Forefront Endpoint Protection
Jack Cobben

Release Notes

1. Contents

2. Release Notes ... 8
   Microsoft Forefront Endpoint Protection 2010 ... 8
      Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails ... 8
      X-axis labels not displaying properly for the Antimalware Protection Summary report ... 8
      Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server ... 9
   Microsoft Forefront Endpoint Protection 2010 Client Software ... 9
      Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients ... 9
      Operating system upgrade ... 9
      Custom scan on virtual drives in Windows XP ... 10
      Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems ... 10
      Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full ... 10
3. Overview ... 10
   Why Use Forefront Endpoint Protection ... 11
      Easy to Deploy ... 11
      Easy to Manage ... 11
      Unified Protection ... 12
   Decision Considerations for FEP and the FEP Security Management Pack ... 12
4. Dashboard Overview ... 14
5. Reports Overview ... 16
6. System Requirements ... 18
   Prerequisites for Installing Forefront Endpoint Protection on a Server ... 18
      Forefront Endpoint Protection Server Prerequisites ... 18
      Forefront Endpoint Protection Console Prerequisites ... 23
   Prerequisites for Deploying Forefront Endpoint Protection on a Client ... 23
   Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack ... 25
7. Getting Started ... 25
   Getting Assistance ... 26
      Where to find Forefront Endpoint Protection Help and Assistance: ... 26
   Providing Feedback ... 27
8. Planning and Architecture ... 27
   Forefront Endpoint Protection 2010 ... 27
      Forefront Endpoint Protection and High Availability ... 28
   About Configuration Manager Site Topologies and FEP 2010 ... 29
      Single-Site Deployment ... 29
      Hierarchical Deployment ... 29
      Forefront Endpoint Protection Installed on the Parent and Child Sites ... 30
      Forefront Endpoint Protection Installed on the Child Sites ... 31
   About Basic Setup ... 32
      Basic Topology ... 33
   About Basic with Remote Reporting Database Setup ... 33
      Basic Topology with Remote Reporting Database ... 33
   FEP 2010 Security Management Pack ... 34
   Forefront Endpoint Protection Client ... 34
      Policies ... 35
      System Requirements ... 35
      Competitive Uninstall ... 35
      Forefront Endpoint Protection Client Deployment Options ... 36
      Definition Updates ... 36
   About Configuring Clients by Using Policies ... 37
      Creating and Configuring Policies ... 37
      Deploying Policies ... 38
   Planning for Definition Updates ... 41
   Migrating from Forefront Client Security to Forefront Endpoint Protection ... 42
      Client Update for Microsoft Forefront Client Security (1.0.xxxx.0) ... 42
9. Server Installation ... 43
   FEP 2010 ... 43
      Overview of Installing Forefront Endpoint Protection ... 43
      Installation Options ... 45
      Installing Using Basic Setup ... 45
      Prerequisites ... 46
      Installing Using Basic with a Remote Reporting Database Setup ... 48
      Installing Using Advanced Setup ... 50
      Validating Installation ... 56
      Configuring the Client Software on a Configuration Manager Site Server ... 59
      Moving from a Public RC Version to a Retail Version ... 61
      Uninstalling ... 63
   FEP 2010 Security Management Pack ... 64
      Overview of Installing the Forefront Endpoint Protection Security Management Pack ... 65
      About Agents ... 65
      Extracting the FEP 2010 Security Management Pack Files ... 66
      Importing the FEP 2010 Security Management Pack ... 67
      Configuring Client Discovery ... 68
      Create a New Management Pack for Customizations ... 69
10. Client Deployment ... 70
   Overview of Deploying Forefront Endpoint Protection ... 70
   FEP 2010 ... 70
      Deploying by Using Configuration Manager Packages ... 72
      Deploying Manually ... 74
      Deploying the Client Software by Using the Command Prompt ... 75
      Validating Deployment ... 76
      Uninstalling ... 78
   Enforcing the Client Software Deployment ... 80
      Deploying the FEP Client Software to a FEP Collection ... 80
      To create a reinstall advertisement ... 81
11. Operations ... 82
   Configuring Client Settings by Using Policies ... 82
      FEP Policies ... 83
      Creating a Policy ... 83
      Duplicating a Policy ... 84
      Editing a Policy ... 85
      Exporting a Policy ... 87
      Importing a Policy ... 88
      Setting Policy Precedence ... 88
      Assigning a Policy to Endpoint Computers ... 89
      Using Group Policy with FEP ... 91
      Converting FEP Policies to Group Policy ... 91
      Merging Settings from Multiple Policy Files ... 92
      Exporting Policy Settings to a FEP Policy File ... 94
      Configuring and Viewing FEP Group Policy Settings ... 94
   FEP Policy Templates ... 96
      About Preconfigured Policy Templates ... 96
      Applying Policies from the Command Prompt ... 98
      Updating Policies from the Command Prompt ... 101
   Common Tasks ... 102
      Running an Endpoint Protection Scan ... 102
      Managing Windows Firewall Protection ... 104
      Retrieving the Effective Endpoint Protection Settings ... 106
      Forcing Definition Updates ... 106
   Configuring Definition Updates ... 108
      Configuring Update Synchronization ... 109
      Microsoft Update Definition Updates ... 111
      File-Share-Based Definition Updates ... 111
   FEP Monitoring ... 113
      Monitoring Client Status by Using the Dashboard ... 114
      Using Alerts to Monitor Malware Detections ... 116
      Using Desired Configuration Management to Monitor Client Compliance ... 120
   FEP 2010 Security Management Pack Monitoring ... 125
      Security Considerations ... 127
      Health Rollup ... 127
      Object Classes ... 129
      About Discovery ... 130
      About Views ... 132
      About Monitors ... 133
      Monitoring Using Overrides ... 134
      About Rules ... 135
      About Alerts ... 136
      About Tasks ... 136
      Placing Objects in Maintenance Mode ... 138
      Configuring Notification Settings ... 138
   FEP 2010 Reports ... 138
      Forefront Endpoint Protection Security Reports ... 138
      Command options ... 141
      Operational Reports ... 141
      Displaying Computers Infected by a Specific Malware ... 144
      Displaying Recent Malware Infections ... 145
      Subscribing to Reports ... 145
   FEP 2010 Security Management Pack Reporting ... 146
      FEP Health and Deployment Status Schema ... 146
      FEP Security Incidents schema ... 149
   Disaster Recovery for FEP 2010 on Configuration Manager ... 155
      Backup ... 155
      Restore ... 156
   Automating Day-to-Day Tasks by Using Windows PowerShell ... 157
      Deploying or Removing the FEP Client Software ... 157
      Assigning and Unassigning FEP Policies to Collections ... 159
      Automating Desired Configuration Management ... 163
      Automating the FEP Dashboard ... 167
      Automating Tasks on Client Computers ... 170
      Automating FEP Reports ... 174
12. Troubleshooting ... 177
   Using the FEP Best Practices Analyzer ... 178
   Troubleshooting FEP and Configuration Manager ... 179
      FEP Log Files ... 180
   Troubleshooting the FEP Security Management Pack and Operations Manager ... 182
13. Technical Reference ... 183
   FEP 2010 Policy - Default Settings ... 183
      Antimalware Settings ... 183
      Updates Settings ... 193
      Windows Firewall Settings ... 194
   Security Management Pack Monitors ... 195
      Forefront Endpoint Protection 2010 Security Management Pack Monitors ... 195
   Security Management Pack Tasks ... 196
      Forefront Endpoint Protection 2010 Security Management Pack Tasks ... 196
   FEP ADMX Reference ... 198
   FEP2010 Client Help ... 231
      Welcome to Microsoft Forefront Endpoint Protection ... 231
      Why do I need antivirus and antispyware software? ... 232
      How can I tell if my computer is infected with malicious software? ... 233
      What should I do if Forefront Endpoint Protection detects malicious software on my computer? ... 233
      Using Forefront Endpoint Protection to remove potentially harmful software ... 234
      Frequently asked questions about malicious software ... 235
      How to help prevent malicious software infections ... 236
      How to help prevent malicious software infections ... 237
      Getting started ... 237
      Understanding alert levels ... 237
      What are recommended actions? ... 239
      Applying default actions to detected items ... 239
      Scanning for viruses, spyware, and other potentially unwanted software ... 239
      To scan the areas of your computer that malicious software is most likely to infect (Quick scan) ... 240
      To scan all areas of your computer (Full scan) ... 240
      To scan specific areas of your computer only (Custom scan) ... 240
      Running a custom scan ... 240
      To scan a specific file or folder (right-click scan) ... 240
      Running a right-click scan ... 240
      Scheduling scans ... 240
      When is the best time to run a scan on my computer? ... 241
      Responding to potential threats after a scan ... 242
      How can I view a scan's progress? ... 242
      What are advanced scanning options? ... 242
      Excluding items from a scan ... 243
      What's real-time protection? ... 244
      Understanding real-time protection options ... 244
      Turning real-time protection on and off ... 245
      How do I know that Forefront Endpoint Protection is running on my computer? ... 246
      How to set up Forefront Endpoint Protection alerts ... 247
      What are virus and spyware definitions? ... 247
      How do I keep virus and spyware definitions up to date? ... 247
      Running a scan using the latest updates ... 248
      How do I remove or restore items quarantined by Forefront Endpoint Protection? ... 248
      To remove or restore quarantined items ... 248
      How do I add or remove items from the Forefront Endpoint Protection allowed list? ... 249
      How do I view or clear the history in Forefront Endpoint Protection? ... 249
      What if I want to download or run a program that Forefront Endpoint Protection detects as potentially harmful? ... 250
      Privacy settings for detected items ... 250
      What is the Microsoft SpyNet Community? ... 251
      Reporting suspicious software to Microsoft SpyNet ... 251
      Changing your Microsoft SpyNet community membership ... 251
      Where can I find the Forefront Endpoint Protection privacy statement? ... 252
      Where can I find the Forefront Endpoint Protection license agreement? ... 252
      Troubleshooting ... 252
      Troubleshooting Update Issues ... 252
      I can't start the Forefront Endpoint Protection service ... 255
      I can't install Forefront Endpoint Protection ... 257
      I can't connect to the Internet issue (General topic) ... 260
      Error “0x8*******” encountered while virus and spyware definition updates or product upgrades ... 262
      Forefront Endpoint Protection detects a threat but can't remediate it ... 262


2. Release Notes

These release notes contain information that is required to successfully install, deploy and use Microsoft® Forefront® Endpoint Protection. They contain information that is not available in the product documentation.

Microsoft Forefront Endpoint Protection 2010

Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails

The user account used to run a repair on Forefront Endpoint Protection Reporting must be assigned the Content Manager SQL Server Reporting Services role.

For more information about the Content Manager SQL Server Reporting role, see Content Manager Role (http://go.microsoft.com/fwlink/?LinkId=207653) in the SQL Server Books Online.

Note:
When User Account Control (UAC) is enabled on the SQL Server Reporting Services server, the account must hold the role directly; a role assignment inherited from membership in either of the following groups is not honored, and the repair will fail:
• Administrators (local group)
• Domain Administrators (domain group)

X-axis labels not displaying properly for the Antimalware Protection Summary report

In some circumstances, when running the Antimalware Protection Summary report, the x-axis labels do not display properly. This occurs only when the report is run on Microsoft SQL Server® 2008 or SQL Server 2008 R2 Reporting Services.

Install one of the following SQL Server cumulative updates to fix the report:
• Cumulative Update package 3 for SQL Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=204839)
• Cumulative Update package 10 for SQL Server 2008 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=204840)

Note:
It is recommended that you install the SQL Server cumulative update before installing Forefront Endpoint Protection. If the SQL Server cumulative update is installed after Forefront Endpoint Protection, you will need to run a repair on the Microsoft Forefront Endpoint Protection 2010 Reporting component.


Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server

After installing Forefront Endpoint Protection you cannot change your membership in the Customer Experience Improvement Program (CEIP) through the user interface.

To manually configure the CEIP setting, modify the following registry key on the Forefront Endpoint Protection server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config\SqmEnabled

• Setting the registry key to 1 joins the CEIP.
• Setting the registry key to 0 removes membership in the CEIP.

For the change to take effect you need to restart the computer.

Microsoft Forefront Endpoint Protection 2010 Client Software

Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients

Forefront Endpoint Protection clients automatically join the Customer Experience Improvement Program (CEIP). Users can modify this setting; however, the administrator cannot control the CEIP setting via a Forefront Endpoint Protection policy created in the Configuration Manager console.

To configure the CEIP setting, create the following registry key on the Forefront Endpoint Protection client computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove

• Setting the registry key to 1 joins the CEIP (default).
• Setting the registry key to 0 removes membership in the CEIP.

After the registry key has been created, the user can no longer change this setting from the Forefront Endpoint Protection client.

For the change to take effect you need to restart the computer.
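Both registry settings above (the server's SqmEnabled value and the client's SqmConsentApprove value) can be audited and applied from PowerShell. The following is an added example, not code from the FEP documentation; the key paths and value names come from the text, while the function names, the -Role parameter and the output fields are my own.

```powershell
# Added example, not from the FEP documentation: read and set the CEIP registry
# values described above. Key paths and value names are the ones given in the
# text; the function names, the -Role parameter and the output fields are mine.
# Run in an elevated Windows PowerShell session on the server or client.

$FepCeipSettings = @{
    Server = @{
        Key  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config'
        Name = 'SqmEnabled'
    }
    Client = @{
        Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration'
        Name = 'SqmConsentApprove'
    }
}

function Get-FepCeipSetting {
    param([Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role)
    $s = $FepCeipSettings[$Role]
    $value = $null
    if (Test-Path -LiteralPath $s.Key) {
        $value = (Get-ItemProperty -LiteralPath $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    }
    # Clients join CEIP by default, so an absent policy value means "joined" and the
    # local user can still change it. Once the value exists, the user is locked out.
    if ($null -ne $value)       { $joined = ($value -eq 1) }
    elseif ($Role -eq 'Client') { $joined = $true }   # client default per the release notes
    else                        { $joined = $null }   # server default is not documented here
    [pscustomobject]@{
        Role          = $Role
        Key           = $s.Key
        Name          = $s.Name
        Value         = $value
        CeipJoined    = $joined
        UserCanChange = ($Role -eq 'Client' -and $null -eq $value)
    }
}

function Set-FepCeipSetting {
    param(
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Role,
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value   # 1 = join CEIP, 0 = leave CEIP
    )
    $s = $FepCeipSettings[$Role]
    # The client-side policy key does not exist until an administrator creates it.
    if (-not (Test-Path -LiteralPath $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -LiteralPath $s.Key -Name $s.Name -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Warning 'Restart the computer for the CEIP change to take effect.'
    Get-FepCeipSetting -Role $Role
}

# Audit the current client state without changing anything:
Get-FepCeipSetting -Role Client
```

Use Set-FepCeipSetting -Role Client -Value 0 to opt client computers out and lock the setting; the returned object shows UserCanChange turning to False once the policy value exists.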

Operating system upgrade

After the operating system on a client computer is upgraded, the Forefront Endpoint Protection client software no longer functions as expected. To avoid this, you must uninstall the Forefront Endpoint Protection client software before running the operating system upgrade.

This applies to the following operating system upgrade paths:

• Windows XP to Windows Vista®
• Windows Vista to Windows Vista SP1, Windows Vista SP2, or Windows® 7


Custom scan on virtual drives in Windows XP

On computers running Windows XP, malware residing on a virtual drive is not detected during a custom scan of the virtual drive. A virtual drive is created by applications using Application Virtualization (App-V) technology, such as Microsoft Office 2010. Quick scans and full scans properly detect the malware.

Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems

The Forefront Endpoint Protection client software does not uninstall the Symantec Antivirus Corporate Edition client on computers running a 64-bit operating system. On these computers, you need to manually uninstall Symantec software before deploying the Forefront Endpoint Protection client software.

Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full

Client malware activity incidents are reported from the client to the Forefront Endpoint Protection server based on the entries in the System event log. If the System event log is full and no new events can be written, no new malware activity is reported to the Forefront Endpoint Protection server.

It is recommended that you configure the properties of the System event log to overwrite events when needed, so that new events can be written and are not lost.
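A check for this failure mode, as an added example that is not part of the release notes: it reports the System log's overflow policy and applies the recommended overwrite-as-needed setting when the log could otherwise stop accepting events. It uses the built-in Get-EventLog and Limit-EventLog cmdlets; the function names are assumptions of mine.

```powershell
# Added example, not from the FEP documentation: check whether the System event
# log is configured so that it can always accept new entries, and apply the
# recommended "overwrite events as needed" setting if it is not. Uses the
# built-in Get-EventLog / Limit-EventLog cmdlets; the function names are mine.

function Get-SystemEventLogRetentionStatus {
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'System' }
    # OverflowAction values:
    #   OverwriteAsNeeded - the oldest event is discarded to make room (recommended above)
    #   OverwriteOlder    - only events older than MinimumRetentionDays may be overwritten,
    #                       so a burst of recent events can fill the log and block writes
    #   DoNotOverwrite    - once MaximumKilobytes is reached, new events are dropped
    $atRisk = $log.OverflowAction -ne [System.Diagnostics.OverflowAction]::OverwriteAsNeeded
    [pscustomobject]@{
        Log                    = $log.Log
        MaximumKilobytes       = $log.MaximumKilobytes
        OverflowAction         = $log.OverflowAction
        MinimumRetentionDays   = $log.MinimumRetentionDays
        EntryCount             = $log.Entries.Count
        MalwareReportingAtRisk = $atRisk
    }
}

function Repair-SystemEventLogRetention {
    # Requires an elevated session. Only changes the setting when it is not already
    # OverwriteAsNeeded, and returns the resulting state so the change can be verified.
    $before = Get-SystemEventLogRetentionStatus
    if ($before.MalwareReportingAtRisk) {
        Limit-EventLog -LogName 'System' -OverflowAction OverwriteAsNeeded
    }
    Get-SystemEventLogRetentionStatus
}

# Report the current state; run Repair-SystemEventLogRetention to apply the fix.
Get-SystemEventLogRetentionStatus | Format-List
```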

3. Overview

Microsoft® Forefront® Endpoint Protection 2010 (FEP) is a security and antimalware solution integrated into System Center Configuration Manager 2007, and the Forefront Endpoint Protection Security Management Pack is a security and antimalware management solution for servers and critical, high-priority computers, integrated into System Center Operations Manager 2007. Together, they are a software solution that provides security and antimalware management for desktops, portable computers, and servers. Together they provide a lower total cost-of-ownership enterprise solution that enables desktop administrators in your organization to add security management to their day-to-day operations, within a familiar framework and without requiring specialized security knowledge.

FEP and the FEP Security Management Pack leverage the familiar administrative experience of managing and monitoring endpoints. They improve visibility for identifying and remediating potentially vulnerable endpoints while lowering ownership costs by using existing infrastructure for both endpoint management and security.

The FEP client software deploys effortlessly to hundreds of thousands of endpoints by using existing System Center Configuration Manager agents, and provides highly accurate detection of known and unknown threats, as well as actively protecting against network-level attacks by managing basic Windows Firewall configurations.

FEP and the FEP Security Management Pack provide the following features:


• Integration with your existing system management infrastructure

• Proven antimalware engine

• Reporting functionality

• In FEP, policy-based antimalware management

• In FEP, Firewall management

• Seamless migration from previous antivirus solutions

Why Use Forefront Endpoint Protection

Forefront Endpoint Protection and the FEP Security Management Pack provide seamless integration with the management products you use on a daily basis.

The key benefits are described below.

Easy to Deploy

Forefront Endpoint Protection makes it easy for desktop administrators to roll out a large-scale endpoint protection solution to all user desktops and portable computers, while the FEP Security Management Pack makes it simple to roll out real-time alerting and reporting for servers and critical, high-priority client computers.

FEP comes complete with policy templates, for both recommended client configurations and typical server workloads, which are ready to use right out of the box, taking the guesswork out of security management. While no advanced customization is required, it is easy to customize policies to meet the needs of your organization. Forefront Endpoint Protection supports deployments that are built on the familiar System Center Configuration Manager software distribution infrastructure, while the FEP Security Management Pack, built on System Center Operations Manager, supports servers and critical high-priority client computers. Using Forefront Endpoint Protection, you can deploy the client:

• Across various topologies to support non-domain-joined computers and endpoints at different branch offices, in addition to unmanaged (stand-alone) clients.
• To seamlessly upgrade or replace previously installed security solutions.
• On various Windows® operating systems.

Easy to Manage

Forefront Endpoint Protection and the FEP Security Management Pack offer both the desktop administrator and the server administrator a streamlined security management experience. Built on the familiar System Center interfaces, they give administrators simplified access to the information and tools they need in order to keep their enterprise secure and running, including the following:

• In FEP, policy-based administration
• Remediation capabilities including scanning and updating definitions on client computers
• Current and historical reporting that enables administrators to answer critical security questions, such as:
  • What percentage of computers are currently protected?
  • Is antivirus software installed and turned on?
  • Are the latest definitions installed?
  • What malware was detected in the organization?
  • What computers currently have malware activity?
  • How can I improve my organizational security?

Forefront Endpoint Protection is built on System Center Configuration Manager, and the FEP Security Management Pack is built on System Center Operations Manager.

Unified Protection

Forefront Endpoint Protection delivers single-agent, multithreat protection for desktops and portable computers, and the FEP Security Management Pack provides management of servers and critical high-priority client computers. Backed by a world-class response center and a dedicated community (Microsoft SpyNet®) serving millions of users, the FEP client includes:

• Antimalware and antispyware
• Rootkit detection and remediation
• Critical vulnerability assessment and automatic updates
• Integrated Windows Firewall management
• Network Inspection System

The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. It is built on the same antimalware engine as Microsoft Security Essentials (MSE), which has been delighting millions of consumers with low false positives and high catch rates. Whenever possible, the FEP client automatically solves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.

Decision Considerations for FEP and the FEP Security Management Pack

Both FEP and the FEP Security Management Pack provide best-of-breed security protection for desktops, portable computers, and servers. You can implement either FEP or the FEP Security Management Pack, or you can implement both to take advantage of the features of each.

Choosing when to implement each requires that you evaluate your security needs. Consider the questions in the following table.


If: You are already using System Center Configuration Manager to manage your enterprise
Then: You can easily implement Forefront Endpoint Protection to integrate security into your computer management solution.

If: You are using System Center Operations Manager to manage your data center
Then: You can implement the FEP Security Management Pack to monitor your servers and critical high-priority computers.

If: You need real-time reporting and monitoring for any of your computers or servers
Then: The FEP Security Management Pack can provide real-time monitoring and alerting for the servers (and high-priority client computers) you designate.

If: You are using the Desired Configuration Management (DCM) feature in Configuration Manager
Then: Forefront Endpoint Protection provides additional DCM checks that allow you to report on the status of security areas within your Configuration Manager environment.

If: You are managing any branch offices or non-domain-joined clients
Then: Configuration Manager supports both of these scenarios, and Forefront Endpoint Protection, built on Configuration Manager, can take full advantage of this support.

If: The desktop administrators in your organization are responsible for desktop security
Then: If you have implemented Configuration Manager for desktop administration, your desktop administrators can work within the familiar interface of Configuration Manager.

If: You need historical reporting for malware events
Then: Both Forefront Endpoint Protection and the FEP Security Management Pack are an option for you. Both maintain a historical record of malware information in your organization.


4. Dashboard Overview

The Forefront Endpoint Protection dashboard provides key information for tracking the status of client software deployments, antimalware activity, definition updates, policy distributions, and client software compliance. The dashboard contains several summary areas displayed on a single page, and works by querying the Configuration Manager Site database and using the resulting data sets to present key metrics in a graphical format.

The Forefront Endpoint Protection dashboard is located in the Configuration Manager console, in the following path in the tree:

Site Database / Computer Management / Forefront Endpoint Protection

The following table describes the summary areas displayed in the Forefront Endpoint Protection dashboard:

Summary area: Client Deployment Status

This area displays the following information:

• The number of computers in your organization to which the client software was not targeted.
• The number of computers in your organization to which the client software is targeted.

The set of computers to which the client software is targeted is divided into the following deployment states:

• Removed
• Failed
• Pending
• Out of date
• Deployed

Summary area: Protection Status

This area displays the reporting status for the FEP client software. There are three possible status values:

• Protection service off—The number of computers on which the FEP antimalware service is turned off.
• Not reporting—The number of computers to which the FEP client has been deployed, but which have not sent a status report back to the Configuration Manager server in the past 14 days.
• Healthy—The number of computers running the FEP client software that have sent a status report back to the Configuration Manager server in the past 14 days.

Summary area: Security Status

This area displays information about malware activity in your organization. The possible states of the FEP client software are as follows:

• Infected—The number of computers on which the FEP client software has detected active malware.
• Restart required—The number of computers running the FEP client software that require a restart in order to complete malware cleaning.
• Full scan required—The number of computers running the FEP client software that require a full scan.
• Recent malware activity (Last 24 hours)—The number of computers on which the FEP client software detected and cleaned malware within the last 24 hours.

Summary area: Definition Status

This area displays information about the age of the FEP antimalware definitions on the client computers. Computers are listed according to the age category into which the definitions fall. The following is a list of possible categories:

• Older than 1 week—The number of client computers with definitions more than 1 week old.
• Up to 7 days old—The number of client computers with definitions up to 1 week old.
• Up to 3 days old—The number of client computers with definitions up to 3 days old.
• Up to date—The number of client computers with up-to-date definitions.

Data for this dashboard area is collected by Configuration Manager Desired Configuration Management (DCM) baselines. For more information about DCM baselines and Forefront Endpoint Protection, see Using Desired Configuration Management to Monitor Client Compliance.


Summary area: Policy Distribution Status

This area displays information about the possible policy distribution states for the FEP client software. The following is a list of the possible states:

• Failed—The number of computers to which a policy could not be deployed.
• Pending—The number of computers to which a policy is in the process of being deployed.
• Distributed—The number of computers to which a policy was successfully deployed.

Summary area: Forefront Endpoint Protection Baselines

This area displays summary status information for FEP client compliance with FEP configuration baselines. For more information, see Using Desired Configuration Management to Monitor Client Compliance.

5. Reports Overview

Reporting in Forefront Endpoint Protection is integrated into the Configuration Manager console. The information is gathered using the standard Configuration Manager data collection mechanism and is stored in the Forefront Endpoint Protection reporting database. Since this information is gathered at scheduled intervals, reports may not reflect the most recent information.

Forefront Endpoint Protection presents the information gathered in the reporting database in summary and detailed reports, which contain links that can be clicked to view the related reports.

There are several predefined reports located under the Forefront Endpoint Protection Reports node and under the standard Configuration Manager Reporting node. Reports broadly divide into security reports and operational reports respectively.

The following table is a list of the available reports.

Report: Antimalware Activity Report (Type: Security)
This report provides an overview of antimalware status, malware alerts, and malware detections.

Report: Antimalware Protection Summary Report (Type: Security)
This report provides an overview of antimalware deployment and health.

Report: Malware Details Report (Type: Security)
This report displays further details about a specific malware.

Report: Computer List Report (Type: Security)
This report displays a list of computers that can be filtered by collection, name, protection status, security state, antimalware signature version, detected malware, and last antimalware scan time.

Report: Computer Details Report (Type: Security)
This report displays further details about a specific computer.

Report: Deployment Overview (Type: Operational)
This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status per collection.

Report: Deployment for a specific collection (Type: Operational)
This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status for a specific collection.

Report: Computers with a specific deployment state (Type: Operational)
This report displays a list of computers in a collection and the specific deployment state.

Report: Policy Distribution Overview (Type: Operational)
This report displays the breakdown of policy distribution states per collection. The report will only enumerate computers with Microsoft Forefront Endpoint Protection 2010 deployed.

Report: Policy Distribution for a specific collection (Type: Operational)
This report displays the policy distribution states for a specific collection.

Report: Computers with a specific policy distribution state (Type: Operational)
This report displays a list of computers in a collection and the specific policy state.

Report: FEP information for a specific computer (Type: Operational)
This report displays a summary of Forefront Endpoint Protection information for a specific computer.


6. System Requirements

To get started with Microsoft Forefront Endpoint Protection 2010, your computers must meet the minimum requirements for installing the Forefront Endpoint Protection server and deploying the Forefront Endpoint Protection client. Use the following topics to help you prepare the computers in your environment:

• Prerequisites for Installing Forefront Endpoint Protection on a Server
• Prerequisites for Deploying Forefront Endpoint Protection on a Client
• Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

Prerequisites for Installing Forefront Endpoint Protection on a Server

The Forefront Endpoint Protection Setup wizard includes a prerequisites verification that checks that the prerequisites are already installed before you continue with the installation. If the prerequisites verification check identifies missing prerequisites, the check points you to locations where you can download and install the required components.

Forefront Endpoint Protection Server Prerequisites

The following table is the list of minimum requirements for installing the Forefront Endpoint Protection server.

Prerequisite: Memory
Minimum requirements: 2 GB of RAM

Prerequisite: Available disk space
Minimum requirements:
• Forefront Endpoint Protection server: 600 MB
• Forefront Endpoint Protection database: 1.25 GB
• Forefront Endpoint Protection reporting database: 1.25 GB
Notes: For large-scale deployments comprising more than 10,000 client computers, on the computer running Microsoft SQL Server® where the Forefront Endpoint Protection reporting database resides, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkId=206862).

Prerequisite: Operating system
Minimum requirements:
• Windows Server® 2003 Standard, Enterprise, or Datacenter Edition Service Pack 2 (x86 or x64), or
• Windows Server 2008 Standard, Enterprise, or Datacenter Service Pack 1 (x86 or x64), or
• Windows Server 2008 R2 Standard, Enterprise, or Datacenter (x64)

Prerequisite: Database servers
Minimum requirements:
• Microsoft SQL Server 2005 Standard or Enterprise Edition Service Pack 3 (x86 or x64), or
• Microsoft SQL Server 2008 Standard or Enterprise (x86 or x64), or
• Microsoft SQL Server 2008 R2 Standard or Enterprise (x86 or x64)
Notes:
• When using an RTM release of SQL Server 2008, make sure that the default instance is defined. If the default instance is not defined, reporting and alerting do not function, because data cannot flow up to the Configuration Manager site server.
• Verify that all computers that are running SQL Server are joined to the domain, that the user account running Setup is a member of the sysadmin SQL Server role, and that all SQL Server services are running. Additionally, in nonclustered SQL Server environments, the SQL Server services should be configured to start automatically.
• The user account running Setup will be set as the owner of the following SQL Server databases and jobs:
  • FEPDB_XXX (database)
  • FEPDW_XXX (database)
  • FEP_DataWarehouseMaintenance_FEPDW_XXX (job)
  • FEP_DB_Maintenance_FEPDB_XXX (job)
  • FEP_GetNewData_FEPDW_XXX (job)
  • FEP_GetNewDataOnInstall_FEPDW_XXX (job)


Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database
Minimum requirements:
• SQL Server Analysis Services
• SQL Server Integration Services
• SQL Server Reporting Services
• SQL Server Agent
Notes:
• For SQL Server Analysis Services, the user account running Setup, or a domain group that it is a member of, must belong to the server administrator role on your specified SQL Server Analysis Server. For more information, see Analysis Server Properties Dialog Box (http://go.microsoft.com/fwlink/?LinkID=204204).
• The Forefront Endpoint Protection reporting database and the server running SQL Server Analysis Services must be installed on the same SQL Server instance.
• On the computer that is running SQL Server Analysis Services, the following ports must be open for incoming traffic:
  • SQL Server (TCP 1433)
  • SQL Server Analysis Services (TCP 2383)
  For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?LinkId=128365).
• For Forefront Endpoint Protection reporting to function, you must make sure that the Forefront Endpoint Protection client that is installed as part of Forefront Endpoint Protection has access to definition updates via the Configuration Manager client agent, Windows Server Update Services, or Microsoft Update.

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database on a SQL Server cluster
Minimum requirements:
• The name you entered in the SQL Network Name box for your SQL Server cluster must be registered in the domain.
• SQL Server Integration Services must be installed on all nodes and must be part of the cluster group.

Prerequisite: Configuration Manager
Minimum requirements:
• Microsoft System Center Configuration Manager 2007 Service Pack 2 installed with default roles, and either
  • Microsoft System Center Configuration Manager 2007 R2 installed and configured to use SQL Server Reporting Services, or
  • Microsoft System Center Configuration Manager 2007 R3 installed and configured to use SQL Server Reporting Services
• The following client agents are installed and configured:
  • Hardware Inventory
  • Software Distribution
  • Desired Configuration Management

Prerequisite: Additional requirements
Minimum requirements:
• No other version of Forefront Endpoint Protection is installed
• Microsoft Windows Installer version 3.1
• Microsoft .Net Framework 3.5 Service Pack 1
• Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?LinkId=203936)
• SQL Server Analysis Management Objects
• The computer where Setup is run is not pending a restart from a previous install or update
• The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials
Notes:
• You must install SQL Server Analysis Management Objects on the computer where Setup is run when the Forefront Endpoint Protection reporting database is being installed on a remote computer.
• You can download the SQL Server Analysis Management Objects for your version of SQL Server from the following locations:
  • For SQL Server 2008 R2, visit Microsoft SQL Server 2008 R2 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206861), go to the Microsoft SQL Server 2008 R2 Analysis Management Objects section, and download the appropriate file based on your system architecture.
  • For SQL Server 2008, visit Microsoft SQL Server 2008 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206625), go to the Microsoft Analysis Management Objects section, and download the appropriate file based on your system architecture.
  • For SQL Server 2005, visit Feature Pack for Microsoft SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=206624), go to the Microsoft SQL Server 2005 Management Objects Collection section, and download the appropriate file based on your system architecture.
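The Additional requirements row can be pre-checked on the computer where Setup will run, before the wizard's own verification. This is an added example, not code from the FEP documentation or the Setup wizard; the registry locations used for the pending-restart and .NET 3.5 SP1 checks are standard Windows locations that this page does not list, and the function and check names are mine.

```powershell
# Added example, not from the FEP documentation: pre-flight checks for the
# "Additional requirements" row above, run on the computer where Setup will be
# started. The registry locations used for the pending-restart and .NET 3.5 SP1
# checks are standard Windows locations that this page does not list, and the
# function and check names are mine. Configuration Manager rights, the
# KB2271736 hotfix and the Analysis Management Objects install are not checked.

function Test-FepServerSetupPrerequisites {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
    }

    # Microsoft Windows Installer version 3.1: read the file version of msi.dll.
    $vi = (Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo
    $msiVersion = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    Add-Check 'Windows Installer 3.1 or later' ($msiVersion -ge [version]'3.1') "msi.dll $msiVersion"

    # .NET Framework 3.5 SP1: Install=1 and SP>=1 under the NDP\v3.5 setup key.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    $dotNetOk = [bool]($ndp -and $ndp.Install -eq 1 -and $ndp.SP -ge 1)
    Add-Check '.NET Framework 3.5 SP1' $dotNetOk "Install=$($ndp.Install) SP=$($ndp.SP)"

    # No restart pending from a previous install or update (CBS, Windows Update,
    # and file renames queued for the next boot).
    $pending = @(@(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    ) | Where-Object { Test-Path -LiteralPath $_ })
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm.PendingFileRenameOperations) { $pending += 'PendingFileRenameOperations' }
    Add-Check 'No restart pending' ($pending.Count -eq 0) ($pending -join '; ')

    # The Setup account must be a domain account, in the domain the server belongs
    # to, with local administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $cs        = Get-WmiObject -Class Win32_ComputerSystem
    Add-Check 'Server is domain-joined' ([bool]$cs.PartOfDomain) "computer domain: $($cs.Domain)"
    Add-Check 'Setup account is a domain account' ($env:USERDOMAIN -ne $env:COMPUTERNAME) $identity.Name
    # IsInRole reflects the current token, so run this from an elevated session.
    Add-Check 'Setup account is a local administrator (elevated)' `
        ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) $identity.Name

    $results
}

Test-FepServerSetupPrerequisites | Format-Table -AutoSize
```

Compare the account domain shown in the detail column with the computer domain by hand; the NetBIOS and DNS forms differ, so the script reports both rather than comparing them.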

Forefront Endpoint Protection Console Prerequisites

The following table is the list of minimum requirements for installing the Forefront Endpoint Protection console.

Prerequisite: Configuration Manager
Minimum requirements:
• Microsoft System Center Configuration Manager 2007 Service Pack 2 Console, or
• Microsoft System Center Configuration Manager 2007 R2, or
• Microsoft System Center Configuration Manager 2007 R3

Prerequisite: Additional requirements
Minimum requirements:
• Microsoft .Net Framework 3.5 Service Pack 1
• Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?LinkId=203936)
• The computer running Setup is not pending a restart from a previous install or update
• The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials

Prerequisites for Deploying Forefront Endpoint Protection on a Client

The following table is a list of the prerequisites for deploying Forefront Endpoint Protection on client computers.

Prerequisite: Configuration Manager
Requirement: A Microsoft System Center Configuration Manager 2007 site that has the Forefront Endpoint Protection server installed.

Note:

If you have client computers that do not require the central deployment and management features of the Forefront Endpoint Protection server, and you intend to manually install the Forefront Endpoint Protection client, the Configuration Manager prerequisites stated for client computers are not required. For more information, see Deploying the Client Software by Using the Command Prompt.

Prerequisite: Operating system
Requirement:
• Windows 7 (x86 or x64), or
• Windows 7 XP mode, or
• Windows Vista® (x86 or x64) or later versions, or
• Windows XP Service Pack 2 (x86 or x64) or later versions, or
• Windows Server 2008 R2 (x64) or later versions, or
• Windows Server 2008 R2 Server Core (x64), or
• Windows Server 2008 (x86 or x64) or later versions, or
• Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or
• Windows Server 2003 R2 (x86 or x64) or later versions

Note:

On the following operating systems, the Forefront Endpoint Protection client software can be installed manually. However, policies cannot be applied to them, nor can they be centrally managed by Forefront Endpoint Protection.

• Windows 7 Starter
• Windows 7 Home Premium
• Windows Vista Basic
• Windows Vista Home Premium
• Windows XP Home Edition

Prerequisite: Available disk space
Requirement: 255 MB

Prerequisite: Additional requirements
Requirement:
• Windows Installer 3.1 or later versions
• Filter manager rollup package for Windows XP Service Pack 2 (x86) KB914882 (http://go.microsoft.com/fwlink/?LinkID=207000)

Prerequisite: Competitive uninstall
Requirement: The client installation checks for and uninstalls the following existing antimalware clients:
• Symantec Endpoint Protection version 11
• Symantec Corporate Edition version 10
• McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
• Forefront Client Security version 1 and the Operations Manager agent
• TrendMicro OfficeScan version 8 and version 10

Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

The following table lists the minimum requirements for importing the Forefront Endpoint Protection Security Management Pack.

Prerequisite: System Center Operations Manager 2007
Minimum requirement: System Center Operations Manager 2007 R2

The following table lists the minimum requirements for the Reporting management pack for use with the Forefront Endpoint Protection Security Management Pack.

Prerequisite: Reporting components
Minimum requirement: Reporting components must be installed for System Center Operations Manager 2007 R2 in order to use the Reporting feature.

7. Getting Started

Before deploying Microsoft Forefront Endpoint Protection 2010, you should read the documentation carefully and plan your deployment according to your business needs. If planned correctly, Forefront Endpoint Protection can reduce your administrative overhead and total cost of ownership. If Forefront Endpoint Protection is deployed without sufficient planning you can disrupt your whole network, because Forefront Endpoint Protection has the potential to affect every computer in your organization.

Because Forefront Endpoint Protection is built on System Center Configuration Manager, you should be familiar with Configuration Manager before you deploy Forefront Endpoint Protection. For more information, see System Center Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=111469).

Because the FEP Security Management Pack is built on System Center Operations Manager, you should be familiar with Operations Manager before deploying the FEP Security Management Pack. For more information, see System Center Operations Manager R2 (http://go.microsoft.com/fwlink/?LinkId=205692).

Note:

If you are new to Forefront Endpoint Protection, you should experiment in a test network environment before you deploy the product.

Next Steps

• Plan the Forefront Endpoint Protection installation. For more information, see Planning and Architecture.
• Install Forefront Endpoint Protection on your Configuration Manager Site server. For more information, see FEP 2010.
• Import the FEP Security Management Pack on your Operations Manager server. For more information, see FEP 2010 Security Management Pack.
• Deploy Forefront Endpoint Protection policies and clients. For more information, see Client Deployment.
• Learn about routine operations. For more information, see Operations.

Getting Assistance

The Forefront Endpoint Protection online help and assistance options are available to you when you're planning, deploying, administering, and troubleshooting Forefront Endpoint Protection.

Where to find Forefront Endpoint Protection Help and Assistance:

• Forefront Endpoint Protection TechNet Library (http://go.microsoft.com/fwlink/?LinkId=188968). The FEP TechNet library contains the most up-to-date product documentation. This documentation is updated as Forefront Endpoint Protection features evolve and new troubleshooting information becomes available.
• Forefront Endpoint Security Blog (http://go.microsoft.com/fwlink/?LinkId=196676). The Forefront Endpoint Security blog contains technical articles written by the Forefront Endpoint Protection team, in addition to product announcements and updates.
• Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?LinkId=196677). The forum provides a place to discuss Forefront Endpoint Protection with customers and Forefront Endpoint Protection team members. The Forefront Endpoint Protection forum is an excellent way to interact with the Forefront Endpoint Protection team and with other customers worldwide.
• The Forefront Endpoint Protection section of the TechNet Wiki (http://go.microsoft.com/fwlink/?LinkId=196679). The TechNet Wiki contains community-generated content about various Microsoft products, including Forefront Endpoint Protection. Through the use of the TechNet Wiki, you can share your knowledge and experience with other members of the community.

Providing Feedback

• Your feedback about Microsoft Forefront Endpoint Protection 2010 will be greatly appreciated and will help Microsoft improve Forefront Endpoint Protection. Please submit all feedback to the Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?LinkId=188968).

8. Planning and Architecture

The content in this section is designed to help you plan your Microsoft Forefront Endpoint Protection 2010 installation and the infrastructure required to support it.

Before you install Forefront Endpoint Protection, it is recommended that you review the following sections:

• Planning Your Deployment
• Migrating from Forefront Client Security to Forefront Endpoint Protection

Forefront Endpoint Protection 2010

Forefront Endpoint Protection easily installs into your existing Configuration Manager 2007 deployment. The Forefront Endpoint Protection server installation process automatically installs the required components to the correct servers based upon the Configuration Manager deployment.

The following is a list of items that are installed during Forefront Endpoint Protection Setup.

Installation item | Description
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | The Forefront Endpoint Protection Site server extensions for Configuration Manager.
Forefront Endpoint Protection Console Extensions for Configuration Manager | The Forefront Endpoint Protection extensions to the Configuration Manager management console add views to manage and monitor Forefront Endpoint Protection client deployments.
Forefront Endpoint Protection Database | An auxiliary database used by Forefront Endpoint Protection.
Forefront Endpoint Protection Reporting role | Provides historical reports on Forefront Endpoint Protection client malware activity and client protection status.
Forefront Endpoint Protection Reporting database | The database for storing Forefront Endpoint Protection client protection status and malware activity historical data.
Forefront Endpoint Protection Security Client | The Forefront Endpoint Protection client is installed for access to antimalware metadata.

The following items are installed during the installation of Forefront Endpoint Protection Site Server Extensions for Configuration Manager:

• The FEP – Deployment package.
• The FEP – Policies package.
• The FEP – Operations package.
• Forefront Endpoint Protection Operations tasks are added to the Configuration Manager right-click context menu and the Actions pane for computer objects.
• Forefront Endpoint Protection desired configuration management configuration baselines and configuration items.
• Forefront Endpoint Protection related collections.
• Forefront Endpoint Protection client deployment and policy distribution reports are added to Configuration Manager reporting.

Forefront Endpoint Protection and High Availability

Forefront Endpoint Protection is installed on top of Configuration Manager and is dependent on the availability of the Configuration Manager services. The following items are Forefront Endpoint Protection server deployment recommendations for high availability:

• Use clustered SQL Server for the Forefront Endpoint Protection reporting database.
• Use the System Center Operations Manager Forefront Endpoint Protection Monitoring Management Pack to monitor Forefront Endpoint Protection services.

About Configuration Manager Site Topologies and FEP 2010

Forefront Endpoint Protection can be deployed to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported. For more information about Configuration Manager sites, see Understanding Configuration Manager Sites (http://go.microsoft.com/fwlink/?LinkId=196956).

Single-Site Deployment

In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. The Configuration Manager administrator will perform the following tasks from the Configuration Manager console:

• Create or modify Forefront Endpoint Protection policies.
• Assign Forefront Endpoint Protection policies to collections.
• Deploy Forefront Endpoint Protection clients to collections.
• Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard.
• Configure Forefront Endpoint Protection alerts.
• Assign the Forefront Endpoint Protection Desired Configuration Management baselines to collections.

Hierarchical Deployment

In a hierarchical Configuration Manager deployment, there is a parent site that has one or more sites (children) attached to it in the hierarchy. A parent site contains pertinent information about its lower-level sites and it can control many operations at the child sites. A site that has no parent site is known as a central site. For more information about planning and deploying Configuration Manager, see Planning and Deploying the Server Infrastructure for Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=196960).

Forefront Endpoint Protection can be installed in the following combinations:

• Parent and child sites
• Parent site
• Child sites

The administrative control requirements will determine where Forefront Endpoint Protection should be installed:

• For centralized policy creation and control, install Forefront Endpoint Protection on the parent site. When Forefront Endpoint Protection is also installed on the child sites, policies are replicated from the parent site to the child sites. Installing Forefront Endpoint Protection on the child sites allows the administrator to view the FEP dashboard when connected to the child site via the Configuration Manager console.
• To view the Forefront Endpoint Protection Dashboard when connected to a child site via the Configuration Manager console, you must install FEP on the child site.
• For decentralized policy creation and control, install Forefront Endpoint Protection on the child sites. You can optionally install the Forefront Endpoint Protection Reporting role at the parent site for centralized company-wide reporting.

Forefront Endpoint Protection Installed on the Parent and Child Sites

In this deployment, the Forefront Endpoint Protection site server extension components are replicated to the child sites. The creation and management of Forefront Endpoint Protection policies is managed centrally by the administrator of the parent site. The administrator at the child site will see the Forefront Endpoint Protection policies from the parent site, but cannot create, modify, or delete policies.

The following table lists the Forefront Endpoint Protection tasks that can be accomplished when Forefront Endpoint Protection has been installed on the parent and child sites.

Task | Parent site | Child sites
Deploy Forefront Endpoint Protection clients to collections | Yes | Yes
Create or modify Forefront Endpoint Protection policies | Yes | No
Assign Forefront Endpoint Protection policies to collections | Yes | Yes
Monitor Forefront Endpoint Protection client deployment and policy deployment progress | Yes | Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard | Yes | Yes
Forefront Endpoint Protection Reporting | Yes | Yes
Configure Forefront Endpoint Protection alerts | Yes | Yes
Forefront Endpoint Protection Operations | Yes | Yes

Important:

• At a child site there are two FEP – Deployment packages, one from the parent site and one from the child site. When deploying the Forefront Endpoint Protection client software from the child site, you must deploy using the software package from the parent site. The first three letters of the software package's Package ID indicate from which site the software package originates.
• When Forefront Endpoint Protection is installed on the child site first and you install Forefront Endpoint Protection on the parent site afterwards, the FEP – Policies package on the child site is disabled and the FEP – Policies package from the parent site is propagated to the child site. Policies created on the child site no longer exist. Before installing Forefront Endpoint Protection on the parent site, it is recommended that you export the policies from the child site. After installing Forefront Endpoint Protection on the parent site, you can import the policies on the parent site. For more information about importing and exporting policies, see Exporting a Policy and Importing a Policy.
• Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality on the child sites. Repair the Forefront Endpoint Protection installation on each child site after Forefront Endpoint Protection is uninstalled from the parent site.
• FEP clients deployed at the child sites appear only in the following Client Deployment Status categories at the parent site:
  • Deployed
  • Out of date
  The reason for this is that the information for these categories is based on Configuration Manager hardware inventory data that the parent site receives from the child sites. The information for the following deployment categories is based on Configuration Manager advertisements: Removed, Failed, and Pending. Since the parent site is not able to see the advertisements created at a child site, deployment information for these categories is not displayed at the parent site. Full deployment status for FEP client software deployed at child sites can be viewed at the child site.
• Policy distribution status for FEP policies assigned to collections at a child site can take up to 24 hours to display at the parent site.
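As an added example (not from the FEP documentation), the following PowerShell script applies the Package ID rule above at a child site: it queries the Configuration Manager 2007 SMS Provider for the FEP – Deployment packages known there and reports which one originated at the parent site. The site codes, the server name and the package-name filter are assumptions.

```powershell
# Added example, not part of the FEP documentation. Selects the FEP - Deployment
# package that originated at the parent site, as the Important note requires.
# Assumptions: site codes and server name are constructed placeholders, and the
# ConfigMgr 2007 SMS Provider is reachable under root\sms\site_<code>.
param(
    [string]$ChildSiteCode  = 'CH1',         # placeholder: code of this child site
    [string]$ParentSiteCode = 'PAR',         # placeholder: code of the parent site
    [string]$SiteServer     = 'childsite01'  # placeholder: child site server hosting the SMS Provider
)

$namespace = "root\sms\site_$ChildSiteCode"

# SMS_Package lists every software package known at this site, including the copy
# replicated down from the parent. The wildcard avoids matching the dash character
# in the package name literally.
$fepPackages = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace `
                             -Class SMS_Package |
               Where-Object { $_.Name -like 'FEP*Deployment*' }

if (-not $fepPackages) {
    throw "No FEP - Deployment package found at site $ChildSiteCode."
}

# The first three characters of a Package ID are the code of the site that created it.
$report = foreach ($pkg in $fepPackages) {
    $origin = $pkg.PackageID.Substring(0, 3)
    New-Object PSObject -Property @{
        PackageID        = $pkg.PackageID
        Name             = $pkg.Name
        OriginSite       = $origin
        UseForDeployment = ($origin -eq $ParentSiteCode)
    }
}

$report | Format-Table PackageID, Name, OriginSite, UseForDeployment -AutoSize

$parentPackage = @($report | Where-Object { $_.UseForDeployment })
switch ($parentPackage.Count) {
    0       { Write-Warning "No FEP - Deployment package from parent site $ParentSiteCode is present at $ChildSiteCode; do not deploy from the local copy." }
    1       { Write-Host "Deploy the client using package $($parentPackage[0].PackageID), which originated at parent site $ParentSiteCode." }
    default { Write-Warning "More than one package carries the parent site code; verify the site codes before deploying." }
}
```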

Forefront Endpoint Protection Installed on the Child Sites

In this deployment, the administrator at each site needs to manage an independent set of Forefront Endpoint Protection policies. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. For more information about exporting and importing Forefront Endpoint Protection policies, see Exporting a Policy and Importing a Policy.

Note:
You can optionally install the Forefront Endpoint Protection Reporting role at the parent site for centralized company-wide reporting.

The following table lists the Forefront Endpoint Protection tasks that can be accomplished when Forefront Endpoint Protection has been installed at the child sites and the Forefront Endpoint Protection Reporting role has been installed at the parent site.

Task | Parent site | Child sites
Deploy Forefront Endpoint Protection clients to collections | No | Yes
Create or modify Forefront Endpoint Protection policies | No | Yes
Assign Forefront Endpoint Protection policies to collections | No | Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard | No | Yes
Forefront Endpoint Protection Reporting | Yes | Yes
Configure Forefront Endpoint Protection alerts | No | Yes
Forefront Endpoint Protection Operations | No | Yes

Note:
Tasks performed on a child site only affect the devices of that child site.

About Basic Setup

This topic describes the location of the various Forefront Endpoint Protection components that are installed when you select the Basic topology option in the Forefront Endpoint Protection Setup wizard.

Basic Topology

The Basic topology setup wizard option installs the Forefront Endpoint Protection components based upon the Configuration Manager deployment.

No additional hardware is required for this deployment path. The existing Configuration Manager servers will be used. Use this setup option when there is sufficient capacity on the computer running Microsoft SQL Server.

The following table lists the location where each of the Forefront Endpoint Protection components will be installed.

Component | Where installed
Forefront Endpoint Protection Database | SQL Server and instance used for the Configuration Manager database.
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | Configuration Manager site server.
Forefront Endpoint Protection Console Extensions for Configuration Manager | Configuration Manager site server.
Forefront Endpoint Protection Reporting role | SQL Server used for the Configuration Manager reporting services.
Forefront Endpoint Protection Reporting database | SQL Server and instance used for the Configuration Manager database.
Forefront Endpoint Protection Security Client | The Forefront Endpoint Protection client is installed for access to malware metadata.

For more information about installing Forefront Endpoint Protection using the Basic topology option, see Installing Using Basic Setup.

About Basic with Remote Reporting Database Setup

This topic describes the location of the various Forefront Endpoint Protection components that are installed when you select the Basic topology with remote reporting database option in the Forefront Endpoint Protection Setup wizard.

Basic Topology with Remote Reporting Database

The Basic topology with remote reporting database setup wizard option installs the Forefront Endpoint Protection components based upon the Configuration Manager deployment and allows you to specify another Microsoft SQL Server for the Forefront Endpoint Protection Reporting database. When using this wizard, you need to have another Microsoft SQL Server already installed and ready for use.

Use this option when your existing SQL Server is nearing capacity or you want to separate the Forefront Endpoint Protection reporting data from the Configuration Manager data.

The following table lists the location where each of the Forefront Endpoint Protection components will be installed.

Component | Where installed
Forefront Endpoint Protection Database | SQL Server and instance used for the Configuration Manager database
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | Configuration Manager site server
Forefront Endpoint Protection Console Extensions for Configuration Manager | Configuration Manager site server
Forefront Endpoint Protection Reporting role | SQL Server specified during setup
Forefront Endpoint Protection Reporting database | SQL Server specified during setup

For more information about installing Forefront Endpoint Protection using the Basic topology with remote reporting database option, see Installing Using Basic with a Remote Reporting Database Setup.

FEP 2010 Security Management Pack

The Forefront Endpoint Protection Security Management Pack is easy to import into your existing System Center Operations Manager environment. For information about the prerequisites for this management pack, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack. For information about importing this management pack, see Importing the FEP 2010 Security Management Pack.

Forefront Endpoint Protection Client

Forefront Endpoint Protection client deployment refers to the installation and configuration of the Forefront Endpoint Protection client software in your enterprise. Before deploying the Forefront Endpoint Protection client software to computers in your production environment, learn about the deployment process (for more information, see Client Deployment), create a deployment plan based on your organization's security requirements, test your plan in a lab environment, and once you are confident in your plan, proceed to deploy the Forefront Endpoint Protection client software in your production environment.

When planning your deployment, take into consideration the information in the following sections.

Policies

Create Forefront Endpoint Protection policies to match your organization's security settings and apply them to Forefront Endpoint Protection clients. For more information, see About Configuring Clients by Using Policies.

System Requirements

Before deploying the Forefront Endpoint Protection client software, make sure that your client computers meet the minimum system requirements for installation. For more information, see Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The Forefront Endpoint Protection client software requires that you install a Network Inspection System hotfix on client computers running one of the following operating systems:

• Windows Vista Service Pack 1 (SP1)
• Windows Vista Service Pack 2 (SP2)
• Windows 7
• Windows Server 2008
• Windows Server 2008 Service Pack 2 (SP2)
• Windows Server 2008 R2

If this hotfix is not already installed on the computer, the Forefront Endpoint Protection client deployment package installs it. Since this hotfix requires the computer to be restarted, consider downloading hotfix KB981889 (http://go.microsoft.com/fwlink/?LinkID=204112) and deploying it to client computers before deploying the Forefront Endpoint Protection client.

Note:
Network Inspection System (NIS) on the Forefront Endpoint Protection client does not function until the client computer is restarted; however, the antimalware protection functions as normal without a computer restart.

Competitive Uninstall

The Forefront Endpoint Protection client deployment package checks for and uninstalls the existing antimalware client. For a list of antimalware clients that are uninstalled, see Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The following is a list of issues that can interfere with uninstalling an existing antimalware client:

• If the previously installed antimalware client has a tamper-protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation program will not be able to uninstall the existing antimalware client. See the documentation for the previously installed antimalware client for information about tamper protection or other settings you may need to configure before you can successfully uninstall the software.
• If the existing antimalware client is in use by another process when the Forefront Endpoint Protection installation program attempts to uninstall it, the uninstall can fail, and in this instance, the Forefront Endpoint Protection client will not be installed.
• If you use a mechanism to automatically distribute and install antimalware to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use Windows Server Update Services (WSUS) to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

Forefront Endpoint Protection Client Deployment Options

The Forefront Endpoint Protection client software can be deployed in two ways, both of which can be used to deploy Forefront Endpoint Protection to client computers in your organization. For more information on client deployment methods, see FEP 2010.

You can use Configuration Manager distribution to centrally manage and monitor the deployment of Forefront Endpoint Protection to client computers in your existing infrastructure. With this method, you can control to which Configuration Manager collections the client is deployed, and utilize the provided reports to determine deployment status or investigate information about computers on which the client failed to deploy and why.

If you are not using Configuration Manager, have computers that are not managed by Configuration Manager, or you prefer an alternative distribution method, you can manually deploy Forefront Endpoint Protection to client computers. In this scenario, you can apply Forefront Endpoint Protection policies using Setup command line switches. For more information on manually deploying Forefront Endpoint Protection with policies, see Deploying the Client Software by Using the Command Prompt.

Definition Updates

Configure the Forefront Endpoint Protection client software to check for updates from multiple sources. For more information, see Configuring Definition Updates.

Definition update method | More information
Configuration Manager/WSUS | For more information about configuring WSUS for definition updates, see Software Updates and Windows Server Update Services Definition Updates.
Microsoft Update | For more information about configuring Microsoft Updates, see Microsoft Update Definition Updates.
File share | For more information about configuring a file share for definition updates, see File-Share-Based Definition Updates.

About Configuring Clients by Using Policies

Client configuration in Forefront Endpoint Protection can be accomplished in a variety of ways. While it is possible to configure each client by logging on locally, this is typically not practical and can be labor intensive. Additionally, it is a challenge to configure consistent settings for large numbers of clients if you attempt to configure all of the desired settings locally.

In order to help make client configuration consistent and reliable, you are provided with two ways to author policies and four ways to deploy policies. The way you elect to configure clients can be based on your existing environment, or you may want to create the necessary environment in order to deploy client settings based on factors such as policy merge behavior or ease of deployment.

If you are running a server operating system, you can use preconfigured policy templates that contain optimized settings. Additionally, you can use the Forefront Endpoint Protection Group Policy Tool in order to convert policies that are in XML format into a format that can be used by Group Policy. You can also use this tool to merge existing policies into a single policy or to export the FEP configuration settings from a Group Policy object (GPO) into a policy that can be applied to a computer or server locally or by script. For more information about the Forefront Endpoint Protection Group Policy Tool, see Converting FEP Policies to Group Policy. For more information about preconfigured policy templates for FEP on Configuration Manager, see Creating a Policy. For more information about preconfigured policy templates for the Forefront Endpoint Protection Security Management Pack, see About Preconfigured Policy Templates.

Creating and Configuring Policies

Authoring policies consists of both creating a policy and then configuring the settings that you want to deploy to the clients that will receive the policy. Each authoring method produces an output in a different format. The method by which you author a policy may determine the method by which you can deploy a policy. The two methods available for authoring policies are Configuration Manager with Forefront Endpoint Protection installed, and the Group Policy Editor along with the FEP ADMX. For more information about creating and configuring policies by using Configuration Manager with Forefront Endpoint Protection installed, see FEP Policies. For more information about creating policies by using the Forefront Endpoint Protection Group Policy Tool, see Using Group Policy with FEP. For more information about the policy settings that are available through the FEP ADMX, see the FEP ADMX Reference.

You can author policies by using the following methods.

Authoring method: Configuration Manager with Forefront Endpoint Protection installed

Policy can be applied by using:
• Configuration Manager with Forefront Endpoint Protection installed.
• Group Policy. Export the policy from Configuration Manager and then use the Forefront Endpoint Protection Group Policy Tool to import the exported FEP policy into a Group Policy object.
• Script (exported policies).
• FEP client installation (exported policies).

Additional information:
• Policy settings can be exported by using Configuration Manager with Forefront Endpoint Protection installed.
• Exported file format is XML.
• Fewer granular policy settings are available to configure than when using GPEDIT with the FEP ADMX.

Authoring method: GPEDIT with the FEP ADMX

Policy can be applied by using:
• Group Policy.
• Script.
• FEP client installation.

Additional information:
• Policy settings can be exported by using the Forefront Endpoint Protection Group Policy Tool.
• Exported file format is XML.
• Granular policy settings are available with the FEP ADMX.

Deploying Policies

In order to apply configurations to clients, Forefront Endpoint Protection provides four ways to deploy policies. You can decide on a single way to deploy policies or use a combination of ways. For example, if you typically use Group Policy to configure and deploy policies, you might want to continue to use that method in order to deploy FEP policies. Or, you may prefer to use Configuration Manager in order to manage your FEP client settings. Additionally, you might also have non-domain-joined servers that also must receive policy settings. You can install policy settings locally on those servers, or install them by using a script.

Warning:
It is not recommended to use both Configuration Manager and Group Policy in order to apply policy settings on the same client. Because Configuration Manager writes to the local policy of the computer, policy configurations deployed via Group Policy will take precedence over any conflicting FEP local policy settings.

You can deploy policies by using the following methods.

Policy deployment method: Configuration Manager with Forefront Endpoint Protection installed
Policy settings merge behavior: Policy merging is not available.
Policies authored by:
• Only by Configuration Manager with Forefront Endpoint Protection installed.
Additional information:
• Only one policy can be applied to a computer at any given time.
• FEP policies are written to the local policy settings.
• If FEP GPO policy settings are also applied to the same computer, any conflicting FEP GPO policy settings will take precedence over settings that are configured by FEP policy.

Policy deployment method: Group Policy
Policy settings merge behavior: Policy merging is available.
Policies authored by:
• GPEDIT and ADMX.
• Settings contained in FEP policy XML files can be imported by using the Forefront Endpoint Protection Group Policy Tool.
Additional information:
• Policies merge according to Group Policy precedence order and policy filtering.
• FEP GPO policy settings take precedence over local policy settings.

Policy deployment method: MSI install with parameter switch
Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
Policies authored by:
• The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed.
• Preconfigured policies from the Microsoft Download Center.
• Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
Additional information:
• FEP settings are written to the local policy.
• FEP GPO policy settings take precedence over the local policy settings.

Policy deployment method: Script
Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
Policies authored by:
• The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed.
• Preconfigured policies from the Microsoft Download Center.
• Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
Additional information:
• FEP settings are written to the local policy.
• FEP GPO policy settings take precedence over the local policy settings.

Planning for Definition Updates

Computers running the FEP client software automatically check for definition updates according to

the schedule defined by the policy that is deployed to them.

When you are planning for definition updates in your environment, you should consider the

following factors:

• For Software Update or Windows Server Update Services definition updates:

• Ensure you have configured your network to allow communication between the

computer running Windows Server Update Services (WSUS) and the internet. For

more information about how to configure your network for WSUS, see Configure the

Network (http://go.microsoft.com/fwlink/?LinkId=206718) in the WSUS

documentation.

• You must either manually approve each definition update downloaded from

Microsoft Update to your WSUS server, or you can configure an automatic approval

rule. For more information about automatic approval rules, see Software Updates

and Windows Server Update Services Definition Updates.

• You should consider branch office locations and WSUS server locations. If you have

client computers distributed among branch offices, depending on the network

connection speed and utilization, it may be more efficient to configure those client

computers to retrieve definition updates directly from Microsoft Update.

• For Microsoft Update definition updates:

• If you plan to support direct update via Microsoft Update, ensure that you have the

appropriate network ports opened for communication to the Microsoft Update

servers.

Tip:

To ensure that your client computers always have the latest definition updates, you should enable

direct updates via Microsoft Update for all client computers, not just portable computers. For

more information about configuring client computers for Microsoft Update, see Microsoft Update

Definition Updates.

• For File-Share-Based definition updates:

• When you configure clients to check a file share for definition updates, by default,

clients check the file share first, before checking WSUS or Microsoft Update. This

order can be changed. For more information, see Configuring Definition Updates.

• Ensure that the client computers connecting to the share in which you stored the

definition files have Read permissions.


• There are two files to download for each architecture (either x86 or x64):

• The antimalware definitions

• The network-based exploit definitions

Ensure you download both files for both architectures, and then save those files without renaming

them according to the steps described in File-Share-Based Definition Updates.

Migrating from Forefront Client Security to Forefront Endpoint Protection

The management infrastructure of Forefront Endpoint Protection (FEP) is built on the System Center

family of products, while the management infrastructure of Forefront Client Security (FCS) runs on a

customized version of Microsoft Operations Manager 2005.

Because the management infrastructure on which these programs run is different, you cannot

directly upgrade from FCS to FEP. In order to migrate from FCS to FEP, you must perform the

following steps:

1. In the FCS console, document the settings for each policy you want to preserve for FEP.

2. In WSUS, unapprove all of the FCS client installation packages. These packages are listed as

follows:

• Classification: Updates

• Product: Forefront Client Security

The updates have names in the following format:

Client Update for Microsoft Forefront Client Security (1.0.xxxx.0)

where xxxx is the specific build number for each package. You must unapprove all of the updates.

Caution:

You should not uninstall the FCS client software. Doing so would leave your client computers

unprotected. When you deploy the FEP client software, the FEP client software uninstalls the FCS

client software for you.

3. Install a new FEP installation on a System Center Configuration Manager server. For steps

explaining how to do this, see FEP 2010.

4. Create FEP policies that contain the settings that you want to continue to enforce on your

client computers. For more information about FEP policies, see Configuring Client Settings by

Using Policies.

5. Deploy the FEP client software to the computers in your organization that are running the

FCS client software. For steps on how to deploy the FEP client software, see FEP 2010.


The FEP client software uninstalls the FCS client software before installing. For more

information, see FEP 2010.

Important:

The uninstall of the FCS client software also uninstalls the Microsoft Operations Manager 2005

agent.

6. After you confirm that all computers running the FCS client software are successfully running

the FEP client software, you should undeploy the FCS policies. In the FCS console, undeploy

the policy you created to install the FCS client software. For more information about

monitoring FEP client software deployment, see Validating Deployment. For more

information about undeploying FCS policies, see Removing an existing installation of Client

Security (http://go.microsoft.com/fwlink/?LinkId=206850).

Important:

If you uninstall the FCS management infrastructure (the management, collection, collection

database, reporting, and reporting database roles), the data stored in the reporting database is

no longer accessible.

In order to preserve the historical reporting information stored in the FCS reporting database, you

should not uninstall your FCS management infrastructure until you no longer need this data.
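Step 2 above identifies the FCS client installation packages by classification, product, and a title pattern. The following added Python example (not part of the Microsoft documentation) applies those three filters to a constructed list of WSUS update records and reports which packages are still approved; the WsusUpdate class, the "Definition Update" decoy title and the build numbers are assumptions for illustration, not the WSUS API or real FCS releases.

```python
"""Find the FCS client installation packages that still need to be
unapproved in WSUS (migration step 2).

Added example, not part of the original documentation. The WSUS
records below are constructed sample data; a real run would feed in
titles, classifications and products read from the WSUS console.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Name format given in the migration steps. The capture group is the
# 1.0.xxxx.0 build number that differs per package (digit count of
# xxxx is not fixed by the documentation, so any run of digits is accepted).
FCS_CLIENT_UPDATE_RE = re.compile(
    r"^Client Update for Microsoft Forefront Client Security \((1\.0\.\d+\.0)\)$"
)


@dataclass(frozen=True)
class WsusUpdate:
    """Minimal view of a WSUS update record (constructed, not the WSUS API)."""
    title: str
    classification: str
    product: str
    approved: bool


def is_fcs_client_package(update: WsusUpdate) -> bool:
    """True when an update is an FCS client installation package.

    All three criteria from the migration steps must hold: classification
    Updates, product Forefront Client Security, and a title in the
    documented format. A title match alone is not trusted, so an FCS
    definition update or an unrelated product is never flagged.
    """
    return (
        update.classification == "Updates"
        and update.product == "Forefront Client Security"
        and FCS_CLIENT_UPDATE_RE.match(update.title) is not None
    )


def fcs_packages_to_unapprove(updates: Iterable[WsusUpdate]) -> List[Tuple[str, str]]:
    """Return (title, build) for every FCS client package that is still approved.

    Sorted by build so the operator can tick them off against the WSUS
    console; an empty list means step 2 is complete.
    """
    pending = []
    for update in updates:
        if is_fcs_client_package(update) and update.approved:
            build = FCS_CLIENT_UPDATE_RE.match(update.title).group(1)
            pending.append((update.title, build))
    return sorted(pending, key=lambda item: item[1])


# Constructed sample of what a WSUS listing might contain. Build numbers
# are placeholders, not real FCS releases.
SAMPLE_UPDATES = [
    WsusUpdate("Client Update for Microsoft Forefront Client Security (1.0.1703.0)",
               "Updates", "Forefront Client Security", approved=True),
    WsusUpdate("Client Update for Microsoft Forefront Client Security (1.0.1725.0)",
               "Updates", "Forefront Client Security", approved=True),
    WsusUpdate("Client Update for Microsoft Forefront Client Security (1.0.1691.0)",
               "Updates", "Forefront Client Security", approved=False),
    # Same product, different classification (constructed title): must stay
    # approved so FCS clients keep receiving definitions until FEP replaces them.
    WsusUpdate("Definition Update for Microsoft Forefront Client Security",
               "Definition Updates", "Forefront Client Security", approved=True),
    # Unrelated product whose title happens to match the pattern.
    WsusUpdate("Client Update for Microsoft Forefront Client Security (1.0.1703.0)",
               "Updates", "Some Other Product", approved=True),
]

if __name__ == "__main__":
    for title, build in fcs_packages_to_unapprove(SAMPLE_UPDATES):
        print(f"unapprove: {title}  (build {build})")
```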

9. Server Installation

The Microsoft Forefront Endpoint Protection 2010 installation content helps you install Forefront

Endpoint Protection using the supported topologies. This section includes the following main topics:

• FEP 2010

• FEP 2010 Security Management Pack

FEP 2010

Installation of Microsoft Forefront Endpoint Protection 2010 consists of downloading Forefront

Endpoint Protection, verifying prerequisites, installing the Forefront Endpoint Protection server, and

validating that the installation was successful.

The steps required to install Forefront Endpoint Protection are described in this section.

Overview of Installing Forefront Endpoint Protection

Install Forefront Endpoint Protection by completing the following steps in order:

• Step 1—Download and expand Forefront Endpoint Protection from the Forefront Endpoint

Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).


Important:

The path to where Setup files are located must only contain ASCII characters.

• Step 2—Verify that your environment meets the prerequisites. For more information, see

Prerequisites for Installing Forefront Endpoint Protection on a Server.

Important:

If you are installing Forefront Endpoint Protection on a server using one of the following

topologies, the Forefront Endpoint Protection client software is deployed on the computer where

Setup is run:

• Basic topology

• Basic topology with remote reporting database

• Advanced topology with FEP 2010 Reporting and Alerts

Therefore, before proceeding with this installation, you need to verify that the computer where

Setup is run also meets the client software’s prerequisites. For more information, see

Prerequisites for Deploying Forefront Endpoint Protection on a Client.

Additionally, the deployment of the client software can require the computer to be restarted. If

you are prompted to restart your computer, you must wait for Setup to complete before

restarting.

• Step 3—Install the Forefront Endpoint Protection server. For more information, see

Installation Options.

Warning:

If you are installing the Forefront Endpoint Protection databases on a SQL Server cluster and the

active cluster node fails during installation, Setup can fail to complete as expected.

Important:

If Setup is run on a Configuration Manager site server with the Configuration Manager agent

running and the topology specified in Step 2 requires the Forefront Endpoint Protection client to

be installed, the customized settings need to be reapplied to the Forefront Endpoint Protection

client. For more information, see Configuring the Client Software on a Configuration Manager Site

Server.


Note:

If you choose to update from Microsoft Update when finishing Setup, the wizard can take several

minutes to close and appears as if it is frozen.

• Step 4—Validate that the installation succeeded. For more information, see Validating

Installation.

Installation Options

This section provides procedures to help you install Forefront Endpoint Protection. You can choose

from several different installation topologies, or you can install one or more stand-alone instances of

the Forefront Endpoint Protection console. For more information about topologies, see Choosing

Your Setup.

The following table is a list of step-by-step procedures for installing Forefront Endpoint Protection.

Procedure: Installing Using Basic Setup

Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment.

Procedure: Installing Using Basic with a Remote Reporting Database Setup

Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment. In addition, you can specify an alternative Microsoft SQL Server computer name for the Forefront Endpoint Protection reporting configuration.

Procedure: Installing Using Advanced Setup

Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment and lets you specify the features that you want to install. In addition, you can specify alternative Microsoft SQL Server computer names for the Forefront Endpoint Protection database and reporting configuration settings.

Installing Using Basic Setup

This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic

topology.


Prerequisites

Before you install Forefront Endpoint Protection server, make sure that your environment meets all

the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint

Protection on a Server.

To install the Forefront Endpoint Protection server

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta

from the autorun folder in the root of the DVD.

2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

3. On the Welcome page:

a. In the Name box, type your name.

b. In the Organization box, type the name of your organization, and then click Next.

4. On the Microsoft Software License Terms page, review the license agreement. If you accept

the terms and conditions, select the I accept the software license terms check box, and then

click Next.

5. On the Installation Options page, select Basic topology, and then click Next.

6. On the Reporting Configuration page, under SQL Reporting Services reporting execution

account:

a. In the URL box, verify the URL of your reporting server.

b. In the User name box, verify the name of the user account that is used to connect to the

reporting server.

Note:

If you specify a domain administrator account, a warning message appears.

c. In the Password box, type the password for the specified user account, and then click

Next.

7. On the Updates and Customer Experience Options page:

• If you want to update your Forefront Endpoint Protection installation automatically,

select the Use Microsoft Update to keep my products up to date check box.

• If you want to participate in improving the product by anonymously providing

hardware and usage information, select the Join the Customer Experience

Improvement Program option, and then click Next.


8. On the Microsoft SpyNet Policy Configuration page:

• If you want to participate in improving the antimalware abilities of the Forefront

Endpoint Protection client by providing basic telemetry information about detected

malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet

membership. This option is selected by default.

• If, in addition to the basic SpyNet membership, you want to provide advanced

telemetry information about potential malware, select the Join Microsoft SpyNet

check box, click Advanced SpyNet membership, and then click Next.

Important:

These options affect the settings in the Forefront Endpoint Protection default policies. For

information about modifying policies, see Configuring Client Settings by Using Policies.

9. On the Installation Location page, specify the root folder for the installation, and then click

Next.

10. On the Prerequisites Verification page, review the verification results, and then click Next. If

there are verifications that failed, in the row of each failed verification, in the Details column,

click More to determine the cause, and then take appropriate action.

11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation

successfully completes, click Next.

Important:

If you are prompted to restart your computer, you must wait for Setup to complete before

restarting.

12. On the Installation Complete page, click Finish.

Important:

As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client

is installed with customized settings on the Configuration Manager Site Server. If the

Configuration Manager agent is installed on this server, or you did not install Configuration

Manager or SQL Server using the default locations, or you did not use the default SQL Server

instance, you must recreate or modify the customized settings. For more information, see

Configuring the Client Software on a Configuration Manager Site Server.


Next Steps

Once you have completed the installation, you should validate the installation. For more information,

see Validating Installation.

Installing Using Basic with a Remote Reporting Database Setup

This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic

topology with remote reporting database.

Prerequisites

Before you install Forefront Endpoint Protection server, make sure that your environment meets all

the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint

Protection on a Server.

To install the Forefront Endpoint Protection server

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta

from the autorun folder in the root of the DVD.

2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

3. On the Welcome page:

a. In the Name box, type your name.

b. In the Organization box, type the name of your organization, and then click Next.

4. On the Microsoft Software License Terms page, review the license agreement. If you accept

the terms and conditions, select the I accept the software license terms check box, and then

click Next.

5. On the Installation Options page, select Basic topology with remote reporting database,

and then click Next.

6. On the Reporting Configuration page:

a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings

i. In the Computer box, verify the name of the reporting database computer.

ii. In the Instance box, verify the name of the reporting database instance.

iii. In the Database name box, accept the default name of the reporting

database.


iv. If you are reinstalling and you want to reuse the existing database, select the

Reuse existing database check box.

Important:

If you select this option, you must use the original database name and verify that it exists on the

specified SQL Server instance on the specified computer.

b. Under SQL Reporting Services reporting execution account

i. In the URL box, verify the URL of your reporting server.

ii. In the User name box, verify the name of the user account that is used to

connect to the reporting server.

Note:

If you specify a domain administrator account, a warning message appears.

iii. In the Password box, type the password for the specified user account, and

then click Next.

7. On the Updates and Customer Experience Options page:

• If you want to update your Forefront Endpoint Protection installation automatically,

select the Use Microsoft Update to keep my products up to date check box.

• If you want to participate in improving the product by anonymously providing

hardware and usage information, select the Join the Customer Experience

Improvement Program option, and then click Next.

8. On the Microsoft SpyNet Policy Configuration page:

• If you want to participate in improving the antimalware abilities of the Forefront

Endpoint Protection client by providing basic telemetry information about detected

malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet

membership. This option is selected by default.

• If, in addition to the basic SpyNet membership, you want to provide advanced

telemetry information about potential malware, select the Join Microsoft SpyNet

check box, click Advanced SpyNet membership, and then click Next.

Important:

These options affect the settings in the Forefront Endpoint Protection default policies. For


information about modifying policies, see Configuring Client Settings by Using Policies.

9. On the Installation Location page, specify the root folder for the installation, and then click

Next.

10. On the Prerequisites Verification page, review the verification results, and then click Next. If

there are verifications that failed, in the row of each failed verification, in the Details column,

click More to determine the cause, and then take appropriate action.

11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation

successfully completes, click Next.

Important:

If you are prompted to restart your computer, you must wait for Setup to complete before

restarting.

12. On the Installation Complete page, click Finish.

Important:

As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client

is installed with customized settings on the Configuration Manager Site Server. If the

Configuration Manager agent is installed on this server, or you did not install Configuration

Manager or SQL Server using the default locations, or you did not use the default SQL Server

instance, you must recreate or modify the customized settings. For more information, see

Configuring the Client Software on a Configuration Manager Site Server.

Next Steps

Once you have completed the installation, you should validate the installation. For more information,

see Validating Installation.

Installing Using Advanced Setup

Using the advanced topology enables you to install individual Forefront Endpoint Protection features.

Since you can select one or more of these features during the advanced topology installation, the

steps relevant to each feature are described separately.

The following is a list of the step-by-step procedures for the advanced topology features:

• To install Configuration Manager Site Server FEP 2010 Extension

• To install FEP 2010 Reporting and Alerts


Warning:

If you are not installing this feature on a Configuration Manager site server, you must perform the

following on the servers running the Configuration Manager site server and Configuration

Manager WMI Provider roles:

1. Configure DCOM permissions. For more information, see How to Configure DCOM

Permissions for Configuration Manager Console Connections

(http://go.microsoft.com/fwlink/?LinkId=206626).

2. Add the computer on which you are installing Forefront Endpoint Protection

reporting to the local SMS Admins security group.

Note:

This feature installs the configuration baselines and configuration items that are used to collect

reporting and alerting data. If you are installing on a parent Configuration Manager site, the

configuration baselines and configuration items are overwritten in the children sites.

• To install Configuration Manager Console Extension for FEP 2010

Prerequisites

Before you install Forefront Endpoint Protection on a server, make sure that your environment

meets all the minimum requirements. For more information, see Prerequisites for Installing

Forefront Endpoint Protection on a Server.

To install the Configuration Manager Site Server FEP 2010 Extension

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta

from the autorun folder in the root of the DVD.

2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

3. On the Welcome page:

a. In the Name box, type your name.

b. In the Organization box, type the name of your organization, and then click Next.

4. On the Microsoft Software License Terms page, review the license agreement. If you accept

the terms and conditions, select the I accept the software license terms check box, and then

click Next.

5. On the Installation Options page, select Advanced topology, and then click Next.


6. On the Advanced Topology page, select Configuration Manager Site Server FEP 2010

Extension, and then click Next.

7. On the Updates and Customer Experience Options page:

• If you want to update your Forefront Endpoint Protection installation automatically,

select the Use Microsoft Update to keep my products up to date check box.

• If you want to participate in improving the product by anonymously providing

hardware and usage information, select the Join the Customer Experience

Improvement Program option, and then click Next.

8. On the Microsoft SpyNet Policy Configuration page:

• If you want to participate in improving the antimalware abilities of the Forefront

Endpoint Protection client software by providing basic telemetry information about

detected malware, select the Join Microsoft SpyNet check box, and then click Basic

SpyNet membership. This option is selected by default.

• If, in addition to the basic SpyNet membership, you want to provide advanced

telemetry information about potential malware, select the Join Microsoft SpyNet

check box, click Advanced SpyNet membership, and then click Next.

Important:

These options affect the settings in the Forefront Endpoint Protection default policies. For

information about modifying policies, see Configuring Client Settings by Using Policies.

9. On the Installation Location page, specify the root folder for the installation, and then click

Next.

10. On the Prerequisites Verification page, review the verification results, and then click Next. If

there are verifications that failed, in the row of each failed verification, in the Details column,

click More to determine the cause, and then take appropriate action.

11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation

successfully completes, click Next.

12. On the Installation Complete page, click Finish.

To install FEP 2010 Reporting and Alerts

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta

from the autorun folder in the root of the DVD.

2. Select your preferred language, and then click FEP 2010.


The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

3. On the Welcome page:

a. In the Name box, type your name.

b. In the Organization box, type the name of your organization, and then click Next.

4. On the Microsoft Software License Terms page, review the license agreement. If you accept

the terms and conditions, select the I accept the software license terms check box, and then

click Next.

5. On the Installation Options page, select Advanced topology, and then click Next.

6. On the Advanced Topology page, select FEP 2010 Reporting and Alerts, and then click Next.

7. On the Configuration Manager Site Server Settings page, verify the name of the

Configuration Manager site server, and then click Next. If you want to view more details

about the site server, click Details.

8. On the Forefront Endpoint Protection 2010 Server Database Configuration page, verify the

name of the Forefront Endpoint Protection database, and then click Next.

9. On the Reporting Configuration page:

a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings:

i. In the Computer box, verify the name of the reporting database computer.

ii. In the Instance box, verify the name of the reporting database instance.

iii. In the Database name box, accept the default name of the reporting

database.

iv. If you are reinstalling and you want to reuse the existing database, select the

Reuse existing database check box.

Important:

If you select this option, you must use the original database name and verify that it exists on the

specified SQL Server instance on the specified computer.

b. Under SQL Reporting Services reporting execution account:

i. In the URL box, verify the URL of your reporting server.

ii. In the User name box, verify the name of the user account that is used to

connect to the reporting server.


Note:

If you specify a domain administrator account, a warning message appears.

iii. In the Password box, type the password for the specified user account, and

then click Next.

10. On the Updates and Customer Experience Options page:

• If you want to update your Forefront Endpoint Protection installation automatically,

select the Use Microsoft Update to keep my products up to date check box.

• If you want to participate in improving the product by anonymously providing

hardware and usage information, select the Join the Customer Experience

Improvement Program option, and then click Next.

11. On the Microsoft SpyNet Policy Configuration page:

• If you want to participate in improving the antimalware abilities of the Forefront

Endpoint Protection client software by providing basic telemetry information about

detected malware, select the Join Microsoft SpyNet check box, and then click Basic

SpyNet membership. This option is selected by default.

• If, in addition to the basic SpyNet membership, you want to provide advanced

telemetry information about potential malware, select the Join Microsoft SpyNet

check box, click Advanced SpyNet membership, and then click Next.

12. On the Installation Location page, specify the root folder for the installation, and then click

Next.

13. On the Prerequisites Verification page, review the verification results, and then click Next. If

there are verifications that failed, in the row of each failed verification, in the Details column,

click More to determine the cause, and then take appropriate action.

14. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation

successfully completes, click Next.

Important:

If you are prompted to restart your computer, you must wait for Setup to complete before

restarting.

15. On the Installation Complete page, click Finish.


Important:

As part of the FEP 2010 Reporting and Alerts installation, the Forefront Endpoint Protection client

software is installed with customized settings. If you are installing Forefront Endpoint Protection

on your Configuration Manager site server, and either the Configuration Manager agent is

installed on this server, or you did not install Configuration Manager or SQL Server using the

default locations, or you did not use the default SQL Server instance, you must recreate or modify

the customized settings. For more information, see Configuring the Client Software on a

Configuration Manager Site Server.

To install the Configuration Manager Console Extension for FEP 2010

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta

from the autorun folder in the root of the DVD.

2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

3. On the Welcome page:

a. In the Name box, type your name.

b. In the Organization box, type the name of your organization, and then click Next.

4. On the Microsoft Software License Terms page, review the license agreement. If you accept

the terms and conditions, select the I accept the software license terms check box, and then

click Next.

5. On the Installation Options page, select Advanced topology, and then click Next.

6. On the Advanced Topology page, select Configuration Manager Console Extension for FEP

2010, and then click Next.

7. On the Installation Location page, specify the root folder for the installation, and then click

Next.

8. On the Prerequisites Verification page, review the verification results, and then click Next. If

there are verifications that failed, in the row of each failed verification, in the Details column,

click More to determine the cause, and then take appropriate action.

9. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation

successfully completes, click Next.

10. On the Installation Complete page, click Finish.


Next Steps

Once you have completed the installation, you should validate the installation. For more information,

see Validating Installation.

Validating Installation

Once you have completed the installation, you can validate the installation by checking for Forefront

Endpoint Protection in the Configuration Manager console, or by examining the log files created by

Setup.

To Verify the Forefront Endpoint Protection Server Installation

1. Open the Configuration Manager console.

Note:

If the Configuration Manager console was open during the Forefront Endpoint Protection server

installation, close and then reopen the console.

2. In the Configuration Manager console, verify that the following are present:

• The Forefront Endpoint Protection collections—Expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand

Collections, expand FEP collections, and then check for the following collections:

• Definition Status

• Deployment Status

• Operations

• Policy Distribution Status

• Protection Status

• Security Status

• The Forefront Endpoint Protection packages—Expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand Software

Distribution, click Packages, and then check for the following packages in the

preview pane:

• FEP - Deployment

• FEP - Operations

• FEP - Policies


• The Forefront Endpoint Protection Desired Configuration Management configuration

baselines—Expand System Center Configuration Manager, expand Site Database,

expand Computer Management, click Desired Configuration Management, click

Configuration Baselines, and then check for the following configuration baselines in

the preview pane:

• FEP - High-Security Desktop

• FEP - Laptop

• FEP - Performance-Optimized Desktop

• FEP - Standard Desktop

• FEP Monitoring - Antimalware Status

• FEP Monitoring - Definitions and Health Status

• FEP Monitoring - Malware Activity

• FEP Monitoring - Malware Detections

• The Forefront Endpoint Protection node—Expand System Center Configuration

Manager, expand Site Database, expand Computer Management, click Forefront

Endpoint Protection, and then check for the following:

• In the preview pane, the Forefront Endpoint Protection Dashboard

• The Policies child node

• The Alerts child node

• The Reports child node
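The console checks above can also be scripted, which is useful when validating several sites. The following PowerShell script is an added example and is not part of the Forefront Endpoint Protection documentation or Microsoft's tooling: it queries the Configuration Manager 2007 SMS Provider over WMI (the SMS_Collection and SMS_Package classes) for the collections and packages Setup is expected to create and reports any that are missing. The site server name and site code are placeholders you must replace, and the collection and package names are taken from the lists above (if your site shows the collections with a prefix, adjust the list). The configuration baselines and the Forefront Endpoint Protection node are still checked in the console as described.

```powershell
# Added example, not from the FEP documentation: check that the FEP collections and
# packages created by Setup exist, by querying the Configuration Manager SMS Provider.
param(
    [string]$SiteServer = 'CM01',   # assumption: replace with your site server name
    [string]$SiteCode   = 'ABC'     # assumption: replace with your three-letter site code
)

$namespace = "root\SMS\site_$SiteCode"

# Object names the documentation says Setup creates.
$expectedCollections = @(
    'Definition Status', 'Deployment Status', 'Operations',
    'Policy Distribution Status', 'Protection Status', 'Security Status'
)
$expectedPackages = @('FEP - Deployment', 'FEP - Operations', 'FEP - Policies')

# Collections are exposed as SMS_Collection and packages as SMS_Package.
$collections = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Class SMS_Collection |
    Select-Object -ExpandProperty Name
$packages = Get-WmiObject -ComputerName $SiteServer -Namespace $namespace -Class SMS_Package |
    Select-Object -ExpandProperty Name

$missing = @()
foreach ($name in $expectedCollections) {
    if ($collections -notcontains $name) { $missing += "collection '$name'" }
}
foreach ($name in $expectedPackages) {
    if ($packages -notcontains $name) { $missing += "package '$name'" }
}

if ($missing.Count -eq 0) {
    Write-Output 'All expected FEP collections and packages are present.'
} else {
    # A missing object usually means Setup did not finish; see the Setup logs below.
    Write-Warning ('Setup validation failed; missing: ' + ($missing -join ', '))
    exit 1
}
```

Run the script on the site server, or from a workstation with the Configuration Manager console installed, using an account that has read access to the SMS Provider; a non-zero exit code marks the site as failing validation.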

Installation Log Files

During installation, Forefront Endpoint Protection uses log files that can be helpful in locating and resolving issues. Log files are in text format and you can view them by using a text editor.

Server log files are located in the following location:

• If you installed Forefront Endpoint Protection on Windows Server 2003, %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server
• If you installed Forefront Endpoint Protection on Windows Server 2008, %ProgramData%\Microsoft Forefront\Support\Server

The file names are in the following format:

LogFileName_Date_Time.log

where the following is true:

• LogFileName is the name of the log file.
• Date is the day, month, and year the log was created, in the format DDMMYYYY.
• Time is the hour, minute, and second the log file was created, in the format HHMMSS.

The following table lists setup log files and the components with which they are associated.

Log file                                               File name
Forefront Endpoint Protection Site Server Extensions   FEPExt_xxx_xxx.log
Forefront Endpoint Protection Reporting Components     FepReport_xxx_xxx.log
Forefront Endpoint Protection Console Extensions       FEPUX_xxx_xxx.log
Forefront Endpoint Protection Setup                    ServerSetup_xxx_xxx.log

Client log files are, by default, located in the following location:

• If you installed Forefront Endpoint Protection on Windows XP, Windows Vista or Windows 2003, %allusersprofile%\Microsoft\Microsoft Security Client\Support
• If you installed Forefront Endpoint Protection on Windows 7 or Windows Server 2008, %ProgramData%\Microsoft\Microsoft Security Client\Support

The following table lists the client setup log files.

File name
MSSecurityClient_Setup_epp_install.log
MSSecurityClient_Setup_FEP_install.log
MSSecurityClient_Setup_mp_ambits_install.log
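As an added example that is not part of the Forefront Endpoint Protection documentation, the following PowerShell function locates the Setup log folder for the server or client role using the locations listed above, parses the LogFileName_Date_Time.log naming scheme (DDMMYYYY and HHMMSS) so the newest log of each component can be picked out, and then scans that log for lines that look like failures. The 'error|fail' search pattern is an assumption; the page does not describe the contents of the log files.

```powershell
# Added example, not from the FEP documentation: find the FEP Setup logs, parse the
# LogFileName_DDMMYYYY_HHMMSS.log naming scheme and scan the newest log per component.

function Get-FepSetupLog {
    param([ValidateSet('Server', 'Client')][string]$Role = 'Server')

    # Documented log locations. Windows Server 2008 / Windows 7 define %ProgramData%;
    # Windows Server 2003 / XP do not, so fall back to the %AllUsersProfile% form.
    $folder = if ($Role -eq 'Server') {
        if ($env:ProgramData) { Join-Path $env:ProgramData 'Microsoft Forefront\Support\Server' }
        else { Join-Path $env:AllUsersProfile 'Application Data\Microsoft Forefront\Support\Server' }
    } else {
        if ($env:ProgramData) { Join-Path $env:ProgramData 'Microsoft\Microsoft Security Client\Support' }
        else { Join-Path $env:AllUsersProfile 'Microsoft\Microsoft Security Client\Support' }
    }
    if (-not (Test-Path $folder)) { throw "Log folder not found: $folder" }

    # Server Setup logs follow LogFileName_DDMMYYYY_HHMMSS.log.
    $pattern = '^(?<name>.+)_(?<date>\d{8})_(?<time>\d{6})\.log$'
    Get-ChildItem -Path $folder -Filter '*.log' | ForEach-Object {
        if ($_.Name -match $pattern) {
            New-Object PSObject -Property @{
                Component = $Matches['name']
                Created   = [datetime]::ParseExact($Matches['date'] + $Matches['time'], 'ddMMyyyyHHmmss', $null)
                Path      = $_.FullName
            }
        } else {
            # Client setup logs (MSSecurityClient_Setup_*.log) carry no timestamp in the name,
            # so use the file system timestamp instead.
            New-Object PSObject -Property @{
                Component = $_.BaseName
                Created   = $_.LastWriteTime
                Path      = $_.FullName
            }
        }
    }
}

# Newest log per component, and the lines in it that look like failures.
# The 'error|fail' pattern is an assumption; the page does not document the log line format.
Get-FepSetupLog -Role Server |
    Group-Object Component |
    ForEach-Object {
        $latest = $_.Group | Sort-Object Created -Descending | Select-Object -First 1
        Write-Output ('{0}: {1} (created {2})' -f $latest.Component, $latest.Path, $latest.Created)
        Select-String -Path $latest.Path -Pattern 'error|fail' |
            ForEach-Object { Write-Output ('    line {0}: {1}' -f $_.LineNumber, $_.Line.Trim()) }
    }
```

Change `-Role Server` to `-Role Client` on an endpoint to inspect the MSSecurityClient_Setup_*.log files instead; because several Setup runs leave several timestamped files behind, picking the newest per component avoids reading stale failures from an earlier attempt.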


Configuring the Client Software on a Configuration Manager Site Server

As part of the Forefront Endpoint Protection installation on the Configuration Manager site server, the Forefront Endpoint Protection client is installed with customized settings. In the following situations, you must recreate or modify the Forefront Endpoint Protection client customized settings:

• If you install Forefront Endpoint Protection on a Configuration Manager site server running the Configuration Manager agent, the customized settings are overwritten by the Default Server Policy and can adversely affect the operation of your Configuration Manager site server. To remediate, you must create a new policy and apply it to the Configuration Manager site server. For more information, see “Creating and applying the customized policy” later.
• If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environment’s settings. For more information, see “Updating customized settings” later.

Creating and applying the customized policy

1. Create a new Forefront Endpoint Protection policy using the FEP Configuration Manager 2007 including Defaults template. For more information, see Creating a Policy.

2. If Microsoft SQL Server is installed on the Configuration Manager site server computer, edit the policy, click Antimalware, click Excluded processes, and add the relevant processes from the following table. For more information about editing policies, see Editing a Policy.

SQL Server version   Processes
SQL Server 2008      • %programfiles%\Microsoft SQL Server\MSSQL10.<instance>\MSSQL\Binn\SQLServr.exe
                     • %programfiles%\Microsoft SQL Server\MSAS10.<instance>\OLAP\Bin\MSMDSrv.exe
                     • %programfiles%\Microsoft SQL Server\MSRS10.<instance>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
SQL Server 2005      • %programfiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
                     • %programfiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
                     • %programfiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe

where <instance> is the name of your SQL Server instance. The default SQL Server instance is MSSQLSERVER.

3. Select an existing, or create a new, collection in which the Configuration Manager site server is the only member. If you need to create the collection, do the following:

   a. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Collections, and then in the Actions pane, click New Collection.

   b. Complete the New Collection Wizard that appears, as follows:

      i. On the General page, type the name for the collection.
      ii. On the Membership Rules page, click the icon with a computer image.
      iii. Complete the Create Direct Membership Rule Wizard that appears, as follows:
         1. On the Search for Resources page, do the following:
            - In the Resource class list, click System Resource.
            - In the Attribute name list, click Name.
            - In the Value box, type the name of your Configuration Manager site server computer.
         2. On the Collection Limiting page, in the Search in this collection box, enter All Systems.
         3. On the Select Resource page, in the Resources list, select the name of your Configuration Manager site server computer.

4. Assign the new policy to the collection. For more information, see Assigning a Policy to Endpoint Computers.

Important:
If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environment’s settings.

Updating customized settings

If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environment’s settings. To update your customized settings, edit the relevant policy or the settings on the Forefront Endpoint Protection client, and modify the paths specified in the following sections:

• Excluded files and locations
• Excluded processes

Note:
This is only required if Microsoft SQL Server is installed on the Configuration Manager site server computer.
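Both the process exclusion table in “Creating and applying the customized policy” and the note in “Updating customized settings” above turn on two facts about the site server: which SQL Server instance IDs are installed and whether the binaries sit under %programfiles%. The following PowerShell is an added example and not part of the Forefront Endpoint Protection documentation: it reads the instance IDs that SQL Server Setup records under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names (MSSQL10.<instance> on SQL Server 2008, MSSQL.n on SQL Server 2005), builds the three process paths from them, and flags any executable that is not where the default-location table expects it, which is exactly the case in which the customized settings must be corrected by hand. The OLAP and RS subkeys are only present when Analysis Services and Reporting Services are installed.

```powershell
# Added example, not from the FEP documentation: derive the SQL Server process paths the
# site server policy must exclude from the instance IDs registered by SQL Server Setup,
# instead of assuming the default MSSQLSERVER instance and the default install location.

function Get-SqlProcessExclusion {
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names'
    # Instance Names subkey -> service executable, relative to the instance directory
    # (the same three executables the exclusion table lists).
    $services = @{
        'SQL'  = 'MSSQL\Binn\SQLServr.exe'
        'OLAP' = 'OLAP\Bin\MSMDSrv.exe'
        'RS'   = 'Reporting Services\ReportServer\Bin\ReportingServicesService.exe'
    }
    # Default install root; a non-default root is what the documentation warns about.
    $sqlRoot = Join-Path $env:ProgramFiles 'Microsoft SQL Server'
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($svc in $services.Keys) {
        $key = Join-Path $root $svc
        if (-not (Test-Path $key)) { continue }   # component not installed on this server
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $instanceName = $prop.Name    # MSSQLSERVER for the default instance
            $instanceId   = $prop.Value   # e.g. MSSQL10.MSSQLSERVER (2008) or MSSQL.1 (2005)
            $exe = Join-Path (Join-Path $sqlRoot $instanceId) $services[$svc]
            New-Object PSObject -Property @{
                Service    = $svc
                Instance   = $instanceName
                IsDefault  = ($instanceName -eq 'MSSQLSERVER')
                Executable = $exe
                Exists     = (Test-Path $exe)
            }
        }
    }
}

$exclusions = Get-SqlProcessExclusion
$exclusions | Format-Table Service, Instance, IsDefault, Exists, Executable -AutoSize

# A path that does not exist means SQL Server was installed outside %ProgramFiles%
# (or under another instance directory); find the real path and update the policy.
$exclusions | Where-Object { -not $_.Exists } |
    ForEach-Object { Write-Warning ('Not found, locate manually: ' + $_.Executable) }
```

The Executable column is what goes into Excluded processes in the policy assigned to the site server; IsDefault = False or Exists = False is the signal that the customized settings installed by Setup no longer match the server and must be updated as described above.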

Moving from a Public RC Version to a Retail Version

There is no way to automatically upgrade from the Public RC version of Forefront Endpoint Protection to the retail version of Forefront Endpoint Protection (FEP). Therefore, in order to move from the Public RC version installed in a lab to the retail version in the same lab or a production environment, use the following guidance:

To manually migrate from the Public RC version of FEP to the retail version of FEP

1. Save the settings of your Public RC version of FEP (Optional). To do so, complete the following steps:
   • Export your custom FEP policies. For more information, see Exporting a Policy.
   • Manually record the following details:
     • FEP policy assignments
     • FEP policy precedence
     • FEP alert e-mail settings and custom notifications
     • FEP Desired Configuration Management configuration baseline assignments

2. Uninstall the Public RC version of FEP from your lab servers (optional if you are moving FEP to a production environment). For more information, see Uninstalling.

Note:
If you want to install the retail version with a new FEP reporting database, delete the FEPDW_XXX database on your SQL Server.

3. Install the retail version of FEP on your servers. For more information, see Server Installation.

Note:
If you are reusing the Public RC version of the FEP reporting database, you must install FEP using one of the following installation options:
   • Basic topology with remote reporting database
   • Advanced topology with FEP 2010 Reporting and Alerts

4. Restore the settings from your Public RC version of FEP (Optional). To do so, complete the following steps:
   • Import the custom FEP policies you previously exported. For more information, see Importing a Policy.
   • Assign FEP policies to collections. For more information, see Assigning a Policy to Endpoint Computers.
   • Set FEP policy precedence. For more information, see Setting Policy Precedence.
   • Configure FEP alert e-mail settings and create custom notifications. For more information, see Using Alerts to Monitor Malware Detections.
   • Assign Desired Configuration Management configuration baselines. For more information, see Using Desired Configuration Management to Monitor Client Compliance.

5. Upgrade the Public RC version of FEP on client computers. To do so, complete the following steps:
   a. Create a static collection based on the computers in the Out of Date FEP collection.
   b. Uninstall the Public RC version of FEP from client computers in the static collection you created. For more information, see Uninstalling.
   c. Deploy the retail version of FEP on client computers in the static collection you created. When you configure the deployment advertisement, it is recommended that you configure the deployment advertisement properties as follows:
      i. In the New Advertisement Wizard, on the Schedule page, next to Mandatory assignments, click the button to create a new assignment schedule, and configure the assignment schedule to rerun once an hour.
      ii. In the Program rerun behavior list, select Rerun if failed previous attempt.
      For more information, see Deploying by Using Configuration Manager Packages.

Important:
There can be a delay of up to an hour from the time a Public RC version of FEP is uninstalled from a client computer until the retail version is installed on it. During this time, these computers are unprotected.

Note:
After the installation package is advertised to a client computer, that computer will no longer be visible in the FEP Out of Date collection.

   d. Monitor the deployment using the Deployment Overview report, and click the links to view the static collection you created.

Uninstalling

There can be up to four Forefront Endpoint Protection entries in the Control Panel depending on the installation options selected during Setup. This topic provides the step-by-step procedures to uninstall each Forefront Endpoint Protection feature from a server.

The following table is a list of the Control Panel entries.

Control Panel entry                                      Description
Microsoft Forefront Endpoint Protection 2010             The Forefront Endpoint Protection client software
Microsoft Forefront Endpoint Protection 2010 Console     The Forefront Endpoint Protection console extensions for Configuration Manager
Microsoft Forefront Endpoint Protection 2010 Reporting   The Forefront Endpoint Protection reporting role
Microsoft Forefront Endpoint Protection 2010 Server      The Forefront Endpoint Protection site server extensions for Configuration Manager

To uninstall Forefront Endpoint Protection

1. In the Control Panel, select Programs and Features.
2. Select each Forefront Endpoint Protection entry, and then click Uninstall.

Note:
Uninstall does not delete the Forefront Endpoint Protection reporting database in case you want to install Forefront Endpoint Protection again and reuse the historical data. The following files are not deleted on the computer running SQL Server where the Forefront Endpoint Protection reporting database resides:

• FEPDW_XXX.mdf
• FEPDW_XXX_log.ldf

If you want to delete these database files, delete the FEPDW_XXX database using the SQL Server management console.

Known Issues

The following table is a list of known uninstall issues and their resolutions.

Issue: Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites.
Cause: The uninstall removes elements that are used by the child sites, such as policies and configuration baselines. This prevents dashboard, reporting, and alerts data from flowing up to the child sites.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the Control Panel on all of the child sites.

Issue: Uninstalling the Forefront Endpoint Protection site server extensions on the Configuration Manager site server while the Forefront Endpoint Protection reporting role is installed disrupts the Forefront Endpoint Protection reporting role.
Cause: The uninstall removes the FEP Collections node, including the collections nodes used by the reporting role.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the Control Panel.

FEP 2010 Security Management Pack

Installing the Forefront Endpoint Protection Security Management Pack consists of downloading the management pack, verifying the prerequisites, importing the management pack, configuring all of the necessary discovery settings, and verifying that the agents are properly deployed.

The steps required to install the Forefront Endpoint Protection Security Management Pack are described in this section.

Overview of Installing the Forefront Endpoint Protection Security Management Pack

Install the Forefront Endpoint Protection Security Management Pack by completing the following steps in order:

1. Download and extract the Forefront Endpoint Protection Security Management Pack from the Microsoft System Center Management Pack Catalog (http://go.microsoft.com/fwlink/?LinkID=207667). For more information about the management pack files, see Extracting the FEP 2010 Security Management Pack Files.
2. Verify that your environment meets the prerequisites. For more information, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack.
3. Import the Forefront Endpoint Protection Security Management Pack. For more information about importing the management pack, see Importing the FEP 2010 Security Management Pack.
4. Verify that agents have been correctly deployed to client computers. For more information about agents, see About Agents.
5. Configure discovery settings. For more information about discovery, see Configuring Client Discovery.

About Agents

The FEP 2010 Security Management Pack supports agent-managed monitoring. Agent-managed computers have an Operations Manager service installed. This service, which appears as HealthService in the Services list in Computer Management, is the Operations Manager agent. Monitoring computers via agents allows access to all Operations Manager options and functionality; therefore, the vast majority of monitoring is performed this way. In order to monitor FEP 2010 clients, each client must have the Operations Manager agent installed in addition to the FEP 2010 client.

For information about deploying FEP 2010 clients, see Client Deployment.

Deploying Agents

The first step in monitoring your environment is to deploy agents. You can use any of the following ways to deploy Operations Manager agents:

• The Discovery Wizard (through the Operations console)
• The Agent Setup Wizard
• The MOMAgent.msi program, from the command line
• Active Directory, to assign agents to a management group

For more information about working with Operations Manager agents, see Working with Agents (http://go.microsoft.com/fwlink/?LinkId=204242).

For more information about deploying agents, see Deploying Windows Agents (http://go.microsoft.com/fwlink/?LinkId=204243).

Extracting the FEP 2010 Security Management Pack Files

In order to import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You can obtain the management pack files from the Microsoft System Center Management Pack Catalog (http://go.microsoft.com/fwlink/?LinkID=207667). You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them.

To Extract Management Pack Files

1. Double-click fep2010 security mp.msi.

Note:
No management pack files are installed or imported to Operations Manager during this procedure. The wizard is used to extract files only.

2. Read and accept the license agreement, and then click Next.
3. On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.
4. On the Confirm Installation page, click Install to extract the package to the specified location. On the Installation Complete page, click Close.
5. Navigate to the file location specified earlier and verify that the following files are present:
   • Microsoft.FEPS.Application.mp
   • Microsoft.FEPS.Library.mp
   • Microsoft.FEPS.Reports.mp

Importing the FEP 2010 Security Management Pack

In order to manage clients by using the Forefront Endpoint Protection 2010 Security Management Pack, you must first import the management pack files into System Center Operations Manager 2007 R2. Before importing the FEP 2010 Security Management Pack, verify that the prerequisites have been met. For more information about required prerequisites, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack.

Warning:
In order to import the Forefront Endpoint Protection Security Management Pack, you must use an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

Tip:
Enabling detailed logs can be helpful when troubleshooting issues. In order to enable detailed logs, you must add the following registry key and value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FEPS\Log]
"Enabled"=dword:00000001

To import Forefront Endpoint Protection 2010 Management Packs

1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.
2. In the Operations console, click Administration.

Note:
If you run the Operations console on a computer that is not a Management Server, the Connect to Server dialog box will display. In the Server name text box, type the name of the Operations Manager 2007 Management Server to which you want to connect.

3. Right-click the Management Packs node, and then click Import Management Pack(s).
4. In the Import Management Packs dialog box, click Add, and then click Add from disk.
5. On the Online Catalog Connection dialog box, select No.

Note:
If an error message appears that states System Center Operations Manager cannot connect to the online catalog, ignore the error and proceed with the next step.

6. In the Select Management Packs to import dialog box, change to the directory to which you have downloaded the Microsoft.FEPS.Library.mp, Microsoft.FEPS.Reports.mp (optional), and Microsoft.FEPS.Application.mp files. Select the files, and then click Open.

Note:
The Microsoft.FEPS.Reports.mp is required only if you want to use the Reporting feature.

7. In the Import Management Packs dialog box, verify that Microsoft.FEPS.Library.mp, Microsoft.FEPS.Reports.mp (optional), and Microsoft.FEPS.Application.mp are present in the list, and then click Import to begin the import process.

The Import Management Packs page displays and shows the progress for each management pack. Each management pack is downloaded to a temporary directory, imported to the Operations Manager, and then deleted from the temporary directory. If there is a problem at any stage of the import process, select the management pack in the list to view the status details.

Note:
In order to edit the list of Management Packs that you want to import, in the Import Management Packs dialog box, click Add or Remove. After editing the list, click Import to begin the import process.

8. In the dialog box that displays when the import process completes, verify that the icons next to Forefront Endpoint Protection 2010 Management Pack and FEPS Reporting show success, and then click Close.
9. Navigate to the Operations console. In the Operations console, click Monitoring. You can now view the Forefront Endpoint Protection node.

For more information about importing Operations Manager management packs, see How to Import a Management Pack in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkID=98348).

Configuring Client Discovery

In order to monitor and manage clients, they must first be identified. The discovery process in Operations Manager is the process by which clients are identified. When a discovery is performed, an LDAP query is generated and sent to the nearest Active Directory Domain Services domain controller. Once the query is processed, a list of systems that match the specified parameters is returned.

Important:
By default, the FEP Security Management Pack is configured to discover endpoints that are running server operating systems. If you want to monitor endpoints that are running client operating systems, you must perform the following procedure.

To configure Discovery for endpoints running client operating systems

1. In the Operations Manager console, navigate to the Authoring view. In the Authoring tree, expand Management Pack Objects, and then click Object Discoveries.
2. On the Operations Manager toolbar, click Scope. In the Look for: search box, enter Protected Client Candidate Discovery, and then click Find Now.
3. In the results pane, right-click Protected Client Candidate Discovery, and then click Overrides, Override the Object Discovery, For all objects of class: Windows Client.
4. In the Override Properties dialog box, in the Override-controlled parameters table, set the following values:
   • In the Enabled parameter row, in the Override column, select the check box.
   • In the Enabled parameter row, in the Override Value column, select True from the drop-down list box.
5. Click OK to close the dialog box.

For more information about object discovery, see Object Discoveries in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108505).

For more information about FEP Security Management Pack discovery, see About Discovery.

Creating a New Management Pack for Customizations

Most vendor management packs are sealed so that you cannot change any of the original settings in the management pack file. However, you can create customizations, such as overrides or new monitoring objects, and save them to a different management pack. By default, Operations Manager 2007 saves all customizations to the Default Management Pack. As a best practice, you should instead create a separate management pack for each sealed management pack you want to customize.

Creating a new management pack for storing overrides has the following advantages:

• It simplifies the process of exporting customizations that were created in your test and pre-production environments to your production environment. For example, instead of exporting the Default Management Pack that contains customizations from multiple management packs, you can export just the management pack that contains customizations of a single management pack.
• You can delete the original management pack without first needing to delete the Default Management Pack. A management pack that contains customizations is dependent on the original management pack. This dependency requires you to delete the management pack with customizations before you can delete the original management pack. If all of your customizations are saved to the Default Management Pack, you must delete the Default Management Pack before you can delete an original management pack.
• It is easier to track and update customizations to individual management packs.

For more information about sealed and unsealed management packs, see Management Pack Formats (http://go.microsoft.com/fwlink/?LinkId=108355). For more information about management pack customizations and the Default Management Pack, see About Management Packs in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108356).

10. Client Deployment

Deployment of Microsoft Forefront Endpoint Protection 2010 to client computers consists of verifying prerequisites, uninstalling third-party antimalware products that cannot be uninstalled by Forefront Endpoint Protection, creating and deploying Forefront Endpoint Protection policies, configuring Forefront Endpoint Protection definition updates, deploying the Forefront Endpoint Protection client software, and verifying that the deployment succeeded.

Forefront Endpoint Protection for clients is available as a Configuration Manager package. The steps required to deploy Forefront Endpoint Protection to client computers are described in this section.

Overview of Deploying Forefront Endpoint Protection

Deploy Forefront Endpoint Protection to clients by completing the following steps, in order:

• Step One—Create Forefront Endpoint Protection policies according to your organization’s requirements, set policy precedence, and assign policies to one or more deployment collections. For more information, see Configuring Client Settings by Using Policies.
• Step Two—Configure Forefront Endpoint Protection definition update methods based on the settings defined in the Forefront Endpoint Protection policies created in step one. For more information, see Configuring Definition Updates.
• Step Three—Deploy the Forefront Endpoint Protection installation package to client computers. For more information, see FEP 2010.

FEP 2010

Once you have finished configuring and deploying policies, you are ready to deploy Forefront Endpoint Protection to client computers. You can deploy in two ways:

• By distributing the client installation packages using Configuration Manager. For instructions, see Deploying by Using Configuration Manager Packages.
• By manually running the installation wizard on the client computer. For instructions, see Deploying Manually and Deploying the Client Software by Using the Command Prompt.

Regardless of the method you use to run the installation program, the program checks for and uninstalls the following antimalware clients:

• Symantec Endpoint Protection version 11
• Symantec Corporate Edition version 10
• McAfee VirusScan Enterprise version 8.5 and version 8.7
• Trend Micro OfficeScan version 8.0 and version 10.0
• Forefront Client Security version 1 including the Operations Manager agent

If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation program will not be able to uninstall the existing antimalware client. See the documentation for the previously installed antimalware client for information about tamper protection or other settings you may need to configure before you can successfully uninstall the software.

In addition, if you use a mechanism to automatically distribute and install antimalware to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use WSUS to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

Note:

• The FEP client software is automatically installed to the following folder: %programfiles%\Microsoft Security Client
  You cannot change the destination folder. Using the %programfiles% path prevents users who are not members of the local Administrators group on the computer from tampering with the installation of the FEP client software.
• The path to where the Setup files are located should only contain ASCII characters.
• In some cases, after you restore a computer image on which you installed the FEP client software, the computer is displayed in Configuration Manager in the Locally Removed collection. To resolve this problem, uninstall and reinstall the FEP client software on this computer.
• On servers with a large number of short network connections, such as file servers, there may be a performance impact when the Behavior Monitoring policy setting is enabled. It is recommended that you disable the Behavior Monitoring policy setting in the Default Server Policy or any policy you plan to assign to servers.

To disable the Behavior Monitoring policy setting

1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Forefront Endpoint Protection, and then click Policies.
2. Double-click the Default Server Policy or another policy that is assigned to servers.
3. In the policy properties dialog box, click the Antimalware tab.
4. In the list, click Real-time protection, in the details clear the check box for Use behavior monitoring, and then click OK to save the policy.

Deploying by Using Configuration Manager Packages

Forefront Endpoint Protection includes a Configuration Manager package that contains the Forefront

Endpoint Protection client installation program. To deploy the package, you use the Configuration

Manager software distribution feature to send the package data to one or more distribution points,

and then create advertisements that specify which collections will receive the program and the

package.

Advertising the program makes a program available to a specified collection of clients. When you

create advertisements, it is strongly recommended that you test advertised programs in a controlled

environment before you create advertisements for the clients in your site hierarchy.

There are multiple ways to distribute the Forefront Endpoint Protection client software to client

computers using the Configuration Manager tools. This topic provides the steps for one of the

deployment methods. For information about other distribution methods, see Software Distribution

in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=196839).

Important:

The Forefront Endpoint Protection server installation does not automatically add the FEP – Deployment package to a Configuration Manager distribution point. Before the Forefront Endpoint Protection client software can be installed, the package must be sent to a distribution point. For more information, see How to Manage Distribution Points (http://go.microsoft.com/fwlink/?LinkId=205328).

To deploy Forefront Endpoint Protection 2010 client software

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and then click Collections.

2. Right-click the collection to which you want to deploy the FEP client software, for

example, All Systems, point to Distribute, and then click Software.

The Distribute Software to Collection Wizard opens.

3. On the Welcome page, click Next.

4. On the Package page, click Select an existing package, click Browse, click the Microsoft

Corporation FEP – Deployment 1.0 package, click OK, and then click Next.

5. On the Distribution Points page, select the distribution points for the package, and then click

Next.

Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint

Protection client installation package in order for the installation program to run on client

computers. For more information, see About Distribution Points

(http://go.microsoft.com/fwlink/?LinkId=196840).

6. On the Select Program page, select the Install program, and then click Next.

7. On the Advertisement Name page, enter a name that is less than 100 characters, and then

click Next.

8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make

your selections, and then click Next.

9. On the Assign Program page, select Yes, assign the program, and then click Next.

10. On the Summary page, review the Details, and then click Next.

11. On the Wizard Completed page, click Close.

12. If necessary, modify the advertisement configuration to suit your environment. For more

information, see How to Modify an Advertisement

(http://go.microsoft.com/fwlink/?LinkId=196841).

Important:

If you delete the advertisement or move a computer out of the collection targeted by the advertisement, the following Forefront Endpoint Protection dashboard deployment status categories can be affected:

• Removed—Once the advertisement has completed, if the client software is

uninstalled manually, the computer will show up in the Not Targeted category

and not in the expected Removed category. For more information about

manually uninstalling the client software, see Uninstalling manually.

• Failed—If the advertisement fails to install the client software, the computer will

show up in the Not Targeted category and not in the expected Failed category.

For more information about Forefront Endpoint Protection dashboard deployment status

categories, see Dashboard Overview.

Next Steps

Once you’ve deployed the Forefront Endpoint Protection client software, you should validate the

deployment. For more information, see Validating Deployment.

Deploying Manually

In addition to deploying the Forefront Endpoint Protection client software by using Configuration

Manager, you can also run the installation program manually as described in this topic. For example,

you might want to perform a manual installation for test purposes in a lab environment, or to install

the Forefront Endpoint Protection client software to computers that do not have the Configuration

Manager agent installed.

Ensure that the installation package is accessible from the computer on which you want to install the

Forefront Endpoint Protection client software. For example, download the package to your local hard

drive or a network share.

To manually install the FEP client software by using the Setup wizard

1. Using an account that has local administrator user rights, log on to the computer on which

you want to install Forefront Endpoint Protection.

2. Browse to the location where you stored the installation package: for example, C:\Temp

folder.

3. Double-click FEPInstall.exe and follow the instructions in the wizard.

4. On the Completing the Microsoft Forefront Endpoint Protection 2010 Installation Wizard

page, select Scan my computer for potential threats after getting the latest updates to run

a scan after downloading definition updates, and then click Finish.

If you chose to download updates and then scan the computer, the Forefront Endpoint Protection

Client launches. For more information about using the Forefront Endpoint Protection client, see the

FEP Client Help (http://go.microsoft.com/fwlink/?LinkId=206364).

Next Steps


If the computer on which you installed Forefront Endpoint Protection is managed by Configuration

Manager, then Configuration Manager will deploy the policies assigned.

Once you’ve deployed the Forefront Endpoint Protection client, you should validate the deployment.

For more information, see Validating Deployment.

Deploying the Client Software by Using the Command Prompt

You can install the Forefront Endpoint Protection 2010 client software locally from the command

prompt. In order to do so, you must first obtain the installation file FEPInstall.exe. You can also install

the client software along with a preconfigured policy. For more information about preconfigured

policies, see About Preconfigured Policy Templates.

To install the client software from the command prompt

1. Copy FEPInstall.exe to the server on which you want to install the Forefront Endpoint

Protection client software.

2. Open an elevated command prompt, navigate to the folder where FEPInstall.exe is located,

and then run the following command, adding any additional switches as necessary:

FEPInstall.exe

Note:

For the list of FEPInstall.exe switches, see Setup Switches.

3. Follow the on-screen instructions in order to complete the client software installation and to

download the antimalware definition updates.

To install the client software along with preconfigured policy settings from the command

prompt

1. Copy FEPInstall.exe and the appropriate preconfigured policy package to the server on which

you want to install the Forefront Endpoint Protection client software. For information about

selecting the proper preconfigured policy templates, see About Preconfigured Policy

Templates.

2. Double-click the preconfigured policy package in order to extract the preconfigured policy

file templates.

3. Open an elevated command prompt, navigate to the folder where the package is extracted,

and then run the following command:

FEPInstall.exe /policy [full path]\[policy file]

Note:

You must specify the full path for the policy location.

For example, in order to install both the client software and the policy called FEP_SQL2008.xml, run

the following command:

FEPInstall.exe /policy c:\fepspolicy\FEP_SQL2008.xml

4. Follow the on-screen instructions in order to complete the client software installation and to

download the antimalware definition updates.

Setup Switches

The following table shows the available switches for installing the Forefront Endpoint Protection

2010 client software locally.

Switch Description

/s Specifies that a silent Setup should be performed.

/q Specifies that a silent extraction of the Setup files should be performed.

/i Specifies that a normal installation should be performed.

/noreplace Specifies that third-party software uninstallation is not performed during Setup.

/policy Specifies a policy file to be used to configure the client software during installation.

/sqmoptin Specifies that this client software installation is opted in to the Microsoft Customer Experience Improvement Program.
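The command-prompt procedure above, wrapped in a PowerShell function as an added example; this is not code from the FEP documentation or product. The function and parameter names are assumptions; the switches are the ones in the Setup Switches table, and the function enforces the documented requirement that /policy receives a full path.

```powershell
# Added example (not from the FEP documentation or product): silent install of the
# FEP client with an optional preconfigured policy. Function/parameter names are
# assumptions; the switches come from the Setup Switches table.
function Install-FepClient {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string] $InstallerPath,        # location of FEPInstall.exe (local copy or a share)
        [string] $PolicyFile,           # optional preconfigured or exported policy XML
        [switch] $KeepThirdPartyAv,     # adds /noreplace: do not uninstall other AV products
        [switch] $OptInToCeip           # adds /sqmoptin: opt this install in to CEIP
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "FEPInstall.exe not found at $InstallerPath"
    }

    $arguments = @('/s')   # silent Setup

    if ($PolicyFile) {
        # Fail before running Setup if the policy file is missing; otherwise a
        # typo would leave a client installed without the intended policy.
        if (-not (Test-Path -LiteralPath $PolicyFile -PathType Leaf)) {
            throw "Policy file not found: $PolicyFile"
        }
        # /policy requires the full path, so resolve whatever the caller passed.
        $fullPolicyPath = (Resolve-Path -LiteralPath $PolicyFile).ProviderPath
        # Quote it so a space in a folder name cannot split the argument.
        $arguments += '/policy'
        $arguments += ('"{0}"' -f $fullPolicyPath)
    }
    if ($KeepThirdPartyAv) { $arguments += '/noreplace' }
    if ($OptInToCeip)      { $arguments += '/sqmoptin' }

    $commandLine = "FEPInstall.exe $($arguments -join ' ')"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $commandLine)) {
        # The installer's exit codes are not listed in this guide: return the
        # code and consult EppSetup.log in the Support folder when it is non-zero.
        $proc = Start-Process -FilePath $InstallerPath -ArgumentList $arguments `
                              -Wait -PassThru -NoNewWindow
        return $proc.ExitCode
    }
}

# Usage from an elevated prompt (paths are placeholders); -WhatIf previews the command.
# Install-FepClient -InstallerPath 'C:\Temp\FEPInstall.exe' -PolicyFile 'C:\Temp\FEP_SQL2008.xml' -WhatIf
# Install-FepClient -InstallerPath 'C:\Temp\FEPInstall.exe' -PolicyFile 'C:\Temp\FEP_SQL2008.xml'
```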

Validating Deployment

You are able to see the status of the Forefront Endpoint Protection client software deployment from

the Forefront Endpoint Protection dashboard in the Configuration Manager console. A report can be

generated that shows the deployment status by collection. From this report, you have the ability to

drill down to the deployment status of a specific collection, and then to a specific computer.

Additionally, you can view the status of the advertisement in Configuration Manager.

Monitoring the client software deployment from the Forefront Endpoint Protection

dashboard

1. Open the Configuration Manager console, expand Computer Management, and select the

Forefront Endpoint Protection node.

2. The following information is available in the Client Deployment Status section:


a. Removed—The number of computers on which the FEP client software was

previously deployed and has since been manually removed.

b. Failed—The number of computers on which the FEP client software deployment

failed.

c. Pending—The number of computers on which the FEP client software deployment

has not yet started. Computers that are not connected show as pending until the

Configuration Manager advertisement is received.

d. Out of date—The number of computers running a previous version of the FEP client

software.

e. Deployed—The number of computers where the FEP client software was successfully

installed.

Clicking the numbers next to each item brings you to the associated Forefront Endpoint Protection

collection.

Monitoring the client software deployment with Forefront Endpoint Protection reporting

1. Open the Configuration Manager console, expand Computer Management, and select the

Forefront Endpoint Protection node.

2. In the Links and Resources pane, under Web Reports, click Deployment Overview to

generate the Deployment Overview report.

• The Deployment Overview report breaks down the status of the client software

deployment by collection.

• To drill down to the Deployment for a specific collection report, click the arrow next

to the collection.

Validating the client software deployment

• To validate that the Forefront Endpoint Protection client software successfully installed on a

computer, click Start, click Control Panel, click Programs, click Programs and Features, and

then verify that Microsoft Forefront Endpoint Protection 2010 is listed.

The following table lists the installation log files. By default, log files are written to the following locations:

• Windows 7, Windows Server 2008, and Windows Server 2008 R2 - %ProgramData%\Microsoft\Microsoft Security Client\Support

• Windows XP, Windows Vista, and Windows Server 2003 - %allusersprofile%\Microsoft\Microsoft Security Client\Support

Log file name Description

EppSetup.log Master setup log file.

MSSecurityClient_Setup_epp_install.log User interface and management extension setup log file.

MSSecurityClient_Setup_FEP_install.log Configuration Manager management extensions setup log file.

MSSecurityClient_Setup_mp_ambits_install.log Antimalware service setup log file.

MSSecurityClient_Setup_epploc_x86_Install or MSSecurityClient_Setup_epploc_x64_Install Localized resources installation log file (specific to the architecture on the client computer).

MSSecurityClient_Setup_amloc-%locale%_install Log file for installation of localized resources for the antimalware service. %locale% represents the locale for which the install was performed.

MSSecurityClient_Setup_KB981889_Install.evtx The log file for Windows patch installation KB981889. Only present on Windows 7 or Windows Server 2008 R2.

MSSecurityClient_Setup_dw20shared_Install.log Log file for installation of Dr. Watson (only installed on computers running Windows XP, and only if not already present).
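The two checks from Validating Deployment, as an added PowerShell example that is not part of the FEP documentation or product: it confirms that Microsoft Forefront Endpoint Protection 2010 is registered in the Uninstall keys that Programs and Features is built from, and that the setup logs exist in the Support folder listed above. The function name and the Healthy rule are assumptions.

```powershell
# Added example (not from the FEP documentation or product). Function name and
# the "Healthy" rule are assumptions; the product name and log file names come
# from the Validating Deployment section.
function Test-FepClientInstall {
    [CmdletBinding()]
    param()

    # Programs and Features reads its entries from these keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Forefront Endpoint Protection 2010*' } |
        Select-Object -First 1

    # Support folder: %ProgramData% on Windows 7 / Server 2008 / 2008 R2,
    # %allusersprofile% on XP / Vista / Server 2003. %ProgramData% is not defined
    # on XP and Server 2003, so fall back when it is absent.
    $base = if ($env:ProgramData) { $env:ProgramData } else { $env:ALLUSERSPROFILE }
    $supportDir = Join-Path $base 'Microsoft\Microsoft Security Client\Support'

    # Logs the table lists without an OS or locale qualifier.
    $expectedLogs = @(
        'EppSetup.log',
        'MSSecurityClient_Setup_epp_install.log',
        'MSSecurityClient_Setup_FEP_install.log',
        'MSSecurityClient_Setup_mp_ambits_install.log'
    )
    $missingLogs = @($expectedLogs | Where-Object { -not (Test-Path (Join-Path $supportDir $_)) })

    $displayVersion = $null
    if ($product) { $displayVersion = $product.DisplayVersion }

    # Healthy = product registered and the master setup log present. A registered
    # product with missing logs is a prompt to read the remaining logs, not a failure.
    $healthy = ([bool] $product) -and (Test-Path (Join-Path $supportDir 'EppSetup.log'))

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        Installed      = [bool] $product
        DisplayVersion = $displayVersion
        SupportFolder  = $supportDir
        MissingLogs    = $missingLogs
        Healthy        = $healthy
    }
}

# Test-FepClientInstall | Format-List
```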

Uninstalling

There are two ways to uninstall Forefront Endpoint Protection from client computers:

• By distributing the client uninstall package using Configuration Manager.

• By manually running the uninstall wizard on the client computer using a user account that

has local administrative credentials.


Important:

Uninstalling Forefront Endpoint Protection does not change the firewall settings on the client

computer.

Uninstalling using Configuration Manager packages

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and then click Collections.

2. Right-click the collection from which you want to uninstall the Forefront Endpoint Protection

client software, for example, All Systems, point to Distribute, and then click Software.

The Distribute Software to Collection Wizard opens.

3. On the Welcome page, click Next.

4. On the Package page, click Select an existing package, click Browse, click the Microsoft

Corporation FEP – Deployment 1.0 package, click OK, and then click Next.

5. On the Distribution Points page, select the distribution points for the package, and then click

Next.

Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint

Protection client uninstall package in order for the uninstall program to run on client computers. For

more information, see About Distribution Points (http://go.microsoft.com/fwlink/?LinkId=196840).

6. On the Select Program page, select the Uninstall program, and then click Next.

7. On the Advertisement Name page, enter a name that is less than 100 characters, and then

click Next.

8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make

your selections, and then click Next.

9. On the Assign Program page, select Yes, assign the program, and then click Next.

10. On the Summary page, review the Details, and then click Next.

11. On the Wizard Completed page, click Close.

12. If necessary, modify the advertisement configuration to suit your environment. For more

information, see How to Modify an Advertisement

(http://go.microsoft.com/fwlink/?LinkId=196841).

Uninstalling manually

1. In Control Panel, start Programs and Features.


2. Select Microsoft Forefront Endpoint Protection 2010, and then click Uninstall.

3. On the Microsoft Forefront Endpoint Protection 2010 Uninstall Wizard that appears, click

Uninstall.

4. When the wizard completes uninstall, click Finish.

Enforcing the Client Software Deployment

If the users of the computers to which you deployed FEP have administrative privileges on those

computers, they will be able to uninstall the FEP client software. If this happens, those client

computers would be unprotected from malware and other unwanted software.

Security Note:

It is recommended that you restrict to whom you grant administrative privileges on the client

computers in your organization. Additionally, you should investigate how the FEP client software

was uninstalled on the client computers.

In order to mitigate this circumstance, you can configure Configuration Manager to rerun an

advertisement of FEP on a specific collection. By configuring the advertisement to always rerun, you

can reduce the amount of time computers in your environment may run without protection.

To complete the mitigation, you must perform the following tasks:

• Create a FEP deployment package to reinstall the FEP client software on the members of the

target collection.

• Configure the advertisement of the reinstall package to rerun.

• Assign the reinstall package to one or more collections. For more information about

deploying the FEP client software by using packages, see Deploying by Using Configuration

Manager Packages.

Warning:

There are multiple ways to mitigate this scenario. The Locally Removed collection contains all computers from which the client software was locally uninstalled, including servers and high-priority client computers. You should determine if you need to rerun the advertisement on all collection members or if you need to target your rerun advertisement only on specific computers.

Deploying the FEP Client Software to a FEP Collection

One of the preconfigured collections created by the Forefront Endpoint Protection installation on Configuration Manager is the FEP Collections\Deployment Status\Locally Removed collection. Computers listed in this collection previously had the FEP client software installed, but it was locally uninstalled.

Note:

If you remove the FEP client software by using an advertisement of the FEP Deployment Uninstall

package, the client computers that receive the advertisement do not appear in the Locally

Removed collection.

You can create a new collection containing the members of the Locally Removed collection, and then

target the members of the new collection with software distribution and an advertisement.

To create a reinstall advertisement

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Collections, expand FEP

Collections, and then expand Deployment Status.

2. In the tree, click Locally Removed.

3. In the details area, select the computers on which you want to reinstall the FEP client

software, right-click a selected computer, point to Distribute, and then click Software. The

Distribute Software to Resource Wizard opens.

4. In the Distribute Software to Resource Wizard, on the Welcome page, click Next.

5. On the Package page, click Select an existing package, click Browse, click the Microsoft

Corporation FEP – Deployment 1.0 package, click OK, and then in the wizard, click Next.

6. On the Distribution Points page, in the Distribution points list, select the check box next to

the distribution points to which you want to copy the package, and then click Next.

7. On the Select Program page, in the Programs list, select the Install program, and then click

Next.

8. On the Advertisement Target page, select the option for Create a new collection containing

this resource and advertise this program to the new collection, and then click Next.

9. On the New Collection page, type a name for the collection, and then click Next.

10. On the Collection Membership Rules page, in the membership rules list, ensure all the

required computers are listed, and then click Next.

11. On the Advertisement Name page, type a name for the advertisement, and then click Next.


Note:

Advertisement names are limited to 100 characters.

12. On the Advertisement Subcollection page, select the Advertise the program to members of

the collection and its subcollections option, and then click Next.

13. On the Advertisement Schedule page, next to Advertise the program after, set the time to

the current time, select the No, this advertisement never expires option, and then click

Next.

14. On the Assign Program page, select the Yes, assign the program option, select the Ignore

maintenance windows when running program check box, and then click Next.

15. On the Summary page, review the Details, click Next, and then on the Wizard Completed

page, click Close.

You should monitor the deployment status for the client computers in the new collection. After the

advertisement has been assigned to the computers, in this new collection, the computers are moved

into the Pending Deployment FEP collection. This is the same process that happens after you deploy

the FEP client software initially. For more information about that process, see Validating

Deployment.

11. Operations

This Operations content helps you configure and use Microsoft Forefront Endpoint Protection 2010 and the FEP Security Management Pack. The content included for this version of FEP includes the following main topics:

• Configuring Client Settings by Using Policies

• Common Tasks

• Configuring Definition Updates

• Monitoring

• Using Reports in FEP

• Disaster Recovery for FEP 2010 on Configuration Manager

• Automating Day-to-Day Tasks by Using Windows PowerShell

Configuring Client Settings by Using Policies

Forefront Endpoint Protection provides a number of ways to create, edit, and deploy configuration settings to FEP clients. For information regarding decision points to help you determine which policy authoring and deployment methods are best for your environment, see About Configuring Clients by Using Policies.

This section includes the following main topics:

• FEP Policies

• Using Group Policy with FEP

• FEP Policy Templates

FEP Policies


Forefront Endpoint Protection policies are assigned to computers running the FEP client software.

The following content will help you work with Forefront Endpoint Protection policies.

Creating a Policy

Forefront Endpoint Protection policy settings define the various configuration options of the

Forefront Endpoint Protection client software that you can manage. For example, administrators can

manage the scan schedule, the location and frequency of definition updates, and scan exclusions.

Forefront Endpoint Protection policy settings that you specify are contained in a Forefront Endpoint

Protection policy object. Policies do not affect computers running the Forefront Endpoint Protection

client software until you assign them to a Configuration Manager collection.

This section describes how to create a new Forefront Endpoint Protection policy.

To create a new policy

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. In the Actions pane, click New Policy. The New Policy Wizard opens.

3. On the General page, type a name for the policy, and then click Next.

4. On the Policy Type page, select the type of policy appropriate for your organization, and

then click Next.

Tip:

To select a policy template for specific server roles, select Policy template, and then select the

appropriate server role.

Note:

When selecting Policy template you are taken directly to the Summary page.

5. On the Scheduled Scans page, select the scan frequency and set a schedule for the

antimalware scans. For example, you could choose a Weekly quick scan every Sunday at

2:00 AM, and then click Next.

6. On the Exclusions page, add files or folders you want to exclude from scans, and then click

Next.

7. On the Updates page, select the definition update options you want to use in your organization,

and then click Next.

Important:

Before deploying the policy to collections, ensure that the definition update methods selected

have been configured properly. For more information, see Configuring Definition Updates.

Important:

The order in which the FEP client software checks for definition updates can be modified after the

policy has been created. For more information about editing a policy, see Editing a Policy.

8. On the Client Configuration page, select the options that you want to allow users to modify,

and then click Next.

9. On the Summary page, review the Details, and then click Next to create the policy.

10. On the Wizard Completed page, click Close.

11. Repeat these steps for each policy you want to create.

Important:

New policies are assigned the highest precedence. For more information about changing policy

precedence, see Setting Policy Precedence.

Duplicating a Policy

If you need a new policy that is very similar to an existing Forefront Endpoint Protection policy, you

can duplicate the existing Forefront Endpoint Protection policy and edit the duplicated Forefront

Endpoint Protection policy as required, instead of creating the policy from scratch.

To duplicate a policy


1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. Select the policy you want to duplicate.

3. In the Actions pane, click Copy Policy.

4. Type the name for the new policy in the New policy name field, and then click OK.

Important:

The new policy is assigned the highest precedence. For more information about changing policy

precedence, see Setting Policy Precedence.

Editing a Policy

Forefront Endpoint Protection policies contain settings that control the configuration options of the

Forefront Endpoint Protection client software. You can customize the settings of the Forefront

Endpoint Protection policy to meet your requirements.

To edit an existing policy

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. Double-click the policy that you want to edit.

3. In the Properties dialog box, change the options as appropriate for your organization, and

then click OK.

The following table summarizes the settings available on each page of the policy properties.

Property page Settings

General

• Policy name

• Description

• Assigned collections (read-only)

• Properties (read-only)

Antimalware

• Scheduled scan

• Default actions

• Real-time protection

• Excluded files and locations

• Excluded file types

• Excluded processes

• Advanced

• Overrides

• Microsoft SpyNet

Updates

• Definition update interval

• Definition update location

• Definition update order

Windows Firewall

• Manage Windows Firewall

• Firewall profile configuration

Warning:

It is recommended to clear the Enable protection against network-based exploits check box for

policies assigned to servers. This option is on the Antimalware tab under Real-time protection.

Important:

The following items can be added to the list of Excluded files and locations; however, the Forefront Endpoint Protection client software will ignore these entries:

• \\

• \

• *

• *.*

• ?:

• *\

• \\\\

• \\?\

Exporting a Policy

You can save the settings of a Forefront Endpoint Protection policy by exporting the policy. Exporting

the policy saves the settings of the policy in an XML file. You export policies for the following reasons:

• To back up policies

• To transfer policies from one Configuration Manager site to another

• To apply or update policies on computers that are not managed by Configuration Manager

Exporting a policy

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. Select the policy to be exported.

3. In the Actions pane, click Export Policy.

4. Browse to the folder in which you want to save the policy file, enter a name for the XML file,

click OK, and then click OK on the confirmation dialog box.

Note:

If you select multiple policies to be exported, you will only be prompted to select a folder in which to save

the policies. The policies will be exported using their existing names.

Note:

The Default Server Policy and Default Desktop Policy cannot be exported.


Importing a Policy

You can import policy files that have been previously exported. You can import policies for the

following reasons:

• To restore policies

• To transfer policies from one Configuration Manager site to another

Importing a Policy

1. In the destination Configuration Manager console, expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand Forefront

Endpoint Protection, and then click Policies.

2. In the Actions pane, click Import Policy.

3. Browse to the folder that contains the policy file, select the XML file, and then click Open.

Warning:

Policies must have unique names. If you already have a policy with the same name as the policy you

are importing, the import will fail.

Important:

Importing policy files created with the Forefront Endpoint Protection 2010 Group Policy Tool will

fail.

Important:

Imported policies are assigned the highest policy precedence. For more information about

changing policy precedence, see Setting Policy Precedence.

Setting Policy Precedence

You can assign multiple policies to a Configuration Manager collection, and a single computer can be

a member of multiple collections that have a policy assigned. The Forefront Endpoint Protection

client software uses policy precedence to determine which policy to apply. The policy with the

highest precedence assigned to the computer is applied by the Forefront Endpoint Protection client

software.


To set the precedence of policies

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. In the Actions pane, click Edit Policy Precedence.

3. In the Edit Policy Precedence dialog box, select a policy and use the Up and Down buttons to

set the policy precedence order.

If you want to modify the precedence of additional policies, repeat this step.

4. When finished, click OK.

Note:

The precedence for the Default Server Policy and Default Desktop Policy cannot be modified.

Assigning a Policy to Endpoint Computers

To assign Forefront Endpoint Protection policies to FEP clients, you assign the FEP policy to a

Configuration Manager collection. A policy can be assigned to more than one collection if needed

and a collection can have more than one policy assigned to it.

When a Forefront Endpoint Protection client has more than one policy assigned to it, the policy with

the highest precedence is applied by the Forefront Endpoint Protection client.
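The precedence rule above, modelled as an added PowerShell example that is not part of the FEP documentation or product: for each computer it lists the policies assigned to collections the computer belongs to, picks the one with the highest precedence, and reports the outranked ones so an administrator can see when a newly created (and therefore highest-precedence) policy is overriding a stricter one. All policy, collection and computer names are constructed sample data.

```powershell
# Added example (not from the FEP documentation or product). Models the rule that
# the assigned policy with the highest precedence is the one the client applies.
# Function name and all sample names below are constructed.
function Resolve-FepEffectivePolicy {
    param(
        [string[]]  $PolicyPrecedence,     # policy names, highest precedence first
        [hashtable] $PolicyAssignments,    # policy name -> array of assigned collection names
        [hashtable] $ComputerCollections   # computer name -> array of collections it belongs to
    )
    foreach ($computer in $ComputerCollections.Keys) {
        $memberOf = $ComputerCollections[$computer]

        # Every assigned policy that reaches this computer, kept in precedence order.
        $applicable = @()
        foreach ($policy in $PolicyPrecedence) {
            $targets = $PolicyAssignments[$policy]
            if (-not $targets) { continue }
            foreach ($collection in $targets) {
                if ($memberOf -contains $collection) { $applicable += $policy; break }
            }
        }

        $effective = $null
        if ($applicable.Count -gt 0) { $effective = $applicable[0] }

        New-Object PSObject -Property @{
            Computer        = $computer
            EffectivePolicy = $effective
            # Policies that also target this computer but are outranked. If one of
            # them is the stricter policy, the precedence order needs to change.
            Shadowed        = @($applicable | Select-Object -Skip 1)
        }
    }
}

# Constructed sample data. Precedence is listed highest first, as in the Edit
# Policy Precedence dialog box; a just-created lab policy sits at the top because
# new policies are assigned the highest precedence.
$precedence  = @('Lab Test Policy', 'SQL Servers', 'Default Server Policy', 'Default Desktop Policy')
$assignments = @{
    'Lab Test Policy'        = @('Lab Machines')
    'SQL Servers'            = @('SQL Server Collection')
    'Default Server Policy'  = @('All Servers')    # default assignments are fixed; these names are made up
    'Default Desktop Policy' = @('All Desktops')
}
$computers = @{
    'SQL01' = @('All Servers', 'SQL Server Collection')
    'SQL02' = @('All Servers', 'SQL Server Collection', 'Lab Machines')  # lab policy outranks the SQL policy
    'WKS01' = @('All Desktops')
}

Resolve-FepEffectivePolicy -PolicyPrecedence $precedence `
                           -PolicyAssignments $assignments `
                           -ComputerCollections $computers |
    Format-Table Computer, EffectivePolicy, Shadowed -AutoSize
```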

This section describes how to assign a policy to a Configuration Manager collection. For more

information about Configuration Manager collections, see Collections in Configuration Manager

(http://go.microsoft.com/fwlink/?LinkId=196838).

To assign a policy to a collection

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Policies.

2. Right-click the policy that you want to assign, and then click Assign Policy.

Note:

You cannot assign the Default Server Policy or the Default Desktop Policy.

3. In the Assign Policy dialog box, click Add.


4. In the Browse Collection dialog box, select the collection to which you want to assign the

policy, and then click OK.

If you need to assign this policy to multiple collections, in the Assign Policy dialog box, for each

collection, click Add and repeat this step.

5. In the Assign Policy dialog box, click OK.

A separate Configuration Manager advertisement is created for each collection a policy is assigned

to. The advertisements are created in the Software Distribution\Advertisements\FEP Policies folder

in the Configuration Manager console.

Note:

The default assignments for the Default Server Policy and the Default Desktop Policy cannot be

modified.

After assigning Forefront Endpoint Protection policies to the proper collections you will want to make

sure that the policies are being applied.

Monitoring Forefront Endpoint Protection policy deployment

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and click Forefront Endpoint

Protection.

2. View the Policy Distribution Status section of the Operational Statistics on the Forefront

Endpoint Protection dashboard. You might need to refresh the page to get latest

information.

3. In the Links and Resources pane under Web Reports click Policy Distribution Overview for

policy deployment information started at the collection level down to the computer level.

Note:

Only computers running the Forefront Endpoint Protection client software and the Configuration

Manager agent will be included in the results displayed in the Forefront Endpoint Protection

reports and included in the Forefront Endpoint Protection dashboard statistics.

Note:

In the About information displayed for the Forefront Endpoint Protection client software,

information regarding the time the FEP policy was applied is provided. The time shown for Policy

Applied is in Coordinated Universal Time (UTC).

Using Group Policy with FEP

You can configure FEP client settings by using Active Directory Group Policy and Group Policy objects

(GPOs). The following content will help you configure clients by using Forefront Endpoint Protection

GPOs, preconfigured policy templates, and the Forefront Endpoint Protection Group Policy Tool.

Converting FEP Policies to Group Policy

You can convert policy settings contained in configured FEP policies to the format that is used by

Group Policy. In order to convert policies, you must first download and install the Forefront Endpoint

Protection Group Policy Tool. This tool can be obtained from the Microsoft Download Center

(http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools

download package. The package also contains ADMX and ADML files. Although these files are not

required in order to use the Forefront Endpoint Protection Group Policy Tool, they are required in

order to view or edit Group Policy object (GPO) policy settings. For more information about viewing

and editing policy settings, see Configuring and Viewing FEP Group Policy Settings. For information

about merging policy settings by using the Forefront Endpoint Protection Group Policy Tool, see

Merging Settings from Multiple Policy Files.

To extract and install the Forefront Endpoint Protection Group Policy Tool

1. Obtain the Forefront Endpoint Protection Group Policy Tool. This tool can be obtained from

the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) and copy it

to your local computer.

2. Double-click fep2010grouppolicytools.exe to extract the files from the package.

The Forefront Endpoint Protection Group Policy Tools package includes the following files:

• fep2010.adml

• fep2010.admx

• fep2010gptool.exe

3. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection

Group Policy Tool.

To convert FEP policy settings to Group Policy

1. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection

Group Policy Tool.

2. On the Import tab, select the Domain and the name of the GPO in that domain that you want

to populate with preconfigured FEP 2010 policy settings.

3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that

you want to import to the GPO.

4. Verify that the Clear existing Forefront Endpoint Protection settings before import check

box is selected, and then click OK to import the settings.

You can then edit and view the policy settings by using gpedit.msc. For more information about

viewing and editing policy settings, see Configuring and Viewing FEP Group Policy Settings.

Warning:

Selecting the Clear existing Forefront Endpoint Protection settings before import check box will

remove all FEP settings contained in the selected GPO and replace them with the imported FEP

policy settings. If you do not want to clear all of the existing FEP policy settings from the GPO, do

not select this check box.

To add ADMX and ADML files locally in order to view or edit policy settings

1. Navigate to the location where you extracted the ADMX and ADML files in the previous

procedure.

2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.

3. Copy the ADML file to the %systemroot%\PolicyDefinitions\ language folder. For example,

en-US.

Note:

You must restart the Group Policy Object Editor after performing the preceding steps.

4. For more information about editing GPOs by using ADMX files, see Editing the Local GPO

Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203368). For more information

about editing domain-based GPOs by using ADMX files, see Editing Domain-Based GPOs

Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203369).
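The copy steps above can be scripted so that the files land in the right folders and are verified before the Group Policy Object Editor is restarted. The following PowerShell script is an added example and is not part of the FEP documentation or the FEP Group Policy Tools package. It assumes that $ExtractedFolder is the folder where fep2010grouppolicytools.exe was extracted, that en-US is the ADML language folder, and, optionally, that $CentralStore points to a domain central store (a SYSVOL PolicyDefinitions path), which this page does not describe; it must be run from an elevated prompt.

```powershell
# Added example, not part of the FEP documentation: installs the FEP 2010 ADMX/ADML
# files extracted from fep2010grouppolicytools.exe into the local PolicyDefinitions
# store (and optionally a domain central store) and verifies the copies.
# Assumptions: $ExtractedFolder is where fep2010grouppolicytools.exe was extracted;
# en-US is the ADML language folder; $CentralStore (a SYSVOL PolicyDefinitions path)
# is not described on this page and is optional. Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory = $true)] [string] $ExtractedFolder,
    [string] $Language = 'en-US',
    [string] $CentralStore = ''
)

$ErrorActionPreference = 'Stop'

$admx = Join-Path $ExtractedFolder 'fep2010.admx'
$adml = Join-Path $ExtractedFolder 'fep2010.adml'
foreach ($f in @($admx, $adml)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Expected file not found: $f" }
}

# SHA-256 via .NET so the check also works on the PowerShell 2.0 hosts of the FEP era.
function Get-Sha256Hex {
    param([string] $Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Install-FepTemplate {
    param([string] $Store)
    $langDir = Join-Path $Store $Language
    if (-not (Test-Path -LiteralPath $langDir)) {
        # %systemroot%\PolicyDefinitions\en-US normally exists; a new central store may not have it.
        New-Item -ItemType Directory -Path $langDir | Out-Null
    }
    $admxDest = Join-Path $Store   'fep2010.admx'
    $admlDest = Join-Path $langDir 'fep2010.adml'
    Copy-Item -LiteralPath $admx -Destination $admxDest -Force
    Copy-Item -LiteralPath $adml -Destination $admlDest -Force

    # Verify each copy byte-for-byte; a truncated ADMX silently hides settings in the editor.
    foreach ($pair in @(@($admx, $admxDest), @($adml, $admlDest))) {
        if ((Get-Sha256Hex $pair[0]) -ne (Get-Sha256Hex $pair[1])) {
            throw "Copy verification failed for $($pair[1])"
        }
    }
    Write-Host "Installed fep2010.admx and fep2010.adml into $Store"
}

Install-FepTemplate -Store (Join-Path $env:SystemRoot 'PolicyDefinitions')
if ($CentralStore -ne '') { Install-FepTemplate -Store $CentralStore }

Write-Host 'Restart the Group Policy Object Editor; the settings appear under'
Write-Host 'Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.'
```

Run it as .\Install-FepAdmx.ps1 -ExtractedFolder C:\Temp\FEPGPTools on the computer where you edit GPOs. The hash comparison is there because a partially copied ADMX produces no error, only missing settings in the editor, which is easy to mistake for the display problem described later under Configuring and Viewing FEP Group Policy Settings.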

Merging Settings from Multiple Policy Files

You can merge policy settings from one or more FEP policies into a single Group Policy object (GPO).

This is helpful when you have settings contained in multiple FEP policies and you would like to

combine those policy settings in order to configure clients by using Group Policy. In order to merge

FEP policies to a single GPO, you must use the Forefront Endpoint Protection Group Policy Tool. For

information about how to obtain and extract this tool, see Converting FEP Policies to Group Policy.

Warning:

When you merge multiple policies to a single GPO, the order in which you merge the policies will

affect the outcome of the effective policy. In other words, if you merge three policies that contain

conflicting settings for a particular feature, the settings in the last policy that you merge will

overwrite any conflicting settings that are already merged or contained in the GPO.

Merging FEP policy settings from multiple FEP policy files into a GPO

1. Double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy

Tool.

2. On the Import tab, select the Domain and the name of the GPO in that domain that you want

to populate with preconfigured FEP policy settings.

3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that

you want to import to GPO.

Warning:

Verify that the .xml policies files were not obtained as part of the

FEPServerRolePoliciesForUseWithConfigMgrUI.exe downloaded package. Merging the

preconfigured policy files created for Configuration Manager is not supported.

4. If this is the first policy that you are merging and there are no FEP policy settings that you

want to retain that already exist in the selected GPO, select the Clear existing Forefront

Endpoint Protection settings before import check box.

By selecting this check box, all of the FEP policy settings are cleared in the target GPO. Clearing all of

the previous policy settings ensures that only the FEP settings that are contained in this policy will be

present in the target GPO settings. However, if this is not the first policy that you have merged to the

selected GPO and you want to retain existing previous settings contained in that GPO, ensure that

the check box is not selected. Selecting the check box will clear any previously configured FEP policy

settings that are contained in that GPO.

Note:

Merging policy settings by using the Forefront Endpoint Protection Group Policy Tool does not

affect or impact the source FEP policy file.

5. Click Apply to merge the policy settings to the GPO.

6. Repeat the previous step in order to merge additional settings contained in FEP policies to

the selected GPO.

Exporting Policy Settings to a FEP Policy File

In some cases, you may want to apply policy settings contained in a Group Policy object (GPO) locally

to FEP clients. Or, you may want to export FEP policy settings from a GPO in one domain and then

import those settings to a GPO in another domain. You can export policy settings contained in a

configured FEP GPO to a FEP policy file. The FEP policy file can then be used to apply policy settings

locally to FEP clients, or be imported to a different domain. In order to export policies, you must first

download and install the Forefront Endpoint Protection Group Policy Tool. For more information

about extracting and installing the Group Policy Tool, see Converting FEP Policies to Group Policy.

To export FEP policy settings

1. Locate and double-click fep2010gptool.exe in order to open the Forefront Endpoint

Protection Group Policy Tool.

2. On the Export tab, select the Domain and the name of the Group Policy object in that

domain that contains the settings with which you want to populate the new FEP policy file.

3. Click Select Policy File. Select the location and name for the destination .xml policy file that

will contain the exported policy settings.

4. Click OK to export the FEP GPO policy settings to the .xml policy file.

For more information about how to apply FEP policy settings, see Applying Policies from the

Command Prompt.

Note:

When exporting policy settings from a configured GPO, only the FEP policy settings are exported.

If the GPO contains non-FEP policy settings, those settings will not be present in the new FEP

policy file.

Configuring and Viewing FEP Group Policy Settings

You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object

Editor. Each policy setting contains parameter information specific to the feature that you want to

configure. Typically you will access the Group Policy Object Editor by selecting a Group Policy object

(GPO) from within the Group Policy Management Console (GPMC), and then selecting the edit action

for that object. For more information about the Group Policy Object Editor, see Ways to open Group

Policy Object Editor (http://go.microsoft.com/fwlink/?LinkId=203938). For information about

opening the Group Policy Object Editor as an MMC snap-in, see Open Group Policy Editor as an MMC

snap-in (http://go.microsoft.com/fwlink/?LinkId=203939).

To view FEP Group Policy settings

1. Open the Group Policy Object Editor and navigate to Local Computer Policy\Computer

Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.

2. Expand Forefront Endpoint Protection 2010, and click the folder that contains the settings

that you want to view.

For more information about each policy setting, in the right pane, double-click the setting that you

want to view in order to open the configuration dialog box and view the additional policy setting

information.

Important:

When viewing policy settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in

may incorrectly indicate that some values are disabled when they are actually enabled. In order to

determine whether a setting is enabled, you must open each setting individually for additional

information, and then view the value. If the value is present, the setting is enabled.

To edit FEP Group Policy object settings

1. Open Group Policy Management.

2. In the console tree, double-click Group Policy Objects in the forest and domain containing

the GPO that you want to edit.

3. Right-click the GPO, and then click Edit.

Note:

You must have Edit permissions for the GPO that you want to edit.

4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative

Templates\System\Forefront Endpoint Protection 2010, and then click the folder that

contains the settings that you want to configure.

5. In the right pane, double-click the setting that you want to configure in order to open the

configuration dialog box.

6. Configure the settings that you want to deploy to computers running the FEP client software,

and then click OK.

Important:

When viewing policy settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in

may incorrectly indicate that some values are disabled when they are actually enabled. In order to

determine whether a setting is enabled, you must open each setting individually for additional

information, and then view the value. If the value is present, the setting is enabled.

Warning:

It is recommended that the Turn on network protection against exploits of known

vulnerabilities setting is not enabled for policies assigned to servers.

7. Deploy the policy settings to computers running the FEP client software. For more

information about how to deploy Group Policy, see Planning and Deploying Group Policy

(http://go.microsoft.com/fwlink/?LinkId=203940).
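Because the Group Policy Object Editor, the GPMC and the RSoP snap-in may show a setting as disabled when it is in fact enabled, a practical cross-check is to look at what the client actually received: a setting is enabled when its registry value is present. The following PowerShell script is an added example, not part of the FEP documentation. It assumes that the FEP 2010 client reads GPO-delivered settings from HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware (the policy location of the Microsoft Antimalware engine the client is built on); that path is not stated on this page, so adjust $PolicyRoot if your build differs.

```powershell
# Added example, not part of the FEP documentation: lists the FEP settings a client has
# actually received through Group Policy, as a cross-check for the editor/RSoP display
# problem described above (a setting is enabled when its registry value is present).
# Assumption: the FEP 2010 client reads GPO-delivered settings from
# HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware, the policy location of the
# Microsoft Antimalware engine the client is built on; this path is not stated on this page.
param(
    [string] $PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
)

function Get-FepPolicyValues {
    param([string] $Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "No key at $Root. Either no FEP GPO applies to this computer or policy has not refreshed yet (try gpupdate /force)."
        return
    }
    # Walk the root key and every subkey (Real-Time Protection, Scan, Exclusions, ...).
    $keys = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed (Default) value
            New-Object PSObject -Property @{
                Key   = $k.Name -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM\'
                Name  = $name
                Type  = $k.GetValueKind($name)
                Value = $k.GetValue($name)
            }
        }
    }
}

# Only values that are present count as enabled, so the presence of a name is the signal;
# the data then says which way the setting points (for example 1 in a "Disable..." value
# turns that feature off).
$values = @(Get-FepPolicyValues -Root $PolicyRoot)
if ($values.Count -eq 0) {
    Write-Host 'No FEP Group Policy settings are present on this computer.'
}
else {
    $values | Sort-Object Key, Name | Format-Table Key, Name, Type, Value -AutoSize
    Write-Host ("{0} FEP setting(s) delivered by Group Policy." -f $values.Count)
}
```

Run it on a client that is in the scope of the GPO, after gpupdate /force, and compare the listed names with the settings you configured in the editor. A setting you enabled in the GPO that does not appear here has not reached the client (wrong OU, filtering, or replication), whereas a setting that appears but shows as disabled in the editor is the display problem noted above.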

FEP Policy Templates

Forefront Endpoint Protection policy templates can be used to create policies that contain optimized

settings. The following content will help you work with Forefront Endpoint Protection policy

templates.

About Preconfigured Policy Templates

You can maintain consistent configuration settings for multiple endpoints by applying policies.

Preconfigured policy templates can help you create policies that contain optimized settings, defined

by technology. You can also apply preconfigured policy templates locally to endpoints. There are two

different download packages available. FEPServerRolePoliciesForUseWithConfigMgrUI.exe contains

policy templates for use with FEP on Configuration Manager.

FEPServerRolePoliciesForUseWithGPO.exe contains policy templates that can be used to configure

policy settings locally on endpoints, deployed via script, or imported into Group Policy.

Policy templates are in XML format and contain configuration settings that are optimized for

endpoints running specific technologies. Preconfigured policy templates are included in the

installation of FEP on Configuration Manager. Periodically, preconfigured policy templates may be

updated and new templates may be provided. The latest versions of the preconfigured FEP policy

templates are available for download from the Microsoft Download Center

(http://go.microsoft.com/fwlink/?LinkId=207730).

Note:

In order to work with the updated preconfigured policy templates by using FEP running on

Configuration Manager, you must first extract the policy files to the %programfiles%\Microsoft

Forefront\Policytemplates folder. After extracting the templates, you can then create policies

based on the template settings by using the New Policy Wizard in the Configuration Manager

console. It is important to note that when a policy is created based on a preconfigured policy

template, the policy does not automatically receive updated settings when a new version of the

policy template is extracted to the Policytemplates folder.

After downloading the policy template package that applies to your FEP environment and extracting

the files to their proper location, you can then select the appropriate policy template that

corresponds to the technology running on the endpoint. Each template contains different

configuration settings. For this reason, it is important that you select the policy template that

contains the policy settings that you want to apply. If you apply the settings contained in a policy

template to an endpoint for which those settings were not intended, you may make configuration

changes that will affect the performance of that endpoint.

To view specific policy template settings, you can right-click the .xml file that you want to view, and

then click Edit. Be careful not to edit the template file. Editing the preconfigured policy template files

directly is not supported. Instead, you can create a policy based on the template by using

Configuration Manager or by using the Group Policy Tool. For information about creating new FEP

policies by using templates in Configuration Manager, see Creating a Policy. For information about

creating new FEP policies from policy templates by using the FEP Group Policy Tool, see Converting

FEP Policies to Group Policy.

Preconfigured policy templates are available for endpoints running the following technologies:

• Microsoft SQL Server 2005

• Microsoft SQL Server 2008

• Internet Information Services (IIS) 6

• Internet Information Services (IIS) 7

• System Center Configuration Manager 2007

• System Center Configuration Manager 2007 R2

• Microsoft Exchange Server 2007

• Microsoft Exchange Server 2010

• Microsoft Forefront Protection 2010 for Exchange Server (FPE)

• Microsoft Office SharePoint® Server 2007

• Microsoft SharePoint 2010

• Microsoft Forefront Protection 2010 for SharePoint (FPSP)

• Domain Controller

• Active Directory Domain Services

• Microsoft Hyper-V™ (host)

• Terminal Services

• DNS Server

• DHCP Server

• File Services

• Microsoft Forefront Security for Exchange Server

• System Center Operations Manager 2007

• Server (FEP-recommended default policy settings for servers)

Applying Policies from the Command Prompt

You can apply preconfigured FEP policy templates downloaded from the Microsoft Download Center,

FEP policies exported by using the FEP Group Policy Tool, and FEP policies exported from

Configuration Manager, from the command prompt.

It is important to note that when applying FEP policies from the command prompt, the resultant

policy settings on the client are cumulative. For this reason, you must apply the policies in the proper

sequence in order to obtain the desired configuration results.

For example, if you apply one policy that sets Turn on behavior monitoring: Enabled, and also sets

Allow users to pause a scan: Enabled, and you then apply a second policy to the same server that

sets Turn on behavior monitoring: Disabled, the resulting policy settings on the client will be Turn on

behavior monitoring: Disabled, and Allow users to pause a scan: Enabled. However, configurations that

were set locally on the server that do not pertain to FEP, such as enabling a screen saver, will not be

overwritten. For this reason, it is important to not only be aware of the settings in the policy

template that you are applying; you must also apply policy templates in the proper order. It is

recommended that when you apply multiple policy templates from the command prompt, you apply

the default server policy template first, and then apply additional policy templates.

Warning:

When applying policies to domain-joined computers, regardless of whether the policy settings are

contained in a preconfigured policy template or an exported policy file, the domain-joined

computer will not apply the settings contained in the policy until it is able to communicate with

the domain controller. Clients running the FEP software will indicate that the policy was received

and applied successfully. However, communication with the domain controller is required in

order to apply the settings contained in the policy. Settings will be immediately applied when the

domain-joined computer is able to communicate with the domain controller. This warning does

not apply to non-domain-joined clients.

Applying Preconfigured Policy Templates

There are two separate downloads available that contain preconfigured policy templates. The

FEPServerRolePoliciesForUseWithGPO.exe download contains the policy templates that you can use

in order to apply preconfigured policy settings from the command prompt. The latest version of

FEPServerRolePoliciesForUseWithGPO.exe is available for download from the Microsoft Download

Center (http://go.microsoft.com/fwlink/?LinkId=207730).

Important:

Before proceeding with these steps, verify that the client software that is installed on the

endpoint is the latest supported version. If the client software is not the latest version, uninstall

the client software, and then install both the client software and the policy. For more information

about how to install the client software at the command prompt along with a policy, see

Deploying the Client Software by Using the Command Prompt.

To apply a preconfigured policy to a client locally

1. Copy FEPInstall.exe and FEPServerRolePoliciesForUseWithGPO.exe to the server on which

you want to apply a preconfigured policy to an existing client.

2. Double-click FEPServerRolePoliciesForUseWithGPO.exe in order to extract the

preconfigured policy file templates.

3. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security

Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

Important:

You must change the path to this directory and run the command from that location.

For example, if you want to apply a policy template named FEP_DHCP.xml to a server running DHCP,

run the following command:

ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml

where servername is the name of the server hosting the share, and share is the name of the shared

folder on that server.

Important:

You must always specify the full path for the policy location.

4. Wait for approximately three minutes in order for the settings to update in the user

interface, and then open the Forefront Endpoint Protection client software. Verify that the

settings defined in the policy are shown in the client software.
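Because settings applied from the command prompt are cumulative and the last policy applied wins on any conflicting setting, the order of ConfigSecurityPolicy.exe calls is part of the configuration and is worth scripting rather than typing by hand. The following PowerShell script is an added example, not part of the FEP documentation or the policy template package. It applies a list of policy files in the order given (default server template first, as the text above recommends), runs the tool from the client folder with full paths as required, and stops on the first failure. The file name FEP_Server.xml for the default server template is hypothetical; FEP_DHCP.xml is the name used on this page. It assumes that ConfigSecurityPolicy.exe returns a non-zero exit code on failure, which the page does not state.

```powershell
# Added example, not part of the FEP documentation: applies several FEP policy files with
# ConfigSecurityPolicy.exe in an explicit order, because settings accumulate and the last
# policy applied wins on any conflicting setting.
# Assumptions: the policy files are on a share reachable from the server; FEP_Server.xml is a
# hypothetical name for the default server template (FEP_DHCP.xml is from the page); a
# non-zero exit code from ConfigSecurityPolicy.exe means failure (not stated on the page).
# Run from an elevated PowerShell prompt on the target server.
param(
    # Order matters: the default server template first, then the role-specific templates.
    [string[]] $PolicyFiles = @(
        '\\servername\share\FEP_Server.xml',
        '\\servername\share\FEP_DHCP.xml'
    ),
    [int] $SettleSeconds = 180    # the page says to allow about three minutes for the client UI to update
)

$ErrorActionPreference = 'Stop'

# ConfigSecurityPolicy.exe must be run from the client folder, with a full path to each policy.
$clientDir = Join-Path $env:ProgramFiles 'Microsoft Security Client'
$tool      = Join-Path $clientDir 'ConfigSecurityPolicy.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "FEP client not found at $clientDir" }

foreach ($p in $PolicyFiles) {
    # Reject relative paths up front: the tool requires the full (local or UNC) path.
    if (-not [System.IO.Path]::IsPathRooted($p)) { throw "Not a full path: $p" }
    if (-not (Test-Path -LiteralPath $p))        { throw "Policy file not found: $p" }
}

Push-Location $clientDir
try {
    foreach ($p in $PolicyFiles) {
        Write-Host "Applying $p"
        & $tool $p
        # Stop on the first failure so a later template is not layered on top of a partial result.
        if ($LASTEXITCODE -ne 0) { throw "ConfigSecurityPolicy.exe returned $LASTEXITCODE for $p" }
    }
}
finally { Pop-Location }

Write-Host "Policies applied in order. Waiting $SettleSeconds seconds for the client to pick up the settings..."
Start-Sleep -Seconds $SettleSeconds
Write-Host 'Open the FEP client and confirm that, for every setting present in more than one file,'
Write-Host 'the value from the LAST file in the list is the one shown.'
```

Keep the list in a single script per server role and under version control: the same two files applied in the opposite order give a different effective configuration, and nothing on the client records which order was used.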

Applying Exported Policies

You can export policy settings to a Forefront Endpoint Protection .xml policy file by using the

Forefront Endpoint Protection Group Policy Tool or Configuration Manager, depending on the

location of the policy settings. For more information about exporting Group Policy settings, see

Exporting Policy Settings to a FEP Policy File. For more information about exporting FEP policies in

Configuration Manager, see Exporting a Policy.

Important:

Before proceeding with these steps, verify that the client software that is installed on the

endpoint is the latest supported version. If the client software is not the latest version, uninstall

the client software, and then install both the client software and the policy. For more information

about how to install the client software at the command prompt along with a policy, see

Deploying the Client Software by Using the Command Prompt.

To apply an exported policy to a client locally

1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security

Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

Important:

You must change the path to this directory and run the command from that location.

For example, if you want to apply a policy template named My_Exported_Policy.xml to a server, run

the following command:

ConfigSecurityPolicy.exe \\servername\share\My_Exported_Policy.xml

where servername is the name of the server hosting the share, and share is the name of the shared

folder on that server.

Note:

You must always specify the full path for the policy location.

2. Wait for approximately three minutes in order for the settings to update in the user

interface, and then open the Forefront Endpoint Protection client software. Verify that the

settings defined in the policy are shown in the client software.

Updating Policies from the Command Prompt

You can update the local policy on a client computer by using a policy template and applying that

policy template via the command prompt. Preconfigured policy templates can be obtained from the

Microsoft Download Center. For more information about preconfigured policy templates, see About

Preconfigured Policy Templates. You can also apply policy settings that have been exported from

Configuration Manager or the Forefront Endpoint Protection Group Policy Tool. For more

information about exporting policies from Configuration Manager, see Exporting a Policy. For more

information about exporting policies by using the Group Policy Tool, see Converting FEP Policies to

Group Policy.

To update the local policy on a client computer

1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security

Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

Important:

You must change the path to this directory and run the command from that location.

For example, if you want to apply the policy named FEP_DHCP.xml to a client, run the following

command:

ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml

where servername is the name of the server hosting the share, and share is the name of the shared

folder on that server.

Note:

You must always specify the full path for the policy location.

2. Wait for approximately three minutes in order for the settings to update in the user

interface, and then open the Forefront Endpoint Protection client software. Verify that the

settings defined in the policy are shown in the client software.

Common Tasks

There are certain tasks that are common in day-to-day security administration. This section provides

steps for accomplishing these tasks for each of the following attributes of Forefront Endpoint

Protection (FEP):

• Forefront Endpoint Protection

• The FEP Security Management Pack

• The FEP client

Important:

Not every common task can be performed in each feature. The features on which the task can be

performed are listed at the beginning of each set of tasks.

Running an Endpoint Protection Scan

This task applies to the following features:

• Forefront Endpoint Protection

• The FEP Security Management Pack

• The FEP client

Important:

You should configure FEP policy to ensure that scans run automatically on a regular basis.

To run a quick or full scan by using FEP

1. In the Configuration Manager console, in the tree, expand Computer Management, expand

Collections, and then navigate to the collection that contains the computer on which you

want to start a scan.

Tip:

If you know the name of the target computer, you can search for the computer in the details pane

when a parent collection is selected in the tree.

2. Right-click the computer name, click FEP Operations, and then click either Run Full Scan or

Run Quick Scan.

Tip:

You can target multiple computers by selecting them and then right-clicking a single computer.

To distribute the on-demand scan, Configuration Manager creates an advertisement. You can view

the properties of the advertisement by navigating to Software Distribution in the tree, and then

expanding Advertisements and FEP Operations.

The collections and advertisements created by this process are deleted the next time you run an on-

demand scan, if they are older than seven days.

Note:

Only one advertisement can run at a time on the client computer. Therefore, if an advertisement

is running on the client computer that could potentially take a while to complete (such as a full

scan on a computer with a large hard disk), subsequent advertisements are processed after that

advertisement completes.

To run a quick or full scan by using the FEP Security Management Pack

1. In the Operations Manager console, navigate to the Monitoring view, and then expand the

Monitoring tree.

2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to start a

scan.

Note:

In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look

for text box, and then click Find Now.

4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Quick Scan or

Full Scan.

5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run

the scan and that the check box next to the target name is selected, and then click Run. The

scan runs with the default parameters.

Note:

The task is marked as successful after the scan is started on the targeted computer. Tasks in the

FEP Security Management Pack represent the command to run the task, not the results of the

task itself.

To run a quick or full scan locally on the FEP 2010 client

1. In the notification area of your computer, right-click the Microsoft Forefront Endpoint

Protection 2010 icon, and then click Open.

2. On the FEP Home page, select either the Quick option or Full option, and then click Scan

now. The scan may take a while, depending on the number of files and folders being

scanned.

Managing Windows Firewall Protection

This task applies to the following features:

• Forefront Endpoint Protection

• The FEP Security Management Pack

Note:

Windows XP and Windows Server 2003 only support two network locations: Domain networks

and Private networks. Any settings you configure for the Public networks location are ignored on

computers running Windows XP or Windows Server 2003.

Additionally, for both the Domain networks and the Private networks locations, setting the

Incoming connections list to Allow is ignored on computers running Windows XP.

To turn on or off Windows Firewall protection by using FEP

1. In the Configuration Manager Console, in the tree, expand Computer Management, expand

Forefront Endpoint Protection, and then click Policies.

2. Right-click the policy you want to modify, and then click Properties.

3. In the Properties dialog box, click the Windows Firewall tab.

4. On the Windows Firewall tab, click the Manage Windows Firewall check box.

5. For each of the network locations, in the Firewall State list, select the desired setting of

either On (recommended) or Off, and then click OK.

After you configure the FEP policy, if the FEP policy is already assigned to a collection, it is refreshed

within the Configuration Manager policy polling interval. You can configure the Configuration

Manager policy polling interval in the Computer Client Agent configuration in the Configuration

Manager console. For more information about the Computer Client Agent, see How to Configure the

Configuration Manager Computer Client Agent (http://go.microsoft.com/fwlink/?LinkId=204087).

Additionally, only one advertisement can run at a time on the client computer. Therefore, if an

advertisement is running on the client computer, the FEP policy advertisement is processed after

that advertisement completes.

Important:

When you apply a FEP policy to a collection that has more than one policy assigned, policy

precedence determines which policy takes effect on the clients in the collection. For more

information about policy precedence, see Setting Policy Precedence.

To turn on or off Windows Firewall protection by using the FEP Security Management Pack

1. In the Operations Manager console, navigate to the Monitoring view, and then expand the

Monitoring tree.

2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to turn Windows Firewall on or off.

Note:

In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look

for text box, and then click Find Now.

4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Turn Windows

Firewall On or Turn Windows Firewall Off.

5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run

the task and that the check box next to the target name is selected, and then click Run.

Note:

If Group Policy is used to manage the Windows Firewall settings, the FEP Security Management Pack task fails to commit the changes to the Windows Firewall configuration. However, the task still reports as successful, because there is no method to determine whether Group Policy is used to manage the Windows Firewall settings.

Retrieving the Effective Endpoint Protection Settings

This task applies to the following feature:

• The FEP Security Management Pack

To retrieve endpoint settings by using the FEP Security Management Pack

1. In the Operations Manager console, navigate to the Monitoring view, and then expand the

Monitoring tree.

2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

3. In the Endpoints with FEP pane, click the name of the endpoint from which you want to

retrieve settings.

Note:

In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look

for text box, and then click Find Now.

4. In the Actions pane, expand Protected Server Tasks, and then click Retrieve Endpoint

Settings.

5. In the Run Task dialog box, verify that the target is the endpoint that you want to retrieve

settings from and that the check box next to the target name is selected, and then click Run.

Forcing Definition Updates

This task applies to the following features:

• Forefront Endpoint Protection

• The FEP Security Management Pack

• The FEP client

Important:

You should configure FEP policy to ensure that definition updates run automatically on a regular

basis, and you should monitor the Definition Status area in the FEP dashboard.

To force a definition update by using FEP

1. In the Configuration Manager console, in the tree, expand Computer Management, expand

Collections, and then navigate to the collection that contains the computer on which you

want to force a definition update.

Tip:

If you know the name of the target computer, you can search for the computer in the details pane

when a parent collection is selected in the tree.

2. Right-click the computer name, click FEP Operations, and then click Run Antimalware

Definitions Update.

Tip:

You can target multiple computers by selecting them and then right-clicking a single computer.

To distribute the definition update request, Configuration Manager creates an advertisement. You

can view the properties of the advertisement by navigating to Software Distribution in the tree, and

then expanding Advertisements and FEP Operations.

Note:

Only one advertisement can run at a time on the client computer. Therefore, if an advertisement

is running on the client computer that could potentially take a while to complete (such as a full

scan on a computer with a large hard disk), subsequent advertisements are processed after that

advertisement completes.

To force a definition update by using the FEP Security Management Pack

1. In the Operations Manager console, navigate to the Monitoring view, and then expand the

Monitoring tree.

2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to update

definitions.

Note:

In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look

for text box, and then click Find Now.

4. In the Actions pane, expand Protected Endpoint Tasks, and then click Update Antimalware

Definitions.

5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run

the task and that the check box next to the target name is selected, and then click Run.

To update definitions locally on the FEP 2010 client

• In the FEP client software, click the Update tab, and then click the Update button.

Configuring Definition Updates

You can configure the Forefront Endpoint Protection client software to check for updates from one

or many of the following sources:

• Software Updates and Windows Server Update Services Definition Updates

• Microsoft Update Definition Updates

• File-Share-Based Definition Updates

When you configure multiple definition sources, by default the client software checks for definition

updates in the following order:

1. File share

2. Windows Server Update Services (WSUS)

3. Microsoft Update

However, you can alter both the order of this list and the definition sources checked.

To change the order of definition updates or alter the update sources

• After creating a FEP policy, right-click the policy and then click Properties.

• To change the order of definition updates, click the Updates tab, and in the list of

update sources, click the one you want to reorder, and then click either Up or Down.

• To change the definition update sources, on the Updates tab, in the list of update

sources, click the check box next to each definition update source you want to check.

Note:

If you select Updates from UNC file shares, you must configure those shares. For more

information, see File-Share-Based Definition Updates.

• When finished, click OK.

You can view the definition status for your deployed FEP clients by viewing the Definition Status area

in the Forefront Endpoint Protection dashboard. For more information about the FEP dashboard, see

Dashboard Overview.

Software Updates and Windows Server Update Services Definition Updates

When configuring your Forefront Endpoint Protection or FEP Security Management Pack deployment

for WSUS-based definition updates, you must perform the following tasks:

• Configure either the Software Updates area of Configuration Manager or your WSUS server

to synchronize both updates and definition updates.

• Approve the Endpoint Protection definitions in the WSUS administration console.

Configuring Update Synchronization

If you are using Forefront Endpoint Protection, you must configure Software Updates in

Configuration Manager to synchronize the appropriate updates for the FEP client.

To synchronize FEP definition updates in Configuration Manager

1. In the Configuration Manager Console, in the tree, expand Site Management, expand the

site name, expand Site Settings, and then click Component Configuration.

2. In the details pane, right-click Software Update Point Component, and then click Properties.

3. On the Classifications tab, ensure that the Definition Updates check box and the Updates

check box are selected.

4. On the Products tab, ensure that the product Forefront Endpoint Protection 2010 check box

is selected, and then click OK.

FEP client computers receive definition updates from a WSUS server. If you are using a WSUS server

that is not integrated with Configuration Manager, you must configure the definition update

synchronization in the WSUS administration console.

To synchronize FEP definition updates in WSUS

1. Using an account that has local administrator user rights, log on to the computer running

WSUS.

2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update

Services.

3. In the WSUS Administration console, in the tree, expand the Computers node, click Options,

and then click Products and Classifications.

4. In the Products and Classifications dialog box, on the Products tab ensure that the product

Forefront Endpoint Protection 2010 check box is selected.

5. On the Classifications tab, ensure that the Definition Updates check box and Updates check

box are selected, and then click OK.

Approving Updates

Updates for the FEP client must be approved before those updates are offered to clients requesting the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates are only offered to clients when they are approved for installation and when the WSUS server has completed the binary download.

To approve definitions and updates in WSUS

1. Using an account that has local administrator user rights, log on to the computer running

WSUS.

2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update

Services.

3. In the WSUS Administration console, click Updates, and then click All Updates or the

classification of updates you want to approve.

4. On the list of updates, right-click the update or updates you want to approve for installation,

and then click Approve.

5. In the Approve Updates dialog box, click the arrow next to the computer group for which

you want to approve the updates, and then click Approved for Install.

You can also set an Automatic Approval rule for definition updates and FEP updates, which

configures WSUS to automatically approve for install any definition updates or FEP updates

downloaded by WSUS.

To configure an automatic approval rule

1. In the WSUS Administration console, click Options, and then click Automatic Approvals.

2. On the Update Rules tab, click New Rule.

3. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in

a specific classification check box.

4. Under Step 2: Edit the properties, click any classification.

5. Clear all check boxes except Definition Updates, and then click OK.

6. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in

a specific product check box.

7. Under Step 2: Edit the properties, click any product.

8. Clear all check boxes except Forefront Endpoint Protection, and then click OK.

9. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection

Definition Updates rule, and then click OK.

10. In the Automatic Approvals dialog box, make sure that the check box next to the newly created rule Forefront Endpoint Protection 2010 Definition Updates is selected, and then click Run rule.

Note:

You should ensure you are declining older definition updates. Failing to do so may impact the

performance of both your WSUS server and possibly your client computers. By configuring

automatic approval for revisions and automatic declination of expired updates, you can

accomplish this task. For more information, see Microsoft Knowledge Base article 938947

(http://go.microsoft.com/fwlink/?LinkId=204078).
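The automatic approval rule from the procedure above, together with the clean-up the Note asks for, expressed with the WSUS administration API. This is an added example, not part of the FEP documentation or the product; it assumes it runs on the WSUS server as a WSUS administrator, and the rule name and the target group name are sample values.

```powershell
# Added example, not from the FEP documentation: creates the automatic approval
# rule from the procedure above and declines superseded FEP definition updates
# (see the Note above) through the WSUS administration API. Run it on the WSUS
# server as a WSUS administrator. The rule and target group names are sample values.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ruleName        = 'Forefront Endpoint Protection 2010 Definition Updates'   # name from step 9
$targetGroupName = 'All Computers'                                            # assumed target group

# Steps 3 to 5: match only the Definition Updates classification.
$defClass = $wsus.GetUpdateClassifications() |
    Where-Object { $_.Title -eq 'Definition Updates' } | Select-Object -First 1
# Steps 6 to 8: match only the Forefront Endpoint Protection 2010 product.
$fepProduct = $wsus.GetUpdateCategories() |
    Where-Object { $_.Title -eq 'Forefront Endpoint Protection 2010' } | Select-Object -First 1
$targetGroup = $wsus.GetComputerTargetGroups() |
    Where-Object { $_.Name -eq $targetGroupName } | Select-Object -First 1
if (-not $defClass -or -not $fepProduct -or -not $targetGroup) {
    throw 'Classification, product or target group not found; complete the synchronization procedure above first.'
}

$classifications = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classifications.Add($defClass)
$products = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
[void]$products.Add($fepProduct)
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groups.Add($targetGroup)

# Steps 1, 2, 9 and 10: create the rule if it does not exist yet, enable it, save it and run it once.
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName } | Select-Object -First 1
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }
$rule.SetUpdateClassifications($classifications)
$rule.SetCategories($products)
$rule.SetComputerTargetGroups($groups)
$rule.Enabled = $true
$rule.Save()
$rule.ApplyRule()

# The Note above: decline older definitions, but only those whose superseding update is
# already approved, so that no client is left without an approved definition to download.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
[void]$scope.Classifications.Add($defClass)
[void]$scope.Categories.Add($fepProduct)
$supersededBy = [Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate
$declined = 0
foreach ($update in $wsus.GetUpdates($scope)) {
    if (-not $update.IsSuperseded -or $update.IsDeclined) { continue }
    $approvedNewer = @($update.GetRelatedUpdates($supersededBy) | Where-Object { $_.IsApproved })
    if ($approvedNewer.Count -gt 0) {
        $update.Decline()
        $declined++
    }
}
Write-Output "Rule '$ruleName' saved and applied; declined $declined superseded definition updates."
```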

Microsoft Update Definition Updates

You use the Microsoft Update definition update option to keep definitions on mobile computers up-to-date when they are not connected to the corporate network.

The Microsoft Update definition update option works in the same way as a normal Microsoft Update

request. If configured, the FEP client will query Microsoft Update for new definitions according to the

frequency configured in the FEP policy.

You configure clients to check for definition updates by setting a policy option.

To configure clients to check Microsoft Update

• When you create a FEP policy, on the Updates page, ensure the Enable updates from

Microsoft Update check box is selected.

• When you want to add Microsoft Update as a definition update option to an existing policy,

in the properties of the policy, click the Updates tab, and in the update source list, ensure

the Updates from Microsoft Updates check box is selected.

File-Share-Based Definition Updates

The FEP client software can be configured to check a file share for definition updates. In order to

check for updates, the client computer accounts must have read access to the file share in which you

store the definition files.

Note:

When you configure clients to check a file share for definition updates, by default clients check

the file share first, before checking WSUS or Microsoft Update. This order can be changed. For

more information, see Configuring Definition Updates.

To enable file share-based definition updates

1. When creating a FEP policy, on the Updates page, click the check box next to Enable updates

from the following UNC file share, and then in the text box, enter the Universal Naming

Convention (UNC) path to the file share.

2. To enable file share-based definition updates in an existing policy, use the following steps:

a. In the Configuration Manager console, expand Computer Management, expand

Forefront Endpoint Protection, and then click Policies.

b. In the details pane, right-click the policy you want to edit, and then click Properties.

c. Click the Updates tab, and then in the list of update sources, click the check box next

to Updates from UNC file shares.

d. Under File shares, click Add, and then type the UNC path to the file share.

e. If necessary, click Add again and add additional UNC paths.

Note:

You can alter the order of the list of file shares by selecting a listed path, and then, under the list,

click Up or Down.

f. When finished, click OK.

When you configure a file share for definition updates, you must download the definition updates to

certain folders in the UNC file share.

To configure a file share for definition updates

1. Download the required files from the following locations:

For x64:

• Antimalware definitions

(http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)

• Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)

Note:

This file is required only if you have enabled the Enable protection against network-based

exploits check box on the Antimalware tab of a FEP policy.

For x86:

• Antimalware definitions

(http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)

• Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)

Note:

This file is required only if you have enabled the Enable protection against network-based exploits check box on the Antimalware tab of a FEP policy.

Important:

Do not rename the files when you download them.

2. Save the files in folders with the following names:

• The files for x64-based computers must be in a folder named x64

• The files for x86-based computers must be in a folder named x86

For example:

...\Updates\x86

...\Updates\x64

3. Ensure that each folder contains the following two files:

• Mpam-fe.exe

• Nis_full.exe

Note:

This file is required only if you have enabled the Enable protection against network-based

exploits check box on the Antimalware tab of a FEP policy.

4. Share the parent folder that contains the x64 and x86 folders.

Important:

Ensure the client computers and the domain users connecting to the share have read permissions

to the share. During an automatic update the client computer account is used to authenticate to

the share. When a user manually updates their definitions by clicking Update, that user account is

used to authenticate to the share.
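A check of the share layout and permissions described in the procedure above, written as an added example that is not part of the FEP documentation. It assumes it runs on the file server that hosts the share; the local path, the share name and the group names are sample values, and a Read grant to a broader group (for example Authenticated Users) would also satisfy the requirement but is not recognized by this script.

```powershell
# Added example, not from the FEP documentation: checks that a UNC definition
# share matches the layout described above before clients are pointed at it.
# Run it on the file server that hosts the share. The path, share name and
# group names are sample values; adjust them to your environment.
param(
    [string]$ShareRoot = 'D:\Updates',       # local path of the shared parent folder (assumed)
    [string]$ShareName = 'Updates',          # name the parent folder is shared as (assumed)
    [string[]]$RequiredReaders = @('Domain Computers', 'Domain Users'),  # need Read (assumed names)
    [switch]$NisEnabled                      # set when "Enable protection against network-based exploits" is on
)

# Step 3: both files, under their original names. Nis_full.exe is needed only with NIS enabled.
$requiredFiles = @('Mpam-fe.exe')
if ($NisEnabled) { $requiredFiles += 'Nis_full.exe' }
$knownFiles = @('Mpam-fe.exe', 'Nis_full.exe')

$problems = @()

# Steps 2 and 3: one folder per architecture, each holding the expected files.
foreach ($arch in @('x64', 'x86')) {
    $folder = Join-Path $ShareRoot $arch
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        $problems += "Missing folder: $folder"
        continue
    }
    foreach ($file in $requiredFiles) {
        $path = Join-Path $folder $file
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $problems += "Missing file: $path"
        }
    }
    # Any other file name means a download was renamed (see the Important note above) or is stale.
    foreach ($item in @(Get-ChildItem -LiteralPath $folder | Where-Object { -not $_.PSIsContainer })) {
        if ($knownFiles -notcontains $item.Name) {
            $problems += "Unexpected file (renamed or stale?): $($item.FullName)"
        }
    }
}

# Step 4 and the Important note: computer accounts (automatic updates) and users (manual
# Update button) need Read on the NTFS folder and on the share itself.
$readMask = [System.Security.AccessControl.FileSystemRights]::Read
$ntfs = (Get-Acl -LiteralPath $ShareRoot).Access
foreach ($reader in $RequiredReaders) {
    $allow = $ntfs | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$reader" -and
        (($_.FileSystemRights -band $readMask) -eq $readMask)
    }
    if (-not $allow) { $problems += "NTFS: no Read allow entry for $reader on $ShareRoot" }
}
# Share-level permissions, where the SmbShare module exists (Windows Server 2012 and later).
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    $share = Get-SmbShareAccess -Name $ShareName -ErrorAction SilentlyContinue
    foreach ($reader in $RequiredReaders) {
        $allow = $share | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -like "*\$reader" }
        if (-not $allow) { $problems += "Share: no allow entry for $reader on \\$env:COMPUTERNAME\$ShareName" }
    }
}

if ($problems.Count -eq 0) {
    Write-Output "Share layout and permissions look correct: \\$env:COMPUTERNAME\$ShareName"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```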

FEP Monitoring

You can monitor the client computers that run the FEP client software in a number of ways. The

monitoring features of Forefront Endpoint Protection are summarized in the following table.

Monitoring method: Forefront Endpoint Protection dashboard

Description: Displays client deployment status, antimalware activity status, definition status, policy distribution status, and the compliance levels for the configured baselines in Desired Configuration Management (DCM). For information on how to use the Forefront Endpoint Protection dashboard, see Monitoring Client Status by Using the Dashboard.

Monitoring method: Forefront Endpoint Protection alerts

Description: The alerts node under Forefront Endpoint Protection allows you to configure the alerts that are used to provide administrators with information about malware outbreaks through events in the Windows Event Viewer, or optionally by e-mail. For information on how to use Forefront Endpoint Protection alerts, see Using Alerts to Monitor Malware Detections.

Monitoring method: Forefront Endpoint Protection reports

Description: Forefront Endpoint Protection comes with reports that allow you to see greater detail about other key indicators for computer health. For more information about Forefront Endpoint Protection reports, see Using Reports in FEP.

Monitoring method: Forefront Endpoint Protection baselines for Desired Configuration Management (DCM)

Description: Forefront Endpoint Protection includes baselines for DCM. The addition of Forefront Endpoint Protection baselines to DCM allows you to assess and track the configuration compliance for the FEP client software. For more information about Forefront Endpoint Protection Desired Configuration Management, see Using Desired Configuration Management to Monitor Client Compliance.

Monitoring Client Status by Using the Dashboard

You use the Forefront Endpoint Protection (FEP) dashboard to view key information you need in

order to track, manage, and report on your organization’s antimalware health and status. For more

information, see Dashboard Overview.

To view the list of computers to which the Forefront Endpoint Protection client failed to deploy

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and then click Forefront Endpoint

Protection.

In the results pane, in the Client Deployment Status area, the statistics for client deployment display.

2. In the Client Deployment Status area, next to Failed, click the number displayed.

The Deployment Failed collection displays. This collection lists all the computers that returned a

failure on the installation package for the FEP client software.

Note:

For more information about collections in Configuration Manager, see About Collections

(http://go.microsoft.com/fwlink/?LinkId=196182) in the System Center Configuration Manager

2007 documentation.

To view malware activity status

• In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and then click Forefront Endpoint

Protection.

In the results pane, in the Security Status area, the list of possible FEP security states displays.

The Security Status list contains information about how many computers that had malware were

cleaned, how many are actively infected, and how many computers need additional action.

About Forefront Endpoint Protection Configuration Baselines

The FEP dashboard contains a summary view of the FEP configuration baselines used to monitor and

report information about the categories of computers in your organization. In the Forefront

Endpoint Protection Baselines area, you see a summary view of each FEP configuration baseline and

the number of computers compliant or not compliant with the configuration baseline.

For more information about the FEP configuration baselines, see Using Desired Configuration

Management to Monitor Client Compliance.

Warning:

If you enable the Use Reporting Services Reports for Admin console report links option in the Configuration Manager site report options, all FEP Desired Configuration Manager baseline reports and report links at the bottom of the FEP dashboard do not work, and return an error. To fix the reports, run the steps described in How to Copy Configuration Manager Reports to SQL Reporting Services (http://go.microsoft.com/fwlink/?LinkId=207354) in the Configuration Manager documentation.

Using Alerts to Monitor Malware Detections

Alerts in Forefront Endpoint Protection (FEP) provide administrators with information about malware

outbreaks. Administrators can view alerts in two ways:

• Through events in the Windows Event Viewer

• Optionally, by e-mail

There are two varieties of alerts:

• Alerts that apply per collection (and any child collections of the parent collection). You can

create multiple alerts, but a collection can only be assigned one of each alert type.

• A global alert for malware outbreaks, which triggers based on any collection.

By default, alerts in FEP are not enabled, and you must configure e-mail settings in order for the e-mail option to work. Additionally, in a hierarchical Configuration Manager topology where you have FEP installed on both the child site and the parent site, you should configure alerts at the child site to notify administrators who can take action on the alerts.

The following table lists the alerts available in FEP. For each alert type, the description is followed by the default trigger threshold when enabled.

Alert type: Malware Outbreak Alert

Description: When enabled, an alert of this type is triggered when a fast-spreading malware is detected in your organization. You configure the threshold for a fast-spreading malware in your organization by setting the number of unique computers infected by a particular malware in 24 hours.

Default trigger threshold when enabled:

• Number of computers with the same malware detected: 100

Alert type: Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when the following conditions are met:

• Malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.

• The malware detection falls within the specified detection level for the alert.

Default trigger threshold when enabled:

• No parent collections are specified by default

• Select detection level: High

Alert type: Repeated Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when the following conditions are met:

• The same malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.

• The number of detections of the same malware meets the specified number of detections in the alert configuration.

• The number of detections occurred within the interval specified in the alert configuration.

Default trigger threshold when enabled:

• No parent collections are specified by default

• Number of the same malware detected: 4

• Interval: 24 hours

Alert type: Multiple Malware Detection Alerts

Description: After the alert is created, an alert of this type is triggered when the following conditions are met:

• Multiple types of malware are detected on a computer that is a member of the specified parent collection, or one of its child collections.

• The number of malware detected meets the specified number of detections in the alert configuration.

• The number of detections occurred within the interval specified in the alert configuration.

Default trigger threshold when enabled:

• No parent collections are specified by default

• Number of malware types detected: 4

• Interval: 24 hours

To create and configure per-collection alerts

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then expand Alerts.

2. Click one of the per-collection alerts (Malware Detection, Repeated Malware Detection or

Multiple Malware Detection), and then in the Actions pane, click the New action.

3. To configure the alert, set the options you need according to the following table.

Alert name: Malware Detection Alert

• Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

• Select detection level: Specifies the computer state that can trigger an alert. Valid detection levels are described in the following list:

    • High: Malware is detected—The alert is triggered when there are one or more computers in the specified collection on which any malware is detected, regardless of the action taken by the Forefront Endpoint Protection client.

    • Medium: Action is required—The alert is triggered when there are one or more computers in the specified collection on which malware is detected and manual action is required on the Forefront Endpoint Protection client in order to complete the malware removal.

    • Low: Malware is active—The alert is triggered when there are one or more computers in the specified collection on which malware is detected and is still active.

Alert name: Repeated Malware Detection Alert

• Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

• Number of the same malware detected: Specifies the number of detections of the same malware on a computer that is a member of the specified parent collection, or one of its child collections.

• Interval: Specifies the interval during which the number of detections must occur.

Alert name: Multiple Malware Detection Alerts

• Enter parent collection: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.

• Number of malware types detected: Specifies the number of different types of malware that must be detected on a computer that is a member of the specified parent collection, or one of its child collections.

• Interval: Specifies the interval during which the number of detections must occur.

4. For all alerts, in the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.

5. When finished, click OK.

Important:

You must enable the e-mail settings in Configuration Manager before Forefront Endpoint

Protection will send e-mail notifications.
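A model of the alert thresholds and detection levels described above, run against constructed detection records, as an added example that is not part of the FEP documentation. FEP evaluates the real alerts on the server from client state messages; this script only reproduces the decision logic (24-hour interval, per-collection scope including child collections, and the High/Medium/Low detection levels), and the collection hierarchy, computer names and malware names are all constructed.

```powershell
# Added example, not from the FEP documentation: reproduces the alert decision
# logic described above against constructed detection records so that threshold
# and detection-level settings can be reasoned about before they are changed.
$now = Get-Date '2011-03-01 12:00'   # evaluation time for the constructed data

function New-Detection($Computer, $Collection, $Malware, $State, $HoursAgo) {
    New-Object PSObject -Property @{
        Computer   = $Computer
        Collection = $Collection
        Malware    = $Malware
        State      = $State     # constructed states: Cleaned, ActionRequired or Active
        Time       = $now.AddHours(-$HoursAgo)
    }
}

# Collection hierarchy (assumed): Sales has the child collection Sales-EMEA.
$childCollections = @{ 'Sales' = @('Sales-EMEA') }
function Get-MonitoredCollections([string]$Parent) {
    $Parent
    foreach ($child in @($childCollections[$Parent])) {
        if ($child) { Get-MonitoredCollections $child }
    }
}

# Constructed sample records (not real telemetry).
$detections = @(
    # the same sample four times on one computer within 24 hours
    1..4 | ForEach-Object { New-Detection 'PC-01' 'Sales-EMEA' 'Trojan:Win32/SampleA' 'Cleaned' $_ }
    # a fifth, older hit that falls outside the 24-hour interval and must not count
    New-Detection 'PC-01' 'Sales-EMEA' 'Trojan:Win32/SampleA' 'Cleaned' 30
    # four different samples on one computer, one needing manual action and one still active
    New-Detection 'PC-02' 'Sales' 'Trojan:Win32/SampleA' 'Cleaned' 2
    New-Detection 'PC-02' 'Sales' 'Worm:Win32/SampleB' 'Cleaned' 3
    New-Detection 'PC-02' 'Sales' 'Virus:Win32/SampleC' 'ActionRequired' 5
    New-Detection 'PC-02' 'Sales' 'Backdoor:Win32/SampleD' 'Active' 6
    # one sample on 100 distinct computers in a collection that no per-collection alert monitors
    1..100 | ForEach-Object { New-Detection "LAB-$_" 'Lab' 'Worm:Win32/SampleB' 'Cleaned' 1 }
)

function Test-FepAlerts {
    param(
        $Detections,
        [string]$ParentCollection = 'Sales',
        [string]$DetectionLevel   = 'High',   # High, Medium or Low, as defined above
        [int]$OutbreakThreshold   = 100,      # Malware Outbreak Alert default
        [int]$RepeatThreshold     = 4,        # Repeated Malware Detection default
        [int]$MultipleThreshold   = 4,        # Multiple Malware Detection default
        [int]$IntervalHours       = 24
    )
    $alerts = @()
    $recent = @($Detections | Where-Object { $_.Time -ge $now.AddHours(-$IntervalHours) })

    # Malware Outbreak Alert is global: distinct computers per malware across all collections.
    foreach ($g in ($recent | Group-Object Malware)) {
        $computers = @($g.Group | Select-Object -ExpandProperty Computer -Unique)
        if ($computers.Count -ge $OutbreakThreshold) {
            $alerts += "Malware Outbreak: $($g.Name) on $($computers.Count) computers"
        }
    }

    # The three per-collection alerts look only at the parent collection and its children.
    $monitored = @(Get-MonitoredCollections $ParentCollection)
    $inScope   = @($recent | Where-Object { $monitored -contains $_.Collection })

    # Malware Detection Alert: High counts any detection, Medium only ActionRequired, Low only Active.
    $requiredState = @{ High = $null; Medium = 'ActionRequired'; Low = 'Active' }[$DetectionLevel]
    $matching = @($inScope | Where-Object { $null -eq $requiredState -or $_.State -eq $requiredState })
    $hits = @($matching | Select-Object -ExpandProperty Computer -Unique)
    if ($hits.Count -gt 0) {
        $alerts += "Malware Detection ($DetectionLevel): $($hits -join ', ')"
    }

    # Repeated Malware Detection Alert: the same malware on the same computer N times in the interval.
    foreach ($g in ($inScope | Group-Object Computer, Malware)) {
        if ($g.Count -ge $RepeatThreshold) {
            $alerts += "Repeated Malware Detection: $($g.Name), $($g.Count) detections"
        }
    }

    # Multiple Malware Detection Alert: N different malware types on one computer in the interval.
    foreach ($g in ($inScope | Group-Object Computer)) {
        $types = @($g.Group | Select-Object -ExpandProperty Malware -Unique)
        if ($types.Count -ge $MultipleThreshold) {
            $alerts += "Multiple Malware Detection: $($g.Name), $($types.Count) malware types"
        }
    }
    $alerts
}

Test-FepAlerts -Detections $detections                      # defaults from the table above
Test-FepAlerts -Detections $detections -DetectionLevel Low  # same data, only Active states count
```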

To enable and configure the global Malware Outbreak alert

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then expand Alerts.

2. Click Malware Outbreak Alert, and then in the details pane, double-click Malware Outbreak

Alert.

3. In the Malware Outbreak Alert Properties dialog box, select the Enable alert check box.

4. Next to Number of computers with the same malware detected, type the number of

computers on which the same malware must be detected in order to trigger this alert.

5. In the When an alert is raised, send an e-mail message to the following recipients box, type

an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat

this step.

6. When finished, click OK.

To configure e-mail settings

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, expand Forefront Endpoint

Protection, and then click Alerts.

2. In the Actions pane, click E-mail Settings.

3. To enable alerts to be sent by e-mail, select the E-mail alert notification check box.

4. In the SMTP Server box, type the fully qualified domain name (FQDN) of your SMTP server.

If your SMTP server uses a port other than the default port, in the Port box, type or select the port

number.

5. Under Authentication method, select the option for the credential type to use to

authenticate the connection to the SMTP server.

Important:

It is recommended that you use Integrated Windows Authentication as the authentication

method. When you choose Integrated Windows Authentication, the computer account of the FEP

server is used to authenticate to the SMTP server. Otherwise, you must ensure that the selected credentials exist on the specified SMTP server for authentication to succeed.

To view the service credentials, in Windows Services, right-click Forefront Endpoint Protection

Monitoring Service, click Properties, and then click Log On.

6. In the E-mail from address box, type the e-mail address from which Forefront Endpoint

Protection alerts are sent, and then click OK.

Note:

To test the SMTP settings, instead of clicking OK, click Test and Close. This adds a test e-mail to

the e-mail queue that is periodically processed by the Forefront Endpoint Protection Monitoring

Service.

To view alerts in the Windows Event Viewer

1. In the Windows Event Viewer, expand Applications and Services Logs, and then click

Forefront Endpoint Protection.

2. Double-click the alert you want to view.

Using Desired Configuration Management to Monitor Client Compliance

Forefront Endpoint Protection (FEP) includes Desired Configuration Management (DCM)

configuration baselines. DCM, a feature of System Center Configuration Manager, allows you to

assess computer configuration against configuration baselines. To learn more about DCM and

configuring baselines, see Desired Configuration Management in Configuration Manager

(http://go.microsoft.com/fwlink/?LinkId=206684) in the Configuration Manager documentation.

FEP provides the following predefined configuration baselines:

Note:

All FEP baselines are read-only.

• FEP - High-Security Desktop

• FEP - Laptop

• FEP - Performance-Optimized Desktop

• FEP - Standard Desktop

By default, these baselines are not assigned to collections. In order to see the summary results of

these baselines or any custom baselines you create and assign to the FEP dashboard, you must assign

them to a collection and then run a DCM Home Page Summarization from the DCM home page in the

Configuration Manager console. For more information about using the DCM home page, see How to

Use the Desired Configuration Management Home Page

(http://go.microsoft.com/fwlink/?LinkId=207094) in the Configuration Manager documentation.

Warning:

The following configuration baselines are used by the FEP dashboard, and you must not modify

the collections to which they are assigned:

• FEP Monitoring - Antimalware Status

• FEP Monitoring - Definitions and Health Status

• FEP Monitoring - Malware Activity

• FEP Monitoring - Malware Detections

Important:

In order to use DCM in Configuration Manager, you must enable DCM on the Configuration

Manager client agent. For more information about how to do this, see How to Enable or Disable

the Desired Configuration Manager Client Agent

(http://go.microsoft.com/fwlink/?LinkId=206661) in the Configuration Manager documentation.

Managing FEP DCM Baselines

Because FEP DCM baselines are read-only, you cannot directly modify the configuration items or

rules from which they are composed. If you need to add additional configuration items or rules to a

FEP baseline, you must first duplicate the target baseline and then edit the new baseline.

Note:

If you need to reduce the amount of time it takes to update information generated by a baseline

and displayed in the Forefront Endpoint Protection dashboard, you can modify the schedule of

the baseline assignment that generates that data. However, modifying the schedule of a built-in

baseline assignment could adversely impact the performance of your Configuration Manager

server.

For more information about how to modify the schedule of an assigned baseline, see How to Set

the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration

Management (http://go.microsoft.com/fwlink/?LinkId=206696) in the Configuration Manager

documentation.

To duplicate a FEP baseline

1. In the Configuration Manager console, in the tree, expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand Desired

Configuration Management, and then click Configuration Baselines.

2. In the details pane, right-click the configuration baseline you want to duplicate, and then

click Duplicate.

After you duplicate the desired FEP baseline, you can edit it by right-clicking the duplicated baseline

and clicking Properties.

For more information about implementing customized DCM baselines, see the following topics in the

Configuration Manager documentation:

• How to Configure Configuration Items for Desired Configuration Management

(http://go.microsoft.com/fwlink/?LinkId=206685)

• How to Modify a Configuration Baseline in Desired Configuration Management

(http://go.microsoft.com/fwlink/?LinkId=206687)

• How to Manage Configuration Baselines and Configuration Items for Desired Configuration

Management (http://go.microsoft.com/fwlink/?LinkId=206688)

The FEP dashboard contains a list of baselines that are assigned to the category *FEP*. When you

duplicate a baseline, this category field is also duplicated. You can assign any baseline to the *FEP*

category and have its statistics appear in the FEP dashboard.

To assign a category to a baseline

1. In the Configuration Manager console, in the tree, expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand Desired

Configuration Management, and then click Configuration Baselines.

2. In the details pane, right-click the configuration baseline you want to categorize, and then click Properties.

3. In the baseline properties dialog box, on the General tab, click the Categories button, and then in the Available categories list, select the check box next to FEP, and then click OK.

4. In the baseline properties dialog box, click OK.

To see the new baseline in the FEP dashboard after you assign it to a collection, open the FEP dashboard and, in the Actions pane, click Refresh.

Warning:

Configuration baseline rules should contain no more than 300 software updates. If you create a

rule with more than 300 software updates, the baseline to which the rule is assigned does not

evaluate the client computers correctly. For more information, see Microsoft Knowledge Base

article 937532 (http://go.microsoft.com/fwlink/?LinkId=207668).

Monitoring Baseline Compliance

FEP configuration baselines are composed of configuration items that are monitored and the rules

that define compliance. The configuration baselines are assigned to computers you want to monitor

by using collections and are evaluated both on a schedule and when a security incident (such as a

malware detection) occurs.

Note:

By default, no baselines are assigned to collections. In order to see baseline results in the FEP

dashboard, you must assign a baseline to a collection.

Client computers can have multiple configuration baselines assigned to them, which provides you

with a high level of control.

To assign a FEP baseline to a collection

1. In the Configuration Manager console, in the tree, expand System Center Configuration

Manager, expand Site Database, expand Computer Management, expand Desired

Configuration Management, and then click Configuration Baselines.

Tip:

To limit the list to FEP configuration baselines, in the Look for box, enter the following text, and

then click Find Now:

FEP

2. Right-click the configuration baseline you want to assign, and then click Assign to a

Collection.


The Assign Configuration Baseline Wizard opens.

3. On the Choose Baselines page, click Next.

4. On the Choose Collection page, click Browse, choose a collection, click OK, and then click

Next.

5. On the Set Schedule page, configure how frequently you want the Configuration Manager

client agent to evaluate compliance to the baseline. When finished, click Next.

Warning:

When setting the schedule for a baseline, you should consider how much impact the data

reporting may have on your Configuration Manager server.

6. On the Summary page, review the Details, and then click Next.

7. On the Wizard Completed page, click Close.

After you assign a baseline to a collection, the client computers in the collection evaluate their

compliance against each configuration baseline to which they are assigned, and immediately report

back the results to the site. If a client is not currently connected to the network, but has downloaded

the configuration items referenced in its assigned configuration baselines, the compliance

information will be sent on reconnection.

You can monitor the results of configuration baseline evaluation compliance from the FEP

dashboard.

Note:

Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals

and may not reflect the most recent information.

To monitor the results of the configuration baseline evaluation compliance

1. In the Configuration Manager console, expand System Center Configuration Manager,

expand Site Database, expand Computer Management, and then click Forefront Endpoint

Protection.

2. In the details pane, in the Forefront Endpoint Protection Baselines area, you can see the

compliance results of the built-in Forefront Endpoint Protection configuration baselines. The

following list summarizes the meaning of the columns:

• Baseline—The name of the FEP configuration baseline.


• Severity—The severity level configured in the configuration item if non-compliance is

reported or if the configuration item is not present on the client computer.

• Assigned—The number of computers that are assigned to the configuration baseline.

• Non-compliant—The number of computers that report a non-compliance status with

the selected baseline.

• Compliance—The number of computers that report a compliance status with the

selected baseline.

• Failed—The number of computers that report a failure evaluating their compliance

status with the selected baseline.

• Compliance Level (a percentage)—The number of computers that report a compliance status with the selected baseline, divided by the number of computers assigned the configuration baseline, expressed as a percentage. Computers whose evaluation failed, or that have not reported yet, are counted in Assigned but not in Compliance, so they lower the level.

Periodically viewing these results allows you to ascertain the overall compliance of computers in your

organization.

3. To view detail in the summary report of a configuration baseline, in the Forefront Endpoint

Protection Baselines area, click the link of the configuration baseline you want to view.

4. To view more detail in the report, next to each line for which you want to view more detail,

click the arrow icon.

Tip:

You can also view the compliance status of a baseline on a client computer. In the Control Panel,

open Configuration Manager, and then click the Configurations tab. Click Evaluate to run a

baseline compliance check, or click View Report to see the results of a selected compliance

report.
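The dashboard columns described above, worked through as an added example (this is not code from the page or from Forefront Endpoint Protection): raw per-computer compliance reports are reduced to the latest report per computer and baseline, then rolled up into the Assigned, Compliant, Non-compliant, Failed and Compliance Level columns. The sample reports, computer names and the None state for a client that has not reported yet are constructed for the example.

```python
from dataclasses import dataclass

# Constructed DCM compliance reports for two FEP baselines (not real site data).
# Each row: (baseline, computer, report time as ISO text, state). State is "Compliant",
# "Non-compliant" or "Failed"; a computer that is assigned the baseline but has not
# reported yet (for example it is offline and reports on reconnection) has state None.
SAMPLE_REPORTS = [
    ("FEP - Standard Desktop", "PC01", "2011-03-01T08:00", "Non-compliant"),
    ("FEP - Standard Desktop", "PC01", "2011-03-02T08:00", "Compliant"),  # newer report wins
    ("FEP - Standard Desktop", "PC02", "2011-03-02T08:05", "Compliant"),
    ("FEP - Standard Desktop", "PC03", "2011-03-02T08:10", "Non-compliant"),
    ("FEP - Standard Desktop", "PC04", "2011-03-02T08:15", "Failed"),
    ("FEP - Standard Desktop", "PC05", None, None),
    ("FEP - Laptop", "LT01", "2011-03-02T09:00", "Compliant"),
    ("FEP - Laptop", "LT02", "2011-03-02T09:00", "Compliant"),
    ("FEP - Laptop", "LT03", "2011-03-02T09:00", "Non-compliant"),
]


@dataclass
class BaselineRow:
    """One row of the Forefront Endpoint Protection Baselines area of the dashboard."""
    baseline: str
    assigned: int = 0
    compliant: int = 0
    non_compliant: int = 0
    failed: int = 0

    @property
    def compliance_level(self) -> float:
        # Compliant divided by Assigned, as a percentage. Failed evaluations and computers
        # that have not reported are in Assigned but not in Compliant, so they lower the
        # level rather than dropping out of it.
        return round(100.0 * self.compliant / self.assigned, 1) if self.assigned else 0.0


def latest_state_per_computer(reports):
    """Keep only the most recent report for each (baseline, computer) pair, since the
    dashboard reflects the last status a client reported, not its history."""
    latest = {}
    for baseline, computer, when, state in reports:
        key = (baseline, computer)
        if key not in latest or (when or "") > (latest[key][0] or ""):
            latest[key] = (when, state)
    return latest


def summarize(reports):
    """Build the dashboard rows (one per baseline) from raw compliance reports."""
    rows = {}
    for (baseline, _computer), (_when, state) in latest_state_per_computer(reports).items():
        row = rows.setdefault(baseline, BaselineRow(baseline))
        row.assigned += 1
        if state == "Compliant":
            row.compliant += 1
        elif state == "Non-compliant":
            row.non_compliant += 1
        elif state == "Failed":
            row.failed += 1
    return rows
```

With the sample data, FEP - Standard Desktop shows 5 assigned, 2 compliant, 1 non-compliant, 1 failed and a 40.0% compliance level: the failed evaluation and the unreported computer pull the level down even though only one computer is actually non-compliant, which is why a low level should be read together with the Failed column before concluding that clients are misconfigured.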

FEP 2010 Security Management Pack Monitoring

You can monitor the client computers that run the FEP client software in a variety of ways. The

monitoring mechanisms of Forefront Endpoint Protection Security Management Pack are

summarized in the following table.

Object classes: Classes identify all FEP protected and FEP unprotected clients. For information about FEP classes, see Object Classes.

Discovery: Discovery is the way objects are identified by Operations Manager. For information about FEP discovery, see About Discovery.

Rules: Rules perform designated operations. For example, rules can raise alerts when security incidents occur. For more information about FEP rules, see About Rules.

Monitors: Monitors are event-driven mechanisms that collect information about vulnerabilities and the security state of FEP clients. For more information about FEP monitors, see About Monitors.

Views: Views display health states of clients, as well as alerts and events. For more information about FEP views, see About Views.

Alerts: Alerts can indicate whether there is an issue in your environment. For more information about FEP alerts, see About Alerts.

Tasks: Tasks trigger on-demand actions that are required for fixing vulnerabilities and the security state of FEP clients. For more information about FEP tasks, see About Tasks.

Viewing Endpoint Properties

There are two ways to view endpoint information; by using the Health Explorer and by viewing the

Details pane. If you want to view multiple properties for the same endpoint, the Details pane is the

easiest way to view these properties. However, it is important to note that the Health Explorer and

the Detail View pane are populated via different mechanisms. Properties viewed through the Health

Explorer are delivered by monitors and alerts, which are event driven. Properties viewed by using the

Detail View pane are discovery driven. This means that information that is viewed through Health

Explorer for a selected endpoint can reflect different property values than viewing the same

information by using the Detail View pane. For example, if an event occurs after the property

information is refreshed by discovery, the Health Explorer will display the latest updated information

for that property. The Detail View pane will not receive updated property information until the next

time discovery runs.

For more information about FEP monitors, see About Monitors. For more information about FEP

discovery, see About Discovery.

Page 128: Forefront Endpoint Protection

Operations

Page number 127

Monitoring Cluster Nodes

The Forefront Endpoint Protection client software is not cluster aware. Although it is possible to view

all nodes through Operations Manager, the passive node of a cluster cannot be monitored by using

the Forefront Endpoint Protection Security Management Pack.

Security Considerations

All discoveries, monitors, tasks and rules contained in the FEP Security Management pack run under

the Operations Manager default action account. The Operations Manager default account must be

set to run as Local System Account (LSA) in order to allow tasks to properly launch. For more

information about accounts, see Account Information for Operations Manager 2007

(http://go.microsoft.com/fwlink/?LinkId=206963). For more information about Run As Accounts and

Run As Profiles, see Run As Accounts and Run As Profiles in Operations Manager 2007

(http://go.microsoft.com/fwlink/?LinkId=206964).

Run As Profiles

The FEP Security Management Pack discoveries, monitors, and rules run under the default action

account and cannot be changed.

Low-Privilege Environments

The Forefront Endpoint Protection Security Management Pack does not support low-privilege

Operations Manager Agent deployments.

Health Rollup

Health Rollup Diagram

The following diagram displays the health rollup of the FEP Security Management Pack.


Object Classes

Each monitored object that appears in the Operations console is an instance of a particular class. The

Forefront Endpoint Protection Security Management Pack contains the following seven classes:

• Protected Server Candidate

• Protected Server

• Unprotected Server

• Antimalware Engine

• Malware Activity

• Antimalware Definitions

• Protected Servers Watcher

The diagram below outlines the object classes and the corresponding object class relationships.


About Discovery

In Operations Manager, the Discovery Wizard can be used to define a query. However, the FEP 2010 Security Management Pack is preconfigured to target Microsoft.Windows.Server.Computer. This query returns True if the FEP 2010 client is installed on a computer that is running a server operating system. If you also want to target computers that are running client operating systems, you must configure Operations Manager to target those computers.

Objects the FEP Security Management Pack Discovers

The FEP Security Management Pack discovers the object types described in the following table. Not all of the objects are automatically discovered. Use overrides to discover the object types that are not discovered automatically. For more information about how to configure discovery to target computers running client operating systems, see Configuring Client Discovery.

Server Discovery: Microsoft.Windows.Server.Computer (discovered automatically: Yes)

Client Computer Discovery: Microsoft.Windows.Client.Computer (discovered automatically: No)

Discovery intervals

By default, FEP object discovery is configured to run at specified intervals. As such, it is possible that

clients will not reflect updated properties in the Details pane when viewed in the console. You can

override the default discovery interval, but it is recommended that you use caution when setting

discovery interval configurations as running discovery more frequently can impact performance.

The following table shows the default discovery intervals.

Object Default discovery (hours)

Protected Server Candidate Discovery 8

Protected Client Candidate Discovery 8

Protected Endpoint Discovery 24

Object properties

The discovery process returns information that is then displayed in the Operations Manager console.

Details for selected endpoints can be viewed in the Operations Manager console Monitoring view.


The following table shows the properties for discovered endpoints that are running the FEP client

software.

Protected Endpoint properties Additional information

Client version

Antimalware engine status

Real-time protection status

Real-time protection scan direction

NIS status Supported only by Windows Vista with SP1 or later

Windows Firewall status

Antivirus definitions version

Antispyware definitions version

NIS definitions version

Antivirus definitions age (days)

Antivirus definitions creation (GMT)

Antispyware definitions age (days)

Antispyware definitions creation (GMT)

Last quick scan age (days)

Last quick scan start time (GMT)

Last quick scan end time (GMT)


Last full scan age (days)

Last full scan start time (GMT)

Last full scan end time (GMT)

Definitions download location

Policy name

Policy set date

Failed policy name

Failed policy date

Policy failure details

Installation pending restart

Computer ID

The following table shows the properties for discovered endpoints that are not running the FEP client

software.

Unprotected Endpoint properties Additional information

Operating System Name

Deployment State

Deployment State More Information

ComputerID

About Views

In Operations Manager 2007, views are groups of managed objects that have a defined commonality. When you select a view, a query is sent to the Operations Manager database and the results of the query are displayed in the results pane. For more information about Operations Manager 2007 views, see Creating views (http://go.microsoft.com/fwlink/?LinkId=207057).

The Forefront Endpoint Protection Security Management Pack contains the following five views.

• Active Alerts: Displays all active alerts.

• Dashboard: Displays all protected endpoints and all active alerts.

• Endpoints with FEP: Displays all endpoints that have the FEP client software installed.

• Endpoints without FEP: Displays endpoints that do not have the FEP client software installed.

• Security Events: Displays all security events from endpoints that have the FEP client software installed.

About Monitors

Monitors use captured data in order to determine the health state of an object. The monitor then

displays the state of the object (Healthy, Warning, or Critical). Additionally, FEP monitors can also

generate alerts. Information that is displayed by monitors is event-driven. The FEP Security

Management Pack contains four types of monitors: Vulnerability, Security State, Overall Health, and

Deployment. For more information about FEP Security Management Pack monitors, see Security

Management Pack Monitors.

Security Management Pack Monitor Types

Vulnerability monitors

Vulnerability monitors track the settings and dynamic statuses of FEP clients. These monitors can be

used to identify possible security vulnerabilities. The FEP Security Management Pack contains the

following Vulnerability monitors:

• Antimalware Engine

• Antimalware Definitions Age

• Antimalware Definitions

• Vulnerability Protection

• Real-time Protection

• Windows Firewall

Security State monitors

FEP Security State monitors monitor the security state of FEP clients. The FEP Security Management

Pack contains the following Security State monitors:

• Active Malware

• Additional Actions Pending

Overall Health monitor

The FEP Overall Health monitor reflects the overall health of all protected systems running FEP client

software. This monitor is not visible, but is used to generate alerts when the overall health of

monitored protected clients is unsatisfactory. The FEP Security Management Pack contains the

following Overall Health Monitor:

• Malware Outbreak

Deployment monitor

The FEP Deployment monitor reflects the deployment status of protected and unprotected clients.

This monitor can be viewed in the Endpoints without FEP view. The FEP Security Management Pack

contains the following Deployment monitor:

• Deployment Failure

Monitoring Using Overrides

Overriding a Monitor

You can use overrides to refine the settings of a monitoring object. As you fine-tune your monitors,

you can reduce the amount of alerts. However, overriding monitors should be done with caution as

you may override settings that are necessary in order to help you keep your environment secure.

Overrides can be used to adjust the configuration of Operations Manager monitoring settings for FEP

Security Management Pack monitors, attributes, object discoveries, and rules. For more information

about FEP monitors, see About Monitors.

When you create an override, you can apply it to a single managed object or to a group of managed

objects. You must have Advanced Operator user rights in order to create and edit overrides. After

you configure override settings, the Effective Value column will display the settings that the override

will enforce.

For more information about how to monitor by using overrides, see How to Monitor Using Overrides

(http://go.microsoft.com/fwlink/?LinkId=206722).

To override a monitor

1. In the Operations console, click the Authoring button.

2. In the Authoring pane, expand Management Pack Objects, and then click Monitors.

3. In the Details pane, expand an object type completely, and then click a monitor.


4. On the Operations Manager toolbar, click Overrides, and then point to Override the

Monitor. You can choose to override this monitor for objects of a specific type or for all

objects within a group. After you choose which group of object type to override, the

Override Properties dialog box opens, enabling you to view the default settings contained in

this monitor. You can then choose whether to override each individual setting contained in

the monitor.

Note:

If the Overrides button is not available, make sure you have selected a monitor and not a

container object in the Monitors pane.

5. Select each setting that you want to override. When you complete your changes, click OK.
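The Vulnerability monitors listed under Security Management Pack Monitor Types and the override procedure above, as an added example (this is not the management pack's own code): each monitor has default parameters, an override can target a single object or a group, the Effective Value is the most specific override that sets the parameter, and the endpoint state rolls up from the worst monitor state. The Endpoint fields are the discovered Protected Endpoint properties; the day thresholds, the group name and the Warning/Critical mapping for each monitor are assumptions made for this example, since the page does not state the shipped values.

```python
from dataclasses import dataclass

# Health states as Operations Manager rolls them up: the worst child state wins.
HEALTHY, WARNING, CRITICAL = "Healthy", "Warning", "Critical"
_SEVERITY = {HEALTHY: 0, WARNING: 1, CRITICAL: 2}


@dataclass
class Endpoint:
    """Subset of the Protected Endpoint properties that discovery returns."""
    name: str
    group: str                    # group the endpoint belongs to; an override can target it
    engine_enabled: bool          # Antimalware engine status
    rtp_enabled: bool             # Real-time protection status
    firewall_enabled: bool        # Windows Firewall status
    av_definitions_age_days: int  # Antivirus definitions age (days)


# Default parameters of four Vulnerability monitors. The day thresholds are assumptions
# made for this example; the page does not state the management pack's shipped values.
MONITOR_DEFAULTS = {
    "Antimalware Engine":          {"Enabled": True},
    "Real-time Protection":        {"Enabled": True},
    "Windows Firewall":            {"Enabled": True},
    "Antimalware Definitions Age": {"Enabled": True, "WarningDays": 3, "CriticalDays": 7},
}


def effective_value(monitor, param, endpoint, overrides):
    """Resolve the Effective Value of one monitor parameter for one endpoint.

    overrides maps (monitor, target) -> {param: value}; target is either an endpoint
    name (a single managed object) or a group name (a group of managed objects).
    An override on the object beats one on its group, which beats the default.
    """
    for target in (endpoint.name, endpoint.group):
        params = overrides.get((monitor, target), {})
        if param in params:
            return params[param]
    return MONITOR_DEFAULTS[monitor][param]


def evaluate(endpoint, overrides=None):
    """Return (state per enabled monitor, rolled-up endpoint state)."""
    overrides = overrides or {}

    def ev(monitor, param):
        return effective_value(monitor, param, endpoint, overrides)

    states = {}
    if ev("Antimalware Engine", "Enabled"):
        states["Antimalware Engine"] = HEALTHY if endpoint.engine_enabled else CRITICAL
    if ev("Real-time Protection", "Enabled"):
        states["Real-time Protection"] = HEALTHY if endpoint.rtp_enabled else CRITICAL
    if ev("Windows Firewall", "Enabled"):
        states["Windows Firewall"] = HEALTHY if endpoint.firewall_enabled else WARNING
    if ev("Antimalware Definitions Age", "Enabled"):
        age = endpoint.av_definitions_age_days
        if age >= ev("Antimalware Definitions Age", "CriticalDays"):
            states["Antimalware Definitions Age"] = CRITICAL
        elif age >= ev("Antimalware Definitions Age", "WarningDays"):
            states["Antimalware Definitions Age"] = WARNING
        else:
            states["Antimalware Definitions Age"] = HEALTHY
    # A monitor disabled by override contributes no state, so it can never make the
    # endpoint unhealthy: this is the risk the page warns about when overriding monitors.
    overall = max(states.values(), key=_SEVERITY.__getitem__, default=HEALTHY)
    return states, overall
```

The last line is the point of the warning in Overriding a Monitor: setting Enabled to False on the Windows Firewall monitor for a server group silences the alerts, but it also removes the firewall from the rollup, so a server with the firewall off reports Healthy. Tightening a threshold for one group (a lower CriticalDays for servers that must never run on stale definitions) is the safer kind of override.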

About Rules

A rule collects data from various sources and then stores that data in the Operations and Data

Warehouse databases. The collected data is then made available for reporting purposes. The FEP

Security Management Pack rules not only collect data, they can also generate alerts. The FEP Security

Management Pack contains the following rules:

• Generate Cleaned Malware Alert Rule

• Generate Repeated Infection Alert Rule

• Collect Security Events Rule

To locate rule details in the Operations console

1. Open the Operations console.

2. Click the Authoring section.

3. Expand Authoring, expand Management Pack Objects, and then click Rules. There may be

multiple management packs imported to Operations Manager. Click the Management Pack

column heading to sort the rules by management pack.

4. Double-click a rule to view. On the General tab, the Rule Name field lists the rule name.

5. Click the Configuration tab, and then in the Data sources area, click View. The information

will vary, depending on the type of rule. The information may be a schedule or an interval.

Rules that collect performance data obtain the data from Performance counters. As such, the

minimum and maximum values are specific to the counter rather than the rule. To view the

parameters that you can configure by using overrides, continue to the next step in this

procedure.

6. In the Properties dialog box for the rule, click the Overrides tab.


7. In the Override one or more parameters of this rule through overrides section, click

Override.

8. Select For all objects of type. Override Properties displays the parameters and values that

you can configure.
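The two alert-generating rules listed above, together with the Malware Outbreak monitor from Security Management Pack Monitor Types, replayed over a stream of detection events as an added example (this is not the management pack's own rule logic). The events, computer and malware names are constructed; the repeat threshold, the outbreak threshold and the 24-hour windows are assumptions, because the page does not state the values the rules use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

HEALTHY, CRITICAL = "Healthy", "Critical"

# Constructed FEP malware detection events (not real client data).
# Each row: (time, computer, malware name, action the client took).
SAMPLE_EVENTS = [
    ("2011-03-02 08:00", "PC01", "Win32/Example.A", "Cleaned"),
    ("2011-03-02 09:30", "PC01", "Win32/Example.A", "Cleaned"),
    ("2011-03-02 11:00", "PC02", "Win32/Example.B", "Quarantined"),
    ("2011-03-02 12:15", "PC01", "Win32/Example.A", "Cleaned"),   # third hit on PC01 in 24 h
    ("2011-03-02 13:00", "PC03", "Win32/Example.B", "Quarantined"),
    ("2011-03-03 15:00", "PC01", "Win32/Example.C", "Cleaned"),   # earlier PC01 hits have aged out
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def run_rules(events, repeat_threshold=3, repeat_window=timedelta(hours=24)):
    """Replay detection events through the two alert-generating rules.

    Returns (rule name, computer, malware, time) tuples. The repeat threshold and
    window are assumptions for this example; the page does not give the rule's values.
    """
    alerts = []
    recent = defaultdict(deque)  # computer -> detection times still inside the window
    for ts, computer, malware, action in sorted(events):
        when = _parse(ts)
        if action == "Cleaned":
            alerts.append(("Generate Cleaned Malware Alert Rule", computer, malware, when))
        hits = recent[computer]
        hits.append(when)
        while when - hits[0] > repeat_window:
            hits.popleft()
        # Alert once, when the count reaches the threshold, not again on every later hit.
        if len(hits) == repeat_threshold:
            alerts.append(("Generate Repeated Infection Alert Rule", computer, malware, when))
    return alerts


def malware_outbreak_state(events, outbreak_threshold=3, window=timedelta(hours=24)):
    """Overall Health monitor: Critical once at least outbreak_threshold distinct
    computers report a detection inside one sliding window, otherwise Healthy.
    The threshold and window are assumptions for this example."""
    active = deque()  # (time, computer) pairs inside the window
    for when, computer in sorted((_parse(ts), c) for ts, c, _m, _a in events):
        active.append((when, computer))
        while when - active[0][0] > window:
            active.popleft()
        if len({c for _t, c in active}) >= outbreak_threshold:
            return CRITICAL
    return HEALTHY
```

On the sample events every Cleaned action raises a Cleaned Malware alert, PC01 raises a single Repeated Infection alert on its third detection within the window (a repeatedly cleaned machine is the usual sign that the dropper was never removed), and three distinct computers detecting malware in the same day trip the outbreak state. Because the rules are event driven, they fire even when the Detail View pane still shows the endpoint's pre-infection discovery data, which is the Health Explorer versus Detail View difference described under Viewing Endpoint Properties.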

About Alerts

An alert is an indication of an issue that has occurred somewhere in your environment.

Operations Manager 2007 displays FEP alerts in the Operations console in the Active Alerts view.

For information about investigating and resolving alerts, see Investigating and Resolving Alerts

(http://go.microsoft.com/fwlink/?LinkId=207074).

About Tasks

You can manually initiate tasks in order to troubleshoot individual alerts. Tasks are accessed from

the Actions pane in the System Center Operations Manager console. For a list of FEP Security

Management Pack tasks, see Security Management Pack Tasks.

Note:

The Operations Manager Web console does not support console tasks. For example, if you

want to initiate an RDP connection to a client, you must use the Operations Manager console.

You may also want to override the default settings for specific tasks. For example, when running

the Update Antimalware Definitions task, definitions will be updated based on the policy

settings that apply to the target client. You can override the default task parameters and specify

that definitions can be updated only via the UNC file share that is specified in the policy settings

for the client.

Warning:

If you run a task that conflicts with Group Policy settings that have been configured for the

target client, the conflicting configuration settings specified by the task will be overwritten by

Group Policy settings on the client. For example, if you run the task Turn Windows Firewall

On and Group Policy settings specify to disable Windows Firewall on that client, Windows

Firewall will not be enabled, even though the task reports a success status.

To view a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint

Protection. Select a view from the tree, and then locate the endpoint for which you want to

see available associated tasks.


2. Click the endpoint in order to highlight it.

3. In the Protected Endpoint Tasks section of the Actions pane, view the tasks available for the

selected endpoint.

Note:

If the Actions pane is not displayed, click Actions in order to display it.

To view available overrides for a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint

Protection. Select a view from the tree, and then locate the endpoint for which you want to

see available associated tasks and task overrides.

2. Click the endpoint in order to highlight it.

3. In the Protected Endpoint Tasks section of the Actions pane, click the task for which you

want to view available overrides.

4. In the Run Task dialog box, verify the selected target is correct, and then click Override in

order to view available override settings for the task.

5. When you are finished viewing the available task overrides, click Cancel to close Override

Task Parameters, and then click Cancel.

To run a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint

Protection. Select a view from the tree, and then locate the endpoint on which you want to

run a task.

2. Click the endpoint in order to highlight it.

3. In the Protected Endpoint Tasks section of the Actions pane, click the task that you want to

run.

Warning:

It is recommended that you use caution when selecting the Turn Windows Firewall On task.

Turning on Windows Firewall may impact roles and workloads that are running on servers.

4. In the Run Task dialog box, verify the selected target is correct, configure any additional

settings and overrides, and then click Run.


Placing Objects in Maintenance Mode

When a monitored object, such as a computer or distributed application, goes offline for

maintenance, Operations Manager 2007 detects that no agent heartbeat is being received, and as a

result, may generate numerous alerts and notifications. To prevent these alerts and notifications,

place the monitored object in maintenance mode. In maintenance mode, alerts, notifications, rules,

monitors, automatic responses, state changes, and new alerts are suppressed at the agent.

For general instructions on placing a monitored object in maintenance mode, see How to Put a

Monitored Object into Maintenance Mode in Operations Manager 2007

(http://go.microsoft.com/fwlink/?LinkId=108358).

Configuring Notification Settings

Notifications generate messages or run commands automatically when an alert is raised on a

monitored system. By default, notifications for alerts are not configured. For information about how

to configure notifications in Operations Manager, see Configuring Notification

(http://go.microsoft.com/fwlink/?LinkId=206904).

FEP 2010 Reports

Forefront Endpoint Protection reports consist of malware and health reports, and operational

reports. This section describes where the reports are located, how the reports are run, the kind of

information they provide, and the command options available for generated reports.

Forefront Endpoint Protection Security Reports

Forefront Endpoint Protection malware and health reports are located in the Reports node under the

Forefront Endpoint Protection node. These reports provide administrators with information about

the antimalware protection status of, and malware activity on, client computers where Forefront

Endpoint Protection is deployed. There are five predefined Forefront Endpoint Protection reports,

three of which are run directly from the Reports node (source reports), and two that are run by

clicking links within them.

Additionally, the Computer Details Report can be run by navigating to a collection, selecting a

computer, and then in the actions pane clicking Run FEP Computer Details Report. In this instance,

the report is filtered to display information for the selected computer.

The Protection, Deployment, Health, and Security status report sections are based on the last status

reported by the FEP client software and current collection membership, unless otherwise noted.

Malware and Antimalware activity report sections are based on historical information and

computers are displayed based on the collections of which the computer was member when the

activity occurred.

The following table contains a list of the reports.

Antimalware Activity Report

Description: This report provides an overview of antimalware status, malware alerts, and malware detections.

Accessed by: Reports node.

Sections:

• Security Alerts—Displays a summary of raised Forefront Endpoint Protection alerts. For more information, see Using Alerts to Monitor Malware Detections.

• Security Status—Displays a summary of computers by Forefront Endpoint Protection client status.

• Antimalware Activity—Displays a dashboard of information about all detected malware.

• Malware Activity—Displays lists of the top malware infections by severity and frequency.

Antimalware Protection Summary Report

Description: This report provides an overview of antimalware deployment and health.

Accessed by: Reports node.

Sections:

• Antimalware Deployment and Health—Displays a dashboard of antimalware information.

• Security Status—Displays a summary of computers by Forefront Endpoint Protection client status.

Malware Details Report

Description: This report displays further details about a specific malware.

Accessed by: Clicking a link in a source report.

Sections:

• Malware Details—Displays details about the detected malware.

• Antimalware Activity—Displays a dashboard of information about the detected malware.

• Infected Computers—Displays a list of computers that have been infected with the detected malware.

Computer List Report

Description: This report displays a list of computers that can be filtered by collection, name, protection status, security state, antimalware signature version, detected malware, and last antimalware scan time.

Accessed by: Reports node, or clicking a link in a source report.

Sections:

• Computer List—When you run this report from the Reports node, it displays a list of computers to which the Forefront Endpoint Protection client is deployed. When run by clicking a link in a source report, it displays a filtered list of computers according to the clicked link.

Computer Details Report

Description: This report displays further details about a specific computer.

Accessed by: Clicking a link in a source report, or run directly on a computer in a collection.

Sections:

• Computer Details—Displays details about the specified computer.

• Protection Status—Displays information about the status of the Forefront Endpoint Protection client features.

• Malware Activity—Displays a summary of malware information followed by a list of malware that has been detected on the specified computer and its last reported state.

Forefront Endpoint Protection reports have links that you can click to view additional data, such as more detailed information about items in the source report. For example, you can click a malware name in the Antimalware Activity Report (source report) to view the Malware Details Report (target report) and display more information about this malware. The source report passes the malware name to the target report based on which line in the source report you choose to obtain more information.

Important:
The FEP reports only show antimalware activity; Network Inspection Service detections are not included in the Forefront Endpoint Protection reports. Network Inspection Service detection events are recorded to the Windows Event Log.


Note:
On a computer running Windows® 7 or Windows Server® 2008 R2, where the regional date and time format is specified as Hebrew (Israel), dates and times will display in reverse format in the Forefront Endpoint Protection console.
To resolve the issue, apply the following hotfix:
KB2030901 (http://go.microsoft.com/fwlink/?LinkId=205598)

Command options

When you run a report, you can use the menu bar commands to do the following:
• To view the report with different parameters, change the report filters accordingly, and then click View Report.
• To search the report, in the Find box, type the search term, and then click Find.
• To use the report data in another application, in the Select a format box, select an export file format, and then click Export.
• To view the most recent information, click Refresh.
• To print the report, click Print.

The following table lists the default settings when running reports:

Report setting: Value
Collection: All Desktops and Servers
Report time span: Week

Operational Reports

Forefront Endpoint Protection operational reports are located in the standard Configuration Manager Reports node under the Reporting node. These reports provide administrators with tracking and troubleshooting information about Forefront Endpoint Protection deployments on, and policy distribution to, client computers. There are seven predefined Forefront Endpoint Protection reports, three of which can be run directly from the Forefront Endpoint Protection dashboard, and four that can be run by clicking successive links in them.

The following is a list of the reports.

Report name / Description / Accessed by / Details

Deployment Overview
  Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status per collection.
  Accessed by: Dashboard or Configuration Manager Reports
  Details: For each collection, the following information is provided:
  • Count—The total number of computers in the collection.
  • The number of computers in each of the following deployment states: Removed, Failed, Pending, Out of date, Deployed, and Not targeted.
  • Deployed %—The percentage of computers on which the Forefront Endpoint Protection client has been successfully installed.
  You can click the links in the left-hand column to view the Deployment for a specific collection report.

Deployment for a specific collection
  Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status for a specific collection.
  Accessed by: Configuration Manager Reports
  Details: For the specified collection, for each deployment state, the total number of computers in that state is displayed. You can click the links in the left-hand column to view the Deployment for a specific collection in a specific state report.

Computers with a specific deployment state
  Description: This report displays a list of computers in a collection and specific deployment state.
  Accessed by: Configuration Manager Reports
  Details: For the specified collection and deployment state, for each computer, a summary of Forefront Endpoint Protection deployment details is displayed. You can click the links in the left-hand column to view the FEP information for a specific computer report.

Policy Distribution Overview
  Description: This report displays the breakdown of policy distribution states per collection. The report will only enumerate computers with Microsoft Forefront Endpoint Protection 2010 deployed.
  Accessed by: Dashboard or Configuration Manager Reports
  Details: For each collection, the following information is provided:
  • Computers—The total number of computers in the collection.
  • The number of computers in each of the following distribution states: Failed, Pending, and Distributed.
  • Success %—The percentage of computers on which the Forefront Endpoint Protection policy has been successfully applied.
  You can click the links in the left-hand column to view the Policy Distribution for a specific collection report.

Policy Distribution for a specific collection
  Description: This report displays the policy distribution states for a specific collection.
  Accessed by: Configuration Manager Reports
  Details: For the specified collection, for each distribution state, the total number of computers in that state is displayed. You can click the links in the left-hand column to view the Policy Distribution for a specific collection in a specific state report.

Computers with a specific policy distribution state
  Description: This report displays a list of computers in a collection and specific policy state.
  Accessed by: Configuration Manager Reports
  Details: For the specified collection and deployment state, for each computer, a summary of Forefront Endpoint Protection deployment details is displayed. You can click the links in the left-hand column to view the FEP information for a specific computer report.

FEP information for a specific computer
  Description: This report displays a summary of Forefront Endpoint Protection information for a specific computer.
  Accessed by: Dashboard or Configuration Manager Reports
  Details: For the specified computer, the following details are displayed:
  • The latest Forefront Endpoint Protection summary information.
  • The network adapters on the computer.
  • Historical Forefront Endpoint Protection client activity information.
  You can click the links in the left-hand column to view other standard Configuration Manager reports.

Displaying Computers Infected by a Specific Malware

You can use FEP reports to see an overview of antimalware status, malware alerts, and malware detections, filtered by Configuration Manager collections.

To display a list of computers infected by a specific malware
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Reports.
2. Select Antimalware Activity Report, and then in the Actions pane, click Run. The Antimalware Activity Report opens displaying antimalware activity for the collection and time frame specified.
3. Scroll down to the Malware Activity section, and click the malware of interest. The Malware Details Report opens, displaying information for the selected malware.
4. In the Computer List section, you can see the list of computers infected by the malware you specified.

Displaying Recent Malware Infections

You can use FEP reports to display a list of computers filtered by Forefront Endpoint Protection security status.

To display a list of malware that has recently infected a computer
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Reports.
2. Select Computer List Report, and then in the Actions pane, click Run.
3. In the Security State filter, select the following items, and then click View Report.
   a. Infected
   b. Action Required
   c. Recent Malware activity (last 24 hours)
4. The Computer List Report displays. In the Computer List section, click a computer in the list. The Computer Details Report opens, displaying information about the computer.
5. In the Malware Activity section, you can see the list of malware that recently infected the computer.

Subscribing to Reports

You can subscribe to a report to have it delivered automatically. A subscription specifies the type of delivery, delivery time, report output format, and for reports that have parameter input fields, any user-defined parameter values that should be used in the copy of the report you receive. A report can be delivered to either a file share or via e-mail. It is recommended that you subscribe to the reports that you find useful to receive on a regular basis.

The following Forefront Endpoint Protection reports can be subscribed to:
• Antimalware Activity Report
• Antimalware Protection Summary Report
• Computer List Report

For more information about subscribing to a report, see How to: Subscribe to a Report (Report Manager) (http://go.microsoft.com/fwlink/?LinkId=207013).

For more information about configuring SQL Server Reporting Services to support e-mail delivery of subscriptions, see Configuring a Report Server for E-Mail Delivery (http://go.microsoft.com/fwlink/?LinkId=207014).

FEP 2010 Security Management Pack Reporting

You can build your own report queries by using any reporting solution that can connect to the SQL Server Data Warehouse, such as Microsoft Excel 2010 or Microsoft SQL Server Reporting Services. Forefront Endpoint Protection sample reports in Microsoft Excel 2010 format can be downloaded from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207731). If you elect to use Excel to build your report queries, it is important to note that Microsoft Excel 2010 limits the server name in the Login dialog box to 23 characters, which will prevent any existing connections to the Data Warehouse from refreshing. If the server name of your Data Warehouse server contains more than 23 characters, you must open the existing connections and replace the FQDN of the server with the NetBIOS name.

Before you can use the Reporting feature, you need to install and properly configure the required reporting components for Operations Manager. The Reporting feature for the FEP Security Management Pack is supported on System Center Operations Manager R2. For more information about installing the reporting components on System Center Operations Manager R2, see the Operations Manager 2007 Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=206502). For information about how to create, customize, and use reports, see Creating Reports (http://go.microsoft.com/fwlink/?LinkId=150369) in the Operations Manager 2007 R2 User's Guide. For information about how to manage reporting in Operations Manager, see Managing Reporting in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206499).

FEP Health and Deployment Status Schema

The table below shows the schema for the FEP Health and Deployment Status view. You can reference this table when creating custom reports.

Field Name / Description / SQL Datatype / Format

RowId: Key into Event.vEvent table in the Operations Manager Data Warehouse. SQL datatype: uniqueidentifier. Format: GUID in string form.

Host: FQDN of computer. SQL datatype: nvarchar(255). Format: String (FQDN).

TimeStamp: Date/time value representing the time that the record was written to the data warehouse. SQL datatype: datetime. Format: DateTime.

DeploymentState: Enumerated value describing deployment status. Valid values are:
• Unknown
• Never installed
• Removed
• Installation canceled by user
• Reboot required
SQL datatype: nvarchar(max). Format: String (enumeration).

ProtectionStatus: Enumerated value describing state of AM protection. Valid values are:
• Unknown
• On
• Off
SQL datatype: nvarchar(max). Format: String (enumeration).

LastQuickScanAge: Elapsed time in days since the last quick scan was performed on the computer. 0 if no data is available. SQL datatype: nvarchar(max). Format: String (integer).

LastFullScanAge: Elapsed time in days since the last full scan was performed on the computer. 0 if no data is available. SQL datatype: nvarchar(max). Format: String (integer).

RTPStatus: Enumerated value describing state of real-time protection. Valid values are:
• Unknown
• On
• Off
SQL datatype: nvarchar(max). Format: String (enumeration).

FirewallStatus: Enumerated value describing state of Windows Firewall. Valid values are:
• Unknown
• Uninstalled
• On
• Off
SQL datatype: nvarchar(max). Format: String (enumeration).

NISStatus: Enumerated value describing state of Network Inspection System. Valid values are:
• Unknown
• Not Supported
• On
• Off
SQL datatype: nvarchar(max). Format: String (enumeration).

AVSignaturesAge: Number of days since last AV signature update. SQL datatype: nvarchar(max). Format: String (integer).

ASSignaturesAge: Number of days since last AS signature update. SQL datatype: nvarchar(max). Format: String (integer).

AVSignaturesLastUpdateTime: Timestamp when antivirus signatures were last updated. SQL datatype: nvarchar(max). Format: String (ISO 8601 timestamp).

ASSignaturesLastUpdateTime: Timestamp when antispyware signatures were last updated. SQL datatype: nvarchar(max). Format: String (ISO 8601 timestamp).

EngineVersion: Version of AM engine. SQL datatype: nvarchar(max). Format: String (version number).

FEPClientVersion: Version of FEP client. SQL datatype: nvarchar(max). Format: String (version number).

AVSignaturesVersion: Version of active antivirus signatures. SQL datatype: nvarchar(max). Format: String (version number).

ASSignaturesVersion: Version of active antispyware signatures. SQL datatype: nvarchar(max). Format: String (version number).

NISSignaturesVersion: Version of active Network Inspection System signatures. SQL datatype: nvarchar(max). Format: String (version number).

ActiveFEPPolicy: Policy name of the FEP XML policy which is applied to the machine. Note that this does not contain information about group policies that are applied to the machine. Group policy settings override FEP policy settings when there is a conflict. SQL datatype: nvarchar(max). Format: String.

FEPPolicyAppliedTime: Timestamp of last application of FEP XML policy to the machine. SQL datatype: nvarchar(max). Format: String (ISO 8601 timestamp).

FEP Security Incidents schema

The table below shows the FEP Security Incidents schema. You can reference this table when creating custom reports.

Field Name / Description / SQL Datatype / Format

Type: Type of incident. SQL datatype: nvarchar(max). Format: String constant "SecurityIncident".

RowID: Key into Event.vEvent table in the Operations Manager Data Warehouse. SQL datatype: uniqueidentifier. Format: GUID in string form.

Name: Descriptive information about incident. SQL datatype: nvarchar(max). Format: String constant "MalwareInfection".

Description: Not Used. SQL datatype: nvarchar(max). Format: String constant "NotImplemented".

TimeStamp: Date/time of security incident. SQL datatype: datetime. Format: DateTime.

SchemaVersion: Database schema version. SQL datatype: nvarchar(max). Format: String constant "1.0".

Severity: Enumerated value describing severity of incident. Valid values are:
1. Unknown
2. Low
3. Moderate
4. High
5. Severe
SQL datatype: nvarchar(max). Format: String (enumeration).

ObserverHost: Name of computer where incident occurred. SQL datatype: nvarchar(max). Format: String (FQDN).

ObserverUser: Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user. SQL datatype: nvarchar(max). Format: String (domain\user).

ObserverProductName: Product name of protection product that detected the incident. SQL datatype: nvarchar(max). Format: String constant "ForefrontEndpointProtection".

ObserverProductVersion: Product version of protection product that detected the incident. SQL datatype: nvarchar(max). Format: String (version number).

ObserverProtectionType: Type of protection technology that detected the incident. SQL datatype: nvarchar(max). Format: String constant "AM".

ObserverProtectionVersion: Protection engine version information. SQL datatype: nvarchar(max). Format: String (version number).

ObserverProtectionSignatureVersion: Protection definitions version information. SQL datatype: nvarchar(max). Format: String (version number).

ObserverDetection: Enumerated value describing method of detection. Valid values are:
• Unknown
• User Initiated Scan
• System Initiated Scan
• Real-Time Protection
• IE Downloads and Outlook Express Attachments
SQL datatype: nvarchar(max). Format: String (enumeration).

ObserverDetectionTime: Local time of detection on machine where incident occurred. SQL datatype: nvarchar(max). Format: String (ISO 8601 timestamp).

ActorHost: Not Used. SQL datatype: nvarchar(max). Format: String constant NULL.

ActorUser: Not Used. SQL datatype: nvarchar(max). Format: String constant NULL.

ActorProcess: Not Used. SQL datatype: nvarchar(max). Format: String constant NULL.

ActorResource: Not Used. SQL datatype: nvarchar(max). Format: String constant NULL.

ActionType: Type of security incident. SQL datatype: nvarchar(max). Format: String constant "MalwareInfection".

TargetHost: Name of computer where incident occurred. SQL datatype: nvarchar(max). Format: String (FQDN).

TargetUser: Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user. SQL datatype: nvarchar(max). Format: String (domain\user).

TargetProcess: Name of process which was attempting to access the infected file. SQL datatype: nvarchar(max). Format: String (image path name).

TargetResource: Threat name of detected malware. SQL datatype: nvarchar(max). Format: String constant "Threat".

ClassificationType: Threat name of detected malware. SQL datatype: nvarchar(max). Format: String constant "Threat".

ClassificationCategory: Enumerated value describing threat category. Valid values are:
• Invalid
• Adware
• Spyware
• PasswordStealer
• TrojanDownloader
• Worm
• Backdoor
• RemoteAccessTrojan
• Trojan
• EmailFlooder
• KeyLogger
• Dialer
• MonitoringSoftware
• BrowserModifier
• Cookie
• BrowserPlugin
• AolExploit
• Nuker
• SecurityDisabler
• JokeProgram
• HostileActivexControl
• SoftwareBundler
• StealthNotifier
• SettingsModifier
• Toolbar
• RemoteControlSoftware
• TrojanFftp
• PotentialUnwantedSoftware
• IcqExploit
• TrojanTelnet
• Exploit
• FileSharingProgram
• MalwareCreationTool
• RemoteControlSoftwareTool
• TrojanDenialOfService
• TrojanDropper
• TrojanMassmailer
• TrojanMonitoringSoftware
• TrojanProxyServer
• Virus
• Known
• Unknown
• Spp
• Behavior
• Vulnerability
• Policy
SQL datatype: nvarchar(max). Format: String (enumeration).

ClassificationID: Threat ID of detected malware. This can be used to look up the malware on the Microsoft Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=206607). SQL datatype: nvarchar(max). Format: String (integer).

ClassificationSeverity: Enumerated value describing severity of detected threat. Valid values are:
• Unknown
• Low
• Moderate
• High
• Severe
SQL datatype: nvarchar(max). Format: String (enumeration).

RemediationType: Enumerated value describing type of remediation that was performed. SQL datatype: nvarchar(max). Format: String (enumeration).

RemediationResult: Enumerated string containing a Boolean value describing whether the remediation action was successful. Valid values are:
• True
• False
SQL datatype: nvarchar(max). Format: String (enumeration).

RemediationErrorCode: Error encountered during remediation. SQL datatype: nvarchar(max). Format: String (hexadecimal DWORD error code).

RemediationPendingAction: Enumerated value describing action remaining to complete remediation. SQL datatype: nvarchar(max). Format: String (enumeration).

IsActiveMalware: Enumerated string containing a Boolean value describing whether malware is active on the system. Valid values are:
• True
• False
SQL datatype: nvarchar(max). Format: String (enumeration).

Disaster Recovery for FEP 2010 on Configuration Manager

Disaster recovery refers to restoring your servers and data in the event of a partial or complete failure due to natural or technical causes. When a server is damaged or fails, your ability to restore that server's functions and data depends on the actions you take before the disaster occurs. Therefore, preparing for disaster recovery by planning both backup and recovery operations is a necessity for enterprise solutions such as Forefront Endpoint Protection.

The steps to back up and restore Forefront Endpoint Protection are described in this section.

Backup

The operation consists of scheduling the periodic backup of data and configuration settings on servers running Forefront Endpoint Protection features.

To back up Forefront Endpoint Protection
1. Back up the Configuration Manager site server. For more information, see Overview of Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).
Note:
The backup includes Forefront Endpoint Protection specific Configuration Manager items and their settings, for example, Forefront Endpoint Protection policies, their assignments, and their precedence.
2. Back up the Forefront Endpoint Protection reporting database using a SQL Server backup solution. The default database name is FEPDW_XXX.

Restore

In the event of a server failure resulting in a replacement server, the recovery operation consists of reinstalling the operating system, applications, and server configuration on the replacement server, and then restoring the data and configuration settings. Since Forefront Endpoint Protection can be installed using a remote reporting database, the steps for restoring are divided into two procedures as follows:

To restore when the Configuration Manager site server fails and is replaced
1. Restore Configuration Manager. For more information, see Overview of Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).
2. Restore the Forefront Endpoint Protection reporting database (optional—only if SQL Server is also restored).
Important:
For large-scale deployments comprised of more than 10,000 client computers, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkID=206862).
3. Install Forefront Endpoint Protection using the reuse existing database option. For more information, see either Installing Using Basic with a Remote Reporting Database Setup or To install FEP 2010 Reporting and Alerts.

To restore when the SQL Server system where the Forefront Endpoint Protection reporting database resides fails and is replaced
1. Restore SQL Server and the Forefront Endpoint Protection reporting database.
Important:
For large-scale deployments comprised of more than 10,000 client computers, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkID=206862).
2. Uninstall the Forefront Endpoint Protection reporting feature from the server where it is installed (optional—only if it is installed on a server other than the SQL Server system where the Forefront Endpoint Protection reporting database resides). For more information, see Uninstalling.
3. Install Forefront Endpoint Protection using the reuse existing database option. For more information, see either Installing Using Basic with a Remote Reporting Database Setup or To install FEP 2010 Reporting and Alerts.

Automating Day-to-Day Tasks by Using Windows PowerShell

In Forefront Endpoint Protection, you can automate day-to-day tasks by using Windows PowerShell and Configuration Manager Windows Management Instrumentation (WMI) objects.

The following is a list of some of the day-to-day tasks that can be automated:
• Deploy the FEP client software to the computers in a collection or remove the FEP client from computers in a collection.
• Assign a FEP policy to the computers in a collection
• Unassign a FEP policy from the computers in a collection
• Assign a Desired Configuration Management (DCM) baseline to the computers in a collection
• Retrieve DCM baseline results for specific computers
• Unassign a DCM baseline from the computers in a collection
• Retrieve FEP dashboard data
• Run reports
• Retrieve report data
• Run a quick or full antimalware scan
• Force a definition update

This section contains the following topics to help you automate Forefront Endpoint Protection management by using Windows PowerShell and Configuration Manager Windows Management Instrumentation (WMI) objects.
Deploying or Removing the FEP Client Software
Assigning and Unassigning FEP Policies to Collections
Automating Desired Configuration Management
Automating the FEP Dashboard
Automating Tasks on Client Computers
Automating FEP Reports

Deploying or Removing the FEP Client Software

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate the creation of software packages and the assignments of the software packages to collections.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:
• Windows PowerShell (either version 1.0 or 2.0)

The following script demonstrates how you can deploy (or remove) the FEP client to a collection. The script defines switches to specify the Configuration Manager information needed, and uses that information to create a mandatory advertisement of the FEP deployment package.

function CreateDeploymentAdvertisement(
    $ConfigMgrServer,               # Config Mgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                      # Config Mgr site code. e.g. ABC
    $CollectionID,                  # Target collection ID. e.g. ABC00008
    $AdvertisementName,             # Requested name for the deployment advertisement. e.g. Deploy FEP
    [switch]$IncludeSubCollection,  # Switch to include subcollections. Default is false (not included)
    [switch]$Uninstall)             # Switch to do uninstall. Default is Install
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # Config Mgr (DMTF) time format. HH is the 24-hour hour; the original sample used hh, which is the
    # 12-hour clock and would place afternoon schedule times in the morning.
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace) # WMI provider full path

    # Get the FEP deployment package to be used when creating the advertisement
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Deployment'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Create a new SMS advertisement instance for the FEP deployment package. The program installs or uninstalls depending on the $Uninstall switch.
    # For more information about the SMS_Advertisement Server WMI class, see http://go.microsoft.com/fwlink/?LinkID=208535 on MSDN.
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
    $newAdvertisement.CollectionID = $CollectionID
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = if ($Uninstall) { "Uninstall" } else { "Install" }
    $newAdvertisement.AdvertisementName = $AdvertisementName
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00002000 -bor 0x00000010 -bor 0x00000040 # RERUN_IF_FAILED | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.IncludeSubCollection = [bool]$IncludeSubCollection # WMI boolean property; cast the switch explicitly
    $newAdvertisement.PresentTime = $now

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule
    $newAdvertisement.Put()

    Write-Output "Created FEP client roll out advertisement: $AdvertisementName"
}

Assigning and Unassigning FEP Policies to Collections

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate assigning FEP policies to collections.

The following sections demonstrate how you can assign or unassign FEP policies to a collection. The scripts define switches to specify the Configuration Manager information needed, and use that information to assign the designated policy to a collection.

FEP policies are created in Configuration Manager as packages, and distributed by using mandatory assignments.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:
• Windows PowerShell (either version 1.0 or 2.0)

The following example script creates a mandatory assignment of a policy package to a specified collection.

function AssignPolicy(
    $ConfigMgrServer,               # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                      # ConfigMgr site code. e.g. ABC
    $PolicyName,                    # Name of FEP policy to assign. e.g. "MyPolicy"
    $CollectionID,                  # Collection ID to assign policy to. e.g. ABC00008
    [switch]$IncludeSubCollection)  # Switch to include subcollections. The default is false (not included).
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # ConfigMgr (DMTF) time format. HH is the 24-hour hour; the original sample's hh is the 12-hour clock.
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the FEP policies package to create the advertisement from
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Create a new SMS advertisement instance for the FEP policy package.
    # SMS_Advertisement Server WMI Class http://msdn.microsoft.com/en-us/library/cc146108.aspx
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
    $newAdvertisement.CollectionID = $CollectionID
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = $PolicyName
    $newAdvertisement.AdvertisementName = "Assign FEP Policy $PolicyName"
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040 # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.IncludeSubCollection = [bool]$IncludeSubCollection # WMI boolean property; cast the switch explicitly
    $newAdvertisement.PresentTime = $now

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule
    $newAdvertisement.Put()
    $newAdvertisement.Get() # Refresh the new advertisement so that AdvertisementID is populated

    # Add the advertisement to the FEP policies advertisement folder
    # Get the container node (note that the folder name is localized)
    $AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Create a container item for the advertisement
    $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
    $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
    $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
    $newContainerItem.Put()

    Write-Output "Policy $PolicyName Assigned to $CollectionID"
}

The following example script demonstrates removal of a policy assignment from a collection of endpoints.

function RemovePolicyAssignment(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $PolicyName,        # Name of the FEP policy whose assignment should be removed. e.g. "MyPolicy"
    $CollectionID)      # Collection ID to remove the assignment from. e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the FEP policies package
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Get the existing advertisements of this policy to this collection
    $filter = "PackageID='{0}' AND ProgramName='$PolicyName' AND CollectionID='$CollectionID'" -f $package.PackageID
    $advertisements = Get-WmiObject -class "SMS_Advertisement" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    if ($advertisements -eq $null)
    {
        Write-Output "There are no policy assignments of $PolicyName to $CollectionID."
    }
    else
    {
        Write-Output "Removing policy assignments of $PolicyName from $CollectionID."
        $advertisements | Remove-WmiObject
    }
}

Automating Desired Configuration Management

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate management of FEP desired configuration management (DCM) baselines.

Configuration baselines define best practices and thresholds for configuration settings. You assign baselines to collections of computers. After the computers receive the baseline, they evaluate their configuration against the baseline, and report their status to the Configuration Manager server.

The following sections demonstrate how you can assign or unassign FEP baselines to a collection. The scripts define switches to specify the Configuration Manager information needed, and use that information to assign the designated baseline to a collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

• Windows PowerShell (either version 1.0 or 2.0)

The following example script demonstrates how to assign a FEP DCM baseline to a target collection.

function AssignDCMBaseline(
    $ConfigMgrServer,    # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,           # ConfigMgr site code. e.g. ABC
    $BaselineName,       # DCM baseline localized name. e.g. "FEP - Standard Desktop"
    $TargetCollectionID, # Collection ID to assign the baseline to. e.g. ABC00008
    [switch]$IncludeSubCollection) # Switch to include subcollections; default is false (not included)
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    # WMI (DMTF) datetime string; HH gives the 24-hour clock the format requires
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the DCM baseline to assign
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    # Note: it is possible to verify here that the CI exists (i.e. not $null and only one with this name)

    # Create a new SMS baseline assignment instance
    $newAssignment = ([WmiClass]($ConfigMgrProviderPath + ":SMS_BaselineAssignment")).CreateInstance()
    $newAssignment.AssignedCIs = @($CIBaseline.CI_ID)
    $newAssignment.TargetCollectionID = $TargetCollectionID
    $newAssignment.ApplyToSubTargets = [bool]$IncludeSubCollection # the switch is converted to a plain boolean for the WMI property
    $newAssignment.AssignmentAction = 2 # APPLY
    $newAssignment.AssignmentName = "Assign $BaselineName to $TargetCollectionID"
    $newAssignment.AssignmentDescription = ""
    $newAssignment.DesiredConfigType = 1 # REQUIRED
    $newAssignment.DPLocality = 4 # DP_DOWNLOAD_FROM_LOCAL
    $newAssignment.NotifyUser = $false
    $newAssignment.SendDetailedNonComplianceStatus = $true
    $newAssignment.StartTime = $now
    $newAssignment.SuppressReboot = 0
    $newAssignment.UseGMTTimes = $false

    # Create a recurring daily evaluation schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_RecurInterval")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $AssignedSchedule.DaySpan = 1
    $ScheduleAsString = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ScheduleMethods")).WriteToString($AssignedSchedule)
    $newAssignment.EvaluationSchedule = $ScheduleAsString.StringData

    $newAssignment.Put()
    Write-Output "Created assignment of DCM baseline $BaselineName to collection $TargetCollectionID"
}

The following example script demonstrates how to remove a FEP DCM baseline from a target collection.

function RemoveDCMAssignment(
    $ConfigMgrServer,    # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,           # ConfigMgr site code. e.g. ABC
    $BaselineName,       # DCM baseline localized name. e.g. "FEP - Standard Desktop"
    $TargetCollectionID) # Collection ID to remove the baseline assignment from. e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the DCM baseline whose assignment is to be removed
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    $filter = "AssignedCIs = '{0}' AND TargetCollectionID='{1}'" -f $CIBaseline.CI_ID, $TargetCollectionID

    # Get the existing assignments
    $assignments = Get-WmiObject -class "SMS_BaselineAssignment" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    if ($assignments -eq $null)
    {
        Write-Output "There are no DCM baseline $BaselineName assignments to $TargetCollectionID."
    }
    else
    {
        Write-Output "Removing DCM baseline $BaselineName from collection $TargetCollectionID."
        $assignments | Remove-WMIObject
    }
}

The following example script demonstrates how to retrieve a Configuration Manager WMI results object that contains compliance results for a DCM baseline assignment.

The results object contains a count of compliant computers, a count of noncompliant computers, a count of evaluation failures, and other information relevant to DCM. For more information about the SMS_CI_ComplianceSummary WMI class, see SMS_CI_ComplianceSummary Server WMI Class (http://go.microsoft.com/fwlink/?LinkId=208530) in the Configuration Manager reference documentation on MSDN.

function GetBaselineResult(
    $ConfigMgrServer, # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,        # ConfigMgr site code. e.g. ABC
    $BaselineName)    # DCM baseline localized name. e.g. "FEP - Standard Desktop"
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the DCM baseline to query
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Get the compliance summary (compliant, noncompliant and failed counts) for that baseline
    $result = Get-WmiObject -Class "SMS_CI_ComplianceSummary" -filter ("CI_ID='{0}'" -f $CIBaseline.CI_ID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    return $result
}

Automating the FEP Dashboard

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate retrieval of FEP dashboard information. The FEP dashboard displays important information about the security of your organization, such as the number of deployed clients, definition deployment status, number of client computers infected, and number of client computers with malware removed.

Each dashboard data set is represented by a Configuration Manager collection. The following example script demonstrates how to obtain a count of computers that belong to a specified collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

• Windows PowerShell (either version 1.0 or 2.0)

The following table lists the Configuration Manager collections that are used to populate the data for the FEP dashboard. To retrieve the dashboard data via a script, you must specify the appropriate Configuration Manager collection in the script.

Dashboard Area                Collection Names
Deployment Status             Deployment Succeeded, Out of Date, Deployment Failed, Deployment Pending, Locally Removed, Not Targeted
Policy Distribution Status    Distribution Failed, Distribution in Progress, Policy Distributed
Definition Status             Up to Date, Up to 3 Days, Up to 7 Days, Older Than 1 Week
Malware Activity Status       Infected, Restart Required, Full Scan Required, Recent Activity
Health Status                 Protection Inactive, Not Reporting, Healthy

The following example script retrieves dashboard data from the FEP database for the specified collection.

function GetDashboardInfo(
    $ConfigMgrServer, # ConfigMgr WMI site provider to which to connect. e.g. MyServer
    $SiteCode,        # ConfigMgr site code. e.g. ABC
    $CollectionName)  # Collection name for which the count of computers should be returned. e.g. Infected.
                      # Use the table above to determine the collection name to query.
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the SMS collection to query
    $Collection = Get-WmiObject -class "SMS_Collection" -filter "Name='$CollectionName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Get the SMS_Collection class and ask it for the member count of that collection
    $SmsCollectionClass = [WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")
    $count = $SmsCollectionClass.GetNumResults($Collection).Result

    Write-Output "Count of computers in $CollectionName is $count"
    return $count
}
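As an added example that is not part of the original documentation, the function below extends GetDashboardInfo to every collection in the table above and returns one record per collection, so a scheduled script can capture the whole dashboard in one pass. Get-FepDashboardSummary is my own name, the collection names are the ones from the table, and New-Object -Property assumes Windows PowerShell 2.0.

```powershell
function Get-FepDashboardSummary(
    $ConfigMgrServer, # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode)        # ConfigMgr site code. e.g. ABC
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)
    $SmsCollectionClass = [WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")

    # Dashboard areas and the collections that back them, in the order of the table above.
    # The names are localized; adjust them if your console is not in English.
    $DashboardAreas = @(
        @("Deployment Status", @("Deployment Succeeded", "Out of Date", "Deployment Failed",
                                 "Deployment Pending", "Locally Removed", "Not Targeted")),
        @("Policy Distribution Status", @("Distribution Failed", "Distribution in Progress", "Policy Distributed")),
        @("Definition Status", @("Up to Date", "Up to 3 Days", "Up to 7 Days", "Older Than 1 Week")),
        @("Malware Activity Status", @("Infected", "Restart Required", "Full Scan Required", "Recent Activity")),
        @("Health Status", @("Protection Inactive", "Not Reporting", "Healthy"))
    )

    foreach ($Entry in $DashboardAreas)
    {
        $Area = $Entry[0]
        foreach ($CollectionName in $Entry[1])
        {
            # Same lookup as GetDashboardInfo; a single quote in a name is doubled so it cannot break the WQL filter
            $Filter = "Name='{0}'" -f $CollectionName.Replace("'", "''")
            $Collections = @(Get-WmiObject -class "SMS_Collection" -filter $Filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer)

            if ($Collections.Count -eq 0)
            {
                # A missing dashboard collection is itself a finding (renamed or deleted), so report it rather than showing 0
                $Count = "collection not found"
            }
            elseif ($Collections.Count -gt 1)
            {
                # Several collections share this name: a count of the first one would be arbitrary, so flag it instead
                $Count = "ambiguous name ({0} collections)" -f $Collections.Count
            }
            else
            {
                $Count = $SmsCollectionClass.GetNumResults($Collections[0]).Result
            }

            # One record per collection so the output can be piped to Format-Table or Export-Csv
            New-Object PSObject -Property @{
                DashboardArea = $Area
                Collection    = $CollectionName
                Computers     = $Count
            }
        }
    }
}

# Example call; the server name and site code are placeholders
# Get-FepDashboardSummary "MyServer" "ABC" | Format-Table DashboardArea, Collection, Computers -AutoSize
```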

Automating Tasks on Client Computers

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate FEP tasks on client computers.

FEP tasks run from a software package named Microsoft Corporation FEP – Operations 1.0. In the Configuration Manager console, you can right-click a computer or group of computers, point to FEP Operations, and then select one of three actions:

• Full Scan: runs a full antimalware scan on the selected computers.

• Quick Scan: runs a quick antimalware scan on the selected computers.

• Run Definition Update: runs a definition update cycle on the selected computers.

When you run a task on a client computer or set of computers, FEP performs the following steps:

• Creates a dynamic collection

• Adds the selected computers to the collection

• Creates a mandatory assigned advertisement of the requested task from the FEP Operations software package

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

• Windows PowerShell (either version 1.0 or 2.0)

• Before you run operational tasks from a script, you should first verify that the FEP operations package (named Microsoft Corporation FEP – Operations 1.0) has been distributed to your Configuration Manager distribution points.

Note:

Cleanup of old operations components (the dynamic collections and advertisements used to distribute the tasks) is done only when tasks are performed from the Configuration Manager console; components created by a script are not cleaned up automatically.

The following example script demonstrates how to run a full scan task on a computer.

function RunFullScan(
    $ConfigMgrServer, # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,        # ConfigMgr site code. e.g. ABC
    $Computers)       # A computer or list of computer NetBIOS names on which the scan should be run. For example: ("ComputerA", "ComputerB")
{
    # Change the scan type by changing the phrase in the quotes to either Quick Scan or Update Definitions.
    $Operation = "Full Scan"
    $UtcNow = [System.DateTime]::UtcNow
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Create a collection for the task
    $newCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")).CreateInstance()
    $newCollection.Name = "$Operation at $UtcNow (UTC)"
    $newCollection.RefreshType = 1 # Manual
    $newCollection.OwnedByThisSite = $true
    $newCollection.Put()
    $newCollection.Get() # refresh the object so CollectionID is populated

    # Add the collection as a subcollection of FEP Operations
    $OperationCollection = Get-WmiObject -class "SMS_Collection" -filter "Name='Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    $CollectionToSubCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectToSubCollect")).CreateInstance()
    $CollectionToSubCollection.parentCollectionID = $OperationCollection.CollectionID
    $CollectionToSubCollection.subCollectionID = $newCollection.CollectionID
    $CollectionToSubCollection.Put()

    # Add the computers to the collection (direct rules)
    foreach ($Computer in $Computers)
    {
        # For more information about the SMS_R_System Server WMI class, see
        # http://go.microsoft.com/fwlink/?LinkId=208534 on MSDN.
        $Client = Get-WmiObject -class "SMS_R_System" -filter ("NetbiosName = '{0}'" -f $Computer) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
        $SmsCollectionRuleDirect = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectionRuleDirect")).CreateInstance()
        $SmsCollectionRuleDirect.ResourceID = $Client.ResourceID
        $SmsCollectionRuleDirect.ResourceClassName = "SMS_R_System"
        $newCollection.AddMembershipRules($SmsCollectionRuleDirect)
    }

    # Create the advertisement for the requested operation
    # WMI (DMTF) datetime string; HH gives the 24-hour clock the format requires
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"

    # Get the FEP operations package
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Create a new advertisement for the FEP operations package.
    # For more information about the SMS_Advertisement Server WMI class, see
    # http://go.microsoft.com/fwlink/?LinkId=208535 on MSDN.
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
    $newAdvertisement.CollectionID = $newCollection.CollectionID # target the collection created above
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = $Operation
    $newAdvertisement.AdvertisementName = "Run $Operation at $UtcNow (UTC)"
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040 # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.PresentTime = $now
    $newAdvertisement.Priority = 1 # High

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule
    $newAdvertisement.Put()
    $newAdvertisement.Get()

    # Add the advertisement to the FEP operations advertisement folder
    # Get the container node (notice to use the localized name)
    $AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Create a container item for the advertisement
    $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
    $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
    $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
    $newContainerItem.Put()

    Write-Output "$Operation scheduled to computers: $Computers"
}

Automating FEP Reports

You can automate retrieval of FEP reports by using Windows PowerShell.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

• Windows PowerShell 2.0

The following example script demonstrates how to retrieve a FEP computer list report as an XML object and then display the computer list.

$ReportServer = "ReportServer.contoso.com" # Change the value in quotes to your report server FQDN.
$SiteCode = "FEP" # Change the value in quotes to your site code.

# URI of the .asmx file on the report server; change the value in quotes to the appropriate path on your report server.
$URI = "http://$ReportServer/ReportServer/ReportExecution2005.asmx?wsdl"

# Report path; to retrieve a different report, replace the name of the report.
$ReportPath = "/Forefront Endpoint Protection_$SiteCode/Antimalware/Computer List Report"

# Create the web service proxy for the reports
New-WebServiceProxy -Uri $URI -UseDefaultCredential -namespace "ReportExecution2005" | out-null
$ReportService = new-object ReportExecution2005.ReportExecutionService
$ReportService.Credentials = [System.Net.CredentialCache]::DefaultCredentials

# Load the report
$ReportService.GetType().GetMethod("LoadReport").Invoke($ReportService, @($ReportPath, $null)) | out-null

# Report parameters
# Depending on the number of parameters used by the report, you may need to add or remove parameters.
# Specify the time span by changing the $param1.Value line.

# Report time span
# 1 - Custom - should be used along with CustomStartDate and CustomEndDate
# 2 - Day
# 3 - Week
# 4 - Month
# 5 - Quarter
# 6 - Year
$param1 = new-object ReportExecution2005.ParameterValue
$param1.Name = "ReportSpan"
$param1.Value = 3

# Number of computers to which to limit the report. -1 specifies that there is no limit.
$param2 = new-object ReportExecution2005.ParameterValue
$param2.Name = "NumberOfReturnedComputersParameter"
$param2.Value = -1

# Security state parameter:
# 1 - Clean
# 2 - Recent malware activity (last 24 hours)
# 3 - Action Required
# 4 - Infected
$param3 = new-object ReportExecution2005.ParameterValue
$param3.Name = "SecurityStateParameter"
$param3.Value = 2

# The following ReportScope parameter is optional; it limits the report to a single collection.
# The ID can be found in the FEPDW (FEPDW_[SiteCode]) database using the following query:
# SELECT * FROM vwFEP_Common_CollectionLookupDimension
#$param4 = new-object ReportExecution2005.ParameterValue
#$param4.Name = "ReportScope"
#$param4.Value = "1002"

$parameters = [ReportExecution2005.ParameterValue[]] ($param1, $param2, $param3)
$ExecParams = $ReportService.SetExecutionParameters($parameters, "en-us")

# For more report parameter options, see ReportExecutionService.Render Method
# (http://go.microsoft.com/fwlink/?LinkId=208533) on MSDN.
$format = "xml"
$deviceInfo = ""
$extension = ""
$mimeType = ""
$encoding = "UTF-8"
$warnings = $null
$streamIDs = $null
$ReportAsStream = $ReportService.Render($format, $deviceInfo, [ref] $extension, [ref] $mimeType, [ref] $encoding, [ref] $warnings, [ref] $streamIDs)
$ReportAsString = [Text.Encoding]::UTF8.GetString($ReportAsStream)
$ReportAsXml = [xml]$ReportAsString.Trim()

# Access the report data using the XML object. It is possible to use XPath or any XmlDocument method to parse the XML.
$computers = $ReportAsXml.GetElementsByTagName("Detail")
foreach ($computer in $computers)
{
    Write-Host $computer.ComputerName $computer.SecurityState
}

12. Troubleshooting

This troubleshooting content provides guidance for diagnosing and resolving issues you may encounter when using Forefront Endpoint Protection.


Using the FEP Best Practices Analyzer

The Forefront Endpoint Protection Best Practices Analyzer (BPA) includes checks that scan both Forefront Endpoint Protection (FEP) and Configuration Manager for configuration problems, missing dependencies, incorrect settings, or other issues that could adversely affect the health of your FEP installation.

Prerequisites

• The FEP BPA checks are based on the Microsoft Baseline Configuration Analyzer version 2.0 (MBCA). In order to run the FEP BPA, you must download and install the MBCA (http://go.microsoft.com/fwlink/?LinkId=206778).

• The MBCA requires Windows PowerShell™ 2.0. Windows PowerShell 2.0 is included with Windows Server 2008 R2, but must be installed on Windows Server 2008 or Windows Server 2003. To download Windows PowerShell 2.0, see Microsoft Knowledge Base article 968929 (http://go.microsoft.com/fwlink/?LinkId=206779).

• You must run MBCA and the FEP MBCA checks on the Configuration Manager server on which you installed FEP.

To install the FEP BPA

1. After you download the FEP BPA, copy it to your Configuration Manager server, and then double-click fepBPASetup.msi.

2. In the FEP 2010 Best Practices Analyzer Setup wizard, select the I accept the terms in the license agreement check box, click Next, and then click Finish.

The FEP BPA Checks

The FEP BPA includes configuration checks for various Configuration Manager features, as well as FEP dependencies and prerequisites that are important to FEP health.

The following table lists the check categories and describes some of the checks included with this release of the FEP BPA.

FEP BPA check category                                          Description
SQL Server checks                                               Reviews the status and configuration of the computers running SQL Server that host the FEP databases.
Configuration Manager Desired Configuration Management checks   Reviews the DCM checks that are used to populate the FEP dashboard, ensures they are assigned to collections, and checks that the configuration items for FEP are not corrupted or missing.
Package, policy, and advertisement checks                       Reviews FEP packages, policies, and advertisements for the correct number (no defaults have been deleted), and that they are correctly assigned.
Alert checks                                                    Reviews the number of FEP alerts, that they are assigned to collections correctly, and that the SMTP port is correctly assigned (for e-mailing of alerts).
Events and general FEP configuration checks                     Collects and displays information for recent FEP errors and events, as well as some registry settings and a list of the FEP files installed on the computer.
Configuration Manager configuration checks                      Reviews the status and configuration of the Configuration Manager installation and services important to the health of FEP.

Troubleshooting FEP and Configuration Manager

Forefront Endpoint Protection (FEP) is built on Configuration Manager. Because of the tight integration with Configuration Manager, troubleshooting common issues with FEP frequently involves troubleshooting Configuration Manager.

You can find information about Troubleshooting Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206765) in the Configuration Manager Documentation Library. Additionally, the table below lists various Configuration Manager troubleshooting resources and how those resources apply to troubleshooting FEP.

Resource                                                    Description
Troubleshooting Software Distribution                       FEP uses the Software Distribution feature of Configuration Manager for the following tasks:
(http://go.microsoft.com/fwlink/?LinkId=206762)             • Client software deployment (via software packages)
                                                            • Policy deployment
                                                            • On-demand scans
                                                            • Forcing a definition update
Troubleshooting Software Updates                            Contains information relevant to definition updates. By default, FEP uses Software Updates in Configuration Manager and WSUS to deliver definition updates to computers running the FEP client software.
(http://go.microsoft.com/fwlink/?LinkId=206761)
Troubleshooting Desired Configuration Management            Contains information relevant to troubleshooting FEP and Desired Configuration Management (DCM). DCM is used in FEP to populate data into the dashboard and for any custom configuration baselines you enforce for your collections.
(http://go.microsoft.com/fwlink/?LinkId=206756)

FEP Log Files

Forefront Endpoint Protection (FEP) creates log files both during the installation on your Configuration Manager server, and during day-to-day operations.

FEP Server Installation Log Files

The installation log files are listed below:

Log file name             Description
FEPExt_xxx_xxx.log        FEP site server extensions
FepReport_xxx_xxx.log     FEP Reporting Components
FEPUX_xxx_xxx.log         FEP Console Extensions
ServerSetup_xxx_xxx.log   FEP Setup

You can find FEP server installation log files in the following location:

• If you installed FEP on Windows Server 2003: %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server

• If you installed FEP on Windows Server 2008: %ProgramData%\Microsoft Forefront\Support\Server

The file names use the following format:

LogFileName_Date_Time.log

where the following is true:

• LogFileName is the name of the log file.

• Date is the day, month, and year the log was created, in the format DDMMYYYY.

• Time is the hour, minute, and second the log file was created, in the format HHMMSS.
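As an added example that is not part of the original documentation, the function below parses the LogFileName_Date_Time.log pattern described above and returns the newest file for each log name, which is usually the one to read when a setup has been retried. Get-LatestFepSetupLog is my own name, the file names in $SampleNames are constructed, and the date is assumed to carry a four-digit year (DDMMYYYY).

```powershell
function Get-LatestFepSetupLog(
    [string[]]$FileNames) # Log file names, e.g. (Get-ChildItem $LogDir).Name
{
    # Matches LogFileName_DDMMYYYY_HHMMSS.log, e.g. ServerSetup_15032011_142233.log
    # (assumption: four-digit year; the log name itself may contain underscores)
    $Pattern = '^(?<name>.+)_(?<dd>\d{2})(?<mm>\d{2})(?<yyyy>\d{4})_(?<hh>\d{2})(?<mi>\d{2})(?<ss>\d{2})\.log$'
    $Newest = @{}

    foreach ($FileName in $FileNames)
    {
        # Skip files that do not follow the pattern; $Matches is populated when the regex does match
        if ($FileName -notmatch $Pattern) { continue }

        # Rebuild the timestamp in a parseable order. ParseExact rejects impossible values
        # (such as month 13) instead of silently producing a wrong date.
        $Stamp = "{0}{1}{2}{3}{4}{5}" -f $Matches.yyyy, $Matches.mm, $Matches.dd, $Matches.hh, $Matches.mi, $Matches.ss
        try
        {
            $Created = [DateTime]::ParseExact($Stamp, "yyyyMMddHHmmss", [Globalization.CultureInfo]::InvariantCulture)
        }
        catch
        {
            continue
        }

        # Keep only the most recent file per log name
        $LogName = $Matches.name
        if (-not $Newest.ContainsKey($LogName) -or $Created -gt $Newest[$LogName].Created)
        {
            $Newest[$LogName] = New-Object PSObject -Property @{
                LogName  = $LogName
                FileName = $FileName
                Created  = $Created
            }
        }
    }
    return $Newest.Values
}

# Constructed sample names (not real log files); ServerSetup appears twice so the newer one is selected
$SampleNames = @("ServerSetup_15032011_142233.log", "ServerSetup_16032011_091005.log",
                 "FEPExt_15032011_142301.log", "FepReport_15032011_142340.log",
                 "FEPUX_15032011_142418.log", "readme.txt")
Get-LatestFepSetupLog $SampleNames | Sort-Object LogName | Format-Table LogName, FileName, Created -AutoSize
```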

FEP Server Operational Log Files

The following table lists the log files in which FEP stores operational information.

Log file name         Description
SmsAdminUI.log        FEP stores console-related information in this Configuration Manager console log file. It can be found in C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\AdminUILog. For more information about this log file, see Troubleshooting Configuration Manager Console Issues (http://go.microsoft.com/fwlink/?LinkId=207567) in the Configuration Manager documentation.
FepServiceTrace.etl   FEP service tracing log file. This file, stored in %ProgramData%\Microsoft Forefront\Support\, contains binary information typically only useful to product support personnel.

FEP Client Software Installation Log Files

The FEP client software creates log files both during installation and during day-to-day operations.

The following table lists Setup log files and the components with which they are associated.

Log file name                                      Description
EppSetup.log                                       Master Setup log file.
MSSecurityClient_Setup_epp_install.log             User interface and management extension Setup log file.
MSSecurityClient_Setup_FEP_install.log             Configuration Manager management extensions Setup log file.
MSSecurityClient_Setup_mp_ambits_install.log       Antimalware service Setup log file.
MSSecurityClient_Setup_epploc_x86_Install or       Localized resources installation log file (specific to the architecture on the client computer).
MSSecurityClient_Setup_epploc_x64_Install
MSSecurityClient_Setup_amloc-%locale%_install      Log file for installation of localized resources for the antimalware service. %locale% represents the locale for which the install was performed.
MSSecurityClient_Setup_KB981889_Install.evtx       The log file for Windows patch installation KB981889. Only present on Windows 7 or Windows Server 2008 R2.
MSSecurityClient_Setup_dw20shared_Install.log      Log file for installation of Dr. Watson (only installed on computers running Windows XP, and only if not already present).

You can find FEP client installation log files in the following locations:

• %allusersprofile%\Microsoft\Microsoft Antimalware\Support: log files specific to the antimalware service

• %allusersprofile%\Microsoft\Microsoft Security Client\Support: log files specific to the FEP client software

• %windir%\WindowsUpdate.log: Windows Update log file, which includes information about definition updates

Troubleshooting the FEP Security Management Pack and Operations Manager

The FEP Security Management Pack is built on Operations Manager, and implemented as an Operations Manager management pack. Troubleshooting the FEP Security Management Pack involves working with the Operations Manager Operations console and the management pack features.

You can view information about Managing Management Packs (http://go.microsoft.com/fwlink/?LinkId=206769) in the Operations Manager documentation.

13. Technical Reference

This technical reference provides additional information about Forefront Endpoint Protection.

FEP 2010 Policy - Default Settings

The following tables show the policy settings for the Default Server Policy, Default Desktop Policy, and the default settings when running the New Policy Wizard for Forefront Endpoint Protection installed on Configuration Manager. The tables match the tabs of the properties of a Forefront Endpoint Protection policy.

Antimalware Settings

Each row lists the value of a setting for the five policies, in this column order:
Default Desktop Policy | Default Server Policy | Standard Desktop Policy | Performance-optimized policy | High-security policy

Scheduled scan
  Schedule type and time of scan: Enabled | Not enabled | Enabled | Enabled | Enabled
  Scan type: Weekly quick scan | Not applicable | Weekly quick scan | Weekly quick scan | Daily quick scan and weekly full scan
  Daily scan time: Not applicable | Not applicable | Not applicable | Not applicable | 2:00 AM
  Weekly scan day: Sunday | Not applicable | Saturday | Saturday | Saturday
  Weekly scan time: 3:00 AM | Not applicable | 3:00 AM | 3:00 AM | 3:00 AM
  Check for definition updates before starting scan: Enabled | Not applicable | Enabled | Enabled | Enabled
  Scan only when the computer is not in use: Enabled | Not applicable | Enabled | Enabled | Not enabled
  Randomize scheduled scan start times (within 30 minutes from scheduled time): Enabled | Not applicable | Enabled | Enabled | Enabled
  Force a scan upon restart when two or more scheduled scans are missed: Not enabled | Not applicable | Not enabled | Enabled | (not listed)
  Limit processor usage during scans to the following percentage: Enabled | Enabled | Enabled | Enabled | Not enabled
  Percentage: 50% | 30% | 50% | 30% | Not applicable
  Allow users on endpoint computers to configure processor usage limits for scans: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
  User's control on scheduled scans: No control | No control | No control | No control | No control

Default actions
  Severe: Recommended action | Recommended action | Recommended action | Recommended action | Recommended action
  High: Recommended action | Recommended action | Recommended action | Recommended action | Recommended action
  Medium: Quarantine | Quarantine | Quarantine | Quarantine | Quarantine
  Low: Allow | Allow | Allow | Allow | Allow

Real-time protection
  Enable real-time protection: Enabled | Enabled | Enabled | Enabled | Enabled
  Scan system files: Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files
  Scan all downloaded files and attachments: Enabled | Not enabled | Enabled | Enabled | Enabled
  Use behavior monitoring: Enabled | Enabled (see note 1) | Enabled | Enabled | Enabled
  Enable protection against network-based exploits: Enabled | Not enabled (see note 2) | Enabled | Not enabled | Enabled
  Allow users on endpoint computer to configure real-time protection settings: Not enabled | Enabled | Not enabled | Not enabled | Not enabled

Note 1: On servers with a large number of short network connections, such as file servers, there may be a performance impact when the Behavior Monitoring policy setting is enabled.

Note 2: It is recommended that you do not enable this setting on servers.

Excluded files

and locations

Files

and

location

s

%windir%

\Software

Distributi

on\Datast

ore\Datas

tore.edb

%windir%

\Software

Distributi

on\Datast

ore\logs\

Res*.log%

windir%\S

oftwareDi

stribution

\Datastor

e\Logs\Re

s*.jrs%wi

ndir%\Sof

twareDist

ribution\

Datastore

\Logs\Edb

.chk%win

dir%\Soft

wareDistri

bution\Da

tastore\L

ogs\tmp.e

db%windi

r%\Securi

%windir%

\Software

Distributi

on\Datast

ore\Datas

tore.edb

%windir%

\Software

Distributi

on\Datast

ore\logs\

Res*.log%

windir%\S

oftwareDi

stribution

\Datastor

e\Logs\Re

s*.jrs%wi

ndir%\Sof

twareDist

ribution\

Datastore

\Logs\Edb

.chk%win

dir%\Soft

wareDistri

bution\Da

tastore\L

ogs\tmp.e

db%windi

r%\Securi

%windir%\So

ftwareDistrib

ution\Datast

ore\Datastor

e.edb%windi

r%\Software

Distribution\

Datastore\lo

gs\Res*.log%

windir%\Soft

wareDistribu

tion\Datasto

re\Logs\Res*

.jrs%windir%

\SoftwareDis

tribution\Dat

astore\Logs\

Edb.chk%win

dir%\Softwar

eDistribution

\Datastore\L

ogs\tmp.edb

%windir%\Se

curity\Datab

ase\*.edb%w

indir%\Securi

ty\Database\

*.sdb%windir

%\Security\D

atabase\*.lo

g%windir%\S

%windir%\Softw

areDistribution\

Datastore\Datas

tore.edb%windi

r%\SoftwareDist

ribution\Datast

ore\logs\Res*.lo

g%windir%\Soft

wareDistributio

n\Datastore\Log

s\Res*.jrs%wind

ir%\SoftwareDis

tribution\Datast

ore\Logs\Edb.ch

k%windir%\Soft

wareDistributio

n\Datastore\Log

s\tmp.edb%win

dir%\Security\D

atabase\*.edb%

windir%\Securit

y\Database\*.sd

b%windir%\Sec

urity\Database\

*.log%windir%\

Security\Databa

se\*.chk%windir

%\Security\Data

base\*.jrs%allus

ersprofile%\NTu

ser.pol%System

%windir%\

SoftwareD

istribution

\Datastore

\Datastore

.edb%win

dir%\Soft

wareDistri

bution\Da

tastore\lo

gs\Res*.lo

g%windir

%\Softwar

eDistributi

on\Datast

ore\Logs\

Res*.jrs%

windir%\S

oftwareDi

stribution\

Datastore\

Logs\Edb.

chk%windi

r%\Softwa

reDistribut

ion\Datast

ore\Logs\t

mp.edb%

windir%\S

ecurity\Da

tabase\*.e

Page 190: Forefront Endpoint Protection

Technical Reference

Page number 189

ty\Databa

se\*.edb

%windir%

\Security\

Database\

*.sdb%wi

ndir%\Sec

urity\Data

base\*.lo

g%windir

%\Securit

y\Databas

e\*.chk%

windir%\S

ecurity\D

atabase\*

.jrs%allus

ersprofile

%\NTuser

.pol%Syst

emRoot%

\System3

2\GroupP

olicy\regis

try.pol

ty\Databa

se\*.edb

%windir%

\Security\

Database\

*.sdb%wi

ndir%\Sec

urity\Data

base\*.lo

g%windir

%\Securit

y\Databas

e\*.chk%

windir%\S

ecurity\D

atabase\*

.jrs%allus

ersprofile

%\NTuser

.pol%Syst

emRoot%

\System3

2\GroupP

olicy\regis

try.pol

ecurity\Data

base\*.chk%

windir%\Sec

urity\Databa

se\*.jrs%allu

sersprofile%\

NTuser.pol%

SystemRoot

%\System32\

GroupPolicy\

registry.pol

Root%\System3

2\GroupPolicy\r

egistry.pol

db%windir

%\Security

\Database

\*.sdb%wi

ndir%\Sec

urity\Data

base\*.log

%windir%\

Security\D

atabase\*.

chk%windi

r%\Securit

y\Databas

e\*.jrs%all

usersprofil

e%\NTuse

r.pol%Syst

emRoot%\

System32\

GroupPoli

cy\registry

.pol

Excluded file

types

File

types

(empty) (empty) (empty) (empty) (empty)

Excluded

processes

Process

es

(empty) (empty) (empty) (empty) (empty)

Advanced Scan

archived

files

Enabled Enabled Enabled Enabled Enabled

Scan

network

drives

when

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Page 191: Forefront Endpoint Protection

Technical Reference

Page number 190

running

a full

scan

Scan

remova

ble

storage

devices,

such as

USB

flash

drives

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Create a

system

restore

point

before

cleaning

comput

ers

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Show

notificat

ions

message

s to

users on

endpoin

t

comput

ers

when

the

need

they

need to

perform

the

followin

g

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Page 192: Forefront Endpoint Protection

Technical Reference

Page number 191

actions:

Run a

full

scan,

Downlo

ad the

latest

virus

and

spyware

definitio

ns,

Downlo

ad

Microso

ft

Standal

one

System

Sweeper

Delete

quaranti

ne files

after

(number

of days)

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Allow

user on

endpoin

t

comput

ers to

configur

e

quaranti

ned

delete

period

Not

enabled

Not

enabled

Not enabled Not enabled Not

enabled

Page 193: Forefront Endpoint Protection

Technical Reference

Page number 192

Allow

user on

endpoin

t

comput

ers to

exclude

file and

location

s, file

types,

and

process

es

Not

enabled

Enabled Not enabled Not enabled Not

enabled

Overrid

es

Select the

override

action

you want

to apply

when

Forefront

Endpoint

Protectio

n detects

a threat

with the

following

name

(empty) (empty) (empty) (empty) (

e

m

p

t

y

)

Microsoft

SpyNet

Join

Microso

ft

SpyNet

Based on

the

setting

selected

during

FEP

server

setup

Based on

the

setting

selected

during

FEP

server

setup

Based on the

setting

selected

during FEP

server setup

Based on the

setting selected

during FEP

server setup

Based on

the setting

selected

during FEP

server

setup

Allow Not Not Not enabled Not enabled Not

Page 194: Forefront Endpoint Protection

Technical Reference

Page number 193

users on

endpoin

t

comput

ers to

change

SpyNet

settings

enabled enabled enabled

Updates Settings

Section / setting | Setting | Default Desktop Policy | Default Server Policy | Standard Desktop Policy | Performance-optimized policy | High-security policy
Check for definition updates using the following interval | Every (hours) | Enabled, every 8 hours | Enabled, every 8 hours | Enabled, every 8 hours | Enabled, every 8 hours | Enabled, every 8 hours
 | Daily at | Not enabled (time: Not applicable) | Not enabled (time: Not applicable) | Not enabled (time: Not applicable) | Not enabled (time: Not applicable) | Not enabled (time: Not applicable)
Force a definition update when definition updates have failed for (days) | | 1 | Not enabled | 1 | Not enabled | 1
Clients will pull updates from the selected sources in the order specified below (from top to bottom) | | 1. Updates distributed from Configuration Manager or WSUS; 2. Updates from Microsoft Update | 1. Updates distributed from Configuration Manager or WSUS; 2. Updates from Microsoft Update | 1. Updates distributed from Configuration Manager or WSUS; 2. Updates from Microsoft Update | 1. Updates distributed from Configuration Manager or WSUS; 2. Updates from Microsoft Update | 1. Updates distributed from Configuration Manager or WSUS; 2. Updates from Microsoft Update

Windows Firewall Settings

Section / setting | Setting | Default Desktop Policy | Default Server Policy | Standard Desktop Policy | Performance-optimized policy | High-security policy
Enable Host Firewall protection | | Enabled | Not enabled | Enabled | Not enabled | Enabled
Domain Networks | Firewall State | On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
 | Incoming connections | Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
 | Display notification | Yes | Not applicable | Yes | Not applicable | Yes
Private Networks | Firewall State | On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
 | Incoming connections | Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
 | Display notification | Yes | Not applicable | Yes | Not applicable | Yes
Public Networks | Firewall State | On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
 | Incoming connections | Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
 | Display notification | Yes | Not applicable | Yes | Not applicable | Yes

Security Management Pack Monitors

Forefront Endpoint Protection 2010 Security Management Pack Monitors

The following table shows the available monitors in the Forefront Endpoint Protection 2010 Security Management Pack. For more information about FEP Security Management Pack monitors, see About Monitors.

Monitor name | Monitor description | Generates alerts | Disabled by default
Real-time Protection | This monitor tracks the state of antimalware real-time protection. | Yes | No
Windows Firewall | This monitor detects the Windows Firewall state. | Yes | Yes
Antimalware Engine | This monitor tracks the health of the antimalware client and service. | Yes | No
Antimalware Definitions | This monitor detects whether there is a valid definitions file. If the definitions file is missing or corrupt, the monitor will enter a Critical state. | Yes | No
Antimalware Definitions Age | This monitor detects whether the definition file is out of date. If the definition file is older than three days, the monitor will enter a Warning state. If the definition is older than five days, the monitor will enter a Critical state. | Yes | No
Additional Actions Pending | This monitor tracks whether additional actions must be performed after malware has been blocked and removed from a computer. | Yes | No
Vulnerability Protection | This monitor detects computers that have real-time protection turned off and, additionally, have not performed a scan in the past three days. | No | No
Malware Outbreak | This monitor detects a malware outbreak of both cleaned and active infections when they occur on more than 5% (by default) of the total number of computers in a time period of one hour (by default). | Yes | No
Deployment Failure | This monitor tracks Forefront Endpoint Protection client installation failures and detects computers that require a restart in order to complete the installation. | Yes | No
Active Malware | This monitor tracks failed malware cleanup operations. | Yes | No
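The two threshold-based monitors above (Antimalware Definitions Age and Malware Outbreak) are easy to misjudge on a small fleet, so it helps to run the documented rules against your own numbers. The PowerShell below is an added example, not code from the management pack: it re-implements only the thresholds the table states (definitions older than three days = Warning, older than five = Critical; an outbreak = detections on more than 5% of all computers within one hour). The object shapes for `$Detections` (Computer, Time, Status) and the sample events are constructed for the example.

```powershell
# Added example; not part of the FEP Security Management Pack.
# Models the documented thresholds of two monitors over data you supply.

function Get-DefinitionAgeState {
    # Warning when definitions are older than 3 days, Critical when older
    # than 5 days, as stated in the Antimalware Definitions Age monitor.
    param(
        [Parameter(Mandatory)][datetime]$DefinitionDate,
        [datetime]$Now = (Get-Date),
        [int]$WarningDays = 3,
        [int]$CriticalDays = 5
    )
    $ageDays = ($Now - $DefinitionDate).TotalDays
    if ($ageDays -gt $CriticalDays) { return 'Critical' }
    if ($ageDays -gt $WarningDays)  { return 'Warning' }
    return 'Healthy'
}

function Test-MalwareOutbreak {
    # Outbreak when more than $ThresholdPercent of all managed computers had a
    # detection (cleaned or still active) inside the trailing $Window.
    param(
        [Parameter(Mandatory)][object[]]$Detections,   # assumed shape: Computer, Time, Status
        [Parameter(Mandatory)][int]$TotalComputers,
        [datetime]$Now = (Get-Date),
        [double]$ThresholdPercent = 5,
        [timespan]$Window = [timespan]::FromHours(1)
    )
    $windowStart = $Now - $Window
    # A computer counts once however many detections it reported in the window.
    $affected = @($Detections |
        Where-Object { $_.Time -ge $windowStart -and $_.Time -le $Now } |
        ForEach-Object { $_.Computer } |
        Sort-Object -Unique)
    $percent = if ($TotalComputers -gt 0) { 100.0 * $affected.Count / $TotalComputers } else { 0.0 }
    [pscustomobject]@{
        AffectedComputers = $affected.Count
        Percent           = [math]::Round($percent, 2)
        Outbreak          = ($percent -gt $ThresholdPercent)
        Affected          = $affected
    }
}

# Constructed sample data (not real telemetry): 40 managed computers and a
# handful of detections around the evaluation time.
$now = [datetime]'2011-03-01T12:00:00'
$detections = @(
    [pscustomobject]@{ Computer = 'WS01'; Time = $now.AddMinutes(-55); Status = 'Cleaned' }
    [pscustomobject]@{ Computer = 'WS02'; Time = $now.AddMinutes(-40); Status = 'Active'  }
    [pscustomobject]@{ Computer = 'WS02'; Time = $now.AddMinutes(-20); Status = 'Cleaned' }  # same host, counted once
    [pscustomobject]@{ Computer = 'WS07'; Time = $now.AddMinutes(-5);  Status = 'Active'  }
    [pscustomobject]@{ Computer = 'WS11'; Time = $now.AddMinutes(-90); Status = 'Cleaned' }  # outside the one-hour window
)

Get-DefinitionAgeState -DefinitionDate $now.AddDays(-4) -Now $now        # Warning
Test-MalwareOutbreak -Detections $detections -TotalComputers 40 -Now $now  # 3 of 40 = 7.5%, Outbreak = True
```

Two things the numbers make obvious: a single infected machine in a fleet of 15 already exceeds 5%, so the outbreak threshold needs raising for small collections or the monitor alerts on every detection; and because both cleaned and active infections count, an outbreak alert does not by itself mean any machine is still infected. Pair it with the Active Malware monitor before treating it as an incident.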

Security Management Pack Tasks

Forefront Endpoint Protection 2010 Security Management Pack Tasks

The following table shows the available tasks in the Forefront Endpoint Protection 2010 Security Management Pack. For more information about FEP tasks, see About Tasks.

Task name | Task description | Recovery task
Full Scan | This task will start a full scan on the selected endpoints. | No
Quick Scan | This task will start a quick scan on the selected endpoints. | No
Update Antimalware Definitions | This task will force a definition update on the selected endpoints. | Yes
Stop Scan | This task will stop scans that were started by a task or started manually on the client and are running on the selected endpoints. This task will not stop scheduled scans. | No
Enable Real-time Protection | This task will enable real-time protection on the selected endpoints. | No
Disable Real-time Protection | This task will disable real-time protection on the selected endpoints. | No
Enable NIS | This task will enable NIS on the selected endpoints. | No
Disable NIS | This task will disable NIS on the selected endpoints. | No
Turn Windows Firewall On | This task will turn on Windows Firewall at the profile level on the selected endpoints. | Yes
Turn Windows Firewall Off | This task will turn off Windows Firewall at the profile level on the selected endpoints. | No
Retrieve Endpoint Settings | This task will retrieve all effective settings from the selected endpoints. | No
Remote Desktop Connection | This task will initiate a remote desktop connection to the selected computer. | No
Restart Computer | This task will initiate a restart on the selected computer within one minute. | Recovery Task Only
Start Antimalware Service | This task will start the antimalware service on the selected endpoint. | Recovery Task Only

Important: When a Quick Scan or a Full Scan task is successfully initiated, the task will report a Success status. However, the success status indicates only that the scan was successfully initiated. It does not indicate that the scan successfully completed on the client.


FEP ADMX Reference

The table below shows the policy settings available after loading FEP ADMX files. For more information about FEP ADMX files, see Configuring and Viewing FEP Group Policy Settings. For information about configuring policies by using Configuration Manager, see FEP Policies.

Each entry gives Name | Setting Title | Configurable via the Configuration Manager console, followed by the setting's description.

Forefront Endpoint Protection 2010 | Allow antimalware service to startup with normal priority | Configurable via the Configuration Manager console: No
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
If you enable or do not configure this setting, the antimalware service will load as a normal priority task.
If you disable this setting, the antimalware service will load as a low priority task.

Forefront Endpoint Protection 2010 | Turn on spyware definitions | Configurable via the Configuration Manager console: No
This policy setting allows you to manage whether spyware definitions are used during a scan.
If you enable or do not configure this setting, spyware definitions will be enabled by default and used during scans.
If you disable this setting, spyware definitions will be disabled and will not be used during scans.

Forefront Endpoint Protection 2010 | Turn on virus definitions | Configurable via the Configuration Manager console: No
This policy setting allows you to manage whether virus definitions are used during a scan.
If you enable or do not configure this setting, virus definitions will be enabled and used during scans.
If you disable this setting, virus definitions will be disabled and will not be used during scans.

Forefront Endpoint Protection 2010 | Configure local administrator merge behavior for lists | Configurable via the Configuration Manager console: Yes
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists, such as threats and exclusions.
If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group Policy settings will override preference settings.
If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.

Forefront Endpoint Protection 2010 | Turn on routine remediation | Configurable via the Configuration Manager console: No
This policy setting allows you to configure routinely taking action on detected items. It is recommended that you enable this policy.
If you enable this setting, routine remediation will be enabled.
If you disable or do not configure this setting, routine remediation will be disabled.

Forefront Endpoint Protection 2010 | Define addresses to bypass proxy server | Configurable via the Configuration Manager console: No
This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.
If you enable this setting, the proxy server will be bypassed for the specified addresses.
If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.

Forefront Endpoint Protection 2010 | Define proxy server for connecting to the network | Configurable via the Configuration Manager console: No
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and SpyNet reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order):
1. Internet Explorer proxy settings
2. Autodetect
3. None
If you enable this setting, the proxy will be set to the specified URL.
If you disable or do not configure this setting, the proxy will be set according to the order specified above.

Forefront Endpoint Protection 2010 | Randomize scheduled task times | Configurable via the Configuration Manager console: Yes
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.
If you disable this setting, scheduled tasks will begin at the specified start time.

Forefront Endpoint Protection 2010 | Allow antimalware service to remain running always | Configurable via the Configuration Manager console: No
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled.
If you enable this setting, the antimalware service will always remain running, even if both antivirus and antispyware definitions are disabled.
If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware definitions are disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware definitions are enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.

Exclusions | Extension exclusions | Configurable via the Configuration Manager console: Yes
This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.

Exclusions | Path exclusions | Configurable via the Configuration Manager console: Yes
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.

Exclusions | Process exclusions | Configurable via the Configuration Manager console: Yes
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
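The three Exclusions settings above, and the default "Files and locations" list in the policy tables earlier in this reference, all use the same encoding: one registry value per entry, whose name is the path, extension or process image and whose data is a DWORD the product ignores (0 by recommendation). The PowerShell below is an added example, not FEP's own tooling; it writes such lists and reads them back for audit. The registry root in `$PolicyRoot` is an assumption about where the FEP 2010 ADMX files store these lists; confirm it against the ADMX/ADML on your own system before running without `-WhatIf`. The input checks (rejecting non-.exe process entries and dotted or path-like extensions) are the example's own, derived from the descriptions above.

```powershell
# Added example; not part of the FEP documentation or product.
# ASSUMPTION: the FEP 2010 ADMX files store exclusion lists under this key.
# Check the ADMX on your system and adjust $PolicyRoot if it differs.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions'

# The default "Files and locations" exclusions from the FEP policy templates.
$DefaultPathExclusions = @(
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb'
    '%windir%\SoftwareDistribution\Datastore\logs\Res*.log'
    '%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs'
    '%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk'
    '%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb'
    '%windir%\Security\Database\*.edb'
    '%windir%\Security\Database\*.sdb'
    '%windir%\Security\Database\*.log'
    '%windir%\Security\Database\*.chk'
    '%windir%\Security\Database\*.jrs'
    '%allusersprofile%\NTuser.pol'
    '%SystemRoot%\System32\GroupPolicy\registry.pol'
)

function Set-AntimalwareExclusionList {
    # Writes one DWORD value per entry: value name = entry, data = 0
    # (the reference says the data is unused and recommends 0).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('Paths', 'Extensions', 'Processes')]
        [string]$List,
        [Parameter(Mandatory)][string[]]$Entries
    )
    $key = Join-Path -Path $PolicyRoot -ChildPath $List
    if (-not (Test-Path -LiteralPath $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    foreach ($entry in $Entries) {
        # Only executables can be excluded as processes (ADMX text above);
        # anything else would be written but never match.
        if ($List -eq 'Processes' -and $entry -notmatch '\.exe$') {
            Write-Warning "Skipping '$entry': process exclusions must name an .exe image"
            continue
        }
        # Extension entries are bare extensions such as obj or lib.
        if ($List -eq 'Extensions' -and $entry -match '^\.|[\\/*?]') {
            Write-Warning "Skipping '$entry': extension exclusions are bare extensions such as obj"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, "Add $List exclusion '$entry'")) {
            New-ItemProperty -LiteralPath $key -Name $entry -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-AntimalwareExclusionList {
    # Lists every configured entry so the blind spots can be reviewed.
    param(
        [ValidateSet('Paths', 'Extensions', 'Processes')]
        [string[]]$List = @('Paths', 'Extensions', 'Processes')
    )
    foreach ($name in $List) {
        $key = Join-Path -Path $PolicyRoot -ChildPath $name
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Read value names from the key object so entries containing * or ?
        # are not expanded as wildcards (Get-ItemProperty -Name would do that).
        foreach ($entry in (Get-Item -LiteralPath $key).GetValueNames()) {
            [pscustomobject]@{ List = $name; Entry = $entry }
        }
    }
}

# Dry run first; re-run without -WhatIf from an elevated prompt to apply.
Set-AntimalwareExclusionList -List Paths -Entries $DefaultPathExclusions -WhatIf
Set-AntimalwareExclusionList -List Processes -Entries 'C:\Windows\App.exe', 'backup' -WhatIf
Get-AntimalwareExclusionList | Format-Table -AutoSize
```

Treat the output of Get-AntimalwareExclusionList as a list of places scanning will never look: any file written under an excluded path, or by an excluded process, is invisible to both real-time and scheduled scans. Keep the lists to the specific files the reference names rather than whole directories, and remember that with "Configure local administrator merge behavior for lists" enabled (the default), exclusions a local administrator adds are merged into the effective policy, so the audit should cover the local preference lists as well as the policy key.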

Network Inspection System | Turn on protocol recognition | Configurable via the Configuration Manager console: No
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
If you enable or do not configure this setting, protocol recognition will be enabled.
If you disable this setting, protocol recognition will be disabled.

Network Inspection System | Turn on definition retirement | Configurable via the Configuration Manager console: No
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all definitions for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
If you enable or do not configure this setting, definition retirement will be enabled.
If you disable this setting, definition retirement will be disabled.

Network Inspection System | Define the rate of detection events for logging | Configurable via the Configuration Manager console: No
This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is defined in minutes. The default interval is 60 minutes.
If you enable this setting, detection events will not be logged if there is more than one similar report (by definition GUID) in the specified number of minutes.
If you disable or do not configure this setting, detection events will be logged at the default rate.
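The rate limit above is keyed on the definition GUID alone, which matters when reading NIS logs during an investigation: a burst of attempts against one signature from many sources collapses into a single logged event per interval. The PowerShell below is an added example, not FEP code; it models the documented rule over constructed events (the Time, DefinitionGuid and Source fields and the GUID values are made up for the example) so the suppression behaviour can be seen directly.

```powershell
# Added example; not FEP code. Models the "one event per definition GUID per
# interval" logging rule the setting above describes.

function Select-LoggedDetectionEvent {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # assumed shape: Time, DefinitionGuid, Source
        [int]$IntervalMinutes = 60                # the documented default interval
    )
    $lastLogged = @{}   # definition GUID -> time of the last event that was logged
    foreach ($e in ($Events | Sort-Object -Property Time)) {
        $guid = $e.DefinitionGuid
        if ($lastLogged.ContainsKey($guid) -and
            ($e.Time - $lastLogged[$guid]).TotalMinutes -lt $IntervalMinutes) {
            continue   # suppressed: a similar report (same GUID) was logged inside the interval
        }
        $lastLogged[$guid] = $e.Time
        $e                 # emitted = would be written to the log
    }
}

# Constructed events: one signature hit from three sources within the hour,
# a second signature, and the first signature again after the interval elapses.
$t0 = [datetime]'2011-03-01T09:00:00'
$events = @(
    [pscustomobject]@{ Time = $t0;                DefinitionGuid = 'AAAA'; Source = '10.0.0.5'  }
    [pscustomobject]@{ Time = $t0.AddMinutes(2);  DefinitionGuid = 'AAAA'; Source = '10.0.0.9'  }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); DefinitionGuid = 'BBBB'; Source = '10.0.0.9'  }
    [pscustomobject]@{ Time = $t0.AddMinutes(45); DefinitionGuid = 'AAAA'; Source = '10.0.0.77' }
    [pscustomobject]@{ Time = $t0.AddMinutes(61); DefinitionGuid = 'AAAA'; Source = '10.0.0.5'  }
)

Select-LoggedDetectionEvent -Events $events -IntervalMinutes 60 | Format-Table -AutoSize
# Logged: AAAA at 09:00, BBBB at 09:30, AAAA at 10:01. Suppressed: AAAA at 09:02 and 09:45,
# so the log shows nothing about the second and third source addresses.
```

The setting limits logging only; it says nothing about enforcement. On an exposed server where you want per-source visibility for incident response, lower the interval (at the cost of log volume) or collect the detections through another channel rather than relying on the event log count as a measure of attack activity.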

Network Inspection System Exclusions | IP address range exclusions | Configurable via the Configuration Manager console: No
This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of an IP address range. As an example, a range might be defined as 157.1.45.123-60.1.1.1. The value is not used and it is recommended that this be set to 0.

Network Inspection System Exclusions | Port number exclusions | Configurable via the Configuration Manager console: No
This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a TCP port number. As an example, a port might be defined as 8080. The value is not used and it is recommended that this be set to 0.

Network Inspection System Exclusions | Process exclusions for outbound traffic | Configurable via the Configuration Manager console: No
This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a process path and name. As an example, a process might be defined as "C:\Windows\System32\App.exe". The value is not used and it is recommended that this be set to 0.

Network Inspection System Exclusions | Threat ID exclusions | Configurable via the Configuration Manager console: No
This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a Threat ID. As an example, a Threat ID might be defined as 2925110632. The value is not used and it is recommended that this be set to 0.

Quarantine | Configure local setting override for the removal of items from Quarantine folder | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Quarantine | Configure removal of items from Quarantine folder | Configurable via the Configuration Manager console: Yes
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
If you disable or do not configure this setting, items will be kept in the Quarantine folder indefinitely and will not be automatically removed.

Real-time Protection | Turn on behavior monitoring | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure behavior monitoring.
If you enable or do not configure this setting, behavior monitoring will be enabled.
If you disable this setting, behavior monitoring will be disabled.

Real-time Protection | Turn on Information Protection Control | Configurable via the Configuration Manager console: No
This policy setting allows you to configure Information Protection Control (IPC).
If you enable this setting, IPC will be enabled.
If you disable or do not configure this setting, IPC will be disabled.

Real-time Protection | Turn on network protection against exploits of known vulnerabilities | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure network protection against exploits of known vulnerabilities.
If you enable or do not configure this setting, the network protection will be enabled.
If you disable this setting, the network protection will be disabled.

Real-time Protection | Scan all downloaded files and attachments | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure scanning for all downloaded files and attachments.
If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
If you disable this setting, scanning for all downloaded files and attachments will be disabled.

Real-time Protection | Monitor file and program activity on your computer | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure monitoring for file and program activity.
If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
If you disable this setting, monitoring for file and program activity will be disabled.

Real-time Protection | Turn on raw volume write notifications | Configurable via the Configuration Manager console: No
This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
If you enable or do not configure this setting, raw write notifications will be enabled.
If you disable this setting, raw write notifications will be disabled.

Real-time Protection | Turn on real-time protection | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure real-time protection. This setting controls all real-time protection components. It is recommended that you turn on real-time protection.
If you enable or do not configure this setting, real-time protection will be turned on.
If you disable this setting, real-time protection will be turned off.

Real-time Protection | Turn on process scanning whenever real-time protection is enabled | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off.
If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.
If you disable this setting, a process scan will not be initiated when real-time protection is turned on.

Real-time Protection | Define the maximum size of downloaded files and attachments to be scanned | Configurable via the Configuration Manager console: No
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.
If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.
If you disable or do not configure this setting, a default size will be applied.

Real-time Protection | Configure local setting override for turn on behavior monitoring | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override for monitoring file and program activity on your computer | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override to turn off Intrusion Prevention System | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override for scanning all downloaded files and attachments | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override to turn on real-time protection | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override to turn on script scanning | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of the script scanning browser helper object in Internet Explorer. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure local setting override for monitoring for incoming and outgoing file activity | Configurable via the Configuration Manager console: Yes
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Real-time Protection | Configure monitoring for incoming and outgoing file and program activity | Configurable via the Configuration Manager console: Yes
This policy setting allows you to configure monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but that, for performance reasons, need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.
Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.
The options for this setting are mutually exclusive:
0 = Scan incoming and outgoing files (default)
1 = Scan incoming files only
2 = Scan outgoing files only
Any other value, or if the value does not exist, resolves to the default (0).
If you enable this setting, the specified type of monitoring will be enabled.
If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.

Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | Yes
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Yes
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all.
This setting can be configured with the following ordinal number values:
• (0x0) Every Day (default)
• (0x1) Sunday
• (0x2) Monday
• (0x3) Tuesday
• (0x4) Wednesday
• (0x5) Thursday
• (0x6) Friday
• (0x7) Saturday
• (0x8) Never
If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.
If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.

Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Yes
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.
If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.
If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.

Reporting | Configure time out for detections requiring additional action | No
This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.

Reporting | Configure time out for detections in critically failed state | No
This policy setting configures the time in minutes before a detection in the "critically failed" state moves to either the "additional action" state or the "cleared" state.

Reporting | Configure Watson events | No
This policy setting allows you to configure whether or not Watson events are sent.
If you enable or do not configure this setting, Watson events will be sent.
If you disable this setting, Watson events will not be sent.

Reporting | Configure time out for detections in non-critical failed state | No
This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.

Reporting | Configure time out for detections in recently remediated state | No
This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.

Reporting | Configure Windows software trace preprocessor components | No
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.

Reporting | Configure WPP tracing level | No
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as:
• 1 - Error
• 2 - Warning
• 3 - Info
• 4 - Debug

Scan | Allow users to pause scan | No
This policy setting allows you to manage whether or not end users can pause a scan in progress.
If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
If you disable this setting, users will not be able to pause scans.

Scan | Specify the maximum depth to scan archive files | No
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
If you enable this setting, archive files will be scanned to the directory depth level specified.
If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.

Scan | Specify the maximum size of archive files to be scanned | No
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
If you enable this setting, archive files less than or equal to the size specified will be scanned.
If you disable or do not configure this setting, archive files will be scanned according to the default value.

Scan | Specify the maximum percentage of CPU utilization during a scan | Yes
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
If you enable this setting, CPU utilization will not exceed the percentage specified.
If you disable or do not configure this setting, CPU utilization will not exceed the default value.

Scan | Check for the latest virus and spyware definitions before running a scheduled scan | Yes
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
If you enable this setting, a check for new definitions will occur before running a scan.
If you disable this setting or do not configure this setting, the scan will start using the existing definitions.

Scan | Scan archive files | Yes
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
If you enable or do not configure this setting, archive files will be scanned.
If you disable this setting, archive files will not be scanned.

Scan | Turn on catch-up full scan | Yes
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.

Scan | Turn on catch-up quick scan | Yes
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.

Scan | Turn on e-mail scanning | No
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Microsoft Outlook®), dbx, mbx, mime (Outlook Express), binhex (Mac).
If you enable this setting, e-mail scanning will be enabled.
If you disable or do not configure this setting, e-mail scanning will be disabled.

Scan | Turn on heuristics | Yes
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.
If you enable or do not configure this setting, heuristics will be enabled.
If you disable this setting, heuristics will be disabled.

Scan | Scan packed executables | No
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.
If you enable or do not configure this setting, packed executables will be scanned.
If you disable this setting, packed executables will not be scanned.

Scan | Scan removable drives | Yes
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
If you enable this setting, removable drives will be scanned during any type of scan.
If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.

Scan | Turn on reparse point scanning | No
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
If you enable this setting, reparse point scanning will be enabled.
If you disable or do not configure this setting, reparse point scanning will be disabled.

Scan | Create a system restore point | Yes
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
If you enable this setting, a system restore point will be created.
If you disable or do not configure this setting, a system restore point will not be created.

Scan | Run full scan on mapped network drives | Yes
This policy setting allows you to configure scanning mapped network drives.
If you enable this setting, mapped network drives will be scanned.
If you disable or do not configure this setting, mapped network drives will not be scanned.

Scan | Scan network files | Yes
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
If you enable this setting, network files will be scanned.
If you disable or do not configure this setting, network files will not be scanned.

Scan | Configure local setting override for maximum percentage of CPU utilization | Yes
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan | Configure local setting override for the scan type to use for a scheduled scan | Yes
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan | Configure local setting override for schedule scan day | Yes
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan | Configure local setting override for scheduled quick scan time | Yes
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan | Block unsigned obfuscated executables | No
This policy setting allows you to manage whether to detect and block binaries that are obfuscated or binaries that do not have a trusted digital signature. For the signature on a binary to be trusted, it must chain to a code signing certificate in the Windows Trusted Root Program.
If you enable this setting, unsigned obfuscated executables will be blocked.
If you disable or do not configure this setting, unsigned obfuscated executables will not be blocked.

Scan | Turn on removal of items from scan history folder | No
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
If you enable this setting, items will be removed from the scan history folder after the number of days specified.
If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.

Scan | Specify the interval to run quick scans per day | Yes
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
If you enable this setting, a quick scan will run at the interval specified.
If you disable or do not configure this setting, a quick scan will run at a default time.

Scan | Start the scheduled scan only when computer is on but not in use | Yes
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
If you disable this setting, scheduled scans will run at the scheduled time.

Scan | Specify the scan type to use for a scheduled scan | Yes
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
• 1 = Quick Scan (default)
• 2 = Full Scan
If you enable this setting, the scan type will be set to the specified value.
If you disable or do not configure this setting, the default scan type will be used.

Scan | Specify the day of the week to run a scheduled scan | Yes
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
This setting can be configured with the following ordinal number values:
• (0x0) Every Day (default)
• (0x1) Sunday
• (0x2) Monday
• (0x3) Tuesday
• (0x4) Wednesday
• (0x5) Thursday
• (0x6) Friday
• (0x7) Saturday
• (0x8) Never
If you enable this setting, a scheduled scan will run at the frequency specified.
If you disable or do not configure this setting, a scheduled scan will run at a default frequency.

Scan | Specify the time for a daily quick scan | Yes
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
If you enable this setting, a daily quick scan will run at the time of day specified.
If you disable or do not configure this setting, a daily quick scan will run at a default time.

Scan | Specify the time of day to run a scheduled scan | Yes
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
If you enable this setting, a scheduled scan will run at the time of day specified.
If you disable or do not configure this setting, a scheduled scan will run at a default time.

Signature Updates | Define the number of days before spyware definitions are considered out of date | Yes
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
If you enable this setting, spyware definitions will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware definitions will be considered out of date after the default number of days have passed without an update.

Signature Updates | Define the number of days before virus definitions are considered out of date | Yes
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
If you enable this setting, virus definitions will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, virus definitions will be considered out of date after the default number of days have passed without an update.

Signature Updates | Define file shares for downloading definition updates | Yes
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.

Signature Updates | Turn on scan after signature update | Yes
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred.
If you enable or do not configure this setting, a scan will start following a definition update.
If you disable this setting, a scan will not start following a definition update.

Signature Updates | Allow definition updates when running on battery power | Yes
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present.
If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present.
If you disable this setting, definition updates will not be initiated on startup when there is no antimalware engine present.

Signature Updates | Define the order of sources for downloading definition updates | Yes
This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares". For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, definition update sources will be contacted in a default order.
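The pipe-separated lists used by the "Define file shares for downloading definition updates" and "Define the order of sources for downloading definition updates" settings above, parsed and validated against the documented source names, with the documented contact order (stop after the first source that delivers an update) simulated. This is an added example, not code from Forefront Endpoint Protection; the downloader callback and the sample values are constructed.

```python
"""Parse and validate the pipe-separated source lists of the two Signature
Updates settings, then walk the sources in order until one succeeds.

Added example; not Forefront Endpoint Protection code. The "{ A | B }" value
format and the four source names come from the documentation; the
try_source callback and the sample values are constructed.
"""
from typing import Callable, Iterable, List

# The four source names the "order of sources" setting accepts.
VALID_SOURCES = {
    "InternalDefinitionUpdateServer",
    "MicrosoftUpdateServer",
    "MMPC",
    "FileShares",
}


def parse_pipe_list(value: str) -> List[str]:
    """Split a '{ a | b }' string into its ordered, whitespace-trimmed items.

    The surrounding braces are optional, so a value entered without them is
    still accepted; empty items (as in '{ a | }') are dropped.
    """
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    return [item.strip() for item in text.split("|") if item.strip()]


def parse_source_order(value: str) -> List[str]:
    """Validate the source order string: known names only, each listed once."""
    sources = parse_pipe_list(value)
    unknown = [s for s in sources if s not in VALID_SOURCES]
    if unknown:
        raise ValueError(f"unknown definition update source(s): {unknown}")
    if len(set(sources)) != len(sources):
        raise ValueError("a definition update source is listed more than once")
    return sources


def parse_file_shares(value: str) -> List[str]:
    """Validate the UNC share list: every entry must begin with two backslashes."""
    shares = parse_pipe_list(value)
    bad = [s for s in shares if not s.startswith("\\\\")]
    if bad:
        raise ValueError(f"not a UNC path: {bad}")
    return shares


def fetch_in_order(sources: Iterable[str],
                   try_source: Callable[[str], bool]) -> List[str]:
    """Contact sources in the listed order and stop at the first success.

    Returns the sources actually contacted, which mirrors the documented
    rule: once definitions are downloaded from one source, the remaining
    sources in the list are not contacted.
    """
    contacted = []
    for source in sources:
        contacted.append(source)
        if try_source(source):
            break
    return contacted


# Constructed sample values, in the documented "{ a | b }" form.
SAMPLE_ORDER = "{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }"
SAMPLE_SHARES = r"{\\unc1 | \\unc2 }"


def simulate_internal_server_down() -> List[str]:
    """Scenario: the internal server is unreachable, Microsoft Update succeeds."""
    reachable = {"MicrosoftUpdateServer", "MMPC"}  # constructed availability
    return fetch_in_order(parse_source_order(SAMPLE_ORDER),
                          lambda src: src in reachable)


if __name__ == "__main__":
    print(parse_source_order(SAMPLE_ORDER))
    print(parse_file_shares(SAMPLE_SHARES))
    print(simulate_internal_server_down())
```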

Signature Updates | Allow definition updates from Microsoft Update | Yes
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
If you enable this setting, definition updates will be downloaded from Microsoft Update.
If you disable or do not configure this setting, definition updates will be downloaded from the configured download source.

Signature Updates | Allow real-time definition updates based on reports to Microsoft SpyNet | No
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft SpyNet. If the service reports a file as an unknown and Microsoft SpyNet finds that the latest definition update has definitions for a threat involving that file, the service will receive all of the latest definitions for that threat immediately. You must have configured your computer to join Microsoft SpyNet for this functionality to work.
If you enable or do not configure this setting, real-time definition updates will be enabled.
If you disable this setting, real-time definition updates will be disabled.

Signature Updates | Specify the day of the week to check for definition updates | Yes
This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all.
This setting can be configured with the following ordinal number values:
• (0x0) Every Day (default)
• (0x1) Sunday
• (0x2) Monday
• (0x3) Tuesday
• (0x4) Wednesday
• (0x5) Thursday
• (0x6) Friday
• (0x7) Saturday
• (0x8) Never
If you enable this setting, the check for definition updates will occur at the frequency specified.
If you disable or do not configure this setting, the check for definition updates will occur at a default frequency.

Signature Updates | Specify the time to check for definition updates | Yes
This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for definition updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring.
If you enable this setting, the check for definition updates will occur at the time of day specified.
If you disable or do not configure this setting, the check for definition updates will occur at the default time.
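The value encodings documented for the schedule settings above (the day-of-week ordinals and minutes-past-midnight times shared by the Remediation, Scan and Signature Updates settings, the scan type, the real-time monitoring direction, the CPU utilization percentage and the quick scan interval), decoded and range-checked in one place. This is an added example, not code from Forefront Endpoint Protection or its documentation; the keys of the policy snapshot are this example's own names, not the product's registry values, and the snapshot is constructed.

```python
"""Decode and range-check the schedule and throttling values documented for
the Remediation, Real-time Protection, Scan and Signature Updates settings.

Added example; not code from Forefront Endpoint Protection or its
documentation. The keys of the policy snapshot below are this example's own
names, not the product's registry values or ADMX identifiers, and the
snapshot itself is constructed.
"""
from datetime import time

# Day-of-week ordinals, as documented for the scheduled scan, remediation
# scan and definition update check settings.
DAY_NAMES = {
    0x0: "Every Day", 0x1: "Sunday", 0x2: "Monday", 0x3: "Tuesday",
    0x4: "Wednesday", 0x5: "Thursday", 0x6: "Friday", 0x7: "Saturday",
    0x8: "Never",
}
# "Specify the scan type to use for a scheduled scan".
SCAN_TYPES = {1: "Quick Scan", 2: "Full Scan"}
# "Configure monitoring for incoming and outgoing file and program activity".
MONITOR_DIRECTIONS = {
    0: "Scan incoming and outgoing files",
    1: "Scan incoming files only",
    2: "Scan outgoing files only",
}


def decode_day(value: int) -> str:
    """Map a day-of-week ordinal to its name; ordinals outside 0x0..0x8 are rejected."""
    if value not in DAY_NAMES:
        raise ValueError(f"day-of-week ordinal out of range: {value:#x}")
    return DAY_NAMES[value]


def decode_time(minutes: int) -> str:
    """Minutes past midnight (00:00) -> 'HH:MM' local time; 120 (0x78) is 02:00."""
    if not 0 <= minutes < 24 * 60:
        raise ValueError(f"minutes past midnight out of range: {minutes}")
    return time(minutes // 60, minutes % 60).strftime("%H:%M")


def decode_scan_type(value: int) -> str:
    """1 = Quick Scan (default), 2 = Full Scan; anything else is rejected."""
    if value not in SCAN_TYPES:
        raise ValueError(f"scan type out of range: {value}")
    return SCAN_TYPES[value]


def decode_monitor_direction(value) -> str:
    """Any value other than 0, 1 or 2 (or a missing value) resolves to the default (0)."""
    return MONITOR_DIRECTIONS.get(value, MONITOR_DIRECTIONS[0])


def check_cpu_load_factor(value: int) -> int:
    """Valid values are the integers 5..100 (a percentage); 0 means no throttling."""
    if value == 0 or 5 <= value <= 100:
        return value
    raise ValueError(f"CPU utilization percentage out of range: {value}")


def check_quick_scan_interval(hours: int) -> int:
    """Valid values are 1 (every hour) to 24 (once per day); 0 turns interval scans off."""
    if 0 <= hours <= 24:
        return hours
    raise ValueError(f"quick scan interval out of range: {hours}")


def describe_schedule(policy: dict) -> dict:
    """Render a policy snapshot in human-readable form, rejecting out-of-range values."""
    return {
        "scheduled_scan": (f"{decode_scan_type(policy['scan_type'])} on "
                           f"{decode_day(policy['scan_day'])} at "
                           f"{decode_time(policy['scan_time'])}"),
        "definition_check": (f"{decode_day(policy['update_day'])} at "
                             f"{decode_time(policy['update_time'])}"),
        "quick_scan_interval_hours": check_quick_scan_interval(policy["quick_scan_interval"]),
        "cpu_limit_percent": check_cpu_load_factor(policy["cpu_load_factor"]),
        "realtime_direction": decode_monitor_direction(policy.get("monitor_direction")),
    }


# Constructed sample snapshot; the values mirror the documented examples and defaults.
SAMPLE_POLICY = {
    "scan_type": 2,            # Full Scan
    "scan_day": 0x7,           # Saturday
    "scan_time": 120,          # 0x78, the documented example: 02:00
    "update_day": 0x0,         # Every Day
    "update_time": 105,        # 15 minutes before the 02:00 scan, the documented default
    "quick_scan_interval": 0,  # interval quick scans off, the documented default
    "cpu_load_factor": 50,     # the documented default
    "monitor_direction": 7,    # not 0, 1 or 2, so it resolves to the default (0)
}

if __name__ == "__main__":
    for key, value in describe_schedule(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```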

Signature Updates | Allow notifications to disable definitions based reports to Microsoft SpyNet | No
This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft SpyNet. Microsoft SpyNet uses these notifications to disable definitions that are causing false positive reports. You must have configured your computer to join Microsoft SpyNet for this functionality to work.
If you enable or do not configure this setting, the antimalware service will receive notifications to disable definitions.
If you disable this setting, the antimalware service will not receive notifications to disable definitions.

Signature Updates | Define the number of days after which a catch-up definition update is required | Yes
This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day.
If you enable this setting, a catch-up definition update will occur after the specified number of days.
If you disable or do not configure this setting, a catch-up definition update will be required after the default number of days.

Signature Updates | Specify the interval to check for definition updates | Yes
This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).
If you enable this setting, checks for definition updates will occur at the interval specified.
If you disable or do not configure this setting, checks for definition updates will occur at the default interval.

Signature Updates | Check for the latest virus and spyware definitions on startup | No
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup.
If you enable this setting, a check for new definitions will occur after service startup.
If you disable this setting or do not configure this setting, a check for new definitions will not occur after service startup.

SpyNet | Configure local setting override for reporting to Microsoft SpyNet | Yes
This policy setting configures a local override for the configuration to join Microsoft SpyNet. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

SpyNet | Join Microsoft SpyNet | Yes
This policy setting allows you to join Microsoft SpyNet. Microsoft SpyNet is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and helps it to protect your computer. This information can include things like the location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
Possible options are:
• (0x0) Disabled (default)
• (0x1) Basic membership
• (0x2) Advanced membership
Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.
Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
If you enable this setting, you will join Microsoft SpyNet with the membership specified.
If you disable or do not configure this setting, you will not join Microsoft SpyNet.

Threats Specify threats

upon which

default action

should not be

taken when

detected

This policy setting customize which

remediation action will be taken for each

listed Threat ID when it is detected during a

scan. Threats should be added under the

Options for this setting. Each entry must be

listed as a name value pair. The name

defines a valid Threat ID, while the value

contains the action ID for the remediation

action that should be taken.

Valid remediation action values are:

• 2 = Quarantine

• 3 = Remove

• 6 = Ignore

Yes

Threats Specify threat

alert levels at

which default

action should

not be taken

when detected

This policy setting allows you to customize

which automatic remediation action will be

taken for each threat alert level. Threat

alert levels should be added under the

Options for this setting. Each entry must be

listed as a name value pair. The name

defines a threat alert level. The value

contains the action ID for the remediation

action that should be taken.

Valid threat alert levels are:

• 1 = Low

Yes

Page 232: Forefront Endpoint Protection

Technical Reference

Page number 231

• 2 = Medium

• 4 = High

• 5 = Severe

Valid remediation action values are:

• 2=Quarantine

• 3=Remove

• 6=Ignore
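As an added example that is not part of the Forefront documentation, the PowerShell below reads the SpyNet and Threats policy settings described above as they land on a client, translates the numeric codes back into the names the policy text uses, and flags any Threat ID or alert level that has been mapped to Ignore (6) or to a code the policy does not define. The registry root, the subkey names (SpyNet, Threats\ThreatSeverityDefaultAction, Threats\ThreatIDDefaultAction) and the value names SpyNetReporting and LocalSettingOverrideSpynetReporting are assumptions taken from the Microsoft Antimalware ADMX template; confirm them against the template you actually deploy.

```powershell
# Added example, not part of the FEP 2010 documentation.
# ASSUMED policy locations (from the Microsoft Antimalware ADMX template; verify
# against your own template before relying on this):
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$ThreatsKey = "$PolicyRoot\Threats"
$SpyNetKey  = "$PolicyRoot\SpyNet"

# Code tables straight from the policy descriptions above.
$ActionNames = @{ '2' = 'Quarantine'; '3' = 'Remove'; '6' = 'Ignore' }
$LevelNames  = @{ '1' = 'Low'; '2' = 'Medium'; '4' = 'High'; '5' = 'Severe' }
$SpyNetNames = @{ '0' = 'Disabled'; '1' = 'Basic membership'; '2' = 'Advanced membership' }

function Resolve-Code {
    param([hashtable]$Table, [string]$Code)
    # Unknown codes are reported, not silently mapped: a mistyped name/value
    # pair in a GPO is exactly what this audit exists to catch.
    if ($Table.ContainsKey($Code)) { $Table[$Code] } else { "Unknown($Code)" }
}

function Get-NameValuePairs {
    param([string]$Key)
    # Each entry under these keys is a registry value whose NAME is the threat ID
    # or alert level and whose DATA is the remediation action ID.
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item $Key
    foreach ($name in $item.GetValueNames()) {
        if ($name) { [pscustomobject]@{ Name = $name; Value = [string]$item.GetValue($name) } }
    }
}

function Get-FepThreatActionReport {
    foreach ($pair in Get-NameValuePairs "$ThreatsKey\ThreatSeverityDefaultAction") {
        [pscustomobject]@{
            Scope    = 'AlertLevel'
            Target   = Resolve-Code $LevelNames $pair.Name
            ActionId = $pair.Value
            Action   = Resolve-Code $ActionNames $pair.Value
        }
    }
    foreach ($pair in Get-NameValuePairs "$ThreatsKey\ThreatIDDefaultAction") {
        [pscustomobject]@{
            Scope    = 'ThreatID'
            Target   = $pair.Name
            ActionId = $pair.Value
            Action   = Resolve-Code $ActionNames $pair.Value
        }
    }
}

function Get-FepSpyNetSetting {
    # SpyNetReporting holds 0/1/2. LocalSettingOverrideSpynetReporting = 1 means the
    # client's local preference wins over this policy (ASSUMED value names).
    $props = $null
    if (Test-Path $SpyNetKey) { $props = Get-ItemProperty -Path $SpyNetKey }
    $membership = 'Not configured (client will not join)'
    if ($null -ne $props -and $null -ne $props.SpyNetReporting) {
        $membership = Resolve-Code $SpyNetNames ([string]$props.SpyNetReporting)
    }
    $override = $false
    if ($null -ne $props -and $props.LocalSettingOverrideSpynetReporting -eq 1) { $override = $true }
    [pscustomobject]@{ Membership = $membership; LocalOverride = $override }
}

$spyNet = Get-FepSpyNetSetting
"SpyNet membership: {0}; local override allowed: {1}" -f $spyNet.Membership, $spyNet.LocalOverride

$rows = @(Get-FepThreatActionReport)
$rows | Format-Table -AutoSize

# The check a reviewer cares about: Ignore (6) means the client takes no action for
# that threat or whole alert level, and an unknown code means the pair was mistyped.
foreach ($r in $rows | Where-Object { $_.ActionId -eq '6' -or $_.Action -like 'Unknown*' -or $_.Target -like 'Unknown*' }) {
    Write-Warning ("{0} {1}: action {2} (ID {3})" -f $r.Scope, $r.Target, $r.Action, $r.ActionId)
}
```

Run it on a client that has received the policy; a warning for a High or Severe alert level mapped to Ignore, or for a Threat ID you do not recognise, is the kind of silent remediation bypass that should be traced back to the GPO that set it.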

UX Configuration: Display notifications to clients when they need to perform actions

This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions:

• Run a full scan

• Download the latest virus and spyware definitions

• Download Standalone System Sweeper

If you enable or do not configure this setting, notifications will be displayed to clients when they need to perform the specified actions.

If you disable this setting, notifications will not be displayed to clients when they need to perform the specified actions.

Yes

FEP2010 Client Help

This section of the Microsoft Forefront Endpoint Protection 2010 Technical Reference contains the

help included with the Forefront Endpoint Protection client software.

Welcome to Microsoft Forefront Endpoint Protection

This version of Microsoft® Forefront® Endpoint Protection 2010 includes the following new features

and enhancements to better help protect your computer from threats:

• Windows Firewall integration. Forefront Endpoint Protection setup enables you to turn on

or off Windows Firewall.


• Network Inspection System. This feature enhances real-time protection by inspecting

network traffic to help proactively block exploitation of known network-based vulnerabilities.

• New and improved protection engine. The updated engine offers enhanced detection and

cleanup capabilities with better performance.

These features are described in more detail in the following sections.

Windows Firewall integration

Windows Firewall can help prevent attackers or malicious software from gaining access to your

computer through the Internet or a network. Now when you install Forefront Endpoint Protection,

the installation wizard verifies that Windows Firewall is turned on. If you have intentionally turned

off Windows Firewall, you can avoid turning it on by clearing a check box. You can change your

Windows Firewall settings at any time via the System and Security settings in Control Panel.

Network Inspection System

Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before

software vendors can develop and distribute security updates. Studies of vulnerabilities show that it

can take a month or longer from the time of an initial attack report before a suitable security update

is developed, tested, and released. This gap in protection leaves many computers vulnerable to

attacks and exploitation for a substantial period of time. Network Inspection System works with real-

time protection to better protect you against network-based attacks by greatly reducing the

timespan between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine

Under the hood of Forefront Endpoint Protection is its award-winning protection engine that is

updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft

Malware Protection Center, providing responses to the latest malware threats 24 hours a day.

Why do I need antivirus and antispyware software?

It is critical to make sure that your computer is running software that protects against malicious

software. Malicious software, which includes viruses, spyware, or other potentially unwanted

software can try to install itself on your computer any time you connect to the Internet. It can also

infect your computer when you install a program using a CD, DVD, or other removable media.

Malicious software can also be programmed to run at unexpected times, not just when it is installed.

Microsoft Forefront Endpoint Protection 2010 offers three ways to help keep malicious software

from infecting your computer:

• Using real-time protection—Real-time protection enables Forefront Endpoint Protection to monitor your computer all the time and alert you when malicious software, including viruses, spyware, or other potentially unwanted software, attempts to install itself or run on your computer. Forefront Endpoint Protection then suspends the software and enables you to follow its recommendation on the software or take an alternative action.

• Scanning options—You can use Forefront Endpoint Protection to scan for potential threats,

such as viruses, spyware, and other malicious software that might put your computer at risk.


You can also use it to schedule scans on a regular basis and to remove malicious software

that is detected during a scan.

• Microsoft SpyNet® community—The online Microsoft SpyNet community helps you see how

other people respond to software that has not yet been classified for risks. You can use this

information to help you choose whether to allow this software on your computer. In turn, if

you participate, your choices are added to the community ratings to help other people

decide what to do.

How can I tell if my computer is infected with malicious software?

You might have some form of malicious software, including viruses, spyware, or other potentially

unwanted software, on your computer if:

• You notice new toolbars, links, or favorites that you did not intentionally add to your Web

browser.

• Your home page, mouse pointer, or search program changes unexpectedly.

• You type the address for a specific site, such as a search engine, but you are taken to a

different Web site without notice.

• Files are automatically deleted from your computer.

• Your computer is used to attack other computers.

• You see pop-up ads, even if you're not on the Internet.

• Your computer suddenly starts running more slowly than it usually does. Not all computer

performance problems are caused by malicious software, but malicious software, especially

spyware, can cause a noticeable change.

There might be malicious software on your computer even if you don't see any symptoms. This type

of software can collect information about you and your computer without your knowledge or

consent. To help protect your privacy and your computer, you should run Microsoft Forefront

Endpoint Protection 2010 at all times.

What should I do if Forefront Endpoint Protection detects malicious software on my

computer?

If Microsoft Forefront Endpoint Protection 2010 detects malicious software or potentially unwanted

software on your computer (either when monitoring your computer using real-time protection or

after running a scan), it notifies you about the detected item by displaying a notification message in

the bottom right-hand corner of your screen.

The notification message includes a Clean computer button and a Show details link that lets you

view additional information about the detected item. Click the Show details link to open the

Potential threat details window to get additional information about the detected item. You can now

choose which action to apply to the item, or click Clean computer. If you need help determining


which action to apply to the detected item, use the alert level that Forefront Endpoint Protection assigned to the item as your guide (for more information, see Understanding alert levels).

Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted

software. While Forefront Endpoint Protection will recommend that you remove all viruses and

spyware, not all software that is flagged is malicious or unwanted. The following information can

help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software

on your computer.

Depending on the alert level, you can choose one of the following actions to apply to the detected

item:

• Remove—This action permanently deletes the software from your computer.

• Quarantine—This action quarantines the software so that it can't run. When Forefront

Endpoint Protection quarantines software, it moves it to another location on your computer,

and then prevents the software from running until you choose to restore it or remove it from

your computer.

• Allow—This action adds the software to the Forefront Endpoint Protection allowed list and

allows it to run on your computer. Forefront Endpoint Protection will stop alerting you to

risks that the software might pose to your privacy or to your computer.

Caution:

If you choose Allow for an item, such as software, Forefront Endpoint Protection will stop alerting

you to risks that the software might pose to your privacy or to your computer. Therefore, add

software to the allowed list only if you trust the software and the software publisher.

Using Forefront Endpoint Protection to remove potentially harmful software

To quickly and easily remove all unwanted or potentially harmful items that Microsoft Forefront Endpoint Protection 2010 detects, use the Clean computer option.

1. When you see the notification message that Forefront Endpoint Protection displays in the

Notification area after it detects potential threats, click Clean computer.

2. Forefront Endpoint Protection removes the potential threat (or threats), and then notifies

you when it's finished cleaning your computer.

3. To learn more about the detected threats, click the History tab, and then select All detected

items.

4. If you don't see all the detected items, click View details. If you're prompted for an

administrator password or confirmation, type the password or confirm the action. On

systems running Windows XP, you may need to log on as an administrator on this computer.


Note:

During computer cleanup, whenever possible, Forefront Endpoint Protection removes only the

infected part of a file, not the entire file.

Frequently asked questions about malicious software

Here are answers to some common questions about malicious software.

What is a virus?

Computer viruses are software programs deliberately designed to interfere with computer operation,

to record, corrupt, or delete data, or to infect other computers throughout the Internet. Viruses

often slow things down and cause other problems in the process.

What is spyware?

Spyware is software that can install itself or run on your computer without getting your consent or

providing you with adequate notice or control. Spyware might not display symptoms after it infects

your computer, but many malicious or unwanted programs can affect how your computer runs. For

example, spyware can monitor your online behavior or collect information about you (including

information that can identify you or other sensitive information), change settings on your computer,

or cause your computer to run slowly.

What's the difference between viruses, spyware, and other potentially harmful software?

Both viruses and spyware are installed on your computer without your knowledge and both have the

potential to be intrusive and destructive. They also have the ability to capture information on your

computer and damage or delete that information. They both can negatively affect your computer's

performance.

The main difference between viruses and spyware is how they behave on your computer. Viruses,

like living organisms, want to infect a computer, replicate, and then spread to as many other

computers as possible. Spyware, however, is more like a mole—it wants to "move into" your

computer and stay there as long as possible, sending valuable information about your computer to

an outside source while it is there.

Where do viruses, spyware, and other potentially unwanted software come from?

Unwanted software, such as viruses, can be installed by Web sites or by programs that you download

or that you install using a CD, DVD, external hard disk, or a device. Spyware is most commonly

installed through free software, such as file sharing, screen savers, or search toolbars.

Can I get malicious software without knowing it?

Yes, some malicious software can be installed from a Web site through an embedded script or

program in a Web page. Some malicious software requires your help to install it. This software uses

Web pop-ups or free software that requires you to accept a downloadable file. However, if you keep

Microsoft Windows® up to date and don't reduce your security settings, you can minimize the

chances of an infection.


Why is it important to review license agreements before installing software?

When you visit Web sites, do not automatically agree to download anything the site offers. If you

download free software, such as file sharing programs or screen savers, read the license agreement

carefully. Look for clauses that say that you must accept advertising and pop-ups from the company,

or that the software will send certain information back to the software publisher.

What's the difference between Microsoft Forefront Endpoint Protection 2010 and Windows

Defender?

Forefront Endpoint Protection is antimalware software, which means that it's designed to detect and

help protect your computer against a wide range of malicious software, including viruses, spyware,

and other potentially unwanted software. Windows Defender, which is automatically installed with

your Windows operating system, is software that detects and stops spyware. To learn more about

Windows Defender, visit the Windows Defender Web site

(http://go.microsoft.com/fwlink/?LinkId=155580).

Why doesn't Forefront Endpoint Protection detect cookies?

Cookies are small text files that Web sites put on your computer to store information about you and

your preferences. Web sites use cookies to offer you a personalized experience and to gather

information about Web site use. Forefront Endpoint Protection doesn't detect cookies, because it

doesn't consider them a threat to your privacy or to the security of your computer. Most Internet

browser programs allow you to block cookies. For information about blocking cookies in Windows

Internet Explorer, see Block or allow cookies (http://go.microsoft.com/fwlink/?LinkId=155585).

How to help prevent malicious software infections

Two of the biggest concerns for computer users today are viruses and spyware. In both cases, while

these can be a problem, you can defend yourself against them easily enough with just a little bit of

planning:

• Keep your computer’s software current and remember to install all patches. Remember to

update your operating system on a regular basis.

• Make sure your antivirus and antispyware software, Microsoft Forefront Endpoint Protection 2010, is using the latest updates against potential threats (see Keeping virus and spyware definitions up-to-date). Also make sure you're always using the latest version of Forefront Endpoint Protection.

• Only download updates from reputable sources. For Windows operating systems, always go

to Microsoft Update (http://go.microsoft.com/fwlink/?LinkID=96304) and for other software

always use the legitimate Web sites of the company or person who produces it.

• If you receive an e-mail with an attachment and you're unsure of the source, then you should

delete it immediately. Don't download any applications or executable files from unknown

sources, and be careful when trading files with other users.

• Install and use a firewall. It is recommended that you enable Windows Firewall.


Getting started

Now that you've been introduced to Microsoft Forefront Endpoint Protection 2010 and learned how

it detects malicious software and helps you get rid of unwanted software, let's learn more about this

program's capabilities, including scanning, real-time protection, updating, virus and spyware

definitions, and about removing and restoring quarantined items.

• Scanning for viruses, spyware, and other potentially unwanted software

• What's real-time protection?

• How do I keep virus and spyware definitions up to date?

• How do I remove or restore items quarantined by Forefront Endpoint Protection?

Understanding alert levels

When Microsoft Forefront Endpoint Protection 2010 detects a potential threat, it uses the associated

definition file to assign an alert level to the threat. It then applies the default action associated with

that threat level.

Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted

software. While Forefront Endpoint Protection recommends that you remove all viruses and

spyware, not all software that is flagged is malicious or unwanted. The information in this table can


help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software

on your computer.

Alert level: Severe

What it means: These are widespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of your computer, and can damage your computer.

What to do: Remove this software immediately.

Alert level: High

What it means: These are programs that might collect your personal information and negatively affect your privacy or damage your computer. For example, the program collects information or changes settings, typically without your knowledge or consent.

What to do: Remove this software immediately.

Alert level: Medium

What it means: These are programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience. For example, the program collects personal information or changes settings.

What to do: Review the alert details to see why the software was detected. If you do not like what the software does or if you do not recognize and trust the publisher, consider blocking or removing the software.

Alert level: Low

What it means: This is potentially unwanted software that might collect information about you or your computer or might change how your computer works. However, the software is operating in agreement with licensing terms displayed when you installed the software.

What to do: This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you're not sure whether to allow it, review the alert details, or check to see if you recognize and trust the software publisher.


What are recommended actions?

Essentially, a recommended action means that you want Microsoft Forefront Endpoint Protection 2010 to handle this alert level according to Microsoft's recommendation. When Forefront Endpoint Protection detects a threat or potential threat, it takes the action specified as the Default Action in Settings. Unless you change the Default Actions associated with each alert level, Forefront Endpoint Protection applies the recommended action. The recommended action is a specific action recommended by Microsoft for dealing with a specific threat or potential threat. It is associated with the definition specific to a particular threat. Usually, recommended actions are related to the detected item's severity level: severe, high, medium, or low (see Understanding alert levels). For example, in most cases, the recommended action associated with a high-severity alert is to remove the detected threat. However, even in the case of a high-severity alert, the recommended action might be to allow the detected threat.

Tip:

Unless you have a deep understanding of malware and its definitions, you should use the recommended actions to help protect your computer from threats.

Applying default actions to detected items

You can decide how you want Microsoft Forefront Endpoint Protection 2010 to handle the potential

threats it detects, by either applying recommended actions (recommended) or by specifying a

default action for each alert level.

By defining a custom default action for each alert level, you gain more control over how the program

handles detected threats. For example, if you know that all medium level threats are something you

feel comfortable simply quarantining, then you can specify Quarantine for the medium alert level.

To apply default actions

1. Click the Settings tab, and then click Default actions.

2. Select a default action (Recommended action, Quarantine, Remove, or Allow if available).

The default setting (Recommended action) means that you want Forefront Endpoint

Protection to handle this alert level according to Microsoft’s recommendation.

3. Click Save changes. If you are prompted for an administrator password or confirmation, type

the password or confirm the action.

To ensure that Forefront Endpoint Protection applies these actions after it detects potential threats,

select the Apply recommended actions check box.

Scanning for viruses, spyware, and other potentially unwanted software

When you use Microsoft Forefront Endpoint Protection 2010, you can run either a quick scan of your

computer or a full system scan. If malicious software has infected a specific area of your computer,

you can customize a scan by selecting only the drives and folders that you want to check.


A quick scan checks the locations on your computer's hard disk, the processes in memory, and the registry entries that malicious software is most likely to infect. A full scan checks all files on the hard disk and all currently running programs, but it could cause your computer to run slowly until the scan is completed. At any time, if you suspect that spyware has infected your computer, run a full scan. For information about scheduling scans to occur regularly, see Scheduling scans.

To scan the areas of your computer that malicious software is most likely to infect (Quick

scan)

On the Forefront Endpoint Protection Home page, click the Quick scan option, and then click Scan

now. The amount of time the scan takes depends on the number of files and folders being scanned.

To scan all areas of your computer (Full scan)

On the Home page, select the Full scan option, and then click Scan now. The scan may take a while,

depending on the number of files and folders being scanned.

To scan specific areas of your computer only (Custom scan)

You can select specific locations on your computer to scan. However, if it detects viruses, spyware, or

other potentially unwanted software, Endpoint Protection will then run an expanded scan to make

sure it removes the detected software from other areas of your computer, if needed.

Running a custom scan

1. On the Home page, select the Custom scan option and then click Scan now.

2. In the Select the drives and folders you want to scan window, select the areas of your

computer that you want to scan, and then click OK. The scan may take a while, depending on

the number of files and folders being scanned.

To scan a specific file or folder (right-click scan)

If you suspect malicious software has infected a file or folder on your computer, or if you are

concerned about something that you downloaded, you can select a specific file or folder on your

computer for Endpoint Protection to scan.

Running a right-click scan

1. Right-click the file or folder on your computer, and then click Scan with Forefront Endpoint

Protection.

2. Endpoint Protection begins scanning the selected file or folder.

3. As soon as it completes the scan, Endpoint Protection displays the scan results.

Note:

Depending on the file size, this scan may take only a few seconds.

Scheduling scans

By default, Forefront Endpoint Protection runs a scheduled scan on your computer once a week. A

weekly scan is sufficient for most computers, because Endpoint Protection monitors your computer


continuously through the real-time protection feature. To learn more, see What's real-time

protection?.

A scheduled scan checks the areas of your computer that malicious software, including viruses,

spyware, and other potentially unwanted software, are most likely to infect. If you want Endpoint

Protection to check all files and programs on your computer, you can run or schedule a full scan.

To change the scheduled scan

1. Click Settings, and then click Scheduled scan.

2. If the Run a scheduled scan on my computer (recommended) check box is not selected,

select it now.

3. Next to the When field, select the day that you want to run the scan. For example, you can

run a scan daily or on a certain day of the week, such as Sunday.

4. Next to the Around field, select the time that you want the scheduled scan to run.

Note:

Scans may begin within two hours of the scheduled time you select. Exact scan times are

randomized to reduce strains on network traffic. Scans might also be delayed if something else is

currently running on your computer, such as an update.

5. Next to the Scan type field, select the type of scan that you want to run, and then click Save

changes. If you're prompted for an administrator password or confirmation, type the

password or provide confirmation.

When is the best time to run a scan on my computer?

Because the scheduled scan can slow down your computer's performance, you should run the

scheduled scan at a time when it will least affect your work. In other words, schedule the scan for a

time when the computer is on but you aren't using it. By default, the time set is for around 2 A.M.,

but if you work at night, consider changing the time to sometime during the day.

To make sure the scan runs when your computer isn't being used

1. Click Settings, and then click Scheduled scan.

2. If the Start the scheduled scan only when my computer is on but not in use check box is not

selected, select it now, and then click Save changes. If you're prompted for an administrator

password or confirmation, type the password or confirm the action.


Responding to potential threats after a scan

To gain more control over how Forefront Endpoint Protection handles detected threats, use the

Default actions or the Threat handling tab, depending on your product version.

1. Click the Settings tab, and then select the Default actions tab.

2. Select the action that you want to apply to each alert level.

3. Select the Apply recommended actions check box, and then click Save changes. If you're

prompted for an administrator password or confirmation, type the password or confirm the

action.

To learn more about applying default actions, see Applying default actions to detected items.

How can I view a scan's progress?

Forefront Endpoint Protection notifies you whenever it’s running a scheduled scan. Depending on the

scan type, a scan may take some time and may affect your computer’s performance. To learn more

about scan types, see Scanning for viruses, spyware, and other potentially unwanted software.

To view the progress of a scheduled scan

• If you're running Forefront Endpoint Protection on the Windows XP (with Service Pack 2 (SP2) or a later service pack) operating system or on the Windows Vista® operating system, you'll see the Forefront Endpoint Protection icon in the notification area. Whenever a scan is in progress, the icon will also display an animation to let you know that it's scanning your computer. Click the icon to see which type of Forefront Endpoint Protection scan is in progress, how long it's been running, and how many items have been scanned.

• If a scan is in progress, Forefront Endpoint Protection displays the scan’s progress until the

scan is complete. When it completes the scan, Endpoint Protection then displays the scan

results and the date and time when the scan was completed.

• If you're running Endpoint Protection on a Windows 7 operating system, you won’t see the

Forefront Endpoint Protection icon in the notification area (unless you manually added the

icon to the notification area). However, when you click the arrow in the notification area, you

can see additional icons, including the Forefront Endpoint Protection icon. Double-clicking

the icon will display the scan's progress.

What are advanced scanning options?

When scanning your computer, you can choose from these additional options:

• Scan archive files—Scanning these files might increase the time required to complete a scan,

but malicious software, including viruses, spyware, and other potentially unwanted software,

can install itself and attempt to "hide" in these files.

• Scan removable drives—Use this option to scan the contents of removable drives, such as

USB flash drives.


• Create a system restore point before applying actions to detected items—System restore

helps you restore your computer's system files to an earlier point in time. It's a way to undo

system changes to your computer without affecting your personal files, such as e-mail,

documents, or photos. These restore points contain information about registry settings and

other system information that Windows uses. When you select this option, Forefront

Endpoint Protection creates a system restore point on your computer on a daily basis before

cleaning your computer. This option allows you to restore software that you didn't intend to

remove.

To set advanced scanning options

1. Click Settings, and then click Advanced.

2. Select the check box next to each option that you want to use, and then click Save changes.

If you're prompted for an administrator password or confirmation, type the password or

confirm the action.

Excluding items from a scan

To help speed up scans running on your computer, you can choose to exclude certain files, locations,

file types, and processes from the scan.

Warning:

Exclusions can help speed up the scan, but may leave your computer less protected. Only select

them if you're sure that the excluded files, locations, or processes do not contain malicious

software.

Important:

Exclusions are applied to both on-demand scans and real-time protection.

To exclude certain files and locations

1. Click the Settings tab, and then click Excluded files & locations.

2. Click Add, and then select the files, folders, and locations (such as drives) that you want to

exclude.

3. Click OK, and then click Save changes. If you're prompted for an administrator password or

confirmation, type the password or confirm the action.

To exclude certain file types

1. Click the Settings tab and then click Excluded file types.

2. In the field at the top of the tab, enter the file type to exclude, and then click Add.

3. Repeat step 2 until you've added all the file types that you want to exclude.


4. Click Save changes. If you're prompted for an administrator password or confirmation, type

the password or confirm the action.

To exclude processes running on your computer

1. Click the Settings tab and then click Excluded processes.

2. Click Add, and then select the processes you want to exclude. Make sure that you add only

files that use one of the extensions listed below.

3. Click OK, and then click Save changes. If you're prompted for an administrator password or

confirmation, type the password or confirm the action.

You can exclude the following process types:

• Executable files (.exe)

• Command files (.cmd)

• Batch files (.bat)

• Program information files (.pif)

• Windows Explorer shell command files (.scf)

• Windows screen saver file (.scr)
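Exclusions are the setting most often left over-broad on a managed client, and the warning above applies to real-time protection as much as to scans. The following PowerShell script is an added example, not code from the Forefront Endpoint Protection documentation: it lists the exclusions configured on a client and flags the ones that deserve a second look (whole drives, system folders, executable file types, and process exclusions that do not use one of the six file types listed above). It assumes, since the page does not say, that the client stores exclusions as value names under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\{Paths,Extensions,Processes}, with policy-assigned exclusions under the matching key beneath HKLM\SOFTWARE\Policies.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): audit the
# exclusions configured on a Forefront Endpoint Protection 2010 client and flag the ones
# that weaken protection the most. Because exclusions apply to real-time protection as
# well as scans, an over-broad one is a blind spot for every detection the client makes.
#
# Assumption, not stated on this page: the client keeps exclusions as value names under
# HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\{Paths,Extensions,Processes},
# and policy-assigned exclusions under the matching HKLM\SOFTWARE\Policies\... key.

$exclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions',
    'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions'
)
# The only file types accepted for process exclusions (the list on this page).
$processExtensions = @('.exe', '.cmd', '.bat', '.pif', '.scf', '.scr')

function Get-FepExclusions {
    param([string[]]$Keys = $exclusionKeys)
    $found = @()
    foreach ($key in $Keys) {
        foreach ($kind in 'Paths', 'Extensions', 'Processes') {
            $subKey = Join-Path $key $kind
            if (-not (Test-Path $subKey)) { continue }
            foreach ($name in (Get-Item $subKey).GetValueNames()) {
                $found += New-Object PSObject -Property @{ Kind = $kind; Item = $name; Source = $key }
            }
        }
    }
    return ,$found
}

function Test-FepExclusion {
    # Returns the reasons one exclusion deserves review; an empty list means it looks sane.
    param([string]$Kind, [string]$Item)
    $reasons = @()
    switch ($Kind) {
        'Paths' {
            if ($Item -match '^[A-Za-z]:\\?$')                          { $reasons += 'excludes an entire drive' }
            if ($Item -match '^(%SystemRoot%|C:\\Windows)\\?$')         { $reasons += 'excludes the Windows folder' }
            if ($Item -match '^(%ProgramFiles%|C:\\Program Files)\\?$') { $reasons += 'excludes Program Files' }
            if ($Item -match '\\(Temp|Downloads)\\?$')                  { $reasons += 'excludes a folder where untrusted files land' }
        }
        'Extensions' {
            $ext = '.' + $Item.ToLower().TrimStart('.')
            if ($processExtensions -contains $ext -or $ext -eq '.dll') {
                $reasons += 'excludes an executable file type'
            }
        }
        'Processes' {
            $ext = [System.IO.Path]::GetExtension($Item).ToLower()
            if ($processExtensions -notcontains $ext) {
                $reasons += ('process exclusions must use one of: ' + ($processExtensions -join ', '))
            }
            if ($Item -match '\\Temp\\|\\Users\\|\\Documents and Settings\\') {
                $reasons += 'process lives in a user-writable location'
            }
        }
    }
    return ,$reasons
}

# Print a report; every REVIEW line should be justified against the warning on this page.
$exclusions = Get-FepExclusions
if ($exclusions.Count -eq 0) { 'No exclusions configured.' }
foreach ($e in $exclusions) {
    $reasons = Test-FepExclusion -Kind $e.Kind -Item $e.Item
    $flag = if ($reasons.Count -gt 0) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1,-10} {2}  {3}' -f $flag, $e.Kind, $e.Item, ($reasons -join '; ')
}
```

Run it in a PowerShell prompt on the client; reading HKLM does not need elevation. The checks in Test-FepExclusion are a starting point: add your own patterns for folders that your organisation treats as untrusted.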

What's real-time protection?

Real-time protection enables Forefront Endpoint Protection to monitor your computer all the time

and alert you when potential threats, such as viruses and spyware, are trying to install themselves or

run on your computer. Because this feature is an important element of the way that Endpoint

Protection helps protect your computer, you should make sure real-time protection is always turned

on. If real-time protection gets turned off, Endpoint Protection notifies you, and changes your

computer’s status to “At risk”.

Whenever real-time protection detects a threat or potential threat, Endpoint Protection displays a

notification. You can then choose from the following options:

• Click Clean computer to remove the detected item. Endpoint Protection will automatically

remove the item from your computer.

• Click the Show details link to display the Potential threat details window, and then choose

which action to apply to the detected item. For more information, see What should I do if

Forefront Endpoint Protection detects malicious software on my computer?.

Understanding real-time protection options

You can choose the software and settings that you want Forefront Endpoint Protection to monitor,

but we recommend that you turn on real-time protection and enable all real-time protection options.

The following list explains the available options.

Scan all downloads

This option monitors files and programs that are downloaded, including files that are

automatically downloaded by Windows Internet Explorer and Microsoft Outlook® Express, such as

ActiveX® controls and software installation programs. These files can be downloaded, installed,

or run by the browser itself, and malicious software, including viruses, spyware, and other

potentially unwanted software, can be bundled with them and installed without your knowledge.

With this option turned on, Endpoint Protection checks downloaded files and programs as they

arrive, so it does not have to slow down your browsing or e-mail by asking you to check each

file before you download it.

Monitor file and program activity on your computer

This option monitors when files and programs start running on your computer and alerts you

about the actions they perform and the actions taken on them. This is important because

malicious software can use vulnerabilities in programs that you have installed to run malicious

or unwanted software without your knowledge. For example, spyware can run itself in the

background when you start a program that you frequently use. Forefront Endpoint Protection

monitors your programs and alerts you if it detects suspicious activity.

Enable behavior monitoring

This option monitors collections of behavior for suspicious patterns that might not be detected

by traditional signature-based antivirus detection.

Enable Network Inspection System

This option inspects network traffic for attempts to exploit known vulnerabilities, helping

protect your computer during the window between the time a vulnerability is disclosed and the

time the update that fixes it is applied.

Turning real-time protection on and off

To help prevent viruses, spyware, or other potentially unwanted software from running on your

computer, you should make sure you've turned on real-time protection and selected all of the

real-time protection options. Real-time protection alerts you when viruses, spyware, or other

potentially unwanted software attempts to install or run on your computer.

To help protect your privacy and your computer, we recommend that you select all real-time

protection options. For more information about real-time protection, see What's real-time

protection?

When you install Forefront Endpoint Protection on your computer, the real-time protection feature is

turned on by default. Although it is not recommended, you can turn off real-time protection.

To turn off real-time protection

1. Click Settings, and then click Real-time protection.

2. Clear the real-time protection options you want to turn off, and then click Save changes. If

you're prompted for an administrator password or confirmation, type the password or

confirm the action.

You can also turn on or off specific features of real-time protection individually. To learn more, see

Understanding real-time protection options.

How do I know that Forefront Endpoint Protection is running on my

computer?

After you install Forefront Endpoint Protection on your computer, you can close the main window

and let Endpoint Protection run quietly in the background. Endpoint Protection will continue running

on your computer, monitor it, and help protect it against threats.

Of course, you'll know that Endpoint Protection is running whenever it displays notification messages

in the notification area. These notifications alert you to potential threats that Endpoint Protection

has detected.

You'll also receive other alert notifications, for example, if for some reason real-time protection has

been turned off, if you haven't updated your virus and spyware definitions for a number of days, or

when upgrades to the program become available. Endpoint Protection also briefly displays a

notification to let you know that it's scanning your computer.

You can also refer to the Endpoint Protection icon that appears in the notification area:

Tip:


If you don’t see the Endpoint Protection icon in the notification area, click the arrow in the

notification area to show hidden icons, including the Endpoint Protection icon.

The icon color depends on your computer's current status:

• Green indicates that your computer's status is "protected."

• Yellow indicates that your computer's status is "potentially unprotected."

• Red indicates that your computer's status is "at risk."

How to set up Forefront Endpoint Protection alerts

When Microsoft Forefront Endpoint Protection 2010 is running on your computer, it automatically

alerts you if it detects viruses, spyware, or other potentially unwanted software. You can also set

Forefront Endpoint Protection to alert you if you run software that has not yet been analyzed, and

you can choose to be alerted when software makes changes to your computer.

To set up Endpoint Protection alerts

1. Click Settings, and then click Real-time protection.

2. Make sure the Turn on real-time protection (recommended) check box is selected.

3. Select the check boxes next to the real-time protections options you want to run, and then

click Save changes. If you're prompted for an administrator password or confirmation, type

the password or confirm the action.

What are virus and spyware definitions?

When you use Forefront Endpoint Protection, it is important to have up-to-date virus and spyware

definitions. Definitions are files that act like an ever-growing encyclopedia of potential software

threats. Endpoint Protection uses definitions to determine if software that it detects is a virus,

spyware, or other potentially unwanted software, and then to alert you to potential risks. To help

keep your definitions up to date, Endpoint Protection works with Microsoft Update to install new

definitions automatically as they are released. You can also set Endpoint Protection to check online

for updated definitions before scanning. For information about keeping your definitions up to date

and how to download the latest definitions manually, see How do I keep virus and spyware

definitions up to date?.

How do I keep virus and spyware definitions up to date?

Virus and spyware definitions are files that act like an encyclopedia of known malicious software,

including viruses, spyware, and other potentially unwanted software. Because malicious software is

continually being developed, Forefront Endpoint Protection relies on up-to-date definitions to

determine if software that is trying to install, run, or change settings on your computer is a virus,

spyware, or other potentially unwanted software.

To automatically check for new definitions before scheduled scans (recommended)

1. Click Settings, and then click Scheduled scan.


2. Make sure the Check for the latest virus and spyware definitions before running a

scheduled scan check box is selected, and then click Save changes. If you're prompted for an

administrator password or confirmation, type the password or confirm the action.

To check for new definitions manually

Endpoint Protection updates the virus and spyware definitions on your computer automatically. If

the definitions haven’t been updated for over seven days (for example, if you didn’t turn on your

computer for a week), Endpoint Protection notifies you that the definitions are out of date.

1. Click the Update tab, and then click Update.

Note:

While updating definitions, if you're running Endpoint Protection on the Windows XP (with

Service Pack 2 (SP2) or a later service pack) operating system or on the Windows Vista operating

system, the program displays an "updating" icon in the notification area.
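The sections above describe three things a user is told to watch for: the service is running, real-time protection has not been turned off, and the definitions are no more than seven days old. On a fleet you want those answers without opening the client window. The following PowerShell script is an added example, not code from the Forefront Endpoint Protection documentation; it is read-only and reports the same status the icon colours convey. It assumes, since the page does not say, that the service is named MsMpSvc (display name "Microsoft Antimalware Service"), that the real-time protection state is stored as the DisableRealtimeMonitoring value (1 = off) under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection with a policy copy under HKLM\SOFTWARE\Policies, and that the last definition update is stored as a FILETIME in the SignaturesLastUpdated value under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): a read-only
# health check for the Forefront Endpoint Protection 2010 client that reports the three
# things this page tells you to watch: the antimalware service is running, real-time
# protection is on, and the definitions are no more than seven days old.
#
# Assumptions, not stated on this page: the service is MsMpSvc ("Microsoft Antimalware
# Service"); real-time protection is recorded as DisableRealtimeMonitoring (1 = off) under
# HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Real-Time Protection, with a policy copy
# under HKLM\SOFTWARE\Policies\...; the last definition update is stored as a FILETIME in
# HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\SignaturesLastUpdated.

$fepRoot    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$maxDefinitionAgeDays = 7   # the client itself warns after seven days

function Get-RegValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-FepHealth {
    $svc = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
    $serviceRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

    # Policy wins over the local setting; a missing value means "not disabled".
    $disabled = Get-RegValue -Key "$policyRoot\Real-Time Protection" -Name 'DisableRealtimeMonitoring'
    if ($disabled -eq $null) {
        $disabled = Get-RegValue -Key "$fepRoot\Real-Time Protection" -Name 'DisableRealtimeMonitoring'
    }
    $rtpOn = ($disabled -eq $null) -or ($disabled -eq 0)

    $raw = Get-RegValue -Key "$fepRoot\Signature Updates" -Name 'SignaturesLastUpdated'
    $lastUpdate = $null
    $ageDays = $null
    if ($raw -ne $null -and $raw.Length -eq 8) {
        $lastUpdate = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
        $ageDays = [Math]::Round(((Get-Date).ToUniversalTime() - $lastUpdate).TotalDays, 1)
    }
    $defsCurrent = ($ageDays -ne $null) -and ($ageDays -le $maxDefinitionAgeDays)

    # Map onto the icon colours described on this page: red = at risk, yellow = stale.
    $status = 'Protected'
    if (-not $serviceRunning -or -not $rtpOn) { $status = 'At risk' }
    elseif (-not $defsCurrent)                { $status = 'Potentially unprotected' }

    New-Object PSObject -Property @{
        Status             = $status
        ServiceRunning     = $serviceRunning
        RealTimeProtection = $rtpOn
        DefinitionsUpdated = $lastUpdate
        DefinitionAgeDays  = $ageDays
        AVSignatureVersion = (Get-RegValue -Key "$fepRoot\Signature Updates" -Name 'AVSignatureVersion')
    }
}

Get-FepHealth | Select-Object Status, ServiceRunning, RealTimeProtection,
    DefinitionsUpdated, DefinitionAgeDays, AVSignatureVersion | Format-List
```

The script only reads the registry and the service state, so it can run under a non-administrator account; run it through a remote PowerShell session or a scheduled task to collect the same status from many clients. A missing SignaturesLastUpdated value is reported as stale rather than current, which is the safe reading when the client has never completed an update.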

Running a scan using the latest updates

To maximize the scan's effectiveness, you should make sure the computer is scanned using the very

latest virus and spyware definitions, which contain the latest updates on potential threats.

To make sure the scan is using the latest virus and spyware definitions

1. Click Settings, and then click Scheduled scan.

2. Make sure the Check for the latest virus and spyware definitions before running a

scheduled scan check box is selected, and then click Save changes. If you're prompted for an

administrator password or confirmation, type the password or confirm the action.

How do I remove or restore items quarantined by Forefront Endpoint

Protection?

When Forefront Endpoint Protection quarantines software, it moves the software to another

location on your computer, and then it prevents the software from running until you choose to

restore it or to remove it from your computer.

For all the steps mentioned in this procedure, if you're prompted for an administrator password or

confirmation, type the password or provide confirmation.

To remove or restore quarantined items

1. Click the History tab, and then select the Quarantined items option.

2. In Windows Vista or Windows 7, click View details to see all of the items.

3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the

items.

4. Review each item, and then for each, click Remove or Restore. If you want to remove all of

the quarantined items from your computer, click Remove All.

Warning:

Do not restore software with severe or high alert ratings, because it can put your privacy and the

security of your computer at risk.

How do I add or remove items from the Forefront Endpoint Protection allowed list?

If you trust software that Forefront Endpoint Protection has detected, you can stop Forefront

Endpoint Protection from alerting you about risks that the software might pose to your privacy or

your computer. To stop receiving alerts for this software, you must add the software to the Forefront

Endpoint Protection allowed list. If you decide that you want to monitor the software again later, you

can remove it from the Forefront Endpoint Protection allowed list at any time.

To add an item to the allowed list

1. The next time Endpoint Protection alerts you about the software, click the Show details link.

2. In the Potential threat details dialog box, click the down arrow in the Recommendation

column, and then click Allow.

To remove an item from the allowed list and enable Endpoint Protection to monitor it

1. Click the History tab, and then select the Allowed items option.

2. In Windows Vista or Windows 7, click View details to see all of the items. If you're prompted

for an administrator password or confirmation, type the password or confirm the action.

3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the

items.

4. Select the item that you want to monitor, and then click Remove. If you're prompted for an

administrator password or confirmation, type the password or confirm the action.

Warning:

Do not allow software with severe or high alert ratings to run on your computer, because it can put

your privacy and the security of your computer at risk.

How do I view or clear the history in Forefront Endpoint Protection?

The history displays the actions you applied to viruses, spyware, and other potentially unwanted

software that Forefront Endpoint Protection has detected on your computer.


To view or clear the history

1. Click the History tab.

2. In Windows Vista or Windows 7, click View details to see all of the items. If you are

prompted for an administrator password or confirmation, type the password or confirm the

action.

3. In Windows XP, you need to log on as an administrator on the computer to see all of the

items.

4. To delete all of the items in the list, click Delete history. If you are prompted for an

administrator password or confirmation, type the password or confirm the action.

What if I want to download or run a program that Forefront Endpoint Protection detects

as potentially harmful?

When Forefront Endpoint Protection detects a potentially harmful program, it alerts you by

displaying a notification. However, if you trust a program that Forefront Endpoint Protection has

detected as potentially harmful, you can allow it to run on your computer.

Warning:

If Endpoint Protection assigns a severe or high alert level to a program, it's a widespread or

exceptionally malicious program or it is a program that might collect your personal information

without your knowledge. These programs can negatively affect your privacy and the security of your

computer and can damage your computer. We strongly advise you not to run these programs on

your computer.

1. Download the program that you want to run.

2. When Forefront Endpoint Protection displays the notification, click the Show details link.

3. In the Potential threat details dialog box, select the program, click the down arrow in the

Recommendation column, and then click Allow.

4. Click Apply actions. If you're prompted for an administrator password or confirmation, type

the password or confirm the action.

Privacy settings for detected items

To help protect user privacy, the local computer administrator can restrict the History tab so

that only administrators can view the items detected for all of the users on the computer.

To allow only the local computer administrator to view all detected items

1. Click Settings, and then click Advanced.


2. Clear the Allow all users to view the full History results check box, and then click Save

changes. If you're prompted for an administrator password or confirmation, type the

password or confirm the action.

What is the Microsoft SpyNet Community?

Microsoft SpyNet is the online community that helps you choose how to respond to potential

threats. The community also helps stop the spread of new infections. You can choose to send basic or

additional information about detected software. Additional information helps Microsoft create new

definitions to better protect your computer. The information sent can include the location of

detected items on your computer if a virus, spyware, or potentially harmful software has been

removed. The information will be automatically collected and sent.

Reporting suspicious software to Microsoft SpyNet

If Forefront Endpoint Protection detects software on your computer that has not yet been classified

for risks, you might be asked to send a sample of the software to Microsoft SpyNet for analysis.

When you're prompted to send a sample, Endpoint Protection displays a list of files that can help

analysts determine if the software is malicious. You can choose to send some or all of the files in the

list. For information on Microsoft SpyNet, see Changing your Microsoft SpyNet community

membership.

To send files to Microsoft SpyNet

If Endpoint Protection detects a file or program on your computer that might be malicious or

harmful, you can send it to Microsoft.

To submit a malicious software sample

1. On the Help menu, click Submit malicious software sample.

2. The Microsoft Malware Protection Center site opens. Follow the instructions, and submit

the sample.

To report software that might be incorrectly classified

If Endpoint Protection alerts you about software that you don't believe is malicious or unwanted, you

can report the problem to Microsoft by completing the False Positive Report Form on the Microsoft

Web site (http://go.microsoft.com/fwlink/?LinkId=155581).

Changing your Microsoft SpyNet community membership

When you installed Forefront Endpoint Protection, you agreed to join Microsoft SpyNet using a basic

membership. You have the following membership options:

Basic membership—Endpoint Protection sends basic information to Microsoft about software that

Endpoint Protection detects, including where the software came from, the actions that you apply or

that Endpoint Protection applies automatically, and whether the actions were successful. In some

instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will

not use this information to identify you or to contact you.

Advanced membership—In addition to basic information, Endpoint Protection sends more

information to Microsoft about malicious software, spyware, and potentially unwanted software,


including the location of the software, file names, how the software operates, and how it has

affected your computer. In some instances, personal information might unintentionally be sent to

Microsoft. However, Microsoft will not use this information to identify you or to contact you.

To change your Microsoft SpyNet community membership

1. Click Settings, and then click Microsoft SpyNet.

2. Select the level of participation that you want by clicking Basic membership or Advanced

membership, and then click Save changes. If you're prompted for an administrator password

or confirmation, type the password or confirm the action.

To learn more about Microsoft SpyNet:

• Reporting suspicious software to Microsoft SpyNet

Where can I find the Forefront Endpoint Protection privacy statement?

The updated privacy statement is available through the Help menu or through the Forefront

Endpoint Protection Web site.

To view the privacy statement

1. On the Help menu, click View privacy statement.

Where can I find the Forefront Endpoint Protection license agreement?

The license agreement is available through the Help menu or through the Microsoft Forefront

Endpoint Protection 2010 Web site.

To view the license agreement

1. On the Help menu, click View license agreement.

Troubleshooting

If you encounter problems with Forefront Endpoint Protection, contact your security administrator

for support.

Troubleshooting Update Issues

Microsoft Forefront Endpoint Protection 2010 works automatically with Microsoft Update to ensure

that your virus and spyware definitions are kept up to date.

Symptoms

This article addresses common issues with automatic updates, including the following situations:

• You see error messages indicating that updates have failed.

• When you check for updates, you receive an error message that the virus and spyware

definition updates cannot be checked, downloaded, or installed.

• Even though you are connected to the Internet, the updates fail.

• Updates are not automatically installing as scheduled.


Cause

The most common causes for update issues are problems with Internet connectivity. For help with

Internet connectivity, see I can't connect to the Internet issue (General topic). However, if you know

you are connected to the Internet because you can browse to other Web sites, the issue might be

caused by conflicts with your settings in Windows Internet Explorer.

Solution

Important:

You have to exit Internet Explorer to complete these steps. Therefore, print them, write them

down, or copy them to another file, and then bookmark this topic for future access.

Step 1: Reset your Internet Explorer settings

1. Exit all open programs, including Internet Explorer.

Note:

Resetting these settings in Internet Explorer deletes your temporary files, cookies, browsing

history, and saved online passwords. Your favorites are not deleted.

2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter.

3. In the Internet Options dialog box, click the Advanced tab.

4. Under the Reset Internet Explorer settings, click Reset, and then click Reset again.

5. Wait until Internet Explorer finishes resetting the settings, and then click OK.

6. Open Internet Explorer.

7. Open Forefront Endpoint Protection, click the Update tab, and then click Update.

8. If the issue persists, proceed to the next step.

Step 2: Set Internet Explorer as the default browser

1. Exit all open programs, including Internet Explorer.

2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter.

3. In the Internet Options dialog box, click the Programs tab.

4. Under Default Web browser, click Make default.

5. Click OK.


6. Open Microsoft Forefront Endpoint Protection 2010. Click the Update tab, and then click

Update.

7. If the issue persists, proceed to the next step.

Step 3: Ensure that the date and time are set correctly on your computer

1. Open Forefront Endpoint Protection.

2. If the error message that you received contains the code 0x80072f8f, the problem is most

likely caused by an incorrect date or time setting on your computer.

3. To reset your computer's date or time setting, follow the steps in Fix broken desktop

shortcuts and common system maintenance tasks

(http://go.microsoft.com/fwlink/?LinkId=155579).

Step 4: Rename the Software Distribution folder on your computer

1. Stop the Automatic Updates service (on Windows Vista and Windows 7 the same service is

named Windows Update)

a. Click Start, click Run, type services.msc, and then click OK.

b. Right-click the Automatic Updates (or Windows Update) service, and then click Stop.

c. Minimize the Services snap-in.

2. Rename the SoftwareDistribution directory as follows:

a. Click Start, click Run, type cmd, and then click OK.

b. Type cd %windir%, and then press Enter.

c. Type ren SoftwareDistribution SDTemp, and then press Enter.

d. Type exit, and then press Enter.

3. Start the Automatic Updates service as follows:

a. Maximize the Services snap-in.

b. Right-click the Automatic Updates (or Windows Update) service, and then click Start.

c. Close the Services snap-in window.

Step 5: Reset the Microsoft antivirus update engine on your computer

1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt, and

then select Run as administrator.

2. In the Command Prompt window, type the following commands and press Enter after each

command. The folder shown in the second command is where Microsoft Security Essentials installs;

on a Forefront Endpoint Protection client, MpCmdRun.exe is normally under

%ProgramFiles%\Microsoft Security Client\Antimalware, so change to whichever folder contains

MpCmdRun.exe on your computer:

cd \

cd "%ProgramFiles%\Microsoft Security Client\Antimalware"

MpCmdRun.exe -RemoveDefinitions -All

exit

3. Restart your computer.

4. Open Forefront Endpoint Protection, click the Update tab, and then click Update.

5. If the issue persists, proceed to the next step.
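Steps 4 and 5 are the part of this procedure that an administrator repeats most often, and they are easy to get slightly wrong by hand (a service left stopped, a typo in the MpCmdRun switch). The following PowerShell script is an added example, not code from the Forefront Endpoint Protection documentation, that performs both steps on Windows Vista or Windows 7 and reports the MpCmdRun.exe exit code so you know whether the definition download itself failed. It assumes, since the page does not state it, that the Forefront Endpoint Protection client installs MpCmdRun.exe under %ProgramFiles%\Microsoft Security Client\Antimalware; the folder in the page's commands is the Microsoft Security Essentials one.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): steps 4 and 5
# above as one script for Windows Vista and Windows 7, where the update service is named
# wuauserv ("Windows Update"; "Automatic Updates" is its Windows XP name). Run it from an
# elevated PowerShell prompt.
#
# Assumption, not stated on this page: the Forefront Endpoint Protection client installs
# MpCmdRun.exe under %ProgramFiles%\Microsoft Security Client\Antimalware (the path on this
# page is the Microsoft Security Essentials one). Change $mpCmdRun if yours differs.

$mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'

function Reset-WindowsUpdateCache {
    # Step 4: stop the update service, set the download cache aside, start the service again.
    # The service is always restarted, even if the rename fails, so the computer is not left
    # without update checks.
    $cache   = Join-Path $env:windir 'SoftwareDistribution'
    $newName = 'SDTemp_' + (Get-Date -Format 'yyyyMMddHHmmss')
    Stop-Service -Name wuauserv -Force -ErrorAction Stop
    try {
        if (Test-Path $cache) { Rename-Item -Path $cache -NewName $newName -ErrorAction Stop }
    } finally {
        Start-Service -Name wuauserv
    }
    return (Join-Path $env:windir $newName)
}

function Reset-FepDefinitions {
    # Step 5: discard the installed definitions, then request a fresh set. This is the
    # command-line equivalent of clicking Update on the Update tab.
    if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
    & $mpCmdRun -RemoveDefinitions -All | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }
    & $mpCmdRun -SignatureUpdate | Out-Null
    return $LASTEXITCODE    # 0 = definitions downloaded and installed
}

$moved = Reset-WindowsUpdateCache
"Old update cache moved to $moved"
$code = Reset-FepDefinitions
if ($code -eq 0) { 'Definitions re-downloaded; the Update tab now shows the new version.' }
else             { "Signature update returned $code; try the manual download in step 6." }
```

The page restarts the computer between removing the definitions and clicking Update; the script requests the update immediately instead, which is fine when the antimalware service is running. A non-zero exit code from the signature update points at the download path (proxy, connectivity, or the Internet Explorer settings covered in steps 1 and 2) rather than at the client, which is the same conclusion the note under step 6 draws.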

Step 6: Manually install the virus and spyware definition updates

• If you are running a 32-bit Windows operating system, download the latest updates manually

at http://go.microsoft.com/fwlink/?LinkID=87342

(http://go.microsoft.com/fwlink/?LinkID=87342).

• If you are running a 64-bit Windows operating system, download the latest updates manually

at http://go.microsoft.com/fwlink/?LinkID=87341

(http://go.microsoft.com/fwlink/?LinkID=87341).

• Click Run. The latest updates are manually installed on your computer.

Note:

If you were able to manually install virus and spyware definitions, the problem is most likely

caused by a download issue. To learn how to resolve download issues, see Resolving download

issues during setup or upgrade.

Step 7: Contact Support

• If the steps did not resolve the issue, contact support. For more information, see Customer

Support (http://go.microsoft.com/fwlink/?LinkID=196174).

I can't start the Forefront Endpoint Protection service

Symptom

You receive a message notifying you that “Microsoft Forefront Endpoint Protection 2010 isn't

monitoring your computer because the program's service stopped. You should restart it now.”

Solution

Step 1: Restart your computer.

• Close all applications and restart your computer.


Step 2: Make sure the “Microsoft Forefront Endpoint Protection 2010” service is set to automatic

and is started

1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.

–or–

In Windows Vista and Windows 7, click Start, click in the Start Search box, type services.msc, and

then press Enter.

2. Search for Microsoft Antimalware Service (service name MsMpSvc). Right-click it and select

Properties, or double-click it to open the service.

3. Check to make sure that the "Startup Type" is set to "Automatic".

4. Click the Start button to start the service. If the Start button is not available, click the Stop

button, and then click the Start button to restart the service.

5. Make sure you note any errors that may appear during this process, submit a case online,

and include the error information.
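Step 2 above, and the Windows Installer check in the installation troubleshooting that follows, are the same procedure applied to different services: make sure the startup type is Automatic, start the service, and note any error. The following PowerShell script is an added example, not code from the Forefront Endpoint Protection documentation, that performs that procedure for a list of services and, when a start fails, pulls the recent Service Control Manager errors out of the System event log so they can be attached to the support case that step 5 asks for. It assumes, since the page does not state it, that the service names are MsMpSvc ("Microsoft Antimalware Service"), NisSrv (the Network Inspection System service) and msiserver ("Windows Installer").

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): step 2 above as
# a script, generalised to every service the troubleshooting steps name. For each service it
# sets the startup type to Automatic, starts it, and if the start fails collects the recent
# Service Control Manager errors from the System log so they can go into the support case.
# Run it from an elevated prompt.
#
# Assumption, not stated on this page: the service names are MsMpSvc ("Microsoft Antimalware
# Service"), NisSrv (the Network Inspection System service) and msiserver ("Windows Installer",
# which the installation troubleshooting below also asks you to check).

function Ensure-ServiceRunning {
    param([string]$Name, [int]$RecentErrors = 5)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        return New-Object PSObject -Property @{ Name = $Name; Result = 'not installed'; Errors = @() }
    }
    # Get-Service does not expose the startup type on older PowerShell versions; WMI does.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if ($wmi.StartMode -ne 'Auto') { Set-Service -Name $Name -StartupType Automatic }

    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name $Name -ErrorAction Stop
            $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
        } catch {
            $failure = $_.Exception.Message
            # The SCM logs why a service could not start; keep the entries that name this one.
            $errors = @(Get-EventLog -LogName System -EntryType Error -After (Get-Date).AddMinutes(-10) -ErrorAction SilentlyContinue |
                Where-Object { $_.Source -eq 'Service Control Manager' -and $_.Message -like "*$($wmi.DisplayName)*" } |
                Select-Object -First $RecentErrors -ExpandProperty Message)
            return New-Object PSObject -Property @{ Name = $Name; Result = "failed: $failure"; Errors = $errors }
        }
    }
    return New-Object PSObject -Property @{ Name = $Name; Result = 'running'; Errors = @() }
}

foreach ($service in 'MsMpSvc', 'NisSrv', 'msiserver') {
    $r = Ensure-ServiceRunning -Name $service
    '{0,-10} {1}' -f $r.Name, $r.Result
    foreach ($msg in $r.Errors) { '    ' + $msg }
}
```

If MsMpSvc reports "not installed" the client is not present or its installation is broken, which is the case Step 4 (uninstall and reinstall) covers; a "failed" result with an SCM error naming another security product's driver points at Step 3.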

Step 3: Remove any existing Internet security programs

1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.

–or–

In Windows Vista or Windows 7, click Start, click in the Start Search box, type appwiz.cpl, and then

press Enter.

2. In the list of installed programs, uninstall any third-party Internet security programs.

3. Restart your computer, and then try to install Microsoft Forefront Endpoint Protection 2010

again.

Note:

Some Internet security applications do not uninstall completely. You may need to download and

run a cleanup utility for your previous security application in order for it to be completely

removed.

Caution:

When you remove Internet security programs, your computer is unprotected. If you have

problems installing Forefront Endpoint Protection after you remove existing Internet security

programs, contact Forefront Endpoint Protection Support immediately by submitting a case


online (for more information, see How to submit a case online ).

Step 4: Uninstall/reinstall Microsoft Forefront Endpoint Protection 2010

1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.

-or-

In Windows Vista and Windows 7, click Start, and in the Start Search box, type appwiz.cpl, and then

press Enter.

2. In the list of installed programs, click Microsoft Forefront Endpoint Protection 2010, and

then uninstall it.

3. If prompted, restart your computer, and then try to install Microsoft Forefront Endpoint

Protection 2010 again.

I can't install Forefront Endpoint Protection

This topic contains solutions for issues you may encounter while installing Microsoft Forefront

Endpoint Protection 2010.

Symptoms

Installation fails for an unknown reason, or you receive an error message with an error code, such

as 0x80070643, 0x8007064A, 0x8004FF2E, 0x8004FF01, 0x8004FF07, 0x80070002, 0x8007064C,

0x8004FF00, 0x80070001, 0x80070656, 0x8004FF40, 0xC0000156, 0x8004FF41, 0x8004FF0B,

0x8004FF11, 0x80240022, 0x8004FF04, 0x80070660, 0x800106B5, 0x80070715, 0x80070005,

0x8004EE00, 0x8007003, 0x800B0100, 0x8007064E, or 0x8007007E.

If your computer is running Windows XP Service Pack 2 (SP2), you might see one or more of the following error messages:

• Installation Wizard is missing a filter manager rollup package needed to complete the installation.

• KB914882 Setup Error, Setup cannot update your Windows XP files because the language installed on your system is different from the update language.

Cause

Microsoft Forefront Endpoint Protection 2010 cannot be installed on a computer that is running other security programs. Sometimes, even if you remove other security programs, they do not completely uninstall. You must be running a genuine version of the Windows operating system to install Forefront Endpoint Protection.

If your computer is running Windows XP SP2, you might be missing one or more of the following prerequisites for installing Forefront Endpoint Protection:

• Windows Installer 3.1


• Forefront Client Security Filter Manager QFE for Windows XP/SP2

Solution

Important:

You will need to restart your computer while resolving this issue. Bookmark this page (mark it as a Favorite) to make it easier to find this topic again, or print it for easy reference.

Step 1: Remove any existing security programs

1. Completely uninstall any existing Internet security programs by following the steps in the topic: How do I uninstall existing antivirus or antispyware programs?

2. Restart your computer.

3. Install Microsoft Forefront Endpoint Protection 2010 again. If this does not resolve the issue, continue to the next step.

Step 2: Ensure that the Windows Installer service is running

1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type services.msc, and then press Enter.

–or–

In Windows 7, click Start. In the Search programs and files box, type services.msc, and then press Enter.

2. Right-click Windows Installer, and then click Start. If Start is unavailable and the Stop and Restart options are available, this tells you that the service is already started.

3. On the Services page, on the File menu, click Exit.

4. In Windows XP, click Start, click Run, type cmd, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type command prompt. Right-click Command Prompt, and then click Run as administrator.

–or–

In Windows 7, click Start. In the Search programs and files box, type command prompt. Right-click Command Prompt, and then click Run as administrator.

5. Type MSIEXEC /REGSERVER, and then press Enter.


Note:

There is no indication that this command has succeeded or failed.

6. Install Microsoft Forefront Endpoint Protection 2010 again. If this does not resolve the issue, continue to the next step.

Step 3: If your computer is running Windows XP SP2, verify that it has the required prerequisites

1. If you are running Windows XP and Windows Installer 3.1 is not installed on your computer, download and install Windows Installer 3.1 from Windows Installer 3.1 v2 (3.1.4000.2435) is available (http://go.microsoft.com/fwlink/?LinkId=110600).

2. Download and install the required hotfix for client computers running Windows XP SP2:

a. Go to Forefront Client Security Filter Manager QFE for Windows XP/SP2 (http://www.microsoft.com/downloads/details.aspx?FamilyID=B18A6BA9-AF43-4B0A-BABD-1E60A2D5E08A&displaylang=en).

b. On the Web page, click the link for the download package that is the same language as the version of Windows XP running on the client computer.

c. Follow the instructions to download and install the hotfix package.

d. Restart your computer.

e. Install Microsoft Forefront Endpoint Protection 2010. If this does not resolve the issue, continue to the next step.

Step 4: Start Windows in Selective Startup mode

1. In Windows XP, click Start, click Run, type msconfig, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type msconfig, and then press Enter.

–or–

In Windows 7, click Start. In the Search programs and files box, type msconfig, and then press Enter.

2. On the General tab, click Selective Startup, and then clear the Load Startup Items check box.

3. On the Services tab, select the Hide All Microsoft Services check box, and then clear all the check boxes for the services that remain in the list.

4. Click OK, and then click Restart to restart the computer.

5. Try to install Microsoft Forefront Endpoint Protection 2010 again.
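The checks in Steps 1 through 3 (leftover security products, the Windows Installer service, re-registering msiexec, and the Windows XP SP2 prerequisites) can be run from a script before retrying setup, which is useful when many clients fail the same way. The following PowerShell script is an added example and is not part of the Forefront documentation or the product. It assumes PowerShell 2.0 or later in an elevated (Run as administrator) prompt; msiserver is the standard service name of Windows Installer, the Security Center WMI namespaces are the standard Windows ones, and the KB number is the one shown in the error message under Symptoms above.

```powershell
# Added example (not from the Forefront documentation): scripted version of the
# pre-install checks in Steps 1-3. Assumes PowerShell 2.0+ and an elevated prompt.

function Test-FepInstallPrerequisites {
    $issues = @()

    # Step 1 equivalent: list other antimalware products still registered with
    # Windows Security Center. root\SecurityCenter2 exists on Vista/7,
    # root\SecurityCenter on Windows XP; the first namespace that answers wins.
    $products = $null
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products -ne $null) { break }
    }
    foreach ($p in @($products)) {
        if ($p -ne $null -and $p.displayName -notmatch 'Forefront') {
            $issues += "Other security product still registered: $($p.displayName)"
        }
    }

    # Step 2 equivalent: make sure the Windows Installer service is running.
    $msi = Get-Service -Name msiserver -ErrorAction SilentlyContinue
    if ($msi -eq $null) {
        $issues += 'Windows Installer service (msiserver) not found'
    } elseif ($msi.Status -ne 'Running') {
        try { Start-Service -Name msiserver -ErrorAction Stop }
        catch { $issues += "Windows Installer service could not be started: $_" }
    }

    # Step 2, item 5 equivalent: re-register the installer. As the Note above
    # says, this command prints nothing on success or failure.
    & "$env:SystemRoot\System32\msiexec.exe" /regserver

    # Step 3 equivalent, Windows XP only (version 5.1): Windows Installer must be
    # at least 3.1 and the Filter Manager rollup (KB914882) must be installed.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Version -like '5.1*') {
        $msiVer = (Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo.ProductVersion
        if ([version]$msiVer -lt [version]'3.1') {
            $issues += "Windows Installer $msiVer is older than 3.1"
        }
        if (-not (Get-HotFix -Id KB914882 -ErrorAction SilentlyContinue)) {
            $issues += 'Filter Manager rollup KB914882 is not installed'
        }
    }

    return $issues
}

$result = Test-FepInstallPrerequisites
if (-not $result) {
    'Prerequisite checks passed; retry the Forefront Endpoint Protection installation.'
} else {
    $result
}
```

Run it once, act on each reported issue (the manual steps above describe the fix for each one), and then retry setup. A product that still appears in the Security Center list after it was uninstalled is the "does not completely uninstall" case described under Cause.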


I can't connect to the Internet issue (General topic)

In order to make sure that your computer receives the latest updates from Windows Update, you must be connected to the Internet.

Symptom

You receive a notification that Microsoft Forefront Endpoint Protection 2010 is unable to install the latest updates because you are not connected to the Internet.

Cause

Internet issues might be due to connection problems between your computer and your router.

Solution

Note:

Before you begin, print or write down these instructions. You will restart your computer during this procedure, so you'll need a copy of the steps to refer to. The steps may contain a link to another Web site, so you may want to bookmark this topic before you begin.

Step 1: Test your Internet connection by trying to visit several Web sites and checking other Internet-enabled applications

• If you are able to access Web sites, continue to the next step.

Step 2: Verify that your computer is connected to the Internet

1. In Windows XP, click Start, click Run, type ncpa.cpl, and then press Enter.

–or–

In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press Enter.

–or–

In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then press Enter.

2. Right-click the connection name and then click Status.

3. If your computer is connected, in Windows XP the connection status will appear as Connected, Enabled, or Authentication succeeded. In Windows Vista and Windows 7, the IPv4 status will appear as Internet.

4. If your computer doesn't appear to be connected, right-click the connection name, and then click Connect, Enable, Authenticate, or Repair.


Step 3: Restart your computer

• Close any open programs and restart your computer.

Step 4: If you still can't connect to the Internet, check your connections

1. If you use a dial-up connection, make sure the telephone cord is firmly connected at the wall jack and at your modem.

2. If you use a cable modem, make sure the cable connection to the modem and the connection from the modem to your computer are firmly connected.

3. If you use a cable modem or DSL router, make sure the connections to the router and to the computer are firmly connected. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the modem first, wait one minute, then plug in the router, and restart your computer.

Step 5: Use the Windows Network Diagnostic tool

For computers running Windows Vista and Windows 7

1. In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press Enter.

–or–

In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then press Enter.

2. Right-click the network connection that the computer would use to connect to the Internet, click Diagnose, and then follow the on-screen instructions.

3. If you use a cable modem or DSL router, make sure the connections to the router and to the computer are firmly connected.

4. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the modem first, wait one minute, then plug in the router, and restart your computer.

For computers running Windows XP

1. In Control Panel, click Network and Internet Connections, and then click Network Diagnostics.

2. If you do not see the Network and Internet Connections option in Control Panel, click Start, and then click Help and Support. On the Help and Support Center page, under Pick a Task, click Use Tools to view your computer information and diagnose problems. In the left-hand column of the tools page, click Network Diagnostics.

Step 6: If you still can't connect to the Internet, contact your Internet Service Provider (ISP) or the company that provides your access to the Internet


Error “0x8*******” encountered during virus and spyware definition updates or product upgrades

Forefront Endpoint Protection uses the Microsoft Update (MU) service to deliver virus and spyware definition updates and product upgrades. Definition update failures that are caused by this service result in a “0x8*******” error. If you encounter one of these errors, write down the exact error code and follow these steps.

Step 1: Restart the Microsoft Update (MU) service

In Windows XP

1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.

2. Right-click Automatic Updates, and then click Start. If Start is unavailable, click Restart.

In Windows Vista and Windows 7

1. In Windows Vista, click Start, and in the Start Search box, type services.msc, and then press Enter.

-or-

In Windows 7, click Start, and in the Search programs and files box, type services.msc, and then press Enter.

2. Right-click Windows Update, and then click Start. If Start is unavailable, click Restart.

Step 2: Troubleshoot Microsoft Update (MU) errors

1. Visit Windows Vista Help & How-to (http://go.microsoft.com/fwlink/?LinkId=166390).

2. In the search box, enter the error code that you received.

3. Follow the steps provided and try again.

4. To update the virus and spyware definitions, click the Update tab, and then click Update.
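Both the connectivity checks in "I can't connect to the Internet" (Step 2 and Step 4) and the service restart in Step 1 above come down to two questions: does the machine have a working IP path to the Internet, and is the update service running? The following PowerShell script is an added example, not part of the Forefront documentation or the product. It assumes PowerShell 2.0 or later in an elevated prompt; wuauserv is the standard service name behind Automatic Updates (Windows XP) and Windows Update (Vista and Windows 7), bits is the standard name of the Background Intelligent Transfer Service that carries the downloads, and the probe host www.microsoft.com is an assumption that can be replaced with any host the computer should be able to reach.

```powershell
# Added example (not from the Forefront documentation): scripted equivalent of the
# connectivity checks and the Microsoft Update service restart described above.
# Assumes PowerShell 2.0+ and an elevated prompt.

function Test-UpdateConnectivity {
    param([string]$ProbeHost = 'www.microsoft.com')   # assumed probe host
    $report = @()

    # Step 2 equivalent of the connectivity topic: adapters with an IP configuration.
    $cfgs = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($cfgs.Count -eq 0) {
        $report += 'No adapter has an IP configuration; check the cables and router (Step 4).'
    } else {
        foreach ($c in $cfgs) {
            $ip = $c.IPAddress -join ', '
            $gw = $c.DefaultIPGateway -join ', '
            $report += "Adapter '$($c.Description)': IP $ip, gateway $gw"
        }
    }

    # Reachability and name resolution: the two things a "not connected" notice
    # does not distinguish. Test-Connection resolves the name and sends one ICMP echo.
    if (Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet) {
        $report += "Reached $ProbeHost; Internet connectivity looks fine."
    } else {
        $report += "Could not reach $ProbeHost; run the Network Diagnostics tool (Step 5)."
    }

    return $report
}

function Restart-UpdateServices {
    # Equivalent of right-clicking Automatic Updates / Windows Update in services.msc
    # and clicking Start (or Restart). BITS is handled the same way because
    # Microsoft Update downloads go through it.
    $status = @()
    foreach ($name in 'wuauserv', 'bits') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            $status += "Service $name not found"
            continue
        }
        if ($svc.Status -eq 'Running') {
            Restart-Service -Name $name -Force
        } else {
            Start-Service -Name $name
        }
        $status += "$name is now $((Get-Service -Name $name).Status)"
    }
    return $status
}

Test-UpdateConnectivity
Restart-UpdateServices
```

If the connectivity report is clean and the services restart without error but the same “0x8*******” code comes back, the cause is on the Microsoft Update side rather than the network, which is the case Step 2 above (looking up the exact error code) is meant for.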

Forefront Endpoint Protection detects a threat but can't remediate it

When Microsoft Forefront Endpoint Protection 2010 detects a potential threat hiding inside a compressed file with a .zip file name extension or within a network share, it tries to quarantine or remove the threat.

Symptom

You might receive a notice that Forefront Endpoint Protection was not able to apply your actions.

Cause

In most cases, this problem occurs because Forefront Endpoint Protection doesn't have access to the location of the infected file.

Solution

Remove or scan the file


• If the detected threat was in a .zip file, browse to the .zip file, and then either remove the file or scan it by right-clicking the file and selecting Scan with Forefront Endpoint Protection. If Forefront Endpoint Protection detects additional threats in the file, it notifies you about these threats and enables you to choose an appropriate action.

• If the detected threat was in a network share, browse to the network share and scan it by right-clicking the file and selecting Scan with Forefront Endpoint Protection. If Forefront Endpoint Protection detects additional threats in the network share, it notifies you about these threats and enables you to choose an appropriate action.

• If you're not sure of the file's origin, one of the best solutions is to run a full scan on your computer. (For more information, see Scanning for viruses, spyware, and other potentially unwanted software.) A full scan may take some time to complete, but it makes it possible for Forefront Endpoint Protection to look for the source of the infection and clean it.