

anyweb

using System Center 2012 Configuration Manager - Part 6. Adding the Endpoint Protection role, configure Alerts and custom Antimalware Policies.


In Part 1 of this series (http://www.windows-noob.com/forums/index.php?/topic/5452-using-system-center-2012-configuration-manager-part-1-installation-cas/) we created our new LAB, we got the System Center 2012 Configuration Manager ISO and extracted it, then copied it to our Active Directory server. We then created the System Management container in AD, delegated permissions to the container, extended the Schema for Configuration Manager. We then opened TCP ports 1433 and 4022 for SQL replication between sites, installed some prerequisites like .NET Framework 4.0, added some features and then downloaded and installed SQL Server 2008 R2 SP1 CU6. We then configured SQL Server using SQL Server Management Studio for security and memory configurations prior to running the Configuration Manager 2012 setup to assess server readiness. Finally we installed a central administration site (CAS).

In Part 2 (http://www.windows-noob.com/forums/index.php?/topic/5506-using-system-center-2012-configuration-manager-part-2-install-the-primary-server-p01/) we set up our Primary server with SQL Server 2008 R2 SP1 CU6. We then installed Configuration Manager 2012 on our primary server (P01) and verified that it was replicating to our central administration site (CAS) server. Then we configured Discovery methods for our Hierarchy and configured Boundaries and Boundary Groups. In Part 3 (http://www.windows-noob.com/forums/index.php?/topic/5605-using-system-center-2012-configuration-manager-part-3-configuring-discovery-and-boundaries/) we configured Discovery methods, configured boundaries and created a boundary group, then configured them for Automatic Site Assignment and Content Location.

In Part 4 (http://www.windows-noob.com/forums/index.php?/topic/5678-using-system-center-2012-configuration-manager-part-4-adding-roles-and-configuring-custom-client-device-settings-and-custom-client-user-settings/) we added the Application Catalog roles to our Hierarchy. We then configured Custom Client Device Settings and then deployed those settings to the All Systems collection on site P01. After that we created Custom Client User Settings and deployed them to the All Users collection in order to allow users to define their own User and Device affinity settings.

In Part 5 (http://www.windows-noob.com/forums/index.php?/topic/5683-using-system-center-2012-configuration-manager-part-5-adding-wsus-adding-the-sup-role-deploying-the-configuration-manager-client-agent/) we installed the WSUS server role (it is required for the Software Update Point role). We then installed the Software Update Point role on our CAS and Primary servers and we configured the SUP to support ConfigMgr Client Agent deployment, which is a recommended Best Practice method of deploying the Configuration Manager Client Agent. Now we will prepare our server for the Endpoint Protection Point role, and install that role before configuring custom client device settings and custom antimalware policies. We will then deploy those custom client device settings and custom antimalware policies to our newly created Endpoint Protection collections.

Tip: This is a long post and it will take you some time to complete, please give yourself a few hours to go through it all.

Below is an introduction to Endpoint Protection in Configuration Manager; for more info see the following on Technet: http://technet.microsoft.com/en-us/library/hh508781.aspx

When you use Endpoint Protection with Configuration Manager, you benefit from the following:

  • You can configure antimalware policies and Windows Firewall settings to selected groups of computers, by using custom antimalware policies and client settings.
  • You can use Configuration Manager software updates to download the latest antimalware definition files to keep client computers up-to-date.
  • You can send email notifications, use in-console monitoring, and view reports to keep administrative users informed when malware is detected on client computers.

Endpoint Protection installs its own client, which is in addition to the Configuration Manager client. The Endpoint Protection client has the following capabilities:

  • Malware and Spyware detection and remediation.
  • Rootkit detection and remediation.
  • Critical vulnerability assessment and automatic definition and engine updates.
  • Integrated Windows Firewall management.
  • Network vulnerability detection via Network Inspection System.

Tip: Chapter 16 of the recently released book System Center 2012 Configuration Manager Unleashed (http://www.amazon.com/System-Configuration-Manager-Unleashed-ebook/dp/B008LW61JI/) by SAMS publishing covers Endpoint Protection in much greater detail than this post. I'd highly recommend you read it, and of course I have to mention that as I wrote it! :-)

Step 1. Prepare our Hierarchy by creating Endpoint Protection Folders.
Note: Perform the following on the CAS server as SMSadmin

In order to make management of our Endpoint Protection devices easier we will create some new Folders. This will facilitate targeting unique custom Antimalware policies and custom client settings to target different types of computers, for example you may want to target different File and Process exclusions to your SQL servers as compared to your Hyper-V host servers.

As Folders and Collections are Global data (http://technet.microsoft.com/en-us/library/gg712990.aspx), everything we create on the CAS will be replicated to our child Primary. On the CAS server select the Assets and Compliance workspace and right click on Device Collections, choose Create Folder.

Create Folder.png

Give the folder a suitable name such as Endpoint Protection.

folder name.png

Once created we can see our new Endpoint Protection folder by clicking on the small triangle to the left of Device Collections, this triangle informs us that there are more things to see under Device Collections.

click on the triangle.png

Click on the triangle and it reveals our new Endpoint Protection folder.

triangle expanded.png

Now we will create some additional Folders underneath our top most Endpoint Protection folder, this will allow us to separate Servers from Desktops and Laptops. Select the Endpoint Protection folder, right click and choose Folder, Create Folder.

create folder under Endpoint Protection folder.png

The first folder will be called Endpoint Protection Managed Clients

Endpoint Protection Managed Clients.png

repeat the above process and create another folder called Endpoint Protection Managed Servers.

Endpoint Protection Managed Servers.png

Once done, you can now click on the small triangle beside our Endpoint Protection folder, and review our new folders.

Endpoint Protection folders.png

Next we will populate these folders with some new collections.

Step 2. Create Endpoint Protection Device Collections to categorize computers.
Note: Perform the following on the CAS server as SMSadmin

Expand our Endpoint Protection Managed Clients folder and right click, select Create Device Collection.

create device collection.png

Create two new collections with no membership rules and limited to the All Systems collection:

  • Endpoint Protection Managed Desktops
  • Endpoint Protection Managed Laptops

new collections.png

so we end up with the following under our Endpoint Protection Managed Clients folder.

endpoint protection managed clients collections.png

Using the above method, create the following collections under our Endpoint Protection Managed Servers folder. The exact number of server collections is up to you, create what you need for your organization, the list below is a suggestion of typical server roles and makes it easy for you to target custom antimalware policies and custom client device settings to those unique server roles in your organization. Add the collections you need in your organization (Note that some Windows server roles which you use may not be listed below, if that is the case then simply create your own).

  • Endpoint Protection Managed Servers - Configuration Manager
  • Endpoint Protection Managed Servers - DHCP
  • Endpoint Protection Managed Servers - IIS
  • Endpoint Protection Managed Servers - Domain Controller
  • Endpoint Protection Managed Servers - Exchange
  • Endpoint Protection Managed Servers - File Server
  • Endpoint Protection Managed Servers - Hyper-V
  • Endpoint Protection Managed Servers - IIS
  • Endpoint Protection Managed Servers - Operations Manager
  • Endpoint Protection Managed Servers - SharePoint
  • Endpoint Protection Managed Servers - SQL Server 2008

Once you have created your new collections, the Endpoint Protection Managed Servers collections should look like this:

collections created.png

Tip: if you don't want to manually enter all this information you could create a PowerShell script to achieve the same thing; here's a sample script to help you (PowerShell knowledge required): http://www.sepago.de/d/david/2012/02/25/microsoft-configuration-manager-2012-and-powershell-ae-part-2

At the moment our new collections are all empty and that's ok, you can populate them however you want, either using direct membership or queries. Do make sure that the correct type of device is in the collection in question so that when we target our custom device settings and custom antimalware policies to those collections that the correct devices are receiving the correct antimalware settings/policies.
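As an added example (not the post's own code, nor the sepago script linked above), the PowerShell below creates the folder tree from Step 1 and the empty, All Systems-limited collections from Step 2 through the SMS Provider WMI classes instead of the console. It assumes it is run on the CAS as SMSadmin, that the site server and site code are both called CAS (placeholders for this lab), and the MoveMembers argument order stated in the comments.

```powershell
# Added example, not from the original post: build the Endpoint Protection folders
# (Step 1) and the empty device collections (Step 2) via the SMS Provider.
# Assumptions: run on the CAS as SMSadmin; server name and site code are lab placeholders.
param(
    [string]$SiteServer = 'CAS',   # assumption: host of the SMS Provider
    [string]$SiteCode   = 'CAS'    # assumption: CAS site code
)
$wmiNs  = "root\SMS\site_$SiteCode"
$wmiRef = "\\$SiteServer\$wmiNs"
$DeviceCollectionNode = 5000       # SMS_ObjectContainerNode.ObjectType for device collection folders
$AllSystems = 'SMS00001'           # built-in All Systems collection, the limiting collection used in the post

function New-EPFolder {
    # Creates (or reuses) a console folder under Device Collections and returns its ContainerNodeID
    param([string]$Name, [uint32]$ParentId = 0)   # 0 = directly under Device Collections
    $existing = Get-WmiObject -ComputerName $SiteServer -Namespace $wmiNs -Class SMS_ObjectContainerNode `
        -Filter "Name='$Name' AND ParentContainerNodeID=$ParentId AND ObjectType=$DeviceCollectionNode"
    if ($existing) { return [uint32]($existing | Select-Object -First 1).ContainerNodeID }
    $node = ([wmiclass]"$($wmiRef):SMS_ObjectContainerNode").CreateInstance()
    $node.Name = $Name
    $node.ObjectType = $DeviceCollectionNode
    $node.ParentContainerNodeID = $ParentId
    $saved = [wmi]($node.Put()).Path           # Put() returns the path of the new instance, which carries the assigned ID
    return [uint32]$saved.ContainerNodeID
}

function New-EPCollection {
    # Creates (or reuses) an empty device collection limited to All Systems and moves it into $FolderId
    param([string]$Name, [uint32]$FolderId)
    $coll = Get-WmiObject -ComputerName $SiteServer -Namespace $wmiNs -Class SMS_Collection -Filter "Name='$Name'" |
        Select-Object -First 1
    if (-not $coll) {
        $new = ([wmiclass]"$($wmiRef):SMS_Collection").CreateInstance()
        $new.Name = $Name
        $new.LimitToCollectionID = $AllSystems
        $new.CollectionType = 2            # 2 = device collection
        $new.RefreshType = 1               # 1 = manual update only: no membership rules yet, as in the post
        $coll = [wmi]($new.Put()).Path     # re-read to obtain the assigned CollectionID
    }
    # Move the collection from the root node (0) into the target folder.
    # Assumed SDK argument order: InstanceKeys[], ContainerNodeID, ObjectType, TargetContainerNodeID
    $items = [wmiclass]"$($wmiRef):SMS_ObjectContainerItem"
    $null = $items.MoveMembers([string[]]@($coll.CollectionID), [uint32]0, [uint32]$DeviceCollectionNode, [uint32]$FolderId)
    return $coll.CollectionID
}

$root    = New-EPFolder -Name 'Endpoint Protection'
$clients = New-EPFolder -Name 'Endpoint Protection Managed Clients' -ParentId $root
$servers = New-EPFolder -Name 'Endpoint Protection Managed Servers' -ParentId $root

foreach ($type in 'Desktops', 'Laptops') {
    New-EPCollection -Name "Endpoint Protection Managed $type" -FolderId $clients
}
# Server role collections from Step 2; add or remove roles to match your organization
$serverRoles = 'Configuration Manager', 'DHCP', 'IIS', 'Domain Controller', 'Exchange',
               'File Server', 'Hyper-V', 'Operations Manager', 'SharePoint', 'SQL Server 2008'
foreach ($role in $serverRoles) {
    New-EPCollection -Name "Endpoint Protection Managed Servers - $role" -FolderId $servers
}
```

Both functions are idempotent, so the script can be re-run after you add a role to the list without creating duplicate folders or collections.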

Step 3. Enable the Endpoint Protection role
Note: Perform the following on the CAS server as SMSadmin

The Endpoint Protection point site system role must be installed before you can use Endpoint Protection or before you can create custom Endpoint Protection client settings. It must be installed on one site system server only and it must be installed at the top of the hierarchy on a central administration site or a standalone primary site. As we have a hierarchy consisting of a CAS and child Primary, we will install the role on our CAS server. If you are following this guide and using only a standalone primary server then you must install the Endpoint Protection role on that server.

In the Administration workspace, expand Overview and expand Site Configuration, select Servers and Site System Roles. Right click on our CAS server and select Add Site System Roles.

add site system roles.png

make any changes necessary on the Add Site System roles Wizard screen and click next,

add site system roles wizard.png

Select the Endpoint Protection point role and take note of the popup screen. We already configured our SUP to synchronise Definition Updates in Part 5 of this series (http://www.windows-noob.com/forums/index.php?/topic/5683-using-system-center-2012-configuration-manager-part-5-adding-wsus-adding-the-sup-role-deploying-the-configuration-manager-client-agent/); if you have not completed that part yet please review it now, or alternatively you'll have to remove Configuration Manager as an update source in your Custom Antimalware Policies.

configuration manager pop up for endpoint protection point role.png

Accept the Endpoint Protection License based on your license agreement with Microsoft.

EULA.png

and select your MAPS membership type, which applies to your entire hierarchy as the default setting (this can be changed for all custom antimalware policies later). Select Advanced Membership.

 

Note: By joining MAPS, you will be able to avail of the dynamic signature service: http://technet.microsoft.com/en-us/library/hh508770.aspx

Join Microsoft Active Protection Service, to help to keep your computers more secure by supplying Microsoft with malware samples that can help Microsoft to keep antimalware definitions more up-to-date. Additionally, when you join Microsoft Active Protection Service, the Endpoint Protection client can use the dynamic signature service to download new definitions before they are published to Windows Update.

 

MAPS advanced membership.png

click your way through the rest of the wizard.

Within a few minutes you'll see the Endpoint Protection client (SCEP Client) appear in the system tray of your CAS Server.

SCEP client installed.png

Note: The installation of the SCEP client on the CAS server is normal behaviour and is expected. You must have the SCEP client installed on the ConfigMgr server hosting the Endpoint Protection role. This SCEP client is used to convert Antimalware IDs in the Configuration Manager database and can co-locate with another antivirus solution on this server if necessary. This SCEP client is currently unmanaged and does not scan for malware or use real-time protection unless you target this server with custom antimalware policies and custom client settings which enable this functionality.

Tip: you can review the EPSetup.log located at D:\Program Files\Microsoft Configuration Manager\Logs on the server to monitor role installation progress. Look for the line which states Installation was successful to reflect a successful installation of the Endpoint Protection Point role.

installation was successful.png

Step 4. Configure Alerts for Endpoint Protection.
Note: Perform the following on the CAS server as SMSadmin

You can configure Endpoint Protection alerts in System Center 2012 Configuration Manager to notify administrative users when specific security events occur in your hierarchy. Notifications display in the Endpoint Protection dashboard in the Configuration Manager console, in reports, and you can configure them to be emailed to specified recipients. - Technet: http://technet.microsoft.com/en-us/library/hh508782.aspx

Configure Email Notification (Optional)

If there is a malware outbreak in your organization you will want to be notified as soon as possible. Provided that there are no issues with your email servers or firewalls, you can get email notification within minutes of an outbreak, but only if you have first configured email notification. You will need access to an SMTP server to configure Email Notification Alerts. In the ConfigMgr console, click on Administration, expand Overview, expand Site Configuration, select Sites, click on Settings in the ribbon, click on Configure Site Components and select Email Notification.

email notification.png

Enter your desired settings for SMTP and click Apply. You can test your SMTP settings also by clicking on Test SMTP server. This will give you feedback as to whether the email was sent or not or whether there were problems contacting the SMTP server.

test smtp.png

As long as the test above didn't show any warning or error, now is a good time to check the inbox of the email address you specified in the test email recipient field, you should see a new (blank) email with the following Subject:

"This is a Test Email for Alert Notification Sent from System Center 2012 Configuration Manager."

 

Configure Alerts for device Collections
Note: You cannot configure alerts for User Collections.

Next we will configure alerts for our Endpoint Protection device collections. In this example we will use our Endpoint Protection Managed Servers - Configuration Manager collection, however you should repeat this process for each collection that you want to monitor for alerts in the Configuration Manager console, via the Endpoint Protection Reports (http://www.niallbrady.com/2012/06/27/how-can-i-view-hidden-endpoint-protection-reports-in-system-center-2012-configuration-manager/) and of course the Endpoint Protection Dashboard.

In Assets and Compliance, browse to the Endpoint Protection Managed Servers folder, and select the Endpoint Protection Managed Servers - Configuration Manager collection. Right click and choose properties. Click on the Alerts tab and place a checkmark in View this collection in the Endpoint Protection Dashboard and place a checkmark in those headings that interest you for client status and Endpoint Protection.

add alerts on collection.png

you can further configure the alert severity or other options (depending on the type of alert selected) in the Alerts screen once you've applied the above settings. In the example below the Repeated malware detection alert settings are listed.

repeated malware detection alert.png

Once you've configured all the Endpoint Protection collections for Alerting, you can review Endpoint Protection dashboard (System Center 2012 Endpoint Protection Status) in the Monitoring workspace and select one of our 13 collections from the drop down menu. The information provided will change as data flows in once we deploy custom client device settings and custom antimalware policies to our Endpoint Protection collections.

Collections with alerts enabled.png


Step 5. Add Forefront Endpoint Protection 2010 as a product and sync the SUP
Note: Perform the following on the CAS server as SMSadmin

If you want your clients to get their definition updates from Configuration Manager, then you'll need to configure your Software Update Point accordingly. Our SUP is already set up and configured as in Part 5 (http://www.windows-noob.com/forums/index.php?/topic/5683-using-system-center-2012-configuration-manager-part-5-adding-wsus-adding-the-sup-role-deploying-the-configuration-manager-client-agent/), which means it will check for definition updates and synchronize with Microsoft on a schedule of once per day. However, we need to add the Forefront Endpoint Protection 2010 product to our list of products to sync against, otherwise we won't see any Definition Updates appearing in our Software Update Point. In the Administration workspace, select Site Configuration, Sites, select our CAS server, and in the ribbon click on Settings, Configure Site Components, and select Software Update Point from the list.

software update point component.png

Select the Products tab, scroll down to Forefront and select Forefront Endpoint Protection 2010, click Apply.

Forefront Endpoint Protection 2010 product.png

Next we will force a sync to Microsoft, select the Software Library workspace, select Software Updates, right click on All Software Updates and choose Synchronize Software Updates. Answer Yes to the popup.

synchronize software updates.png

Tip: Review the wsyncmgr.log on the CAS server in D:\Program Files\Microsoft Configuration Manager\Logs to confirm that the sync has successfully completed. Look for a line that states Sync Succeeded. If it fails to sync make sure that the Update Services service on CAS has started.

sync succeeded.png
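The success lines this step and Step 3 tell you to look for (Sync Succeeded in wsyncmgr.log, Installation was successful in EPSetup.log) can be checked without opening CMTrace. The PowerShell below is an added example, not from the post: it parses the CMTrace line format those logs use and reports whether the newest matching success entry is newer than the newest error. The log folder is the one the post gives; the sample lines are constructed for the demonstration and their component names are placeholders.

```powershell
# Added example, not from the original post: parse ConfigMgr (CMTrace-format) logs and
# confirm the success lines the post says to look for in EPSetup.log and wsyncmgr.log.
$LogDir = 'D:\Program Files\Microsoft Configuration Manager\Logs'   # server log path from the post

function ConvertFrom-CMTraceLine {
    # One single-line CMTrace entry:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+offset" date="MM-dd-yyyy" component="..." ... type="1|2|3" ...>
    # (type 1 = Info, 2 = Warning, 3 = Error). Entries wrapped across physical lines are not handled here.
    param([string]$Line)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
    if ($Line -notmatch $pattern) { return $null }
    $clock = $Matches.time -replace '[+-]\d+$', ''      # drop the UTC-offset minutes CMTrace appends to the time
    [pscustomobject]@{
        Timestamp = [datetime]::ParseExact("$($Matches.date) $clock", 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        Component = $Matches.comp
        Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
        Message   = $Matches.msg
    }
}

function Test-CMLogSuccess {
    # $true when the newest line matching $SuccessPattern exists, is newer than the newest Error line,
    # and (if $MaxAgeHours is set) is not older than that many hours.
    param([string[]]$Lines, [string]$SuccessPattern, [int]$MaxAgeHours = 0)
    $entries = $Lines | ForEach-Object { ConvertFrom-CMTraceLine $_ } | Where-Object { $_ }
    $ok  = $entries | Where-Object { $_.Message -match $SuccessPattern } | Sort-Object Timestamp | Select-Object -Last 1
    $err = $entries | Where-Object { $_.Severity -eq 'Error' }             | Sort-Object Timestamp | Select-Object -Last 1
    if (-not $ok) { Write-Warning "No line matching '$SuccessPattern'"; return $false }
    if ($err -and $err.Timestamp -gt $ok.Timestamp) { Write-Warning "Error after last success: $($err.Message)"; return $false }
    if ($MaxAgeHours -gt 0 -and $ok.Timestamp -lt (Get-Date).AddHours(-$MaxAgeHours)) {
        Write-Warning "Last success ($($ok.Timestamp)) is older than $MaxAgeHours hours"; return $false
    }
    return $true
}

# Constructed sample lines (not real log output); component names are placeholders
$sampleEPSetup = @(
    '<![LOG[Installing Endpoint Protection Point role]LOG]!><time="10:14:02.100+000" date="07-04-2012" component="EPSetup" context="" type="1" thread="1234" file="epsetup.cpp:10">',
    '<![LOG[Installation was successful.]LOG]!><time="10:15:32.500+000" date="07-04-2012" component="EPSetup" context="" type="1" thread="1234" file="epsetup.cpp:99">'
)
Test-CMLogSuccess -Lines $sampleEPSetup -SuccessPattern 'Installation was successful'

# The real checks from Step 3 and Step 5 on the CAS:
Test-CMLogSuccess -Lines (Get-Content "$LogDir\EPSetup.log")  -SuccessPattern 'Installation was successful'
Test-CMLogSuccess -Lines (Get-Content "$LogDir\wsyncmgr.log") -SuccessPattern 'Sync Succeeded' -MaxAgeHours 24
```

The same parser can be pointed at a client's WUAHandler.log later in this post to confirm it is evaluating the Endpoint Protection definition updates.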


Step 6. Configure SUP to deliver Definition Updates using an Automatic Deployment Rule
Note: Perform the following on the CAS server as SMSadmin

Before starting this step create a folder on D:\sources\WindowsUpdates\EndpointProtection on the CAS server to store our Endpoint Protection definition Updates. Our sources folder is shared as sources.

In the Configuration Manager console, click Software Library, expand Software Updates, right click on Automatic Deployment Rules and choose Create Automatic Deployment Rule.

Create AutoDeployment Rule.png

Fill in the details as below. For the name use ADR: Endpoint Protection. The naming is important: think weeks, months and years ahead, when you or someone else is searching for that Automatic Deployment Rule; prepending ADR: Endpoint Protection will easily separate these ADRs from other ADRs created by you or other admins, for example for Patch Tuesday software updates.

For target collection choose the collection you want to target with these definition updates, in our example we will select the Endpoint Protection Managed Desktops collection.

ADR Endpoint Protection.png

On the Deployment Settings page of the wizard select Minimal from the Detail level drop-down list and then click Next, this reduces the content of State Messages returned and thus reduces Configuration Manager server load.

Deployment Settings.png

on the Software Updates page select Date Released or Revised, choose Last 1 day, and select Products, then select Forefront Protection 2010 from the list of available products.

last 1 day.png

for Evaluation Schedule, click on Customize and set it to run every 1 days,

Tip: notice that the Synchronization Schedule is listed below, make sure that the SUP synchronizes at least 2 hours before you evaluate for Forefront Endpoint Protection definition updates, there is no point checking for updates if we haven't synchronized yet.

Evaluation Schedule.png

for Deployment Schedule set Time based on: UTC if you want all clients in the hierarchy to install the latest definitions at the same time, this setting is a recommended best practice. For software available select 2 hours to allow sufficient time for the Deployment to reach all Distribution Points and select As soon as possible for the installation Deadline.

Note: Software update deadlines are randomized over a 2-hour period to prevent all clients from requesting an update at the same time.

Deployment Schedule.png

for the User Visual Experience select Hide from the drop down menu, as we don't want our users informed of new Definition Updates daily, and suppress restarts on Servers.

User Experience.png

for Alerts enable the option to generate an alert, set the compliance percentage to be equal to the SLA you expect for that site, in this example we'll select 85%.

Alerts.png

for Download Settings we want to be sure that our clients get these malware definitions regardless of whether they are on slow site boundaries or not, so we will set both options accordingly.

Download Settings.png

For Deployment Package we need to create a new Deployment Package, give it a suitable name like Endpoint Protection Definition Updates and point it to a previously created shared folder (\\cas\sources\WindowsUpdates\EndpointProtection).

Note: Make sure that \\cas\sources\WindowsUpdates\EndpointProtection exists otherwise the wizard will fail below when it tries to download as the network path won't exist. After running the ADR once, retire it by right clicking on the rule and select Disable (or delete) and create a new ADR except this time point the deployment package to the package which is now created called Endpoint Protection Definition Updates.

deployment package.png

For Distribution Points click on the drop down Add button and select distribution point, select our distribution point on our primary server (P01) and click ok.

distribution points.png

click your way through the rest of the Wizard until you reach the summary screen but before finishing the wizard click on save as template in order to speed up entering values in the remaining ADR's you'll be creating.

save as template.png

once done, complete the wizard and the template is ready for use the next time you create a new ADR.

Note: You must repeat the above process for each collection you want to target with Endpoint Protection definition updates delivered from Configuration Manager using an Automatic Deployment Rule.

Below is a screenshot showing the 13 additional ADR's I've created, note how the first ADR is disabled (that was used for creating the deployment package).

13 ADRs.png

Step 7. Configure custom antimalware policies
Note: Perform the following on the CAS server as SMSadmin.

Antimalware Policies for Endpoint Protection define how and where the computers get their definition updates, how and when to scan for malware, what to do when it's detected and a multitude of additional options. You can create many custom antimalware policies and target them (Deployment) to your Endpoint Protection collections. Microsoft provides several built-in policies out of the box that you can simply import and then deploy to your chosen collection.

Tip: Do not configure the default client AntiMalware Policy unless you are sure that you want these applied to all computers in your hierarchy. Custom antimalware policies always take precedence over Default antimalware policies as they have a higher priority.

On your CAS (you could do this action also on your Primary server P01 as AntiMalware Policies are Global Data and replicate accordingly), click Assets and Compliance, click Endpoint Protection, select Antimalware Policies. In the ribbon select Create Antimalware Policy

create custom antimalware policy.png

give the policy a suitable name like Custom Antimalware Policy - Endpoint Protection Managed Servers - Configuration Manager

custom antimalware policy - endpoint protection  managed servers - configuration manager.png

 

Tip: If you want to set the definition updates source to be a UNC file share then read this post.

I won't go into details about the specific settings you should enter, every customer is different. If you want details of what is recommended for a server or desktop then either import the built-in policies and use them, change them, merge them, examine them, or read Chapter 16 of the System Center 2012 Configuration Manager Unleashed book, or review this page on Technet: http://technet.microsoft.com/en-us/library/hh508785.aspx

Tip: Do you want your mobile clients to be patched regardless of whether they can contact your Configuration Manager server or not? If so, select both Windows Update and Configuration Manager as sources. In addition you can increase the frequency of checking for updates to a few times a day; even though Configuration Manager (in RTM) can only sync once a day, if you have a source pointing to Windows Update and a working internet connection then your clients can get patched against malware three times per day. The screenshot below is for your mobile clients (not necessarily for your Configuration Manager servers themselves).

definition updates sources.png

Once your custom Endpoint Protection antimalware policy is created, right click on it, and choose Deploy

Deploy.png

Target the policy to the appropriate collection - job done. Now repeat the above process for each Endpoint Protection collection you created. In the screenshot below a custom antimalware policy is being deployed to the Endpoint Protection Managed Servers - Configuration Manager collection, where I've placed both our CAS and P01 servers.

Deploy to Configuration Manager.png

TIP: you can merge two or more policies together to blend the settings, for example import an SQL Server 2008 policy and a Configuration Manager 2012 policy and you'll get a suitable custom antimalware policy for your Configuration Manager 2012 servers which have SQL on box.

Step 8. Configure custom device settings
Note: Perform the following on the CAS server as SMSadmin.

The above actions are all well and good but will do nothing until the clients receive policy to tell them that they are managed by Endpoint Protection. That is done via client settings, in particular the Endpoint Protection section. Custom Client Device Settings always take priority over the Default Client Settings. So let's create brand new custom client device settings.

Note: Do not configure the default client settings (for Endpoint Protection) unless you are sure that you want them applied to all computers in your hierarchy.

On your CAS Server (or the Primary server P01 as this is Global data), in the Administration workspace, right click on Client Settings and choose Create custom client device settings.

create custom client device settings.png

give it a suitable name like Custom Client Device Settings - Endpoint Protection Managed Servers - Configuration Manager and select Endpoint Protection from the list of options in the left pane.

custom device settings.png

 

set Manage Endpoint Protection Client on client computers to True if you want to manage your computers.

True.png

 

Note: Since Configuration Manager 2012 SP1 was released the Client settings have some new options, be aware that the first of these options may mean that your SCEP client does not install based on how you have configured those options, so please review these additional options if using Configuration Manager 2012 Sp1 (see below).

 

Custom client Device Settings updated since SP1.png

click ok when done, right click on the new custom settings and choose Deploy

 

deploy custom client settings.png

 

select our Endpoint Protection Managed Servers - Configuration Manager collection and continue through the wizard until completion.

Step 9. Verify it's working on a client
Note: Perform the following on a computer that is in a collection targeted with the custom client settings and custom antimalware policy.

 

Log on to a computer in the Endpoint Protection Managed Servers - Configuration Manager collection and start the System Center Endpoint Protection GUI; click on Help to see details about which policy is applied (RTM).

 

policy name.png

 

or check the registry to find out which policies are merged (SP1).

 

Note: If you are using System Center 2012 Configuration Manager Service Pack 1 then the SCEP client UI displays the Antimalware Policy differently, see this post for details.

 

Troubleshooting:

After the SCEP client is installed it will at first appear to be in an unmanaged state (until all policies are received and processed). As a result it will probably look as follows just after it has been installed.

real time protection off and out of date.png

To speed things up you can open the Configuration Manager client on that computer, click on the Actions tab and trigger a Machine Policy Retrieval and Evaluation Cycle (or wait until the allotted time for policy to refresh on the clients occurs).

actions tab.png

Once the clients have received and processed all policy, they will attempt to update the Antivirus Definitions from the sources listed in our custom antimalware policies, and once applied the SCEP client will show its familiar green. In the example screenshot below the SCEP client has updated itself to the latest available definition updates on my Configuration Manager server, and they were last synced (to the internet) 2 days ago. As this is a lab I have the ability to enable/disable internet for those computers and the last internet access available on my SUP was two days ago.

created 2 days ago.png

What this shows you is that it's working perfectly: it has received its custom Antimalware policy, it has updated itself using the SUP as the source and taken the latest available definition updates that were on the SUP.

The following log files will also aid in troubleshooting definition update retrieval. Browse to C:\Windows\Temp and look for the following log files:

  • MpCmdRun.Log
  • MpSigStub.Log

To get extensive log files open an administrative command prompt and cd to the following directory on the client,

C:\Program Files\Microsoft Security Client\Antimalware

and execute the following command

MpCmdRun.exe -getfiles

the following will be output

mpcmdrun.png

the log files are stored in C:\ProgramData\Microsoft\Microsoft Antimalware\Support and that directory in turn will contain a CAB file (MPSupportFiles.cab) which has several relevant log files to examine.

As a final note, review the WUAHandler.log on the computer in question to see that it is indeed checking for the Endpoint Protection definition updates, as per the screenshot below. If it is not pulling Definition Updates from Configuration Manager then WUAHandler.log will reveal the reason why (probably a group policy causing a conflict).

update (missing) Definition Update for Microsoft Endpoint Protection.png
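To do the Step 9 checks and the troubleshooting steps above in one go, here is an added PowerShell example (not from the post) to run in an elevated PowerShell on the client. It assumes the SCEP client exposes the root\Microsoft\SecurityClient WMI namespace, that the SP1 agent records the merged policy names as value names under HKLM\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy (an assumed key; the post does not name it), and that the Machine Policy Retrieval and Evaluation Cycle has schedule ID {00000000-0000-0000-0000-000000000021}.

```powershell
# Added example, not from the original post: verify the SCEP management state on a client
# (Step 9 / Troubleshooting) and trigger the same actions the post performs by hand.
$MaxSignatureAgeDays = 3    # assumption: how stale definitions may be before we flag them
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\CCM\EPAgent\LastAppliedPolicy'                 # assumed SP1 location of merged policy names
$MpCmdRun   = 'C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe'     # path from the post
$ClientLogs = 'C:\Windows\Temp\MpCmdRun.Log', 'C:\Windows\Temp\MpSigStub.Log',          # logs the post says to check
              "$env:windir\CCM\Logs\WUAHandler.log"

function Get-EPClientStatus {
    # Returns an object summarising install state, real-time protection, definition age,
    # applied policies and a list of problems with the log to look at for each.
    $r = [ordered]@{ Installed = $false; RealTimeProtection = $false; SignatureVersion = $null
                     SignatureAgeDays = $null; AppliedPolicies = @(); Problems = @() }
    $health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
    if (-not $health) {
        $r.Problems += 'SCEP client not installed (root\Microsoft\SecurityClient unavailable); check EndpointProtectionAgent.log'
        return [pscustomobject]$r
    }
    $r.Installed          = $true
    $r.RealTimeProtection = [bool]$health.RealTimeProtectionEnabled
    $r.SignatureVersion   = $health.AntivirusSignatureVersion
    $r.SignatureAgeDays   = [int]$health.AntivirusSignatureAge
    if (-not $health.AntivirusEnabled) { $r.Problems += 'Antivirus engine is disabled' }
    if (-not $r.RealTimeProtection)    { $r.Problems += 'Real-time protection is off (client still unmanaged or policy not yet applied)' }
    if ($r.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        $r.Problems += "Definitions are $($r.SignatureAgeDays) days old; check WUAHandler.log and the ADR deployment"
    }
    if (Test-Path $PolicyKey) {
        $r.AppliedPolicies = @((Get-Item $PolicyKey).GetValueNames())   # assumption: value names are the merged policy names (SP1)
    }
    if ($r.AppliedPolicies.Count -eq 0) { $r.Problems += 'No custom antimalware policy recorded (SP1 key absent or empty)' }
    foreach ($log in $ClientLogs) { if (-not (Test-Path $log)) { $r.Problems += "Log not found: $log" } }
    return [pscustomobject]$r
}

function Invoke-EPMachinePolicyRefresh {
    # Same as the Actions tab > Machine Policy Retrieval and Evaluation Cycle
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000021}'
}

function Export-EPSupportFiles {
    # Same as running "MpCmdRun.exe -getfiles"; the CAB lands in C:\ProgramData\Microsoft\Microsoft Antimalware\Support
    & $MpCmdRun -getfiles
}

$status = Get-EPClientStatus
$status | Format-List
# A freshly installed client usually reports real-time protection off and no policy:
# request policy now instead of waiting for the next scheduled refresh.
if ($status.Installed -and $status.Problems.Count -gt 0) { $null = Invoke-EPMachinePolicyRefresh }
```

Run Export-EPSupportFiles only when a problem remains after the policy has been applied, since collecting the support CAB takes a while on a busy client.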

If you are having issues with the client installing or getting the Endpoint Protection role installed please refer to the following Endpoint Protection Log files (http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_EPLog).

  • EndpointProtectionAgent.log - Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.
  • EPCtrlMgr.log - Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.
  • EPMgr.log - Monitors the status of the Endpoint Protection site system role.
  • EPSetup.log - Provides information about the installation of the Endpoint Protection site system role.


Recommended Reading:

Introduction to Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh508781.aspx
Planning for Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh508763.aspx
Configuring Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh508764.aspx

Prerequisites for Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh508780.aspx
Best Practices for Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh508771.aspx
Administrator Workflow for Endpoint Protection in Configuration Manager - http://technet.microsoft.com/en-us/library/hh526775.aspx

Please continue to the next post in this series.


Hey Dude,

This is my first post. I think this is an awesome guide! However, following the deployment of the Endpoint Protection client to my workstations\servers, I have noticed that the Endpoint Protection client disabled Remote Desktop through the firewall. I have looked through the firewall policies in Configuration Manager and can't find anything so I can allow this. It's going to be a nightmare opening all that up on all workstations; is there not a way where Endpoint Protection uses the same config as previous (e.g. the current rules in Windows Firewall)?

Any help?

Cheers,

Alex.


Great tutorials!

Question:

First you made an ADR which deploys the definition updates to the clients. The time specified here is 2 AM (two hours after the SUP).

Later, when you define the custom Endpoint Protection policy, there is the option to specify an update interval and source:

http://www.windows-noob.com/forums/index.php?app=core&module=attach&section=attach&attach_rel_module=post&attach_id=7929

Should I only enable 'Updates distributed from Configuration Manager' here?

And what does the 'Check for Endpoint definitions' interval do? I mean, you created an ADR already; don't these two conflict with each other?

The ADR pushes the updates to the clients, so there is no need to check it from here?


The ADR does not push the updates to the clients; it merely makes the policy available to the clients, informing them at their next policy update that these definition updates are available. The ADR also places these updates in the Deployment Package on whatever distribution points you selected.

If the clients receive that policy, and if they have the source selected as ConfigMgr (amongst others), then they can retrieve the definition updates via ConfigMgr. When you define additional sources you do so for 'failover'; plus, as ConfigMgr 2012 RTM syncs the SUP only once per day and SCEP updates are released at least three times per day, you may want to configure the SCEP antimalware client policy to use other sources as I explained.

Good luck :)


I am having some weird issues with Forefront e-mail alerts. They worked perfectly in 2007 once I got by the configuration hurdles; however in 2012 I cannot for the life of me figure out why they are not working:

I have deployed a client policy for Forefront and confirmed that the policy is applying.

I have deployed a default antimalware policy and it is applying as well.

I have confirmed that my SMTP settings are working and that I can send a test e-mail.

I have configured antimalware detection and outbreak alerts on the collection of which my test box is a member.

I have configured a subscription to the said alerts and assigned my email as the recipient.

When I download the EICAR test file from http://eicar.org/86-...tended-use.html it is immediately detected by Forefront; within about 20-40 seconds it is removed and reported as such under the malware detection alert. However no e-mail alert is being triggered and sent to my account. I cannot for the life of me figure out why, as in my opinion the alert trigger criteria are being met...

Any ideas as to why this would not be working?

Thanks


I have done some more digging and it seems that each time I try to generate an alert, this is logged under component status for SMS_ENDPOINT_PROTECTION_MANAGER:

Endpoint Protection Manager failed to generate malware detection alerts for type:"31". Verify that the site database is configured correctly. Error code returned is:"0x87d20002".

I removed and re-added the Forefront Protection role on my primary site server and this problem still has not been resolved.

Any ideas... I am desperate.


Hello,

In the antimalware policy, when I select just "Updates distributed from Configuration Manager" the Endpoint Protection update doesn't work.

In MpCmdRun.log, I see that the update tries to access the internet. I have the following error:

MpCmdRun: Command Line: "c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob -UnmanagedUpdate
Start Time: di sep 18 2012 19:26:55

Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: http://www.microsoft.com)...

If I select "Updates distributed from WSUS", the update is working fine.

Could you advise?

Thanks in advance.


I have exactly the same error: to update my Forefront client, I must use "WSUS Update".

I think there is a mistake in this tutorial because if you want to update FEP via SCCM, you must create a Software Update Point on your server, and this role represents a WSUS point. That's why you must select "WSUS Update".

But I don't understand the selection "Update from Configuration Manager" in the Default Antimalware Policy.

Yo


Hi,

I don't have a CAS server.

My configuration:

  1. WSUS SERVER: Software Update Point.
  2. SCCM SERVER (primary site): Endpoint Protection Point and Distribution Point.

Which kind of logs do you want?

Below: the windowsupdate.log from start of manual:

2012-09-21 14:05:29:879 1744 197c Misc =========== Logging initialized (build: 7.6.7600.256, tz: +0200) ===========

2012-09-21 14:05:29:879 1744 197c Misc = Process: C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe

2012-09-21 14:05:29:879 1744 197c Misc = Module: C:\Windows\system32\wuapi.dll

2012-09-21 14:05:29:879 1744 197c COMAPI -------------

2012-09-21 14:05:29:879 1744 197c COMAPI -- START -- COMAPI: Search [ClientId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:05:29:879 1744 197c COMAPI ---------

2012-09-21 14:05:29:949 884 ff8 Agent *************

2012-09-21 14:05:29:949 884 ff8 Agent ** START ** Agent: Finding updates [CallerId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:05:29:950 884 ff8 Agent *********

2012-09-21 14:05:29:950 884 ff8 Agent * Online = Yes; Ignore download priority = No

2012-09-21 14:05:29:950 884 ff8 Agent * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"

2012-09-21 14:05:29:950 884 ff8 Agent * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service

2012-09-21 14:05:29:950 884 ff8 Agent * Search Scope = {Machine}

2012-09-21 14:05:29:950 1744 197c COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:05:30:000 884 ff8 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2012-09-21 14:05:30:038 884 ff8 Misc Microsoft signed: Yes

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:06:35:311 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:07:40:585 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:08:45:866 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc WARNING: DownloadFileInternal failed for http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2

2012-09-21 14:09:51:138 884 ff8 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2012-09-21 14:09:51:141 884 ff8 Misc Microsoft signed: Yes

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:10:35:395 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:11:19:654 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:12:03:920 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc WARNING: DownloadFileInternal failed for http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2

2012-09-21 14:12:48:176 884 ff8 Misc Validating signature for C:\Windows\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:

2012-09-21 14:12:48:179 884 ff8 Misc Microsoft signed: Yes

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:13:11:438 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:13:34:698 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:13:57:958 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: Send failed with hr = 80072ee2.

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation MakeRequest failed. error 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: WinHttp: SendRequestToServerForFileInformation failed with 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: WinHttp: ShouldFileBeDownloaded failed with 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Misc WARNING: DownloadFileInternal failed for http://www.update.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab: error 0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Agent WARNING: Failed to obtain the authorization cab URLs, hr=0x80072ee2

2012-09-21 14:14:21:220 884 ff8 Agent * WARNING: Online service registration/service ID resolution failed, hr=0x80072EE2

2012-09-21 14:14:21:314 884 ff8 Agent * WARNING: Exit code = 0x80072EE2

2012-09-21 14:14:21:314 884 ff8 Agent *********

2012-09-21 14:14:21:314 884 ff8 Agent ** END ** Agent: Finding updates [CallerId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:14:21:314 884 ff8 Agent *************

2012-09-21 14:14:21:314 884 ff8 Agent WARNING: WU client failed Searching for update with error 0x80072ee2

2012-09-21 14:14:21:315 1744 f70 COMAPI >>-- RESUMED -- COMAPI: Search [ClientId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:14:21:316 1744 f70 COMAPI - Updates found = 0

2012-09-21 14:14:21:316 1744 f70 COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2

2012-09-21 14:14:21:316 1744 f70 COMAPI ---------

2012-09-21 14:14:21:316 1744 f70 COMAPI -- END -- COMAPI: Search [ClientId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]

2012-09-21 14:14:21:316 1744 f70 COMAPI -------------

2012-09-21 14:14:21:316 1744 434 COMAPI WARNING: Operation failed due to earlier error, hr=80072EE2

2012-09-21 14:14:21:316 1744 434 COMAPI FATAL: Unable to complete asynchronous search. (hr=80072EE2)

2012-09-21 14:14:26:335 884 ff8 Report REPORT EVENT: {D1C5A894-8C00-4B4F-853B-7EE51A386FD3} 2012-09-21 14:14:21:314+0200 1 148 101 {00000000-0000-0000-0000-000000000000} 0 80072ee2 System Center 2012 Endpoint Pro Failure Software Synchronization Windows Update Client failed to detect with error 0x80072ee2.

2012-09-21 14:14:26:390 884 ff8 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8

2012-09-21 14:14:26:390 884 ff8 Report WER Report sent: 7.6.7600.256 0x80072ee2 00000000-0000-0000-0000-000000000000 Scan 101 Unmanaged

2012-09-21 14:14:26:390 884 ff8 Report CWERReporter finishing event handling. (00000000)

Thanks in advance.

cheers,
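An added example, not part of the thread, for reading a log like the one above without scrolling through the retries: it isolates the most recent search the SCEP client started, then reports which update service that search was sent to (the ServiceID line), which URLs were tried, and the final result code. The service-ID-to-name mapping and the sample lines (constructed from the excerpt above) are assumptions of the example, not something the poster supplied.

```powershell
# Added example, not part of the original thread. Summarises what the SCEP
# signature search in WindowsUpdate.log did: which service it asked, which
# URLs it tried, and how it ended. Sample lines are constructed from the
# excerpt in the thread; point the function at the real log to analyse a client.

# Well-known Windows Update service IDs (mapping assumed from Microsoft documentation).
$ServiceNames = @{
    '7971F918-A847-4430-9279-4A52D1EFE18D' = 'Microsoft Update (internet)'
    '9482F4B4-E343-43B6-B170-9A65BC822C77' = 'Windows Update (internet)'
    '3DA21691-E39D-4DA6-8A4B-B43877BCB1B7' = 'WSUS, i.e. the ConfigMgr software update point'
}

function Get-ScepSearchSummary {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    # Only look at the most recent search the SCEP client started; a real log holds many.
    $startPattern = 'START -- COMAPI: Search \[ClientId = System Center 2012 Endpoint Protection'
    $starts = @($Lines | Select-String -Pattern $startPattern)
    if ($starts.Count -eq 0) { throw 'No SCEP search found in the supplied log lines' }
    $Lines = $Lines[($starts[-1].LineNumber - 1)..($Lines.Count - 1)]

    $service = $null; $result = $null; $urls = @()
    foreach ($line in $Lines) {
        if ($line -match 'ServiceID = \{(?<id>[0-9A-Fa-f-]{36})\}') { $service = $Matches.id }
        if ($line -match 'failed for <(?<url>[^>]+)>')            { $urls += $Matches.url }
        if ($line -match 'Result code = (?<hr>0x[0-9A-Fa-f]{8})')  { $result = $Matches.hr }
    }

    # Hashtable keys and -eq are case-insensitive in PowerShell, so the GUID/hex case does not matter.
    $serviceName = if ($service -and $ServiceNames.ContainsKey($service)) { $ServiceNames[$service] } else { 'unknown' }
    if     ($result -eq '0x80072EE2') { $verdict = 'Timed out reaching the update service (ERROR_INTERNET_TIMEOUT)' }
    elseif ($result -eq '0x00000000') { $verdict = 'Search succeeded' }
    elseif ($result)                  { $verdict = "See result code $result" }
    else                              { $verdict = 'No result code found in this search' }

    [pscustomobject]@{
        ServiceID      = $service
        ServiceName    = $serviceName
        WentToInternet = ($serviceName -like '*internet*')
        UrlsTried      = @($urls | Select-Object -Unique)
        ResultCode     = $result
        Verdict        = $verdict
    }
}

# Constructed sample: a handful of lines taken from the excerpt posted above.
$sampleLog = @'
2012-09-21 14:05:29:879 1744 197c COMAPI -- START -- COMAPI: Search [ClientId = System Center 2012 Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
2012-09-21 14:05:29:950 884 ff8 Agent * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
2012-09-21 14:06:35:311 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.windowsupdate.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2012-09-21 14:10:35:395 884 ff8 Misc WARNING: WinHttp: SendRequestUsingProxy failed for <http://download.microsoft.com/v9/1/windowsupdate/redir/muv4wuredir.cab>. error 0x80072ee2
2012-09-21 14:14:21:314 884 ff8 Agent WARNING: WU client failed Searching for update with error 0x80072ee2
2012-09-21 14:14:21:316 1744 f70 COMAPI - WARNING: Exit code = 0x00000000, Result code = 0x80072EE2
'@ -split "`r?`n"

Get-ScepSearchSummary -Lines $sampleLog | Format-List
# On a real client: Get-ScepSearchSummary -Lines (Get-Content "$env:windir\WindowsUpdate.log")
```

For the posted log the summary comes back with ServiceName "Microsoft Update (internet)", WentToInternet True and the timeout verdict, which is the fact worth knowing from a 200-line dump: the search that failed was the client's own Microsoft Update lookup, not a scan against the WSUS service ID, so WSUS or SUP settings are not what is timing out.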
