Forefront Endpoint Protection in SCCM 2012
Microsoft has been in the anti-malware/antivirus business for a couple of years now, going back to the first version of Windows Defender and continuing today with the most used antivirus product on the market (which is free), Microsoft Security Essentials. Microsoft labels its security products as Forefront. The Forefront products are not only anti-malware/antivirus; they also include Forefront TMG (Threat Management Gateway, formerly called ISA Server) and Forefront UAG (User Access Gateway), which are their network edge security products.
Microsoft also has its own antivirus/anti-malware product for enterprise businesses, called Forefront Endpoint Protection (which is basically a converted Security Essentials with added management capabilities).
Now, with the System Center 2012 release, Microsoft has a different approach: the endpoint protection service is included with ConfigMgr 2012, so you can now manage Forefront from the SCCM console.
I'm not sure where Microsoft is headed with this, since if a business wants Forefront it would need to invest in SCCM as well (even if it doesn't need it). On the other hand, Microsoft can now brag about having a system that does everything. Maybe it's something they needed to compete with Symantec Altiris? (Just a thought.)
Let's take a look at how you set up Forefront in ConfigMgr and how you can manage it.
First you have to install the Endpoint Protection role via the console.
After that is done, you need to alter the default client policy (since by default Endpoint Protection is disabled).
In my case I have created a custom client policy which I intend to use.
I open the policy and change the following settings:
After I have changed these, I have to deploy the client settings to the computer collection on which I wish to have Forefront installed.
So I right-click the policy and choose "Deploy".
When you now install an agent on a computer that resides within that collection, SCEP will be installed along with it.
If you watch the install log, ccmsetup.log, you will find multiple references to the scep.exe file.
NOTE: You need to restart the computer eventually for the installation to finish.
After the installation is complete, you will get a new icon down in the system tray.
It looks like this (it might say "At risk", but that is only because it has nothing but the definitions that came with the install).
Now that you have installed SCEP, you also need to change the policy for how SCEP is going to function, since all the previous client policy did was install the SCEP software on the client.
Head over to Assets and Compliance –> Endpoint Protection –> Antimalware Policies. There you will have a default client policy, which is the only one we are going to alter, since it applies to all SCEP agents in the site.
You can also choose to import a policy; Forefront comes with a bunch of premade policies that Microsoft has created.
But let's alter the policy and see what we need.
The first pane is about scheduled scans. The values you see here are the defaults (so I'm going to leave them as they are).
Next is Scan settings; these are also the default values (you should change it to scan removable storage devices, since nowadays many business computers get infected by an employee's USB drive).
Next is Default actions. If SCEP finds the signature of a known virus in the "Severe" category, the recommended action attached to that virus is run (which in most cases is delete/remove).
Next is Exclusion settings. Here you need to figure out on which computers this policy is going to be deployed: a SharePoint server would need different exclusion settings from a Terminal Server or an Exchange server.
Next is Advanced; the default values here are also recommended. We don't want to bug the user with notifications about updates every 2 hours or about scans happening.
Next is Threat overrides. Here you can define an override for a tool that is otherwise detected; for instance, if multiple users have Cain & Abel installed, SCEP will automatically place it in quarantine, and here you can create an override so that users can keep using the tool.
Next are the definition updates; here you set how the client gets its updates.
By default there are 4 sources the client is allowed to get updates from:
3: Microsoft Update
4: Microsoft Malware Protection Center
After you are done with the settings, click OK.
It might take some time before the policy is updated on the computer.
You can watch the EndpointProtectionAgent.log file under C:\windows\ccm\logs to see the policy being applied.
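Both ccmsetup.log (mentioned above for the scep.exe references) and EndpointProtectionAgent.log are written in the CMTrace format, so the same small parser can be used to watch either of them without opening CMTrace. The PowerShell below is an added example, not code from the original post or from Microsoft; the sample log lines it contains are constructed for the demo (the format is the real CMTrace layout, the messages are made up), and the log path in the usage note is the usual default location.

```powershell
# Added example (not from the original post): parse CMTrace-format log lines
# and pull out the entries whose message matches a pattern, e.g. "scep.exe".
# Note: only single-line CMTrace entries are handled here.

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)

    # A CMTrace entry looks like:
    # <![LOG[message]LOG]!><time="HH:MM:SS.mmm+000" date="MM-DD-YYYY" component="ccmsetup" context="" type="1" thread="1104" file="ccmsetup.cpp:8000">
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    $m = [regex]::Match($Line, $pattern)
    if (-not $m.Success) { return $null }   # blank or continuation lines are skipped

    [pscustomobject]@{
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        # CMTrace "type": 1 = informational, 2 = warning, 3 = error
        Severity  = $(switch ($m.Groups['type'].Value) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } })
        Message   = $m.Groups['msg'].Value
    }
}

function Find-CMTraceEntry {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Pattern     # regular expression applied to the message text
    )
    foreach ($line in $Lines) {
        $entry = ConvertFrom-CMTraceLine -Line $line
        if ($entry -and $entry.Message -match $Pattern) { $entry }
    }
}

# Constructed sample lines in the style of ccmsetup.log (content is made up for this example).
$sampleCcmSetupLog = @(
    '<![LOG[Running installation with command line: "C:\Windows\ccmsetup\ccmsetup.exe"]LOG]!><time="10:12:01.000+000" date="04-20-2012" component="ccmsetup" context="" type="1" thread="1104" file="ccmsetup.cpp:8000">',
    '<![LOG[Installing Endpoint Protection client: C:\Windows\ccmsetup\scep.exe /s /q]LOG]!><time="10:15:40.000+000" date="04-20-2012" component="ccmsetup" context="" type="1" thread="1104" file="ccmsetup.cpp:9010">',
    '<![LOG[scep.exe returned 0, reboot required to finish setup]LOG]!><time="10:17:02.000+000" date="04-20-2012" component="ccmsetup" context="" type="2" thread="1104" file="ccmsetup.cpp:9030">'
)

# Demo run on the constructed lines: prints the two entries that mention scep.exe,
# including the warning-level one that tells you a reboot is still pending.
Find-CMTraceEntry -Lines $sampleCcmSetupLog -Pattern 'scep\.exe' | Format-Table Date, Time, Severity, Message -AutoSize
```

Against a real client you would feed it the log file instead, for example `Find-CMTraceEntry -Lines (Get-Content 'C:\Windows\ccmsetup\Logs\ccmsetup.log') -Pattern 'scep\.exe'` for the install, or `Find-CMTraceEntry -Lines (Get-Content 'C:\Windows\ccm\logs\EndpointProtectionAgent.log') -Pattern 'policy'` to see whether the antimalware policy has been picked up yet. Filtering on `Severity -eq 'Error'` is a quick way to spot a failed SCEP install across many machines.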
For the purpose of this demo I wanted to test the SCEP agent and see what happens, and how it interacts with the SCCM console, when a virus appears on a computer.
So I turned to EICAR.
EICAR is a test file for testing the response of antivirus (AV) programs.
What you need to do is open Notepad.
Enter this value:
Save it as EICAR.COM and see what happens.
The agent responded instantly; before I was able to finish writing, it had automatically removed the file.
So now I am interested to see whether the console saw that the virus appeared. Therefore I'm going to use the report functionality.
Go over to the Monitoring tab –> Reporting –> Reports.
You can see that by default it includes 6 "Endpoint Protection" reports.
I'm going to view the Antimalware Activity Report.
And there we go: the info has already been exported to the system.
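Besides the console report, you can confirm from the client side that the test file was removed and that the detection was recorded, which is useful when the report lags behind the policy refresh. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes that the SCEP 2012 client exposes the `root\Microsoft\SecurityClient` WMI namespace with an `AntimalwareHealthStatus` class and a `Malware` class; the property names used (`RtpEnabled`, `AntivirusSignatureVersion`, `ThreatName`, `Path`, `CleaningAction`, `CurrentStatus`, `DetectionTime`) are assumptions to check with `Get-Member` on your own client before relying on them.

```powershell
# Added example (not from the original post): client-side check of SCEP state
# and recent detections via the SCEP WMI namespace. Namespace, class and property
# names are assumptions; verify them with
#   Get-WmiObject -Namespace root\Microsoft\SecurityClient -Class Malware | Get-Member

$ScepNamespace = 'root\Microsoft\SecurityClient'   # assumed SCEP client namespace

function Get-ScepHealth {
    # Summarises whether the agent is enabled, real-time protection is on and how old the definitions are.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $h = Get-WmiObject -Namespace $ScepNamespace -Class 'AntimalwareHealthStatus' `
                       -ComputerName $ComputerName -ErrorAction Stop
    [pscustomobject]@{
        Computer            = $ComputerName
        AntivirusEnabled    = $h.AntivirusEnabled
        RealTimeProtection  = $h.RtpEnabled
        SignatureVersion    = $h.AntivirusSignatureVersion
        SignatureAgeDays    = $h.AntivirusSignatureAge
        LastFullScanAgeDays = $h.LastFullScanAge
    }
}

function Get-ScepDetection {
    # Lists detections recorded by the client in the last $Hours hours.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WmiObject -Namespace $ScepNamespace -Class 'Malware' `
                  -ComputerName $ComputerName -ErrorAction Stop |
        ForEach-Object {
            # WMI stores DetectionTime as a DMTF datetime string; convert it before comparing.
            $t = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.DetectionTime)
            if ($t -ge $since) {
                [pscustomobject]@{
                    Computer       = $ComputerName
                    DetectionTime  = $t
                    ThreatName     = $_.ThreatName
                    Path           = $_.Path
                    CleaningAction = $_.CleaningAction
                    CurrentStatus  = $_.CurrentStatus
                }
            }
        }
}

function Wait-ScepRemoval {
    # Polls a test file path until real-time protection has removed it, or the timeout passes.
    # Returns $true if the file disappeared within the timeout, otherwise $false.
    param([Parameter(Mandatory)][string]$Path, [int]$TimeoutSeconds = 30)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $Path)) { return $true }
        Start-Sleep -Milliseconds 500
    }
    return $false
}

# Demo run on the local client (hypothetical path for the EICAR.COM you saved as described above).
Get-ScepHealth | Format-List
$removed = Wait-ScepRemoval -Path 'C:\Temp\EICAR.COM' -TimeoutSeconds 30
"Test file removed by real-time protection: $removed"
Get-ScepDetection -Hours 1 | Format-Table DetectionTime, ThreatName, CleaningAction, CurrentStatus -AutoSize
```

If `Wait-ScepRemoval` returns `$false` while the health summary shows `RealTimeProtection` as `False`, the antimalware policy has not reached the client yet, which matches the note above that the policy refresh can take a while; EndpointProtectionAgent.log is the place to confirm that.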