Using System Center Endpoint Protection
Published: December 18, 2012
Author: Orin Thomas, Consumer Security MVP
System Center Endpoint Protection is Microsoft’s enterprise antimalware solution. Endpoint Protection is the successor product to Forefront Endpoint Protection. System Center Endpoint Protection is available through and managed by System Center 2012 Configuration Manager.
With the release of System Center 2012 Configuration Manager SP1, you can deploy the Endpoint Protection client to computers running Windows 8 and Windows Server 2012, including computers running the Server Core installation option of Windows Server 2012. The RTM release of System Center 2012 Configuration Manager already supports deploying the Endpoint Protection client to computers running Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 R2, and Windows Server 2003.
With Service Pack 1, Endpoint Protection isn’t limited to computers running Microsoft operating systems: there are Endpoint Protection clients available for computers running Mac OS X and certain Linux distributions. Note, however, that the Linux client is aimed at workloads where Linux is used as a file server rather than in a desktop role.
The installation files for the Endpoint Protection agent are deployed to a computer when you deploy the Configuration Manager client software. While the Endpoint Protection installation files are deployed, Endpoint Protection will not be enabled until you “turn it on” by configuring the appropriate Configuration Manager client policy, as shown in the exhibit.
Figure 1. Client Policy
Client settings are deployed on a per-collection basis. This means that you don’t have to enable the Endpoint Protection client for all Configuration Manager clients; you can instead limit the Endpoint Protection client to specific groups of computers.
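Because the installation files are staged with the Configuration Manager client but the antimalware engine only starts once client policy turns it on, it is worth confirming on a managed computer that the client really is enabled and has picked up its policy. The following is an added example, not code from the original article, that does this from an elevated PowerShell session on the client. It assumes that the Endpoint Protection client exposes the root\Microsoft\ProtectionManagement WMI namespace, that its service is named MsMpSvc, and that the staged installer is ccmsetup\SCEPInstall.exe under the Windows directory; adjust those if your environment differs.

```powershell
# Added example: check whether Endpoint Protection is merely staged or actually enabled
# on this client, and what real-time/exclusion settings it is currently running with.
# Assumptions (not from the article): namespace root\Microsoft\ProtectionManagement,
# service name MsMpSvc, installer path %SystemRoot%\ccmsetup\SCEPInstall.exe.

$ns        = 'root\Microsoft\ProtectionManagement'
$installer = Join-Path $env:SystemRoot 'ccmsetup\SCEPInstall.exe'
$svc       = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue

if (-not $svc) {
    # Staged by the ConfigMgr client, but the "Manage Endpoint Protection client" setting
    # has not been turned on for a collection this computer belongs to.
    "Endpoint Protection is not enabled (installer staged: $(Test-Path $installer))."
    "Check the client settings deployed to this computer's collection."
    return
}

$status = Get-WmiObject -Namespace $ns -Class MSFT_MpComputerStatus
$pref   = Get-WmiObject -Namespace $ns -Class MSFT_MpPreference

# Each entry is a setting the antimalware policy is expected to have switched on.
$checks = [ordered]@{
    'Antimalware service running' = ($svc.Status -eq 'Running')
    'Antivirus enabled'           = $status.AntivirusEnabled
    'Real-time protection on'     = $status.RealTimeProtectionEnabled
    'Behavior monitoring on'      = $status.BehaviorMonitorEnabled
    'Network exploit protection'  = $status.NISEnabled
    'Signatures less than 3 days' = ($status.AntivirusSignatureAge -lt 3)
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-30} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}

# Exclusions are the part of a policy most often wrong; show what actually arrived.
'Excluded paths:     ' + ($pref.ExclusionPath      -join '; ')
'Excluded processes: ' + ($pref.ExclusionProcess   -join '; ')
'Excluded extensions:' + ($pref.ExclusionExtension -join '; ')
```

A FAIL on "Real-time protection on" while the service is running usually means the wrong antimalware policy (or only the default policy) reached the collection; the exclusion lines let you compare what the client received with what was configured in the console.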
Once enabled, Endpoint Protection client settings are controlled centrally through Antimalware Policies and Windows Firewall Policies. You can create antimalware policies on a per-collection basis and configure them with the following settings:
- Scheduled scans. Allows you to specify how frequently antimalware scans run on the client. Also allows you to choose between Quick and Full scan.
- Scan settings. Allows you to specify what is scanned. For example, whether email, removable drives, archived files, and network drives are scanned. These settings are shown in the exhibit.
- Default actions. Allows you to specify how malware is treated once detected based on malware threat level. You have the option of having malware quarantined or removed. You can also configure Endpoint Protection to take whatever action is recommended by Microsoft.
- Enable real-time protection. You can use the settings here to enable real-time protection, and to enable or disable scanning of incoming and outgoing files and of downloaded files and attachments. You can also enable behavior monitoring, which detects new malware from its behavioral characteristics, and enable protection against network-based exploits.
- Exclusion settings. Use these settings to exclude files, folders, file types and processes from scanning.
- Advanced. Use these settings to configure actions such as system restore point creation, client interface visibility, quarantined item deletion period, allowing users to exclude specific folders, and scan and definition update schedule randomization.
- Threat overrides. Allows you to specify the action taken for particular named threats, overriding the default action the Endpoint Protection client would otherwise take.
- Microsoft Active Protection Service. Controls whether information about detected malware is collected and sent to Microsoft.
- Definition updates. Configure how often the client checks for definition updates and the sources from which definition update files are obtained.
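The console is the usual way to build a policy with these settings, but the same work can be scripted with the Configuration Manager cmdlets. The following is an added example, not code from the original article, that creates an antimalware policy from one of the template XML files shipped with the console and deploys it to a collection. It assumes a site code of PS1, a device collection named File Servers, and the template file name shown in the script; list the EPTemplates folder to see the templates your console actually ships with.

```powershell
# Added example: create an antimalware policy from a console template and deploy it to a
# collection. Run on a computer with the Configuration Manager console installed.
# Assumptions (not from the article): site code PS1, collection 'File Servers', and the
# template file name below.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'    # the module creates a PSDrive named after the site code

# Templates live under the console's XmlStorage folder; list them before choosing one.
$templateDir = "$env:SMS_ADMIN_UI_PATH\..\..\XmlStorage\EPTemplates"
Get-ChildItem -Path $templateDir -Filter *.xml | Select-Object -ExpandProperty Name

$policyName = 'File Servers - Antimalware'
$template   = Join-Path $templateDir 'FEP_Default_FileServer.xml'   # assumed file name

# -Policy names the sections of the template to import. The values correspond to the
# sections described above: ScheduledScans, ScanSettings, DefaultActions,
# RealTimeProtection, ExclusionSettings, Advanced, ThreatOverrides,
# MicrosoftActiveProtectionService and DefinitionUpdates. Sections left out keep the
# values of the Default Client Antimalware Policy.
New-CMAntimalwarePolicy -Name $policyName -Path $template `
    -Policy ScheduledScans, ScanSettings, DefaultActions, RealTimeProtection, ExclusionSettings, DefinitionUpdates

# Deploy the policy to the collection. Where several policies reach one client, the
# policy with the highest priority (lowest order number in the console) wins for any
# setting on which they conflict.
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $policyName -CollectionName 'File Servers'

# Confirm the policy exists as expected.
Get-CMAntimalwarePolicy -Name $policyName
```

Importing only the sections you have deliberately reviewed, rather than every section of a template, keeps the policy small and makes it obvious which settings differ from the default policy when you later audit it.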
Figure 2. Endpoint Protection Policy
Endpoint Protection is able to leverage Configuration Manager's extensive reporting functionality. For example, Configuration Manager 2012 includes reports that show the following data for all the computers in your organization:
- Antimalware activity report
- Antimalware overall status and history
- Computer malware details
- Infected computers
- Top users by threats
- User threat list
A big advantage of the integration between Endpoint Protection and Configuration Manager is that you can use data generated by Endpoint Protection when creating Configuration Manager collections. This allows you to target specific computers with Configuration Manager tasks. For example, you could create a collection of computers that have experienced a malware infection and deploy to it a task sequence that performs a wipe-and-load clean installation. Even though Endpoint Protection will have cleaned the infection, some organizations perform a clean installation just to ensure that any malware present has been eradicated.
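The collection described above is a query-based collection whose membership rule reads the Endpoint Protection inventory data. The following is an added example, not code from the original article, that builds such a collection and targets a task sequence at it. It assumes a site code of PS1, that the infection data is surfaced to collection queries through a class named SMS_G_System_AntimalwareInfectionStatus with an Infected property, that a task sequence named "Wipe and load" exists, and that Start-CMTaskSequenceDeployment is available in your cmdlet version; verify the class against your site (the first query in the script does this) before relying on the rule.

```powershell
# Added example: a query-based collection of computers that Endpoint Protection has
# reported as infected, with a remediation task sequence deployed to it.
# Assumptions (not from the article): site code PS1, inventory class
# SMS_G_System_AntimalwareInfectionStatus with an Infected property, a task sequence
# named 'Wipe and load', and Start-CMTaskSequenceDeployment in your cmdlet version.

Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# Look at the raw inventory class first so the membership rule is written against
# properties that really exist in this site.
Get-WmiObject -Namespace 'root\sms\site_PS1' -Class SMS_G_System_AntimalwareInfectionStatus |
    Select-Object -First 5 ResourceId, Infected

# WQL membership rule: every system resource joined to an infection record flagged Infected.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_AntimalwareInfectionStatus
    on SMS_G_System_AntimalwareInfectionStatus.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_AntimalwareInfectionStatus.Infected = 1
"@

$collName = 'EP - Computers with malware detected'

# Re-evaluate membership hourly so newly reported infections pick up the deployment
# without waiting for a manual update.
$schedule = New-CMSchedule -RecurInterval Hours -RecurCount 1
New-CMDeviceCollection -Name $collName -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic -RefreshSchedule $schedule
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collName `
    -RuleName 'Infected per Endpoint Protection' -QueryExpression $wql

# Make the rebuild available to members of that collection.
Start-CMTaskSequenceDeployment -TaskSequenceName 'Wipe and load' -CollectionName $collName
```

Make the deployment available rather than required unless you are certain a detection should always trigger a rebuild: the rule fires on any infection record, and a required wipe-and-load on a false positive destroys a working machine.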