System Center Endpoint Protection - Mastering System Center 2012 R2 Configuration Manager (2014)

Chapter 15. System Center Endpoint Protection

System Center Configuration Manager 2007 provided the ability to integrate with Microsoft Forefront Endpoint Protection 2010. Forefront Endpoint Protection (FEP) is Microsoft’s industry-leading security and antimalware product, and the integration with Configuration Manager 2007 allowed administrators to easily manage and control its configuration.

The Forefront Endpoint Protection product has been updated for 2012, and the new version is called System Center 2012 Endpoint Protection (SCEP). As you will see in this chapter, the integration between Endpoint Protection and Configuration Manager is carried forward and greatly enhanced in the System Center 2012 versions of the products.

In this chapter, you will learn to

· Differentiate between FEP and SCEP

· Deploy and configure the System Center 2012 Endpoint Protection site system and client

· Create and assign an SCEP policy

Differences between FEP and SCEP

Before taking a closer look at System Center 2012 Endpoint Protection, let’s take a moment to review some of the key differences between Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection:

· FEP used two separate databases to store data, FEP_DB and FEP_DW. SCEP uses the ConfigMgr site database to store all data.

· FEP required a separate client to be deployed and installed on each managed computer. SCEP includes the endpoint client software as part of the ConfigMgr 2012 client install media, and the SCEP client is enabled and configured in the ConfigMgr 2012 console.

· FEP had a delay between when a malware event occurred at a client, such as virus detection, and when that information was made available to the ConfigMgr 2007 administrator. ConfigMgr 2012 has new internal processes that work to greatly reduce the time that elapses between the event and the alerting and reporting.

· Delegating the administration of FEP was a challenge in ConfigMgr 2007. In ConfigMgr 2012, the role-based security model allows the ConfigMgr administrator to easily delegate the SCEP-related functions to a specific person or group without providing those users with access to other areas of ConfigMgr.

What Is Malware?

We will use the term malware a great deal in this chapter, so it’s probably a good idea to define that word.

Malware is short for malicious software, which is basically software, code, or scripts that are typically designed to perform invasive, destructive actions on a computer. Some malware attempts to delete files or corrupt the operating system, while others may attempt to steal personal or corporate data. Malware includes items such as computer viruses, worms, Trojan horses, adware, and some rootkits. Antimalware software (such as SCEP) is software designed to detect, block, and remove malware.

Additional Benefits of SCEP

Now that we have identified some of the key differences between the FEP 2010 and SCEP products, let’s take a look at some of the additional benefits of the SCEP product. We will expand on these in the remainder of the chapter.

Deployment

The deployment and configuration of SCEP are managed in the ConfigMgr 2012 console. Because of the tight integration with ConfigMgr 2012, SCEP is easily deployable to environments of any size. The ConfigMgr administrator enables SCEP in ConfigMgr 2012 by deploying the new Endpoint Protection Point site system role, enabling the Endpoint Protection client, and then configuring the antimalware policies. SCEP also includes several policy templates that provide recommended antimalware configurations for standard workloads. These templates are generally ready to deploy but can be customized to meet the specific needs of the organization if needed. You can also export policies that were created in FEP 2010 and import them into SCEP.

Protection

SCEP provides ConfigMgr administrators with the ability to ensure that their computer infrastructure is safe and secure from malware attacks. The SCEP product protects the computer infrastructure by detecting and blocking malware and also by providing management of Windows Firewall. SCEP ensures that the computers are protected from many known exploits and vulnerabilities, and SCEP is backed by the Microsoft Security Response Center and the Microsoft SpyNet community. For more information on the Microsoft Security Response Center visit

http://www.microsoft.com/security/msrc

SpyNet Is Now MAPS

Before moving on, we should discuss the Microsoft Active Protection Service. In FEP 2010 this feature was referred to as Microsoft SpyNet but is now referred to as the Microsoft Active Protection Service (MAPS).

MAPS is a cloud-based service that allows the endpoint client on a computer to report data about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC). Once the data is submitted to the MMPC, it can be analyzed and researched by engineers. Once the data has been analyzed, information about the behavior can be included in a new definition update and deployed to computers around the world via FEP or SCEP. This feature is sometimes referred to as the Dynamic Signature Service.

When you configure the Endpoint Protection site system, you will need to define how MAPS should be configured for your environment.

As you can see in the following illustration, there are three available choices for the Microsoft Active Protection Service:

· Do not join MAPS

If you choose this option, it means that information will not be sent from the managed computers to Microsoft. You will not be alerted if software that is currently unclassified is detected in the environment.

· Basic Membership

If you choose the Basic Membership option, SCEP will submit information to Microsoft about potentially unsafe software or software that has not yet been analyzed for risks.

· Advanced Membership

If you choose the Advanced Membership option, SCEP will submit more detailed information about detected software and will also alert you if software has been detected that has not yet been analyzed for issues or risks. This option also collects additional information from the computers, including IP address and operating system.

You can change the membership setting at any time by making the change in the Forefront Endpoint Protection site system properties. You can also override this sitewide setting with a custom antimalware policy if needed.

Monitoring

ConfigMgr 2012 includes several enhancements around the monitoring and the reporting of the health and status of the environment. This is especially true for the Endpoint Protection feature of ConfigMgr 2012.

One key improvement is the manner and speed in which endpoint protection activity (such as a malware event on a workstation) is sent to the site servers for monitoring purposes. In FEP 2010 there was some delay before malware outbreaks were made visible to the ConfigMgr administrator. The extent of that delay varied, depending on how FEP and ConfigMgr 2007 were configured, but with some scenarios it might have taken 30 minutes or more before the ConfigMgr administrator was aware of the malware activity.

In ConfigMgr 2012 a new mechanism has been implemented that greatly reduces the delay in getting endpoint malware activity data from the client to the site servers. This new client communication channel uses state messages to deliver malware activity information to the site server in almost real time. As a result, the ConfigMgr 2012 administrator will typically become aware of malware activity within just a few minutes of it taking place. ConfigMgr 2012 uses this channel for all endpoint-related operations as well as the Download Computer Policy client action. You will learn more about the fast channel later in the chapter.

Security

The role-based security model in ConfigMgr 2012 greatly simplifies the process of defining access for administrative users. The ConfigMgr 2012 security role that is related to the SCEP feature is the Endpoint Protection Manager. This security role provides the administrative user with the ability to create, modify, and delete security policies. Administrative users with this security role can also manage the security policies that are assigned to collections, monitor the status of SCEP, and execute remediation tasks on managed computers.

One possible use of this role is to assign it to the corporate IT security department and allow them to manage the configuration of SCEP without giving them access to other areas of ConfigMgr.

Now that you understand some of the features of System Center 2012 Endpoint Protection, let’s take a closer look at the product.

Endpoint Protection Site System Role

System Center 2012 Configuration Manager introduces a new site system role, the Endpoint Protection Point site system role. This role must be installed and configured before you can use Endpoint Protection in ConfigMgr 2012. Also, the role must be installed at the top of the ConfigMgr 2012 hierarchy, which will be the Central Administration Site (CAS) if one exists. If the environment does not have a CAS, then the role will be installed on the standalone primary site.

Can SCEP Be Used in an Unmanaged Scenario?

Since you are reading this book, it is likely that you plan to use SCEP with ConfigMgr 2012 in a managed scenario and receive the many benefits of the integration between the two products.

However, SCEP can also be used in an unmanaged scenario, where ConfigMgr 2012 is not used to centrally administer, maintain, and monitor the configuration of SCEP. This scenario has some limitations but may be useful in environments where either ConfigMgr 2012 is not installed or the ConfigMgr client cannot be installed on computers.

In the unmanaged scenario, ConfigMgr 2012 is not available to deploy the SCEP clients and policies or update the SCEP definition files. An alternative is to use Active Directory Group Policy objects (GPOs) to deploy the SCEP client and policies and use Microsoft Update, Windows Server Update Services (WSUS), or the Microsoft Malware Protection Center (MMPC) to update the definition files. This same approach was available for FEP 2010, and Microsoft released a set of tools called Forefront Endpoint Protection 2010 Tools to assist with the configuration. It is possible that Microsoft will release a similar toolset for SCEP. One advantage of the GPO approach over the integrated ConfigMgr scenario is that group policies are dynamically merged when applied at the computer, allowing the administrator to maintain fewer group policies.

Another limitation of the unmanaged SCEP scenario is that you have no ability to receive real-time notification in the event of a malware outbreak in the environment, and you also have no ability to determine whether the SCEP clients are using outdated definition files. One possible exception is if the environment uses System Center 2012 Operations Manager (SCOM). If SCOM is in place, and the affected computers have the SCOM agent installed, the administrator may receive malware activity and outdated definition file status as SCOM alerts via an Endpoint Protection security management pack. A management pack was provided for FEP 2010 (Forefront Endpoint Protection 2010 Security Management Pack), and it’s likely that Microsoft will provide a management pack for SCEP. However, SCOM is typically used only to monitor servers, and it’s likely that your desktops and laptops will not have the SCOM agent installed.

As you can see, in some scenarios using SCEP in an unmanaged configuration may be useful, but the approach has some limitations. Also, you will need to contact your Microsoft account team or software reseller to determine the SCEP licensing requirements for this scenario.

The installation and configuration of the role are fairly straightforward:

1. In the Configuration Manager console, select Administration ⇒ Overview ⇒ Site Configuration ⇒ Servers And Site System Roles.

2. Select the Central Administration Server (or the standalone primary site server), right-click, and select Add Site System Roles. The Add Site System Roles Wizard opens.

3. On the General page, specify the settings for the site system server. Click Next.

4. Select the proxy settings; then click Next.

5. On the next screen, select Endpoint Protection Point from the list of available roles and click Next. See Figure 15.1.

Figure 15.1 Selecting the Endpoint Protection Point role

6. On the Specify Endpoint Protection License Page, accept the Endpoint Protection license terms and click Next.

The Endpoint Protection Client License

Note that you must accept the license agreement in order to install the Endpoint Protection Point role. As with FEP 2010, the Endpoint Protection client license is part of the Microsoft core Client Access License (CAL). However, the license for the Endpoint Protection site server is not part of the core CAL and has specific licensing requirements. Contact your Microsoft account team or software reseller for additional information on the licensing requirements for SCEP.

7. Choose the Print License Terms option if you would like to review the license terms before agreeing to them. Click Next.

8. On the Specify Microsoft Active Protection Service membership type window, choose the membership option you require for your environment and click Next.

9. On the Confirm Settings page, click Next and then click Close once the role has been successfully installed.

10. You can monitor the status of the installation of the role in the EPMgr.log and EPSetup.log files on the site server.

Show Me the Logs!

The SMS and ConfigMgr products have always had detailed, informative logs, and ConfigMgr 2012 is no different. The relevant logs for SCEP are discussed here:

On the SCEP Site System

The SCEP site system log files are in the standard location for ConfigMgr 2012 site server logs (\Program Files\Microsoft Configuration Manager\Logs), and there are three logs related to SCEP:

· EPCtrlMgr.log records information about the sync of malware threat data from the SCEP site system role to the ConfigMgr database.

· EPMgr.log monitors the status of the SCEP role.

· EPSetup.log records information about the installation of the SCEP role on the site server.

On the SCEP Clients

The SCEP client log files are located in \Program Files\SMS_CCM\Logs on the ConfigMgr 2012 site servers and in \Windows\CCM\Logs for ConfigMgr clients. There is one log related specifically to SCEP: EndpointProtectionAgent.log. This log details the installation of the SCEP client and the application of antimalware policy.
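The site and client logs listed above are written in the ConfigMgr (CMTrace) record format, in which each entry carries its message, timestamp, component and a severity type (1 = informational, 2 = warning, 3 = error). As an added example that is not from the book, the PowerShell below parses that format and pulls the warnings and errors out of EndpointProtectionAgent.log; the records at the bottom are constructed for the demonstration and their message texts are invented placeholders, not real SCEP output.

```powershell
# Added example: parse CMTrace-format ConfigMgr log records and surface SCEP problems.
# Assumed record layout (standard CMTrace):
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..."
#     context="" type="N" thread="N" file="...">
# where type 1 = informational, 2 = warning, 3 = error.

function ConvertFrom-CMTraceLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string]$Line
    )
    begin {
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"' +
                   '\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"' +
                   '\s+thread="(?<thread>\d+)"\s+file="[^"]*">'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }   # skip partial or non-record lines
        # The time field ends in a UTC offset in minutes (e.g. "+300"); strip it before parsing.
        $timeText = $m.Groups['time'].Value -replace '[+-]\d+$', ''
        $stamp = [datetime]::ParseExact("$($m.Groups['date'].Value) $timeText",
                                        'MM-dd-yyyy HH:mm:ss.fff',
                                        [cultureinfo]::InvariantCulture)
        [pscustomobject]@{
            Timestamp = $stamp
            Component = $m.Groups['comp'].Value
            Severity  = $severity[$m.Groups['type'].Value]
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-ScepLogProblems {
    # Returns only the warning and error records from a log file, newest first.
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-Content -Path $Path |
        ConvertFrom-CMTraceLog |
        Where-Object { $_.Severity -ne 'Info' } |
        Sort-Object Timestamp -Descending
}

# Constructed sample records (not real log output) in EndpointProtectionAgent.log layout,
# written to a temp file so the functions can be exercised without a SCEP client present.
$sample = @(
  '<![LOG[Policy request received]LOG]!><time="09:15:02.117+300" date="03-11-2014" component="EndpointProtectionAgent" context="" type="1" thread="2852" file="sample.cpp:1">',
  '<![LOG[Failed to apply antimalware policy (placeholder)]LOG]!><time="09:15:04.561+300" date="03-11-2014" component="EndpointProtectionAgent" context="" type="3" thread="2852" file="sample.cpp:2">',
  '<![LOG[Definition update source unavailable (placeholder)]LOG]!><time="09:20:10.003+300" date="03-11-2014" component="EndpointProtectionAgent" context="" type="2" thread="2852" file="sample.cpp:3">'
)
$tmp = Join-Path $env:TEMP 'EndpointProtectionAgent.sample.log'
Set-Content -Path $tmp -Value $sample

# On a real client, point -Path at C:\Windows\CCM\Logs\EndpointProtectionAgent.log instead.
Get-ScepLogProblems -Path $tmp | Format-Table Timestamp, Severity, Message -AutoSize
```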

Endpoint Protection Client Agent

Once the Endpoint Protection Point site system role has been enabled and configured, you need to enable and configure the System Center 2012 Endpoint Protection client agent. The installation media for the endpoint client is distributed to the managed devices as part of the ConfigMgr 2012 client install media. The name of the file is SCEPInstall.exe, and it can be found in the CCMSETUP folder (C:\Windows\CCMSETUP) on the client. Although the SCEP client install media is copied to the CCMSETUP folder during the ConfigMgr 2012 client install, SCEP won’t actually be installed on managed devices until the Endpoint Protection client is enabled and configured in an assigned client settings policy. Also note that the Endpoint Protection client cannot be enabled until the Endpoint Protection site system role is enabled.

You have two choices on how to enable and configure the SCEP client.

· You can make changes to the default client settings policy and enable and configure SCEP there.

· You can create a new, separate settings policy that enables and configures SCEP.

If you want every ConfigMgr 2012 client to be configured with the same settings, you can modify the default client settings, but you may want different client setting configurations for different types of devices. For example, you may want any required reboots as a result of the SCEP client install to be suppressed on servers but not on desktop devices. So, you may need multiple client settings policies in order to handle certain scenarios.

If you decide to modify the default client settings for the SCEP configuration, you will need to do the following:

1. Open the ConfigMgr 2012 console and choose Administration ⇒ Overview ⇒ Client Settings.

2. Select the Default Client Settings entry and choose Properties from the ribbon.

3. Select the Endpoint Protection setting and set the required configuration. See Figure 15.2.

Figure 15.2 Endpoint Protection default settings

If you want to create a separate client settings policy for SCEP, follow these steps:

1. Open the ConfigMgr 2012 console and choose Administration ⇒ Overview ⇒ Client Settings.

2. Click Create Custom Client Device Settings in the ribbon.

3. Give the custom device settings a name and description.

4. Select Endpoint Protection as the custom setting to be enforced on the client devices. See Figure 15.3.

Figure 15.3 Selecting the Endpoint Protection custom setting

5. Click the Endpoint Protection option on the left side of the window. This will open the Endpoint Protection configuration settings. See Figure 15.4.

Figure 15.4 Configuring Endpoint Protection settings

6. Set the required configuration settings, and click OK.

7. Deploy the new client settings policy to a collection.

After creating the client settings policy for SCEP, don’t forget to assign the policy to a collection:

1. Select the policy you created.

2. Choose Deploy from the ribbon.

3. Select the appropriate collection.

Regardless of whether you modify the default client settings or create a new client setting for SCEP, the options that can be configured are the same. As an administrator, you can do the following:

· Define whether the SCEP client should be installed and also if it should be managed.

· Determine if previously installed antimalware software should be automatically removed (see the following list).

· Define if any required reboots after enabling SCEP will be suppressed.

· Disable alternate sources for the initial definition update.

The list of products that can be replaced by SCEP may change somewhat, but the following were the supported titles for removal at the time this book was written:

· Symantec AntiVirus Corporate Edition version 10

· Symantec Endpoint Protection version 11

· Symantec Endpoint Protection Small Business Edition version 12

· McAfee VirusScan Enterprise version 8

· Trend Micro OfficeScan

· Microsoft Forefront Codename Stirling Beta 2

· Microsoft Forefront Codename Stirling Beta 3

· Microsoft Forefront Client Security v1

· Microsoft Security Essentials v1

· Microsoft Security Essentials 2010

· Microsoft Forefront Endpoint Protection 2010

· Microsoft Security Center Online v1

Use this website to obtain an updated list of products that can be removed:

http://technet.microsoft.com/en-us/library/gg682067.aspx

If you have an antimalware product installed in the environment that is not on this list, you may need to deploy a removal package for that product. In that scenario, make sure you coordinate the removal of the old product and the enabling and deployment of the SCEP client and minimize the amount of time that the computer is not protected by antimalware software.

SCEP also supports Mac-based clients as well as Linux/Unix-based clients. The SCEP client installation files for these platforms are available on the Microsoft Volume Licensing website: www.microsoft.com/Licensing/.

The supported Macintosh operating systems are as follows:

· Mac OS X 10.8 (Mountain Lion)

· Mac OS X 10.7 (Lion)

· Mac OS X 10.6 (Snow Leopard)

Note: The SCEP client for the Macintosh operating systems is supported on computers that use the Intel 32-bit and 64-bit chipsets.

The supported Linux/Unix-based operating systems are these:

· RedHat Enterprise Linux (RHEL): versions 6, 5, and 4 (x64 and x86)

· SuSE Linux Enterprise Server (SLES): versions 11, 10, and 9 (x64 and x86)

· CentOS: versions 6 and 5

· Debian: versions 6 and 5

· Ubuntu: versions 12.04 and 10.04

· Oracle Linux: versions 6 and 5

Endpoint Protection Policies

SCEP has two policy types:

1. Antimalware The antimalware policy is used to define the antimalware settings that will be applied to the endpoint client.

2. Windows Firewall The Windows Firewall policy can be used to control the configuration of Windows Firewall on managed computers.

Both types of Endpoint Protection policies can be created and modified in the ConfigMgr 2012 console.

Antimalware Policy

ConfigMgr 2012 includes a default antimalware policy (Default Client Malware Policy) that can be modified. However, you should understand that changes made to that policy will be applied to all managed computers in the environment. Instead, the ConfigMgr administrator may decide to create a custom policy (or policies), and those policy settings would override the default client policy.

The following configuration changes can be made in the antimalware policy:

1. Scheduled Scans This option defines various information about the antimalware scan, including when the scan should occur, when the definition files should be updated, and if CPU usage should be limited. See Figure 15.5.

Figure 15.5 Configuring the Scheduled Scans settings

Quick Scan or Full Scan?

The Scheduled Scans option allows you to configure when quick and full scans occur. But what is the difference between a quick scan and a full scan?

A quick scan does a check on locations where malware likes to hide in memory and on the hard drive. A quick scan should take only a few minutes, and performing the quick scan daily is a good practice.

A full scan checks all of the files on the hard disk and also checks memory and all programs that are currently active. This scan is more intensive and uses more resources on the computer, so performance on the computer may be impacted somewhat. This scan should typically be performed weekly and at a time when the computer will be on but not in use.

In the event of an active malware outbreak, you can trigger a quick or a full scan or a definition file download from the ConfigMgr 2012 console. The specified action will utilize the client communication channel and should take place immediately if the client is accessible. To trigger the scan or definition file download action, follow these steps:

a. Select Assets And Compliance ⇒ Overview ⇒ Device Collections.

b. Right-click the appropriate collection.

c. Select Endpoint Protection, and choose the appropriate action (Full Scan, Quick Scan, or Download Definition), as shown in the following illustration.

This will initiate an antimalware scan or definition download against the member computers of the collection.

2. Scan Settings This option defines what types of items should be scanned and also defines whether the end user can change the scan settings (Figure 15.6).

Figure 15.6 Configuring the Scan Settings

3. Default Actions This option defines the action that will be taken on threats based on their classification (Figure 15.7).

Figure 15.7 Configuring the Default Actions settings

4. Real-Time Protection This option defines the configuration of real-time protection and scanning (Figure 15.8).

Figure 15.8 Configuring the Real-Time Protection settings

5. Exclusion Settings This option defines any files, folders, file types, or processes that should be excluded from malware scanning (Figure 15.9). Note that excluding items may increase the risk of malware not being detected on a computer.

Figure 15.9 Configuring the Exclusion Settings

6. Advanced This option provides the ability to customize advanced settings, including interaction with users, how long quarantined files should be retained, and so on (Figure 15.10).

Figure 15.10 Configuring the Advanced settings

7. Threat Overrides This option allows you to add threat names to the threat list (Figure 15.11).

Figure 15.11 Configuring the Threat Overrides settings

8. Microsoft Active Protection Service This option allows you to configure MAPS (Figure 15.12).

Figure 15.12 Configuring the MAPS settings

9. Definition Updates This option allows you to configure how Endpoint Protection clients will receive definition updates (Figure 15.13).

Figure 15.13 Configuring the Definition Updates settings

ConfigMgr 2012 includes a number of predefined antimalware policy templates for several Microsoft products, including ConfigMgr 2007 and 2012, SQL 2005 and 2008, Exchange Server, and Windows. The complete list of policies that are provided with ConfigMgr 2012 can be viewed in the following folder on the ConfigMgr 2012 site server:

..\Microsoft Configuration Manager\AdminConsole\XmlStorage\EPTemplates

These policies apply settings that are optimized for a particular product or feature and can easily be imported and used in the environment. You can also import antimalware policies that were created in FEP 2010.

In ConfigMgr 2012 you can also merge policies by taking a default policy and merging it with another policy. This scenario may be useful if you want to use the default client policy but apply some specific file or folder exclusions that were included in one of the policies that was imported.

Windows Firewall Policy

The SCEP feature of ConfigMgr 2012 can also be used to manage the Windows Firewall policies for managed computers. ConfigMgr 2012 does not include a default Windows Firewall policy, and there is no ability to import or export a policy, but you can easily create a new policy in the ConfigMgr 2012 console.

As you can see in Figure 15.14, the Windows Firewall policy configuration is straightforward. You can create a new Windows Firewall policy in the ConfigMgr 2012 console and configure the policy to enable/disable the firewall, to block incoming connections, and also to define user communication. Once you have configured the policy, you can then deploy it to a collection.

Figure 15.14 Configuring Windows Firewall policy

You may notice that there are three profile types: domain, public, and private. These profiles are related to the network that the user or computer is connected to.

1. Domain The domain profile will be applied if the connection is authenticated to a domain controller for the domain of which the user or computer is a member. By default, all other network connections are initially classified as public networks, and Windows asks the user to identify the network as either public or private.

2. Public The public profile is intended for use in public locations (such as airports and coffee shops).

3. Private The private network location is typically intended for use in a home or office.

Assigning Policy

The Default Client Malware Policy is automatically applied to all of the computers managed by ConfigMgr 2012. If you create a custom policy and assign it to a collection, the settings in the custom policy will override the settings that are defined in the default policy.

Use the following steps to assign a custom antimalware policy to a collection:

1. Open the ConfigMgr 2012 console and choose Assets And Compliance ⇒ Overview ⇒ Endpoint Protection ⇒ Antimalware Policies.

2. Select the custom policy and choose Deploy from the ribbon.

3. Select the collection, and click OK.

The next time the ConfigMgr 2012 clients in the targeted collection retrieve policy (every 60 minutes by default), they will apply the SCEP client settings that were established in the policy. If two custom policies have different values configured for the same settings, the policy with the highest Order value will be applied. You can adjust the order in the ConfigMgr console by right-clicking the custom policy and selecting Increase Priority or Decrease Priority. See Figure 15.15.

Figure 15.15 Increasing policy priority

Default Order Value

The order for the Default Client Malware Policy has a default value of 10,000 and cannot be changed.

Definition Files

As discussed in Chapter 9, “Software Updates,” ConfigMgr 2012 provides the ability to automatically download and deploy security updates to managed computers using a feature called Automatic Deployment Rules (ADR). These rules can be used for monthly security updates (Patch Tuesday, for example), and they can also be used for SCEP definition file updates. The SCEP definition files are updated several times a day, and you need an automated solution like ADR to handle the download and deployment of the updated files as they become available. For more information on how to create automatic deployment rules, refer to the software updates chapter in this book.

Once the automatic deployment rules for SCEP have been configured, you may want to verify that the automatic deployment rules are working properly for the SCEP definition updates. The following process will ensure that the clients have the latest definition files.

The first question is, what is the latest version of the Endpoint Protection definition files? One quick way to find out is to check the Microsoft Malware Protection Center website:

http://www.microsoft.com/security/portal/Definitions/HowToForeFront.aspx

As you can see in Figure 15.16, the latest Forefront definition update that was available at the time this image was captured is 1.161.1740.0. So you now know how to tell which version of the definition file the environment should be using.

Figure 15.16 Obtaining the definition update version

If you open the ConfigMgr 2012 console and choose Software Library ⇒ Overview ⇒ Software Updates ⇒ All Software Updates, you can view the list of software updates in the catalog. If you search for “endpoint,” you can look for software updates that have a matching title and focus on the SCEP definition files.

Expect to see several definition files listed, but only one should typically be current and active (the green arrow indicates the current definition file). As you can see in Figure 15.17, the version of that file is 1.161.1740.0, so all of your clients should be using that version of the definition file. Note that superseded updates have yellow arrows and the expired definition files have a black X.

Figure 15.17 Definition update status

You now know that the endpoint clients should be using version 1.161.1740.0 of the definition file. If you open the SCEP client on a managed workstation, you can check the definition file that is currently being used by the client. See Figure 15.18.

Figure 15.18 Verifying SCEP client definition version

As you can see, this client is using the correct version of the definition file. If the definition file is an older version, it’s possible that the client hasn’t triggered the process yet to get the latest definition file. You could click Update and force the client to obtain the latest file. If the client still does not have the latest definition file, then you may need to troubleshoot the issue further and determine why the client is unable to retrieve the updated content.
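Opening the SCEP client on each workstation does not scale, so here is an added PowerShell example (not from the book) that reads the client's antimalware health status and compares its definition version numerically with the version shown in the console (1.161.1740.0 in the figures above). It assumes the SCEP client exposes the root\Microsoft\SecurityClient WMI namespace and its AntimalwareHealthStatus class, and the status objects at the end are constructed so the comparison can be run offline.

```powershell
# Added example: verify SCEP clients are on the definition version the console shows.
# Assumption: SCEP clients expose root\Microsoft\SecurityClient:AntimalwareHealthStatus;
# verify the namespace and property names on your client build if the query returns nothing.

function Get-ScepClientStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $s = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                       -Class 'AntimalwareHealthStatus' `
                       -ComputerName $ComputerName -ErrorAction Stop
    [pscustomobject]@{
        ComputerName       = $ComputerName
        AVSignatureVersion = $s.AntivirusSignatureVersion
        # WMI returns a DMTF datetime string; convert it to a .NET DateTime
        AVSignatureUpdated = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.AntivirusSignatureUpdateDateTime)
        RealTimeProtection = [bool]$s.RtpEnabled
        AntivirusEnabled   = [bool]$s.AntivirusEnabled
    }
}

function Compare-ScepDefinition {
    # Classifies one client's status against the expected version and a maximum signature age.
    param(
        [Parameter(Mandatory=$true)]$Status,               # from Get-ScepClientStatus or constructed
        [Parameter(Mandatory=$true)][version]$ExpectedVersion,
        [int]$MaxSignatureAgeDays = 3
    )
    # [version] compares field by field as numbers. A string comparison would rank
    # 1.161.980.0 above 1.161.1740.0 because '9' sorts after '1', and miss an outdated client.
    $current = [version]$Status.AVSignatureVersion
    $ageDays = [math]::Round(((Get-Date) - $Status.AVSignatureUpdated).TotalDays, 1)
    $problems = @()
    if ($current -lt $ExpectedVersion)      { $problems += "definitions behind console ($current < $ExpectedVersion)" }
    if ($ageDays -gt $MaxSignatureAgeDays)  { $problems += "last signature update $ageDays days ago" }
    if (-not $Status.RealTimeProtection)    { $problems += 'real-time protection disabled' }
    if (-not $Status.AntivirusEnabled)      { $problems += 'antivirus disabled' }
    [pscustomobject]@{
        ComputerName = $Status.ComputerName
        Current      = $current
        Expected     = $ExpectedVersion
        IsCurrent    = ($current -ge $ExpectedVersion)
        Finding      = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
    }
}

function Test-ScepDefinitionCurrent {
    # Queries live clients; a failed query is reported as a finding rather than skipped silently.
    param(
        [Parameter(Mandatory=$true)][version]$ExpectedVersion,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($name in $ComputerName) {
        try {
            Compare-ScepDefinition -Status (Get-ScepClientStatus -ComputerName $name) -ExpectedVersion $ExpectedVersion
        } catch {
            [pscustomobject]@{ ComputerName = $name; Current = $null; Expected = $ExpectedVersion
                               IsCurrent = $false; Finding = "query failed: $($_.Exception.Message)" }
        }
    }
}

# Constructed status objects (not real clients) to exercise the comparison offline.
$constructed = @(
    [pscustomobject]@{ ComputerName='WS-SAMPLE-01'; AVSignatureVersion='1.161.1740.0'
                       AVSignatureUpdated=(Get-Date).AddHours(-6); RealTimeProtection=$true;  AntivirusEnabled=$true },
    [pscustomobject]@{ ComputerName='WS-SAMPLE-02'; AVSignatureVersion='1.161.980.0'
                       AVSignatureUpdated=(Get-Date).AddDays(-5);  RealTimeProtection=$true;  AntivirusEnabled=$true },
    [pscustomobject]@{ ComputerName='WS-SAMPLE-03'; AVSignatureVersion='1.161.1740.0'
                       AVSignatureUpdated=(Get-Date).AddHours(-2); RealTimeProtection=$false; AntivirusEnabled=$true }
)
$constructed | ForEach-Object { Compare-ScepDefinition -Status $_ -ExpectedVersion '1.161.1740.0' } |
    Format-Table ComputerName, Current, IsCurrent, Finding -AutoSize

# Against real clients, run for example:
#   Test-ScepDefinitionCurrent -ExpectedVersion '1.161.1740.0' -ComputerName 'PC1','PC2'
```

Clients that report an outdated version after you click Update are the ones to troubleshoot against the Definition Updates settings and EndpointProtectionAgent.log.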

Alerts

The ability to create alerts is new in ConfigMgr 2012. Alerts can be used to notify a ConfigMgr administrative user when specific events (such as a malware outbreak) have occurred in the environment. The administrator can view alerts in the ConfigMgr 2012 console, in reports, and also via email subscriptions. The ability to display alerts in the console or via email is especially important for SCEP-related events because it allows the administrator to quickly become aware of a malware event.

ConfigMgr 2012 Alerts vs. SCOM Alerts

The alert feature in ConfigMgr 2012 should not be confused with the alerting that is provided in the System Center Operations Manager product.

SCEP alerts are configured in the device collection properties. You cannot configure user collections for alerts. ConfigMgr 2012 has alerts for various issues and conditions and includes four alerts related specifically to malware:

1. Malware Detection An alert is generated if a managed computer in the specified collection has malware.

2. Malware Outbreak An alert is generated when a certain percentage of managed computers in the specified collection have malware detected.

3. Repeated Malware Detection An alert is generated if specific malware is detected more than a certain number of times over a certain number of hours in a specified collection.

4. Multiple Malware Detection An alert is generated if more than a specified number of malware types are detected over a given period for a specified collection.
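The four collection alert conditions above, evaluated over constructed detection events. This is an added example, not code from the book; the threshold values, the collection size and the computer and threat names are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Detection:
    computer: str   # managed computer in the collection
    threat: str     # malware name as reported by the SCEP client
    when: datetime  # detection time

# Constructed sample events for a hypothetical "Dallas Computers" collection of 50 devices.
COLLECTION_SIZE = 50
NOW = datetime(2014, 3, 1, 13, 0)
DETECTIONS = [
    Detection("DAL-WS01", "EICAR-Test-File", datetime(2014, 3, 1, 9, 0)),
    Detection("DAL-WS02", "EICAR-Test-File", datetime(2014, 3, 1, 10, 0)),
    Detection("DAL-WS02", "EICAR-Test-File", datetime(2014, 3, 1, 11, 0)),
    Detection("DAL-WS03", "Sample-Trojan-A", datetime(2014, 3, 1, 12, 0)),
    Detection("DAL-WS03", "EICAR-Test-File", datetime(2014, 3, 1, 12, 30)),
]

def evaluate_alerts(detections, collection_size, now,
                    outbreak_pct=5.0,                 # Malware Outbreak: % of computers
                    repeat_count=2, repeat_hours=24,  # Repeated Malware Detection
                    multi_types=2, multi_hours=24):   # Multiple Malware Detection
    """Return the names of the collection alerts whose conditions are met.

    The threshold values are assumptions for illustration, not ConfigMgr defaults.
    """
    def recent(hours):
        return [d for d in detections if timedelta(0) <= now - d.when <= timedelta(hours=hours)]

    fired = []
    # 1. Malware Detection: any computer in the collection reported malware.
    if detections:
        fired.append("Malware Detection")
    # 2. Malware Outbreak: share of affected computers reaches the percentage threshold.
    infected = {d.computer for d in detections}
    if 100.0 * len(infected) / max(collection_size, 1) >= outbreak_pct:
        fired.append("Malware Outbreak")
    # 3. Repeated Malware Detection: one specific threat seen more than N times in M hours.
    per_threat = Counter(d.threat for d in recent(repeat_hours))
    if any(count > repeat_count for count in per_threat.values()):
        fired.append("Repeated Malware Detection")
    # 4. Multiple Malware Detection: more than N distinct threat types in the period.
    if len({d.threat for d in recent(multi_hours)}) > multi_types:
        fired.append("Multiple Malware Detection")
    return fired

if __name__ == "__main__":
    print(evaluate_alerts(DETECTIONS, COLLECTION_SIZE, NOW))
```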

In order to receive alerts you must enable a device collection to send alerts. The following is the process:

1. In the ConfigMgr 2012 console, select the device collection that should be configured to send alerts, and select Properties from the ribbon.

In this example we will select a collection named Dallas Computers.

2. In the collection properties window, select the Alerts tab. See Figure 15.19.

Figure 15.19 Alerts tab in the collection properties

3. Enable the View This Collection In The Endpoint Protection Dashboard option, and click Add to specify alert thresholds.

Enabling a Collection

Until you enable a collection to be viewed, the System Center 2012 Endpoint Protection Status node in the Monitoring workspace of the ConfigMgr 2012 console will be blank, and a message will appear: “No collections have been configured to display in Endpoint Protection status.”

When you click Add to specify alert thresholds, the Add New Collection Alerts window will appear, and all of the items will be unchecked by default. The needs of the administrative users may vary, but we will assume for this scenario that all of the alert conditions are needed in the environment.

4. Select each option and click OK (Figure 15.20).

Figure 15.20 Enabling collection alerts

5. If you want to customize the thresholds, you can, but for now use the default settings and click OK (Figure 15.21).

Figure 15.21 Setting alert thresholds

At this point you have configured the devices in a collection to generate alerts if the alert conditions are met. Those alerts can be viewed in the console, viewed in reports, and also sent via email subscriptions.

ConfigMgr Can Send You Email

In ConfigMgr 2012 you can configure an SMTP server that will be used to email Endpoint Protection alerts to administrative users. Follow these steps:

1. In the ConfigMgr 2012 console, choose Administration ⇒ Overview ⇒ Site Configuration ⇒ Sites.

2. Select the CAS (or standalone primary site server) and click Settings ⇒ Configure Site Components ⇒ Email Notification.

3. Enable the email notification option, as shown in the following illustration, enter the required email settings for your environment, and click Apply.

You also have the option to test the SMTP server and verify that the configuration is set properly.

4. Configure alert email subscriptions in the Monitoring workspace by choosing Monitoring ⇒ Overview ⇒ Alerts ⇒ Subscriptions and select Create Subscription in the ribbon.

Reporting

ConfigMgr 2012 has several reports related to the Endpoint Protection products. There are currently six reports in the Endpoint Protection category:

1. Antimalware Activity Report This report shows an overview of antimalware activity and is shown in Figure 15.22.

Figure 15.22 Antimalware Activity Report

2. Antimalware Overall Status And History This report shows an overall status of antimalware activity over a specified period.

3. Computer Malware Details This report shows the endpoint client status and antimalware activity.

4. Infected Computers This report shows a list of computers with a particular threat detected.

5. Top Users By Threats This report lists the users with the highest number of detected threats.

6. User Threat List This report shows the list of threats found under a particular user account.

Client Notifications

Many activities in Configuration Manager are pull-based and use polling intervals and scheduled intervals to define when processes take place. This is acceptable for many features in Configuration Manager, but in the case of an outbreak of malware in an environment, an administrator may need to take immediate action on the managed clients and not wait for a policy cycle to occur. Configuration Manager accomplishes this expedited communication process by creating a client notification channel between the site server and the managed clients. This “fast” channel is used for all endpoint-related activities as well as the computer policy download client action. This channel is a push-based communication process and allows a Configuration Manager administrator to take immediate action against clients, like forcing clients to perform a scan to look for malware. The client notification channel is supported only on Windows devices.

The client notification process consists of several parts. The Notification Manager component exists on the Configuration Manager site server, and the notification server exists on the management points. The notification agent is part of the Configuration Manager client. The notification agent on the client initiates a persistent connection with the notification server and will attempt to use TCP mode first and then fall back to HTTP if TCP mode fails. Once the connection is established, the notification agent will send a keep-alive message every 15 minutes to maintain the connection with the notification server. The default TCP port is 10123.

The following are the related Configuration Manager logs for the client notification channel components:

Notification Manager: ..\Microsoft Configuration Manager\Logs\bgbmgr.log

Notification Server: ..\Microsoft Configuration Manager\Logs\BgbServer.log

Notification Agent: C:\Windows\ccm\logs\CcmNotificationAgent.log

For example, if you use the Configuration Manager console to trigger a quick malware scan against a client computer, you can monitor the client communication channel request via the CcmNotificationAgent.log on the client and the status of the endpoint scan via the EndpointProtectionAgent.log. See Figure 15.23.


Figure 15.23 Notification Agent log and Endpoint Protection log
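A parser for the CMTrace entry format these logs use, merging the notification agent and Endpoint Protection agent entries into one timeline so the delay between the push request and the scan result can be read off. This is an added example rather than anything from the book; the sample lines are constructed, and the component names BgbAgent and EndpointProtectionAgent are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LogEntry:
    when: datetime
    component: str
    severity: int   # CMTrace "type": 1 = informational, 2 = warning, 3 = error
    message: str

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)" date="(?P<date>[^"]+)" component="(?P<comp>[^"]*)" '
    r'context="[^"]*" type="(?P<type>\d)" thread="\d+" file="[^"]*">', re.DOTALL)

def parse_cmtrace(text):
    """Parse CMTrace-format log text into LogEntry objects in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        # time is HH:MM:SS.mmm followed by a UTC bias in minutes; the bias is dropped here
        stamp = f"{m['date']} {m['time'][:12]}"
        entries.append(LogEntry(datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f"),
                                m['comp'], int(m['type']), m['msg']))
    return entries

def merge_timeline(*logs):
    """Interleave entries from several client logs by timestamp."""
    return sorted((e for log in logs for e in parse_cmtrace(log)), key=lambda e: e.when)

def request_to_completion_seconds(timeline):
    """Seconds from the notification-channel request to the first 'completed' scan entry."""
    start = next(e for e in timeline if e.component == "BgbAgent")
    done = next(e for e in timeline if e.when > start.when and "completed" in e.message)
    return (done.when - start.when).total_seconds()

# Constructed sample lines shaped like CcmNotificationAgent.log and EndpointProtectionAgent.log;
# messages and component names are illustrative (assumed), not real agent output.
def _entry(msg, time, comp, typ):
    return (f'<![LOG[{msg}]LOG]!><time="{time}+000" date="03-01-2014" component="{comp}" '
            f'context="" type="{typ}" thread="1204" file="sample.cpp:1">')
NOTIFICATION_LOG = _entry("Received push task from site: run quick scan", "09:15:02.100", "BgbAgent", 1)
ENDPOINT_LOG = "\n".join([
    _entry("Quick scan started", "09:15:03.500", "EndpointProtectionAgent", 1),
    _entry("Threat found: EICAR-Test-File, action: quarantine", "09:17:10.000", "EndpointProtectionAgent", 2),
    _entry("Quick scan completed, 1 threat remediated", "09:19:41.000", "EndpointProtectionAgent", 1),
])
```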

We will use the remainder of this chapter to work through a real-world scenario and show SCEP in action.


Let’s Deploy Some Malware!

You are the ConfigMgr 2012 administrator at a company, and you have been telling your fellow IT department personnel about all of the great features that have been added to the ConfigMgr product. You are especially excited about the Endpoint Protection feature and the security against malware that it provides.

Your manager has asked you to demonstrate to the team how the SCEP feature works. You decide it would be a great demo to actually deploy malware to the environment and have ConfigMgr 2012 identify the outbreak and remediate it. Seems a bit risky, right? And where do you get a virus so that you can prove SCEP works? Download some questionable files from the Internet or click on that email attachment from an unknown person? Not likely. It would be much safer to use a test virus, a piece of software that looks like malware but doesn’t actually cause any damage.

One option is to use the antimalware test file that was created by the IT security research organization called EICAR (you can read more about them at www.eicar.org). The EICAR test file that they provide on their website looks like a virus or malware to antimalware software, but it is completely safe and benign. The test file simulates a malware attack but does not harm the computer in any way. However, just to be safe, you decide to perform this demo in your ConfigMgr 2012 test environment that is separated from the production network.

Using the EICAR antimalware test file, in a test ConfigMgr 2012 environment that is not connected to the production network, you can safely simulate the occurrence of a malware event on a managed computer without actually damaging the computer or causing a malware outbreak panic.

Note: Before using this tool, visit the EICAR website and make sure you read through all of the documentation and disclaimers for the use of the tool.

Run the Test!

You are now ready to run the demo for your team.

1. Log on to the Windows computer that will become your “infected” workstation, launch the EICAR malware test file, and then monitor the results.

First, you see by the green status window that SCEP on the Windows computer detected malware and is taking action to remove it.


The antimalware policy for this environment was configured to quarantine threats, but you could also configure it to automatically remove them.

2. Look at the SCEP client on the computer, choose the History tab, and see the malware activity. You can view the name of the detected malware item, the alert level, the date and time the event occurred, and the action that was taken.

But What Happened on the Site Server?

You saw SCEP on the Windows computer flag the EICAR test file as malware and immediately quarantine the malware. But what would you see at the site server level? How would the built-in monitoring make you aware of the issue? Follow these steps to find out:

1. Open System Center 2012 Endpoint Protection Status in the ConfigMgr 2012 console (Monitoring ⇒ Overview ⇒ Endpoint Protection Status ⇒ System Center 2012 R2 Endpoint Protection Status).

2. Select the collection (All Systems in this case) to see the overall status for the environment, including the number and percentage of clients that were affected by malware (one computer in this test). You can also view the top 5 malware by number of computers and the status of the definition files on managed computers in this window.

3. You could open the Alerts section of the Monitoring workspace to view the alerts that were generated as a result of the EICAR malware test being executed on the client, and if you have configured email subscriptions, you would have received those alerts as emails.

4. You can also use the endpoint reports to view the status of the environment. Select the Antimalware Activity Report to view the overall status. You can clearly see the total number of remediations, the number of antimalware incidents, and so on.


Summary

You were able to demonstrate the effectiveness of the System Center 2012 Endpoint Protection feature of ConfigMgr 2012 to your peers, and they gave you a standing ovation — and bought you lunch.

The Bottom Line

1. Differentiate between FEP and SCEP. There are several differences between FEP and SCEP, including the architecture and the deployment process.

Master It Where does SCEP store its data?

2. Deploy and configure the System Center 2012 Endpoint Protection site system and client. The three main components of enabling SCEP are as follows:

· Install and configure the Endpoint Protection site system.

· Enable and configure the SCEP client.

· Configure the antimalware policies.

Master It Do you need to create a package or application to deploy the SCEP client?

3. Create and assign an SCEP policy. SCEP has two types of policy:

· Antimalware

· Windows Firewall

The antimalware policy is used to define the antimalware settings, while the Windows Firewall policy can be used to control the configuration of Windows Firewall on managed computers. Both types of Endpoint Protection policies are created and modified in the ConfigMgr 2012 console.

Master It If you modify the default client antimalware policy and also create a custom antimalware policy with different values for the settings and apply it to a collection, which settings will be applied?