NIC2012 - System Center Endpoint Protection 2012
Transcript of NIC2012 - System Center Endpoint Protection 2012
Nicolai Henriksen Chief Infrastructure Architect EDB ErgoGroup MVP Configuration Manager
Blog: systemcenterforefront.blogspot.com Twitter: @nicolaitwitt
What's new in Endpoint Protection 2012
• Integrated in System Center Configuration Manager 2012
• Improved real-time alerts and reports
• Role-based management
• User-centric reports (post beta)
• Easy migration from FEP 2010/ConfigMgr 2007
• Support for FEP 2010 client agents
• Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine, such as behavior monitoring, the Network Inspection System and heuristics. With cloud-based updates through the SpyNet service, endpoints get updated protection against new threats in real time.
Benefits of enabling Dynamic Signature Service in FEP
Do we need antivirus?
Important
No exceptions
Are we ready for the market?
NIC 2012
History: it’s not a newbie
Forefront Client Security in 2006
Security Essentials beta (2009)
January 16, 2012 NIC 2012
Security Essentials was announced in November 2008 (codename Morro), with a public beta in 2009. Microsoft had had some previous offerings (Windows Defender), but Security Essentials was the first to offer a complete anti-virus and anti-spyware solution that was free (Windows Live OneCare was a short-lived subscription-based precursor to Security Essentials).
Security Essentials was not meant to compete with other “for-pay” anti-virus software, but was instead aimed at the 50-60% of PC users who don’t have (or won’t pay for) anti-virus and anti-malware protection.
It’s clear that Microsoft was doing something right; in February 2010, a rogue anti-virus package calling itself Security Essentials 2010
Microsoft has built on the success of Security Essentials in the enterprise with the new Forefront Endpoint Protection 2010 package.
Forefront Endpoint Protection 2010 released Dec 2010
‘Hey, if I can have free anti-virus on my home PC, why are we paying so much for it for our enterprise desktops?’
System Center Endpoint Protection 2012 – RTM ..soon
If I were to make antivirus software..
I would have wanted it to be:
• Very good at detecting and removing malware!
• As fast as possible
• Use as little resources as possible
• Easy to deploy
• Easy to manage and good reporting
Is it any good?
http://www.virusbtn.com/vb100/archive/compare?tab=onDemand&id=23&id2=2&id3=3&id4=52&id5=&id6=
Facts
System Center Endpoint Protection 2012 is the next-generation security and antimalware solution integrated into System Center Configuration Manager 2012. It delivers security and antimalware management for desktops, portable computers and servers at a lower total cost of ownership, letting desktop administrators in your organization add security management to their day-to-day operations.
Endpoint Protection 2012: one infrastructure for desktop management and protection
Ease of Deployment
• Built on top of Microsoft® System Center Configuration Manager
• Supports all System Center Configuration Manager topologies and scale
• Facilitates easy migration
• Deploy across various operating systems, Windows® client and Server
Enhanced Protection
• Protection against all types of malware
• Proactive security against zero-day threats
• Productivity-oriented default configuration
• Integrated management of host firewall
• Backed by Microsoft Malware Protection Center
Simplified Desktop Management
• Unified management interface for desktop administrators
• Effective alerts
• Simple, operation-oriented policy administration
• Historical reporting for security administrators
Antimalware Realities
• Malware threats used to be relatively simple…
• With advances in the Web come increasingly complex threats
• Malware has grown into a thriving global business:
1) “Malware author” grows a BOTNET and makes it available to “buyers”
2) Access is purchased via a “marketplace”
3) BOTNET use is granted
4) BOTNET attacks are seen at multiple entry points
5) BOTNET also serves to “recruit” additional bots
• The volume of malware is exploding
[Chart: malicious files per year, 2006 / 2008 / 2010; y-axis 0 to 40 000 000]
Antimalware Engineering Releases
• Platform: once yearly
• Engine: monthly
• Signatures: 3x per day
• Dynamic Signatures (DSS): real time
Some features..
• Zip file detection/remediation
• Diagnostic scan
• Process/registry/network RTP watchers
• Directional scanning
• Persisted file cache
• Wildcard support for exclusions
• Scheduled scan randomization
• CPU throttling
• Command line scanner
• Signature update package chaining
• UNC signature distribution
• Signature source ordering fallback
• Dynamic translation
• Kernel inspection
• Dynamic signature service
• WLSP integration
• Network vulnerability shielding (NIS)
• Kernel Support Library (KSL) driver
• Reboot tracking (remediation)
• Directed scanning improvements
• Offline scan integration
• Service hardening/anti-tampering
• State management
• Kernel-mode boot-time removal
• Live system behavior monitoring
Dynamic Signature Service (DSS)
• Delivers protection for new threats not in the signature set on the endpoint.
  – Low fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with Dynamic Translation
  – Queries the SpyNet telemetry service about ‘interesting’ files
• Back-end classifiers use machine learning to identify new malware
• If the file is known bad, a new signature is delivered in real time to the client requesting it
• Balances signature distribution time/cost with the need for real-time updates
• Admins must opt in to at least ‘Basic’ SpyNet to use this feature
[Diagram: protection layers] Firewall & Configuration Management | Malware Response (MMPC) | Generics and Heuristics | Antimalware | Behavior Monitoring | Dynamic Signature Service | Anti-Rootkit | Network Vulnerability Shielding
Anti-Rootkit
• Advanced rootkit scanning and remediation defends against sophisticated threats.
• New remediation features:
  – Reboot Tracking: provides awareness that the system is in the process of rebooting, which lets us take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives)
  – Directed scanning improvements
  – Offline scan integration
  – Diagnostic Scan
Microsoft Anti-Rootkit Test Results (detection rate; source: AV-Test.org)
Year | Detect inactive | Detect active | Remove active
2007 | 83% | 57% | 33%
2009 | 100% | 72% | 60%
2010 | 100% | 100% | 86%
Logs
Log name | Description | Computer with log file
EndpointProtectionAgent.log | Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client. | Client
EPCtrlMgr.log | Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database. | Site system server
EPMgr.log | Monitors the status of the Endpoint Protection site system role. | Site system server
EPSetup.log | Provides information about the installation of the Endpoint Protection site system role. | Site system server
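Added example, not from the deck: all four logs above are written in the ConfigMgr (CMTrace) line format, so one parser serves the client log and the three site-server logs. The Python below parses constructed EndpointProtectionAgent.log lines (the message texts, timestamps and file:line values are invented for illustration; only the line layout and the type codes 1/2/3 = info/warning/error follow the CMTrace convention), maps the type field to a severity, pulls out the errors and measures the gap between two events. The UTC bias suffix on the time field is kept as parsed; its sign convention is not interpreted here.

```python
import re
from datetime import datetime

# Constructed sample in CMTrace format. The message texts, timestamps and
# file:line values are invented; only the line layout is the real convention.
SAMPLE_LOG = r'''<![LOG[Endpoint is triggered by message.]LOG]!><time="08:01:02.123+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="1234" file="epagentimpl.cpp:120">
<![LOG[Installing Endpoint Protection client from C:\Windows\ccmsetup\SCEPInstall.exe]LOG]!><time="08:01:05.456+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="1234" file="epagentimpl.cpp:300">
<![LOG[Failed to apply antimalware policy, error 0x80004005]LOG]!><time="08:03:10.789+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="3" thread="1234" file="epagentimpl.cpp:512">
<![LOG[Antimalware policy applied successfully.]LOG]!><time="08:05:00.000+000" date="01-16-2012" component="EndpointProtectionAgent" context="" type="1" thread="1234" file="epagentimpl.cpp:530">
'''

# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." ...>.
# Messages may span lines, hence DOTALL; the non-greedy message group stops
# at the first ]LOG]!> marker.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>\d)" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL,
)
# HH:MM:SS.mmm followed by a signed UTC bias in minutes (kept as parsed).
TIME_RE = re.compile(r'^(\d{2}:\d{2}:\d{2}\.\d{1,6})([+-]\d+)$')
SEVERITY = {1: "info", 2: "warning", 3: "error"}


def parse_cmtrace(text):
    """Return one dict per well-formed entry, in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        tm = TIME_RE.match(m.group("time"))
        if not tm:
            continue  # malformed time field: skip the entry rather than crash
        clock, bias = tm.groups()
        entries.append({
            "timestamp": datetime.strptime(f'{m.group("date")} {clock}', "%m-%d-%Y %H:%M:%S.%f"),
            "utc_bias_minutes": int(bias),
            "component": m.group("component"),
            "severity": SEVERITY.get(int(m.group("type")), "unknown"),
            "thread": int(m.group("thread")),
            "file": m.group("file"),
            "message": m.group("message").strip(),
        })
    return entries


def entries_of_severity(entries, severity):
    return [e for e in entries if e["severity"] == severity]


def severity_counts(entries):
    counts = {}
    for e in entries:
        counts[e["severity"]] = counts.get(e["severity"], 0) + 1
    return counts


def seconds_between(entries, first_substring, second_substring):
    """Seconds from the first entry containing first_substring to the first
    entry at or after it containing second_substring; None if either is absent."""
    start = next((e for e in entries if first_substring in e["message"]), None)
    if start is None:
        return None
    end = next((e for e in entries
                if second_substring in e["message"] and e["timestamp"] >= start["timestamp"]), None)
    if end is None:
        return None
    return (end["timestamp"] - start["timestamp"]).total_seconds()


if __name__ == "__main__":
    log = parse_cmtrace(SAMPLE_LOG)
    print(severity_counts(log))
    for e in entries_of_severity(log, "error"):
        print(e["timestamp"], e["file"], e["message"])
    print("install -> policy applied:",
          seconds_between(log, "Installing Endpoint Protection client", "applied successfully"), "s")
```

On a real client, point the same parser at C:\Windows\CCM\Logs\EndpointProtectionAgent.log (read with errors="replace", since CMTrace logs can be written in a mix of encodings) and filter on severity "error" to find failed policy applications quickly without opening CMTrace.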
Simplified Deployment & Migration
[Diagram: central administration site with primary sites]
FEP Policy: CfgMgr or Group Policy?
You should consider managing policy with CfgMgr if…
• You want unified management (Recommended)
• You have CfgMgr deployed on all the computers you will manage
• You have non domain-joined machines
• You do not want to have to understand and manage many low-level settings
• You don’t need more than one policy per computer, even on servers
You should consider managing policy with Group Policy if…
• Some of the computers you want to manage don’t have CfgMgr
• You prefer to manage policy with group policy
• You want extremely granular control over settings
• You prefer to “layer” policies, that is to apply more than one policy per computer
Policy Templates - Client
Setting | Standard | High Security | Perf. Optimized
Enable NIS | (checkmarks not in transcript) | (checkmarks not in transcript) | (checkmarks not in transcript)
Scheduled scans | Weekly Quick | Daily Quick + Weekly Full | Weekly Quick
Scan only when idle | (checkmarks not in transcript) | (checkmarks not in transcript) | (checkmarks not in transcript)
Force if 2 scans missed (on reboot) | (checkmarks not in transcript) | (checkmarks not in transcript) | (checkmarks not in transcript)
Throttle CPU | 50% | - | 30%
Force definition update after | 1 day | 1 day | -
Firewall | Block incoming in all profiles | Block incoming in all profiles | Not Configured
Available Server Workload Policies
# | Server Role or Server Application
1 SQL 2005 Ent/Std (with clustering)
2 SQL 2008 Ent/Std (with clustering)
3 SCOM 2007 R2 (with clustering) in FEP-S Configuration
4 SCCM 2007 (with clustering) in FEP Configuration
5 Exchange 2007 (HubTransport, ClientAccess, Mailbox)
6 Exchange 2010 (HubTransport, ClientAccess, Mailbox)
7 SharePoint
8 File Services
9 Internet Information Services 6
10 Internet Information Services 7
11 DNS Server
12 Active Directory Domain Services (including SYSVOL/FRS/DFS/DFS-R)
13 DHCP Server
14 Terminal Services
15 Hyper-V
16 Forefront Protection for Exchange
Default Policies
• FEP provides 2 default policies:
  – Default Desktop Policy
    • Weekly quick scan, RTP on, default exclusions, Firewall enabled
    • Assigned to Deployment Succeeded\Deployed Desktops Collection
  – Default Server Policy
    • No scheduled scan, RTP on, default exclusions, Firewall not enabled
    • Assigned to Deployment Succeeded\Deployed Servers Collection
  – Can be modified but not deleted
Policy Precedence
• Computers can belong to multiple Collections, so may be candidates for multiple policies
• Only one policy can be applied via ConfigMgr at a time – ConfigMgr-delivered policy does not support “layering”
• Precedence is used to determine the effective policy
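Added example (not from the deck and not ConfigMgr's own code) of the precedence rule above: a computer's candidate policies are those assigned to the collections it belongs to, and exactly one candidate, the highest-precedence one, is applied; nothing is merged. The computer names, collections, policy names, exclusion lists and the convention that a lower priority number wins are all constructed for illustration (the two default policies are given the lowest precedence so that any custom policy overrides them). The shadowed_exclusions check shows the practical consequence of no layering: a server that sits in both the SQL and the Exchange collections silently loses the exclusions of whichever policy lost the precedence contest, so such servers need one combined policy.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                  # assumption: lower number = higher precedence
    collection: str                # collection the policy is assigned to
    scheduled_scan: str
    exclusions: frozenset = field(default_factory=frozenset)


# Constructed data: names, priorities and exclusions are illustrative only.
POLICIES = [
    Policy("Default Desktop Policy", 10000, "Deployed Desktops", "weekly quick"),
    Policy("Default Server Policy", 10000, "Deployed Servers", "none"),
    Policy("Finance Desktops High Security", 5, "Finance Desktops", "daily quick",
           frozenset({r"C:\Finance\Reports"})),
    Policy("Exchange 2010 Servers", 3, "Exchange Servers", "none",
           frozenset({"*.edb", r"D:\ExchangeData"})),
    Policy("SQL 2008 Servers", 2, "SQL Servers", "none",
           frozenset({"*.mdf", "*.ldf"})),
]

COLLECTIONS = {
    "Deployed Desktops": {"PC01", "PC02"},
    "Deployed Servers": {"SRV01", "SRV02"},
    "Finance Desktops": {"PC02"},
    "Exchange Servers": {"SRV01"},
    "SQL Servers": {"SRV01"},          # SRV01 hosts both SQL and Exchange
}


def candidate_policies(computer, policies=POLICIES, collections=COLLECTIONS):
    """Every policy whose target collection contains the computer."""
    return [p for p in policies if computer in collections.get(p.collection, ())]


def effective_policy(computer, policies=POLICIES, collections=COLLECTIONS):
    """The single policy that would be delivered, or None if the computer is
    in no targeted collection. Two candidates with equal priority are
    ambiguous and raise rather than being resolved by list order."""
    candidates = candidate_policies(computer, policies, collections)
    if not candidates:
        return None
    best = min(candidates, key=lambda p: p.priority)
    ties = [p.name for p in candidates if p.priority == best.priority and p is not best]
    if ties:
        raise ValueError(f"{computer}: equal priority between {best.name!r} and {ties}")
    return best


def shadowed_exclusions(computer, policies=POLICIES, collections=COLLECTIONS):
    """Exclusions that lower-precedence candidates define but the effective
    policy does not: with no layering they are never applied to this computer."""
    winner = effective_policy(computer, policies, collections)
    if winner is None:
        return frozenset()
    lost = set()
    for p in candidate_policies(computer, policies, collections):
        if p is not winner:
            lost |= p.exclusions - winner.exclusions
    return frozenset(lost)


def audit(computers, policies=POLICIES, collections=COLLECTIONS):
    """Map each computer to its effective policy name (None if unmanaged)."""
    result = {}
    for c in computers:
        p = effective_policy(c, policies, collections)
        result[c] = p.name if p else None
    return result


if __name__ == "__main__":
    for c in ["PC01", "PC02", "SRV01", "SRV02", "PC99"]:
        p = effective_policy(c)
        print(c, "->", p.name if p else None, "| lost exclusions:", sorted(shadowed_exclusions(c)))
```

Run the audit against an export of collection membership before cutting over from Group Policy: any computer that resolves to None has no antimalware policy at all, and any computer with a non-empty shadowed_exclusions set needs a dedicated combined policy at a higher precedence than the role policies it spans.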
FEP Architecture
[Diagram] ConfigMgr site server & DB at the centre, with Config./Dashboard data and Reports served from SQL Reporting Services (or a file share); ConfigMgr Software Distribution and ConfigMgr Desired Configuration Management connect the site to desktops, laptops and servers running the ConfigMgr client & EP 2012, which send EVENTS and DATA back to the site; endpoint TELEMETRY goes to SpyNet.
EP Capacity Planning
Criteria | Recommended resource availability based on CM HW recommendation | EP 2012 300K topology internal test results
SQL server CPU impact by EP (delta) | 20% | <5%
SCCM server CPU impact by EP (delta) | 10% | <2%
Memory footprint | 500 MB | <100 MB
Expected disk capacity after 1 year | 500 GB | <400 GB
* Actual capacity planning depends on organization load profile, retention policy and specific hardware deployment: http://blogs.technet.com/b/clientsecurity/archive/2011/01/19/fep-capacity-planning-worksheet.aspx
Supported platforms
• Windows 7 (x86 or x64), or Windows 7 XP Mode
• Windows Vista (x86 or x64) or later versions
• Windows XP Service Pack 2 (x86 or x64) or later versions
• Windows Server 2008 R2 (x64) or later versions, or Windows Server 2008 R2 Server Core (x64)
• Windows Server 2008 (x86 or x64) or later versions
• Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or Windows Server 2003 R2 (x86 or x64) or later versions
Migration to Endpoint Protection made simple
• Automatic removal of existing AV products:
– Symantec Endpoint Protection version 11
– Symantec Endpoint Protection Small Business Edition version 12
– Symantec Corporate Edition version 10
– McAfee VirusScan Enterprise version 8.5 and version 8.7
– TrendMicro OfficeScan version 8.0 and version 10.0
– Forefront Client Security v1
If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install FEP. Otherwise, the FEP installation program will not be able to uninstall the existing antimalware client.
Demo
Nicolai Henriksen Chief Infrastructure Architect EDB ErgoGroup MVP Configuration Manager
Blog: systemcenterforefront.blogspot.com Twitter: @nicolaitwitt
Thank you!