Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication and is subject to change at any time without notice to you.
This document and its contents are provided AS IS without warranty of any kind, and should not be
interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN
THIS DOCUMENT.
The descriptions of other companies’ products in this proposal, if any, are provided only as a convenience
to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft
cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are
intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative
descriptions of these products, please consult their respective manufacturers.
This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.
All trademarks are the property of their respective companies.
Printed in the United States of America
©2007 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of the actual companies and products mentioned herein may be the trademarks of their
respective owners.
Implementing Endpoint Protection in System Center 2012 R2 Configuration Manager Page 1
Objectives After completing this lab, you will be able to:
Configure Endpoint Protection in a Configuration Manager 2012 R2 environment
Create and deploy Endpoint Protection policies
Clean a malware infection
Report status on Endpoint Protection
Implement real-time actions in Configuration Manager 2012 R2 to
quickly respond to client issues
Prerequisites This lab requires an installed and functioning Configuration Manager 2012
R2 site server (Primary1 is the site server virtual machine image). This
lab also requires at least one Configuration Manager 2012 R2 client
(Client1 is the client computer in addition to the site server virtual
machine being installed as a client).
Estimated Time to Complete This Lab: 75 Minutes
Computers used in this Lab: Primary1, Client1
The password for the administrator account on all computers in this lab
is: password.
1 ENABLING ENDPOINT PROTECTION IN CONFIGURATION MANAGER 2012 R2
In this exercise, you will configure Configuration Manager 2012 R2 to support System Center 2012 R2
Endpoint Protection. This feature is included in Configuration Manager 2012 R2 and provides security in
addition to the normal software update management feature within Configuration Manager, providing
enhanced security for the environment for monitoring and managing virus and malware protection
features. You will begin by configuring the location for clients to download Endpoint Protection definition
updates to use a network location instead of WSUS or Microsoft Update.
Tasks Detailed steps
Complete the following task on: Primary1
1. Start the Configuration Manager 2012 R2 console
1. On the Start menu, click Configuration Manager Console.
NOTE: The System Center 2012 R2 Configuration Manager console window
appears displaying the Assets and Compliance Overview page.
2. Configure the default malware policy for definition location
1. In the navigation pane, expand Endpoint Protection, and then click Antimalware Policies.
NOTE: The list of antimalware policies appears in the results pane. Notice that the only policy is "Default Client Malware Policy", which by default applies to all
clients. In the lab environment, you will configure the location for the client to
acquire malware definitions to use a UNC path, as no Internet access is available in the lab environment, and no definitions have been imported into
WSUS. This is necessary to provide a location for definitions for the site server after the Endpoint Protection point site system role is enabled later in this
exercise, which installs the Endpoint Protection client agent on the site system.
2. In the results pane, click Default Client Malware Policy, and then on the Ribbon, click Properties.
NOTE: The Default Antimalware Policy dialog box appears displaying the available default client malware settings.
3. In the navigation pane, click Definition updates.
NOTE: The Default Antimalware Policy dialog box displays the configurable settings for antimalware definition updates in the
results pane.
4. After Set sources and order for Endpoint Protection definition updates, click Set Source.
NOTE: The Configure Definition Update Sources dialog box appears
allowing you to configure the location(s) that clients can use to download
Endpoint Protection definition updates. Notice that by default, the client will first check for definitions from Configuration Manager, then WSUS, then
Microsoft Update, and finally the Microsoft Malware Protection Center for updated definitions. Notice also that access to definitions from a network path
is not enabled. You can change the order of preference for definition download
location by selecting the location, and clicking Up or Down as appropriate.
5. Click to clear Updates distributed from WSUS, Updates distributed from Microsoft Update, and Updates distributed from
Microsoft Malware Protection Center as the lab environment does not have access to the Internet, and update definitions have not been imported into the WSUS installation in the lab environment.
NOTE: It is OK to leave the selection for downloading definitions from
Configuration Manager. This will be useful for the client to get definition
updates from a Configuration Manager distribution point when you have it integrated with the software updates feature of Configuration Manager.
6. Click to select Updates from UNC file shares, and then click OK.
NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for
Endpoint Protection definition updates" setting now displays "2 sources selected". You now need to specify the UNC path to access update definitions
from. Notice also that the default is that there is no UNC location specified.
7. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths.
NOTE: The Configure Definition Update UNC Paths dialog box appears allowing you to configure the UNC location(s) that clients can use to download
Endpoint Protection definition updates. Notice that by default, no locations are specified.
8. In the UNC path box, type \\Primary1\EPOld and then click Add.
NOTE: The Configure Definition Update UNC Paths dialog box appears
displaying the UNC path for definition download. You can add multiple paths as necessary, however in the lab environment, we only need one path.
9. Click OK.
NOTE: The Default Antimalware Policy dialog box appears displaying the available definition update settings. Notice that the "Set sources and order for
Endpoint Protection definition updates" setting now displays "2 sources selected", and that a UNC path is now specified.
10. Click OK.
NOTE: The list of malware policies appears in the results pane. As you modified
the "Default Client Malware Policy", that is the only policy that appears. This will be used by all clients, unless overridden by a custom policy, which you will
create later in this lab.
In the following procedure, you will enable the Endpoint Protection point site system role. You will then
view log files and status messages related to the deployment of the Endpoint Protection point site system role to verify its installation. You will also view the Endpoint Protection status on the site system role
using the System Center 2012 R2 Endpoint Protection client.
Tasks Detailed steps
Complete the following task on: Primary1
1. Configure an Endpoint Protection point site system role
1. Click the Administration workspace.
Note: The System Center 2012 R2 Configuration Manager console displays the Administration workspace Overview page.
2. In the navigation pane, expand Site Configuration, and then click Sites.
Note: The list of sites appears in the results pane. Notice that there is only one site available, that being the local site (MCM).
3. In the navigation pane, click Servers and Site System Roles.
Note: The list of site systems appears in the results pane, with the installed
roles for the selected site system displayed in the preview pane. Notice that the site only has one site system (Primary1), and that this site system does not
have the "Endpoint Protection point" site system role installed. The Endpoint Protection point site system role does not really do anything, so it is fine to
have it co-located on the site server. We'll use a single server to host all roles to reduce the number of images that need to be started at one time.
4. On the Home tab of the Ribbon, click Add Site System Roles.
Note: The Add Site System Roles Wizard General dialog box appears.
Notice that the FQDN of the site server is displayed. This information was collected during Configuration Manager Setup as part of the prerequisite check
for the site server.
5. Click Next to accept the default configuration of the account to use, to not require site server initiated connections, and to not publish an Internet FQDN.
Note: The Add Site System Roles Wizard Proxy dialog box appears
allowing you to configure a proxy if the site system role requires one to access
the Internet. In your production environment, you may need to configure a proxy server and account to access the Internet. However in our lab
environment, this is not necessary.
6. Click Next to not configure proxy settings.
Note: The Add Site System Roles Wizard System Role Selection dialog
box appears displaying the list of site system roles that can be assigned to this computer. Notice that "Endpoint Protection point" appears as an available site
system role for this site system.
7. Under Available roles, click to select Endpoint Protection point.
Note: A Configuration Manager message box appears indicating that Endpoint Protection is configured to use Configuration Manager's software
update management feature to access definition files from. It also states that if the configuration of using Configuration Manager as a definition source is
enabled, you should configure a software update point.
8. Click OK, and then click Next.
NOTE: The Add Site System Roles Wizard Endpoint Protection dialog
box appears displaying the license terms for Endpoint Protection. System
Center 2012 Endpoint Protection has specific licensing requirements in addition to the standard System Center 2012 Configuration Manager license
requirements. You are only allowed to enable Endpoint protection in environments where the Endpoint Protection license has been acquired.
9. Click to select I accept the Endpoint Protection license terms, and then click Next.
NOTE: The Add Site System Roles Wizard Microsoft Active Protection Service dialog box appears allowing you to configure the options for Microsoft
Active Protection Service. If enabled, Microsoft Active Protection Service will
collect, and send to Microsoft, information about installed applications, which may then be used to help create definitions for application software. As you are
in a virtual environment, without Internet access, there is no need to enable this feature. Notice that if desired, you can choose either a basic or advanced
membership in Microsoft Active Protection Service. In a production
environment, it is recommended to join the Microsoft Active Protection Service.
10. Click Next to accept the default to join MAPS with a basic membership.
Note: The Add Site System Roles Wizard Summary dialog box appears
indicating that you have successfully completed the wizard and are ready to install this site system role.
11. Click Next.
Note: The Add Site System Roles Wizard Completion dialog box appears indicating that the wizard completed successfully.
12. Click Close.
Note: The System Center 2012 R2 Configuration Manager console window
appears displaying the site systems and installed roles for the site. Notice that you did not create a new site system for this role and still only have the site
server as a site system in the site. It will take a moment for the "Endpoint Protection point" site system role to be installed, though it is displayed in the
list of site system roles immediately. You may need to refresh the list of site
system roles on the site system to view the “Endpoint Protection point” site system role.
2. View the Endpoint Protection point installation log file
1. Open C:\Program Files\Microsoft Configuration Manager\Logs\EPSetup.log.
NOTE: Notepad appears displaying the contents of the Configuration Manager
Endpoint Protection point site system role installation log. Notice that the log
indicates that the required OS version was detected, and that the installation was successful.
2. Close Notepad.
Note: The System Center 2012 R2 Configuration Manager console window appears displaying the Administration workspace and the list of site systems
and installed roles.
3. View the Endpoint Protection point status messages
1. Click the Monitoring workspace.
Note: The Monitoring workspace appears displaying the Overview page.
2. In the navigation pane, expand System Status, and then click Site Status.
NOTE: The list of Configuration Manager 2012 site systems and their installed
roles appears in the results pane. Notice that the “Endpoint Protection point”
appears in the list with a status of OK.
3. In the navigation pane, click Component Status.
NOTE: The list of Configuration Manager 2012 components and their current
status appears in the results pane.
4. In the results pane, click SMS_ENDPOINT_PROTECTION_MANAGER, and then on the Ribbon, click Show Messages.
NOTE: A new menu appears allowing you to specify the type of messages to
display.
5. Click All.
NOTE: The Status Messages: Set Viewing Period dialog box appears
prompting for the age of status messages to display.
6. Click OK to view messages for the past 24 hours.
NOTE: The Configuration Manager Status Message Viewer for <MCM> window appears displaying the status messages for the
SMS_ENDPOINT_PROTECTION_MANAGER component for the most recent 24 hours. Notice a message with an ID of 500. This message indicates that the
component was started.
7. Close the Configuration Manager Status Message Viewer for <MCM> window.
NOTE: The list of Configuration Manager 2012 R2 components and their current status appears in the results pane.
4. View the Endpoint Protection status using the Microsoft Forefront Endpoint Protection client
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears. Notice that
the status is "Computer status - At risk", which indicates that the computer is
not fully protected at this point. Notice also that "Real time protection" is currently listed as "Disabled", that "Virus and spyware definitions" has a status
of "Out of date", and that no scan schedule has been defined. You will resolve all of these issues with Configuration Manager 2012 and its integration with
Endpoint Protection.
2. Close the System Center Endpoint Protection window.
NOTE: The System Center 2012 R2 Configuration Manager console window
appears displaying the components and their current status in the Monitoring
workspace.
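The two checks above (EPSetup.log and the SMS_ENDPOINT_PROTECTION_MANAGER status messages) can also be done from a PowerShell prompt on Primary1. The following is an added example, not part of the lab or of Configuration Manager itself: it parses the CMTrace log format that Configuration Manager writes (the `<![LOG[...]LOG]!>` line layout) and lists warning and error entries so a failed site system role installation is visible without opening Notepad. The function name and the severity mapping are this example's own.

```powershell
# Added example (not from the lab): read a Configuration Manager CMTrace-format log and
# return one object per entry, optionally filtered to warnings (type 2) and errors (type 3).
function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $ProblemsOnly    # return only Warning and Error entries
    )
    # CMTrace entries look like:
    # <![LOG[message]LOG]!><time="HH:MM:SS.mmm+offset" date="MM-DD-YYYY" component="..." context="" type="1" thread="..." file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) {
            $entry = [pscustomobject]@{
                Date      = $Matches['date']
                Time      = ($Matches['time'] -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches['comp']
                Severity  = $severity[$Matches['type']]
                Message   = $Matches['msg']
            }
            if (-not $ProblemsOnly -or $entry.Severity -ne 'Info') { $entry }
        }
    }
}

# Usage on the site server, using the log path from the lab. A clean install shows only
# Info entries; any Error entry here is the first thing to look at before enabling the client.
$log = 'C:\Program Files\Microsoft Configuration Manager\Logs\EPSetup.log'
Get-CMTraceEntry -Path $log | Format-Table Time, Severity, Message -AutoSize
Get-CMTraceEntry -Path $log -ProblemsOnly
```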
In the following procedure, you will enable the Endpoint Protection client, which will allow scanning for
malware and viruses on client computers. The Endpoint Protection client agent is disabled by default, and can only be enabled after the "Endpoint Protection point site system role" has been installed.
Tasks Detailed steps
Complete the following task on: Primary1
1. Enable the Endpoint Protection client
1. Click the Administration workspace.
NOTE: The Administration workspace appears displaying the list of site
systems in the results pane, and the appropriate site system roles for the site
system in the preview pane. Notice that the "Endpoint Protection point" site system role is listed as a role on the only site system in our site - "Primary1".
2. In the navigation pane, click Client Settings.
NOTE: The list of client settings appears in the results pane. Notice that the only client setting is "Default Client Settings", which by default applies to all
clients. In the lab environment, you will enable the Endpoint Protection client agent in the default client settings to allow scanning and data collection from all clients.
However, in your production environment, you could create a custom client
setting for devices, enable Endpoint Protection, and then assign the custom client setting to a collection of systems if the agent is not to be installed on all
clients managed by Configuration Manager, or you want to perform additional testing in production on a limited set of clients before enabling for all clients.
3. In the results pane, click Default Client Settings, and then on the Ribbon, click Properties.
NOTE: The Default Settings dialog box appears displaying the available
client settings.
4. In the navigation pane, click Endpoint Protection.
NOTE: The configurable settings for Endpoint Protection appear in the results
pane. Notice that by default, the Endpoint Protection client is not installed on clients.
5. In the Manage Endpoint Protection client on client computers box, click Yes.
NOTE: Additional settings for Endpoint Protection become available for configuration once managing the Endpoint Protection client has been enabled.
For the lab environment, you would also need to configure the last setting to
allow download of the initial definition from the UNC path. Notice that the "Install Endpoint Protection client on client computers" is enabled. This will
install the Endpoint Protection client agent on clients after the next system policy retrieval and evaluation cycle.
6. In the Disable alternate sources (such as Microsoft Windows Update, Microsoft Windows Server Update Services, or UNC shares) for the initial definition updates on client computers box, click No, and then click OK.
NOTE: The list of client settings appears in the results pane. As you modified
the "Default Client Settings", that is the only setting that appears. This setting, which will enable and configure the Endpoint Protection client, will be
implemented on clients at their next system policy retrieval and evaluation cycle.
In the following exercise, you will force the clients to retrieve policies. This will cause the clients to install
the Endpoint Protection client agent. For this policy retrieval process, you will use the traditional method of forcing policy retrieval from the client itself. Configuration Manager 2012 R2 includes the ability to
force policy retrieval from the Configuration Manager Console through real-time actions. You will use that method later in this lab.
Tasks Detailed steps
Complete the following task on: Client1 and Primary1
1. Install the Endpoint Protection Client Agent
1. In Control Panel, click System and Security, and then start Configuration Manager.
NOTE: The Configuration Manager Properties dialog box appears.
2. Click the Actions tab.
NOTE: The Configuration Manager Properties dialog box displays the available actions for the client. After Endpoint Protection has been enabled as
part of the Default Client Settings, or a custom client setting, you need to
retrieve policies to install Endpoint Protection on clients.
3. Click Machine Policy Retrieval & Evaluation Cycle, and then click Run Now.
NOTE: The Configuration Manager client will request new policies, which will
include the policy related to the Endpoint Protection agent installation. A Machine Policy Retrieval & Evaluation Cycle message box appears
indicating the action was initiated, and may take several minutes to complete.
4. Click OK.
NOTE: The Configuration Manager Properties dialog box appears. It will
take a couple of minutes to install Endpoint Protection agent.
5. Click OK.
NOTE: The System Center 2012 R2 Endpoint Protection agent is installed on the client computer. It will take a moment for the agent to install. The installation
occurs locally, as the Endpoint Protection client agent installation program was previously downloaded to the computer during the installation of the
Configuration Manager client.
2. Verify the current status of the Microsoft Forefront Endpoint Protection client
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears displaying the
current status of the Endpoint Protection client, which is "Protected". Notice that "Real-time protection" is now set to "On" - recall previously when you viewed
this on the site server it was set to "Off". Also notice that the "Virus and spyware
definitions" status is listed as being old (created x number of days ago). Finally notice that under "Scan details", it indicates that the schedule for quick scans is
weekly, on Saturday, around 2:00pm, and that no scan has been performed yet. You will set a unique schedule in the next exercise to validate that a custom
policy overrides the default policy, as well as initiate a scan using a newer definition. If your client is not protected yet, you will perform an additional
update in the next exercise that will implement a new policy on the client
computer that will complete the installation of a newer definition policy and protect the client.
2. Close the System Center Endpoint Protection window.
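The control panel action you just ran ("Machine Policy Retrieval & Evaluation Cycle", Run Now) calls the client's SMS_Client WMI class; the console's Client Notification action used later in this lab triggers the same cycle from the server side. The following is an added example, not part of the lab: it requests the cycle on both lab computers over WMI and then waits for the Endpoint Protection client's antimalware service to be running. It assumes WMI and service access to Client1 and Primary1 as the lab administrator account; the function names are this example's own.

```powershell
# Added example (not from the lab). Schedule ID of "Machine Policy Retrieval & Evaluation
# Cycle" as exposed by the Configuration Manager client's SMS_Client.TriggerSchedule method.
$MachinePolicyRetrieval = '{00000000-0000-0000-0000-000000000021}'

function Start-CMMachinePolicyCycle {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        # Same WMI call the Configuration Manager control panel applet makes for "Run Now".
        Invoke-WmiMethod -ComputerName $c -Namespace 'root\ccm' -Class 'SMS_Client' `
            -Name 'TriggerSchedule' -ArgumentList $MachinePolicyRetrieval | Out-Null
        Write-Verbose "Machine policy retrieval requested on $c" -Verbose
    }
}

function Wait-EndpointProtectionClient {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $TimeoutMinutes = 10
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # MsMpSvc (Microsoft Antimalware Service) is installed with the Endpoint Protection client;
        # it is absent until the client agent has been installed by the new policy.
        $svc = Get-Service -ComputerName $ComputerName -Name 'MsMpSvc' -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            return [pscustomobject]@{ Computer = $ComputerName; AgentRunning = $true }
        }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    [pscustomobject]@{ Computer = $ComputerName; AgentRunning = $false }
}

# The two lab computers that are Configuration Manager clients.
$clients = 'Client1', 'Primary1'
Start-CMMachinePolicyCycle -ComputerName $clients
$clients | ForEach-Object { Wait-EndpointProtectionClient -ComputerName $_ } | Format-Table -AutoSize
```

A computer that still reports AgentRunning as False after the timeout has either not received the updated Default Client Settings or could not reach the UNC definition source; check the client's policy cycle first, as the lab note above describes.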
2 UPDATING THE ENDPOINT PROTECTION STATUS ON THE CONFIGURATION MANAGER 2012 R2 CLIENT
In this exercise, you will implement a custom antimalware policy to point to a newer definition update
than the client was installed with. You will force a download of the newer definition file, and then will
force a scan of the client to get current status from the client computer – both of these actions through
the real-time actions feature of Configuration Manager 2012 R2.
Tasks Detailed steps
Complete the following task on: Primary1
1. Create a custom malware policy with a different definition download location
1. Click the Assets and Compliance workspace.
NOTE: The Assets and Compliance workspace appears, and the list of antimalware policies appears in the results pane. Notice that the only policy is
"Default Client Malware Policy", which applies to all clients, unless overridden
by a custom client antimalware policy. In the previous exercise, you configured the "Default Client Malware Policy" to specify a specific network location to
download the initial malware definition from. You will now create a custom malware policy that specifies a different location from which to download an
updated malware definition policy.
2. On the Ribbon, click Create Antimalware Policy.
NOTE: The Create Antimalware Policy dialog box appears allowing you to configure a custom policy.
3. In the Name box, type Custom policy and then in the Description box, type Sets a new definition source location and scan schedule
4. In the list of settings in the results pane, click to select Scheduled scans and then click to select Definition updates.
NOTE: The selected nodes appear in the navigation pane.
5. In the navigation pane, click Scheduled scans.
NOTE: The Create Antimalware Policy dialog box appears allowing you to
configure the scan schedule settings.
6. In the Scan day box, click Daily.
7. In the Scan time box, click 12 AM.
NOTE: Neither of these settings is required for the lab environment. You are configuring them to allow additional settings for visual confirmation of the
implementation of the custom policy.
8. In the navigation pane, click Definition updates.
NOTE: The Create Antimalware Policy dialog box displays the current client
update settings. Notice that the current settings are from the "Default Client Malware Settings" policy as previously configured, including the definition
download from UNC path(s). You want to continue to use UNC locations,
however want to specify a different path to use for updated definition files.
9. After If UNC file shares are selected as a definition update source, specify the UNC paths, click Set Paths.
NOTE: The Configure Definition Update UNC Paths dialog box appears
allowing you to configure the UNC location(s) that clients can use to download
Endpoint Protection definition updates. Notice that currently, the
"\\Primary1\EPOld" path is specified. This is where the old definition was stored. The newer definition file is in a different location.
10. In the UNC path box, type \\Primary1\EPNew and then click Add.
NOTE: The Configure Definition Update UNC Paths dialog box appears displaying both UNC paths for definition download. The client will check both
paths, however in the lab environment, you will remove the old path and only have the client check the new path.
11. Under Name, click \\Primary1\EPOld, and then click Remove.
NOTE: The Configure Definition Update UNC Paths dialog box appears
displaying the new UNC paths for definition download.
12. Click OK.
NOTE: The Create Antimalware Policy dialog box appears displaying the
available policy settings.
13. Click OK.
NOTE: The list of antimalware policies appears in the results pane. You have
now created a custom policy that appears in addition to the default policy.
Custom policies are implemented on clients after being deployed to collections of client computers, which you will do next.
14. In the results pane, click Custom policy, and then on the Ribbon, click Deploy.
NOTE: The Select Collection dialog box appears displaying the available device collections that the custom policy can be assigned to.
15. Under Name, click Configuration Manager Clients, and then click OK.
NOTE: The list of antimalware policies appears in the results pane. Notice that the custom policy is displayed as having been deployed to one collection. Your
custom policy will now be implemented on the clients in the target collection
when they next implement system policies. You will force that to occur in the next procedure.
In the following procedure, you will force the clients to retrieve policies using the new real-time action.
This will cause the clients to implement the custom malware policy settings for Endpoint Protection. If
you prefer, you certainly can use the traditional method of forcing policy polling, however the lab
directions are for the new real-time action.
Tasks Detailed steps
Complete the following task on: Primary1
1. Update the Endpoint Protection client settings through real-time actions
1. In the navigation pane, click Device Collections.
NOTE: The list of collections for the site appears in the results pane. Notice that there are six collections available, including the one you just deployed the
custom antimalware policy to.
2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Client Notification.
NOTE: A new menu appears with two options – “Download Computer Policy”
and “Download User Policy”. The first action will force a “Machine Policy
Retrieval & Evaluation Cycle” to occur on all online clients in the target collection. This is essentially the same process you implemented earlier at the
two clients to force the installation of the System Center 2012 R2 Endpoint Protection client agent.
3. Click Download Computer Policy.
NOTE: A Configuration Manager message box appears indicating that there are three clients in the target collection, and that the update computer policy
action will be implemented as soon as possible.
4. Click OK.
NOTE: The action has been implemented, and within moments the clients will have downloaded the new computer policy that dictates a new scan schedule
and definition source update. You will view the updated configuration in the next task.
2. View the updated Endpoint Protection client configuration
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client. Notice that under "Scan details",
it indicates that the scan schedule is now for daily quick scans, around midnight. You will recall that after agent installation, it was a weekly scan around 2:00am.
This process has not initiated a definition update cycle which occurs
automatically every eight hours. You will force it to occur in the next procedure. If your scan schedule has not changed to daily at midnight, it likely means that
you downloaded policies prior to the site server having completed the policy process. Initiate another policy retrieval action, wait a moment, and check again.
2. Close the System Center Endpoint Protection window.
In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to
initiate a definition download process on the clients now that they have the updated malware policy that
points to a newer definition file. This is also a real-time action in Configuration Manager 2012 R2.
Tasks Detailed steps
Complete the following task on: Primary1
1. Force definition update downloads from the Configuration Manager console
1. Click the Assets and Compliance workspace.
NOTE: The Assets and Compliance workspace appears displaying the
antimalware policies in the site.
2. In the navigation pane, click Device Collections.
NOTE: The list of collections appears in the results pane. Notice that there are
six collections of devices. Four of these collections are built-in collections, with two custom collections. You will likely create custom collections in your
environments for managing clients.
3. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection.
NOTE: A new menu appears. Notice that from the console you can initiate a
full or quick scan, as well as force a definition download.
4. Click Download Definition.
NOTE: A Download Definition message box appears indicating that this
action will evaluate software update deployments, or an Endpoint Protection definition update. It also allows you to specify the definition update action
(software updates or Endpoint Protection) and to set the randomization value.
5. Under Definition update source, click Endpoint Protection client source order.
6. In the Randomize client execution time (in minutes) box, set the value to 0 to force the action now, and then click OK.
NOTE: The action is now delivered to the client. Within moments the clients
should download new definition files. In a production environment, you likely do want to have a randomization value to spread the load of the action on the
target clients. In the lab, given that there are only two clients available, you
specified an immediate action with no randomization.
In the following procedure, you will force the clients to retrieve policies. This will cause the clients to
download the updated Endpoint Protection definition, using the new UNC path designated in the custom
malware policy.
Tasks Detailed steps
Complete the following task on: Client1 and Primary1
1. View the updated Endpoint Protection client status
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears displaying the
current status of the Endpoint Protection client, which now should be
"Potentially unprotected". The reason for being “Potentially unprotected” is that the definitions are out of date. If your definition date and version have not
changed to daily at midnight, it likely means that you downloaded policies prior to the site server having completed the policy process. Initiate another policy
retrieval action, wait a moment, and check again.
2. Click the Update tab.
NOTE: The System Center Endpoint Protection window displays the definition
status, including definition versions, and dates when last created and checked.
Notice that the “Definitions last updated” date and time are very recent. Unfortunately, without Internet access it is impossible to keep the
definitions up to date for these virtual images, so it is expected, in this lab environment, that the definitions will be out of date.
3. Close the System Center Endpoint Protection window.
In the following procedure, you will use the System Center 2012 R2 Configuration Manager console to
initiate a quick scan process on the clients now that they have downloaded an updated definition file. The Endpoint Protection scans (both Quick and Full) are also real-time actions in Configuration Manager 2012
R2.
Tasks Detailed steps
Complete the following task on: Primary1
1. Force a quick scan from the Configuration Manager console
1. Click the Assets and Compliance workspace.
NOTE: The Assets and Compliance workspace appears displaying the available device collections.
2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Endpoint Protection.
NOTE: A new menu appears. Notice that from the console you can initiate a full or quick scan, as well as force a definition download.
3. Click Quick Scan.
NOTE: A Configuration Manager message box appears indicating that this
action will impact all managed clients in the target collection, and could result in client and network performance impact. This could be the case with
collections that contain a large number of clients performing actions, such as scanning for compliance and sending state messages to the site, at the same
time.
4. Click OK.
NOTE: The System Center 2012 R2 Configuration Manager console appears
displaying the device collections. In the RTM release of Configuration Manager
2012, clients would need to retrieve policies in order to process the request to perform a quick scan. In Configuration Manager 2012 SP1 and R2, this is a
real-time action, so no further actions are necessary to complete the quick scan process.
In the following procedure, you will verify that the clients are running a quick scan as initiated through
the real-time actions of Configuration Manager 2012 R2.
Tasks Detailed steps
Complete the following task on: Client1 and Primary1
1. View the updated Endpoint Protection client status
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears displaying the
current status of the Endpoint Protection client, which should be "Potentially
unprotected". It is very likely that the client is running a quick scan process at the current time, and you will notice the scan occurring on the Home tab of the
System Center Endpoint Protection window.
When the scan process has completed, you will see under "Scan details" that the
"Last scan" shows "Today" and the current time. The site server scan process
will take significantly longer to run than the remote client computer does due to
the installed software and services on each computer (the site server computer
image having a lot more software installed).
2. Close the System Center Endpoint Protection window.
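The "Download Definition" and "Quick Scan" actions you just issued from the console can be confirmed, and reproduced locally, on the client itself. The script below is an added example, not part of this lab or of the product documentation. It assumes the System Center 2012 Endpoint Protection client is installed in its default path (%ProgramFiles%\Microsoft Security Client) and exposes its health through the root\Microsoft\SecurityClient WMI namespace; the property names read from the AntimalwareHealthStatus class should be checked against your build with Get-WmiObject -Namespace root\Microsoft\SecurityClient -List. The seven-day threshold is the one this lab describes for the "Potentially unprotected" state.

```powershell
# Added example (not from the lab): confirm on Client1 or Primary1 that the
# "Download Definition" and "Quick Scan" real-time actions took effect, and
# show their local command-line equivalents.
# Assumptions: SCEP 2012 client in its default path; health exposed through the
# root\Microsoft\SecurityClient namespace (verify property names on your build).

$MpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
$EpLog    = Join-Path $env:windir 'CCM\Logs\EndpointProtectionAgent.log'

function ConvertFrom-WmiDate {
    # WMI timestamps are DMTF strings (yyyymmddHHMMSS.ffffff+zzz); convert to [datetime].
    param([string]$Dmtf)
    if ([string]::IsNullOrEmpty($Dmtf)) { return $null }
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($Dmtf)
}

function Get-ScepHealth {
    $h = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus
    New-Object PSObject -Property @{
        SignatureVersion = $h.AntivirusSignatureVersion
        SignatureUpdated = ConvertFrom-WmiDate $h.AntivirusSignatureUpdateDateTime
        LastQuickScanEnd = ConvertFrom-WmiDate $h.LastQuickScanDateTimeEnd
        ProductStatus    = $h.ProductStatus
    }
}

function Test-DefinitionsCurrent {
    # The client reports "Potentially unprotected" once definitions are older than seven days.
    param([datetime]$Updated, [int]$MaxAgeDays = 7)
    return ((Get-Date) - $Updated).TotalDays -le $MaxAgeDays
}

$before = Get-ScepHealth
"Before: version $($before.SignatureVersion), updated $($before.SignatureUpdated)"

# Local equivalent of the console's "Download Definition" action. The client uses the
# definition update source order from its antimalware policy (the lab's UNC share).
& $MpCmdRun -SignatureUpdate | Out-Null

# Local equivalent of the console's "Quick Scan" action (ScanType 1 = quick, 2 = full).
& $MpCmdRun -Scan -ScanType 1 | Out-Null

$after = Get-ScepHealth
"After:  version $($after.SignatureVersion), updated $($after.SignatureUpdated)"
"Last quick scan finished: $($after.LastQuickScanEnd)"
if ($after.SignatureUpdated -and -not (Test-DefinitionsCurrent $after.SignatureUpdated)) {
    Write-Warning 'Definitions are older than seven days; the client will report "Potentially unprotected".'
}

# The client-side agent log records policy-driven definition downloads and scan requests.
Get-Content $EpLog | Select-Object -Last 25 | Where-Object { $_ -match 'Definition|Scan' }
```

In the lab the "After" version will still be old, because the UNC share only holds whatever definitions were placed there when the images were built; the point of the before/after comparison is to see that the update was attempted and logged, which is the same evidence you would collect when a production client fails to pick up a console-initiated download.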
3 PROTECTING AGAINST MALWARE INFECTIONS
In this exercise, you will configure the site to generate alerts on malware and virus breakouts, including
email delivery for malware outbreaks, and then you will generate a malware infection, and clean it with
Endpoint Protection.
Tasks Detailed steps
Complete the following task on: Primary1
1. View the site properties to generate alerts for malware breakouts
1. In the System Center 2012 R2 Configuration Manager console, click the Administration workspace.
Note: The Administration workspace appears displaying the Default Client
Settings.
2. In the navigation pane, expand Site Configuration, and then click Sites.
NOTE: The list of available sites appears in the results pane. Notice that
there is only one site available, that being the local site "MCM".
3. On the Ribbon, click Settings, and then click Configure Site Components.
NOTE: A new menu appears with components that can be configured. Notice that there is a component for "Email Notification".
4. Click Email Notification.
NOTE: The Email Notification Component Properties dialog box appears allowing you to configure email settings for alert generation. If your
environment has an SMTP email server available, you can configure subscriptions to alerts to receive email messages using the properties
configured here. Notice that you can configure the FQDN of the SMTP server,
the port to use, the authentication method, and the sending email address. You then would enable email notifications on the alerts of interest, which you
will look at later in this exercise.
This lab environment does not have an email server configured; however, you
will configure the email settings to experience how to configure them in your
own environments.
5. Click to select Enable email notification for alerts.
6. In the FQDN or IP Address of the SMTP server to send email alerts box, type primary1.configmgrdom.local
7. In the Sender address for email alerts box, type [email protected] and then click OK.
NOTE: The local site appears in the results pane. In your production
environment, you would configure values appropriate to your own SMTP server implementation.
2. Configure collections to generate alerts
1. Click the Assets and Compliance workspace.
Note: The Assets and Compliance workspace appears displaying the available collections in the results pane.
2. In the results pane, click Configuration Manager Clients, and then on the Ribbon, click Properties.
Note: The Configuration Manager Properties dialog box appears
displaying the general properties of the collection. Notice that there are
numerous tabs available to configure collection properties, including one for alert generation.
3. Click the Alerts tab.
Note: The Configuration Manager Clients Properties dialog box appears displaying the alert properties of the collection. Notice that by
default, there are no alerts configured for this collection.
4. Click View this collection in the Endpoint Protection dashboard, and then click Add.
Note: The Add New Collection Alerts dialog box appears allowing you to
configure alerts for client status as well as Endpoint Protection. Notice that
for Endpoint Protection, there are four conditions that can be configured to generate alerts. In your production environment, you may want to enable all
alert conditions. However, in the lab environment, you will only enable the first condition, which is to generate an alert for any malware detection.
5. Under Endpoint Protection, click to select Malware is detected, and then click OK.
Note: The Configuration Manager Client Properties dialog box appears
allowing you to configure the specific conditions for this alert. Notice that the collection name is displayed as part of the “Alert Name”, and that you can
configure the alert severity and the malware detection threshold.
6. Click OK to use the default values for the alert creation.
Note: The list of collections appears in the results pane. You have now
configured a collection to generate an alert when any malware is detected on a client. You also viewed how to enable email generation for alerts, although you
did not enable it, as there is no SMTP email server in the lab environment.
In the next procedure, you will configure an alert subscription to generate an email when an antimalware alert is generated.
3. Configure alert subscriptions
1. Click the Monitoring workspace.
Note: The Monitoring workspace appears displaying the Component Status
page. Notice that there is a node in the navigation pane for "Alerts".
2. In the navigation pane, expand Alerts, and then click All Alerts.
Note: The alerts for the environment appear in the results pane. Notice that there are five alerts configured currently (though none have been triggered),
one being the alert configured on the "Configuration Manager Clients" collection with a “Type” of “Malware detection”. The other four default alerts
are for database replication issues, as well as database drive space issues,
and Windows 8 sideloading activations.
3. In the navigation pane, click Subscriptions.
Note: The alert subscriptions for the environment appear in the results pane.
Notice that there are no alert subscriptions created currently.
4. On the Ribbon, click Create subscription.
Note: The New Subscription dialog box appears allowing you to configure
the recipients for the alerts selected for this subscription. You can add
multiple email addresses as recipients, using a semi-colon as the delimiter between addresses (with no spaces between the addresses).
5. In the Subscription name box, type Malware Outbreak
6. In the Email address box, type [email protected]
7. Under Selected alerts, click to select Generate alert when malware detected – Malware detection alert for collection: Configuration Manager Clients, and then click OK.
Note: The alert subscriptions for the environment appear in the results pane.
Notice that there is now one alert subscription available.
You have now prepared your site for malware alerts. You will now generate malware in the next procedure.
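The Email Notification component (task 1) and the alert subscription (task 3) can also be configured with the Configuration Manager PowerShell cmdlets, which is how you would keep these settings repeatable across sites. The script below is an added example and is not part of this lab; run it on Primary1 from a PowerShell session started from the console (Connect via Windows PowerShell). It assumes the lab's site code MCM, that the collection alert from task 2 already exists, and that the alert's Name property contains the words "Malware detection" as shown in the console; the sender and recipient addresses are placeholders, since the lab's addresses are not recoverable from this page.

```powershell
# Added example (not from the lab): the Email Notification component and the
# "Malware Outbreak" alert subscription configured with the ConfigMgr cmdlets.
# Assumptions: site code MCM; the collection alert from task 2 exists; the
# addresses below are placeholders for the ones typed in the console.

Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location 'MCM:'

$SmtpServer    = 'primary1.configmgrdom.local'   # value typed in task 1, step 6
$SenderAddress = 'alerts@configmgrdom.local'     # placeholder for the sender from task 1, step 7
$Recipient     = 'soc@configmgrdom.local'        # placeholder for the recipient from task 3, step 6

# Task 1: same fields as the Email Notification Component Properties dialog.
Set-CMEmailNotificationComponent -EnableEmailNotification $true `
    -SmtpServerFqdnOrIpAddress $SmtpServer -Port 25 `
    -TypeOfAuthentication Anonymous -SendFrom $SenderAddress

# Task 3: subscribe to the malware detection alert that task 2 created on the
# "Configuration Manager Clients" collection. Inspect Get-CMAlert | Select-Object Id, Name
# first if the filter below matches more than one alert.
$alert = Get-CMAlert | Where-Object { $_.Name -match 'Malware detection' }
if (-not $alert) { throw 'Malware detection alert not found; create it on the collection first (task 2).' }

New-CMAlertSubscription -Name 'Malware Outbreak' -EmailAddress $Recipient `
    -AlertId $alert.Id -LocaleId 1033

# Verify: one subscription named "Malware Outbreak" should now exist (task 3, step 7).
Get-CMAlertSubscription -Name 'Malware Outbreak'
```

Anonymous SMTP from the site server is what the lab configures; in production, prefer an authenticated relay and restrict which hosts may submit mail through it, since alert mail from the site server is exactly the notification an attacker would want to suppress.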
In the following procedure, you will attempt to access a file that will simulate a malware breakout. You
will copy these files on the client computer, and then clean the malware with Endpoint Protection on the
client.
Tasks Detailed steps
Complete the following task on: Client1
1. Generate malware on the client
1. Start Windows Explorer, and then open the C:\MalwareFiles folder.
NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are
five files in this folder. These files are not real malware; however, they contain public domain code to simulate malware for testing purposes.
2. Attempt to open Test1.txt.
NOTE: A Notepad message box appears indicating that access is denied to this
file. This is because malware is detected as a result of attempting to open the file. When the threat has been generated and detected, a System Center
Endpoint Protection message box appears indicating that attention is required, as one potential threat has been detected, and suspended. The file is
automatically cleaned, and no action is necessary.
3. Click OK, and then close Notepad.
NOTE: System Center 2012 R2 Endpoint Protection removes the threat, and the System Center Endpoint Protection dialog box is closed automatically.
When complete, the System Center Endpoint Protection dialog box appears indicating that the computer has been cleaned.
Notice that Test1.txt has been removed (quarantined) as it was detected as containing a virus.
2. View the updated Endpoint Protection client status
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears displaying the current status of the Endpoint Protection client, which displays as "Potentially
unprotected".
2. Click the History tab.
NOTE: The System Center Endpoint Protection window appears allowing you to
configure the type of items to display for the Endpoint Protection client, and to
view details. You do not see any malware status on this tab; however, you can view status by viewing the historical data for the client.
3. Click View details.
NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that it displays the one threat generated by accessing one
of the “Eicar_Test_File” files, including the "Alert level" of "Severe" as well as the "Action taken" of "Quarantined". Also notice the bottom portion of the window
displays the generated description and recommended actions (the default data
provided with the “Test1.txt” file definitions with this simulated virus).
4. Close the System Center Endpoint Protection window.
NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 real-
time actions to restore the quarantined files, and allow this threat. In the next exercise, you will report on malware status.
4 MONITORING ENDPOINT PROTECTION STATUS IN THE CONFIGURATION MANAGER CONSOLE
In this exercise, you will use the Configuration Manager console to view the alert generated and alert
status for Endpoint Protection as a result of the malware outbreak.
Tasks Detailed steps
Complete the following task on: Primary1
1. View the generated alert related to the threat outbreak
1. Click the Assets and Compliance workspace.
NOTE: The Assets and Compliance Overview page appears displaying the available device collections in the results pane.
2. In the navigation pane, click the Overview node.
NOTE: The Assets and Compliance Overview page appears. Notice that a critical alert has been generated with a "Category" of "Malware detection".
Notice also that the alert description indicates that malware has been
detected on a computer in the "Configuration Manager Clients" collection.
3. Click the Monitoring workspace.
NOTE: The Monitoring workspace appears displaying the alert subscriptions
in the results pane. Notice that there is one alert subscription available. If the lab environment had an SMTP email server, an email would have been
delivered to the email recipients configured in the alert subscription.
4. In the navigation pane, expand Alerts and click Active Alerts.
NOTE: The Monitoring workspace appears displaying the active alerts in the
site. Notice that there is one active alert. This is the same alert that appears
in the Overview page of the Assets and Compliance workspace.
5. In the results pane, click Malware detection alert for collection: Configuration Manager Clients.
NOTE: The summary information for the malware detection alert appears in
the preview pane. Notice under "Status information" is the "Occurrence Count" of "1", which indicates that the alert has only been raised one time.
6. In the preview pane, click the Machines tab.
NOTE: The list of computers that were involved in this alert appears in the
preview pane. Notice that the same computer "Client1.configmgrdom.local" is listed once for the malware threat detected.
You could modify alert properties, or close the alert manually if you desired to. You will now view the System Center 2012 R2 Endpoint Protection status
in the Monitoring workspace.
2. View Endpoint Protection status in the Configuration Manager console
1. In the navigation pane, expand Endpoint Protection Status.
NOTE: The navigation pane expands and displays two dashboards for
Endpoint Protection. The first dashboard (“System Center 2012 R2 Endpoint Protection Status”) is a client-centric view of the status of your clients in
terms of definitions, client health, and malware. The second dashboard (“Malware Detected”) is a malware-centric view to view status of all detected
malware.
2. In the navigation pane, click System Center 2012 R2 Endpoint Protection Status.
NOTE: The System Center 2012 R2 Endpoint Protection Status
appears in the results pane. Notice that there may be out-of-date information on
the protection status and malware remediation, depending on the client state message delivery and processing schedules.
3. In the Collection box, click Configuration Manager Clients.
NOTE: This option selects the collection whose summarized data the System Center 2012 R2 Endpoint Protection dashboard displays. "Configuration
Manager Clients" should appear by default, assuming that it is the only collection configured to be displayed in the dashboard. If no collection
appears, and the drop down list is empty, click a different node, and then
click the System Center 2012 R2 Endpoint Protection Status node.
4. On the Home tab of the Ribbon, click Run Summarization.
NOTE: The current status for Endpoint Protection is updated using the most
recently processed state messages from the client computers in the site. You will need to refresh the Endpoint Protection Status page to view the updated
data that was just summarized.
The System Center 2012 R2 Endpoint Protection Status dashboard displays the following information in two categories - "Security
State" and "Operational State". For "Security State":
Endpoint Protection Client Status - a quick summary of the status of
clients - clients protected by Endpoint Protection, clients at risk,
clients where the Endpoint Protection agent is not installed, clients on non-supported platforms, inactive Configuration Manager clients, and
computers without the Configuration Manager client installed. In the
lab environment, the status will likely be “at risk” due to out-of-date definition files for two of the clients (you don’t have the third client in
the collection).
Malware remediation status - status of malware remediation failures,
clients that require a full scan, clients where a reboot is required,
clients where an offline scan is required, clients with settings
modified by malware, and clients with malware remediation in the past 24 hours. In the lab environment, you should
have one client with malware remediation in the last 24 hours.
Top 5 malware by number of computers - this displays the top five
malware detected in the past 24 hours, sorted by the number of
clients affected. In the lab environment, your display should show the one virus generated by accessing the “Eicar_Test_File” file, and
have one computer affected by that outbreak.
Also notice that the "Operational State" status is:
Operational status of clients - this view displays the status of clients
that failed the installation of the Endpoint Protection agent, the
number of clients that had issues applying the antimalware policy, the number of clients that need a reboot to complete agent
installation, and the number of unhealthy clients. In the lab
environment, you should have no issues.
Definition Status on Computers - this view displays the status of the
current definition file on individual clients, whether current, up to
three days old, up to a week old, or older than a week, as well as
any clients with no definitions installed. In the lab environment, you
may have two clients with the signatures older than seven days
(depending on the last time the lab environment was updated with new signature files) and one with no status as it is not an active
client in the site as the virtual machine is not running. Having definitions older than seven days results in the client reporting that it
is in a state of “Potentially unprotected” – as you have noticed.
Note that the System Center 2012 R2 Endpoint Protection Status dashboard
is updated automatically every 20 minutes by default, though it can be updated
on demand (as you did earlier in this task).
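The "Definition Status on Computers" categories above are what drive the "Potentially unprotected" state you have been seeing on the clients, so it is worth being able to reproduce them outside the dashboard. The script below is an added example and not part of this lab: it expresses the categories as a function, runs it over a constructed sample that mirrors the lab (two clients with stale definitions, one inactive client with no status), and then over the site's Endpoint Protection inventory. The page does not state where "current" ends, so the one-day boundary is an assumption; the site WMI class and property names are those used by the Endpoint Protection reports and should be confirmed with Get-WmiObject -Namespace root\SMS\site_MCM -List before you rely on the live query.

```powershell
# Added example (not from the lab): the dashboard's definition-age categories as a
# function, applied to constructed sample data and then to the site's EP inventory.
# Assumptions: "Current" means one day or less (boundary not stated on the page);
# SMS_G_System_AntimalwareHealthStatus and AntivirusSignatureAge are the site
# inventory class/property used by the EP reports (verify on your site).

function Get-DefinitionStatus {
    param($SignatureAgeDays)   # $null means the client reported no definitions at all
    if ($null -eq $SignatureAgeDays) { return 'No definitions' }
    if ($SignatureAgeDays -le 1)     { return 'Current' }                 # assumed boundary
    if ($SignatureAgeDays -le 3)     { return 'Up to 3 days old' }
    if ($SignatureAgeDays -le 7)     { return 'Up to a week old' }
    return 'Older than a week (Potentially unprotected)'                  # threshold from the lab text
}

# Constructed sample mirroring the lab: two active clients with stale definitions,
# one client whose virtual machine is not running and therefore has no status.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Client1';  SignatureAgeDays = 12 }),
    (New-Object PSObject -Property @{ Name = 'Primary1'; SignatureAgeDays = 12 }),
    (New-Object PSObject -Property @{ Name = 'Client2';  SignatureAgeDays = $null })
)
$sample |
    Select-Object Name, SignatureAgeDays,
        @{ Name = 'Status'; Expression = { Get-DefinitionStatus $_.SignatureAgeDays } } |
    Format-Table -AutoSize

# Live version, run on Primary1: the same function over site MCM's EP health inventory.
$live = Get-WmiObject -Namespace 'root\SMS\site_MCM' `
    -Class SMS_G_System_AntimalwareHealthStatus -ErrorAction SilentlyContinue
$live |
    Select-Object ResourceID, AntivirusSignatureAge,
        @{ Name = 'Status'; Expression = { Get-DefinitionStatus $_.AntivirusSignatureAge } } |
    Format-Table -AutoSize
```

The inventory-based view lags the client by the hardware inventory and state message cycle, which is the same reason the dashboard can show stale data until you run summarization; when the two disagree, the client-side status is the more recent one.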
5. Under Malware remediation status, click the blue bar in the chart after "Malware remediated in the last 24 hours".
NOTE: The Assets and Compliance workspace appears displaying a sticky
node under Devices titled "Configuration Manager Clients: Malware remediated in the past 24 hours". Notice that the results pane displays all
computers with malware detected and remediated in the past 24 hours,
which in the lab environment, should be "Client1". Notice that the results pane displays the status of Endpoint Protection on the client, with status for
"Endpoint Protection Deployment State", "Endpoint Protection Policy Application State", "Endpoint Protection Definition Last Version", "Endpoint
Protection Remediation Status", "Last Infection Time", and "Last Infected Threat".
6. In the preview pane, click the Antimalware Policies tab.
NOTE: The current status for Endpoint Protection is displayed in the preview
pane. This view provides more details than the results pane does for Endpoint Protection status, including all antimalware policies deployed to the
client.
7. In the preview pane, click the Malware Detail tab.
NOTE: The status for Endpoint Protection malware is displayed in the
preview pane. Notice that the client has detected, and successfully
remediated, one virus.
This is simply another way to identify systems that have been infected by
malware or viruses, and view the details on the malware infection.
3. Generate reports on Endpoint Protection status
1. Click the Monitoring workspace.
NOTE: The Monitoring workspace appears displaying the System Center
2012 R2 Endpoint Protection dashboard in the results pane.
2. In the navigation pane, expand Reporting, expand Reports, and then click Endpoint Protection.
NOTE: The list of reports in the "Endpoint Protection" category appears in
the results pane. Notice that there are six reports in this version of Configuration Manager 2012 for Endpoint Protection. The default view of
reports is sorted by report name.
3. In the results pane, click Antimalware overall status and history, and then on the Ribbon, click Run.
NOTE: The Antimalware overall status and history report window appears. This is a prompted report, and requires the collection to report
status for, as well as the date range to report on.
4. After Collection Name, click Values.
NOTE: The Parameter Value dialog box appears displaying the collection
available for reporting on. Notice that only two collections appear – “All
Systems” and “Configuration Manager Clients”.
5. Under Collection, click Configuration Manager Clients, and then click OK.
NOTE: The Antimalware overall status and history report window appears displaying the collection to display status for, as well as the default
date range to report on, which by default, is the most recent week up to today's date.
6. Click View Report.
NOTE: The Antimalware overall status and history report window appears displaying the current status for computers in the "Configuration
Manager Clients" collection, for the past week. Notice the following
information displayed in the report:
Overall Endpoint Protection status - status of clients in various
categories, such as protected, at risk (two of our clients), etc.
Malware remediation status - status of remediation of clients in
various categories, such as cleaned (notice that there was a remediation in the past 24 hours)
Operational status of Endpoint Protection clients - status of clients
with operational issues, such as installation failed (there should be no
operational issues in our lab environment)
Definition status on computers - status of the Endpoint Protection
definition, such as current (neither of our clients are current, based
on the age of the definitions in the virtual machine images)
Antimalware Policy Application status on computers - status of the
Antimalware policy on clients, such as successful (should be both our
clients)
7. Close the Antimalware overall status and history report window.
NOTE: The list of reports in the "Endpoint Protection" category appears in
the results pane. Notice that there are six reports in this version of
Configuration Manager 2012 for Endpoint Protection. The default view of reports is sorted by report name. Since the Antimalware overall status
and history report indicated that there was a remediation in the past 24 hours, you will now view that status in another report.
8. In the results pane, click Antimalware activity report, and then on the Ribbon, click Run.
NOTE: The Antimalware activity report report window appears. This is a
prompted report, and requires the collection to report malware activity for, as well as the date range to report on.
9. After Collection Name, click Values.
NOTE: The Parameter Value dialog box appears displaying the collection available for reporting on. Notice that only two collections appear – “All
Systems” and “Configuration Manager Clients”.
10. Under Collection Name, click Configuration Manager Clients, and then click OK.
NOTE: The Antimalware activity report report window appears displaying
the collection to display malware activity for, as well as the default date
range to report on, which by default, is the most recent week up to today's date.
11. Click View Report.
NOTE: The Antimalware activity report report window appears displaying
the data for antimalware activity, for computers in the "Configuration
Manager Clients" collection, for the past week. Notice the following information displayed in the report:
That there are no computers with failed or pending remediation, with
one successful remediation
That there was one threat, with the number of affected computers
(one) and the number of incidents (one)
12. Under Total Remediations, click 1.
NOTE: The Infected computers report window appears displaying the data for Infected Computers report. Notice that the report indicates that
there was one incident on the computer “Client1.ConfigMgrDom.local”.
13. Under Computer Name, click Client1.ConfigMgrDom.local.
NOTE: The Computer malware details report window appears displaying the data for Computer malware details report. Notice the details for the
one computer that was infected.
14. Under Threat Name, click Virus:DOS/EICAR_Test_File.
NOTE: The Malware details report window appears displaying the data for
the one malware that was detected and cleaned on your client. Notice that
the report provides details on the malware, as well as the incidents detected in both tabular and graphical format, as well as listing the computers infected
by this malware.
15. Close the Malware details report window.
NOTE: The list of reports in the "Endpoint Protection" category appears in
the results pane.
5 IMPLEMENTING REAL-TIME ACTIONS TO ALLOW THREATS
In this exercise, you will use the Configuration Manager console to allow the virus on the
client computer, and to restore the quarantined files. This is the scenario you would follow if a legitimate application were
falsely identified as a threat, and blocked from running on the client computer.
Tasks Detailed steps
Complete the following task on: Primary1
1. Allow the threat and restore quarantined files
1. Click the Monitoring workspace.
NOTE: The Monitoring workspace appears displaying the available Endpoint
Protection reports in the results pane. You ran a number of these reports in the previous exercise.
2. In the navigation pane, expand Endpoint Protection Status, and then click the Malware Detected node.
NOTE: The malware detected details appear in the results pane. Notice that
it displays the malware that has been detected on all clients in all collections, as well as additional information on the malware/virus in the preview pane.
3. In the results pane, under Collection, click Configuration Manager Clients.
NOTE: Notice the actions that are available on the Ribbon for the malware detected on clients in this collection.
Malware Details – this action will attempt to display information on this
malware from published resources on the Internet
Allow this threat – this action will send a real-time action to the client to
allow this threat to run on the computer (the “false positive” scenario)
Restore files quarantined by this threat – this action will send a real-
time action to the client to restore any files that had been previously
quarantined by the remediation of the threat
View infected clients – this action will create a ‘sticky node’ in the
Assets and Compliance workspace of the clients affected by this specific
malware/virus
4. On the Ribbon, click Allow this threat.
NOTE: An Allow this threat message box appears, stating that this will create an
antimalware policy to allow this threat, and the policy will be deployed to the
“Configuration Manager Clients” collection. The status of this can be tracked in the “Client Operations” node in the Monitoring workspace.
5. Click OK.
NOTE: The malware detected information appears in the results pane.
6. On the Ribbon, click Restore files quarantined by this threat.
NOTE: A Restore quarantined files message box appears, stating that this will
restore files without a dependency on the allow or exclusion job (which you just ran).
7. Click OK.
NOTE: The malware detected information appears in the results pane.
8. In the navigation pane, click Client Operations.
NOTE: The list of real-time actions implemented in the site appears in the
results pane. You will notice actions issued previously in the lab, including the
“Download Computer Policy”, “Download Definition”, and “Quick Scan” actions. All those actions should have already been summarized so you
should see that two of the three clients were successful in implementing those actions. The two new actions of “Allow threat” and “Restore
Quarantined Items” likely have not been summarized yet.
9. In the results pane, under Operation Name, click Allow threat, and then on the Ribbon, click Run Summarization.
NOTE: Any results for these actions from clients will be summarized. You will
need to refresh the Client Operations node to display updated information.
You may not have any updated status from clients yet. These are real-time actions, so you will see results fairly soon.
You will now verify that the two real-time actions were implemented on the client, and that you can now access the quarantined file.
In the following procedure, you will attempt to access a file that previously simulated a malware
breakout. This file access should be successful now that the real-time actions have been implemented on
the client.
Tasks Detailed steps
Complete the following task on: Client1
1. Generate malware on the client
1. Start Windows Explorer, and then open the C:\MalwareFiles folder.
NOTE: The contents of the C:\MalwareFiles folder appear. Notice that there are
five files in this folder. Notice that Test1.txt has been restored. This is an indication that the real-time actions have completed on the client. If “Test1.txt”
has not been restored yet, wait until it has before continuing.
2. Attempt to open Test1.txt.
NOTE: Notepad opens and displays the contents of the file. Recall that
previously, an “Access is denied” message appeared. This is an indication that
the real-time action to allow this threat has been implemented on the client.
3. Close Notepad, and then attempt to access any of the other files.
NOTE: You should be able to access any of the files in the folder now, as the
exclusion was on the threat name, which applies to all five of these files.
2. View the updated Endpoint Protection client status
1. On the Start menu, click System Center Endpoint Protection.
NOTE: The System Center Endpoint Protection window appears, displaying the
current status of the Endpoint Protection client as "Protected".
2. Click the History tab.
NOTE: The System Center Endpoint Protection window appears, allowing you to
configure the type of items to display for the Endpoint Protection client, and to
view details. You do not see any malware status on this tab; however, you can
view status by viewing the historical data for the client.
3. Click View details.
NOTE: The System Center Endpoint Protection window displays historical data for this client. Notice that the previous information regarding the threat for
“Eicar_Test_File” has been removed as it is no longer a valid threat.
4. Close the System Center Endpoint Protection window.
NOTE: Later in this lab, you will use the Configuration Manager 2012 R2 real-time actions to restore the quarantined files, and allow this threat. In the next exercise, you will report on malware status.
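As an added verification script (not part of the lab manual), the following PowerShell checks on Client1 the same end state the steps above verify by hand: that all five files in the lab's C:\MalwareFiles folder are present and readable (a missing Test1.txt means the restore action has not completed; an "Access is denied" error means the allow action has not reached the client), and then reads the Endpoint Protection client's health from the root\Microsoft\SecurityClient WMI namespace. The property names selected from the AntimalwareHealthStatus class are assumptions.

```powershell
# Added verification script (not part of the lab manual). Run on Client1 after
# the "Allow threat" and "Restore Quarantined Items" real-time actions.
$folder = 'C:\MalwareFiles'   # folder used by the lab exercise
$expectedFiles = 5            # the lab places five files in this folder

function Test-MalwareFilesAccessible {
    param([string]$Path)
    $results = @()
    foreach ($file in (Get-ChildItem -Path $Path | Where-Object { -not $_.PSIsContainer })) {
        $entry = New-Object PSObject -Property @{ File = $file.Name; Accessible = $false; Error = $null }
        try {
            # Reading the file exercises real-time protection. With the threat
            # allowed by name, every file in the folder must open successfully.
            [void](Get-Content -Path $file.FullName -ErrorAction Stop)
            $entry.Accessible = $true
        } catch {
            if ($_.Exception -is [System.UnauthorizedAccessException]) {
                # The lab's "Access is denied" symptom: the allow action has
                # not been applied on this client yet.
                $entry.Error = 'Access is denied (allow action not yet applied)'
            } else {
                $entry.Error = $_.Exception.Message
            }
        }
        $results += $entry
    }
    return $results
}

function Get-EpClientHealth {
    # The SCEP client publishes its health in root\Microsoft\SecurityClient;
    # the property names below are assumed from the AntimalwareHealthStatus class.
    Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class 'AntimalwareHealthStatus' -ErrorAction Stop |
        Select-Object AMServiceEnabled, RtpEnabled, AntivirusSignatureVersion, LastQuickScanDateTimeStart
}

$access = @(Test-MalwareFilesAccessible -Path $folder)
$access | Format-Table File, Accessible, Error -AutoSize

if ($access.Count -lt $expectedFiles) {
    Write-Warning "Only $($access.Count) of $expectedFiles files present; the restore action has not completed yet."
}
$blocked = @($access | Where-Object { -not $_.Accessible })
if ($blocked.Count -gt 0) {
    Write-Warning "$($blocked.Count) file(s) still blocked; wait for the real-time actions to complete and re-run."
} elseif ($access.Count -eq $expectedFiles) {
    Write-Host "All $expectedFiles files in $folder are accessible; the allow/restore actions have taken effect."
}

Get-EpClientHealth | Format-List
```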
You have now successfully implemented Endpoint Protection 2012 in a Configuration Manager 2012 R2 environment. You modified the default location
to download definition files, enabled the Endpoint Protection point site system role, enabled the Endpoint Protection client agent, and installed the agent on the
client computers. You then created a custom malware policy to set custom
values for your client scan schedules and definition download location. Finally, you generated malware to be detected and remediated, including monitoring the
status on the client as well as the site server. Reports were run to display status, and the status was also viewed in the Endpoint Protection dashboard.
System Center 2012 Endpoint Protection is a feature included with System Center 2012 Configuration Manager, and, as you have seen, is very easy to
implement. You also implemented new Configuration Manager 2012 R2 features
for real-time actions and new Configuration Manager Console information regarding Endpoint Protection (new dashboard and reports).
One final thing that you’d very likely do in your production environments would be to create an automatic deployment rule to deploy any new definition updates
automatically when detected. This would download the definitions, distribute
them to the assigned distribution points, and allow the Endpoint Protection client to download the definitions from the Configuration Manager infrastructure just
as Configuration Manager clients would implement security updates deployed through Configuration Manager. You can experience the creation of automatic
deployment rules in the “Managing Microsoft Software Updates with Configuration Manager 2012” hands-on lab.