Endpoint Protection
Configuration Manager 2007 provided Endpoint Protection as an add-on. In the newest release of Configuration Manager 2012 and 2012 R2, this is a built-in feature. Endpoint Protection allows IT administrators to monitor and control the security state of the client workstations from one console and perform easy administration tasks.
Integrating client management and client security in one console cuts down costs. IT administrators now focus on end-to-end security tasks and manage, report, and react to issues with clients from a common console. The best features of Endpoint Protection are as follows:
- Licensing: To implement Endpoint Protection, you need to have a license to use it. The license is called Core Client Access License or CAL.
- Customizable: You can create custom client settings and target different device collections. You can find preconfigured malware policies to speed up the deployment process.
- Separate client: Endpoint Protection uses a different client from the one that the Configuration Manager uses. The functionalities of the System Center Endpoint Protection client are:
- Easy to deploy
- Autouninstallation of third-party software
- Malware and spyware detection and remediation
- Rootkit detection and remediation
- Vulnerability assessment and automatic definition updates
- Integrated with the Windows firewall
- Network vulnerability detection using a network inspection system
In System Center Configuration Manager 2012 and 2012 R2, in order to configure Endpoint Protection, you need to enable the site system role. You do not have to run a separate installer, and you also don't need a different console. You can go to the Monitoring section and see the Endpoint Protection menu. The administration of Endpoint Protection is very simple because it is role-based. You can create security roles and assign them to specific users from your company. System Center Endpoint Protection, on a target client machine, is installed together with the Configuration Manager client. If no other malware policy exists, the default malware policy is included in it. This happens when System Center Endpoint Protection is enabled in the default client settings. Endpoint Protection uses the same database as the Configuration Manager, so you do not need to install a separate database. Endpoint Protection uses real-time e-mail notifications.
Prerequisites for Endpoint Protection
Before installing Endpoint Protection, you have to fulfill these prerequisites:
- Windows Server Update Services are required if you are using the Configuration Manager software update point role to deliver antimalware definition updates.
- If you want to deploy firewall policies to Windows Server 2008 or Windows Vista SP1, you must install this hotfix:
- One of the options for client computers to synchronize antimalware definition updates is to have Internet access.
- The Endpoint Protection site system role must be running on your central administration site or on a primary site and on a site system server only.
- A software update point must be installed and configured in order to deliver definitions and updates.
- You must install reporting services and the reporting services point to display Endpoint Protection reports.
- Security permissions must be defined to manage Endpoint Protection. There is a built-in security role called Endpoint Protection Manager; this grants permissions to define and monitor security policies.
Planning for Endpoint Protection
Enabling the Endpoint Protection point site system role is very easy, but you should carefully plan how you will deploy agents in your hierarchy. It is strongly recommended that you don't use the default client settings, as this will propagate them to all the clients.
Creating client settings and antimalware policies
A best practice is to create custom client settings for Endpoint Protection and to deploy them to a collection that is created only for Endpoint Protection. You can create many custom client settings for Endpoint Protection to target computers with settings suited for function and purpose. Also, a good practice is to create different policies for servers and clients because you want to configure them in a way such that you can ignore or bypass certain Windows processes, processors, and disk load that would degrade the server's performance. You should create different antimalware policies for the different server platforms they target. Microsoft also provides server-specific antimalware policies that you can import and customize according to your needs. A good example of one of these policies is the built-in policy for Configuration Manager 2012, which is SCEP12_Default_ConfigMgr2012.xml. This policy combines the default server's workload policy settings with settings that are optimized for System Center 2012 Configuration Manager, in particular the settings for file and folder exclusions. The logic here is that server-specific roles do certain things repeatedly and consistently, and you want your antimalware solution to exclude certain processes and files that are regularly used by that specific server role.
A failure to add these exclusions can affect the server performance and cause additional issues, such as loss of communication and network issues.
Deploying to a test collection
Prior to the initial setup of Endpoint Protection in your hierarchy, you should always deploy the agent to a test collection in order to test the settings. This will verify that your custom client settings and antimalware policies function properly on the target system. A definition or an engine update can cause problems on the client computer. Usually, these problems manifest as a blue screen of death or in some hardware scenarios. Some updates even block files that might be vital to the business. When you face this kind of a scenario, you can deploy a script through packages/programs. The script should run the following command:
MpCmdRun.exe -RemoveDefinitions [-All]
This will remove any updates and will revert to the previous definition. Also, make sure that you prevent the client from installing the updates again. Endpoint Protection in System Center Configuration Manager 2012 does not contain any of the collections that the Configuration Manager 2007 add-on came with. Those collections were used to sort computers with malware-related issues into predefined, locked query-based collections. You could not edit or view the queries in such collections; however, third parties later released the contents of these queries online in an Excel format, just in case you want to recreate the collections. You don't have to create these collections in System Center 2012 Endpoint Protection; the Endpoint Protection status dashboard replaces this functionality by letting you see the malware and operational state of the entire selected collection. These items are clickable, allowing the administrator to drill down into reports or take recommended actions. Here are the malware remediation status items that are viewable in the dashboard:
- Remediation failed
- Full scan required
- Restart required
- Offline scan required
- Client settings modified by malware
- Malware remediated in the last 24 hours
In addition to the functionality in the dashboard, you can easily build collections based on the new Endpoint Protection classes; these are the same classes as the ones used in the predefined FEP 2010 collections, making those collections unnecessary as you can easily build your own. You have to create separate custom client and antimalware policies and then target device collections. To do this, you can create folders specific to Endpoint Protection, such as:
- Endpoint Protection managed client computers
- Endpoint Protection managed server
After this, you can put a device collection into these folders and target them with different custom client settings and antimalware policies. Servers are critical to the organization, so you should create multiple server device collections to separate different server roles. This is a best practice because SQL Server should be treated differently than Hyper-V hosts or other types of servers, for example, a Web server.
The suggested device collection name for Windows client computers is Endpoint Protection Managed Desktop and Laptops, which can be created in the Endpoint Protection managed client computers' folder that we talked about earlier. Use these device collections only for Endpoint Protection, and create other device collections for other deployments. Here is a list of the suggested collections:
- Endpoint Protection Managed Servers – Domain Controller
- Endpoint Protection Managed Servers – Exchange
- Endpoint Protection Managed Servers – Operations Manager
- Endpoint Protection Managed Servers – Configuration Manager
- Endpoint Protection Managed Servers – SQL 2008
- Endpoint Protection Managed Servers – File Server
- Endpoint Protection Managed Servers – Service Manager
- Endpoint Protection Managed Servers – Data Protection Manager
- Endpoint Protection Managed Servers – IIS Web Server
- Endpoint Protection Managed Servers – Hyper-V
- Endpoint Protection Managed Servers – Terminal Server
- Endpoint Protection Managed Servers – Other Servers
You should place all of the device collections in the Endpoint Protection Managed Servers folder and target them with antimalware policies that best suit them. The key point here is to target specific server roles with customized antimalware rule sets configured to allow optimum performance and availability, even when they are protected via Endpoint Protection. The SCEP client can handle servers in multiple device collections targeted by multiple antimalware policies; however, the policy with the highest priority takes precedence. You can also mix policies for different server roles and combine them into one.
Installing the Endpoint Protection role
Prior to installing the Endpoint Protection role, you must determine its place in the Configuration Manager hierarchy. If you have multiple sites in your hierarchy, you have to install the role on top of these sites in your Central Administration site. If you have a standalone primary site, you have to install the role on it. The Endpoint Protection role can be installed only on one site system server in the Configuration Manager hierarchy. When you enable the Endpoint Protection role, the following actions are performed:
- You are presented with the EULA or the end user's license agreement
- The default Microsoft active protection service configuration is set
- The System Center Endpoint Protection client is installed on the server hosting the role
When you enable the Endpoint Protection role, the Endpoint Protection client is installed on the machine hosting this role. This client is used to download and host the definition file. The server then polls this client and gets the malware data into the database. The client doesn't have scans and services enabled, so it can run together with other antimalware solutions on the server. The following example is for a hierarchy containing multiple sites:
- Go to the Administration section. In the navigation tree on the left-hand side, select Overview and expand Site Configuration. Then, select Servers and Site System Roles. Here, you will be able to see all the installed site systems:
- Select the CAS site server or the standalone primary server and right-click on it. Select Add Site System Roles.
- When you reach the system role page of the add site system role wizard or create site system server wizard, select Endpoint Protection point. The wizard looks for the Software Update Point role. If it is not installed, you need to install it. If you choose to go through without the software update point, then you have to adjust the default antimalware policy to prevent it from retrieving updates from Configuration Manager:
- On the Endpoint Protection page, you must accept the license terms and continue with the wizard.
- On the Microsoft active protection service page, you can choose from the following three options available:
- I do not want to join Microsoft active protection service
- Basic membership
- Advanced membership
Microsoft active protection service or MAPS, formerly known as SpyNet, allows you to send information to Microsoft about the software you detect. This data is used for the creation of new definitions that improve the security and protection levels of your infrastructure. The second option allows you to join the information exchange. With advanced membership, MAPS sends more detailed information about the detected software and alerts the user. A best practice is to choose basic membership because it provides you with a higher level of security.
- Go through the remaining steps of the wizard. You can change MAPS's membership settings if you go to the Administration section and navigate to Overview | Site Configuration | Server and Site Systems. Select the site server from the list, right-click on the Endpoint Protection point, and select Properties in the details pane at the bottom. You can verify the successful installation of the Endpoint Protection role by taking a look at the EPsetup.log file contained in the server's logfile directory for any errors. Here, you should see lines similar to the following:
SMSEP Setup Started....
Installing the SMSEP
Unable to query registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client), return (0x00000002) means EP client is NOT installed
Installation was successful.
Setting up a software update point for Endpoint Protection
If you want to use the software update point role to synchronize and use software updates in order to automatically download and deploy definition updates to your Endpoint Protection client, you must configure it properly. It allows you to synchronize with the Microsoft Windows update on a predefined schedule in order to enable protection for your client machines. It downloads the latest antimalware and engine updates in an automated way. After the download, the updates need to be deployed. This can be done by creating automatic deployment rules. This is an optional way of doing it; you can also perform the tasks manually.
Configuring the SUP to synchronize definition updates
In order to deliver the Endpoint Protection engine and definition updates from the software update point, you must ensure that it is configured to synchronize Definition Updates, as shown in the following screenshot:
Here, you can configure which updates will be synchronized by the SUP. Also, select the Forefront Endpoint Protection 2010 product, which is listed in the Products tab, as shown in the following screenshot:
Don't get confused by the version mismatch between System Center Configuration Manager 2012 and Endpoint Protection 2010, because the Endpoint Protection 2010 version is included in the Configuration Manager 2012 version.
Endpoint Protection definition updates are released several times per day, so you should configure them for download at least once per day. To configure SUP with these changes on the Central Administration site or the standalone primary site, perform the following steps:
- Go to the Administration workspace.
- Navigate to Overview | Site Configuration | Sites and, from the list, select CAS. Click on Settings in the ribbon bar. Select Configure Site Components from the drop-down menu and click on Software Update Point.
- Select the Classification tab, check Definition Updates, and click on Apply.
- Select the Products tab and check Forefront Endpoint Protection 2010 from the list.
- Select the Sync Schedule tab and adjust the schedule to Simple Schedule for every 1 days. To set the actual time, go to Custom Schedule.
- Click on OK to initiate the synchronization as soon as possible.
Creating autodeployment rules for definition updates
The software update point is used for the new autodeployment rules feature. This eliminates the need to approve updates in WSUS. They can also be easily scaled. This feature gives instructions to automatically download and deploy specific software updates on a predefined schedule. To configure Automatic Deploy Rules (ADR) for Endpoint Protection, perform the following steps:
- Go to the Software Library workspace.
- Select Software Updates and expand All Software Updates. Right-click on it and choose Run Synchronization. You can verify that the synchronization is complete at the site by the following methods:
- Review Software Update Point Synchronization Status in the Monitoring workspace. Verify that the synchronization status is completed.
- Review SMS_WSUS_SYNC_MANAGER and look for WSUS message ID 6702. Verify that the synchronization status is completed.
- Review the WSUSsyncmgr.log file and look for Sync Succeeded.
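The two log checks the text describes (Installation was successful. in EPsetup.log, Sync Succeeded in the synchronization log) can be automated. The following is an added example, not code from the book or from Configuration Manager: it parses the CMTrace entry format these logs use and reports the success marker and any warning or error entries; all log lines, component names and host names in it are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# A CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..."
# context="" type="N" thread="..." file="...">, where type 1 = info,
# 2 = warning, 3 = error. Messages may span several lines, hence DOTALL.
_ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+type="(?P<type>\d)"',
    re.DOTALL,
)


@dataclass
class LogEntry:
    date: str
    time: str
    component: str
    severity: int
    message: str


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Return every entry found in CMTrace-format log text."""
    return [
        LogEntry(m["date"], m["time"], m["component"], int(m["type"]), m["msg"].strip())
        for m in _ENTRY.finditer(text)
    ]


def check_log(text: str, success_marker: str) -> Dict[str, object]:
    """Report whether the success marker appears (case-insensitive) and list
    warning/error entries. Informational entries are never reported, so the
    "EP client is NOT installed" line from EPsetup.log, which the text says is
    expected, does not surface as a problem."""
    entries = parse_cmtrace(text)
    marker = success_marker.lower()
    return {
        "entries": len(entries),
        "succeeded": any(marker in e.message.lower() for e in entries),
        "problems": [f"{e.component}: {e.message}" for e in entries if e.severity >= 2],
    }


def _line(msg: str, severity: int, component: str) -> str:
    # Constructed sample entry; time/date/thread/file values are placeholders.
    return (f'<![LOG[{msg}]LOG]!><time="10:15:02.113+000" date="03-10-2014" '
            f'component="{component}" context="" type="{severity}" '
            f'thread="4120" file="constructed.cpp:1">')


# Constructed EPsetup.log excerpt mirroring the lines quoted in the text.
EPSETUP_SAMPLE = "\n".join([
    _line("SMSEP Setup Started....", 1, "EPSETUP"),
    _line("Installing the SMSEP", 1, "EPSETUP"),
    _line(r"Unable to query registry key (SOFTWARE\Microsoft\Windows\CurrentVersion"
          r"\Uninstall\Microsoft Security Client), return (0x00000002) means EP client "
          "is NOT installed", 1, "EPSETUP"),
    _line("Installation was successful.", 1, "EPSETUP"),
])

# Constructed synchronization log excerpts: one successful run, one failed run.
WSYNC_OK = _line("Sync succeeded. Setting sync alert to canceled state on site CAS",
                 1, "SMS_WSUS_SYNC_MANAGER")
WSYNC_FAILED = "\n".join([
    _line("Synchronizing WSUS server cas01.example.local", 1, "SMS_WSUS_SYNC_MANAGER"),
    _line("Sync failed: WSUS server not configured. Please refer to WCM.log for "
          "configuration error details.", 3, "SMS_WSUS_SYNC_MANAGER"),
])

if __name__ == "__main__":
    print(check_log(EPSETUP_SAMPLE, "Installation was successful"))
    print(check_log(WSYNC_FAILED, "Sync Succeeded"))
```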
- Expand Software Updates and select Automatic Deployment Rules.
- In the ribbon bar, click on Create Automatic Deployment Rule. This starts the automatic deployment rule wizard. Here, you can give the rule a name, such as ADR: Endpoint protection managed client computers, and point it to a collection you want to target. As you will update this collection regularly, select Add to an existing Software Update Group, as shown in the following screenshot:
- The Deployment Settings page of the wizard lets you select Use Wake-on-LAN to wake up the client machines for the required deployments. This is useful when you need to deploy updates during the night, when the client machines are turned off. Starting with Configuration Manager 2012 R2, you can define templates. These templates have preconfigured settings for Definition Updates:
- On the Software Updates page, you can choose the parameters you want to check when ADR runs.
- In the Evaluation Schedule section, click on Customize and set it to run every 1 days. Also, make sure that the ADR schedule does not exceed the SUP schedule, because you will evaluate for new definitions and your SUP synchronizes once per day.
- In the Deployment Schedule screen, you can set the time based on UTC. This allows clients to install updates at the same time. This setting is a recommended best practice.
- On the User Experience page, you can hide the definition update notifications because they can occur frequently. Select Hide in the software center, and select all the notifications from the drop-down menu.
- On the Alerts page, you can enable options to generate alerts according to your SLA agreement.
- On the Download Settings page, you can specify the download settings for these definition updates.
- On the Deployment Package page, there are two options:
- Select deployment package: You can use this option when you have a deployment package already created
- Create a new deployment package: You can use this option when you want to create a new deployment package
- Go through the rest of the wizard and review the summary. You can wait for the ADR to run automatically or you can run it manually. If it runs successfully, it will display Last Error Description of Success and Last Error Code 0x00000000. The rule can also be disabled and enabled at any time.
Working with antimalware policies
Antimalware policies define how the SCEP client is configured for key security behaviors, such as scheduled scans, scan settings, actions to be taken if malware is found, real-time protection, behavior monitoring, exclusion settings, where to get the definition updates from, and much more. These topics are discussed in the following sections.
Understanding the default antimalware policy
The default client antimalware policy is the policy applied to the client at initial installation. The settings that are contained in this policy are divided into sections. Each section has the following configurable options:
- Scheduled scans: This option allows you to specify whether to run scans on target computers or not. There are two options under this setting: full scan and quick scan. A full scan takes more time to complete because it scans everything and everywhere. You can set the day and time for the full scan setting. You can also configure the target computer to look for updates before the full scan and to perform the full scan only when the client is idle.
- Scan settings: Here, you can define whether you want to scan e-mails, attachments, archived files, or removable devices. You can also scan network drives, but make sure that they are on a fast network because the scan will take longer to finish.
- Default actions: In Endpoint Protection, four levels are defined for the malware: severe, high, medium, and low. When malware is detected, it is rated with one of these levels. When malware with a severe risk level is detected, you can set a default action to be applied.
- Real-time protection: This setting lets you scan files and processes in real time. To enable real-time protection, just set it to true in the default antimalware policy.
- Exclusion settings: These are very important because they let you mark folders that will not be part of the scanning process. These folders are used by a known application and processes that perform read and write operations in them so that you know that they are not suspicious and you can exclude them from the scan.
- Advanced: The advanced settings allow you to create a system restore point before the target computer is cleaned of the malware. You can set up notifications for the end users, when users need to perform certain actions.
- Threat overrides: Regarding threat overrides, there are three options: allow, remove, or quarantine. These actions are applied when certain types of malware or viruses are detected.
- Definition updates: This setting defines how frequently the System Center Endpoint Protection agent will update definitions. You can set different update intervals for definition updates, such as in specific hours or at a specific time of the day. You can also set the source for the updates. It can be Configuration Manager, UNC file share, WSUS, Microsoft update, or Microsoft Malware Protection Center.
Creating a custom antimalware policy
In every section of the antimalware policy, you will find the statement custom policies override the default policy. This is a reminder that a best practice is to always create a custom policy and configure it according to your needs. After you create the policy, be sure to test it on some device collection containing computers.
Importing and merging antimalware policies
As mentioned earlier, there are several examples of antimalware policies provided by Microsoft. You can import them and combine them together to create a new policy. To import a policy, you have to do the following:
- Go to the Assets and Compliance section. From the navigation tree, navigate to Overview | Endpoint Protection | Antimalware Policies.
- From the ribbon bar, select Import.
- Select the policy you want to import.
- When the import is complete, the policy is opened for editing. When you finish editing, click on OK. The imported policy is now available and appears in the console.
Merging policies
Merging policies can be very useful. Consider a server that has several functions and that each of these functions has a different antimalware policy. If you merge all of these policies, you will get one policy for this kind of server. To merge policies, do the following:
- Go to Assets and Compliance and from the navigation tree, expand Overview. Select Endpoint Protection and then click on Antimalware Policies.
- Select all the policies you want to merge and click on Merge from the ribbon bar, as shown in the following screenshot:
- You will have to enter a new policy name.
- You have to select a base policy. This is the policy from which the overall antimalware policy settings are taken; only the exclusions of the other selected policies are merged into it.
- The merged policy appears in the console and is ready for deployment. The original policies also remain in the console.
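The merge semantics just described (settings from the base policy only, exclusions from every selected policy) and the precedence rule stated earlier (the highest-priority policy wins when a server sits in several targeted collections) are easy to get wrong when planning server-role policies. The following is a modelling aid added here, not Configuration Manager's own code or data: it assumes that a lower priority number means higher precedence, and its sample policies and exclusion values are constructed, not Microsoft's published exclusion lists. It also reports which non-exclusion settings of the other policies the merge silently discards.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class AntimalwarePolicy:
    name: str
    # Modelling assumption: a lower number means higher precedence.
    priority: int
    settings: Dict[str, object]
    excluded_paths: Set[str] = field(default_factory=set)
    excluded_processes: Set[str] = field(default_factory=set)
    excluded_file_types: Set[str] = field(default_factory=set)


def _norm(item: str) -> str:
    # Windows paths and process names are case-insensitive; normalising keeps
    # "C:\Data" and "c:\data" from surviving as two separate exclusions.
    return item.strip().lower()


def effective_policy(targeting: List[AntimalwarePolicy]) -> AntimalwarePolicy:
    """Policy a client receives when it sits in several targeted collections:
    the highest-priority one takes precedence, as the text states."""
    if not targeting:
        raise ValueError("client is not targeted by any antimalware policy")
    return min(targeting, key=lambda p: p.priority)


def merge_policies(name: str, base: AntimalwarePolicy,
                   others: List[AntimalwarePolicy], priority: int
                   ) -> Tuple[AntimalwarePolicy, Dict[str, List[str]]]:
    """Merge as the text describes: every setting comes from the base policy,
    and only the exclusions of the other policies are folded in. Also returns
    the non-exclusion settings of the other policies that the merge discards,
    so an administrator can see what a server-role policy silently loses."""
    selected = [base, *others]
    merged = AntimalwarePolicy(
        name=name, priority=priority, settings=dict(base.settings),
        excluded_paths={_norm(x) for p in selected for x in p.excluded_paths},
        excluded_processes={_norm(x) for p in selected for x in p.excluded_processes},
        excluded_file_types={_norm(x) for p in selected for x in p.excluded_file_types},
    )
    dropped: Dict[str, List[str]] = {}
    for p in others:
        lost = [k for k, v in p.settings.items() if base.settings.get(k) != v]
        if lost:
            dropped[p.name] = sorted(lost)
    return merged, dropped


# Constructed sample policies (illustrative values only).
SQL_POLICY = AntimalwarePolicy(
    "EP Servers - SQL 2008", 3,
    {"scan_network_drives": False, "full_scan_day": "Sunday", "scan_archives": False},
    excluded_paths={r"D:\SQLData"}, excluded_processes={"sqlservr.exe"},
    excluded_file_types={".mdf", ".ldf"},
)
CONFIGMGR_POLICY = AntimalwarePolicy(
    "EP Servers - Configuration Manager", 5,
    {"scan_network_drives": False, "full_scan_day": "Saturday", "scan_archives": True},
    excluded_paths={r"C:\Program Files\Microsoft Configuration Manager\Inboxes",
                    r"d:\sqldata"},   # same path as above, different case
    excluded_processes={"smsexec.exe"},
)

if __name__ == "__main__":
    combined, lost = merge_policies("EP Servers - ConfigMgr with SQL", SQL_POLICY,
                                    [CONFIGMGR_POLICY], priority=2)
    print(sorted(combined.excluded_paths), lost)
    print(effective_policy([SQL_POLICY, CONFIGMGR_POLICY, combined]).name)
```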
Configuring alerts for Endpoint Protection
Alerts can be very useful when specific events occur in the hierarchy, and you can notify responsible users when malware is detected. Alerts are displayed in the Monitoring section under the alerts node. A best practice is to set up e-mail notifications because IT administrators might not always be in front of the Configuration Manager console. Most IT administrators have mobile phones that can send and receive e-mails directly from the phone. This is important because they can receive the e-mail in real time and respond accordingly.
Configuring e-mail notifications
In order to configure e-mail notifications, you must have an SMTP server in your infrastructure. In a multisite hierarchy, you only need to specify the e-mail server at the top, that is, the CAS. An e-mail notification by itself will not alert IT administrators if malware is detected. You also need to configure alert subscriptions to be notified by e-mail for specific alerts. Different e-mail addresses can be specified, and this is a recommended practice to receive e-mail notifications. By having more than one person receive the e-mail alerts, you have more chances to minimize the effects of the malware. To configure e-mail notifications, do the following:
- Go to the Administration workspace.
- Navigate to Overview | Site Configuration | Sites. Select Settings from the ribbon bar, click on Configure Site Components, and choose Email Notification:
- Enter the FQDN or the IP address of the SMTP server and specify the SMTP port. Select None if the server doesn't require authentication; if it requires authentication, enter an account to authenticate. You need to specify the sender address, which might not exist; however, if you want people to reply to it, you need a real e-mail address:
- To test the SMTP server, click on Test SMTP Server…. Enter a test e-mail recipient address and click on Send Test Email. If everything is configured properly, the e-mail will reach the destination address and the message Testing email was sent successfully please check your mailbox will be displayed.
An e-mail notification alert consists of the following:
- The from address: This is the address that you specify in the sender address for e-mail alerts
- The subject of the e-mail, which consists of three pieces of information:
- Description
- Type of alert
- Collection name
- Depending on the alert, the body of the e-mail will contain information about the breakout and might include information about the collection name, malware name, and successful remediation
Alert subscriptions
Alert subscriptions allow you to specify users who will receive e-mails when malware breakout occurs, but only if e-mail notifications are configured. For each subscription, you can specify multiple e-mail addresses. Each subscription can contain one or more criteria. To set up an alert subscription, do the following:
- Go to the Monitoring section.
- From the navigation tree, go to Overview | Alerts | Subscriptions.
- From the ribbon bar, select Create Subscription and give it a name.
- Select the e-mail language from the drop-down menu.
- Choose Alert from the list. There are four types of alerts available:
- Generate an alert when malware is detected
- The same malware is detected on multiple computers
- The same malware is detected repeatedly on a computer
- Multiple types of malware are detected on a computer
You need to select the type of alert and determine whether it is applicable to the device collection you want to monitor.