Data Centers

Easy anti-malware with System Center 2012 Endpoint Protection

John Joyner explains why System Center 2012 admins might want to enable the built-in anti-malware before investing in third-party anti-malware products.

Last year, I wrote about deploying Forefront Endpoint Protection 2010 (FEP), the predecessor to System Center Endpoint Protection 2012 (SCEP). In that article I covered a brief history of FEP, its origins (Forefront Client Security, FCS) and relatives (Microsoft Security Essentials, MSE). Today, owners of Microsoft System Center 2012 management licenses for client and/or server computers already own SCEP because an endpoint protection license is included with System Center 2012. High investment in third-party anti-malware products may not be necessary for these organizations.

SCEP is a "V3" release of Microsoft's premier anti-malware client. The integration of SCEP with its management framework, System Center Configuration Manager 2012 (SCCM), is complete. The SCEP install file is now automatically installed with every SCCM agent. Your decision is when and if you will activate SCEP setup with an SCCM device setting. Installing, configuring, and updating a third-party anti-malware product, if you already own System Center, is an additional cost to carefully consider the need for.

Installing anti-malware agent could not be easier

For customers already running SCCM 2012, the useful thing is that the SCEP setup file, a single 18-MB file "SCEPInstall.exe", is pre-installed in the %windir%\ccmsetup folder of every SCCM agent. Figure A shows the setup file that can be run manually, or more likely run automatically by a SCEP policy applied to a SCCM collection of computers.

Figure A

Every SCCM agent is one click away from being a SCEP client.

Manually installing SCEP should be avoided since doing so may preclude automatic SCEP client service by SCCM. However if you need to, you can just run SCEPInstall.exe and accept the default setup options. Here is the command line to install SCEP manually with an exported SCEP policy:

SCEPInstall.exe /policy <policy_path_and_name>.xml

Deploying and managing SCEP with SCCM 2012

The right way to deploy SCEP is using the SCCM console: to configure the SCEP client to be installed, and to apply an anti-malware policy. SCEP's predecessor, FEP 2010, was integrated with, and deployed by SCCM 2007 R3. Same story with SCEP 2012 and SCCM 2012. However SCEP's integration with SCCM 2012 is completely different and requires a re-learn for SCCM 2007 and FEP 2010 administrators. SCCM 2012 has a totally new interface from SCCM 2007. The new interface has task panes and ribbons like Outlook or another System Center 2012 component, the backup application Data Protection Manager (DPM) 2012. Previously, in FEP 2010, management features were located in the FEP portion of the SCCM 2007 R3 console. Now with SCEP 2012 and SCCM 2012, features to deploy and manage SCEP are embedded in view-specific areas of the SCCM 2012 console. Figure B shows the new Endpoint Protection Status Monitoring view.

Figure B

A portion of the Endpoint Protection Status Monitoring view in SCCM 2012.

Configure Endpoint Protection in SCCM

While all the pieces and parts are there to light up SCEP in a default installation of SCCM 2012, you have to decide to deploy this feature on the SCCM server side, and on the SCCM client side. The detailed procedures are contained at this link:  http://technet.microsoft.com/en-us/library/hh508770.aspx

Here are the high-level steps to configure SCEP in SCCM:

  1. Create an Endpoint Protection point site system role in SCCM 2012. Add the site system role in the SCCM Administration workspace to an existing SCCM site.
  2. Configure the desired SCEP policy. In the Assets and Compliance workspace of the SCCM console, navigate to Endpoint Protection -> Antimalware Policies. Create a custom policy for computers, such as scanning exemptions or a schedule for performing scans.
  3. Deploy the SCEP policy to the desired SCCM collection. If you have not already done so, create an SCCM collection that defines the computers you want to install SCEP on.
    • In the Assets and Compliance space -> Endpoint Protection -> Antimalware Policies, select the anti-malware policy created in Step 2.
    • Right-click and select Deploy. Then select the collection to deploy the settings to and click OK.
  4. Configure custom SCCM client settings for SCEP. Create Custom Client Device Settings at Administration space -> Client Settings as seen in Figure C. Set the Install Endpoint Protection client to True.

    Figure C

    This custom device setting will install the SCEP client.
  5. Deploy the custom device settings to an SCCM collection.
  6. In the Administration space -> Client Settings, select the custom device settings created in Step 4.
  7. Right-click and select Deploy. Then select the collection to deploy the settings to and click OK.

Configure alerts for Endpoint Protection in SCCM

It's really important to setup SCCM 2012 to give you feedback on the alerts and condition of the Endpoint Protection service. If you have implemented System Center Operations Manager (SCOM) and imported the SCEP 2012 management pack, you may not need to, or want to enable SCCM alerting. However, except for the SCOM management pack scenario, you will want to turn on SCCM alerting for SCEP events so you know when a malware outbreak or other serious event has occurred.

The detailed procedures to enable alerts are found at this link: http://technet.microsoft.com/en-us/library/hh427334.aspx. Here are the high-level steps to enable alerting:

  1. Enable SCCM to send SMTP alerts. The location for SMTP server settings is different for SCCM 2012 and SCCM 2012 SP1.
    • SCCM 2012 (no SP1): Administration workspace, select the SCCM server, then in the Settings tab, in Configure Site Components, click Email Notification.
    • SCCM 2012 SP1: Monitoring workspace -> Alerts -> Subscriptions. On the Home tab, in the Create group, click Configure Email notification.
  2. Create an email alert notification. Monitoring workspace -> Alerts -> Subscriptions- > Create subscription. Supply the email and name information and select any of the four types of SCEP alerts you want in the email notification. Figure D shows a SCEP alert emailed from SCCM.

Figure D

An emailed Endpoint Protection alert, viewed in Microsoft Outlook. (Click to enlarge)

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

0 comments

Editor's Picks