Forefront Endpoint Protection in SCCM 2012

Microsoft has been in the anti malware/virus business for a couple of years now. Going back to the first version of Windows Defender and going on today  with the most used antivirus product on the market (Which is free) Microsoft Security Essentials. Microsoft likes to label its security product as Forefront, their Forefront products are not only based on anti-malware/virus but also consists of Forefront TMG (Threat Management Gateway formally called ISA server) And Forefront UAG ( User Access Gateway ) Which is their Network Edge Security products.

Microsoft also has a their own anti-virus/malware product for enterprise businesses, which is called Forefront Endpoint Protection (Which is basically a converted Security Essentials, with added management capabilities)

Now with System Center 2012 release, Microsoft has a different approach. They have included the endpoint protection service with Configmgr 2012.   Therefore now you can manage forefront via SCCM console.

Not sure where Microsoft is headed with this, since if a business wants Forefront they would need to invest in SCCM as well (Even if they don’t need it).  On the other hand, Microsoft can now brag about having a system that does everything. Maybe its something they needed to compete with Symantec Altiris ? (Just a thought)

Let’s take a look at how you setup Forefront in ConfigMgr, and how you can manage it.
First you have to install the Endpoint Protection role via the console.

After that is done, you would need to alter the default client policy (Since by default it is disabled )

In my case I have created a custom client policy which I intend to use.

image

I open the policy and change the following settings,

forefront-policy

After I have changes these, I have to deploy the client settings to a computer collection that I wish to have forefront installed.
So I right click the policy and choose “Deploy”

forefront-policy2

When you now install a agent on a computer that resides within that collection, I will get SCEP installed.
If you watch the install log ccmsetup.log you will find multiple references to scep.exe file.
NOTE: That you need to restart the computer eventually for the installation to finish
After the installation is complete, you will get a new icon down in the system tray.
image That looks like this ( It might say “At risk” but this is because it only has the installed definitions.
Now that you have installed scep you also need to change the policy for how scep is going to function.
Since in the previous Client Policy all you did was install the scep software on the client.

You can also see in the Console under Assets –> “A computer with SCEP installed”
That it says EP managed.
image
Now then over to the client policy

image

Head over to Assets and Compliance –> Endpoint Protection –> Antimalware Policies (There you will have a default client policy, which is the only we are going to alter, since this applies to all SCEP agents in the site)
You can also choose import a policy, Forefront comes with a bunch of premade policies that Microsoft has created.

image

But lets alter the policy, and see what we need.

forefront1

First pane is about scans. The values you see here are the defaults (So im going to leave it at that )

forefront2
Next is the Scan settings, this is also default values ( You should change it to scan removavle storage devices ) Now a days many business computers gets infected by an employees usb drive.
forefront3
Next is the default actions. If SCEP find the signature of a know virus which is under the category of “Severe” the recommend action attatched to that virus is run (Which is most cases is delete/remove)

forefront4

Next is real-time protection,  most values here should stay as default.
forefront5

Next is Exclusion settings (Here you need to figure out, on what computers is this policy going to be deployed? )
If you have a SharePoint servers, it would need different Exclusion settings from a Terminal Server or Exchange.
forefront6

Next is Advanced, the default values here is also recommended. We don’t want to bug the user with notifications about updates every 2 hours, or scans happening.

forefront7
Next is the Threat Override here you can define for instance if you have multiple users that are installed Cain & Abel, SCEP will automatically place it into quarantine, here you can create an override so that users can use the tool.

forefront8

On to the MAPS, which basically sends info to Microsoft regarding malware (If something new is found with a unknown signature your contribution might allow Microsoft to create a fix)
forefront9

Next are the definition updates, here you set the settings for how the client updates.
By default there are 4 sources where the client is allowed to get updates from.

1: WSUS
2: SCCM
3: Microsoft Update
4: Microsoft Malware Protection Center

After you are done with the settings Click OK. 
It might take some time before the policy is updated on the computer.
You can watch the EndpointProtectionAgent.log file under C:windowsccmlogs

Now when you open settings on the SCEP agent you will notice that it says “Some settings are set by the administrator”
image

And for the purpose of this demo I wanted to test the SCEP agent and see what happens and how it interacts with the SCCM console when a virus appears on a computers.
So therefore I turned to EICAR.
EICAR is a test file to test the response of computer (AV) programs
What you need to do is open notepad
Enter this value

X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Save it as EICAR.COM and see what happens Smile



forefront-eicar

And the agent responded instantly, before I was able to finish writing it had automatically removed the file

forefront-eicar2

So now I am interested to see if the console saw that the virus appeared. therefore im going to use the report functionality,
Go over to the Monitoring tab –> Reporting –> Reports.

image

You can see that by default it includes 6 “Endpoint Protection” reports.
Im going to view the Antimalware Activity Report.

image

And there we go, the info has already been exported to the system.

0 thoughts on “Forefront Endpoint Protection in SCCM 2012”

Leave a Reply

Scroll to Top
%d bloggers like this: