2 Replies Latest reply on Apr 8, 2010 2:11 PM by Mr_Security

    Asset Baseline Monitor Issue

      I am trying to see how the Asset Baseline Monitor works. I have the task set to run immediately at the very top (My Organization), however, I don't see any new activity under Reporting, Asset Baseline Monitor, Activity, Activity by type:

      New running services
      Services stopped and removed.

      Keys modified
      Keys removed
      New keys
      New subkeys
      Subkeys removed

      Deleted group memberships
      Deleted local users
      New group memberships
      New local users

      I have a weekly scan scheduled for the initial baseline, then from what I understand this was supposed to detect any changes from the prior week to the system. However, nothing is populating in the above fields.

      Also, when I run an OD (On-demand Scan) nothing is populated as well.

      *The task is set as enabled at the top (My Organization).

      Any suggestions????
        • 1. Asset Baseline Monitor
          Have you run the Scan Errors query?
          • 2. Re: Asset Baseline Monitor Issue

            You should be running a Baseline Scan on whatever interval you choose (we use 30 days). Then you should have another task that runs daily called Activity Scan and this will pick up any changes from your baseline. If you are running just the Baseline Scan then every time you run that scan you are establishing a new baseline so you are saying that everything running on it at the time of that scan is valid. The Activity Scan is like a differential, so it will compare the current settings against the baseline you had set and then report all of the differences. Then (in ePO 4.0) you go to Reporting > Asset Baseline Monitor and you should see any registry key changes, user or group changes, and new services being started or stopped. I know it's about a year late, but maybe it will help someone else who comes across the same problem.
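
The baseline/activity distinction described in the reply above, as an added example that is not part of the original thread and not McAfee's code: a simplified Python model showing why re-running only the Baseline Scan reports nothing, while a differential against a kept baseline fills the activity types. The snapshots, service names, registry paths and user names are constructed sample data, and the function names are hypothetical.

```python
import copy

# Constructed sample snapshots of one host, a week apart (not real scan output).
WEEK1 = {"services": ["Spooler", "W32Time"],
         "users": ["Administrator"],
         "keys": {r"HKLM\Software\Example\Run": "agent.exe"}}
WEEK2 = {"services": ["Spooler", "ExampleSvc"],
         "users": ["Administrator", "tempadmin"],
         "keys": {r"HKLM\Software\Example\Run": "agent.exe -x",
                  r"HKLM\Software\Example\New": "1"}}

def baseline_scan(current):
    """Accept the current state as valid: it becomes the new baseline."""
    return copy.deepcopy(current)

def activity_scan(baseline, current):
    """Differential: compare current state to the stored baseline."""
    report = {}
    for field, added, removed in (
            ("services", "New running services", "Services stopped and removed"),
            ("users", "New local users", "Deleted local users")):
        base, cur = set(baseline[field]), set(current[field])
        report[added] = sorted(cur - base)
        report[removed] = sorted(base - cur)
    bk, ck = baseline["keys"], current["keys"]
    report["New keys"] = sorted(ck.keys() - bk.keys())
    report["Keys removed"] = sorted(bk.keys() - ck.keys())
    report["Keys modified"] = sorted(
        k for k in bk.keys() & ck.keys() if bk[k] != ck[k])
    # Only activity types with at least one finding show up in the report.
    return {name: items for name, items in report.items() if items}

def baseline_only():
    """Weekly Baseline Scan with no Activity Scan: each run resets the reference."""
    baseline = baseline_scan(WEEK1)
    baseline = baseline_scan(WEEK2)   # week 2 changes are accepted as valid
    return activity_scan(baseline, WEEK2)

def baseline_plus_activity():
    """Baseline kept from week 1, Activity Scan run against it in week 2."""
    baseline = baseline_scan(WEEK1)
    return activity_scan(baseline, WEEK2)

if __name__ == "__main__":
    print("baseline only:      ", baseline_only())
    print("baseline + activity:", baseline_plus_activity())
```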