Example Scenario for Protecting Computers From Malware by Configuring Endpoint Protection in Configuration Manager

This topic provides an example scenario for how you can implement Endpoint Protection in Microsoft System Center 2012 Configuration Manager to protect computers in an organization from malware attacks.

John is the Configuration Manager administrator at Woodgrove Bank. The bank currently uses Microsoft Forefront Endpoint Protection 2010 to protect computers against malware attacks. Additionally, the bank uses Windows Group Policy to ensure that the Windows Firewall is enabled on all computers in the company and that users are notified when Windows Firewall blocks a new program.

John has been asked to upgrade the Woodgrove Bank antimalware software to System Center 2012 Endpoint Protection so that the bank can benefit from the latest antimalware features and be able to centrally manage the antimalware solution from the Configuration Manager console. This implementation has the following requirements:

Use Configuration Manager to manage the Windows Firewall settings that are currently managed by Group Policy.
Use Configuration Manager software updates to download malware definitions to computers. If software updates are not available, for example if the computer is not connected to the corporate network, computers must download definition updates from Microsoft Update.
Users’ computers must perform a quick malware scan every day. Servers, however, must run a full scan every Saturday, outside business hours, at 1 A.M.
Send an email alert whenever any one of the following events occurs:
- Malware is detected on any computer
- The same malware threat is detected on more than 5 percent of computers
- The same malware threat is detected more than 5 times in any 24 hour period
- More than 3 different types of malware are detected in any 24 hour period
Uninstall the existing antimalware solution.

John then performs the following steps to implement Endpoint Protection:

Steps to implement Endpoint Protection

Process

Reference

John reviews the available information about the basic concepts for Endpoint Protection in Configuration Manager.

For overview information about Endpoint Protection, see Introduction to Endpoint Protection in Configuration Manager.

John reviews and implements the required prerequisites to use Endpoint Protection.

For information about the prerequisites for Endpoint Protection, see Prerequisites for Endpoint Protection in Configuration Manager.

John installs the Endpoint Protection site system role on one site system server only, at the top of the Woodgrove Bank hierarchy.

For more information about how to install the Endpoint Protection site system role, see the Step 1: Create an Endpoint Protection Point Site System Role section in the How to Configure Endpoint Protection in Configuration Manager topic.

John configures Configuration Manager to use an SMTP server to send the email alerts.

Note
You must configure an SMTP server only if you want to be notified by email when an Endpoint Protection alert is generated.

For more information, see How to Configure Alerts for Endpoint Protection in Configuration Manager.

Note
The email notification settings are different for Configuration Manager SP1 and Configuration Manager with no service pack.

John creates a device collection that contains all computers and servers to install the Endpoint Protection client. He names this collection All Computers Protected by Endpoint Protection.

Tip
You cannot configure alerts for user collections.

For more information about how to create collections, see How to Create Collections in Configuration Manager

He configures the following alerts for the collection:

Malware is detected: John configures an alert severity of Critical.
The same type of malware is detected on a number of computers : John configures an alert severity of Critical and specifies that the alert will be generated when more than 5 percent of computers have malware detected.
The same type of malware is repeatedly detected within the specified interval on a computer: John configures an alert severity of Critical and specifies that the alert will be generated when malware is detected more than 5 times in a 24 hour period.
Multiple types of malware are detected on the same computer within the specified interval: John configures an alert severity of Critical and specifies that the alert will be generated when more than 3 types of malware are generated in a 24 hour period.

Note
The value for Alert Severity indicates the alert level that will be displayed in the Configuration Manager console and in alerts that he receives in an email message.

He additionally selects the option View this collection in the Endpoint Protection dashboard so that he can monitor the alerts in the Configuration Manager console.

For more information, see How to Configure Alerts for Endpoint Protection in Configuration Manager.

John configures Configuration Manager software updates to download and deploy definition updates three times a day by using an automatic deployment rule.

Important
This frequency is suitable for Configuration Manager SP1. However, for performance reasons, in Configuration Manager with no service pack, do not schedule automatic deployment rules to deliver definition updates more than one time each day.

For more information, see the Using Configuration Manager Software Updates to Deliver Definition Updates section in the How to Configure Definition Updates for Endpoint Protection in Configuration Manager topic.

John examines the settings in the default antimalware policy, which contains recommended security settings from Microsoft. For computers to perform a quick scan every day to, he changes the following settings:

Run a daily quick scan on client computers: Yes.
Daily quick scan schedule time: 9:00 AM.

John notes that Updates distributed from Microsoft Update is selected by default as a definition update source. This fulfills the business requirement that computers download definitions from Microsoft Update when they cannot receive Configuration Manager software updates.

For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

John creates a collection that contains only the Woodgrove Bank servers named Woodgrove Bank Servers.

For more information about how to create collections, see How to Create Collections in Configuration Manager

John creates a custom antimalware policy named Woodgrove Bank Server Policy. He adds only the settings for Scheduled scans and makes the following changes:

Scan type: Full
Scan day: Saturday
Scan time: 1:00 AM
Run a daily quick scan on client computers: No.

For more information, see How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager.

John deploys the Woodgrove Bank Server Policy custom antimalware policy to the Woodgrove Bank Servers collection.

For more information, see the To deploy an antimalware policy to client computers section in the How to Create and Deploy Antimalware Policies for Endpoint Protection in Configuration Manager topic.

John creates a new set of custom client device settings for Endpoint Protection and names these Woodgrove Bank Endpoint Protection Settings.

Warning
If you do not want to install and enable Endpoint Protection on all clients in your hierarchy, make sure that the options Manage Endpoint Protection client on client computers and Install Endpoint Protection client on client computers are both configured as No in the default client settings.

For more information, see the Step 5: Configure Custom Client Settings for Endpoint Protection section in the How to Configure Endpoint Protection in Configuration Manager topic.

He configures the following settings for Endpoint Protection:

Manage Endpoint Protection client on client computers: Yes

This setting and value ensures that any existing Endpoint Protection client that is installed becomes managed by Configuration Manager.
Install Endpoint Protection client on client computers: Yes.
Automatically remove previously installed antimalware software before Endpoint Protection is installed: Yes.

This setting and value fulfills the business requirement that the existing antimalware software is removed before Endpoint Protection is installed and enabled.

For more information, see the Step 5: Configure Custom Client Settings for Endpoint Protection section in the How to Configure Endpoint Protection in Configuration Manager topic.

John deploys the Woodgrove Bank Endpoint Protection Settings client settings to the All Computers Protected by Endpoint Protection collection.

For more information, see the How to Create and Deploy Custom Client Settings section in the How to Configure Client Settings in Configuration Manager topic.

John uses the Create Windows Firewall Policy Wizard to create a policy by configuring the following settings for the domain profile:

Enable Windows Firewall: Yes
Notify the user when Windows Firewall blocks a new program: Yes

For more information, see the To create a Windows Firewall policy section in the How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager

John deploys the new firewall policy to the collection All Computers Protected by Endpoint Protection that he created earlier.

For more information, see the To deploy a Windows Firewall policy section in the How to Create and Deploy Windows Firewall Policies for Endpoint Protection in Configuration Manager

John uses the available management tasks for Endpoint Protection to manage antimalware and Windows Firewall policies, perform on-demand scans of computers when necessary, force computers to download the latest definitions, and to specify any further actions to take when malware is detected.

For more information about the Endpoint Protection management tasks, see How to Manage Antimalware Policies and Firewall Settings for Endpoint Protection in Configuration Manager.

John uses the following methods to monitor the status of Endpoint Protection and the actions that are taken by Endpoint Protection:

By using the System Center 2012 Endpoint Protection Status node in the Monitoring workspace.
By using the Endpoint Protection node in the Assets and Compliance workspace.
By using the built-in Configuration Manager reports.

For more information about the System Center 2012 Endpoint Protection Status node, see the How to Monitor Endpoint Protection by Using the System Center 2012 Endpoint Protection Status Node section in the How to Monitor Endpoint Protection in Configuration Manager topic.

For more information about how to monitor Endpoint Protection in the Assets and Compliance workspace, see the How to Monitor Endpoint Protection in the Assets and Compliance Workspace section in the How to Monitor Endpoint Protection in Configuration Manager topic.

For more information about how to monitor Endpoint Protection by using reports, see the How to Monitor Endpoint Protection by Using Reports section in the How to Monitor Endpoint Protection in Configuration Manager topic.

John reports a successful implementation of Endpoint Protection to his manager, and confirms that the computers at Woodgrove Bank are now protected from antimalware, according to the business requirements that he was given.

Steps to implement Endpoint Protection

See Also

Other Resources