You are on page 1of 92

Forefront Endpoint Protection 2010, the next version of Forefront Client Security, enables businesses to simplify and improve

endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2, allowing customers to use their existing client management infrastructure to deploy and maintain endpoint protection.

Microsoft Forefront Endpoint Protection 2010 Evaluation Guide

2010 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, Forefront, Windows, Windows Server, all Forefront products, and Active Directory Rights Management Services are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This reviewers guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Other product and company names herein may be trademarks of their respective owners. Microsoft Corp. One Microsoft Way Redmond, WA 98052-6399 USA

Forefront Endpoint Protection 2010 Evaluation Guide

This guide is designed to walk you through an end-to-end evaluation of Microsoft Forefront Endpoint Protection 2010, based on task-driven scenarios that you would commonly find in your daily production use. Step-by-step instructions will give you a sense of product features, capabilities, usage, and end-user benefits in order to help your pre-purchase assessment.

TABLE OF CONTENTS

Table of Contents .................................................................................................................................. 4 Introduction ........................................................................................................................................... 6 Using This Guide 6 Chapter 1: Overview ............................................................................................................................. 7 What Is Forefront Endpoint Protection 2010? 7 The Convergence of Desktop Security and Management 7 Reduce Ownership Costs 7 Improved Protection 7 Increased Efficiency 8 Whats New in Forefront Endpoint Protection 2010 9 Common Usage Scenarios for Forefront Endpoint Protection 2010 11 Ease of Deployment 11 Enhanced Protection 12 Simplified Management 13 Getting Started 14 Summary 15 Chapter 2: Ease of Deployment and Simplified Management ........................................................ 17 Exercise 1: Deploying Forefront Endpoint Protection 2010 18 Exercise 2: Using Configuration Manager to deploy FEP clients 21 Exercise 3: Operations 27 Exercise 3.1 Operational status: Dashboard overview 28 Exercise 3.2: Policy management 29 Exercise 3.3: Policy customization 32 Exercise 3.4: Policy assignment 39 Exercise 3.5: Using Group Policy for FEP 40 Exercise 3.6: Signature updates 44 Summary 50 Chapter 3: Comprehensive Protection ............................................................................................. 52 Exercise 4: Detecting and cleaning malware impact scanning 53 Exercise 5: On-demand, scheduled and real-time scanning 56 Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning 57 Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning 60 Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning 60 Summary 62 Chapter 4: Simplified ManagementReporting and Alerting ........................................................ 63 Exercise 6: Forefront Endpoint Protection 2010 reports 63 Exercise 7: Forefront Endpoint Protection 2010 alerts 66 Exercise 7.1: Sending a Malware Outbreak alert 66 Exercise 7.2: Sending a Malware Detection alert 68 Exercise 7.3: Sending a Repeated Malware Detection alert 70 Exercise 7.4: Sending a Multiple Malware Detection alert 72 Exercise 7.5: Setting the alert level 74 Summary 75

APPENDIX: System Requirements and Prerequisites .................................................................... 76 Hardware Requirements 76 Pre-configured Virtual Environment System Requirements 76 Forefront Endpoint Protection 2010 System Requirements 76 Forefront Endpoint Protection 2010 Client 77 Software Prerequisites for Forefront Endpoint Protection Deployment 77 Exercise 8: Deploying SQL Server 78 Deploying Configuration Manager 2007 R2 80 Forefront Endpoint Protection Security Management Pack: Enabling Real-Time Monitoring with System Center Operations Manager 2007 R2 .................................................................................. 81 Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010 83 Exercise 10: Generating alerts and notifications 86 Exercise 11: Performing task remediation 89 Resources ............................................................................................................................................ 92

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 5

INTRODUCTION

Forefront Endpoint Protection 2010 (FEP), the next version of Forefront Client Security, enables businesses to simplify and improve endpoint protection while greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2007 R2 and R3, and allows customers to use their existing client management infrastructure to deploy and maintain endpoint protection. .

Microsoft Forefront Endpoint Protection 2010 Overview


Simplify Integrate Protect Creates a single administrative experience for managing and securing endpoints Improves visibility to help administrators identify and remediate potentially vulnerable endpoints Lowers ownership costs by using a single infrastructure for endpoint management and security Deploys effortlessly to hundreds of thousands of endpoints using existing Configuration Manager agents Provides highly accurate detection of known and unknown threats Manages Windows Firewall configurations to actively protect against network-level attacks

Using This Guide This guide highlights important features of FEP and is designed to simplify your review process.
Chapter 1 provides an overview of FEP and outlines its new features, benefits, and common usage scenarios. Chapter 2 covers FEP setup and configuration and signature updates, with installation and management using System Center. Chapter 3 covers the comprehensive antimalware detection and prevention capabilities of FEP, including results analysis. Chapter 4 covers reporting and alerting capabilities of FEP. The appendices provide steps to install System Center server components and other pre-requisites for FEP evaluation. They also explain how you can use Microsoft System Center Operations Manager to monitor FEP activities in real time using the Forefront Endpoint Protection Security Management Pack.

The labs throughout this guide provide evaluation and testing instructions and explain the design and use of various features.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 6

CHAPTER 1: OVERVIEW
Secure and Streamline the Windows Optimized Desktop
Forefront Endpoint Protection 2010 and Configuration Manager are part of the Windows Optimized Desktop, which is built on the Windows 7 Enterprise operating system. The Windows Optimized Desktop also deploys virtualization technologies with integrated management across physical and virtual machines, including Microsoft Virtual Desktop Infrastructure (VDI). Along with Microsoft Office 2010, Windows Internet Explorer 8. and the Microsoft Desktop Optimization Pack, FEP and Configuration Manager help create a more productive, manageable, and secure workforce environment.

What Is Forefront Endpoint Protection 2010?


Desktop management and security have traditionally existed as two separate disciplines, yet both play a central role in keeping users safe and productive. Forefront Endpoint Protection 2010 enables businesses to align client security and management to improve endpoint protection while greatly reducing operational costs. It provides protection from evolving malware threats and builds on Configuration Manager 2007 R2 and R3. This enables customers to use their existing client management infrastructure to deploy and manage endpoint protection. Reduce Ownership Costs With discrete infrastructures for management and security, companies need to purchase and maintain separate hardware and software, create and manage two sets of policies, and take two sets of actions when security incidents occur. Together, FEP and Configuration Manager 2007 deliver operational efficiencies not available with traditional management and security silos. You can use your existing Configuration Manager infrastructure to easily deploy FEP to provide: Simplified deployment of endpoint protection through a proven infrastructure that scales to hundreds of thousands of clients across a distributed environment Reduced infrastructure costs by using your existing Configuration Manager deployment for both endpoint protection and client management The Convergence of Desktop Security and Management

For more information on Windows Optimized Desktop, visit www.microsoft.com/windows/enter prise.

Improved Protection

Many desktop vulnerabilities are a result of poor system configuration, yet security administrators often lack easy access to inventory, patch level, and other desktop-specific data. Forefront Endpoint Protection 2010 and Configuration Manager 2007 give your organization industry-leading threat-detection capabilities to remediate endpoint security vulnerabilities. The FEP antimalware engine provides highly accurate and efficient threat detection and protects against the latest malware and rootkits with low false-positive rate. It also helps protect the clients against unknown or zero-day threats. The combination of these technologies in a single infrastructure offers a unique, consolidated view into the health and protection status of user systems. IT can better identify at-risk machines and take action to patch systems, block outbreaks, and initiate clean-up efforts. These technologies can also consolidate and simplify reporting on the complete desktop environment.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 7

Increased Efficiency

Forefront Endpoint Protection 2010 centralizes visibility into the management and security of endpoints, which can help you identify and remediate potentially vulnerable endpoints via: A single experience to manage clients and to create and configure endpoint protection policies Increased awareness of potentially vulnerable clients

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 8

Key New Features


Simplify
Single console

Whats New in Forefront Endpoint Protection 2010


Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems from viruses, spyware, rootkits, and other threats. Some of the key new capabilities in FEP include:

FEP is built on Configuration Manager


2007 R2. Configuration Manager provides a single interface for managing and securing endpoints, reducing complexity, and improving troubleshooting and reporting insights.

Forefront Endpoint Protection 2010


Feature
Single console

Central policy creation

Description

Administrators have a central location


for creating and applying all endpointrelated policies.

Improved visibility

With a shared view of endpoint


protection and configuration, administrators can more easily identify and remediate vulnerable computers.

Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 or R3, which enables you to use your existing and client-management infrastructure. You can deploy and manage infrastructure for endpoint protection through a single interface of Configuration desktop Manager, which enables you to manage and secure endpoints management and without the need for additional servers to support FEP. This integration is based on: protection

o o

Centralized deployment: Central package installation on client machines. Policy Management: Endpoint security policies can be defined centrally through the management console. Predefined templates for productivity and security defaults make it simpler to define policies based on best practices. It helps reduce complexity and improve troubleshooting and reporting insights, and can save time and effort. Customized alerts: Forefront Endpoint Protection generates alerts when it detects malwarealerts are based on the severity of the malware. Alerts can also be customized for specific types of malware detection. Reporting: View the overall status of security threats, actions needed, and the overall health status of client machines.

Integrate
Single infrastructure

FEP uses Configuration Manager


infrastructure to deploy and manage endpoint protection. Eliminates the expense of purchasing and maintaining an independent security infrastructure.

Enterprise scalability

Using the Configuration Manager


infrastructure, FEP clients and policies can be efficiently deployed to hundreds of thousands of users.

Enterprise scalability

Protect
Highly accurate detection

Forefront Endpoint Protection 2010 uses the Configuration Manager infrastructure to more efficiently deploy clients and policies. This enables enterprises to deploy and manage endpoint protection clients on a very large scale. The new antimalware engine protects against the latest malware and rootkits with a low rate of false positives. The engine also helps keep employees productive with scanning that has low impact on performance. It enables the administrators to limit processor usage during scans and uses new improvements in the engine like advanced caching to provide high-quality security with optimized performance.

FEP helps protect against the latest


malware and rootkits with lower false positives. Includes protection against network vulnerability exploits.

More accurate and efficient threat detection

Behavior monitoring

FEP detects system behavior and file


reputation data to identify unknown threats.

Efficient scanning

FEP keeps employees productive with


low performance impact scanning.

Client firewall management

FEP helps administrators centrally


manage Windows Firewall protections across the enterprise.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 9

Forefront Endpoint Protection 2010


Feature
Behavioral threat detection

Description
Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block attacks on client systems from previously unknown threats. Detection methods include behavior monitoring, emulation, and Dynamic Translation. Behavior monitoring identifies new threats and tracks behavior of unknown processes or known processes gone bad. Any behavior monitoring detection triggers a request to a cloud-based Dynamic Signature Service that can deliver protection in near-real time for new threats that are not in the signature set on the endpoint. Forefront Endpoint Protection 2010 provides protection against network-level exploits and intrusions by inspecting inbound and outbound network traffic. Based on the Microsoft Network Inspection System, it balances protection with performance by only enabling signatures for the unpatched vulnerabilities. Forefront Endpoint Protection 2010 ensures that Windows Firewall is active and working properly to protect against network-layer threats. It also enables you to more easily manage these protections across the enterprise from the FEP console. Forefront Endpoint Protection 2010 provides multiple options to receive signature and engine updates. Organizations can use their existing Windows Server Update Services (WSUS) infrastructure to receive FEP updates. Administrators can also configure a client to connect to Microsoft Update or use a file share to download the latest definition updates. Forefront Endpoint Protection 2010 automatically alerts you if it detects viruses, spyware, or other potentially unwanted software. It also provides the level of alert for a detected item:

Network Vulnerability Shielding

Windows Firewall Management

Signature updates

Customized alerts based on incidents and assets

Severe or high-level alerts: Forefront Endpoint Protection alerts you to a threat and then always recommends that you remove the program(s). Medium-level alerts: Review the alert details (click the Show details link) to see why FEP detected the item. If you dislike what the software does or if it comes from an unknown or untrusted publisher, consider blocking or removing the software. Low-level alerts: This type of alert typically occurs when a program is installed and FEP is unsure about the authenticity of the program. To allow the software, review the alert details or check to see if you recognize and trust the software publisher.

You can also customize alerts and set FEP to alert you if you run software that has not yet been analyzed. You can also set alerts to notify you if software makes or tries to make some changes to your computer. Detailed reports Forefront Endpoint Protection 2010 uses the same reporting infrastructure as Configuration Manager and provides easy-to-use reports out of the box that provide deep insight into enterprisewide client security activities.

The FEP Security Management Pack enables you to monitor the security of server operating systems or critical assets in real time Manager 2007 R2 using existing Operations Manager infrastructure. Integration with Operations

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 10

Common Usage Scenarios for Forefront Endpoint Protection 2010


Ease of Deployment Endpoint protection that operates separately from existing endpoint management systems often requires many resources and has high maintenance costs.

Forefront Endpoint Protection 2010 uses Configuration Manager 2007 to centralize deployment of security software and policies to multiple endpoints. You can deploy FEP Server on a Configuration Manager standalone (single) site or to a hierarchical site environment. In a hierarchical Configuration Manager deployment there is a parent site that has one or more sites (child sites) attached to it in the hierarchy. Configuration Manager 2007 sites define the scope of administrative control. The administrative control requirements will determine where FEP should be installed:

For centralized policy creation and control, install FEP on the central site For decentralized policy creation and control, install FEP on the child sites

Configuration Manager distribution is used to centrally manage and monitor the deployment of FEP to client computers in your existing infrastructure. With this method, you can control which Configuration Manager collections the client is deployed to, and use the provided reports to determine deployment status or drilldown to information about computers on which the client failed to deploy and why Organizations can use their existing WSUS infrastructure to receive the signature and antimalware engine updates. Additionally, administrators can define network file shares or Internet-based Microsoft Update to provide the latest signature updates to the clients.

In the related section of this common usage scenario, you will evaluate the process of centralized client deployment through Configuration Manager 2007. This scenario provides step-by step instructions to distribute and advertise the software to existing or new endpoints.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 11

Enhanced Protection

Exposure to fast-evolving security threats requires businesses to frequently test patches and updates before they release them to users. Viruses, rootkits, spyware, malware, and directed attacks can arise from inside and outside an organizations network. Some threats breach tight security on the corporate network, and some enter via removable devices. Forefront Endpoint Protection 2010 detects known and unknown threats with a high degree of accuracy and actively protects against network-level exploits. Administrators can enable real-time protection against the evolving threats by defining endpoint protection policies.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 12

Simplified Management

In combination with Configuration Manager 2007, FEP provides a central location for you to create and apply malware protection policies on endpoints. This policy mechanism allows you to centrally control and manage malware-scanning properties, and it provides configurable protection on client computers such as: Scheduled scans Threat-handling settings Real-time protection Exclusion of files, folders, file types, and processes from scans Scans of removable drives and devices Overrides of recommended actions against threats

You can enable updates based on behavior monitoring through the cloud-based Dynamic Signature Service This approach can make policy management a more efficient process that can save organizations time and resources. In the related section in this guide for this common usage scenario, you will evaluate the process of policy creation and centralized deployment on multiple endpoints.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 13

Getting Started
The step-by-step instructions in the following sections show you how to distribute FEP to client computers, create and manage policies, configure FEP alerts, monitor FEP status, look at FEP reporting, and force a quick scan on specific computers. To evaluate FEP, you can either use an FEP Pre-configured Virtual Environment on downloadable virtual machines pre-configured for evaluation or FEP evaluation software that you can deploy in your own environment.

Forefront Endpoint Protection 2010 Evaluation Options


Using the pre-configured virtual environment (Business Ready Security demonstration environment): These Hyper-V-based virtual machines are preconfigured for an easy evaluation of FEP. If you are using the downloadable preconfigured virtual environment (Hyper-V), the FEP environment is already established on the server and client machines. Start with the section: Forefront Endpoint Protection 2010 Evaluation Scenarios for Configuring, Deploying and Using FEP 2010. To deploy the virtual evaluation environment, which is built on virtual hard drives, you will need at least one Windows Server 2008 R2 Standard system with Hyper-V enabled. Note: Before you deploy the virtual environment lab or the evaluation software, in Appendix A please refer to the System Requirements section and ensure that the server and client machines in your environment meet all requirements. Pre-Configured Virtual Environment for FEP Evaluation Link: You can download the pre-configured virtual environment at: http://go.microsoft.com/fwlink/?LinkId=190269 Access the pre-configured virtual environment for evaluation: Before you can do the lab exercises, you must log on to the virtual machines. The user name and password are the same for all virtual machines: User name: WoodgroveBank\Administrator Password: password

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 14

This guide uses the pre-configured virtual environment to provide step-by-step guidance on common security tasks. The environment is pre-configured with the following virtual machines:

Using FEP evaluation software: If you choose to set up your own environment to evaluate FEP, you first need to set up the server and client machines. The prerequisite installations for this setup include: SQL Server 2005 SP2 or 2008 Configuration Manager 2007 R2 / R3 Forefront Endpoint Protection 2010

For detailed installation steps and system requirements, refer to Appendix A. You can download FEP evaluation software at: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx After you install the software, go to the evaluation scenarios.

Summary
This chapter showed how customers use their existing client management infrastructure to deploy and manage FEP. It discussed the benefits and features of FEP and the reasons why organizations should make it a part of their infrastructure. It also gave an overview of the three common usage scenarios, which the subsequent sections of the guide cover in greater detail. You can find an overview of the three evaluation scenarios in these sections: Common Usage Scenarios for FEP 2010: Describes the common usage scenarios for using FEP Getting Started with the evaluation scenarios: This helps users evaluate FEP

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 15

Chapter 2 provides more information about the ease of deployment and simplified management and covers the following topics: Deploying Forefront Endpoint Protection 2010: Step-by-step installation of FEP. Using Configuration Manager to Deploy FEP Clients: Step-by-step process to distribute and advertise the software to existing or new endpoints. Dashboard Reporting using Forefront Endpoint Protection 2010: The dashboard summarizes the overall health status of clients and provides detailed reports for particular computers. Policy Management using Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage such as: policy customization, policy assignment, group policy configuration, the scan schedule, the location and frequency of definition updates, and scan exclusions Performing Signature Updates on Forefront Endpoint Protection 2010 clients: Provide the latest updates to all endpoints from a central console and keep them protected from new threats.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 16

CHAPTER 2: EASE OF DEPLOYMENT AND SIMPLIFIED MANAGEMENT

Forefront Endpoint Protection 2010 and Configuration Manager together provide the enterprise scalability to efficiently deploy enhanced security within large organizations. Forefront Endpoint Protection 2010 Installation: consists of downloading the package, verifying prerequisites, installing the FEP server, and validating that the success of the installation. Deploy FEP: distribute the client and policies using Configuration Manager to multiple endpoints. Operationalized Security: centralized operations management through Configuration Manager across multiple client machines: o

Deployment and Management Benefits


Simple installation process Installs on root site, deploys to hierarchy Automatically creates additional components (FEP distribution packages, DCM baselines) Creates new reporting database

Converged System Management Simple Centralized Policy

Use existing infrastructure No new servers Integrated console Supports Configuration Manager 2007 SP2/R2 and later

Dashboard Monitoring: summarizes the overall health status of machines and provides detailed reports for particular computers. o Policy Creation: create, configure, and assign FEP policies to endpoints. o Signature Updates: enables administrators to provide latest updates to all endpoints centrally and thus keep them protected against new threats In this chapter, you will evaluate the installation of FEP, FEP centralized client deployment using Configuration Manager 2007, and operations. This chapter will cover the following exercises:

Exercise
1. Deploying FEP 2. Using Configuration Manager to deploy FEP clients 3. Operations 3.1. Operational status: Dashboard overview 3.2. Policy management 3.3. Policy customization 3.4. Policy assignment 3.5. Using Group Policy for FEP 3.6. Signature updates

Illustrates
Step-by-step installation of FEP Centralized deployment of FEP from server to client machines. Description of the operations that can be performed with FEP Contents of Dashboard of Configuration Manager 2007 Step-by-step creation of FEP policies Advanced protection methods to customize policies and change granular settings Assign FEP policies to a Configuration Manager collection Configure clients with FEP Group Policy objects, pre-configured policy templates, and the FEP Group Policy Tool Methods to provide signature updates to endpoints.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 17

NOTE: This lab requires a server installed with Configuration Manager 2007 and SQL Server 2008. For system requirements and prerequisite installation details, you can refer to the following sections of the Appendix: APPENDIX: System Requirements and Prerequisites Deploying SQL Server Deploying System Center Configuration Manager 2007 R2 Deploying Windows Installer version 3.1 Deploying WFP Rollup Package

If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment S.No. 1 2 3 4


Machine Name Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo) Roles DC CA AD FS, WSUS FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

If you chose to use the pre-configured virtual environment to evaluate FEP, please skip to Using Configuration Manager to Deploy FEP Clients

Exercise 1: Deploying Forefront Endpoint Protection 2010


To install FEP, you need to download FEP, verify prerequisites, which include SQL Server 2008 and Configuration Manager 2007, install the FEP server, and validate the success of the installation. This section describes how to install FEP. After you set up and install the pre-requisites, you can install FEP on the Configuration Manager server.
Figure 1.1 Welcome screen.

1. 2.

Go to the location where you extracted the FEP server source files, and then double-click serversetup.exe to open the FEP server setup wizard. Enter your Name and Organization.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 18

3.

After accepting the license agreement, select one of four installation options: Basic topology: Install all infrastructures on a single server. Basic topology with remote reporting database: Install all FEP components except the remote reporting database. This option allows you to specify a different SQL Server for the FEP reporting database Advanced topology: Customized option that lets you define the following FEP components to install in a distributed environment: o o o Configuration Manager Site Server FEP Extension FEP Reporting and Alerts Configuration Manager Console Extension for FEP

Figure 1.2 Deployment options.

Configuration Manager Console FEP 2010 Extension Only: Install FEP as an extension for the Configuration Manager console.

Based on the install options you choose, the prompts and content you see in the setup wizard may vary from the next steps described here. The remaining steps assume that you used the Advanced topology option was used and selected the capabilities for Site Server, FEP Reporting and Alerts, and Configuration Manager Console Extension for FEP (See Figure 1.3). Extension of FEP for System Center: Integrating FEP with Configuration Manager occurs at multiple levels: the software distribution procedures and analysis, and security configuration through components. These extensions allow the creation of collections, packages for distribution processes, and the creation of objects and baselines used in the desired configuration. Forefront Endpoint Protection 2010 Reporting and Alerts: Allows component installation on local machines for monitoring FEP. Configuration Manager Console extension for FEP: Installation of the FEP console in Configuration Manager for centralized management.

Figure 1.3 Advanced topology.

4.

The wizard provides information to configure the FEP database, including Configuration Manager database computer, database instance, and Forefront Endpoint Protection 2010 database name (See Figure 1.4). If you chose to build your own test environment, enter the information to reference your SQL Server installation.

Figure 1.4 Database configuration.

5.

Next, the wizard configures FEP to use Microsoft Update for automatic updates for Windows and other Microsoft products, including FEP (See Figure 1.5). If you select Join the customer experience program, Microsoft will collect information about the system hardware and FEP usage, to enable further improvements.

Figure 1.5 Update and customer experience.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 19

6.

If you choose to join the Microsoft SpyNet community, you can automatically send and share information about detected software. This information helps Microsoft create new definitions for improved protection, which can help your software better detect and notify you of potential malware. Basic Membership enables the Dynamic Signature Service to provide updates based on behavior monitoring without waiting for the regular signature update process (See Figure 1.6).

Figure 1.6 SpyNet policy configuration.

7.

The Installation Location page allows you to specify the path and folder locations for Forefront files and data files. You can also use the Browse button to change the storage location of product files. This dialog also specifies disk space requirements (See Figure 1.7).

Figure 1.7 Installation location.

8.

The final screen prior to setup is a pre-requisite check. The installer will verify that each of the pre-requisites listed in step 1 have been met. If a pre-requisite check fails, the installer will provide an explanation and remediation steps. Only when all pre-requisites have been met will setup continue (See Figure 1.8).

Figure 1.8 Prerequisites verification.

After you have met all the prerequisites to install FEP, the wizard displays a summary of wizard selections to configure, including general settings, updates, and FEP site extension (See Figure 1.9).

Figure 1.9 Setup summary.

9.

The FEP installation will configure antimalware support on the server automatically. You can use the configuration snap-in added to the Configuration Manager console to manage and monitor FEP.

Figure 1.10 Installation complete.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 20

Exercise 2: Using Configuration Manager to deploy FEP clients


Software deployment in a large network is generally a tedious process that requires a great deal of administrators time and resources. Installing the software on individual client computers reduces productivity and increases the need for remote and centralized deployment. Using different infrastructures for security management and deployment makes the task more complex. In this exercise, you will perform centralized deployment of FEP from a single server to selected endpoints (client machines). This section provides a step-by-step process to distribute and advertise the software to an existing or new collection of endpoints using the same process that is used in Configuration Manager. If you are evaluating with the pre-configured virtual environment, you will need the following virtual machines:

NOTE: Appendix A contains the System Requirements for Client computers.

Key Deployment Benefits


Deploys effortlessly to multiple endpoints using existing Configuration Manager agents

Lab Environment S.No. 1 2 3 4


Machine Name Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo) Roles DC FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

The following step-by-step instructions use the pre-configured virtual environment and are configured on the virtual machine called Fargo (Server 2 in the table above). To examine the integration between FEP Server and Configuration Manager: 1.
Figure 2.1 Start menu.

On the Start menu, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console to open the Configuration Manager 2007 SP1 R2 console.

2.

In the Configuration Manager Console, expand Site Database, expand Computer Management, and then expand Forefront Endpoint Protection. The Forefront Endpoint Protection 2010 node contains subnodes for Policies, Alerts, and Reports. Notice that FEP Server integrates with the Configuration Manager console to manage FEP client policies, alerts, and reporting.

Figure 2.2 Configuration Manager console.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 21

3.

Under Computer Management, expand Collections, and then expand Forefront Endpoint Protection 2010 collections. Note that FEP Server maintains several collections of client computers.

Figure 2.3 Collections.

To use the Software Distribution wizard to deploy FEP client software 1. In the Configuration Management console, in the left pane, under Collections, select All Systems. Server and client computers are listed in this collection.

Figure 2.4 All systems.

2.

In the middle pane, right-click a client to deploy, click Distribute, and then click Software to open the Distribute Software to Resource wizard. Note: Instead of deploying the FEP client software to a single computer, you can also distribute FEP to all computers in a particular collection at once.

Figure 2.5 Distribute software.

3.

On the Welcome page, click Next.

Figure 2.6 Welcome page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 22

4.

On the Package page, ensure that Select an existing package is selected, and then click Browse. This page also provides options to Create a new package from a definition file and to Create a new package and program without a definition file, which can be used to create new packages.

Figure 2.7 Package page.

5.

In the Select a Package dialog box, select the Microsoft Corporation Forefront Endpoint Protection 2010 - Deployment 1.0 package, and then click OK.

Figure 2.8 Select a Package dialog box.

6.

On the Package page, click Next.

Figure 2.9 Package page.

7.

On the Distribution Points page, select your default distribution point (Fargo, if you are using the virtual environment) and then click Next. On this page, you can select distribution points based on where the clients will access the package. If the package was previously distributed, some distribution points will already be selected. If you cancel the selection of a distribution point, the package will be deleted from it.

Figure 2.10 Distribution Points page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 23

8.

On the Select Program page, select Install, and then click Next. Note: You can also use the software distribution package to uninstall FEP clients.

Figure 2.11 Select Program page.

9.

On the Advertisement Target page, select Advertise this program to an existing collection that contains this resource, and then click Next. Note: This page also provides you the option to Advertise this program to an existing collection that contains this resource and then select the collection to send the advertisement.

Figure 2.12 Advertisement Target page.

10. On the Advertisement Name page, in the Name box, type FEP Deployment Install to All Systems. The name of the new advertisement will start with Forefront FEP Deployment Install to All Systems.

Figure 2.13 Advertisement Name page.

11. On the Advertisement Subcollection page, select Advertise the program to members of the collection and its subcollections, and then click Next. Note: This page also provides you the option to Advertise the program only to members of the specified collection.

Figure 2.14 Advertisement Subcollection page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 24

12. On the Advertisement Schedule page, click Next.

Figure 2.15 Advertisement Schedule page.

13. On the Assign Program page, select Yes, assign the program, select Ignore maintenance windows, and then click Next.

Figure 2.16 Assign Program page.

14. On the Summary page, click Next.

Figure 2.17 Summary page.

15. On the Wizard Completed page, click Close.

Figure 2.18 Wizard Completed page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 25

To examine the FEP deployment 1. In the Configuration Manager Console, in the left pane, expand System Status, expand Advertisement Status, and then select the Forefront Endpoint Protection 2010 - Deployment advertisement. In the middle pane, notice that the related program from this advertisement has successfully started.

Figure 2.19 Deployment status.

2.

In the left pane, under Computer Management, select Forefront Endpoint Protection.

3.

In the Actions page, click Update Forefront Endpoint Protection 2010 Collections membership.

Figure 2.20 Actions page.

4.

Click OK to confirm that you want to update the membership of the FEP collections. In the middle pane, notice that FEP is now deployed on the client machines.

Figure 2.21 Update FEP Collections membership.

5.

After the distribution is successfully completed, FEP client will be installed on the endpoint. The time needed for successful deployment depends on the Configuration Manager client setting. After successful installation, you can see the FEP icon ( ) in the task bar. Note: When you install the FEP client package, it will automatically uninstall existing antimalware clients, including: Forefront Client Security version 1, including the Operations Manager agent Symantec Endpoint Protection version 11 TrendMicro OfficeScan version 8.0 and version 10.0 McAfee VirusScan Enterprise version 8.5 and version 8.7 Symantec Endpoint Protection Small Business Edition version 12 Symantec Corporate Edition version 10

Figure 2.22 FEP icon.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 26

Exercise 3: Operations
This exercise will help you evaluate ease of operations while managing endpoint security with FEP. Operations include viewing client health status on the Dashboard, centralized policy creation, and configuration of signature updates for multiple clients. This exercise covers the following sub-exercises:

Exercise
3.1. Operational status: Dashboard overview 3.2. Policy management

Illustrates
Contents of Dashboard of Configuration Manager 2007

Step-by-step creation of FEP policy Once the policy is created from the template, FEP offers flexibility to customize it further. Administrators can open the properties of the policy and customize the policyshow an example, for e.g. Administrators can define CPU threshold for scans(highlight it, its anew feature) and many other granular settings Assign the FEP policy to a Configuration Manager collection Configure clients by using Forefront Endpoint Protection GPOs, pre-configured policy templates, and the Forefront Endpoint Protection Group Policy Tool Methods to provide signature updates to endpoints.

3.3. Policy customization

3.4. Policy assignment 3.5. Using Group Policy for FEP 3.6. Signature updates

If you are using the pre-configured virtual environment to evaluate FEP, you will need the following virtual machines: Lab Environment
S.No.
1 2 3 4

Machine Name
Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo)

Roles
DC CA AD FS, , WSUS FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the server machine named Fargo (Server 2) and the FEP Client machine named Cairo (Client 2).

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 27

Exercise 3.1 Operational status: Dashboard overview The Dashboard summarizes the overall health status of clients and provides detailed reports for specific clients. To open the Dashboard, in the Configuration Manager Console under Computer Management, click Forefront Endpoint Protection 2010.

The Dashboard has several sections and sub-sections: Operational Statistics: These are statistics based on the operations performed by FEP on the system and they consist of: o Client Deployment Status: An account of the number of clients targeted and not targeted by FEP and the number of successful, pending, or failed deployments. The graph shown represents these statistics. o Malware Activity Status: The status of malware activity on the clients scanned and any required action to be taken. Active Malware indicates the presence of malware content in the client machines indicated by the numbered link. Restart required shows that the client machines indicated by the numbered link need to be restarted. Full scan required indicates the client machines that need a full system scan. Malware cleaned (Last 24 hours) shows all the malware removed from client machines in the past 24 hours. o Definition Status: Information about definition updates on client machines. The definition update information is categorized as: Older than 1 week Up to 7 days old Up to 3 days old Up to date o Policy Distribution Status: The distribution status of the FEP policy deployed to clients in terms of: Distribution failed Distribution in progress Policy Distributed o Forefront Endpoint Protection Baselines: These include the following baselines: FEP Standard Desktop FEP High- Security FEP Optimized Desktop FEP Laptop o Links and Resources: Links to reports, policy management, alert configuration, and resources for more information.

Figure 3.1 Configuration Manager Console.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 28

Exercise 3.2: Policy management Forefront Endpoint Protection 2010 policy settings define the configuration options of the FEP client and the desktop firewall that you can manage such as, the scan schedule, the location and frequency of definition updates, and scan exclusions. Forefront Endpoint Protection 2010 policy settings that you specify are contained in an FEP policy object. Policies only affect FEP clients after you assign them to a Configuration Manager collection. This section describes how to create a new FEP policy. To create a new FEP policy 1. On the server, in the Configuration Manager console, in the left pane, under Computer Management, expand Forefront Endpoint Policies, and then select Policies. Note: Forefront Endpoint Protection 2010 policy settings define various configuration options of the FEP client that an administrator can manage. You can associate an FEP policy with multiple collections, and you can associate multiple policies with a single collection. Policies are applied in order of precedence.
Figure 3.2 FEP Policies page.

2.

In the Actions pane, click New Policy to open the New Policy wizard.

Figure 3.3 New Policy wizard.

3.

On the General page, in the Policy name box, type Forefront Endpoint Protection 2010 Desktop policy, and then click Next.

Figure 3.4 General page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 29

4.

On the Policy Type page, select High Security policy, and then click Next. Note: You can choose other templates based on client requirements. For example, the High-security policy enables maximum security settings for antimalware and desktop firewall, and the Performance-optimized policy maximizes performance and enables baseline protections. You can also choose to load one of 16 pre-configured templates that provide optimized security settings based on the server role.

Figure 3.5 Policy Type page.

5.

On the Scheduled Scans page, under Weekly scan, in the Day box select Sunday, in the Hour box select 3:00 AM, and then click Next.

Figure 3.6 Schedule Scans page.

6.

On the Scan Exclusions page, click Next.

Figure 3.7 Scan Exclusions page.

7.

On the Updates page, click Next. This page provides options for you to select locations from which clients can receive definition updates. By default, the selected options are: Enable updates from Configuration Manager or WSUS Enable updates from Microsoft Update

This page also allows you to enable updates from specified file locations. Note that FEP clients can obtain antimalware signature updates from four sources (in order): Configuration Manager, WSUS, Microsoft Update Web site, and UNC file share.

Figure 3.8 Updates page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 30

8.

On the Client Configuration Options page, select Real-time protection, and then click Next. With this setting, users can configure the scheduled scan time and can choose to receive notification when malware is detected.

Figure 3.9 Client Configuration Options page.

9.

On the Summary page, click Next.

Figure 3.10 Summary page.

10. On the Wizard Completed page, click Close.

Figure 3.11 Wizard Completed page.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 31

Exercise 3.3: Policy customization After you create the policy from the template, FEP offers flexibility to customize it. Administrators can open the properties of the policy and customize the policy and many other settings. Defining CPU Usage for Scans Administrators can limit the processor usage during the scans to different percentages. 1. 2. Open the FEP Console and click Policies. Select the newly created policy, right-click the policy, and select Properties.

Figure 3.12 Policy > Properties.

3.

Click the Antimalware tab and select Limit processor usage during scans to the following percentage to define the percentage of processor usage (see Figure 3.13). Users on endpoint computers can configure CPU usage limits for scans.

Figure 3.13 Limit processor usage.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 32

Exporting a Policy Administrators have the option to export policies that can be used to create a backup or to use it for clients that are not managed by Configuration Manager. 1. 2. Open the FEP Console and click Policies. Select your policy, right-click the policy, and then click Export Policy.

Figure 3.14 Export policy.

3.

Save the policy XML file to the desired location on the system

Figure 3.15 Save the policy XML.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 33

Policy Precedence Policies that have a higher precedence override settings that are defined in policies lower in the precedence order. It allows users to select any policy and adjust its precedence order. Multiple policies can be applied to the same machine, but the policy with the highest precedence takes priority. 1. 2. Open the FEP Console and click Policies. Select your Policy and in the Actions pane click Policy Precedence.

Figure 3.16 Policy precedence.

3. 4.

Define the precedence for the policies by moving the policies up and down using the buttons available. When you are finished, click OK.

Figure 3.17 Edit policy precedence.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 34

Advanced Protection Methods Dynamic Signature Service (Microsoft SpyNet) Microsoft SpyNet service enables users to join an online community that helps them choose how to respond to potential threats and helps stop the spread of new infections. Users can choose to send basic or advanced information about detected software. Additional information helps Microsoft create new definitions to better protect users machines. This service is also used to provide dynamic updates to the endpoints based on behavior-monitoring detections. 1. Click Start, click All programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.

Figure 3.18 Click ConfigMgr Console.

2.

In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.

Figure 3.19 Computer Management > FEP > Policies.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 35

3. 4.

Double-click Default FEP policy. Click the Antimalware tab and in the list on the left side of the dialog box, select Microsoft SpyNet.

Figure 3.20 Property Dialog Box > Antimalware > Microsoft SpyNet.

5.

Select Join Microsoft SpyNet, and then select either Basic membership or Advanced membership. The screenshot in this example shows the Basic membership selected. Select Allow users on endpoint computers to change SpyNet settings. Click Apply and then click OK.

6. 7.

Firewall Management
Figure 3.21 Join Microsoft SpyNet.

You can centrally enable Windows Firewall on client machines to protect them. Windows Firewall protects client machines from dangerous attacks and helps prevent resource theft and misuse. 1. Click Start, click All programs, click Microsoft System Center, click Configuration Manager 2007, and then click ConfigMgr Console.

Figure 3.22: Click ConfigMgr Console.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 36

2.

In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies. In the middle pane, you can see two new default policies: Default Server Policy and Default Desktop Policy

Figure 3.23 FEP > Policies > Default Server Policy.

3. 4.

Double-click Default Server policy to open the Default Forefront Endpoint Protection Policy Properties dialog box. Click the Windows Firewall tab.

Figure 3.24 Windows Firewall tab.

5.

Select Enable Host Firewall protection. You can configure Windows Firewall settings for: Domain Networks - Domain network settings are the settings for workplace networks that are attached to a domain. Private Networks - Private network settings are the settings for the networks at home or work where the user knows and trusts the people and devices on the network. Public Networks - Public network settings are the settings for networks in public places such as airports and coffee shops Firewall state (On/Off) On is recommended Incoming Connections (Block Default /Allow/ Block all) Block Default is recommended Notification Display (Yes/No)

For any of these network types, you can adjust settings and preferences for:
Figure 3.25 Enable Host Firewall Protection.

Block All blocks all unsolicited attempts to connect to your machine. Use this setting when you need maximum protection, such as when you connect to a public network, or when a computer worm is spreading over the Internet. With this setting, Windows Firewall does not notify you if it blocks programs, and it ignores programs in the list of allowed programs. You can still view most webpages, send and receive email, and send and receive instant messages. Block Default blocks the connections defined by policies applied in the organization. Everything else will pass through Windows Firewall.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 37

Restore Point System Restore is a component of the Windows operating system that allows you to roll back system files, registry keys, and installed programs, to a previous state in the event of system malfunction or failure. A restore point is a saved snapshot of a machine's data at a specific time. By creating a restore point, you can save the state of the operating system and your own data so that if future changes cause a problem, you can restore the system and your data to its state before the changes occurred.

1.

In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Policies.

Figure 3.26 Computer Management > FEP > Policies.

2. 3.

Double-click Default FEP policy to open the Default Forefront Endpoint Protection Policy Properties dialog box. Click the Antimalware tab and in the list on the left select Additional Settings.

Figure 3.27 Antimalware > Additional Settings.

4. 5.

Select Create a system restore point before cleaning computers. Click Apply and then click OK.

Figure 3.28 Create a Restore Point.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 38

Exercise 3.4: Policy assignment To assign FEP policies to clients, you first assign them to a Configuration Manager collection. You can assign a policy to more than one collection if needed and you can assign more than on policy to a collection. When an FEP client has more than one policy assigned to it, the FEP client applies the policy with the highest precedence. To assign a policy to a collection 1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Policies. Right-click the policy that you want to assign, and then click Assign Policy. Note: You cannot assign the Default Server Policy or the Default Desktop Policy.
Figure 3.29 Assign Policy.

2.

3. 4.

In the Add/Remove Collection dialog box, click Add. In the Browse Collection dialog box, select the collection to which you want to assign the policy, and then click OK. If you need to assign this policy to multiple collections, in the Add/Remove Collection dialog box, for each collection, click Add and repeat this step.

5.

In the Add/Remove Collection dialog box, click OK.

Figure 3.30 Adding Collection.

To monitor FEP policy deployment 1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and click Forefront Endpoint Protection 2010. View the Policy Distribution Status section of the Operational Statistics on the Forefront Endpoint Protection dashboard. You might need to refresh the page to get latest information. In the Links and Resources pane under Web Reports click Policy Distribution Overview for policy deployment information started at the collection level down to the computer level. Note: The FEP reports and FEP Dashboard statistics include only those machines running the FEP client software and the Configuration Manager agent.

2.

3.

Figure 3.31 Policy Distribution status.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 39

Exercise 3.5: Using Group Policy for FEP Users can configure FEP client settings by using Active Directory Group Policy and Group Policy objects (GPOs). The following procedures will show you how to configure clients by using FEP GPOs, pre-configured policy templates, and the FEP Group Policy Tool. Exercise 3.5.1: Converting FEP policies to Group Policy

You can convert policy settings contained in configured FEP policies to the format that is used by Group Policy. In order to convert policies, you must first download and install the FEP Group Policy Tool. This tool is available in the Microsoft Download Center as part of the FEP Group Policy Tools download package. The package also contains ADMX and ADML files. Although these files are not required to use the FEP Group Policy Tool, they are required in order to view or edit GPO policy settings. To extract and install the FEP Group Policy Tool 1. Obtain the Forefront Endpoint Protection Group Policy Tool from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=205492) and copy it to your machine. Double-click fep2010grouppolicytools.exe and extract the files from the package. The Forefront Endpoint Protection Group Policy Tools package includes the following files: fep2010.adml fep2010.admx fep2010gptool.exe

2.

Figure 3.32 Extract Group Policy Tool.

3.

Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 40

To convert FEP policy settings to Group Policy 1. Locate and double-click fep2010gptool.exe to open the FEP Group Policy Tool. 2. 3. 4.
Figure 3.33 FEP Group Policy Tool.

Select the Domain and the name of the Group Policy object in that domain that you want to populate with pre-configured FEP policy settings. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import to the Group Policy object. Select Clear existing Forefront Endpoint Protection settings, and then click OK to import the settings. You can then edit and view the policy settings by using gpedit.msc. Warning: Selecting Clear existing Forefront Endpoint Protection settings will remove all FEP settings contained in the selected Group Policy object and replace them with the imported FEP policy settings. Only select this item if you want to clear all of the existing FEP policy settings from the Group Policy object.

To add ADMX and ADML files locally in order to view or edit policy settings 1. 2. Navigate to the location where you extracted the ADMX and ADML files in the previous procedure. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.

Figure 3.34 Copying an ADMX file.

3.

Copy the ADML file to the %systemroot%\PolicyDefinitions\ language folder. For example, en-US. Note: You must restart the Group Policy Object Editor after performing the preceding steps.

Figure 3.35 Copying the ADML file.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 41

Exercise 3.5.2: Merging policies You can merge policy settings from one or more FEP policies into a single GPO. This is helpful when you have settings contained in multiple FEP policies and you would like to combine those policy settings and use Group Policy to configure clients. In order to merge FEP policies into a single GPO, you must use the FEP Group Policy Tool. Warning: When you merge multiple policies to a single GPO, the order in which you merge the policies will affect the outcome of the effective policy. For example, if you merge three policies that contain conflicting settings for a particular feature, the settings in the last policy that you merge will overwrite any conflicting settings that are already merged or contained in the GPO. To merge FEP policy settings to a GPO: 1. 2. 3. Double-click fep2010gptool.exe to open the FEP Group Policy Tool. Select the Domain and the name of the GPO in that domain that you want to populate with pre-configured FEP policy settings. Click Select Policy File. Locate and select the XML policy file that contains the settings that you want to import into the GPO. If this is the first policy that you are merging and there are no FEP policy settings that you want to retain that already exist in the selected GPO, select Clear existing Forefront Endpoint Protection settings. When you select this option, it clears all FEP policy settings in the target GPO. Clearing the previous policy settings ensures that only the FEP settings that are contained in this policy will be present in the target GPO settings.
Figure 3.36 Merging FEP policy settings.

However, if this is not the first policy that you have merged to the selected GPO and you want to retain existing previous settings contained in that GPO, verify that the check box is not selected. Selecting the check box will clear any previously configured FEP policy settings that are contained in that GPO. Click Apply to merge the policy settings to the GPO. Note: Merging policy settings by using the FEP Group Policy Tool does not affect the source FEP policy file. 4. To merge additional settings contained in FEP policies into the selected GPO, repeat the previous step.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 42

Exercise 3.5.3: Configuring and viewing policies You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object Editor. Each policy setting contains parameter information specific to the feature that you want to configure. Typically you will access the Group Policy Object Editor by selecting a Group Policy object (GPO) from within the Group Policy Management Console (GPMC), and then selecting the edit action for that object. To view FEP Group Policy settings 1. Open the Group Policy Object Editor and go to Local Computer Policy\Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010. Expand Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to view. For more information about each policy setting, in the right pane, double-click the setting that you want to view to open the configuration dialog box and view the additional policy setting information.

2.

To edit FEP GPO settings 1. Open Group Policy Management. 2. 3. In the console tree, double-click Group Policy Objects in the forest and domain containing the GPO that you want to edit. Right-click the GPO, and then click Edit. Note: You must have edit permissions for the GPO that you want to edit. 4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010 and click the folder that contains the settings that you want to configure. In the right pane, double-click the setting that you want to configure in order to open the configuration dialog box. Configure the settings that you want to deploy to clients, and then click OK. Deploy the policy settings to clients.

5. 6.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 43

Exercise 3.6: Signature updates The Updates section allows you to configure how the FEP clients check for definition updates. This enables you to provide the latest updates to all endpoints centrally and protected them from new threats. Note: If you are evaluating FEP in your own environment, you need to perform the following pre-requisites before proceeding to the next steps: Install WSUS 3.0: Before you can successfully install and configure a software update point on a site system server in Configuration Manager 2007, you must install WSUS 3.0 on the server. Install WSUS 3.0 Administration Console: You need to install the WSUS 3.0 Administration Console on the Configuration Manager 2007 site server to allow the site server and remote Configuration Manager consoles to configure and synchronize software updates. Create and configure an active Software Update Point: The software update point in Center Configuration Manager 2007 is a required component of software updates and is installed as a site system role in the Configuration Manager console. You must create the software update point site system role on a site system server that has WSUS 3.0 installed You can find more information on configuring the Software Update Point here: http://technet.microsoft.com/en-us/library/bb633119.aspx

The above settings are already completed in the pre-configured virtual environment on the server machine named Denver (Server 1-WSUS) and Fargo (Server 2FEP/ConfigMgr server) The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the server machines named Denver (Server 1) and Fargo (Server 2). Software Updates and Windows Server Update Services When you configure FEP or the FEP Security Management Pack deployment for WSUS-based definition updates, you must perform the following tasks: Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates. Approve the FEP definitions in the WSUS Administration console.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 44

To synchronize updates and approve FEP definitions in Software Updates in Configuration Manager (in the virtual evaluation environment, this is the virtual machine named Fargo) 1. In the Configuration Manager Console, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.

Figure 3.37 Component Configuration page.

2.

In the middle pane, right-click Software Update Point Component, and then click Properties.

3.

On the Classifications tab, select Definition Updates and Updates.

Figure 3.38 Classifications tab.

4.

On the Products tab, select Forefront Endpoint Protection 2010, and then click OK.

Figure 3.39 Products tab.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 45

1.

To synchronize updates and approve FEP definitions in WSUS Using an account that has local administrator user rights, log on to the machine running WSUS (in the virtual evaluation environment, this is the virtual machine named Denver). Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.

2.

Figure 3.40 Product and Classifications.

3. 4. 5.

In the WSUS Administration console, in the tree, expand Computers, click Options, and then click Products and Classifications. In the Products and Classifications dialog box, on the Products tab, select Forefront Endpoint Protection 2010 On the Classifications tab, select Definition Updates and Updates, and then click OK.

Approving Updates
Figure 3.41 Forefront Endpoint Protection 2010.

Updates for the FEP client must be approved before those updates are offered to clients requesting the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates will only be offered to clients after they are approved for installation and after the WSUS server has completed the binary download. To approve definitions and updates in WSUS 1. 2. 3. 4. Using an account that has local administrator user rights, log on to the computer running WSUS. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve. On the list of updates, right-click the update or updates you want to approve for installation, and then click Approve. In the Approve Updates dialog box, click the arrow next to the group for which you want to approve the updates, and then click Approved for Install. Note: You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to automatically approve for installation any definition updates or FEP updates downloaded by WSUS.

Figure 3.42 Approve all pending updates.

5.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 46

To configure an automatic approval rule 1. In the WSUS Administration console, click Options, and then click Automatic Approvals.

Figure 3.43 Automatic approvals.

2.

On the Update Rules tab, click New Rule.

3.
Figure 3.44 New rule.

In the Add Rule dialog box, under Step 1: Select properties, select When an update is in a specific product. Under Step 2: Edit the properties, click any product. Clear all selections except Forefront Endpoint Protection, and then click OK. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection Definition Updates rule, and then click OK. In the Automatic Approvals dialog box, select the newly created Forefront Endpoint Protection Definition Updates rule and then click Run rule.

4. 5. 6. 7.

Figure 3.45 Forefront Endpoint Protection 2010.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 47

Microsoft Updates Definition Updates You use the Microsoft Update definition update option to keep definitions on mobile clients up-to-date when they are not connected to the corporate network. The Microsoft Update definition update option works in the same way as a normal Microsoft Update request. If configured, the FEP client will query Microsoft Update for new definitions per the frequency configured in the FEP policy. You can configure clients to check for definition updates by setting a policy option.

To configure clients to check Microsoft Update 1. 2. When you create an FEP policy, on the Updates page, select Enable updates from Microsoft Update. When you want to add Microsoft Update as a definition update option to an existing policy, in the properties of the policy, click the Updates tab, and in the update source list, select Updates from Microsoft Updates (MU).

File Share-Based Definition Updates Forefront Endpoint Protection clients can be configured to check a file share for definition updates. To check for updates, the client accounts must have read access to the file share in which you store the definition files. Domain users need read access as well. The user account is used when a manual update is performed. Note: When you configure clients to check a file share for definition updates, clients check the file share first, by default, before they check WSUS or Microsoft Update. You can change this hierarchy. To enable file share-based definition updates 1. 2. 3. 4. Create a folder called File Share on Server 1 (Denver). Right-click the folder and go to Share with. Add the user, select Read/Write access and then click Share. When you create an FEP policy, on the Updates page, select Enable updates from the following file share location, then, in the text box, enter the Universal Naming Convention (UNC) path to the file share. Note: FEP does not create or set permissions on the share automatically

Figure 3.46: Updates tab.

Figure 3.47 UNC check Box and Path for the file share.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 48

To enable file share-based definition updates in an existing policy 1. 2. 3. 4. 5. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies. In the middle pane, right-click the policy you want to edit, and then click Properties. Click the Updates tab, then, in the list of update sources, select Updates from UNC file shares (specified below). Under Specify, in order of preference, file shares, click Add, and then type the UNC path to the file share. If necessary, click Add again and add additional UNC paths. Note: You can alter the order of the list of file shares by selecting a listed path, and then, under the list, click Up or Down. 6. When finished, click OK.

To configure a file share for definition updates

1.

Download the required files from the following locations: For x64:

Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)

Figure 3.48 Downloaded files for x64.

Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094) Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.

For x86:

Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)

Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095) Note: This file is required only if you have selected Enable protection against network-based exploits on the Antimalware tab of an FEP policy.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 49

2.

Save the files in folders with the following names:

The files for x64-based computers must be in a folder named x64 The files for x86-based computers must be in a folder named x86

For example:
Figure 3.49 UNC checkbox and path.

...\Updates\x86 ...\Updates\x64 3. Ensure that each folder contains the following files:

Mpam-fe.exe Nis_full.exe

Summary
This chapter has shown how you can deploy FEP to secure client machines. You can use Configuration Manager 2007 to centrally install and uninstall FEP clients, manage policies, and view the state of client protection. For more details refer to: Deploying Forefront Endpoint Protection 2010: Step-by-step installation of Forefront Endpoint Protection 2010. It is an easy wizard driven setup. Using Configuration Manager to Deploy FEP Clients: Step-by step process to distribute and advertise the software to an already existing or a new collection of endpoints. Overview of the contents of the Dashboard of System Center Configuration Manager 2007: The Dashboard summarizes the overall health status of clients. It provides drilled down reports for particular computers. Policy creation for Forefront Endpoint Protection 2010: Defines the various configuration options of the FEP client that users can manage such as, policy customization and assignment, configuring group policy, the scan schedule, the location and frequency of definition updates, and scan exclusions. Providing signature updates to endpoints: Enables the administrators to provide latest updates to all endpoints centrally and thus keep them protected against new threats.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 50

In Chapter 3, you will learn how FEP can comprehensively protect client machines by detecting and cleaning malware, provide reports and alerts, and provide different types of configurable scanning methods that can be configured for client machines. For more details, refer to: Detecting and Cleaning Malware: Step-by-step process of detecting and cleaning malware using Configuration Manager 2007. On-demand, Schedule and Real-time Scanning: The scanning methods used by FEP include: Real-time scanning: Process of configuring real-time scans Scheduled scanning: Process of configuring scheduled scans On-demand scanning: Process of configuring on-demand scans

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 51

CHAPTER 3: COMPREHENSIVE PROTECTION


Simple Client Experience
Simple Interface Keep user interactions minimal and high-level Provide only necessary interactions

Forefront Endpoint Protection 2010 makes it easier to protect critical desktop, laptop, and server operating systems against viruses, spyware, rootkits, and other threats. Highly accurate and efficient threat detection: The FEP engine protects against the latest malware and rootkits with a low false-positive rate and helps keep employees productive with low-impact scanning. Detection of unknown threats: Forefront Endpoint Protection 2010 uses system behavior and file reputation data to identify and block previously unknown threats from attacking endpoints. Improved network-based protection: Forefront Endpoint Protection 2010 ensures Windows Firewall is active and working properly to protect against network-layer threats, and it allows you to more easily manage protection across the enterprise.

Administrator-managed options Control user configurability Enforce central policy

Performance-Oriented Defaults Template-driven policy creation based on risk Workload-specific policies for servers

Forefront Endpoint Protection 2010 provides protection against these threats using the following techniques: Antimalware protection: The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. Whenever possible, the FEP client automatically solves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators. Protection against rootkits: Rootkits are software that enables continued privileged access to a computer, while hiding their presence from administrators. Forefront Endpoint Protection 2010 has features that provide efficient rootkit detection. Heuristics and emulation techniques: Dynamic Translation technology in FEP uses heuristics-based protection. Based on emulated behavior, it translates code that accesses real resources into code that accesses virtualized resources, which keeps the real resources in the system safe from any malicious content. Behavior monitoring: Live system behavior monitoring identifies new threats and tracks behavior of unknown processes and known good processes gone bad. Detections trigger a request to the Dynamic Signature Service and clients will receive an updated signature through the cloud if it is recently identified malware without waiting for the regular signature update process. Network vulnerability shielding: Forefront Endpoint Protection 2010 provides protection against network level exploits and intrusions by inspecting inbound and outbound network traffic. It balances protection with performance by only enabling signatures for the unpatched vulnerabilities.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 52

In this scenario, you will evaluate the process of detecting and cleaning malware using FEP. This section will provide you with the step-by-step processes to detect a malware, run the FEP software to clean up the malware, and generate reports of the malware operations.

Exercise
4. Detecting and cleaning malware impact scanning 5. On-demand, scheduled, and real-time scanning

Illustrates
Detecting and cleaning malware on the client computer Protecting endpoints against malware in real-time

Exercise 4: Detecting and cleaning malware impact scanning


Companies today are challenged to protect endpoints from unauthorized access to information and loss of critical data. Forefront Endpoint Protection 2010 enables organizations to centrally protect endpoints against different types of malware like viruses and rootkits. While evaluating with pre-configured virtual environment, you will need the following virtual machines:

Lab Environment
S.No.
1 2 3 4

Machine Name
Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo)

Roles
DC CA AD FS, AD-RMS, FCI, WSUS FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

In this exercise, you will see an example of detecting and cleaning malware on a client machine. The following step by step instructions use the pre-configured virtual environment and are configured on the client machine called Cairo (Client 2 in the table above) 1. If you are using the virtual environment, then directly open the folder where the EICAR test virus file is stored to run a malware and skip to step 4. If you are using your own environment, download the EICAR antimalware test file eicar.com.txt from the EICAR website (http://www.eicar.org/download/eicar.com.txt). Note: Forefront Endpoint Protection 2010 should block this file from being downloaded. The Sample folder contains several copies of the EICAR test virus. This is not a real virus, but a sample file used for antimalware tests Place the file in the C:\Tools\Sample folder

2.

Figure 4.1 Opening the Sample folder.

3.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 53

4.

In the Sample folder, right-click eicar.com.txt, and then click Open. FEP real-time detection recognizes the EICAR test virus, and blocks access to the file. Near the notification area, a popup appears that briefly informs the user about the blocked access to the files.

Figure 4.2 Notification for blocked access to user.

5.

Click OK to acknowledge that Windows cannot access the file. Notice that the eicar.com.txt file is no longer in the folder; FEP has removed it.

Figure 4.3 Right-click the FEP icon.

6. 7. 8.

Close the Sample folder In the Notification area, right-click the FEP icon, and then click Open. In the FEP window, click the History tab. Note: It may take up to 10 minutes before the detected item appears in the list.

9.

Close the FEP window

Figure 4.4 History tab in the FEP window.

10. On the FEP Server (In the pre-configured virtual environment, it is the server named Fargo), in the Configuration Manager console, under Computer Management, select Forefront Endpoint Protection.

Figure 4.5 Select Forefront Endpoint Protection under Computer Management.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 54

11. In the middle pane, note that the Malware Activity Status section shows the number of detected and cleaned malware. Note: The detected malware from the client may not show up immediately. The status change depends on the Configuration Manager client state update setting.

Figure 4.6 Malware Activity Status section.

12. In the Configuration Manager console, under Forefront Endpoint Protection, select Reports. The middle pane lists the three pre-defined reports.

Figure 4.7 Select Reports from Configuration Manager Console.

13. In the middle pane, select Antimalware Activity Report. 14. Right-click the report, and then click Run.
Figure 4.8 Right-click the Antimalware Activity Report and then click Run.

Notice that FEP 2010 integrates with both Configuration Manager and SQL Server Reporting. The malware information may take some time to appear in the report. In the virtual environment, it will take 10-15 minutes for the latest information to populate. In general, it depends on the interval set for a client to upload state messages,

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 55

15. Close the Report Viewer window.

Figure 4.9 Displayed Antimalware Activity report.

Exercise 5: On-demand, scheduled and real-time scanning


Forefront Endpoint Protection 2010 provides the options for on-demand, scheduled and real-time scanning. The organization can select the option appropriate for its business needs.

Exercise
5.1. FEP real-time scanning 5.2. FEP scheduled scanning 5.3. FEP on-demand scanning

Illustrates
Real-time scanning on an FEP Client Scheduled scanning on an FEP Client On-demand scanning on an FEP Client

If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment
S.No.
1 2 3 4

Machine Name
Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo)

Roles
DC CA AD FS, , WSUS FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 56

Exercise 5.1: Forefront Endpoint Protection 2010 real-time scanning Real-time scan: protects endpoints against malware in real-time. This can help prevent infection by malware present in the files being accessed. Real-time scanning: All FEP incidents on client machines are reported to the FEP server, used for reporting, creating, and distributing FEP policies throughout the network. In this exercise, you will see an example of configuring and scheduling a scan on the client machine in real time. These step-by-step instructions use the pre-configured virtual environment and the steps are configured on the client machine named Cairo (Client 2 in the table above). 1.
Figure 5.1 Click Computer.

In the FEP client, click the Start menu, and then click Computer.

2.

Right-click USB Disk (K:), and then click Open.

Figure 5.2 Right-click to Open.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 57

3.

On the K: disk, right-click Woodgrove Bank Trey Information.doc, and then click Open Forefront Endpoint Protection 2010 blocks access to the document. Even though the client computer may be on the corporate network, behind the firewalls, malware-infected files can still enter the network through the use of portable USB drives. However, FEP on the client machine detects and blocks the malicious content.

Figure 5.3 Opening the document from the USB drive.

4. 5.

Click OK to close the Microsoft Word dialog box. Close Microsoft Word.

Figure 5.4 Error message shown on the infected file.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 58

Note: The steps to enable real-time scanning are shown in the Policy Creation section in the Evaluation Scenario: Single Infrastructure. These steps are completed on the FEP Configuration Manager Console

Figure 5.5 Real-time scanning.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 59

Exercise 5.2: Forefront Endpoint Protection 2010 scheduled scanning Scheduled scan enables an organization to: Configure a scheduled scan: You can select the scan frequency from Weekly quick scan, Weekly full scan, Daily quick scan, Daily full scan, Daily quick scan and Weekly full scan. You can also set the time and day for weekly scans. Allow clients to schedule scan time: Select this option to allow end users to schedule scans on their client machines. Scan only when the computer is idle Randomize scheduled scan start times (within 30 minutes from scheduled time) Force a scan upon reboot when two or more scheduled scans are missed. Scan archived files Limit processor usage during scans: You can set the processor usage at the client machine for the scanning process.

In this exercise, you will configure and schedule a scan on a client machine.
Figure 5.6 Enable Scheduled scanning.

In the FEP Client, the steps to enable scheduled scanning are mentioned in the Policy Creation section in the Evaluation Scenario: Single Infrastructure. Exercise 5.3: Forefront Endpoint Protection 2010 on-demand scanning On demand scan: enables an organization to perform three kinds of scanning: Quick scan: checks the areas that malicious softwareincluding viruses, spyware and unwanted softwareis most likely to infect. Full scan: checks all the files on the hard disk and checks all running programs. Time duration of the scan depends on the system. Custom scan: checks only the locations and files that user selects.

The scanning can be performed either manually or by running the endpoint scan from the FEP management console In this exercise, you will perform the three types of on-demand scans on a client machine. 1. Quick Scan

Manual steps a. b. c. Double-click the FEP icon on the taskbar. Under Scan options, click Quick. Click Scan now to start scanning.

Figure 5.7 Manually performing the Quick scan.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 60

Running the Quick Scan from the FEP Management Console a. b. c. d. e.


Figure 5.8 Run Quick Scan from FEP console.

Open Configuration Manager console, expand Computer Management, and expand Collections. Select All Systems. Select the client machine Cairo. Go to the Action Pane, and under the client machine Cairo select FEP Operations. Click Run Quick Scan.

2.

Full Scan

Manual Steps a. b. c. Double-click the FEP icon on the taskbar. Under Scan options, click Full. Click Scan now to start scanning.

Figure 5.9 Manually performing the Full scan.

Running the Quick Scan from the FEP Management Console a. b. c. d. e. Open Configuration Manager console, expand Computer Management and expand Collections. Select All Systems. Select the client machine Cairo. Go to the Action Pane, and under the client machine Cairo select FEP Operations. Click Run Full Scan.

Figure 5.10 Run Full Scan from FEP console.

3.

Custom Scan a. Double-click the FEP icon on the taskbar and then click Custom Scan.

Figure 5.11 Custom scan.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 61

b.

Select the locations/files that you want to scan.

Figure 5.12 Select the file location.

c.

Click OK to start the Custom Scan.

Figure 5.13 Custom scan.

Summary
This chapter showed how FEP can provide comprehensive protection to client machines by detecting and cleaning malware, providing reports and alerts, and by providing different types of configurable scanning methods. For more details, please refer to the following sections: Detecting and Cleaning Malware: Step by step process of detecting and cleaning malware impact scanning using Configuration Manager 2007. On-demand, Scheduled and Real-time Scanning: The scanning methods used by FEP

In Chapter 4, you will learn how FEP provides simplified management by using predefined reports and customized alerts. For more details, please refer to the following sections: FEP Reports: Predefined reports with information on client deployment, health, and malware detection. FEP Alerts: Receive email notifications when FEP detects security incidents and generates alerts

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 62

CHAPTER 4: SIMPLIFIED MANAGEMENT REPORTING AND ALERTING

Reporting and Alerting Benefits


Uses existing Reporting Infrastructure- no need for additional database servers Improved visibility into client security and health Critical level alerting Rich historical reports

Forefront Endpoint Protection 2010 is built on Configuration Manager 2007 R2 and provides a single interface for you to manage and secure endpoints, which helps reduce complexity and improve troubleshooting and reporting insights. It provides a central location for you to create and apply all endpoint-related policies. With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers. Forefront Endpoint Protection 2010 provides simplified access to information and tools you need to keep your enterprise secure and running. No separate console: Configuration Manager provides a single interface to manage and secure endpoints, which helps to reduce complexity and improve troubleshooting and reporting insights. This approach also helps to reduce the training necessary for client administration. Improved endpoint visibility: With a shared view of endpoint protection and configuration, you can more easily identify and remediate vulnerable computers.

Exercise
6. FEP reports 7. FEP alerts

Illustrates
Reports on client deployment, health, and malware detection Notification when security threats are detected

If you choose to evaluate FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment
S.No.
1 2 3 4

Machine Name
Server 1 (Denver) Server 2 (Fargo) Client 1 (Chicago) Client 2 (Cairo)

Roles
DC CA AD FS, AD RMS, FCI, WSUS FEP Server and Configuration Manager Forefront Client Security (FCS) Client FEP

Exercise 6: Forefront Endpoint Protection 2010 reports


Forefront Endpoint Protection 2010 provides a number of predefined reports in the Reports node under the Forefront Endpoint Protection node. These reports provide information on client deployment, health, and malware detection. Forefront Endpoint Protection 2010 has six predefined FEP reports: Antimalware Activity Report, Antimalware Protection Summary Report, and Computer List Report run directly from the Reports node Malware Details Report and Computer Details Report run by drilling down within the Antimalware Activity Report Computer List Report and Policy Deployment run directly from the FEP Dashboard

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 63

Antimalware Activity Report: This report displays a dashboard summarizing the overall antimalware status. Security Alerts: Displays a summary of raised FEP alerts. Security Status: Displays a summary of client machines by FEP client status. Antimalware Activity: Displays a dashboard of information about all detected malware. Malware Activity: Displays lists of the top malware infections by severity and frequency.

Figure 6.1 Antimalware Activity report.

Antimalware Protection Summary Report: This report provides an overview of antimalware deployment and health. Antimalware Deployment and Health: Displays a dashboard of antimalware information. Security Status: Displays a summary of client machines by FEP client status.

Figure 6.2 Antimalware Protection Summary report.

Malware Details Report: This report displays further details about specific malware. Malware Details: Displays details about the detected malware. Antimalware Activity: Displays a dashboard of information about the detected malware. Infected Computers: Displays a list of client machines that the detected malware has infected.

Figure 6.3 Malware Details report.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 64

Computer List Report: This report displays a list of computers. Computer List: When you run this report from the Reports node, it displays a list of computers on which the FEP client is deployed. When you run this report by drilling down, it displays a filtered list of computers according to the clicked link.
Figure 6.4 Computer List report.

Computer Details Report: This report displays further details about the specified computer. Computer Details: Displays details about the specified computer. Protection Status: Displays information about the status of the FEP client features. Malware Activity: Displays a summary of malware information followed by a list of malware that has been detected on the specified computer.

Figure 6.5 Computer Details report.

Policy Deployment Report: This Web report displays the breakdown of FEP 2010 client distribution states per collection Click the FEP Dashboard and scroll to the Links and Resources Section. Under Web Reports, click Deployment Overview

Figure 6.6 Policy Deployment report.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 65

Exercise 7: Forefront Endpoint Protection 2010 alerts


Forefront Endpoint Protection 2010 can notify you when it detects security incidents. The alert types that FEP provides include: Malware Outbreak: Forefront Endpoint Protection 2010 can send an alert when it detects a malware outbreak. An outbreak occurs when the number of malware detections reaches a certain threshold. Malware Detection: When FEP detects malware on a client machine, it sends an alert to the client machines that are members of its collection. You can configure the settings to generate alerts and select the recipients of the alerts, Repeated Malware Detection: Forefront Endpoint Protection 2010 sends an alert to client machines if the same malware infects them repeatedly. The alert occurs after a certain number of repeated detections. Multiple Malware Detection: Forefront Endpoint Protection 2010 sends an alert to the client machines infected by multiple malware types. The alert occurs after a certain number of malware detections on a single computer.

Exercise 7.1: Sending a Malware Outbreak alert 1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.

Figure 7.1 Click ConfigMgr Console.

2. In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts.

Figure 7.2: Computer Management > FEP > Alerts.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 66

3. After selecting Alerts, select Malware Outbreak Alert.

4. Right-click Malware Outbreak Alert and then click Properties.

Figure 7.3 Select Malware Outbreak Alert.

The Malware Outbreak Alert Properties dialog box will appear.


Figure 7.4 Right-click and Select Properties.

5.

Figure 7.5 Properties dialog box.

Select Enable alerts for malware outbreaks and then specify the criteria for malware outbreak alerts, such as: Malware detected on number of computers and Malware detection interval (in minutes). Add the addresses of the recipients to whom alerts should be sent.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 67

6.

Click Apply and then click OK.

Exercise 7.2: Sending a Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, and then click Alerts. In the middle pane, select Malware Detection alert.
Figure 7.6 Enable Alerts for Malware Outbreaks.

2. Right-click Malware Detection Alert and then click Properties.

Figure 7.7 Select Malware Detection Alert.

Figure 7.8 Right-click and select Properties.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 68

The Malware Detection Alert Properties dialog box will appear.

Figure 7.9 Properties Dialog box.

3.

Select Enable alerts for malware detection and then click Browse to select the parent collection you want to monitor.

Figure 7.10 Select Parent Collection.

4.

In the Browse Collection dialog box, click All Systems, and then click OK.

Figure 7.11 Select All Systems.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 69

5. 6.

Set the Alert detection level to Medium and then add the addresses of recipients to whom alerts should be sent. Click Apply and then click OK.

Figure 7.12 Add recipients.

Exercise 7.3: Sending a Repeated Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, click Alerts, and then click Repeated Malware Detection Alert.

Figure 7.13 Repeated Malware Detection Alert.

2. Click Browse.

Figure 7.14 Properties dialog box for Repeated Malware Detection Alert.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 70

3. In the Browse Collection dialog box, click All Systems, and then click OK.

Figure 7.15 Select All Systems.

4. Select Add recipients Email ID. Click Apply and then click OK. Note: In order to send the email alerts, the SMTP settings need to be defined

Figure 7.16 Add recipients Email ID.

5.

To define the SMTP settings, in the Actions pane, click Email Settings.

Figure 7.17 Email Settings.

6.

Enter the SMTP Server and Email address, and then click OK

Figure 7.18 Enter SMTP details.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 71

Exercise 7.4: Sending a Multiple Malware Detection alert 1. Under Computer Management, expand Forefront Endpoint Protection, expand Alerts, and then select Multiple Malware Detection Alert.

Figure 7.19 Multiple Malware Detection Alert.

2. 3.

In the Action pane on the right side, click New Multiple Malware Detection Alert. Click Browse.

Figure 7.20 Properties Dialog box for Multiple Malware Detection Alert.

4.

In the Browse Collection dialog box, select All Systems, and then click OK

Figure 7.21 Select All Systems.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 72

5.

Select Add recipients Email ID. Click Apply and then click OK. Note: In order to send the email alerts, the SMTP settings need to be defined.

Figure 7.22 Add recipients Email ID.

6.

To define the SMTP settings, in the Actions pane, click Email Settings.

Figure 7.23 Email Settings.

7.

Enter the SMTP Server and Email address and then click OK.

Figure 7.24 Enter SMTP details.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 73

Exercise 7.5: Setting the alert level 1. Click Start, click All Programs, under Microsoft System Center click Configuration Manager 2007, and then click ConfigMgr Console.

Figure 7.25 Click ConfigMgr Console.

2.

In Configuration Manager 2007, expand Computer Management. Under Computer Management, expand Forefront Endpoint Protection and then click Policies.

Figure 7.26 Computer Management > FEP > Policies.

3.

Double-click Default FEP policy to open the Default FEP Policy Properties dialog box. Click the Antimalware tab. In the list on the left, select Threat Handling.

4. 5.

Figure 7.27 Property Dialog Box > Antimalware > Threat Handling.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 74

Forefront Endpoint Protection 2010 responds to potential threats and classifies them at different alert levels: Low Level: These programs collect personal information or change settings but do not damage the system and operate within the licensing terms displayed when the software is installed. Medium Level: These programs collect personal information or change settings but do not damage the system. High Level: These programs collect personal information, change settings without the users consent or knowledge, or damage the system. Severe Level: These are exceptionally malicious programs that threaten the privacy and security of the client machine and can damage the system.

For each of the alert levels, you can choose to take action as follows: Allow: This action allows the detected item and will also add it to the Allowed Items list. Quarantine: This action moves the detected item to the quarantined area and enables the user to either restore or permanently delete the item. Remove: This action permanently deletes the detected item. Recommended Action: These actions are recommended by Microsoft Security Essentials based on their severity level. o o o
Figure 7.28 Action types for each Alert Level.

Severe and High: Remove the detected programs immediately. Medium: Consider removing the detected item if it is from an untrusted publisher. Low: Consider quarantining the detected item if it is from an untrusted publisher.

Summary
This chapter described how FEP provides simplified management through predefined reports and customized alerts and how it provides the necessary tools to keep the enterprise secure and running. For more details, please refer to the following sections: FEP Reports: Predefined reports with information on client deployment, health, and malware detection. FEP Alerts: Allows administrators to receive email notifications when FEP detects security incidents and generates alerts.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 75

APPENDIX: SYSTEM REQUIREMENTS AND PREREQUISITES

NOTE: This appendix will help you install FEP. Because this guide has been prepared for the purpose of the following labs, instructions in this section may not be suitable for production environments. Please refer to the respective product manuals for information about the setup for production environments.

Hardware Requirements
For this evaluation, you can use either a Hyper-V based FEP virtual environment (called Business Ready Security Demo Environment) or FEP evaluation software that you can deploy in your own test/production environment. NOTE: For a list of compatible systems and peripherals required for Windows Server 2008 R2, visit http://www.microsoft.com/whdc/hcl/default.ms px

Pre-configured Virtual Environment System Requirements


To deploy the business ready security demo environment, which is built on virtual hard disks, you need at least one Windows Server 2008 R2 Standard with Hyper-V enabled with following recommended specifications: Single processor with 1.4 GHz (x64 processor) or 1.3GHz (dual core) 8 GB RAM 100 GB of hard disk space

Forefront Endpoint Protection 2010 System Requirements


Configuration Manager requires a system running Windows 2003 SP2 or later with the following specifications: NOTE: Actual requirements will vary based on your system configuration and the applications and features you choose to install. 2 GB RAM Disk Space o o o Forefront Endpoint Protection Server: 600 MB Forefront Endpoint Protection Database: 1.25 GB Forefront Endpoint Protection Reporting Database: 1.25 GB

Additional Requirements o o o o o No earlier versions of Forefront Endpoint Protection Server installed No installations of other antimalware protection Microsoft Windows Installer version 3.1 or later Microsoft .NET Framework 3.5 Service Pack 1 SQL Server 2005 SP2 or 2008 Enterprise, including: Analysis Services Integration Services Reporting Services SQL Server Agent

Configuration Manager 2007 Service Pack 2 Release 2 site installed with default roles, configured to use the SQL Server Reporting Services, and the following installed and configured: o o o o Hardware Inventory Software Distribution Desired Configuration Management Management Class Hotfix Package
Evaluation Guide Page 76

Microsoft Forefront Endpoint Protection 2010

Forefront Endpoint Protection 2010 Client


Forefront Endpoint Protection 2010 protects multiple Microsoft operating systems. System requirements for the FEP client include: Processor o o Windows XP: 500 MHz or higher Windows Vista or Windows 7: 1.0 GHz or higher

Memory o o Windows XP: 256 MB RAM or higher Windows Vista or Windows 7: 1 GB RAM or higher

Disk Space o 300 MB

Operating System o o o o o o Windows XP SP3 and later x64 Windows Vista RTM and later, x64 and x86 Windows 7 RTM x64, x86 Windows 7 XP mode Windows Server 2003 SP2 and later, x64 and x86 Windows Server 2008 RTM and later, x64 and x86 (not server core)

Additional Requirements o o o o o Configuration Manager agent Windows Installer 3.1 Filter manager rollup (KB914882) WFP rollup package (KB981889). Redistributed by client Windows Update

Software Prerequisites for Forefront Endpoint Protection Deployment


The FEP Setup wizard checks that the prerequisites are already installed before you continue with the installation. If the prerequisites verification check identifies missing prerequisites, the wizard informs you where you can download and install the required components. Forefront Endpoint Protection 2010 Server requires Configuration Manager 2007 R2 / R3 and SQL Server. The following steps explain how to deploy SQL Server and Configuration Manager 2007 for FEP.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 77

Exercise 8: Deploying SQL Server Forefront Endpoint Protection 2010 requires SQL Server 2005 SP2 or 2008 Enterprise with Analysis Services, Integration Services, Reporting Services, and SQL Server Agent running. The SQL Server should be part of the domain. 1. Run System Configuration Checker to detect if SQL Server 2008 R2 is installed on your machine. If it detects SQL Server 2008 on the machine, it will show a message about the automatic upgrade of SQL Server 2008 R2, otherwise setup begins with step 2.

Figure 8.1 System Configuration Checker.

2.

To use the database, analysis, and reporting services for FEP, select the following SQL Server components:


Figure 8.2 Services Selection.

Database Engine Services Analysis Services Reporting Services Integration Services SQL server agent

You need to specify a Default instance or a Named instance to use or run the FEP analysis and reporting services and to activate the databases. MSSQLSERVER is the default Named instance and Instance ID.

3.

Figure 8.3 Configuring database instance.

Microsoft recommends separate accounts for the respective FEP services. This page shows the Service Account tab, which indicates the service account details for the SQL Server services and allows you to specify the startup type for each of the services (for example, Automatic, Manual, and Disabled).

Figure 8.4 Authentication Selection.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 78

4.

The Database Engine Configuration enables you to maintain and generate FEP reports and to enable secure access to those reports. Use the Account Provisioning tab to specify the Authentication Mode and administrators for the database engine:

Authentication Mode: SQL Server supports two authentication modes, Windows authentication mode and Mixed Mode. Specify SQL Server administrators: You must specify at least one system administrator for each instance of SQL Server.

Figure 8.5 Authentication Method.

The Data Directories tab enables you to specify non-default installation directories and in the FILESTREAM tab you can enable FILESTREAM for instances of SQL Server.

5.

On the Analysis Services Configuration page, the Account Provisioning tab enables administrators to specify users with administrative privileges to allow access to analysis services.

Figure 8.6 Analysis Services Configuration.

6.

On the Reporting Services Configuration page, you can select the type of Reporting Services you wish to install. Options include:

Figure 8.7 Reporting Services Configuration.

Install the native mode default configuration Install the SharePoint integrated mode default configuration Install, but do not configure the report server

7.

On the Ready to Install page, you can see a tree view of the installation options specified during Setup.

Figure 8.8 Configuration View.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 79

After you complete the installation of SQL Server 2008, the installer will provide a link to the summary log file for the installation and other important notes.

Figure 8.9 Installation Completion.

Deploying Configuration Manager 2007 R2

Before you install Configuration Manager 2007 R2, make sure you fulfill the following prerequisites:

Extend the Active Directory schema Create a Configuration Manager 2007 R2 System Management Container in Active Directory Install the Microsoft Remote Differential Compression feature Install WebDAV and configured in IIS Install the BITS Server Extensions feature Install WSUS Server 3.0 SP1

During the Configuration Manager installation, when you configure the client agent option, select the following options:

Software inventory: Discovers the software installed on the system. Hardware inventory: Scans and reports for hardware configuration for the specific machine. Collected reports or data is controlled by Managed Object Format (MOF). Defined classes are added to WMI, which reports back to the site server. Desired configuration management: Defines the schedule that the system will scan for compliance based on DCM rules. System Center Client Deployment: Configures the client settings including the account that is used to connect to the software distribution locationand notification settings.

Figure 8.10 Agent Configuration Option.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 80

FOREFRONT ENDPOINT PROTECTION SECURITY MANAGEMENT PACK: ENABLING REAL-TIME MONITORING WITH SYSTEM CENTER OPERATIONS MANAGER 2007 R2

High-value assets (typically servers) that require a greater degree of monitoring can report their events to an Operations Manager infrastructure. Forefront Endpoint Protection 2010 includes the FEP Security Management Pack, which is a standard management pack that you can import to Operations Manager 2007 R2. The FEP Security Management Pack serves two goals. First, organizations that use Operations Manager 2007 R2 to monitor servers can now use their preferred tool to monitor security, too. Second, for organizations that require guaranteed real-time monitoring for their critical systems (like servers) the management pack uses Operations Manager 2007 R2 capabilities to ensure real-time reporting on FEP. In addition to real-time monitoring and alerting, the FEP Security Management Pack can use SQL Reporting or Microsoft Excel to connect to the Operations Manager 2007 R2 database to generate custom reports.

The Operations Manager 2007 R2 console provides access to real-time data generated by FEP clients with Operations Manager 2007 R2 agents installed. This data includes a state view of the various FEP client components (antimalware engine, antimalware activity, definitions, last scan time, firewall state, and others), a list of active alerts, and a list of all FEP-related events that the servers have sent./ The FEP Security Management Pack for Operations Manager 2007 R2 provides a server-centric view under Operations Manager with the following features: Server security and availability tasks Predefined reporting views that can be used to generate custom reports using Excel (an Excel sample spreadsheet with various example of possible reports is available in the download center) Real-time monitoring and alerting for critical systems

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 81

In this scenario, you will import the FEP Management Pack into an Operations Manager 2007 R2 Management Group. You can then monitor all the servers assigned to that Management Group that have the FEP client installed.

If you are evaluating FEP with the pre-configured virtual environment, you will need the following virtual machines:

Lab Environment
S.No.
1 2 3

Machine Name
Server 1 (Denver) Server 2 (Madrid) Server 3 (Oxford)

Roles
DC, CA, AD FS, AD RMS, FCI Exchange 2010 FEP Security Management Pack, Operations Manager

The following step-by-step instructions use the pre-configured virtual environment and the steps are configured on the FEP server machine called Madrid (Server 2 in the table above). The FEP Security Management Pack and Operations Manager Console are configured on the server machine called Oxford (Server 3 in the table above). You can also download the evaluation version of FEP Security Management Pack software to evaluate it with System Center Operations Manager in your test environment.

Exercise
9. Enabling realtime monitoring with FEP 10. Generating alerts and notifications 11. Performing task remediation

Illustrates
Step-by-step guide to import the FEP Security Management Pack, creating an override to allow discovery of Windows Clients and use Operations Manager Console to monitor FEP. Step-by-step guide to generate alerts and create an incident in Operations Manager Console. Step-by-step guide for remediation tasks targeted at computers by Operations Manager operators and delivered to them for execution.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 82

Exercise 9: Enabling real-time monitoring with Forefront Endpoint Protection 2010 This section explains the steps required to import the FEP Security Management Pack. The following steps need to be completed if you are using the evaluation version of FEP Software Management Pack. If you are evaluating FEP Security Management Pack using the pre-configured virtual environment, please skip to Exercise 10 (the FEP Security Management Pack is already installed in the preconfigured virtual environment). To import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them. Download and expand the Forefront Endpoint Protection Security Management Pack from the Forefront Endpoint Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).

To extract Management Pack files 1. Double-click fep2010 security mp.msi. Note: No Management Pack files are installed or imported to Operations Manager during this procedure. The wizard only extracts files.

Figure 9.1 Accept the license agreement.

2.

Read and accept the license agreement, and then click Next.

3.

On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.

Figure 9.2 Specify the installation folder.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 83

4. 5.

On the Confirm Installation page, click Install to extract the package to the specified location. On the Installation Complete page, click Close. Navigate to the file location specified earlier and verify that the following files are present: Microsoft.FEPS.Application.mp Microsoft.FEPS.Library.mp Microsoft.FEPS.Reports.mp

Figure 9.3 Verification of extracted

To import the FEP Security Management Pack 1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group. In the Operations Console, click the Administration button.

2.

3.

Right-click the Management Packs node and then click Import Management Pack(s) to open the Import Management Packs dialog box.

Figure 9.4 Import Management pack.

4.

In the Import Management Packs dialog box, click Add, and then click Add from disk.

5. 6.

In the Online Catalog Connection dialog box, Select No. In the Select Management Packs to import dialog box, browse to C:\Program Files (x86)\System Center Management Packs\FEP 2010 for Servers OpsMgr 2007 R2 MP, press CTRL+A to select the three .mp files and then click Open. On the Select Management Packs page, the management packs that you selected for import are listed. Next to each management pack a green check mark icon should appear that indicates that the management pack is ready to import. Click Install to import the selected management packs After installation, click Close to close the Import Management Packs window.

7.
Figure 9.5 Add Management pack.

8. 9.

10. In the Management Packs node, press F5 to refresh the list of management packs installed to Operations Manager. Then, in the Look for text box, type Protection, and then click Find Now. The two management packs imported in step 7 should appear in the view.

Figure 9.6 Verifying Management Packs .

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 84

To create an override to allow discovery of Windows clients The Operations Manager Discovery that discovers the FEP client installed on Windows Client machines is disabled. In order to allow Operations Manager to monitor FEP on Windows clients you need to configure an override. 1. 2.
Figure 9.7 Change Scope .

In the lower-left corner, select the Authoring node. Expand Management Pack Objects and select Object Discoveries. In the top-right corner, click Change Scope.

3.

4. 5. 6.

Select View all targets. In the Look for box, type Forefront. Click Clear All to clear the default objects and then click Select All to select all the Forefront objects. Click OK.

Figure 9.8 Forefront Object selection.

7.

Double-click Protected Client Candidate Discovery.

Figure 9.9 Protected Client Candidate

8.

Click the Overrides tab.

Figure 9.10 Override tab selection.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 85

9.

Click the Override button and select For all objects of class: Windows Client.

10. In the top Override box, change the Override Value to True. Click OK and Close.

Figure 9.11 For all objects of class:

Exercise 10: Generating alerts and notifications To generate alerts for the monitors, you first need to create an incident so Operations Manager can identify the issue and generate alerts. In this procedure, you will create an incident by stopping FEP service. To stop the FEP service on a server Perform the following step on the Server 2 (Madrid) computer Open Task Manager, go to the Services tab, right-click Microsoft Antimalware Service, and then click Stop.

Figure 9.12 True Override Value.

Figure 10.1 Stop Antimalware Service.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 86

To monitor the FEP service stopping on a server and then restart it 1. Select Protected Server State and click Refresh until the state changes. This should take less than 1 minute and the Antimalware Engine and Antimalware Definitions components should change to Critical.

Figure 10.2 State change under Protected Server State.

2.

Select the Active Alerts view. Three alerts are raised in response to this condition.

Figure 10.3 Active Alerts view.

3.

Select the domain controller, and in the Action pane, click Health Explorer. As before, you can review information about the monitors that raised these alerts.

4.

Select Antimalware Engine to read information about this condition.

Figure 10.4 Health Explorer.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 87

5.

Select the State Change Events tab to see when the computer entered this state.

Figure 10.5 State Change Events tab.

6.

Near the bottom of the window is a recovery task called Enable real-time protection. Click the link to run it and then click Yes.

Figure 10.6 Enable real-time protection.

7. 8.

Close the Health Explorer window and return to the Protected Server State view. Click Refresh a few times until the state changes to Healthy.

Figure 10.7 Healthy state of system.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 88

9.

Return to the Active Alerts view. The alerts are automatically set to Closed after the monitors change state, and they are removed from the Active Alerts view.

Figure 10.8 Closed Alerts under Active Alerts

Exercise 11: Performing task remediation Tasks are targeted at computers by Operations Manager operators and delivered to them for execution. In this exercise, you will use a task to retrieve FEP information and update definitions on the domain controller. You will also investigate the FEP reports and extract more details To use a task to retrieve FEP information from a Windows Server 1. Select Protected Server State. 2. Select the Server 2 (Madrid) computer and in the Action pane under Protected Server Tasks, click Retrieve Endpoint Settings.
Figure 11.1 Retrieve Endpoint settings.

3. Accept the defaults and click Run and then click Close. 4. Select Task Status and click Refresh until the task status changes from Queued to Success. 5. Select the completed task and scroll down to see detailed information about the client. Examine the list of other taskssuch as Run a full / quick scan, Stop a scan, Update definition files, and others.
Figure 11.2 Task Status.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 89

To use a task to update definitions on the domain controller 1. Select Protected Server State. 2. Select the domain controller and in the Action pane under Protected Server Tasks, click Update Antimalware Definitions 3. Accept the defaults and click Run and then click Close. 4. Select Task Status and click Refresh until the task status changes from Queued to Success. This may take a minute or so.

Figure 11.3 Update Antimalware Definitions.

To investigate FEP Reports 1. Select Protected Server State. 2. Select the domain controller and in the Action pane under Protected Server Reports, click Event Analysis.

Figure 11.4 Event Analysis.

3. In the From box, select Yesterday and then click Run.

Figure 11.5 Select Yesterday in the From box and then click Run.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 90

4. Expand the Protect Server object to see the events related to that server. You can also filter by event type, category, ID or source. Close the report.

Figure 11.6 Event Analysis Report.

5. Click Alerts

Figure 11.7 Alerts.

6. In the From box, select Yesterday and then click Run. Expand Antimalware Engine Malfunction to see more details.

Figure 11.8 Alert Report.

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 91

RESOURCES
Forefront Endpoint Protection 2010 Overview: http://www.microsoft.com/fep
System Center Configuration Manager Overview: http://www.microsoft.com/systemcenter/en/us/default.aspx

Forefront Endpoint Protection 2010 Datasheet: http://download.microsoft.com/download/E/8/1/E81B0B04-5A97-4C0C-8E157464EBCAAE7C/FEP_ds_FINAL%20110810.pdf, Forefront Endpoint Protection 2010 Evaluation Download: http://technet.microsoft.com/en-us/evalcenter/ff182914.aspx Forefront Endpoint Protection 2010 System Requirements: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-systemrequirements.aspx
Forefront Endpoint Protection 2010 Hyper-V enabled Virtual Machine Environment for Evaluation: http://go.microsoft.com/fwlink/?LinkId=190269

Forefront Endpoint Protection 2010 Deployment Guide: http://technet.microsoft.com/en-us/library/ff823762.aspx Forefront Endpoint Protection 2010 Technical Library: http://technet.microsoft.com/en-us/library/ff684073.aspx Forefront Endpoint Protection 2010 FAQ: http://www.microsoft.com/forefront/clientsecurity/en/us/endpoint-protection-faq.aspx
Forums: http://social.technet.microsoft.com/Forums/en-US/FCSNext/threads

Microsoft Forefront Endpoint Protection 2010

Evaluation Guide

Page 92