
Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager

Post on 11-Aug-2020


Page 1: Implementing Endpoint Protection in System Center 2012 R2 ... · Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 1 Objectives After completing

Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager


This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

The information contained in this document represents the current view of Microsoft Corporation on the

issues discussed as of the date of publication and is subject to change at any time without notice to you.

This document and its contents are provided AS IS without warranty of any kind, and should not be

interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the

accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN

THIS DOCUMENT.

The descriptions of other companies’ products in this proposal, if any, are provided only as a convenience

to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft

cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are

intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative

descriptions of these products, please consult their respective manufacturers.

This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.

All trademarks are the property of their respective companies.

Printed in the United States of America

©2007 Microsoft Corporation. All rights reserved.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the

United States and/or other countries.

The names of the actual companies and products mentioned herein may be the trademarks of their

respective owners.


Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 1

Objectives: After completing this lab, you will be able to:

Configure Endpoint Protection in a Configuration Manager 2012 R2 environment

Create and deploy Endpoint Protection policies

Clean a malware infection

Report status on Endpoint Protection

Implement real-time actions in Configuration Manager 2012 R2 to quickly respond to client issues

Prerequisites: This lab requires an installed and functioning Configuration Manager 2012 R2 site server (Primary1 is the site server virtual machine image). This lab also requires at least one Configuration Manager 2012 R2 client (Client1 is the client computer, in addition to the site server virtual machine being installed as a client).

Estimated Time to Complete This Lab: 75 Minutes

Computers used in this Lab: Primary1, Client1

The password for the administrator account on all computers in this lab is: password.


1 ENABLING ENDPOINT PROTECTION IN CONFIGURATION MANAGER 2012 R2

In this exercise, you will configure Configuration Manager 2012 R2 to support System Center 2012 R2 Endpoint Protection. This feature is included in Configuration Manager 2012 R2 and builds on the normal software update management feature, adding monitoring and management of virus and malware protection for the environment. You will begin by configuring the location from which clients download Endpoint Protection definition updates, using a network location instead of WSUS or Microsoft Update.

Tasks Detailed steps

Complete the following task on: Primary1

1. Start the Configuration Manager 2012 R2 console

1. On the Start menu, click Configuration Manager Console.

NOTE: The System Center 2012 R2 Configuration Manager console window appears displaying the Assets and Compliance Overview page.

2. Configure the default malware policy for definition location

1. In the navigation pane, expand Endpoint Protection, and then click Antimalware Policies.

NOTE: The list of antimalware policies appears in the results pane. Notice that the only policy is "Default Client Malware Policy", which by default applies to all clients. In the lab environment, you will configure the location from which the client acquires malware definitions to use a UNC path, as no Internet access is available in the lab environment and no definitions have been imported into WSUS. This is necessary to provide a definition location for the site server after the Endpoint Protection point site system role is enabled later in this exercise, which installs the Endpoint Protection client agent on the site system.

2. In the results pane, click Default Client Malware Policy, and then on the Ribbon, click Properties.

NOTE: The Default Antimalware Policy dialog box appears displaying the available default client malware settings.

3. In the navigation pane, click Definition updates.

NOTE: The Default Antimalware Policy dialog box now displays the configurable settings for antimalware definition updates in the results pane.

4. After Set sources and order for Endpoint Protection definition updates, click Set Source.

NOTE: The Configure Definition Update Sources dialog box appears, allowing you to configure the location(s) that clients can use to download Endpoint Protection definition updates. Notice that by default, the client will first check for definitions from Configuration Manager, then WSUS, then Microsoft Update, and finally the Microsoft Malware Protection Center. Notice also that access to definitions from a network path is not enabled. You can change the order of preference for definition download locations by selecting a location and clicking Up or Down as appropriate.

5. Click to clear Updates distributed from WSUS, Updates distributed from Microsoft Update, and Updates distributed from Microsoft Malware Protection Center, as the lab environment does not have access to the Internet and update definitions have not been imported into the WSUS installation in the lab environment.

NOTE: It is OK to leave the selection for downloading definitions from Configuration Manager. This will be useful for the client to get definition updates from a Configuration Manager distribution point once you have integrated Endpoint Protection with the software updates feature of Configuration Manager.

6. Click to select Updates from UNC file shares, and then click OK.

NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for

Endpoint Protection definition updates" setting now displays "2 sources selected". You now need to specify the UNC path to access update definitions

from. Notice also that the default is that there is no UNC location specified.

7. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths.

NOTE: The Configure Definition Update UNC Paths dialog box appears allowing you to configure the UNC location(s) that clients can use to download

Endpoint Protection definition updates. Notice that by default, no locations are specified.

8. In the UNC path box, type \\Primary1\EPOld and then click Add.

NOTE: The Configure Definition Update UNC Paths dialog box appears

displaying the UNC path for definition download. You can add multiple paths as necessary, however in the lab environment, we only need one path.

9. Click OK.

NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for

Endpoint Protection definition updates" setting now displays "2 sources selected", and that a UNC path is now specified.

10. Click OK.

NOTE: The list of malware policies appears in the results pane. As you modified the "Default Client Malware Policy", that is the only policy that appears. It will be used by all clients unless overridden by a custom policy, which you will create later in this lab.
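The policy you just saved tells every client to pull definitions from a UNC share, so the share itself becomes part of the trust boundary: whoever can write to it can replace the package the clients will install. The following PowerShell script is an added example, not part of the lab, that reads the definition-source settings as they land on a System Center 2012 R2 Endpoint Protection client and checks each UNC source for reachability, presence of a definition package, and write access granted to broad groups. It assumes (not stated in the lab) that the client stores these settings under HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates in the values FallbackOrder and DefinitionUpdateFileSharesSources, and that the packages are named mpam-fe.exe / mpam-fex64.exe; the share \\Primary1\EPOld comes from the lab.

```powershell
# Added example (not part of the lab): audit the definition-update sources that
# the antimalware policy pushed to a SCEP 2012 R2 client, and check that each
# UNC source is reachable, holds a definition package, and is not writable by
# ordinary users (a writable share lets anyone swap the package clients trust).
# Assumptions: registry location and value names below, package file names,
# and the lab share \\Primary1\EPOld. Run on a client that has received policy.

$regPath      = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'
$packageNames = @('mpam-fe.exe', 'mpam-fex64.exe')   # x86 / x64 definition packages
$writeRights  = [System.Security.AccessControl.FileSystemRights]::Write -bor
                [System.Security.AccessControl.FileSystemRights]::Modify -bor
                [System.Security.AccessControl.FileSystemRights]::FullControl
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-EpDefinitionSourceConfig {
    # Returns the fallback order and the UNC sources as the client sees them.
    $key = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    [pscustomobject]@{
        FallbackOrder = @($key.FallbackOrder -split '\|' | Where-Object { $_ })
        FileShares    = @($key.DefinitionUpdateFileSharesSources -split '\|' | Where-Object { $_ })
    }
}

function Test-EpDefinitionShare {
    param([Parameter(Mandatory = $true)][string]$Path)
    $result = [ordered]@{ Path = $Path; Reachable = $false; HasPackage = $false; WorldWritable = $null }
    if (-not (Test-Path -Path $Path)) { return [pscustomobject]$result }
    $result.Reachable  = $true
    $result.HasPackage = [bool]($packageNames | Where-Object { Test-Path -Path (Join-Path $Path $_) })
    # Flag any Allow ACE that gives a broad principal Write/Modify/FullControl.
    $acl = Get-Acl -Path $Path
    $result.WorldWritable = [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeRights) -ne 0)
    })
    [pscustomobject]$result
}

$config = Get-EpDefinitionSourceConfig
if (-not $config) {
    Write-Warning "No Endpoint Protection signature-update policy found at $regPath (agent not installed or policy not yet applied)."
} else {
    "Fallback order: $($config.FallbackOrder -join ' -> ')"
    foreach ($share in $config.FileShares) {
        $check = Test-EpDefinitionShare -Path $share
        $check
        if (-not $check.Reachable)      { Write-Warning "$share is not reachable from this client." }
        elseif (-not $check.HasPackage) { Write-Warning "$share holds no mpam-fe*.exe definition package." }
        if ($check.WorldWritable)       { Write-Warning "$share grants write access to a broad group; definitions could be tampered with." }
    }
}
```

In the lab only \\Primary1\EPOld is listed, so the loop runs once; in production the same loop covers every share in the policy, and the WorldWritable warning is the one to act on first, since clients apply whatever package they find there.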

In the following procedure, you will enable the Endpoint Protection point site system role. You will then view log files and status messages related to the deployment of the Endpoint Protection point site system role to verify its installation. You will also view the Endpoint Protection status on the site system role using the System Center 2012 R2 Endpoint Protection client.

Tasks Detailed steps

Complete the following task on: Primary1

1. Configure an Endpoint Protection point site system role

1. Click the Administration workspace.

Note: The System Center 2012 R2 Configuration Manager console displays the Administration workspace Overview page.

2. In the navigation pane, expand Site Configuration, and then click Sites.

Note: The list of sites appears in the results pane. Notice that there is only one site available, that being the local site (MCM).

3. In the navigation pane, click Servers and Site System Roles.

Note: The list of site systems appears in the results pane, with the installed roles for the selected site system displayed in the preview pane. Notice that the site only has one site system (Primary1), and that this site system does not have the "Endpoint Protection point" site system role installed. The Endpoint Protection point site system role does not really do anything, so it is fine to have it co-located on the site server. We'll use a single server to host all roles to reduce the number of images that need to be started at one time.

4. On the Home tab of the Ribbon, click Add Site System Roles.

Note: The Add Site System Roles Wizard General dialog box appears. Notice that the FQDN of the site server is displayed. This information was collected during Configuration Manager Setup as part of the prerequisite check for the site server.

5. Click Next to accept the default configuration of the account to use, to not require site server initiated connections, and to not publish an Internet FQDN.

Note: The Add Site System Roles Wizard Proxy dialog box appears, allowing you to configure a proxy if the site system role requires one to access the Internet. In your production environment, you may need to configure a proxy server and account to access the Internet. However, in our lab environment this is not necessary.

6. Click Next to not configure proxy settings.

Note: The Add Site System Roles Wizard System Role Selection dialog

box appears displaying the list of site system roles that can be assigned to this computer. Notice that "Endpoint Protection point" appears as an available site

system role for this site system.

7. Under Available roles, click to select Endpoint Protection point.

Note: A Configuration Manager message box appears indicating that Endpoint Protection is configured to obtain definition files through Configuration Manager's software update management feature. It also states that if Configuration Manager is enabled as a definition source, you should configure a software update point.

8. Click OK, and then click Next.


NOTE: The Add Site System Roles Wizard Endpoint Protection dialog

box appears displaying the license terms for Endpoint Protection. System

Center 2012 Endpoint Protection has specific licensing requirements in addition to the standard System Center 2012 Configuration Manager license

requirements. You are only allowed to enable Endpoint protection in environments where the Endpoint Protection license has been acquired.

9. Click to select I accept the Endpoint Protection license terms, and then click Next.

NOTE: The Add Site System Roles Wizard Microsoft Active Protection Service dialog box appears allowing you to configure the options for Microsoft

Active Protection Service. If enabled, Microsoft Active Protection Service will

collect, and send to Microsoft, information about installed applications, which may then be used to help create definitions for application software. As you are

in a virtual environment, without Internet access, there is no need to enable this feature. Notice that if desired, you can choose either a basic or advanced

membership in Microsoft Active Protection Service. In a production

environment, it is recommended to join the Microsoft Active Protection Service.

10. Click Next to accept the default to join MAPS with a basic membership.

Note: The Add Site System Roles Wizard Summary dialog box appears

indicating that you have successfully completed the wizard and are ready to install this site system role.

11. Click Next.

Note: The Add Site System Roles Wizard Completion dialog box appears indicating that the wizard completed successfully.

12. Click Close.

Note: The System Center 2012 R2 Configuration Manager console window

appears displaying the site systems and installed roles for the site. Notice that you did not create a new site system for this role and still only have the site

server as a site system in the site. It will take a moment for the "Endpoint Protection point" site system role to be installed, though it is displayed in the

list of site system roles immediately. You may need to refresh the list of site

system roles on the site system to view the “Endpoint Protection point” site system role.

2. View the Endpoint Protection point installation log file

1. Open C:\Program Files\Microsoft Configuration Manager\Logs\EPSetup.log.

NOTE: Notepad appears displaying the contents of the Configuration Manager Endpoint Protection point site system role installation log. Notice that the log indicates that the required OS version was detected, and that the installation was successful.

2. Close Notepad.

Note: The System Center 2012 R2 Configuration Manager console window appears displaying the Administration workspace and the list of site systems

and installed roles.

3. View the Endpoint Protection point status messages

1. Click the Monitoring workspace.

Note: The Monitoring workspace appears displaying the Overview page.

2. In the navigation pane, expand System Status, and then click Site Status.

NOTE: The list of Configuration Manager 2012 site systems and their installed roles appears in the results pane. Notice that the "Endpoint Protection point" appears in the list with a status of OK.

3. In the navigation pane, click Component Status.

NOTE: The list of Configuration Manager 2012 components and their current

status appears in the results pane.

4. In the results pane, click SMS_ENDPOINT_PROTECTION_MANAGER, and then on the Ribbon, click Show Messages.

NOTE: A new menu appears allowing you to specify the type of messages to

display.

5. Click All.

NOTE: The Status Messages: Set Viewing Period dialog box appears

prompting for the age of status messages to display.

6. Click OK to view messages for the past 24 hours.

NOTE: The Configuration Manager Status Message Viewer for <MCM> window appears displaying the status messages for the SMS_ENDPOINT_PROTECTION_MANAGER component for the most recent 24 hours. Notice a message with an ID of 500. This message indicates that the component was started.

7. Close the Configuration Manager Status Message Viewer for <MCM> window.

NOTE: The list of Configuration Manager 2012 R2 components and their current status appears in the results pane.

4. View the Endpoint Protection status using the Microsoft Forefront Endpoint Protection client

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears. Notice that the status is "Computer status - At risk", which indicates that the computer is not fully protected at this point. Notice also that "Real time protection" is currently listed as "Disabled", that "Virus and spyware definitions" has a status of "Out of date", and that no scan schedule has been defined. You will resolve all of these issues with Configuration Manager 2012 and its integration with Endpoint Protection.

2. Close the System Center Endpoint Protection window.

NOTE: The System Center 2012 R2 Configuration Manager console window

appears displaying the components and their current status in the Monitoring

workspace.

In the following procedure, you will enable the Endpoint Protection client, which will allow scanning for malware and viruses on client computers. The Endpoint Protection client agent is disabled by default, and can only be enabled after the "Endpoint Protection point" site system role has been installed.

Tasks Detailed steps

Complete the following task on: Primary1

1. Enable the Endpoint Protection client

1. Click the Administration workspace.

NOTE: The Administration workspace appears displaying the list of site systems in the results pane, and the site system roles for the selected site system in the preview pane. Notice that the "Endpoint Protection point" site system role is listed as a role on the only site system in our site - "Primary1".

2. In the navigation pane, click Client Settings.

NOTE: The list of client settings appears in the results pane. Notice that the only client setting is "Default Client Settings", which by default applies to all clients. In the lab environment, you will enable the Endpoint Protection client agent in the default client settings so that all clients are scanned and report data. However, in your production environment, you could create a custom client setting for devices, enable Endpoint Protection, and then assign the custom client setting to a collection of systems, either because the agent is not to be installed on all clients managed by Configuration Manager, or because you want to perform additional testing in production on a limited set of clients before enabling it for all clients.

3. In the results pane, click Default Client Settings, and then on the Ribbon, click Properties.

NOTE: The Default Settings dialog box appears displaying the available

client settings.

4. In the navigation pane, click Endpoint Protection.

NOTE: The configurable settings for Endpoint Protection appear in the results

pane. Notice that by default, the Endpoint Protection client is not installed on clients.

5. In the Manage Endpoint Protection client on client computers box, click Yes.

NOTE: Additional settings for Endpoint Protection become available for configuration once managing the Endpoint Protection client has been enabled. For the lab environment, you would also need to configure the last setting to allow download of the initial definition from the UNC path. Notice that "Install Endpoint Protection client on client computers" is enabled. This will install the Endpoint Protection client agent on clients after the next system policy retrieval and evaluation cycle.

6. In the Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition updates on client computers box, click No, and then click OK.

NOTE: The list of client settings appears in the results pane. As you modified

the "Default Client Settings", that is the only setting that appears. This setting, which will enable and configure the Endpoint Protection client, will be

implemented on clients at their next system policy retrieval and evaluation cycle.

In the following procedure, you will force the clients to retrieve policies. This will cause the clients to install the Endpoint Protection client agent. For this policy retrieval process, you will use the traditional method of forcing policy retrieval from the client itself. Configuration Manager 2012 R2 also includes the ability to force policy retrieval from the Configuration Manager console through real-time actions. You will use that method later in this lab.

Tasks Detailed steps

Complete the following task on: Client1 and Primary1

1. Install the Endpoint Protection Client Agent

1. In Control Panel, click System and Security, and then start Configuration Manager.

NOTE: The Configuration Manager Properties dialog box appears.

2. Click the Actions tab.

NOTE: The Configuration Manager Properties dialog box displays the available actions for the client. After Endpoint Protection has been enabled as

part of the Default Client Settings, or a custom client setting, you need to

retrieve policies to install Endpoint Protection on clients.

3. Click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now.

NOTE: The Configuration Manager client will request new policies, which will

include the policy related to the Endpoint Protection agent installation. A Machine Policy Retrieval & Evaluation Cycle message box appears

indicating the action was initiated, and may take several minutes to complete.

4. Click OK.

NOTE: The Configuration Manager Properties dialog box appears. It will

take a couple of minutes to install Endpoint Protection agent.

5. Click OK.

NOTE: The System Center 2012 R2 Endpoint Protection agent is installed on the client computer. It will take a moment for the agent to install. The installation occurs locally, as the Endpoint Protection client agent installation program was previously downloaded to the computer during the installation of the Configuration Manager client.

2. Verify the current status of the Microsoft Forefront Endpoint Protection client

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which is "Protected". Notice that "Real-time protection" is now set to "On" - recall that previously, when you viewed this on the site server, it was set to "Off". Also notice that the "Virus and spyware definitions" status is listed as being old (created x number of days ago). Finally, notice that under "Scan details", it indicates that the schedule for quick scans is weekly, on Saturday, around 2:00pm, and that no scan has been performed yet. You will set a unique schedule in the next exercise to validate that a custom policy overrides the default policy, and you will initiate a scan using a newer definition. If your client is not protected yet, you will perform an additional update in the next exercise that will implement a new policy on the client computer, complete the installation of a newer definition, and protect the client.

2. Close the System Center Endpoint Protection window.
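The two steps above (force a Machine Policy Retrieval & Evaluation Cycle, then open the Endpoint Protection client to see whether it reports "Protected") are what you would script when checking more than a couple of machines. The PowerShell below is an added example and not part of the lab: it triggers the same cycle through the Configuration Manager client's WMI interface, waits for the Endpoint Protection service to start, and reads the same protection fields the client window shows. It assumes (none of this is in the lab text) the SMS_Client.TriggerSchedule method in root\ccm with schedule ID {00000000-0000-0000-0000-000000000021} for machine policy retrieval, the service name MsMpSvc for the System Center Endpoint Protection client, the MSFT_MpComputerStatus class in root\Microsoft\ProtectionManagement, and the client log EndpointProtectionAgent.log in the ConfigMgr client Logs folder; run it elevated on Client1 or Primary1.

```powershell
# Added example (not part of the lab): trigger "Machine Policy Retrieval &
# Evaluation Cycle" from PowerShell instead of the Control Panel applet, then
# wait for the Endpoint Protection agent and report its protection state.
# Assumptions: SMS_Client.TriggerSchedule in root\ccm, schedule ID ...021,
# service name MsMpSvc, class MSFT_MpComputerStatus in
# root\Microsoft\ProtectionManagement. Run elevated on the client.

$MachinePolicyRetrievalScheduleId = '{00000000-0000-0000-0000-000000000021}'

function Invoke-CcmMachinePolicyRetrieval {
    # Same action as Actions tab -> Machine Policy Retrieval & Evaluation Cycle -> Run Now.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $MachinePolicyRetrievalScheduleId | Out-Null
}

function Wait-EpAgentInstalled {
    param([int]$TimeoutSeconds = 600, [int]$PollSeconds = 15)
    # The agent installs from the package the ConfigMgr client already holds,
    # so this normally completes within a few minutes of policy arriving.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $svc = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return $true }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Get-EpProtectionSummary {
    # Mirrors the fields shown in the System Center Endpoint Protection window:
    # real-time protection, definition age, and last quick scan.
    $status = Get-WmiObject -Namespace 'root\Microsoft\ProtectionManagement' `
        -Class 'MSFT_MpComputerStatus' -ErrorAction Stop
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AntivirusEnabled   = $status.AntivirusEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        QuickScanAgeDays   = $status.QuickScanAge
        Protected          = [bool]($status.RealTimeProtectionEnabled -and $status.AntivirusEnabled)
    }
}

Invoke-CcmMachinePolicyRetrieval
if (Wait-EpAgentInstalled) {
    $summary = Get-EpProtectionSummary
    $summary
    if (-not $summary.Protected) {
        Write-Warning 'Endpoint Protection is installed but the client is not yet protected; retrieve policy again and check the definition source.'
    }
} else {
    Write-Warning 'MsMpSvc did not start within the timeout; check EndpointProtectionAgent.log in the ConfigMgr client Logs folder.'
}
```

SignatureAgeDays is the number to watch after this step: in the lab it stays high until the next exercise points the client at the newer definition package, which is exactly the "definitions are old" state the note above describes.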

2 UPDATING THE ENDPOINT PROTECTION STATUS ON THE CONFIGURATION MANAGER 2012 R2 CLIENT

In this exercise, you will implement a custom antimalware policy that points to a newer definition update than the one the client was installed with. You will force a download of the newer definition file, and then force a scan of the client to get current status from the client computer – both of these actions through the real-time actions feature of Configuration Manager 2012 R2.

Tasks Detailed steps

Complete the following task on: Primary1

1. Create a custom malware policy with a different definition download location

1. Click the Assets and Compliance workspace.

NOTE: The Assets and Compliance workspace appears, displaying the list of antimalware policies in the results pane. Notice that the only policy is "Default Client Malware Policy", which applies to all clients unless overridden by a custom client antimalware policy. In the previous exercise, you configured the "Default Client Malware Policy" to specify a network location from which to download the initial malware definition. You will now create a custom malware policy that specifies a different location from which to download an updated malware definition.

2. On the Ribbon, click Create Antimalware Policy.

NOTE: The Create Antimalware Policy dialog box appears allowing you to configure a custom policy.

3. In the Name box, type Custom policy and then in the Description box, type Sets a new definition source location and scan schedule

4. In the list of settings in the results pane, click to select Scheduled scans and then click to select Definition updates.

NOTE: The selected nodes appear in the navigation pane.

5. In the navigation pane, click Scheduled scans.

NOTE: The Create Antimalware Policy dialog box appears allowing you to

configure the scan schedule settings.

6. In the Scan day box, click Daily.

7. In the Scan time box, click 12 AM.

NOTE: Neither of these settings is required for the lab environment. You are configuring them so that the implementation of the custom policy can be confirmed visually.

8. In the navigation pane, click Definition updates.

NOTE: The Create Antimalware Policy dialog box displays the current client update settings. Notice that the current settings are from the "Default Client Malware Settings" policy as previously configured, including the definition download from UNC path(s). You want to continue to use UNC locations, but you want to specify a different path for the updated definition files.

9. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths.

NOTE: The Configure Definition Update UNC Paths dialog box appears, allowing you to configure the UNC location(s) that clients can use to download Endpoint Protection definition updates. Notice that currently the "\\Primary1\EPOld" path is specified. This is where the old definition was stored. The newer definition file is in a different location.

10. In the UNC path box, type \\Primary1\EPNew and then click Add.

NOTE: The Configure Definition Update UNC Paths dialog box appears displaying both UNC paths for definition download. The client would check both paths; however, in the lab environment you will remove the old path and have the client check only the new path.

11. Under Name, click \\Primary1\EPOld, and then click Remove.

NOTE: The Configure Definition Update UNC Paths dialog box appears

displaying the new UNC paths for definition download.

12. Click OK.

NOTE: The Create Antimalware Policy dialog box appears displaying the

available policy settings.

13. Click OK.

NOTE: The list of antimalware policies appears in the results pane. You have now created a custom policy that appears in addition to the default policy. Custom policies are implemented on clients after being deployed to collections of client computers, which you will do next.

14. In the results pane, click Custom policy, and then on the Ribbon, click Deploy.

NOTE: The Select Collection dialog box appears displaying the available device collections that the custom policy can be assigned to.

15. Under Name, click Configuration Manager Clients, and then click OK.

NOTE: The list of antimalware policies appears in the results pane. Notice that the custom policy is displayed as having been deployed to one collection. Your custom policy will now be implemented on the clients in the target collection when they next retrieve system policies. You will force that to occur in the next procedure.

In the following procedure, you will force the clients to retrieve policies using the new real-time action. This will cause the clients to implement the custom malware policy settings for Endpoint Protection. If you prefer, you certainly can use the traditional method of forcing policy polling; however, the lab directions are for the new real-time action.

Tasks Detailed steps

Complete the following task on: Primary1

1. Update the Endpoint Protection client settings through real-time actions

1. In the navigation pane, click Device Collections.

NOTE: The list of collections for the site appears in the results pane. Notice that there are six collections available, including the one you just deployed the

custom antimalware policy to.

2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Client Notification.

NOTE: A new menu appears with two options – "Download Computer Policy" and "Download User Policy". The first action will force a "Machine Policy Retrieval & Evaluation Cycle" to occur on all online clients in the target collection. This is essentially the same process you implemented earlier at the two clients to force the installation of the System Center 2012 R2 Endpoint Protection client agent.

3. Click Download Computer Policy.

NOTE: A Configuration Manager message box appears indicating that there are three clients in the target collection, and that the update computer policy

action will be implemented as soon as possible.

4. Click OK.

NOTE: The action has been implemented, and within moments the clients will have downloaded the new computer policy that dictates a new scan schedule

and definition source update. You will view the updated configuration in the next task.

Task 2. View the updated Endpoint Protection client configuration

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client. Notice that under "Scan details", it indicates that the scan schedule is now for daily quick scans, around midnight. You will recall that after agent installation, it was a weekly scan around 2:00am. This process has not initiated a definition update cycle, which occurs automatically every eight hours. You will force it to occur in the next procedure. If your scan schedule has not changed to daily at midnight, it likely means that you downloaded policies before the site server had completed processing the policy. Initiate another policy retrieval action, wait a moment, and check again.

2. Close the System Center Endpoint Protection window.

In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to initiate a definition download process on the clients now that they have the updated antimalware policy that points to a newer definition file. This is also a real-time action in Configuration Manager 2012 R2.

Tasks Detailed steps

Complete the following task on: Primary1

Task 1. Force definition update downloads from the Configuration Manager console

1. Click the Assets and Compliance workspace.

NOTE: The Assets and Compliance workspace appears displaying the antimalware policies in the site.

2. In the navigation pane, click Device Collections.

NOTE: The list of collections appears in the results pane. Notice that there are six collections of devices. Four of these collections are built-in collections, and two are custom collections. You will likely create custom collections in your environments for managing clients.

3. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection.

NOTE: A new menu appears. Notice that from the console you can initiate a full or quick scan, as well as force a definition download.

4. Click Download Definition.

NOTE: A Download Definition message box appears indicating that this action will evaluate software update deployments, or an Endpoint Protection definition update. It also allows you to specify the definition update action (software updates or Endpoint Protection) and to set the randomization value.

5. Under Definition update source, click Endpoint Protection client source order.

6. In the Randomize client execution time (in minutes) box, set the value to 0 to force the action now, and then click OK.

NOTE: The action is now delivered to the clients. Within moments the clients should download new definition files. In a production environment, you likely do want to have a randomization value to spread the load of the action on the target clients. In the lab, given that there are only two clients available, you specified an immediate action with no randomization.

In the following procedure, you will force the clients to retrieve policies. This will cause the clients to download the updated Endpoint Protection definition, using the new UNC path designated in the custom antimalware policy.

Tasks Detailed steps

Complete the following task on: Client1 and Primary1

Task 1. View the updated Endpoint Protection client status

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which now should be "Potentially unprotected". The reason for being "Potentially unprotected" is that the definitions are out of date. If your definition date and version have not changed, it likely means that you downloaded policies before the site server had completed processing the policy. Initiate another policy retrieval action, wait a moment, and check again.

2. Click the Update tab.

NOTE: The System Center Endpoint Protection window displays the definition status, including definition versions, and the dates when they were last created and checked. Notice that the "Definitions last updated" date and time are very recent. Unfortunately, without Internet access it is impossible to keep the definitions up to date for these virtual images, so it is expected in this lab environment that the definitions will be out of date.

3. Close the System Center Endpoint Protection window.


In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to initiate a quick scan process on the clients now that they have downloaded an updated definition file. The Endpoint Protection scans (both Quick and Full) are also real-time actions in Configuration Manager 2012 R2.

Tasks Detailed steps

Complete the following task on: Primary1

Task 1. Force a quick scan from the Configuration Manager console

1. Click the Assets and Compliance workspace.

NOTE: The Assets and Compliance workspace appears displaying the available device collections.

2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection.

NOTE: A new menu appears. Notice that from the console you can initiate a full or quick scan, as well as force a definition download.

3. Click Quick Scan.

NOTE: A Configuration Manager message box appears indicating that this action will impact all managed clients in the target collection, and could result in client and network performance impact. This could be the case with collections that contain a large number of clients performing actions, such as scanning for compliance and sending state messages to the site, at the same time.

4. Click OK.

NOTE: The System Center 2012 R2 Configuration Manager console appears displaying the device collections. In the RTM release of Configuration Manager 2012, clients would need to retrieve policies in order to process the request to perform a quick scan. In Configuration Manager 2012 SP1 and R2, this is a real-time action, so no further actions are necessary to complete the quick scan process.

In the following procedure, you will verify that the clients are running a quick scan as initiated through the real-time actions of Configuration Manager 2012 R2.

Tasks Detailed steps

Complete the following task on: Client1 and Primary1

Task 1. View the updated Endpoint Protection client status

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which should be "Potentially unprotected". It is very likely that the client is running a quick scan at the current time, and you will notice the scan occurring on the Home tab of the System Center Endpoint Protection window.

When the scan has completed, you will see under "Scan details" that the "Last scan" shows "Today" and the current time. The site server scan will take significantly longer to run than the scan on the remote client computer does, due to the installed software and services on each computer (the site server image has a lot more software installed).

2. Close the System Center Endpoint Protection window.
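As an added example that is not part of the lab guide, the following PowerShell script performs on a client the checks the preceding procedures make through the System Center Endpoint Protection window: it can request the same Machine Policy Retrieval & Evaluation Cycle that "Download Computer Policy" triggers, then reads the definition version and age, the last quick scan, and recent detections, flagging definitions older than seven days as the age at which the lab expects "Potentially unprotected". It assumes the Configuration Manager client's root\ccm WMI namespace, that the SCEP client ships the MpProvider module at the path shown, and that the Get-Mp* property names match the Windows Defender cmdlets of the same names; the seven-day rule as a "potentially unprotected" indicator is also an assumption.

```powershell
<#
  Added example (not from the lab guide). Assumptions: the ConfigMgr client is
  installed (root\ccm namespace) and the SCEP client provides the MpProvider
  module at the path below; Get-Mp* property names are assumed to match the
  Windows Defender cmdlets of the same names.
#>
param(
    # Lab rule: definitions older than seven days -> "Potentially unprotected".
    [int]$MaxDefinitionAgeDays = 7,
    # Request the same cycle that "Download Computer Policy" triggers remotely.
    [switch]$TriggerPolicyRetrieval
)

# Schedule ID of the "Machine Policy Retrieval & Evaluation Cycle".
$MachinePolicyRetrievalCycle = '{00000000-0000-0000-0000-000000000021}'

if ($TriggerPolicyRetrieval) {
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $MachinePolicyRetrievalCycle | Out-Null
    Write-Verbose 'Machine policy retrieval requested; re-run in a moment to see the new schedule.'
}

# Path assumed for the SCEP 2012 R2 client; adjust if your build differs.
$mpProvider = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpProvider\MpProvider.psd1'
if (-not (Test-Path $mpProvider)) {
    throw "MpProvider module not found at '$mpProvider'."
}
Import-Module $mpProvider

$status = Get-MpComputerStatus

# Same age buckets the Endpoint Protection Status dashboard uses for definitions.
$defAgeDays = [int]$status.AntivirusSignatureAge
$definitionState = if ($defAgeDays -le 0) { 'Current' }
                   elseif ($defAgeDays -le 3) { 'Up to 3 days old' }
                   elseif ($defAgeDays -le 7) { 'Up to a week old' }
                   else { 'Older than a week' }

# Assumed heuristic for the client's "Potentially unprotected" banner:
# stale definitions or real-time protection switched off.
$potentiallyUnprotected = ($defAgeDays -gt $MaxDefinitionAgeDays) -or
                          (-not $status.RealTimeProtectionEnabled)

$summary = [pscustomobject]@{
    AntimalwareServiceRunning = $status.AMServiceEnabled
    RealTimeProtection        = $status.RealTimeProtectionEnabled
    DefinitionVersion         = $status.AntivirusSignatureVersion
    DefinitionLastUpdated     = $status.AntivirusSignatureLastUpdated
    DefinitionAgeDays         = $defAgeDays
    DefinitionState           = $definitionState
    LastQuickScanEnded        = $status.QuickScanEndTime
    PotentiallyUnprotected    = $potentiallyUnprotected
}
$summary | Format-List

# Recent detections (for example a quarantined test file), with the threat
# name looked up from the client's threat catalogue by ThreatID.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 InitialDetectionTime,
        @{ Name = 'ThreatName'; Expression = { $threatNames[$_.ThreatID] } },
        ActionSuccess, Resources |
    Format-Table -AutoSize
```

Run it with -TriggerPolicyRetrieval on Client1 to request the policy cycle, then run it again without the switch to confirm the definition state and last scan time the lab has you read from the window.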


3 PROTECTING AGAINST MALWARE INFECTIONS

In this exercise, you will configure the site to generate alerts on malware and virus outbreaks, including email delivery for malware outbreaks, and then you will generate a malware infection and clean it with Endpoint Protection.

Tasks Detailed steps

Complete the following task on: Primary1

Task 1. View the site properties to generate alerts for malware outbreaks

1. In the System Center 2012 R2 Configuration Manager console, click the Administration workspace.

NOTE: The Administration workspace appears displaying the Default Client Settings.

2. In the navigation pane, expand Site Configuration, and then click Sites.

NOTE: The list of available sites appears in the results pane. Notice that there is only one site available, that being the local site "MCM".

3. On the Ribbon, click Settings, and then click Configure Site Components.

NOTE: A new menu appears with components that can be configured. Notice that there is a component for "Email Notification".

4. Click Email Notification.

NOTE: The Email Notification Component Properties dialog box appears, allowing you to configure email settings for alert generation. If your environment has an SMTP email server available, you can configure subscriptions to alerts to receive email messages using the properties configured here. Notice that you can configure the FQDN of the SMTP server, the port to use, the authentication method, and the sending email address. You would then enable email notifications on the alerts of interest, which you will look at later in this exercise.

This lab environment does not have an email server configured; however, you will configure the email settings to experience how to configure them in your own environments.

5. Click to select Enable email notification for alerts.

6. In the FQDN or IP Address of the SMTP server to send email alerts box, type primary1.configmgrdom.local

7. In the Sender address for email alerts box, type [email protected] and then click OK.

NOTE: The local site appears in the results pane. In your production environment, you would configure appropriate values for your own SMTP server implementation.

Task 2. Configure collections to generate alerts

1. Click the Assets and Compliance workspace.

NOTE: The Assets and Compliance workspace appears displaying the available collections in the results pane.

2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Properties.


NOTE: The Configuration Manager Clients Properties dialog box appears displaying the general properties of the collection. Notice that there are numerous tabs available to configure collection properties, including one for alert generation.

3. Click the Alerts tab.

NOTE: The Configuration Manager Clients Properties dialog box appears displaying the alert properties of the collection. Notice that by default, there are no alerts configured for this collection.

4. Click View this collection in the Endpoint Protection dashboard, and then click Add.

NOTE: The Add New Collection Alerts dialog box appears, allowing you to configure alerts for client status as well as Endpoint Protection. Notice that for Endpoint Protection, there are four conditions that can be configured to generate alerts. In your production environment, you may want to enable all alert conditions. However, in the lab environment, you will only enable the first condition, which is to generate an alert for any malware detection.

5. Under Endpoint Protection, click to select Malware is detected, and then click OK.

NOTE: The Configuration Manager Clients Properties dialog box appears, allowing you to configure the specific conditions for this alert. Notice that the collection name is displayed as part of the "Alert Name", and that you can configure the alert severity and the malware detection threshold.

6. Click OK to use the default values for the alert creation.

NOTE: The list of collections appears in the results pane. You have now configured a collection to generate an alert when any malware is detected on a client. You also viewed how to enable email generation for alerts, although you did not enable it as there is no SMTP email server in the lab environment.

In the next procedure, you will configure an alert subscription to generate an email when an antimalware alert is generated.

Task 3. Configure alert subscriptions

1. Click the Monitoring workspace.

NOTE: The Monitoring workspace appears displaying the Component Status page. Notice that there is a node in the navigation pane for "Alerts".

2. In the navigation pane, expand Alerts, and then click All Alerts.

NOTE: The alerts for the environment appear in the results pane. Notice that there are five alerts defined currently (though none have been triggered), one being the alert configured on the "Configuration Manager Clients" collection with a "Type" of "Malware detection". The other four default alerts are for database replication issues, database drive space issues, and Windows 8 sideloading activations.

3. In the navigation pane, click Subscriptions.

NOTE: The alert subscriptions for the environment appear in the results pane. Notice that there are no alert subscriptions created currently.

4. On the Ribbon, click Create subscription.

NOTE: The New Subscription dialog box appears, allowing you to configure the recipients for the alerts selected for this subscription. You can add multiple email addresses as recipients, using a semicolon as the delimiter between addresses (with no spaces between the addresses).


5. In the Subscription name box, type Malware Outbreak

6. In the Email address box, type [email protected]

7. Under Selected alerts, click to select Generate alert when malware detected – Malware detection alert for collection: Configuration Manager Clients, and then click OK.

NOTE: The alert subscriptions for the environment appear in the results pane. Notice that there is now one alert subscription available.

You have now prepared your site for malware alerts. You will generate malware in the next procedure.

In the following procedure, you will attempt to access a file that will simulate a malware outbreak. You will copy these files on the client computer, and then clean the malware with Endpoint Protection on the client.

Tasks Detailed steps

Complete the following task on: Client1

Task 1. Generate malware on the client

1. Start Windows Explorer, and then open the C:\MalwareFiles folder.

NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are five files in this folder. These files are not real malware; however, they contain public domain code to simulate malware for testing purposes.

2. Attempt to open Test1.txt.

NOTE: A Notepad message box appears indicating that access is denied to this file. This is because malware is detected as a result of attempting to open the file. When the threat has been generated and detected, a System Center Endpoint Protection message box appears indicating that attention is required, as one potential threat has been detected and suspended. The file is automatically cleaned, and no action is necessary.

3. Click OK, and then close Notepad.

NOTE: System Center 2012 R2 Endpoint Protection removes the threat, and the System Center Endpoint Protection dialog box is closed automatically. When complete, the System Center Endpoint Protection dialog box appears indicating that the computer has been cleaned. Notice that Test1.txt has been removed (quarantined) as it was detected as containing a virus.

Task 2. View the updated Endpoint Protection client status

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which displays as "Potentially unprotected".

2. Click the History tab.


NOTE: The System Center Endpoint Protection window appears, allowing you to configure the type of items to display for the Endpoint Protection client, and to view details. You do not see any malware status on this tab; however, you can view status by viewing the historical data for the client.

3. Click View details.

NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that it displays the one threat generated by accessing one of the "Eicar_Test_File" files, including the "Alert level" of "Severe" as well as the "Action taken" of "Quarantined". Also notice that the bottom portion of the window displays the generated description and recommended actions (the default data provided with the definitions for the simulated virus in "Test1.txt").

4. Close the System Center Endpoint Protection window.

NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 real-time actions to restore the quarantined files and allow this threat. In the next exercise, you will report on malware status.


4 MONITORING ENDPOINT PROTECTION STATUS IN THE CONFIGURATION MANAGER CONSOLE

In this exercise, you will use the Configuration Manager console to view the alert generated and the alert status for Endpoint Protection as a result of the malware outbreak.

Tasks Detailed steps

Complete the following task on: Primary1

Task 1. View the generated alert related to the threat outbreak

1. Click the Assets and Compliance workspace.

NOTE: The Assets and Compliance Overview page appears displaying the available device collections in the results pane.

2. In the navigation pane, click the Overview node.

NOTE: The Assets and Compliance Overview page appears. Notice that a critical alert has been generated with a "Category" of "Malware detection". Notice also that the alert description indicates that malware has been detected on a computer in the "Configuration Manager Clients" collection.

3. Click the Monitoring workspace.

NOTE: The Monitoring workspace appears displaying the alert subscriptions in the results pane. Notice that there is one alert subscription available. If the lab environment had an SMTP email server, an email would have been delivered to the email recipients configured in the alert subscription.

4. In the navigation pane, expand Alerts and click Active Alerts.

NOTE: The Monitoring workspace appears displaying the active alerts in the site. Notice that there is one active alert. This is the same alert that appears in the Overview page of the Assets and Compliance workspace.

5. In the results pane, click Malware detection alert for collection: Configuration Manager Clients.

NOTE: The summary information for the malware detection alert appears in the preview pane. Notice under "Status information" the "Occurrence Count" of "1", which indicates that the alert has only been raised one time.

6. In the preview pane, click the Machines tab.

NOTE: The list of computers that were involved in this alert appears in the preview pane. Notice that the same computer "Client1.configmgrdom.local" is listed once for the malware threat detected.

You could modify alert properties, or close the alert manually if you desired to. You will now view the System Center 2012 R2 Endpoint Protection status in the Monitoring workspace.

Task 2. View Endpoint Protection status in the Configuration Manager console

1. In the navigation pane, expand Endpoint Protection Status.

NOTE: The navigation pane expands and displays two dashboards for Endpoint Protection. The first dashboard ("System Center 2012 R2 Endpoint Protection Status") is a client-centric view of the status of your clients in terms of definitions, client health, and malware. The second dashboard ("Malware Detected") is a malware-centric view of the status of all detected malware.


2. In the navigation pane, click System Center 2012 R2 Endpoint Protection Status.

NOTE: The System Center 2012 R2 Endpoint Protection Status dashboard appears in the results pane. Notice that there may be out-of-date information on the protection status and malware remediation, depending on the client state message delivery and processing schedules.

3. In the Collection box, click Configuration Manager Clients.

NOTE: This option selects the collection for which the System Center 2012 R2 Endpoint Protection dashboard displays summarized data. "Configuration Manager Clients" should appear by default, assuming that it is the only collection configured to be displayed in the dashboard. If no collection appears, and the drop-down list is empty, click a different node, and then click the System Center 2012 R2 Endpoint Protection Status node again.

4. On the Home tab of the Ribbon, click Run Summarization.

NOTE: The current status for Endpoint Protection is updated using the most recently processed state messages from the client computers in the site. You will need to refresh the Endpoint Protection Status page to view the updated data that was just summarized.

The System Center 2012 R2 Endpoint Protection Status dashboard displays the following information in two categories, "Security State" and "Operational State". For "Security State":

- Endpoint Protection Client Status: a quick summary of the status of clients: clients protected by Endpoint Protection, clients at risk, clients where the Endpoint Protection agent is not installed, clients on non-supported platforms, inactive Configuration Manager clients, and computers without the Configuration Manager client installed. In the lab environment, the status will likely be "at risk" due to out-of-date definition files for two of the clients (you don't have the third client in the collection).

- Malware remediation status: status of malware remediation failures, clients that require a full scan, clients where a reboot is required, clients where an offline scan is required, clients with settings modified by malware, and clients with malware remediation in the past 24 hours. In the lab environment, you should have one client with malware remediation in the last 24 hours.

- Top 5 malware by number of computers: this displays the top five malware detected in the past 24 hours, sorted by the number of clients affected. In the lab environment, your display should show the one virus generated by accessing the "Eicar.Test_File" file, and have one computer affected by that outbreak.

Also notice that the "Operational State" status is:

- Operational status of clients: this view displays the status of clients that failed the installation of the Endpoint Protection agent, the number of clients that had issues applying the antimalware policy, the number of clients that need a reboot to complete agent installation, and the number of unhealthy clients. In the lab environment, you should have no issues.

- Definition Status on Computers: this view displays the status of the current definition file on individual clients, whether current, up to three days old, up to a week old, or older than a week, as well as any clients with no definitions installed. In the lab environment, you may have two clients with signatures older than seven days (depending on the last time the lab environment was updated with new signature files) and one with no status, as it is not an active client in the site because the virtual machine is not running. Having definitions older than seven days results in the client reporting that it is in a state of "Potentially unprotected", as you have noticed.

Note that the System Center 2012 R2 Endpoint Protection Status dashboard is updated automatically every 20 minutes by default, though it can be updated on demand (as you did earlier in this task).

5. Under Malware remediation status, click the blue bar in the chart after "Malware remediated in the last 24 hours".

NOTE: The Assets and Compliance workspace appears displaying a sticky node under Devices titled "Configuration Manager Clients: Malware remediated in the past 24 hours". Notice that the results pane displays all computers with malware detected and remediated in the past 24 hours, which in the lab environment should be "Client1". Notice that the results pane displays the status of Endpoint Protection on the client, with status for "Endpoint Protection Deployment State", "Endpoint Protection Policy Application State", "Endpoint Protection Definition Last Version", "Endpoint Protection Remediation Status", "Last Infection Time", and "Last Infected Threat".

6. In the preview pane, click the Antimalware Policies tab.

NOTE: The current status for Endpoint Protection is displayed in the preview pane. This view provides more details than the results pane does for Endpoint Protection status, including all antimalware policies deployed to the client.

7. In the preview pane, click the Malware Detail tab.

NOTE: The status for Endpoint Protection malware is displayed in the preview pane. Notice that the client has detected, and successfully remediated, one virus.

This is simply another way to identify systems that have been infected by malware or viruses, and to view the details on the malware infection.

Task 3. Generate reports on Endpoint Protection status

1. Click the Monitoring workspace.

NOTE: The Monitoring workspace appears displaying the System Center 2012 R2 Endpoint Protection dashboard in the results pane.

2. In the navigation pane, expand Reporting, expand Reports, and then click Endpoint Protection.

NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane. Notice that there are six reports in this version of Configuration Manager 2012 for Endpoint Protection. The default view of reports is sorted by report name.

3. In the results pane, click Antimalware overall status and history, and then on the Ribbon, click Run.

NOTE: The Antimalware overall status and history report window appears. This is a prompted report, and requires the collection to report status for, as well as the date range to report on.

4. After Collection Name, click Values.

NOTE: The Parameter Value dialog box appears displaying the collections available for reporting on. Notice that only two collections appear: "All Systems" and "Configuration Manager Clients".

5. Under Collection, click Configuration Manager Clients, and then click OK.

NOTE: The Antimalware overall status and history report window appears displaying the collection to display status for, as well as the default date range to report on, which by default is the most recent week up to today's date.

6. Click View Report.

NOTE: The Antimalware overall status and history report window appears displaying the current status for computers in the "Configuration Manager Clients" collection for the past week. Notice the following information displayed in the report:

- Overall Endpoint Protection status: status of clients in various categories, such as protected, at risk (two of our clients), etc.

- Malware remediation status: status of remediation of clients in various categories, such as cleaned (notice that there was a remediation in the past 24 hours)

- Operational status of Endpoint Protection clients: status of clients with operational issues, such as installation failed (there should be no operational issues in our lab environment)

- Definition status on computers: status of the Endpoint Protection definition, such as current (neither of our clients is current, based on the age of the definitions in the virtual machine images)

- Antimalware Policy Application status on computers: status of the antimalware policy on clients, such as successful (should be both our clients)

7. Close the Antimalware overall status and history report window.

NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane. Notice that there are six reports in this version of Configuration Manager 2012 for Endpoint Protection. The default view of reports is sorted by report name. Since the Antimalware overall status and history report indicated that there was a remediation in the past 24 hours, you will now view that status in another report.

8. In the results pane, click Antimalware activity report, and then on the Ribbon, click Run.

NOTE: The Antimalware activity report window appears. This is a prompted report, and requires the collection to report malware activity for, as well as the date range to report on.

9. After Collection Name, click Values.

NOTE: The Parameter Value dialog box appears displaying the collections available for reporting on. Notice that only two collections appear: "All Systems" and "Configuration Manager Clients".

10. Under Collection Name, click Configuration Manager Clients, and then click OK.

NOTE: The Antimalware activity report window appears displaying the collection to display malware activity for, as well as the default date range to report on, which by default is the most recent week up to today's date.


11. Click View Report.

NOTE: The Antimalware activity report report window appears, displaying the data for antimalware activity for computers in the "Configuration Manager Clients" collection for the past week. Notice the following information displayed in the report:

- There are no computers with failed or pending remediation, and one successful remediation

- There was one threat, with the number of affected computers (one) and the number of incidents (one)

12. Under Total Remediations, click 1.

NOTE: The Infected computers report window appears, displaying the data for the Infected Computers report. Notice that the report indicates that there was one incident on the computer “Client1.ConfigMgrDom.local”.

13. Under Computer Name, click Client1.ConfigMgrDom.local.

NOTE: The Computer malware details report window appears, displaying the data for the Computer malware details report. Notice the details for the one computer that was infected.

14. Under Threat Name, click Virus:DOS/EICAR_Test_File.

NOTE: The Malware details report window appears, displaying the data for the one malware item that was detected and cleaned on your client. Notice that the report provides details on the malware and on the incidents detected, in both tabular and graphical format, and lists the computers infected by this malware.

15. Close the Malware details report window.

NOTE: The list of reports in the "Endpoint Protection" category appears in the results pane.
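The reports you just ran are built from data the Endpoint Protection client inventories on each computer. The following script is an added example, not part of the original lab, that shows the client-side view of the same information: the definition age behind the "Definition status on computers" figure, and the detections behind the Antimalware activity report. It assumes the SCEP 2012 client publishes the AntimalwareHealthStatus and Malware classes in the root\Microsoft\SecurityClient WMI namespace with the property names used below; the 3-day threshold is this example's own rule of thumb, not the product's definition of "current".

```powershell
# Added example (not part of the original lab): local view of what the
# "Antimalware overall status and history" and "Antimalware activity" reports
# summarise for one client. Run from an elevated prompt on Client1 or Client2.
# Assumptions: the SCEP 2012 client exposes AntimalwareHealthStatus and Malware
# under root\Microsoft\SecurityClient, with the property names referenced here.

$Namespace         = 'root\Microsoft\SecurityClient'
$MaxCurrentAgeDays = 3    # example threshold, not the product's own rule

$health = Get-WmiObject -Namespace $Namespace -Class AntimalwareHealthStatus -ErrorAction Stop

# If a value below comes back empty, list what this client actually exposes:
#   $health | Format-List *
$sigAge = [int]$health.AntivirusSignatureAge
$definitionStatus = if ($sigAge -le $MaxCurrentAgeDays) { 'Current' } else { "Out of date ($sigAge days)" }

# Client-side counterpart of "Definition status on computers" and the health columns
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    RealTimeProtection   = $health.RtpEnabled
    EngineVersion        = $health.EngineVersion
    DefinitionVersion    = $health.AntivirusSignatureVersion
    DefinitionAgeDays    = $sigAge
    DefinitionStatus     = $definitionStatus
    LastQuickScanAgeDays = $health.LastQuickScanAge
} | Format-List

# Client-side counterpart of the "Antimalware activity" report: detections this
# client has recorded. In the lab, Client1 should show Virus:DOS/EICAR_Test_File.
$detections = @(Get-WmiObject -Namespace $Namespace -Class Malware -ErrorAction SilentlyContinue)
if ($detections.Count -eq 0) {
    Write-Host 'No malware detections recorded on this client.'
} else {
    Write-Host "$($detections.Count) detection(s) recorded on this client:"
    # Property names differ between client versions, so show everything except WMI plumbing
    $detections |
        Select-Object -Property * -ExcludeProperty __*, PS*, Scope, Path, Options, ClassPath,
            Properties, SystemProperties, Qualifiers, Site, Container |
        Format-List
}
```

Comparing the definition age and detection list shown here with the report output in the console is a quick way to confirm that the site's reporting data is current for a given client before you act on it.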


5 IMPLEMENTING REAL-TIME ACTIONS TO ALLOW THREATS

In this exercise, you will use the Configuration Manager console to allow the detected threat on the client computer, and to restore the quarantined files. This is the scenario when a real application has been falsely identified as a threat and blocked from running on the client computer.

Tasks Detailed steps

Complete the following task on: Primary1

1. Allow the threat and restore quarantined files

1. Click the Monitoring workspace.

NOTE: The Monitoring workspace appears, displaying the available Endpoint Protection reports in the results pane. You ran a number of these reports in the previous exercise.

2. In the navigation pane, expand Endpoint Protection Status, and then click the Malware Detected node.

NOTE: The malware detected details appear in the results pane. Notice that it displays the malware that has been detected on all clients in all collections, as well as additional information on the malware/virus in the preview pane.

3. In the results pane, under Collection, click Configuration Manager Clients.

NOTE: Notice the actions that are available on the Ribbon for the malware detected on clients in this collection.

- Malware Details – this action will attempt to display information on this malware from published resources on the Internet

- Allow this threat – this action will send a real-time action to the client to allow this threat to run on the computer (the “false positive” scenario)

- Restore files quarantined by this threat – this action will send a real-time action to the client to restore any files that had been previously quarantined by the remediation of the threat

- View infected clients – this action will create a ‘sticky node’ in the Assets and Compliance workspace of the clients affected by this specific malware/virus

4. On the Ribbon, click Allow this threat.

NOTE: An Allow this threat message box appears, stating that this will create an antimalware policy to allow this threat, and that the policy will be deployed to the “Configuration Manager Clients” collection. The status of this action can be tracked in the “Client Operations” node in the Monitoring workspace.

5. Click OK.

NOTE: The malware detected information appears in the results pane.

6. On the Ribbon, click Restore files quarantined by this threat.

NOTE: A Restore quarantined files message box appears, stating that this will restore files without a dependency on the allow or exclusion job (which you just ran).

7. Click OK.

NOTE: The malware detected information appears in the results pane.


8. In the navigation pane, click Client Operations.

NOTE: The list of real-time actions implemented in the site appears in the results pane. You will notice actions issued previously in the lab, including the “Download Computer Policy”, “Download Definition”, and “Quick Scan” actions. All those actions should have already been summarized, so you should see that two of the three clients were successful in implementing those actions. The two new actions of “Allow threat” and “Restore Quarantined Items” likely have not been summarized yet.

9. In the results pane, under Operation Name, click Allow threat, and then on the Ribbon, click Run Summarization.

NOTE: Any results for these actions from clients will be summarized. You will need to refresh the Client Operations node to display updated information. You may not have any updated status from clients yet. These are real-time actions, so you will see results fairly soon.
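The Client Operations node reads its rows from the SMS Provider, so the same per-operation counts can be pulled with a script when you want to poll for completion rather than refresh the console. The block below is an added example and not code from the lab or from Configuration Manager itself. It assumes the provider exposes an SMS_ClientOperation class in the site's root\SMS\site_<code> namespace with the properties selected here, and the site code is a placeholder you must replace with your lab's own.

```powershell
# Added example (not part of the original lab): read Client Operations status from
# the SMS Provider on Primary1, as shown in the Monitoring workspace.
# Assumptions: placeholder site code below; SMS_ClientOperation exists in the site
# namespace with the properties referenced here. If a column comes back empty,
# inspect the class to see the provider's actual property names:
#   Get-WmiObject -Namespace $Namespace -Class SMS_ClientOperation | Select-Object -First 1 | Format-List *

$SiteCode  = 'XXX'                          # placeholder - replace with your lab's site code
$Namespace = "root\SMS\site_$SiteCode"

$ops = @(Get-WmiObject -Namespace $Namespace -Class SMS_ClientOperation -ErrorAction Stop)

$summary = $ops | ForEach-Object {
    $total     = [int]$_.TotalClients
    $completed = [int]$_.CompletedClients
    $failed    = [int]$_.FailedClients
    [pscustomobject]@{
        ID         = $_.ID
        Type       = $_.Type                        # numeric operation type as stored by the provider
        Collection = $_.TargetCollectionID
        Created    = $_.ConvertToDateTime($_.CreatedTime)
        State      = $_.State
        Total      = $total
        Completed  = $completed
        Failed     = $failed
        # Everything not yet reported as completed or failed (offline clients included)
        Pending    = $total - $completed - $failed
    }
}

$summary | Sort-Object Created -Descending | Format-Table -AutoSize

# Operations still waiting on client results: the "not summarized yet" case from
# step 8. Run Summarization in the console, wait, then re-run this script.
$pending = @($summary | Where-Object { $_.Pending -gt 0 })
if ($pending.Count -gt 0) {
    Write-Host "$($pending.Count) operation(s) still waiting on client results."
} else {
    Write-Host 'All client operations have reported back.'
}
```

Seeing the Pending count for the “Allow threat” and “Restore Quarantined Items” operations drop to zero is the signal that the client has processed both real-time actions, which is what the next procedure verifies on Client1.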

You will now verify that the two real-time actions were implemented on the client, and that you can now access the quarantined file.

In the following procedure, you will attempt to access a file that previously simulated a malware breakout. This file access should be successful now that the real-time actions have been implemented on the client.

Tasks Detailed steps

Complete the following task on: Client1

1. Generate malware on the client

1. Start Windows Explorer, and then open the C:\MalwareFiles folder.

NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are five files in this folder. Notice that Test1.txt has been restored. This is an indication that the real-time actions have completed on the client. If “Test1.txt” has not been restored yet, wait until it has before continuing.

2. Attempt to open Test1.txt.

NOTE: Notepad opens and displays the contents of the file. Recall that previously, an “Access is denied” message appeared. This is an indication that the real-time action to allow this threat has been implemented on the client.

3. Close Notepad, and then attempt to access any of the other files.

NOTE: You should be able to access any of the files in the folder now, as the exclusion was on the threat name, which applies to all five of these files.
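Opening each file by hand in Notepad works for five files; the script below does the same verification in one pass and also checks what the client still holds in quarantine. It is an added example, not part of the original lab. It assumes the SCEP 2012 client installs MpCmdRun.exe under "%ProgramFiles%\Microsoft Security Client" and that the lab files are in C:\MalwareFiles, as the procedure states.

```powershell
# Added example (not part of the original lab): verify on Client1 that the
# "Allow this threat" and "Restore files quarantined by this threat" real-time
# actions have taken effect. Assumes MpCmdRun.exe under the SCEP client folder
# and the lab's C:\MalwareFiles folder.

$MpCmdRun   = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
$TestFolder = 'C:\MalwareFiles'
$ThreatName = 'Virus:DOS/EICAR_Test_File'   # threat name as shown in the lab's reports

# 1. What is still in quarantine? Once the restore action has completed, the lab
#    files should no longer be listed.
if (Test-Path $MpCmdRun) {
    Write-Host 'Quarantined items reported by the client:'
    & $MpCmdRun -Restore -ListAll
    # Local equivalent of the console's restore action, if ever needed:
    #   & $MpCmdRun -Restore -Name $ThreatName -All
} else {
    Write-Warning "MpCmdRun.exe not found at $MpCmdRun; check the SCEP client install path."
}

# 2. Are the files back on disk, and can they actually be read? A file that is
#    present but still blocked by real-time protection returns "Access is denied".
$results = foreach ($file in Get-ChildItem -Path $TestFolder -File) {
    try {
        $null  = Get-Content -Path $file.FullName -TotalCount 1 -ErrorAction Stop
        $state = 'Readable'
    } catch [System.UnauthorizedAccessException] {
        $state = 'Access denied (still blocked)'
    } catch {
        $state = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ File = $file.Name; SizeBytes = $file.Length; State = $state }
}
$results | Format-Table -AutoSize

# 3. The lab expects all five files present and readable once the exclusion on
#    the threat name has been applied to the client.
$blocked = @($results | Where-Object State -ne 'Readable')
if ($results.Count -eq 5 -and $blocked.Count -eq 0) {
    Write-Host "All $($results.Count) files restored and readable - real-time actions applied."
} else {
    Write-Host "$($blocked.Count) file(s) still blocked, or files missing; wait for the client to process the actions and re-run."
}
```

If the file list is complete but some entries still report access denied, the restore has run but the allow policy has not yet reached the client; check the “Allow threat” operation in Client Operations before retrying.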

2. View the updated Endpoint Protection client status

1. On the Start menu, click System Center Endpoint Protection.

NOTE: The System Center Endpoint Protection window appears, displaying the current status of the Endpoint Protection client, which displays as "Protected".

2. Click the History tab.

NOTE: The System Center Endpoint Protection window appears, allowing you to configure the type of items to display for the Endpoint Protection client, and to view details. You do not see any malware status on this tab; however, you can view status by viewing the historical data for the client.

3. Click View details.

NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that the previous information regarding the threat for “Eicar_Test_File” has been removed, as it is no longer a valid threat.

4. Close the System Center Endpoint Protection window.

NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 real-time actions to restore the quarantined files, and allow this threat. In the next exercise, you will report on malware status.

You have now successfully implemented Endpoint Protection 2012 in a Configuration Manager 2012 R2 environment. You modified the default location to download definition files, enabled the Endpoint Protection point site system role, enabled the Endpoint Protection client agent, and installed the agent on the client computers. You then created a custom antimalware policy to set custom values for your client scan schedules and definition download location. Finally, you generated malware to be detected and remediated, and monitored the status on the client as well as on the site server. Reports were run to display status, and the status was also viewed in the Endpoint Protection dashboard.

System Center 2012 Endpoint Protection is a feature included with System Center 2012 Configuration Manager, and as you have seen, it is very easy to implement. You also implemented the new Configuration Manager 2012 R2 features for real-time actions and the new Configuration Manager console information regarding Endpoint Protection (the new dashboard and reports).

One final thing that you’d very likely do in your production environments would be to create an automatic deployment rule to deploy any new definition updates automatically when detected. This would download the definitions, distribute them to the assigned distribution points, and allow the Endpoint Protection client to download the definitions from the Configuration Manager infrastructure, just as Configuration Manager clients would implement security updates deployed through Configuration Manager. You can experience the creation of automatic deployment rules in the “Managing Microsoft Software Updates with Configuration Manager 2012” hands-on lab.