Manage antimalware policies and firewall settings

Applies to: Configuration Manager (current branch)

Use the information in this topic to help you manage Endpoint Protection antimalware policies and Windows Firewall policies, to perform on-demand scans, to force computers to download the latest available definitions, and to remediate detected malware.

Manage antimalware policies

In the Assets and Compliance workspace, expand Endpoint Protection, choose Antimalware Policies, select the antimalware policy that you want to manage, and then select a management task.

This table provides more information.

Task Details
Increase Priority If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected antimalware policy is applied. Use the Order column to see the order in which the policies are applied.

The antimalware policy that has the highest priority is always applied first.
Decrease Priority If multiple antimalware policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected antimalware policy is applied. Use the Order column to view the order in which the policies are applied.
Merge Merges the two selected antimalware policies. In the Merge Policies dialog box, enter a name for the new, merged policy. The Base policy is the antimalware policy that is merged with this new antimalware policy.

Note: If two settings conflict, the most secure setting is applied to computers.
Deploy Opens the Select Collection dialog box. Select the collection to which you want to deploy the antimalware policy, and then choose OK.

Manage Windows Firewall policies

In the Assets and Compliance workspace, choose Endpoint Protection > Windows Firewall Policies, select the Windows Firewall policy that you want to manage, and then select a management task.

This table provides more information.

Task Details
Increase Priority If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to increase the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.
Decrease Priority If multiple Windows Firewall policies are deployed to the same computer, they are applied in order. Use this option to decrease the priority by which the selected Windows Firewall policy is applied. Use the Order column to view the order in which the policies are applied.
Deploy Opens the Deploy Windows Firewall Policy dialog box from where you can deploy the firewall policy to a collection.

How to perform an on-demand scan of computers

You can perform a scan of a single computer, multiple computers, or a collection of computers in the Configuration Manager console. This scan occurs in addition to any scheduled scans.

Note

If any of the computers that you select do not have the Endpoint Protection client installed, the on-demand scan option is unavailable.

To perform an on-demand scan of computers

  1. In the Configuration Manager console, choose Assets and Compliance.

  2. In the Devices or Device Collections node, select the computer or collection of computers that you want to scan.

  3. On the Home tab, in the Collection group, click Endpoint Protection, and then click Full Scan or Quick Scan.

    The scan will take place when the computer or collection of computers next downloads client policy. To monitor the results from the scan, use the procedures in How to monitor Endpoint Protection.

How to force computers to download the latest definition files

You can force a single computer, multiple computers, or a collection of computers to download the latest definition files from the Configuration Manager console.

Note

If any of the computers that you select do not have the Endpoint Protection client installed, the Download Definition option is unavailable.

To force computers to download the latest definition files

  1. In the Devices or Device Collections node, select the computer or collection of computers for which you want to download definitions.

  2. On the Home tab, in the Collection group, choose Endpoint Protection, and then click Download Definition. The download will take place when the computer or collection of computers next downloads client policy.

    Note

    Use the Endpoint Protection Status node under Security in the Monitoring workspace to discover clients that have out-of-date definitions.

Remediate detected malware

When malware is detected on client computers, this will be displayed in the Malware Detected node under Endpoint Protection Status under Security in the Monitoring workspace of the Configuration Manager console. Select an item from the Malware Detected list, and then use one of the following management tasks to remediate or allow the detected malware:

  • Allow this threat - Creates an antimalware policy to allow the selected malware. The policy is deployed to the All Systems collection and can be monitored in the Client Operations node of the Monitoring workspace.

  • Restore files quarantined by this threat - Opens the Restore quarantined files dialog box where you can select one of the following options:

    • Run the allow-threat or exclusion operation first to assure that files are not put back into quarantine - Restores the files that were quarantined because of the detected malware and also excludes the files from malware scans. If you do not exclude the files from malware scans, they will be quarantined again when the next scan runs.

    • Restore files without a dependency on the allow or exclusion job - Restores the quarantined files but does not add them to the exclusion list.

  • View infected clients - Displays a list of all clients that were infected by the selected malware.

  • Exclude selected files or paths from scan - When you select this option from the malware details pane, the Exclude files and paths dialog box opens where you can specify the files and folders that you want to exclude from malware scans.