Share via


How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

Use the information in this topic to help you manage Endpoint Protection antimalware policies and Windows Firewall policies in Microsoft System Center 2012 Configuration Manager, to perform on-demand scans, to force computers to download the latest available definitions, and to remediate detected malware.

How to Manage Antimalware Policies

In the Assets and Compliance workspace, expand Endpoint Protection, click Antimalware Policies, select the antimalware policy that you want to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.

Task

Details

Increase Priority

If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied.

The antimalware policy that has the highest numbered priority is always applied first.

Decrease Priority

If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied.

Merge

Merges the two selected antimalware policies. In the Merge Policies dialog box, enter a name for the new, merged policy. The Base policy is the antimalware policy that is merged with this new antimalware policy.

Note

If two settings conflict, the most secure setting is applied to computers.

Deploy

Opens the Select Collection dialog box. Select the collection to which you want to deploy the antimalware policy, and then click OK.

How to Manage Windows Firewall Policies

In the Assets and Compliance workspace, click Endpoint Protection, click Windows Firewall Policies, select the Windows Firewall policy that you want to manage, and then select a management task.

Use the following table for more information about the management tasks that might require some information before you select them.

Task

Details

Increase Priority

If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.

Decrease Priority

If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.

Deploy

Opens the Deploy Windows Firewall Policy dialog box from where you can deploy the firewall policy to a specified collection.

How to Perform an On-demand Scan of Computers

You can perform a scan of a single computer, multiple computers, or a collection of computers in the Configuration Manager console. This scan occurs outside any scheduled scans that you configured. Use the following procedure to perform an on-demand scan.

Important

If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is unavailable.

To perform an on-demand scan of computers

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Devices or Device Collections node, select the computer or collection of computers that you want to scan.

  3. On the Home tab, in the Collection group, click Endpoint Protection, and then click Full Scan or Quick Scan.

The scan will take place when the computer or collection of computers next downloads client policy. To monitor the results from the scan, use the procedures in How to Monitor Endpoint Protection in Configuration Manager.

How to Force Computers to Download the Latest Definition Files

You can force a single computer, multiple computers, or a collection of computers to download the latest definition files from the Configuration Manager console by using the following procedure.

Important

If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition option is unavailable.

To force computers to download the latest definition files

  1. In the Devices or Device Collections node, select the computer or collection of computers for which you want to download definitions.

  2. On the Home tab, in the Collection group, click Endpoint Protection, and then click Download Definition. The definition download will take place when the computer or collection of computers next downloads client policy.

    Note

    Use the System Center 2012 Endpoint Protection Status node in the Monitoring workspace to discover clients that have out-of-date definitions.

How to Remediate Detected Malware

When malware is detected on client computers, this will be displayed in the Malware Detected node under Endpoint Protection Status in the Monitoring workspace of the Configuration Manager console. Select an item from the Malware Detected list, and then use one of the following management tasks to remediate or allow the detected malware:

Task

Details

Allow this threat

Creates an antimalware policy to allow the selected malware. The policy is deployed to the All Systems collection and can be monitored in the Client Operations node of the Monitoring workspace.

Restore files quarantined by this threat

Opens the Restore quarantined files dialog box where you can select one of the following options:

  • Run the allow-threat or exclusion operation first to assure that files are not put back into quarantine – Restores the files that were quarantined because of the detected malware and also excludes the files from malware scans. If you do not exclude the files from malware scans, they will be quarantined again when the next scan runs.

  • Restore files without a dependency on the allow or exclusion job – Restores the quarantined files but does not add them to the exclusion list.

View infected clients

Displays a list of all clients that were infected by the selected malware.

Exclude selected files or paths from scan

When you select this option from the malware details pane, the Exclude files and paths dialog box opens where you can specify the files and folders that you want to exclude from malware scans.