is active.

You can edit the Comment of an alert so that other administrative users can see that you are aware of the alert. For example, in the comment you can identify how to resolve the condition, provide information about the current status of the condition, or explain why you postponed the alert.

 

So has your alerts' state changed to Cancel? Can you show a screenshot?

cheers

niall
