How to create and deploy antimalware policies for Endpoint Protection in System Center Configuration Manager

 

Aplica-se A: System Center Configuration Manager (current branch)

You can deploy antimalware policies to collections of O System Center Configuration Manager client computers to specify how Endpoint Protection protects them from malware and other threats. These antimalware policies include information about the scan schedule, the types of files and folders to scan, and the actions to take when malware is detected. When you enable Endpoint Protection, a default antimalware policy is applied to client computers. You can also use additional policy templates that are supplied or create your own custom antimalware policies to meet the specific needs of your environment.

System_CAPS_ICON_note.jpg Nota


Gestor de configuração supplies a selection of predefined templates that are optimized for various scenarios and can be imported into Gestor de configuração. These templates are available in the folder <ConfigMgr Install Folder>\AdminConsole\XMLStorage\EPTemplates.

System_CAPS_ICON_important.jpg Importante


If you create a new antimalware policy and deploy it to a collection, this antimalware policy overrides the default antimalware policy.

Use the procedures in this topic to create or import antimalware policies and assign them to System Center 2012 Configuration Manager client computers in your hierarchy.

System_CAPS_ICON_note.jpg Nota


Before you perform these procedures, ensure that Gestor de configuração is configured for Endpoint Protection as described in Configuring Endpoint Protection in System Center Configuration Manager.

  1. In the Gestor de configuração console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. Select the antimalware policy Default Client Antimalware Policy and then, on the Home tab, in the Properties group, click Properties.

  4. In the Default Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.

    System_CAPS_ICON_note.jpg Nota


    For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic.

  1. In the Gestor de configuração console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. On the Home tab, in the Create group, click Create Antimalware Policy.

  4. In the General section of the Create Antimalware Policy dialog box, enter a name and a description for the policy.

  5. In the Create Antimalware Policy dialog box, configure the settings that you require for this antimalware policy, and then click OK.

    System_CAPS_ICON_note.jpg Nota


    For a list of settings that you can configure, see List of Antimalware Policy Settings in this topic.

  6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

  1. In the Gestor de configuração console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. In the Home tab, in the Create group, click Import.

  4. In the Open dialog box, browse to the policy file to import, and then click Open.

  5. In the Create Antimalware Policy dialog box, review the settings to use, and then click OK.

  6. Verify that the new antimalware policy is displayed in the Antimalware Policies list.

  1. In the Gestor de configuração console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, expand Endpoint Protection, and then click Antimalware Policies.

  3. In the Antimalware Policies list, select the antimalware policy to deploy. Then, on the Home tab, in the Deployment group, click Deploy.

    System_CAPS_ICON_note.jpg Nota


    The Deploy option cannot be used with the default client malware policy.

  4. In the Select Collection dialog box, select the device collection to which you want to deploy the antimalware policy, and then click OK.

Many of the antimalware settings are self-explanatory. Use the following sections for more information about the settings that might require more information before you configure them.

Este artigo contém informações sobre uma nova funcionalidade introduzida na versão 1602 de O System Center Configuration Manager (current branch). Para utilizar a nova funcionalidade, terá de instalar a atualização 1602. Se não tiver atualizado para a versão mais recente do Gestor de configuração, pode transferir a documentação da versão utilizada na Galeria do TechNet.

Scheduled Scans Settings

  • Scan type - You can specify one of two scan types to run on client computers:

    • Quick scan – This type of scan checks the in-memory processes and folders where malware is typically found. It requires fewer resources than a full scan.

    • Full Scan – This type of scan adds a full check of all local files and folders to the items scanned in the quick scan. This scan takes longer than a quick scan and uses more CPU processing and memory resources on client computers.

    In most cases, use Quick scan to minimize the use of system resources on client computers. If malware removal requires a full scan, Endpoint Protection generates an alert that is displayed in the Gestor de configuração console. The default value is Quick scan.

  • Randomize the scheduled scan start times (within 30 minutes) - Set to Yes to help avoid flooding the network, which can occur if all computers send their antimalware scans results to the Gestor de configuração database at the same time. This setting is also useful when you run multiple virtual machines on a single host. Select this option to reduce the amount of simultaneous disk access for antimalware scanning.

Scan Settings

Scan network drives when running a full scan -
Set to Yes to scan any mapped network drives on client computers. Note: If you enable this setting, it might significantly increase the scan time on client computers.

Scan mapped network drives when running a full scan - Beginning in version 1602 of Configuration Manager, this setting provides greater granularity for the administrator to allow on-demand scans of network files without the risk of always scanning mapped network drives during a scheduled full scan. Also note:

  • The Scan network files setting must be set to Yes for this setting to be available to configure.

  • By default, this setting is set to No, meaning that a full scan will not access mapped network drives.

Default Actions Settings

Select the action to take when malware is detected on client computers. The following actions can be applied, depending on the alert threat level of the detected malware.

  • Recommended – Use the action recommended in the malware definition file.

  • Quarantine – Quarantine the malware but do not remove it.

  • Remove – Remove the malware from the computer.

  • Allow – Do not remove or quarantine the malware.

Real-time Protection Settings

Setting nameDescription
Enable real-time protectionSet to Yes to configure real-time protection settings for client computers. We recommend that you enable this setting.
Monitor file and program activity on your computerSet to Yes if you want Endpoint Protection to monitor when files and programs start to run on client computers and to alert you about any actions that they perform or actions taken on them.
Scan system filesThis setting lets you configure whether incoming, outgoing, or incoming and outgoing system files are monitored for malware. For performance reasons, you might have to change the default value of Scan incoming and outgoing files if a server has high incoming or outgoing file activity.
Enable behavior monitoringEnable this setting to use computer activity and file data to detect unknown threats. When this setting is enabled, it might increase the time required to scan computers for malware.
Enable protection against network-based exploitsEnable this setting to protect computers against known network exploits by inspecting network traffic and blocking any suspicious activity.
Enable script scanningFor Configuration Manager with no service pack only.

Enable this setting if you want to scan any scripts that run on computers for suspicious activity.
Block Potentially Unwanted Applications at download and prior to installationPotential Unwanted Applications (PUA) is a threat classification based on reputation and research-driven identification. Most commonly, these are unwanted application bundlers or their bundled applications.

Beginning in version 1602 of Configuration Manager, this protection policy setting is available and set to Yes by default. When enabled, this setting blocks PUA at download and install time. However, you can exclude specific files or folders to meet the specific needs of your business or organization.

Exclusion Settings

Excluded files and folders:
Click Set to open the Configure File and Folder Exclusions dialog box and specify the names of the files and folders to exclude from Endpoint Protection scans.

If you want to exclude files and folders that are located on a mapped network drive, specify the name of each folder in the network drive individually. For example, if a network drive is mapped as F:\MyFolder and it contains subfolders named Folder1, Folder2 and Folder 3, specify the following exclusions:

  • F:\MyFolder\Folder1

  • F:\MyFolder\Folder2

  • F:\MyFolder\Folder3

Beginning in version 1602 of Configuration Manager, the existing Exclude files and folders setting in the Exclusion settings section of Endpoint Protection antimalware policy is improved to allow device exclusions. For example, you can now specify the following as an exclusion: \device\mvfs (for Multiversion File System). The policy does not validate the device path; the Endpoint Protection policy is provided to the antimalware engine on the client which must be able to interpret the device string.

Advanced Settings

Enable reparse point scanning - Set to Yes if you want Endpoint Protection to scan NTFS reparse points.
For more information about reparse points, see Reparse Points in the Windows Dev Center.

Beginning in version 1602 of Configuration Manager, the antimalware engine may request file samples to be sent to Microsoft for further analysis. By default, it will always prompt before it sends such samples. Administrators can now manage the following settings to configure this behavior:

Enable auto sample file submission to help Microsoft determine whether certain detected items are Malicious - Set to Yes to enable auto sample file submission. By default, this setting is No which means auto sample file submission is disabled and users will be prompted before sending samples. (This setting was first introduced in System Center 2012 R2 Configuration Manager SP1.)

Allow users to modify auto sample file submission settings - This setting determines whether a user with local administrative rights on a device can change the auto sample file submission setting in the client interface. By default, this setting is “No” which means the settings can only be changed from within the Configuration Manager console, and local administrators on a device cannot change this configuration.
For example, the following shows the Windows Defender setting in Windows 10 set by the administrator as enabled, and the user is not allowed to modify it

TechRef_WinDefender

Threat Overrides Settings

Threat name and override action - Click Set to customize the remediation action to take for each threat ID when it is detected during a scan.

System_CAPS_ICON_note.jpg Nota


The list of threat names might not be available immediately after the configuration of Endpoint Protection. Wait until the Endpoint Protection point has synchronized the threat information, and then try again.

Microsoft Active Protection Services

Enabling Microsoft Active Protection Services (MAPS) enables the collection of information about detected malware on managed virtual machines and the actions taken. This information is sent to Microsoft.

Microsoft Active Protection Service membership

  • Basic - Collect and send lists of detected malware
  • Advanced - Basic information as well as more comprehensive information that might occasionally contain personal information from, for example, file paths and partial memory dumps

Allow users to modify Microsoft Active Protection Service settings - Toggles user control of MAPS settings

Definition Updates Settings

Set sources and order for Endpoint Protection client updates - Click Set Source to specify the sources for definition and scanning engine updates, and to also specify the order in which they are used. If Gestor de configuração is specified as one of the sources, then the other sources are used only if software updates fail to download the client updates.

If you use any of the following methods to update the definitions on client computers, then the client computers must be able to access the Internet.

  • Updates distributed from Microsoft Update

  • Updates distributed from Microsoft Malware Protection Center

System_CAPS_ICON_important.jpg Importante


Clients download definition updates by using the built-in system account. You must configure a proxy server for this account to enable these clients to connect to the Internet.

If you have configured a software updates automatic deployment rule to deliver definition updates to client computers, these updates will be delivered regardless of the definition updates settings.

Mostrar: