
How to Monitor Endpoint Protection in Configuration Manager

Updated: January 1, 2013

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Endpoint Protection, System Center 2012 Endpoint Protection SP1, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Endpoint Protection

You can monitor Endpoint Protection in your Microsoft System Center 2012 Configuration Manager hierarchy by using the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, the Endpoint Protection node in the Assets and Compliance workspace, and by using reports.

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click System Center 2012 Endpoint Protection Status.

  3. In the Collection list, select the collection for which you want to view status information.

    Important
    Collections are available for selection in the following cases:

    • When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the <collection name> Properties dialog box.

    • When you deploy an Endpoint Protection antimalware policy to the collection.

    • When you enable and deploy Endpoint Protection client settings to the collection.

  4. Review the information that is displayed in the Security State and Operational State sections. You can click any status link to create a temporary collection in the Devices node in the Assets and Compliance workspace. The temporary collection contains the computers with the selected status.

    Important
    Information that is displayed in the System Center 2012 Endpoint Protection Status node is based on the last data that was summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the summarization interval.

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, perform one of the following actions:

    • Click Devices. In the Devices list, select a computer, and then click the Malware Detail tab.

    • Click Device Collections. In the Device Collections list, select the collection that contains the computer you want to monitor and then, on the Home tab, in the Collection group, click Show Members.

  3. In the <collection name> list, select a computer, and then click the Malware Detail tab.

Use the following reports to help you view information about Endpoint Protection in your hierarchy. You can also use these reports to help troubleshoot any Endpoint Protection problems. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. The Endpoint Protection reports are in the Endpoint Protection folder.

 

| Report name | Description |
| --- | --- |
| Antimalware Activity Report | Displays an overview of antimalware activity for a specified collection. |
| Infected Computers | Displays a list of computers on which a specified threat is detected. |
| Top Users By Threats | Displays a list of the users with the highest number of detected threats. |
| User Threat List | Displays a list of threats that were found for a specified user account. |

Use the following table to identify the different Endpoint Protection alert levels that might be displayed in reports, or in the Configuration Manager console.

 

| Alert level | Description |
| --- | --- |
| Failed | Endpoint Protection failed to remediate the malware. Check your logs for details of the error. Note: For a list of Configuration Manager and Endpoint Protection log files, see the Endpoint Protection section in the Technical Reference for Log Files in Configuration Manager topic. |
| Removed | Endpoint Protection successfully removed the malware. |
| Quarantined | Endpoint Protection moved the malware to a secure location and prevented it from running until you remove it or allow it to run. |
| Cleaned | The malware was cleaned from the infected file. |
| Allowed | An administrative user selected to allow the software that contains the malware to run. |
| No Action | Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts. |
| Blocked | Endpoint Protection blocked the malware from running. This might occur if a process on the computer is found to contain malware. |
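
The following PowerShell is an added example, not part of the original documentation: it triages detection rows by the alert levels in the table above and lists only the rows that still need an administrator's attention. The CSV column names, the sample rows, the priority order, and the follow-up text are assumptions made for illustration; they are not the schema of a Configuration Manager report export.

```powershell
# Constructed sample rows. The column names are assumptions for this example,
# not the schema of a real Configuration Manager report export.
$rows = @'
Computer,Threat,AlertLevel
WS-001,SampleThreat.A,Removed
WS-002,SampleThreat.B,Failed
WS-002,SampleThreat.A,Quarantined
WS-003,SampleThreat.C,No Action
WS-004,SampleThreat.A,Allowed
WS-005,SampleThreat.D,Blocked
WS-006,SampleThreat.E,Pending
'@ | ConvertFrom-Csv

# Alert levels from the table above. Priority (1 = most urgent) and FollowUp text
# are assumptions derived from each description; $null means no follow-up.
$triage = @{
    'Failed'      = @{ Priority = 1; FollowUp = 'Remediation failed: check the Endpoint Protection logs' }
    'Allowed'     = @{ Priority = 2; FollowUp = 'Confirm that allowing this software to run was intended' }
    'No Action'   = @{ Priority = 3; FollowUp = 'Check whether the source, such as a mapped drive, still holds the malware' }
    'Quarantined' = @{ Priority = 4; FollowUp = 'Decide whether to remove or allow the quarantined item' }
    'Blocked'     = @{ Priority = 5; FollowUp = $null }
    'Removed'     = @{ Priority = 5; FollowUp = $null }
    'Cleaned'     = @{ Priority = 5; FollowUp = $null }
}

function Get-EndpointProtectionFollowUp {
    param([Parameter(Mandatory)] [object[]] $Rows)
    foreach ($row in $Rows) {
        $level = "$($row.AlertLevel)".Trim()
        $entry = $triage[$level]
        if ($null -eq $entry) {
            # A level that is not in the table is listed first instead of being dropped.
            $entry = @{ Priority = 0; FollowUp = 'Unrecognized alert level: review manually' }
        }
        if ($entry.FollowUp) {
            [pscustomobject]@{
                Priority   = $entry.Priority
                Computer   = $row.Computer
                Threat     = $row.Threat
                AlertLevel = $level
                FollowUp   = $entry.FollowUp
            }
        }
    }
}

Get-EndpointProtectionFollowUp -Rows $rows |
    Sort-Object Priority, Computer | Format-Table -AutoSize -Wrap
```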

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
© 2014 Microsoft