You can deploy antimalware policies to collections of
Microsoft System Center 2012
Configuration Manager client computers to specify how
Endpoint Protection protects them from malware and other
threats. These antimalware policies include information about the
scan schedule, the types of files and folders to scan, and the
actions to take when malware is detected. When you enable
Endpoint Protection, a default antimalware policy is applied
to client computers. You can also use additional policy templates
that are supplied or create your own custom antimalware policies to
meet the specific needs of your environment.
 Note |
| Configuration Manager supplies a selection of predefined
templates that are optimized for various scenarios and can be
imported into Configuration Manager. These templates are available
in the folder <ConfigMgr Install
Folder>\AdminConsole\XMLStorage\EPTemplates. |
 Important |
| If you create a new antimalware policy and deploy it to a
collection, this antimalware policy overrides the default
antimalware policy. |
Use the procedures in this topic to create or import antimalware
policies and assign them to System Center 2012
Configuration Manager client computers in your hierarchy.
To modify the default antimalware
policy
-
In the Configuration Manager console, click Assets
and Compliance.
-
In the Assets and Compliance workspace, expand
Endpoint Protection, and then click Antimalware
Policies.
-
Select the antimalware policy Default Client
Antimalware Policy and then, on the Home tab, in the
Properties group, click Properties.
-
In the Default Antimalware Policy dialog box,
configure the settings that you require for this antimalware
policy, and then click OK.
To create a new antimalware
policy
-
In the Configuration Manager console, click Assets
and Compliance.
-
In the Assets and Compliance workspace, expand
Endpoint Protection, and then click Antimalware
Policies.
-
On the Home tab, in the Create group,
click Create Antimalware Policy.
-
In the General section of the Create
Antimalware Policy dialog box, enter a name and a description
for the policy.
-
In the Create Antimalware Policy dialog box,
configure the settings that you require for this antimalware
policy, and then click OK.
-
Verify that the new antimalware policy is displayed in
the Antimalware Policies list.
To import an antimalware
policy
-
In the Configuration Manager console, click Assets
and Compliance.
-
In the Assets and Compliance workspace, expand
Endpoint Protection, and then click Antimalware
Policies.
-
In the Home tab, in the Create group,
click Import.
-
In the Open dialog box, browse to the policy
file to import, and then click Open.
-
In the Create Antimalware Policy dialog box,
review the settings to use, and then click OK.
-
Verify that the new antimalware policy is displayed in
the Antimalware Policies list.
To deploy an antimalware policy to
client computers
-
In the Configuration Manager console, click Assets
and Compliance.
-
In the Assets and Compliance workspace, expand
Endpoint Protection, and then click Antimalware
Policies.
-
In the Antimalware Policies list, select the
antimalware policy to deploy. Then, on the Home tab, in the
Deployment group, click Deploy.
| Note |
| The Deploy option cannot be used with the default client
malware policy. |
-
In the Select Collection dialog box, select the
device collection to which you want to deploy the antimalware
policy, and then click OK.
List of Antimalware Policy
Settings
Many of the antimalware settings are self-explanatory.
Use the following sections for more information about the settings
that might require more information before you configure them.
Scheduled Scans
| Setting name |
Description |
|
Scan type
|
You can specify one of two scan types to run on client
computers:
- Quick scan – This type of scan checks
the in-memory processes and folders where malware is typically
found. It requires fewer resources than a full scan.
- Full Scan – This type of scan adds a
full check of all local files and folders to the items scanned in
the quick scan. This scan takes longer than a quick scan and uses
more CPU processing and memory resources on client computers.
In most cases, use Quick scan to minimize the use of
system resources on client computers. If malware removal requires a
full scan, Endpoint Protection generates an alert that is
displayed in the Configuration Manager console.
The default value is Quick scan.
|
|
Randomize the scheduled scan start times (within 30
minutes)
|
Select True (Configuration Manager with no service pack)
or Yes (Configuration Manager SP1) if you want to help
avoid flooding the network, which can occur if all computers send
their antimalware scans results to the Configuration Manager
database at the same time.
This setting is also useful when you run multiple virtual
machines on a single host. Select this option to reduce the amount
of simultaneous disk access for antimalware scanning.
| Note |
| In Configuration Manager SP1, this setting appears in the
Advanced section of the antimalware policy settings. |
|
Scan Settings
| Setting name |
Description |
|
Scan network drives when running a full scan
|
Set to True (Configuration Manager with no service pack)
or Yes (Configuration Manager SP1) if you want to scan
any mapped network drives on client computers.
| Important |
| If you enable this setting, it might significantly increase the
scan time on client computers. |
|
Default Actions
Select the action to take when malware is detected on
client computers. The following actions can be applied, depending
on the alert threat level of the detected malware.
- Recommended – Use the action
recommended in the malware definition file.
- Quarantine – Quarantine the malware
but do not remove it.
- Remove – Remove the malware from the
computer.
- Allow – Do not remove or quarantine
the malware.
Real-time Protection
| Setting name |
Description |
|
Enable real-time protection
|
Set to True (Configuration Manager with no service pack)
or Yes (Configuration Manager SP1) if you want to
configure real-time protection settings for client computers. We
recommend that you enable this setting.
|
|
Monitor file and program activity on your computer
|
Set to True (Configuration Manager with no service pack)
or Yes (Configuration Manager SP1) if you want
Endpoint Protection to monitor when files and programs start
to run on client computers and to alert you about any actions that
they perform or actions taken on them.
|
|
Scan system files
|
This setting lets you configure whether incoming, outgoing, or
incoming and outgoing system files are monitored for malware. For
performance reasons, you might have to change the default value of
Scan incoming and outgoing files if a server has high
incoming or outgoing file activity.
|
|
Enable behavior monitoring
|
Enable this setting to use computer activity and file data to
detect unknown threats. When this setting is enabled, it might
increase the time required to scan computers for malware.
|
|
Enable protection against network-based exploits
|
Enable this setting to protect computers against known network
exploits by inspecting network traffic and blocking any suspicious
activity.
|
|
Enable script scanning
|
For Configuration Manager with no service pack only.
Enable this setting if you want to scan any scripts that run on
computers for suspicious activity.
|
Exclusion Settings
| Setting name |
Description |
|
Excluded files and folders
|
Click Set to open the Configure File and Folder
Exclusions dialog box and specify the names of the files and
folders to exclude from Endpoint Protection scans.
If you want to exclude files and folders that are located on a
mapped network drive, specify the name of each folder in the
network drive individually. For example, if a network drive is
mapped as F:\MyFolder and it contains subfolders named Folder1,
Folder2 and Folder 3, specify the following exclusions:
- F:\MyFolder\Folder1
- F:\MyFolder\Folder2
- F:\MyFolder\Folder3
|
Advanced
| Setting name |
Description |
|
Enable reparse point scanning
|
For System Center 2012
Configuration Manager SP1 and
System Center 2012 R2 Configuration Manager
only:
Set to Yes if you want Endpoint Protection to scan
NTFS reparse points.
For more information about reparse points, see Reparse Points in the
Windows Dev Center.
|
Threat Overrides
| Setting name |
Description |
|
Threat name and override action
|
Click Set to customize the remediation action to take for
each threat ID when it is detected during a scan.
| Note |
| The list of threat names might not be available immediately
after the configuration of Endpoint Protection. Wait until the
Endpoint Protection point has synchronized the threat
information, and then try again. |
|
Definition Updates
| Setting name |
Description |
|
Set sources and order for Endpoint Protection client
updates
|
Click Set Source to specify the sources for definition
and scanning engine updates, and to also specify the order in which
they are used. If Configuration Manager is specified as one of the
sources, then the other sources are used only if software updates
fails to download the client updates.
If you use any of the following methods to update the
definitions on client computers, then the client computers must be
able to access the Internet.
- Updates distributed from Microsoft Update
- Updates distributed from Microsoft Malware
Protection Center
| Important |
| Clients download definition updates by using the built-in
system account. You must configure a proxy server for this account
to enable these clients to connect to the Internet.If you have
configured a software updates automatic deployment rule to deliver
definition updates to client computers, these updates will be
delivered regardless of the definition updates settings. |
|
See Also
