Forefront Endpoint Protection


Jack Cobben
                                                                                                                                       Page number 1


1. Contents

2. Release Notes
   Microsoft Forefront Endpoint Protection 2010
      Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails
      X-axis labels not displaying properly for the Antimalware Protection Summary report
      Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server
   Microsoft Forefront Endpoint Protection 2010 Client Software
      Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients
   Operating system upgrade
   Custom scan on virtual drives in Windows XP
   Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems
   Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full
3. Overview
   Why Use Forefront Endpoint Protection
   Easy to Deploy
   Easy to Manage
   Unified Protection
   Decision Considerations for FEP and the FEP Security Management Pack
4. Dashboard Overview
5. Reports Overview
6. System Requirements
   Prerequisites for Installing Forefront Endpoint Protection on a Server
      Forefront Endpoint Protection Server Prerequisites
      Forefront Endpoint Protection Console Prerequisites
   Prerequisites for Deploying Forefront Endpoint Protection on a Client
   Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack
7. Getting Started
   Getting Assistance
      Where to find Forefront Endpoint Protection Help and Assistance
   Providing Feedback



Release Notes
                                                                                                                                    Page number 2

8. Planning and Architecture
   Forefront Endpoint Protection 2010
      Forefront Endpoint Protection and High Availability
   About Configuration Manager Site Topologies and FEP 2010
      Single-Site Deployment
      Hierarchical Deployment
      Forefront Endpoint Protection Installed on the Parent and Child Sites
      Forefront Endpoint Protection Installed on the Child Sites
   About Basic Setup
      Basic Topology
   About Basic with Remote Reporting Database Setup
      Basic Topology with Remote Reporting Database
   FEP 2010 Security Management Pack
   Forefront Endpoint Protection Client
      Policies
      System Requirements
      Competitive Uninstall
      Forefront Endpoint Protection Client Deployment Options
      Definition Updates
   About Configuring Clients by Using Policies
      Creating and Configuring Policies
      Deploying Policies
   Planning for Definition Updates
   Migrating from Forefront Client Security to Forefront Endpoint Protection
      Client Update for Microsoft Forefront Client Security (1.0.xxxx.0)
9. Server Installation
   FEP 2010
      Overview of Installing Forefront Endpoint Protection
      Installation Options
      Installing Using Basic Setup
         Prerequisites
      Installing Using Basic with a Remote Reporting Database Setup
      Installing Using Advanced Setup
      Validating Installation
      Configuring the Client Software on a Configuration Manager Site Server
      Moving from a Public RC Version to a Retail Version
      Uninstalling
   FEP 2010 Security Management Pack
      Overview of Installing the Forefront Endpoint Protection Security Management Pack
      About Agents
      Extracting the FEP 2010 Security Management Pack Files
      Importing the FEP 2010 Security Management Pack
      Configuring Client Discovery
      Create a New Management Pack for Customizations
10. Client Deployment
   Overview of Deploying Forefront Endpoint Protection
   FEP 2010
      Deploying by Using Configuration Manager Packages
      Deploying Manually
      Deploying the Client Software by Using the Command Prompt
      Validating Deployment
      Uninstalling
   Enforcing the Client Software Deployment
      Deploying the FEP Client Software to a FEP Collection
      To create a reinstall advertisement
11. Operations
   Configuring Client Settings by Using Policies
      FEP Policies
      Creating a Policy
      Duplicating a Policy
      Editing a Policy
      Exporting a Policy
      Importing a Policy
      Setting Policy Precedence
      Assigning a Policy to Endpoint Computers
      Using Group Policy with FEP
      Converting FEP Policies to Group Policy
      Merging Settings from Multiple Policy Files
      Exporting Policy Settings to a FEP Policy File
      Configuring and Viewing FEP Group Policy Settings
   FEP Policy Templates
      About Preconfigured Policy Templates
      Applying Policies from the Command Prompt
      Updating Policies from the Command Prompt
   Common Tasks
      Running an Endpoint Protection Scan
      Managing Windows Firewall Protection
      Retrieving the Effective Endpoint Protection Settings
      Forcing Definition Updates
   Configuring Definition Updates
      Configuring Update Synchronization
      Microsoft Update Definition Updates
      File-Share-Based Definition Updates
   FEP Monitoring
      Monitoring Client Status by Using the Dashboard
      Using Alerts to Monitor Malware Detections
      Using Desired Configuration Management to Monitor Client Compliance
   FEP 2010 Security Management Pack Monitoring
      Security Considerations
      Health Rollup
      Object Classes
      About Discovery
      About Views
      About Monitors
      Monitoring Using Overrides
      About Rules
      About Alerts
      About Tasks
      Placing Objects in Maintenance Mode
      Configuring Notification Settings
   FEP 2010 Reports
      Forefront Endpoint Protection Security Reports
      Command options
      Operational Reports
      Displaying Computers Infected by a Specific Malware
      Displaying Recent Malware Infections
      Subscribing to Reports
   FEP 2010 Security Management Pack Reporting
      FEP Health and Deployment Status Schema
      FEP Security Incidents schema
   Disaster Recovery for FEP 2010 on Configuration Manager
      Backup
      Restore
   Automating Day-to-Day Tasks by Using Windows PowerShell
      Deploying or Removing the FEP Client Software
      Assigning and Unassigning FEP Policies to Collections
      Automating Desired Configuration Management
      Automating the FEP Dashboard
      Automating Tasks on Client Computers
      Automating FEP Reports
12. Troubleshooting
   Using the FEP Best Practices Analyzer
   Troubleshooting FEP and Configuration Manager
      FEP Log Files
   Troubleshooting the FEP Security Management Pack and Operations Manager
13. Technical Reference
   FEP 2010 Policy - Default Settings
      Antimalware Settings
      Updates Settings
      Windows Firewall Settings
   Security Management Pack Monitors
      Forefront Endpoint Protection 2010 Security Management Pack Monitors
   Security Management Pack Tasks
      Forefront Endpoint Protection 2010 Security Management Pack Tasks
   FEP ADMX Reference
   FEP2010 Client Help
      Welcome to Microsoft Forefront Endpoint Protection
      Why do I need antivirus and antispyware software?
      How can I tell if my computer is infected with malicious software?
      What should I do if Forefront Endpoint Protection detects malicious software on my computer?
      Using Forefront Endpoint Protection to remove potentially harmful software
      Frequently asked questions about malicious software
      How to help prevent malicious software infections
      How to help prevent malicious software infections
   Getting started
      Understanding alert levels
      What are recommended actions?
      Applying default actions to detected items
   Scanning for viruses, spyware, and other potentially unwanted software
      To scan the areas of your computer that malicious software is most likely to infect (Quick scan)
      To scan all areas of your computer (Full scan)
      To scan specific areas of your computer only (Custom scan)
      Running a custom scan
      To scan a specific file or folder (right-click scan)
      Running a right-click scan
      Scheduling scans
      When is the best time to run a scan on my computer?
      Responding to potential threats after a scan
      How can I view a scan's progress?
      What are advanced scanning options?
      Excluding items from a scan
   What's real-time protection?
      Understanding real-time protection options
      Turning real-time protection on and off
   How do I know that Forefront Endpoint Protection is running on my computer?
      How to set up Forefront Endpoint Protection alerts
   What are virus and spyware definitions?
      How do I keep virus and spyware definitions up to date?
      Running a scan using the latest updates
   How do I remove or restore items quarantined by Forefront Endpoint Protection?
      To remove or restore quarantined items
      How do I add or remove items from the Forefront Endpoint Protection allowed list?
      How do I view or clear the history in Forefront Endpoint Protection?
      What if I want to download or run a program that Forefront Endpoint Protection detects as potentially harmful?
      Privacy settings for detected items
   What is the Microsoft SpyNet Community?
      Reporting suspicious software to Microsoft SpyNet
      Changing your Microsoft SpyNet community membership
      Where can I find the Forefront Endpoint Protection privacy statement?
      Where can I find the Forefront Endpoint Protection license agreement?
   Troubleshooting
      Troubleshooting Update Issues
      I can't start the Forefront Endpoint Protection service
      I can't install Forefront Endpoint Protection
      I can't connect to the Internet issue (General topic)
      Error "0x8*******" encountered while virus and spyware definition updates or product upgrades
      Forefront Endpoint Protection detects a threat but can't remediate it




2. Release Notes

These release notes contain information that is required to successfully install, deploy, and use
Microsoft® Forefront® Endpoint Protection. They contain information that is not available in the
product documentation.

Microsoft Forefront Endpoint Protection 2010
Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails
The user account used to run a repair on Forefront Endpoint Protection Reporting must be assigned
the Content Manager SQL Server Reporting Services role.

For more information about the Content Manager SQL Server Reporting role, see Content Manager
Role (http://go.microsoft.com/fwlink/?LinkId=207653) in the SQL Server Books Online.

Note: When User Account Control (UAC) is enabled on the SQL Server Reporting Services server, the
role assignment cannot be inherited from the following groups or repair will fail:

     •    Administrators—local group

     •    Domain Administrators—domain group


X-axis labels not displaying properly for the Antimalware Protection Summary report
In some circumstances, when running the Antimalware Protection Summary report, the x-axis labels
do not display properly. This occurs only when running Microsoft SQL Server® 2008 or SQL Server
2008 R2 reporting services.

Install one of the following SQL Server cumulative updates to fix the report:

    •    Cumulative Update package 3 for SQL Server 2008 R2
         (http://go.microsoft.com/fwlink/?LinkId=204839)

    •    Cumulative update package 10 for SQL 2008 Service Pack 1
         (http://go.microsoft.com/fwlink/?LinkId=204840)

Note: It is recommended that you install the SQL Server cumulative update prior to installing Forefront
Endpoint Protection. If the SQL Server cumulative update is installed after Forefront Endpoint
Protection was installed, you will need to run a repair on the Microsoft Forefront Endpoint
Protection 2010 Reporting component.





Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server
After installing Forefront Endpoint Protection you cannot change your membership in the Customer
Experience Improvement Program (CEIP) through the user interface.

To manually configure the CEIP setting, modify the following registry key on the Forefront Endpoint
Protection server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config\SqmEnabled

    •   Setting the registry key to 1 joins the CEIP.

    •   Setting the registry key to 0 removes membership in the CEIP.

For the change to take effect you need to restart the computer.

Microsoft Forefront Endpoint Protection 2010 Client Software
Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients
Forefront Endpoint Protection clients automatically join the Customer Experience Improvement
Program (CEIP). Users can modify this setting; however, the administrator cannot control the CEIP
setting via a Forefront Endpoint Protection policy created in the Configuration Manager console.

To configure the CEIP setting, create the following registry key on the Forefront Endpoint Protection
client computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove

    •   Setting the registry key to 1 joins the CEIP (default).

    •   Setting the registry key to 0 removes membership in the CEIP.

After the registry key has been created, the user can no longer change this setting from the Forefront
Endpoint Protection client.

For the change to take effect you need to restart the computer.

Operating system upgrade
After the operating system on a client computer is upgraded, the Forefront Endpoint Protection
client software no longer functions as expected. To avoid this, you must uninstall the Forefront
Endpoint Protection client software before running the operating system upgrade.

This applies to the following operating system upgrade paths:

    •   Windows XP to Windows Vista®

    •   Windows Vista to Windows Vista SP1, Windows Vista SP2, or Windows® 7






Custom scan on virtual drives in Windows XP
On computers running Windows XP, malware residing on a virtual drive is not detected during a
custom scan of the virtual drive. A virtual drive is created by applications that use Application
Virtualization (App-V) technology, such as Microsoft Office 2010. Quick scans and full scans properly
detect the malware.

Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems
The Forefront Endpoint Protection client software does not uninstall the Symantec Antivirus
Corporate Edition client on computers running a 64-bit operating system. On these computers, you
need to manually uninstall Symantec software before deploying the Forefront Endpoint Protection
client software.

Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full
Client malware activity incidents are reported from the client to the Forefront Endpoint Protection
server based on the entries in the System event log. If the System event log is full and no new events
can be written, no new malware activity is reported to the Forefront Endpoint Protection server.

It is recommended that you configure the properties of the System event log to overwrite events
when needed, so that new events can be written and are not lost.
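The registry and event-log settings described in these release notes, as an added PowerShell example that is not part of the FEP documentation: it reads and writes the server and client CEIP values named above and checks whether the System log is set to overwrite events as needed. It assumes an elevated Windows PowerShell session on the computer being configured; the function names are this example's own, not FEP cmdlets.

```powershell
# Added example, not from the FEP documentation. Reads and sets the CEIP
# registry values named in the release notes and checks the System event log
# overflow setting. Run elevated; a restart is still needed for the CEIP change.
# Function names are this example's own, not FEP cmdlets.

# Server value: HKLM\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config\SqmEnabled
$ServerCeipKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config'
$ServerCeipValue = 'SqmEnabled'
# Client policy value: HKLM\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove
$ClientCeipKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration'
$ClientCeipValue = 'SqmConsentApprove'

function Resolve-FepCeipLocation {
    param([Parameter(Mandatory=$true)][ValidateSet('Server', 'Client')][string]$Role)
    if ($Role -eq 'Server') { return @{ Key = $ServerCeipKey; Name = $ServerCeipValue } }
    return @{ Key = $ClientCeipKey; Name = $ClientCeipValue }
}

function Get-FepCeipSetting {
    # Returns 1 (joined), 0 (opted out) or $null when the value does not exist yet.
    # On a client, $null means users can still change CEIP from the FEP client UI.
    param([Parameter(Mandatory=$true)][ValidateSet('Server', 'Client')][string]$Role)
    $loc = Resolve-FepCeipLocation -Role $Role
    if (-not (Test-Path -Path $loc.Key)) { return $null }
    $item = Get-ItemProperty -Path $loc.Key -Name $loc.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.($loc.Name)
}

function Set-FepCeipSetting {
    # $Join $true writes 1 (join CEIP); $false writes 0 (remove membership).
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server', 'Client')][string]$Role,
        [Parameter(Mandatory=$true)][bool]$Join
    )
    $loc = Resolve-FepCeipLocation -Role $Role
    # The client Policies key does not exist until an administrator creates it.
    if (-not (Test-Path -Path $loc.Key)) { New-Item -Path $loc.Key -Force | Out-Null }
    $value = 0
    if ($Join) { $value = 1 }
    Set-ItemProperty -Path $loc.Key -Name $loc.Name -Value $value -Type DWord
    Write-Warning "CEIP setting for $Role written as $value; restart the computer for it to take effect."
}

function Test-SystemLogOverwrite {
    # $true when the System log overwrites events as needed, so FEP malware
    # reporting (which is driven by System log entries) does not stall when the log fills.
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'System' }
    return ($log.OverflowAction -eq 'OverwriteAsNeeded')
}

function Set-SystemLogOverwrite {
    # Applies the release-note recommendation to the System log.
    Limit-EventLog -LogName System -OverflowAction OverwriteAsNeeded
}

# Usage on a client: enforce the CEIP choice by policy (users then cannot change
# it in the FEP client) and make sure the System log cannot fill up.
# Set-FepCeipSetting -Role Client -Join $false
# if (-not (Test-SystemLogOverwrite)) { Set-SystemLogOverwrite }
# Get-FepCeipSetting -Role Client
```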


    3. Overview
Microsoft® Forefront® Endpoint Protection 2010 (FEP) is a security and antimalware solution
integrated into System Center Configuration Manager 2007, and the Forefront Endpoint Protection
Security Management Pack is a security and antimalware management solution for servers and
critical, high-priority computers, integrated into System Center Operations Manager 2007. Together,
they are a software solution that provides security and antimalware management for desktops,
portable computers, and servers. Together they provide a lower total cost-of-ownership enterprise
solution that enables desktop administrators in your organization to add security management to
their day-to-day operations, within a familiar framework and without requiring specialized security
knowledge.

FEP and the FEP Security Management Pack leverage the familiar administrative experience of
managing and monitoring endpoints. They improve visibility for identifying and remediating
potentially vulnerable endpoints while lowering ownership costs by using existing infrastructure for
both endpoint management and security.

The FEP client software deploys effortlessly to hundreds of thousands of endpoints by using existing
System Center Configuration Manager agents, and provides highly accurate detection of known and
unknown threats, as well as actively protecting against network-level attacks by managing basic
Windows Firewall configurations.

FEP and the FEP Security Management Pack provide the following features:




    •   Integration with your existing system management infrastructure

    •   Proven antimalware engine

    •   Reporting functionality

    •   In FEP, policy-based antimalware management

    •   In FEP, Firewall management

    •   Seamless migration from previous antivirus solutions

Why Use Forefront Endpoint Protection
Forefront Endpoint Protection and the FEP Security Management Pack provide seamless integration
with the management products you use on a daily basis.

The key benefits are described below.

Easy to Deploy
Forefront Endpoint Protection makes it easy for desktop administrators to roll out a large-scale
endpoint protection solution to all user desktops and portable computers, while the FEP Security
Management Pack makes it simple to roll out real-time alerting and reporting for servers and critical,
high-priority client computers.

FEP comes complete with policy templates, for both recommended client configurations and typical
server workloads, which are ready to use right out-of-the box, taking the guesswork out of security
management. While no advanced customization is required, it is easy to customize policies to meet
the needs of your organization. Forefront Endpoint Protection supports deployments that are built
on the familiar System Center Configuration Manager software distribution infrastructure, while the
FEP Security Management Pack, built on System Center Operations Manager, supports servers and
critical high-priority client computers. Using Forefront Endpoint Protection, you can deploy the client

    •   Across various topologies to support non-domain-joined computers, endpoints at different
        branch offices, in addition to unmanaged (stand-alone) clients.

    •   To seamlessly upgrade or replace previously installed security solutions.

    •   On various Windows® operating systems.

Easy to Manage
Forefront Endpoint Protection and the FEP Security Management Pack offer both the desktop
administrator and the server administrator a streamlined security management experience. Built on
the familiar System Center interfaces, it gives administrators simplified access to the information and
tools they need in order to keep their enterprise secure and running, including the following:

    •   In FEP, policy-based administration

    •   Remediation capabilities including scanning and updating definitions on client computers




    •   Current and historical reporting that enables administrators to answer critical security
        questions, such as:

            •   What percentage of computers are currently protected?

            •   Is antivirus software installed and turned on?

            •   Are the latest definitions installed?

            •   What malware was detected in the organization?

            •   What computers currently have malware activity?

            •   How can I improve my organizational security?

Forefront Endpoint Protection is built on System Center Configuration Manager, and the FEP Security
Management Pack is built on System Center Operations Manager.

Unified Protection
Forefront Endpoint Protection delivers single-agent, multithreat protection for desktops and portable
computers, and the FEP Security Management Pack provides management of servers and critical
high-priority client computers. Backed by a world-class response center and a dedicated community
(Microsoft SpyNet®) serving millions of users, the FEP client includes:

    •   Antimalware and antispyware

    •   Rootkit detection and remediation

    •   Critical vulnerability assessment and automatic updates

    •   Integrated Windows Firewall management

    •   Network Inspection System

The FEP client helps users stay secure and productive both at work and on the go with a lightweight,
easy-to-use interface. It is built on the same antimalware engine as Microsoft Security Essentials
(MSE), which has been delighting millions of consumers with low false positives and high catch rates.
Whenever possible, the FEP client automatically solves security issues as they occur without
disturbing users, so users can stay safe and continue with their work without contacting their
desktop administrators.

Decision Considerations for FEP and the FEP Security Management Pack
Both FEP and the FEP Security Management Pack provide best-of-breed security protection for
desktops, portable computers, and servers. You can implement either FEP or the FEP Security
Management Pack, or you can implement both to take advantage of the features of each.

Choosing when to implement each requires that you evaluate your security needs. Consider the
questions in the following table.








    •   If: You are already using System Center Configuration Manager to manage your enterprise.
        Then: You can easily implement Forefront Endpoint Protection to integrate security into your
        computer management solution.

    •   If: You are using System Center Operations Manager to manage your data center.
        Then: You can implement the FEP Security Management Pack to monitor your servers and critical
        high-priority computers.

    •   If: You need real-time reporting and monitoring for any of your computers or servers.
        Then: The FEP Security Management Pack can provide real-time monitoring and alerting for the
        servers (and high-priority client computers) you designate.

    •   If: You are using the Desired Configuration Management (DCM) feature in Configuration Manager.
        Then: Forefront Endpoint Protection provides additional DCM checks that allow you to report on
        the status of security areas within your Configuration Manager environment.

    •   If: You are managing any branch offices or non-domain-joined clients.
        Then: Configuration Manager supports both of these scenarios, and Forefront Endpoint Protection,
        built on Configuration Manager, can take full advantage of this support.

    •   If: The desktop administrators in your organization are responsible for desktop security.
        Then: If you have implemented Configuration Manager for desktop administration, your desktop
        administrators can work within the familiar interface of Configuration Manager.

    •   If: You need historical reporting for malware events.
        Then: Both Forefront Endpoint Protection and the FEP Security Management Pack are an option for
        you. Both maintain a historical record of malware information in your organization.






    4. Dashboard Overview
The Forefront Endpoint Protection dashboard provides key information for tracking the status of
client software deployments, antimalware activity, definition updates, policy distributions, and client
software compliance. The dashboard contains several summary areas displayed on a single page, and
works by querying the Configuration Manager Site database, and using the resulting data sets to
present key metrics in a graphical format.

The Forefront Endpoint Protection dashboard is located in the Configuration Manager console, in the
following path in the tree:

Site Database / Computer Management / Forefront Endpoint Protection

The following table describes the summary areas displayed in the Forefront Endpoint Protection
dashboard:

Client Deployment Status
    This area displays the following information:

        •   The number of computers in your organization to which the client software was not targeted.

        •   The number of computers in your organization to which the client software is targeted.

    The set of computers to which the client software is targeted is divided into the following
    deployment states:

        •   Removed

        •   Failed

        •   Pending

        •   Out of date

        •   Deployed

Protection Status
    This area displays the reporting status for the FEP client software. There are three possible
    status values:

        •   Protection service off—The number of computers on which the FEP antimalware service is
            turned off.

        •   Not reporting—The number of computers to which the FEP client has been deployed, but which
            have not sent a status report back to the Configuration Manager server in the past 14 days.

        •   Healthy—The number of computers running the FEP client software that have sent a status
            report back to the Configuration Manager server in the past 14 days.

Security Status
    This area displays information about malware activity in your organization. The possible states of
    the FEP client software are as follows:

        •   Infected—The number of computers on which the FEP client software has detected active
            malware.

        •   Restart required—The number of computers running the FEP client software that require a
            restart in order to complete malware cleaning.

        •   Full scan required—The number of computers running the FEP client software that require a
            full scan.

        •   Recent malware activity (Last 24 hours)—The number of computers on which the FEP client
            software detected and cleaned malware within the last 24 hours.

Definition Status
    This area displays information about the age of the FEP antimalware definitions on the client
    computers. Computers are listed according to the age category into which the definitions fall.
    The following is a list of possible categories:

        •   Older than 1 week—The number of client computers with definitions more than 1 week old.

        •   Up to 7 days old—The number of client computers with definitions up to 1 week old.

        •   Up to 3 days old—The number of client computers with definitions up to 3 days old.

        •   Up to date—The number of client computers with up-to-date definitions.

    Data for this dashboard area is collected by Configuration Manager Desired Configuration
    Management (DCM) baselines. For more information about DCM baselines and Forefront Endpoint
    Protection, see Using Desired Configuration Management to Monitor Client Compliance.

Policy Distribution Status
    This area displays information about the possible policy distribution states for the FEP client
    software. The following is a list of the possible states:

        •   Failed—The number of computers to which a policy could not be deployed.

        •   Pending—The number of computers to which a policy is in the process of being deployed.

        •   Distributed—The number of computers to which a policy was successfully deployed.

Forefront Endpoint Protection Baselines
    This area displays summary status information for FEP client compliance with FEP configuration
    baselines. For more information, see Using Desired Configuration Management to Monitor Client
    Compliance.




    5. Reports Overview
Reporting in Forefront Endpoint Protection is integrated into the Configuration Manager console. The
information is gathered using the standard Configuration Manager data collection mechanism and is
stored in the Forefront Endpoint Protection reporting database. Since this information is gathered at
scheduled intervals, reports may not reflect the most recent information.

Forefront Endpoint Protection presents the information gathered in the reporting database in
summary and detailed reports, which contain links that can be clicked to view the related reports.
There are several predefined reports located under the Forefront Endpoint Protection Reports node
and under the standard Configuration Manager Reporting node; these broadly divide into security
reports and operational reports, respectively.

The following table is a list of the available reports.

Report name (Type): Description

Antimalware Activity Report (Security)
    This report provides an overview of antimalware status, malware alerts, and malware detections.

Antimalware Protection Summary Report (Security)
    This report provides an overview of antimalware deployment and health.

Malware Details Report (Security)
    This report displays further details about a specific malware.

Computer List Report (Security)
    This report displays a list of computers that can be filtered by collection, name, protection
    status, security state, antimalware signature version, detected malware, and last antimalware
    scan time.

Computer Details Report (Security)
    This report displays further details about a specific computer.

Deployment Overview (Operational)
    This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client
    deployment status per collection.

Deployment for a specific collection (Operational)
    This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client
    deployment status for a specific collection.

Computers with a specific deployment state (Operational)
    This report displays a list of computers in a collection and the specific deployment state.

Policy Distribution Overview (Operational)
    This report displays the breakdown of policy distribution states per collection. The report will
    only enumerate computers with Microsoft Forefront Endpoint Protection 2010 deployed.

Policy Distribution for a specific collection (Operational)
    This report displays the policy distribution states for a specific collection.

Computers with a specific policy distribution state (Operational)
    This report displays a list of computers in a collection and the specific policy state.

FEP information for a specific computer (Operational)
    This report displays a summary of Forefront Endpoint Protection information for a specific
    computer.






    6. System Requirements
To get started with Microsoft Forefront Endpoint Protection 2010, your computers must meet the
minimum requirements for installing the Forefront Endpoint Protection server and deploying the
Forefront Endpoint Protection client. Use the following topics to help you prepare the computers in
your environment:

    •   Prerequisites for Installing Forefront Endpoint Protection on a Server

    •   Prerequisites for Deploying Forefront Endpoint Protection on a Client

    •   Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

Prerequisites for Installing Forefront Endpoint Protection on a Server
The Forefront Endpoint Protection Setup wizard includes a prerequisites verification that checks that
the prerequisites are already installed before you continue with the installation. If the prerequisites
verification check identifies missing prerequisites, the check points you to locations where you can
download and install the required components.
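A scripted version of part of that prerequisite check, as an added PowerShell example rather than the Setup wizard's own verification: it tests the memory, disk, operating system, domain membership, SQL Server service and port requirements from the server prerequisites table that follows. It assumes an elevated Windows PowerShell session on the intended FEP server; the SQL Server host name is a placeholder and the function names are this example's own.

```powershell
# Added example, not the FEP Setup wizard's own prerequisite verification.
# Re-checks part of the server prerequisites table from an elevated Windows
# PowerShell session on the intended FEP server: 2 GB of RAM; 600 MB + 1.25 GB
# + 1.25 GB of disk; a supported Windows Server version and service pack;
# domain membership; and, on the SQL Server host, the SQL services running and
# set to start automatically plus TCP 1433 / TCP 2383 reachable.
# 'SQLSERVER01' is a placeholder; the function names are this example's own.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Raw TcpClient so the check also works where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-CheckResult {
    param([string]$Check, [bool]$Pass, [string]$Detail = '')
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-FepServerPrerequisites {
    param(
        [string]$SqlHost = 'SQLSERVER01',   # placeholder for the SQL Server host
        [string]$InstallDrive = 'C'         # drive holding server, database and reporting files
    )
    $results = @()

    # Memory: 2 GB minimum.
    $cs = Get-WmiObject Win32_ComputerSystem
    $results += New-CheckResult 'Memory >= 2 GB' ($cs.TotalPhysicalMemory -ge 2GB) `
        ('{0:N1} GB installed' -f ($cs.TotalPhysicalMemory / 1GB))

    # Disk: 600 MB (server) + 1.25 GB (database) + 1.25 GB (reporting database),
    # assuming all three land on $InstallDrive.
    $needed = 600MB + 1.25GB + 1.25GB
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${InstallDrive}:'"
    $results += New-CheckResult "Free space on ${InstallDrive}: >= 3.1 GB" ($disk.FreeSpace -ge $needed) `
        ('{0:N1} GB free' -f ($disk.FreeSpace / 1GB))

    # OS: Server 2003 SP2 (5.2), Server 2008 SP1 (6.0) or Server 2008 R2 (6.1).
    # ProductType 1 is a workstation, which the table does not list.
    $os = Get-WmiObject Win32_OperatingSystem
    $mm = ($os.Version -split '\.')[0..1] -join '.'
    $spNeeded = @{ '5.2' = 2; '6.0' = 1; '6.1' = 0 }
    $osOk = ($os.ProductType -ne 1) -and $spNeeded.ContainsKey($mm) -and ([int]$os.ServicePackMajorVersion -ge $spNeeded[$mm])
    $results += New-CheckResult 'Supported Windows Server and service pack' $osOk `
        "$($os.Caption) SP$($os.ServicePackMajorVersion)"

    # The table requires computers running SQL Server to be domain-joined; check this box too.
    $results += New-CheckResult 'Computer is domain-joined' $cs.PartOfDomain $cs.Domain

    # SQL Server services on the SQL host: all running and, for nonclustered
    # environments, set to start automatically (WMI StartMode 'Auto').
    $filter = "Name LIKE 'MSSQL%' OR Name = 'SQLSERVERAGENT' OR Name LIKE 'SQLAgent%' OR " +
              "Name LIKE 'MSOLAP%' OR Name LIKE 'ReportServer%' OR Name LIKE 'MsDtsServer%'"
    $svcs = @(Get-WmiObject Win32_Service -ComputerName $SqlHost -Filter $filter -ErrorAction SilentlyContinue)
    $stopped = @($svcs | Where-Object { $_.State -ne 'Running' } | ForEach-Object { $_.Name })
    $manual  = @($svcs | Where-Object { $_.StartMode -ne 'Auto' } | ForEach-Object { $_.Name })
    $results += New-CheckResult "SQL Server services found on $SqlHost" ($svcs.Count -gt 0) "$($svcs.Count) service(s)"
    $results += New-CheckResult 'All SQL Server services running' ($svcs.Count -gt 0 -and $stopped.Count -eq 0) ($stopped -join ', ')
    $results += New-CheckResult 'All SQL Server services start automatically' ($svcs.Count -gt 0 -and $manual.Count -eq 0) ($manual -join ', ')

    # Firewall on the Analysis Services computer: SQL Server (TCP 1433) and
    # SQL Server Analysis Services (TCP 2383) must accept incoming traffic.
    foreach ($port in 1433, 2383) {
        $results += New-CheckResult "TCP $port reachable on $SqlHost" (Test-TcpPort -ComputerName $SqlHost -Port $port)
    }

    return $results | Select-Object Check, Pass, Detail
}

# Usage: anything reported with Pass = False blocks Setup until it is fixed.
Test-FepServerPrerequisites -SqlHost 'SQLSERVER01' | Format-Table -AutoSize
```

The sysadmin role membership and the Analysis Services server administrator role are not checked here; those still need to be confirmed in SQL Server Management Studio.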

Forefront Endpoint Protection Server Prerequisites
The following table is the list of minimum requirements for installing the Forefront Endpoint
Protection server.

Prerequisite: Memory
    Minimum requirements: 2 GB of RAM

Prerequisite: Available disk space
    Minimum requirements:

        •   Forefront Endpoint Protection server: 600 MB

        •   Forefront Endpoint Protection database: 1.25 GB

        •   Forefront Endpoint Protection reporting database: 1.25 GB

    Notes: For large scale deployments comprised of more than 10,000 client computers, on the computer
    running Microsoft SQL Server® where the Forefront Endpoint Protection reporting database resides,
    the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more
    information about configuring the tempdb data file, see Optimizing tempdb Performance
    (http://go.microsoft.com/fwlink/?LinkId=206862).

Prerequisite: Operating system
    Minimum requirements:

        •   Windows Server® 2003 Standard, Enterprise, or Datacenter Edition Service Pack 2 (x86 or
            x64), or

        •   Windows Server 2008 Standard, Enterprise, or Datacenter Service Pack 1 (x86 or x64), or

        •   Windows Server 2008 R2 Standard, Enterprise, or Datacenter (x64)

Prerequisite: Database servers
    Minimum requirements:

        •   Microsoft SQL Server 2005 Standard or Enterprise Edition Service Pack 3 (x86 or x64), or

        •   Microsoft SQL Server 2008 Standard or Enterprise (x86 or x64), or

        •   Microsoft SQL Server 2008 R2 Standard or Enterprise (x86 or x64)

    Notes:

        •   When using an RTM release of SQL Server 2008, make sure that the default instance is
            defined. If the default instance is not defined, reporting and alerting do not function,
            because data cannot flow up to the Configuration Manager site server.

        •   Verify that all computers that are running SQL Server are joined to the domain, that the
            user account running Setup is a member of the sysadmin SQL Server role, and that all SQL
            Server services are running. Additionally, in nonclustered SQL Server environments, the
            SQL Server services should be configured to start automatically.

        •   The user account running Setup will be set as the owner of the following SQL Server
            databases and jobs:

                •   FEPDB_XXX (database)

                •   FEPDW_XXX (database)

                •   FEP_DataWarehouseMaintenance_FEPDW_XXX (job)

                •   FEP_DB_Maintenance_FEPDB_XXX (job)

                •   FEP_GetNewData_FEPDW_XXX (job)

                •   FEP_GetNewDataOnInstall_FEPDW_XXX (job)

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database
    Minimum requirements:

        •   SQL Server Analysis Services

        •   SQL Server Integration Services

        •   SQL Server Reporting Services

        •   SQL Server Agent

    Notes:

        •   For SQL Server Analysis Services, the user account running Setup, or a domain group that
            it is a member of, must belong to the server administrator role on your specified SQL
            Server Analysis Server. For more information, see Analysis Server Properties Dialog Box
            (http://go.microsoft.com/fwlink/?LinkID=204204).

        •   The Forefront Endpoint Protection reporting database and the server running SQL Server
            Analysis Services must be installed on the same SQL Server instance.

        •   On the computer that is running SQL Server Analysis Services, the following ports must be
            open for incoming traffic:

                •   SQL Server (TCP 1433)

                •   SQL Server Analysis Services (TCP 2383)

            For more information, see Configuring the Windows Firewall to Allow SQL Server Access
            (http://go.microsoft.com/fwlink/?LinkId=128365).

        •   For Forefront Endpoint Protection reporting to function, you must make sure that the
            Forefront Endpoint Protection client that is installed as part of Forefront Endpoint
            Protection has access to definition updates via the Configuration Manager client agent,
            Windows Server Update Services, or Microsoft Update.

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database on a SQL Server cluster
    Minimum requirements:

        •   The name you entered in the SQL Network Name box for your SQL Server cluster must be
            registered in the domain.

        •   SQL Server Integration Services must be installed on all nodes and must be part of the
            cluster group.

Prerequisite: Configuration Manager
    Minimum requirements:

        •   Microsoft System Center Configuration Manager 2007 Service Pack 2 installed with default
            roles, and either

                •   Microsoft System Center Configuration Manager 2007 R2 installed and configured to
                    use SQL Server Reporting Services, or

                •   Microsoft System Center Configuration Manager 2007 R3 installed and configured to
                    use SQL Server Reporting Services

        •   The following client agents are installed and configured:

                •   Hardware Inventory

                •   Software Distribution

                •   Desired Configuration Management

Prerequisite: Additional requirements
    Minimum requirements:

        •   No other version of Forefront Endpoint Protection is installed

    Notes:

        •   You must install SQL Server Analysis Management Objects on the computer where Setup is run
            when the Forefront Endpoint Protection reporting database is
              •   Microsoft Windows
                                                    being installed on a remote computer.
                  Installer version 3.1
                                                •   You can download the SQL Server Analysis
              •   Microsoft .Net Framework
                                                    Management Objects for your version of
                  3.5 Service Pack 1                SQL Server from the following locations:
              •   Configuration Manager                •   For SQL Server 2008 R2, visit
                  Hotfix KB2271736                         Microsoft SQL Server 2008 R2
                  (http://go.microsoft.com/f               Feature Pack
                  wlink/?LinkId=203936)                    (http://go.microsoft.com/fwlink/?
              •   SQL Server Analysis                      LinkId=206861), go to the
                  Management Objects                       Microsoft SQL Server 2008 R2
                                                           Analysis Management Objects
              •   The computer where Setup                 section, and download the
                  is run is not pending a                  appropriate file based on your
                  restart from a previous                  system architecture.
                  install or update
                                                       •   For SQL Server 2008, visit
              •   The user account running                 Microsoft SQL Server 2008
                  Setup is a domain account                Feature Pack
                  for the domain of which                  (http://go.microsoft.com/fwlink/?
                  the Forefront Endpoint                   LinkId=206625), go to the
                  Protection server is a                   Microsoft Analysis Management
                  member, has local                        Objects section, and download
                  administrative credentials,              the appropriate file based on your
                  and has Configuration                    system architecture.
                  Manager administrative
                  credentials                          •   For SQL Server 2005, visit Feature
                                                           Pack for Microsoft SQL Server
                                                           2005
                                                           (http://go.microsoft.com/fwlink/?
                                                           LinkId=206624), go to the
                                                           Microsoft SQL Server 2005
                                                           Management Objects Collection
                                                           section, and download the
                                                           appropriate file based on your



System Requirements
                                                                                     Page number 23


                                                                    system architecture.
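The following script is an added example and is not part of the Forefront Endpoint Protection documentation or product. Run on the computer where Setup will be launched, it checks several of the server prerequisites from the table above before Setup does: that TCP 1433 and TCP 2383 are reachable on the Analysis Services computer, that .NET Framework 3.5 SP1 and Windows Installer 3.1 or later are present, that no restart is pending, and that the current account is a domain account with local administrative rights. The host name is a constructed sample value, and the registry locations used for the .NET and pending-restart checks are the standard Windows ones, not anything specific to Forefront Endpoint Protection. The Configuration Manager hotfix and Configuration Manager administrative rights are not checked here.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): pre-flight checks for
# several server prerequisites, run on the computer where Setup will be run.
# Assumptions: $AnalysisServicesHost is a constructed sample name; the registry keys below are the
# standard Windows locations for .NET 3.5 SP1 and pending-restart state.
param(
    [string]$AnalysisServicesHost = "sqlssas01.corp.example",   # constructed sample host name
    [int[]] $RequiredPorts        = @(1433, 2383)               # SQL Server, SQL Server Analysis Services
)

$results = @()
function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail }
}

# 1. Inbound TCP 1433 and 2383 on the Analysis Services computer, tested from here with a 3 s timeout.
foreach ($port in $RequiredPorts) {
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $handle = $client.BeginConnect($AnalysisServicesHost, $port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne(3000, $false)) {
            $client.EndConnect($handle)
            $open = $client.Connected
        }
    } catch { $open = $false }
    finally { $client.Close() }
    Add-Result "TCP $port open on $AnalysisServicesHost" $open "Must be allowed inbound on the SSAS computer"
}

# 2. .NET Framework 3.5 SP1: Install=1 and SP>=1 under the NDP\v3.5 key.
$ndp = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5" -ErrorAction SilentlyContinue
$hasNet35Sp1 = ($ndp -ne $null) -and ($ndp.Install -eq 1) -and ($ndp.SP -ge 1)
Add-Result ".NET Framework 3.5 SP1" $hasNet35Sp1 ("SP value: " + $ndp.SP)

# 3. Windows Installer 3.1 or later, taken from the file version of msi.dll.
$vi  = (Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo
$msi = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
Add-Result "Windows Installer 3.1 or later" ($msi -ge [Version]"3.1") "msi.dll $msi"

# 4. No restart pending from a previous install or update (three standard indicators).
$cbs = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
$wua = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired"
$sm  = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -ErrorAction SilentlyContinue
$pfro = ($sm -ne $null) -and ($sm.PendingFileRenameOperations -ne $null)
Add-Result "No restart pending" (-not ($cbs -or $wua -or $pfro)) "CBS=$cbs WindowsUpdate=$wua PendingFileRename=$pfro"

# 5. The Setup account is a domain account and a member of the local Administrators group.
$identity        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal       = New-Object Security.Principal.WindowsPrincipal($identity)
$isLocalAdmin    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$isDomainAccount = ($identity.Name.Split('\')[0]) -ne $env:COMPUTERNAME
Add-Result "Domain account with local admin rights" ($isLocalAdmin -and $isDomainAccount) $identity.Name

$results | Format-Table Check, Passed, Detail -AutoSize
```

The port test only proves that a connection can be opened from this computer to the Analysis Services host; a firewall rule that admits Setup's computer but not the Configuration Manager site server would still pass here, so run it from each computer that will talk to the reporting instance.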


Forefront Endpoint Protection Console Prerequisites
The following table is the list of minimum requirements for installing the Forefront Endpoint
Protection console.

Prerequisite      Minimum requirements


Configuration          •   Microsoft System Center Configuration Manager 2007 Service Pack 2
Manager                    Console, or

                       •   Microsoft System Center Configuration Manager 2007 R2, or

                       •   Microsoft System Center Configuration Manager 2007 R3


Additional             •   Microsoft .Net Framework 3.5 Service Pack 1
requirements
                       •   Configuration Manager Hotfix KB2271736
                           (http://go.microsoft.com/fwlink/?LinkId=203936)

                       •   The computer running Setup is not pending a restart from a previous
                           install or update

                       •   The user account running Setup is a domain account for the domain of
                           which the Forefront Endpoint Protection server is a member, has local
                           administrative credentials, and has Configuration Manager
                           administrative credentials


Prerequisites for Deploying Forefront Endpoint Protection on a Client
The following table is a list of the prerequisites for deploying Forefront Endpoint Protection on
client computers.

Prerequisite      Requirement


Configuration     A Microsoft System Center Configuration Manager 2007 site that has Forefront
Manager           Endpoint Protection server installed.

                      Note:


                    If you have client computers that do not require the central deployment
                    and management features of Forefront Endpoint Protection server, and you
                    intend to manually install the Forefront Endpoint Protection client, the
                  Configuration Manager prerequisites stated for client computers are not
                  required. For more information, see Deploying the Client Software by Using
                  the Command Prompt.


Operating             •       Windows 7 (x86 or x64), or
system
                      •       Windows 7 XP mode, or

                      •       Windows Vista® (x86 or x64) or later versions, or

                      •       Windows XP Service Pack 2 (x86 or x64) or later versions, or

                      •       Windows Server 2008 R2 (x64) or later versions, or

                      •       Windows Server 2008 R2 Server Core (x64), or

                      •       Windows Server 2008 (x86 or x64) or later versions, or

                      •       Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or

                      •       Windows Server 2003 R2 (x86 or x64) or later versions

                      Note:


                  On the following operating systems, the Forefront Endpoint Protection
                  client software can be installed manually. However, policies cannot be
                  applied to them, nor can they be centrally managed by Forefront Endpoint
                  Protection.

                          •     Windows 7 Starter

                          •     Windows 7 Home Premium

                          •     Windows Vista Basic

                          •     Windows Vista Home Premium

                          •     Windows XP Home Edition


Available disk   255 MB
space


Additional            •       Windows Installer 3.1 or later versions
requirements
                      •       Filter manager rollup package for Windows XP Service Pack 2 (x86)
                              KB914882 (http://go.microsoft.com/fwlink/?LinkID=207000)


Competitive       The client installation checks for and uninstalls the following existing
uninstall         antimalware clients:

                      •       Symantec Endpoint Protection version 11

                      •       Symantec Corporate Edition version 10

                      •       McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent

                      •       Forefront Client Security version 1 and the Operations Manager agent

                      •       TrendMicro OfficeScan version 8 and version 10
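
The following script is an added example and is not part of the Forefront Endpoint Protection documentation or product. Run on a candidate client computer, it reports the points from the table above that decide how the deployment will go: whether the operating system edition is one on which the client installs but cannot be centrally managed, whether the 255 MB of disk space and Windows Installer 3.1 are available, and which of the listed antimalware products the client installation would uninstall. The name patterns for the competing products are constructed for this example from the product names in the table and are assumed to match the display names those products register under Add or Remove Programs; the Windows Vista pattern is deliberately loose because the table lists the edition as "Windows Vista Basic".

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): client readiness check
# against the client prerequisites table. Uses Get-WmiObject, which is available in Windows PowerShell
# on the operating systems the table lists.
# Assumption: the patterns below match the display names the listed products register in the
# registry Uninstall keys; they are constructed for this example.

# Editions on which the client installs but cannot receive policies or be centrally managed.
$unmanagedEditions = @(
    'Windows 7 Starter',
    'Windows 7 Home Premium',
    'Windows Vista.*Basic',          # loose match for "Windows Vista Basic" in the table
    'Windows Vista Home Premium',
    'Windows XP Home Edition'
)

# Products the competitive uninstall removes, as listed in the table.
$competitors = @(
    'Symantec Endpoint Protection',  # version 11
    'Symantec AntiVirus',            # Symantec Corporate Edition version 10
    'McAfee VirusScan Enterprise',   # 8.5 / 8.7
    'McAfee Agent',
    'Forefront Client Security',     # version 1
    'OfficeScan'                     # TrendMicro OfficeScan 8 / 10
)

$os       = Get-WmiObject Win32_OperatingSystem
$caption  = $os.Caption.Trim()
$unmanaged = $unmanagedEditions | Where-Object { $caption -match $_ }

# Free space on the system drive, compared with the 255 MB requirement.
$sysDisk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeMB  = [math]::Round($sysDisk.FreeSpace / 1MB)

# Windows Installer version from msi.dll.
$vi  = (Get-Item "$env:SystemRoot\System32\msi.dll").VersionInfo
$msi = New-Object Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

# Installed products from both the native and the 32-bit Uninstall keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } | ForEach-Object { $_.DisplayName }
$found = $installed | Where-Object { $name = $_; ($competitors | Where-Object { $name -match $_ }) }

New-Object PSObject -Property @{
    OperatingSystem     = $caption
    ServicePack         = $os.ServicePackMajorVersion
    CentrallyManageable = [bool](-not $unmanaged)
    FreeSpaceMB         = $freeMB
    DiskSpaceOK         = ($freeMB -ge 255)
    WindowsInstaller    = $msi
    InstallerOK         = ($msi -ge [Version]'3.1')
    CompetitorsToRemove = ($found -join '; ')
}
```

A practical use of the last field: the table names exactly which products the client installation removes, so any other antimalware product the inventory turns up is outside that list and has to be removed by other means before or during deployment.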


Prerequisites for Importing the Forefront Endpoint Protection Security
Management Pack
The following table lists the minimum requirements for importing the Forefront Endpoint Protection
Security Management Pack.

Prerequisite                                   Minimum requirement


System Center Operations Manager                   •   System Center Operations Manager 2007 R2
2007




The following table lists the minimum requirements for the Reporting management pack for use with
the Forefront Endpoint Protection Security Management Pack.

Prerequisite        Minimum requirement


Reporting                 •     Reporting components must be installed for System Center
components                      Operations Manager 2007 R2 in order to use the Reporting feature.




   7. Getting Started
Before deploying Microsoft Forefront Endpoint Protection 2010, you should read the documentation
carefully and plan your deployment according to your business needs. If planned correctly, Forefront
Endpoint Protection can reduce your administrative overhead and total cost of ownership. If
Forefront Endpoint Protection is deployed without sufficient planning, you can disrupt your whole
network, because Forefront Endpoint Protection has the potential to affect every computer in your
organization.

Because Forefront Endpoint Protection is built on System Center Configuration Manager, you should
be familiar with Configuration Manager before you deploy Forefront Endpoint Protection. For more
information, see System Center Configuration Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=111469).

Because the FEP Security Management Pack is built on System Center Operations Manager, you
should be familiar with Operations Manager before deploying the FEP Security Management Pack.
For more information, see System Center Operations Manager R2
(http://go.microsoft.com/fwlink/?LinkId=205692).

  Note:


If you are new to Forefront Endpoint Protection, you should experiment in a test network
environment before you deploy the product.

Next Steps

   •   Plan the Forefront Endpoint Protection installation. For more information, see Planning and
       Architecture.

   •   Install Forefront Endpoint Protection on your Configuration Manager Site server. For more
       information, see FEP 2010.

   •   Import the FEP Security Management Pack on your Operations Manager server. For more
       information, see FEP 2010 Security Management Pack.

   •   Deploy Forefront Endpoint Protection policies and clients. For more information, see Client
       Deployment.

   •   Learn about routine operations. For more information, see Operations.

Getting Assistance
   The Forefront Endpoint Protection online help and assistance options are available to you when
   you're planning, deploying, administering, and troubleshooting Forefront Endpoint Protection.

Where to find Forefront Endpoint Protection Help and Assistance:
  • Forefront Endpoint Protection TechNet Library
      (http://go.microsoft.com/fwlink/?LinkId=188968). The FEP TechNet library contains the most
      up-to-date product documentation. This documentation is updated as Forefront Endpoint
      Protection features evolve and new troubleshooting information becomes available.

   •   Forefront Endpoint Security Blog (http://go.microsoft.com/fwlink/?LinkId=196676). The
       Forefront Endpoint Security blog contains technical articles written by the Forefront
        Endpoint Protection team, in addition to product announcements and updates.

    •   Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?LinkId=196677). The
        forum provides a place to discuss Forefront Endpoint Protection with customers and
        Forefront Endpoint Protection team members. The Forefront Endpoint Protection forum is
        an excellent way to interact with the Forefront Endpoint Protection team and with other
        customers worldwide.

    •   The Forefront Endpoint Protection section of the TechNet Wiki
        (http://go.microsoft.com/fwlink/?LinkId=196679). The TechNet Wiki contains community-
        generated content about various Microsoft products, including Forefront Endpoint
        Protection. Through the use of the TechNet Wiki, you can share your knowledge and
        experience with other members of the community.

Providing Feedback
    •   Your feedback about Microsoft Forefront Endpoint Protection 2010 will be greatly
        appreciated and will help Microsoft improve Forefront Endpoint Protection. Please submit all
        feedback to the Forefront Endpoint Protection Forum
        (http://go.microsoft.com/fwlink/?LinkId=188968).


   8. Planning and Architecture
The content in this section is designed to help you plan your Microsoft Forefront Endpoint
Protection 2010 installation and the infrastructure required to support it.

Before you install Forefront Endpoint Protection, it is recommended that you review the
following sections:

    •   Planning Your Deployment

    •   Migrating from Forefront Client Security to Forefront Endpoint Protection

Forefront Endpoint Protection 2010
Forefront Endpoint Protection easily installs into your existing Configuration Manager 2007
deployment. The Forefront Endpoint Protection server installation process automatically installs the
required components to the correct servers based upon the Configuration Manager deployment.

The following is a list of items that are installed during Forefront Endpoint Protection Setup.

Installation item                    Description


 Forefront Endpoint Protection       The Forefront Endpoint Protection Site server extensions for
 Site Server Extensions for          Configuration Manager.
 Configuration Manager


 Forefront Endpoint Protection       The Forefront Endpoint Protection extensions to the
 Console Extensions for              Configuration Manager management console add views to
 Configuration Manager               manage and monitor Forefront Endpoint Protection client
                                     deployments.


Forefront Endpoint Protection         An auxiliary database used by Forefront Endpoint Protection.
Database


Forefront Endpoint Protection         Provides historical reports on Forefront Endpoint Protection
Reporting role                        client malware activity and client protection status.


Forefront Endpoint Protection         The database for storing Forefront Endpoint Protection client
Reporting database                    protection status and malware activity historical data.


Forefront Endpoint Protection         The Forefront Endpoint Protection client is installed for access
Security Client                       to antimalware metadata.

The following items are installed during the installation of Forefront Endpoint Protection Site Server
Extensions for Configuration Manager:

    •   The FEP – Deployment package.

    •   The FEP – Policies package.

    •   The FEP – Operations package.

    •   Forefront Endpoint Protection Operations tasks are added to the Configuration Manager
        right-click context menu and to the Actions pane for computer objects.

    •   Forefront Endpoint Protection desired configuration management configuration baselines
        and configuration items.

    •   Forefront Endpoint Protection related collections.

    •   Forefront Endpoint Protection client deployment and policy distribution reports are added to
        Configuration Manager reporting.

Forefront Endpoint Protection and High Availability
Forefront Endpoint Protection is installed on top of Configuration Manager and is dependent on the
availability of the Configuration Manager services. The following items are Forefront Endpoint
Protection server deployment recommendations for high availability:

    •   Use clustered SQL Server for the Forefront Endpoint Protection reporting database.

    •   Use the System Center Operations Manager Forefront Endpoint Protection Monitoring
        Management Pack to monitor Forefront Endpoint Protection services.

About Configuration Manager Site Topologies and FEP 2010
Forefront Endpoint Protection can be deployed to a Configuration Manager stand-alone (single) site
or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites
is not supported. For more information about Configuration Manager sites, see Understanding
Configuration Manager Sites (http://go.microsoft.com/fwlink/?LinkId=196956).

Single-Site Deployment
In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the
Configuration Manager site server. The Configuration Manager administrator will perform the
following tasks from the Configuration Manager console:

    •   Create or modify Forefront Endpoint Protection policies.

    •   Assign Forefront Endpoint Protection policies to collections.

    •   Deploy Forefront Endpoint Protection clients to collections.

    •   Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard.

    •   Configure Forefront Endpoint Protection alerts.

    •   Assign the Forefront Endpoint Protection Desired Configuration Management baselines to
        collections.

Hierarchical Deployment
In a hierarchical Configuration Manager deployment, there is a parent site that has one or more sites
(children) attached to it in the hierarchy. A parent site contains pertinent information about its
lower-level sites and it can control many operations at the child sites. A site that has no parent site is
known as a central site. For more information about planning and deploying Configuration Manager,
see Planning and Deploying the Server Infrastructure for Configuration Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=196960).

Forefront Endpoint Protection can be installed in the following combinations:

    •   Parent and child sites

    •   Parent site

    •   Child sites

The administrative control requirements will determine where Forefront Endpoint Protection should
be installed:

    •   For centralized policy creation and control, install Forefront Endpoint Protection on the
        parent site. When Forefront Endpoint Protection is also installed on the child sites, policies
        are replicated from the parent site to the child sites. Installing Forefront Endpoint Protection
        on the child sites allows the administrator to view the FEP dashboard when connected to the
        child site via the Configuration Manager console.

    •    To view the Forefront Endpoint Protection Dashboard when connected to a child site via the
         Configuration Manager console, you must install FEP on the child site.

    •    For decentralized policy creation and control, install Forefront Endpoint Protection on the
         child sites. You can optionally install the Forefront Endpoint Protection Reporting role at the
         parent site for centralized company-wide reporting.

Forefront Endpoint Protection Installed on the Parent and Child Sites
In this deployment, the Forefront Endpoint Protection site server extension components are
replicated to the child sites. The creation and management of Forefront Endpoint Protection policies
is managed centrally by the administrator of the parent site. The administrator at the child site will
see the Forefront Endpoint Protection policies from the parent site, but cannot create, modify, or
delete policies.

The following table lists the Forefront Endpoint Protection tasks that can be accomplished when
Forefront Endpoint Protection has been installed on the parent and child sites.

                                                                                Parent       Child
Task                                                                            site         sites


Deploy Forefront Endpoint Protection clients to collections                     Yes          Yes


Create or modify Forefront Endpoint Protection policies                         Yes          No


Assign Forefront Endpoint Protection policies to collections                    Yes          Yes


Monitor Forefront Endpoint Protection client deployment and policy              Yes          Yes
deployment progress


Monitor Forefront Endpoint Protection via the Forefront Endpoint                Yes          Yes
Protection dashboard


Forefront Endpoint Protection Reporting                                         Yes          Yes


Configure Forefront Endpoint Protection alerts                                  Yes          Yes


Forefront Endpoint Protection Operations                                        Yes          Yes


  Important:


     •   At a child site there are two FEP – Deployment packages, one from the parent site and
         one from the child site. When deploying the Forefront Endpoint Protection client
         software from the child site you must deploy using the software package from the parent
         site. The first three letters of the software package Package ID indicate from which site
         the software package originates.

    •   When Forefront Endpoint Protection is installed on the child site first and you install
        Forefront Endpoint Protection on the parent site after, the FEP – Policies package on the
        child site is disabled and the FEP – Policies package from the parent site is propagated to
        the child site. Policies created on the child site no longer exist. Before installing Forefront
        Endpoint Protection on the parent site, it is recommended that you export the policies
        from the child site. After installing Forefront Endpoint Protection on the parent site you
        can import the policies on the parent site. For more information about importing and
        exporting policies, see Exporting a Policy and Importing a Policy.

    •   Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint
        Protection is also installed on child sites disrupts Forefront Endpoint Protection
        functionality of the child sites. Repair the Forefront Endpoint Protection installation on
        each child site after Forefront Endpoint Protection is uninstalled from the parent site.

    •   FEP clients deployed at the child sites appear only in the following Client Deployment
        Status categories at the parent site:

            •   Deployed

            •   Out of date

        The reason for this is that the information for these categories is based on
        Configuration Manager hardware inventory data that the parent site receives from the
        child sites.

        The information for the following deployment categories is based on Configuration
        Manager advertisements: Removed, Failed, and Pending. Since the parent site is not able
        to see the advertisements created at a child site, deployment information for these
        categories is not displayed at the parent site. Full deployment status for FEP client
        software deployed at child sites can be viewed at the child site.

    •   Policy distribution status for FEP policies assigned to collections at a child site can take up
        to 24 hours to display at the parent site.
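
The following script is an added example and is not part of the Forefront Endpoint Protection documentation or product. It applies the rule from the first Important bullet above: on a child site it lists the FEP – Deployment packages visible to the SMS Provider and marks the one whose Package ID begins with the parent site's code, which is the package to deploy the client software from. It assumes Configuration Manager 2007's SMS Provider namespace `root\SMS\site_<code>` and the `SMS_Package` class with `Name` and `PackageID` properties; the site codes are constructed sample values.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation): identify the parent-site
# FEP – Deployment package on a child site from the first three characters of its Package ID.
# Assumptions: SMS Provider namespace root\SMS\site_<code> and the SMS_Package class (Name, PackageID)
# as in Configuration Manager 2007; site codes below are constructed sample values.
param(
    [string]$ChildSiteCode    = "CH1",   # constructed: site code of this child site
    [string]$ParentSiteCode   = "PAR",   # constructed: site code of the parent site
    [string]$ProviderComputer = "."      # computer hosting the SMS Provider ("." = local)
)

$namespace = "root\SMS\site_$ChildSiteCode"

# Wildcard across the dash so the en dash in "FEP – Deployment" need not be typed exactly.
$packages = Get-WmiObject -ComputerName $ProviderComputer -Namespace $namespace -Class SMS_Package |
    Where-Object { $_.Name -like 'FEP*Deployment*' }

if (-not $packages) {
    Write-Warning "No FEP Deployment package found in $namespace"
    return
}

$packages | ForEach-Object {
    $originSite = $_.PackageID.Substring(0, 3)     # site code prefix identifies the originating site
    New-Object PSObject -Property @{
        PackageID              = $_.PackageID
        Name                   = $_.Name
        OriginSite             = $originSite
        UseForClientDeployment = ($originSite -eq $ParentSiteCode)   # the parent-site copy is the one to use
    }
} | Sort-Object UseForClientDeployment -Descending |
    Format-Table PackageID, Name, OriginSite, UseForClientDeployment -AutoSize
```

Seeing two packages with different prefixes is the expected state on a child site where Forefront Endpoint Protection is installed at both levels; a single package whose prefix is the child site's own code means the parent-site package has not replicated yet.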


Forefront Endpoint Protection Installed on the Child Sites
In this deployment the administrator at each site needs to manage an independent set of Forefront
Endpoint Protection policies. Site administrators can share policies by exporting and importing
Forefront Endpoint Protection policies from one site to another. For more information about
exporting and importing Forefront Endpoint Protection policies, see Exporting a Policy and Importing
a Policy.

  Note:


You can optionally install the Forefront Endpoint Protection Reporting role at the parent site for
centralized company-wide reporting.

The following table lists the Forefront Endpoint Protection tasks that can be accomplished when
Forefront Endpoint Protection has been installed at the child sites and Forefront Endpoint Protection
Reporting role has been installed at the parent site.

                                                                              Parent      Child
Task                                                                          site        sites


Deploy Forefront Endpoint Protection clients to collections                   No          Yes


Create or modify Forefront Endpoint Protection policies                       No          Yes


Assign Forefront Endpoint Protection policies to collections                  No          Yes


Monitor Forefront Endpoint Protection via the Forefront Endpoint              No          Yes
Protection dashboard


Forefront Endpoint Protection Reporting                                       Yes         Yes


Configure Forefront Endpoint Protection alerts                                No          Yes


Forefront Endpoint Protection Operations                                      No          Yes




  Note:


Tasks performed on a child site only affect the devices of that child site.




About Basic Setup
This topic will describe the location of the various Forefront Endpoint Protection components that
are installed when you select the Basic topology option in the Forefront Endpoint Protection Setup
wizard.

Basic Topology
The Basic topology setup wizard option installs the Forefront Endpoint Protection components based
upon the Configuration Manager deployment.

No additional hardware is required for this deployment path. The existing Configuration Manager
servers will be used. Use this setup option when there is sufficient capacity on the computer running
Microsoft SQL Server.

The following table lists the location where each of the Forefront Endpoint Protection components
will be installed.

Component                                         Where installed


Forefront Endpoint Protection Database            SQL Server and instance used for the
                                                  Configuration Manager database.


Forefront Endpoint Protection Site Server         Configuration Manager site server.
Extensions for Configuration Manager


Forefront Endpoint Protection Console             Configuration Manager site server.
Extensions for Configuration Manager


Forefront Endpoint Protection Reporting role      SQL Server used for the Configuration Manager
                                                  reporting services.


Forefront Endpoint Protection Reporting           SQL Server and instance used for the
database                                          Configuration Manager database.


Forefront Endpoint Protection Security Client     The Forefront Endpoint Protection client is
                                                  installed for access to malware metadata.

For more information about installing Forefront Endpoint Protection using the Basic topology option,
see Installing Using Basic Setup.

About Basic with Remote Reporting Database Setup
This topic will describe the location of the various Forefront Endpoint Protection components that
are installed when you select the Basic topology with remote reporting database option in the
Forefront Endpoint Protection Setup wizard.

Basic Topology with Remote Reporting Database
The Basic topology with remote reporting database setup wizard option installs the Forefront
Endpoint Protection components based upon the Configuration Manager deployment and allows you
to specify another Microsoft SQL Server for the Forefront Endpoint Protection Reporting database.

When using this wizard you need to have another Microsoft SQL Server already installed and ready
for use.

Use this option when your existing SQL Server is nearing capacity or you want to separate the
Forefront Endpoint Protection reporting data from the Configuration Manager data.

The following table lists the location where each of the Forefront Endpoint Protection components
will be installed.

Component                                            Where installed


Forefront Endpoint Protection Database               SQL Server and instance used for the
                                                     Configuration Manager database


Forefront Endpoint Protection Site Server            Configuration Manager site server
Extensions for Configuration Manager


Forefront Endpoint Protection Console Extensions     Configuration Manager site server
for Configuration Manager


Forefront Endpoint Protection Reporting role         SQL Server specified during setup


Forefront Endpoint Protection Reporting database     SQL Server specified during setup

For more information about installing Forefront Endpoint Protection using the Basic topology with
remote reporting database option, see Installing Using Basic with a Remote Reporting Database
Setup.

FEP 2010 Security Management Pack
The Forefront Endpoint Protection Security Management Pack is easy to import into your existing
System Center Operations Manager environment. For information about the prerequisites for this
management pack, see Prerequisites for Importing the Forefront Endpoint Protection Security
Management Pack. For information about importing this management pack, see Importing the FEP
2010 Security Management Pack.

Forefront Endpoint Protection Client
Forefront Endpoint Protection client deployment refers to the installation and configuration of the
Forefront Endpoint Protection client software in your enterprise. Before deploying the Forefront
Endpoint Protection client software to computers in your production environment, learn about the
deployment process (for more information, see Client Deployment), create a deployment plan based
on your organization’s security requirements, test your plan in a lab environment, and once you are
confident in your plan, proceed to deploy the Forefront Endpoint Protection client software in your
production environment.



When planning your deployment, take into consideration the information in the following sections.

Policies
Create Forefront Endpoint Protection policies to match your organization's security settings and
apply them to Forefront Endpoint Protection clients. For more information, see About Configuring
Clients by Using Policies.

System Requirements
Before deploying the Forefront Endpoint Protection client software, make sure that your client
computers meet the minimum system requirements for installation. For more information, see
Prerequisites for Deploying Forefront Endpoint Protection on a Client.

The Forefront Endpoint Protection client software requires that you install a Network Inspection
System hotfix on client computers running one of the following operating systems:

    •   Windows Vista Service Pack 1 (SP1)

    •   Windows Vista Service Pack 2 (SP2)

    •   Windows 7

    •   Windows Server 2008

    •   Windows Server 2008 Service Pack 2 (SP2)

    •   Windows Server 2008 R2

If this hotfix is not already installed on the computer, the Forefront Endpoint Protection client
deployment package installs it. Since this hotfix requires the computer to be restarted, consider
downloading hotfix KB981889 (http://go.microsoft.com/fwlink/?LinkID=204112) and deploying it to
client computers before deploying the Forefront Endpoint Protection client.

  Note:


 Network Inspection System (NIS) on the Forefront Endpoint Protection client does not function
 until the client computer is restarted; however, the antimalware protection functions as normal
 without a computer restart.


Competitive Uninstall
The Forefront Endpoint Protection client deployment package checks for and uninstalls the existing
antimalware client. For a list of antimalware clients that are uninstalled, see Prerequisites for
Deploying Forefront Endpoint Protection on a Client.

The following is a list of issues that can interfere with uninstalling an existing antimalware client:

    •   If the previously installed antimalware client has a tamper-protection feature enabled, for
        example, if the software is password protected, you need to disable that tamper protection


        before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint
        Protection installation program will not be able to uninstall the existing antimalware client.
        See the documentation for the previously installed antimalware client for information about
        tamper protection or other settings you may need to configure before you can successfully
        uninstall the software.

    •   If the existing antimalware client is in use by another process when the Forefront Endpoint
        Protection installation program attempts to uninstall it, the uninstall can fail, and in this
        instance, the Forefront Endpoint Protection client will not be installed.

    •   If you use a mechanism to automatically distribute and install antimalware to your client
        computers, you need to disable automatic installation before you install Forefront Endpoint
        Protection. For example, if you use Windows Server Update Services (WSUS) to distribute
        Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint
        Protection, you need to configure WSUS to not automatically reinstall FCS.

Forefront Endpoint Protection Client Deployment Options
The Forefront Endpoint Protection client software can be deployed in two ways: through
Configuration Manager distribution, or manually. The two can be used side by side to cover
different sets of client computers in your organization. For more information on client
deployment methods, see FEP 2010.

You can use Configuration Manager distribution to centrally manage and monitor the deployment of
Forefront Endpoint Protection to client computers in your existing infrastructure. With this method,
you can control to which Configuration Manager collections the client is deployed, and utilize the
provided reports to determine deployment status or investigate information about computers on
which the client failed to deploy and why.

If you are not using Configuration Manager, have computers that are not managed by Configuration
Manager, or you prefer an alternative distribution method, you can manually deploy Forefront
Endpoint Protection to client computers. In this scenario, you can apply Forefront Endpoint
Protection policies using Setup command line switches. For more information on manually deploying
Forefront Endpoint Protection with policies, see Deploying the Client Software by Using the
Command Prompt.
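The three planning points above (the NIS hotfix and its restart, the competitive uninstall, and manual deployment with a policy applied from the command line) come together in the following readiness check and silent install. This is an added example and not code from the Forefront Endpoint Protection documentation. It assumes things this page does not state: that the client installer is FEPInstall.exe and accepts /s /q /policy <xml> as described in the FEP 2010 command-prompt deployment topic, that the NIS hotfix is KB981889, that setup returns the standard Windows Installer code 3010 when a restart is needed, and that installed antimalware products are registered in the WMI SecurityCenter (Windows XP) or SecurityCenter2 (Windows Vista and later) namespace.

```powershell
<#
Added example (not from the FEP documentation): pre-deployment checks for the manual client
deployment path, then a silent FEPInstall.exe run that applies an exported FEP policy XML.
Assumed and not stated on this page: FEPInstall.exe and its /s /q /policy switches, KB981889
as the NIS hotfix, exit code 3010 as "restart required", and the SecurityCenter WMI namespaces.
#>
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,   # e.g. \\fileserver\FEP\FEPInstall.exe (assumed name)
    [Parameter(Mandatory = $true)][string]$PolicyPath,      # policy XML exported from Configuration Manager or the Group Policy Tool
    [switch]$Install,                                       # without this switch the script only reports
    [switch]$Force                                          # install even when a check failed
)

$os = Get-WmiObject -Class Win32_OperatingSystem
$problems = @()

# 1. NIS hotfix: needed on Vista SP1/SP2, Windows 7, Server 2008 RTM/SP2 and Server 2008 R2
#    (kernel 6.0 and 6.1). Deploy it ahead of time so the FEP package does not trigger the restart.
if ($os.Version -like '6.0.*' -or $os.Version -like '6.1.*') {
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB981889' }
    if (-not $hotfix) {
        $problems += 'KB981889 (Network Inspection System hotfix) is missing; setup will install it and the computer must restart before NIS works.'
    }
}

# 2. Report a pending restart so the hotfix and the competitive uninstall start from a clean state.
$cbsPending    = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$renamePending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($cbsPending -or $renamePending) { $problems += 'A restart is pending; restart before deploying the client.' }

# 3. Existing antimalware client: surface it so tamper/password protection and any automatic
#    reinstall mechanism (for example a WSUS approval) can be disabled before setup tries to remove it.
$namespace  = if ($os.Version -like '5.*') { 'root\SecurityCenter' } else { 'root\SecurityCenter2' }
$existingAv = Get-WmiObject -Namespace $namespace -Class AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($av in $existingAv) {
    if ($av.displayName -notmatch 'Forefront Endpoint Protection') {
        Write-Host ('Existing antimalware client found: {0}. Disable its tamper protection and automatic reinstall before installing FEP.' -f $av.displayName)
    }
}

# 4. The policy file is handed to setup with /policy; make sure it is at least well-formed XML.
try { [xml](Get-Content -Path $PolicyPath -ErrorAction Stop) | Out-Null }
catch { $problems += ('Policy file "{0}" is not readable XML: {1}' -f $PolicyPath, $_.Exception.Message) }

$problems | ForEach-Object { Write-Warning $_ }
if (-not $Install) { Write-Host 'Report only; rerun with -Install to deploy the client.'; return }
if ($problems.Count -gt 0 -and -not $Force) { Write-Warning 'Checks failed; fix them or rerun with -Force.'; return }

# /s /q = silent install; /policy applies the exported policy during setup (assumed switches, see above).
$arguments = '/s /q /policy "{0}"' -f $PolicyPath
$process   = Start-Process -FilePath $InstallerPath -ArgumentList $arguments -Wait -PassThru
switch ($process.ExitCode) {
    0       { Write-Host 'FEP client installed.' }
    3010    { Write-Host 'FEP client installed; a restart is required before NIS is active (antimalware protection already runs).' }
    default { Write-Warning ('Setup returned exit code {0}; check the setup log before retrying.' -f $process.ExitCode) }
}
```

Run the script elevated on the target computer, first without -Install to read the report, then with -Install. The existing-antimalware check can only tell you that a product is registered; whether its tamper protection is on still has to be verified in that product's own console, as the planning text says.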

Definition Updates
Configure the Forefront Endpoint Protection client software to check for updates from multiple
sources. For more information, see Configuring Definition Updates.

Definition update method      More information

Configuration Manager/WSUS    For more information about configuring WSUS for definition updates,
                              see Software Updates and Windows Server Update Services Definition
                              Updates.

Microsoft Update              For more information about configuring Microsoft Update, see
                              Microsoft Update Definition Updates.

File share                    For more information about configuring a file share for definition
                              updates, see File-Share-Based Definition Updates.




About Configuring Clients by Using Policies
Client configuration in Forefront Endpoint Protection can be accomplished in a variety of ways. While
it is possible to configure each client by logging on locally, this is typically not practical and can be
labor intensive. Additionally, it is a challenge to configure consistent settings for large numbers of
clients if you attempt to configure all of the desired settings locally.

To make client configuration consistent and reliable, Forefront Endpoint Protection provides two
ways to author policies and four ways to deploy them. Base the choice on your existing
environment, or build the environment needed to deploy client settings the way you want, taking
into account factors such as policy merge behavior and ease of deployment.

If you are running a server operating system, you can use preconfigured policy templates that
contain optimized settings. Additionally, you can use the Forefront Endpoint Protection Group Policy
Tool in order to convert policies that are in XML format into a format that can be used by Group
Policy. You can also use this tool to merge existing policies into a single policy or to export the FEP
configuration settings from a Group Policy object (GPO) into a policy that can be applied to a
computer or server locally or by script. For more information about the Forefront Endpoint
Protection Group Policy Tool, see Converting FEP Policies to Group Policy. For more information
about preconfigured policy templates for FEP on Configuration Manager, see Creating a Policy. For
more information about preconfigured policy templates for the Forefront Endpoint Protection
Security Management Pack, see About Preconfigured Policy Templates.

Creating and Configuring Policies
Authoring policies consists of both creating a policy and then configuring the settings that you want
to deploy to the clients that will receive the policy. Each authoring method produces an output in a
different format. The method by which you author a policy may determine the method by which you
can deploy a policy. The two methods available for authoring policies are Configuration Manager
with Forefront Endpoint Protection installed, and by using the Group Policy Editor along with the FEP
ADMX. For more information about creating and configuring policies by using Configuration Manager
with Forefront Endpoint Protection installed, see FEP Policies. For more information about creating
policies by using the Forefront Endpoint Protection Group Policy Tool, see Using Group Policy with
FEP. For more information about the policy settings that are available through the FEP ADMX, see the
FEP ADMX Reference.

You can author policies by using the following methods.




Authoring method: Configuration Manager with Forefront Endpoint Protection installed

    Policy can be applied by using:

    •   Configuration Manager with Forefront Endpoint Protection installed.

    •   Group Policy. Export the policy from Configuration Manager and then use the Forefront
        Endpoint Protection Group Policy Tool to import the exported FEP policy into a Group
        Policy object.

    •   Script (exported policies).

    •   FEP client installation (exported policies).

    Additional information:

    •   Policy settings can be exported by using Configuration Manager with Forefront Endpoint
        Protection installed.

    •   Exported file format is XML.

    •   Fewer granular policy settings are available to configure than when using GPEDIT with
        the FEP ADMX.

Authoring method: GPEDIT with the FEP ADMX

    Policy can be applied by using:

    •   Group Policy.

    •   Script.

    •   FEP client installation.

    Additional information:

    •   Policy settings can be exported by using the Forefront Endpoint Protection Group Policy
        Tool.

    •   Exported file format is XML.

    •   Granular policy settings are available with the FEP ADMX.

Deploying Policies
In order to apply configurations to clients, Forefront Endpoint Protection provides four ways to
deploy policies. You can decide on a single way to deploy policies or use a combination of ways. For
example, if you typically use Group Policy to configure and deploy policies, you might want to
continue to use that method in order to deploy FEP policies. Or, you may prefer to use Configuration
Manager in order to manage your FEP client settings. Additionally, you might also have non-domain-
joined servers that also must receive policy settings. You can install policy settings locally on those
servers, or install them by using a script.

  Warning:


 It is not recommended to use both Configuration Manager and Group Policy to apply FEP policy
 settings to the same client. Configuration Manager writes FEP policy to the local policy of the
 computer, and Group Policy settings take precedence over local policy, so any conflicting
 setting deployed via Group Policy silently overrides the setting that Configuration Manager
 applied.
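The precedence rule in the warning can be checked on a client rather than assumed. The following script is an added example, not code from the Forefront Endpoint Protection documentation: it lists every FEP antimalware setting delivered by Group Policy and flags the ones that override a different value in the local policy (the value Configuration Manager, a script or the client installer wrote). It assumes, because this page does not say so, that the FEP 2010 client keeps local settings under HKLM\SOFTWARE\Microsoft\Microsoft Antimalware and Group Policy settings under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware, with the same subkey and value names in both hives.

```powershell
<#
Added example (not from the FEP documentation): show which FEP settings come from Group
Policy and where they override a different local-policy value.
Assumed and not stated on this page: the two registry roots below and that both hives use
the same subkey and value names.
#>
$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'            # written by Configuration Manager, scripts, FEPInstall /policy
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'   # written by Group Policy (FEP ADMX)

# Flatten a registry subtree into "Subkey\ValueName" -> data pairs.
function Get-RegistrySettings {
    param([string]$Root)
    $settings = @{}
    if (-not (Test-Path $Root)) { return $settings }
    $rootKey = Get-Item -Path $Root
    foreach ($key in @($rootKey) + @(Get-ChildItem -Path $Root -Recurse)) {
        $relative = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($valueName in $key.GetValueNames()) {
            $id = if ($relative) { "$relative\$valueName" } else { $valueName }
            $settings[$id] = $key.GetValue($valueName)
        }
    }
    return $settings
}

$local  = Get-RegistrySettings -Root $LocalRoot
$policy = Get-RegistrySettings -Root $PolicyRoot

if ($policy.Count -eq 0) {
    Write-Host 'No FEP Group Policy settings are applied; the local policy is what the client enforces.'
    return
}

# Every value under the Policies hive wins, whether or not the local hive agrees. Rows marked
# Conflict are the ones where the Configuration Manager/local setting is ignored.
$rows = foreach ($id in ($policy.Keys | Sort-Object)) {
    $gpoValue   = $policy[$id]
    $localValue = $local[$id]
    New-Object PSObject -Property @{
        Setting    = $id
        LocalValue = $localValue
        GPOValue   = $gpoValue
        Conflict   = ($local.ContainsKey($id) -and ("$localValue" -ne "$gpoValue"))
    }
}
$rows | Format-Table -Property Setting, LocalValue, GPOValue, Conflict -AutoSize
$conflicts = @($rows | Where-Object { $_.Conflict })
Write-Host ('{0} setting(s) come from Group Policy; {1} of them override a different local value.' -f @($rows).Count, $conflicts.Count)
```

Run it elevated after a gpupdate so the Policies hive reflects the current GPOs. A non-empty Conflict list on a Configuration Manager-managed client is exactly the situation the warning describes: the console shows one policy while the client enforces another.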




You can deploy policies by using the following methods.

Policy deployment method: Configuration Manager with Forefront Endpoint Protection installed

    Policy settings merge behavior: Policy merging is not available.

    Policies authored by:

    •   Only by Configuration Manager with Forefront Endpoint Protection installed.

    Additional information:

    •   Only one policy can be applied to a computer at any given time.

    •   FEP policies are written to the local policy settings.

    •   If FEP GPO policy settings are also applied to the same computer, any conflicting FEP
        GPO policy settings take precedence over the settings configured by the FEP policy.

Policy deployment method: Group Policy

    Policy settings merge behavior: Policy merging is available.

    Policies authored by:

    •   GPEDIT and ADMX.

    •   Settings contained in FEP policy XML files can be imported by using the Forefront
        Endpoint Protection Group Policy Tool.

    Additional information:

    •   Policies merge according to Group Policy precedence order and policy filtering.

    •   FEP GPO policy settings take precedence over local policy settings.

Policy deployment method: MSI install with parameter switch

    Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint
    Protection Group Policy Tool to merge settings contained in multiple policy files. The
    merged settings can then be exported to a single XML file.

    Policies authored by:

    •   The exported XML policy file from Configuration Manager with Forefront Endpoint
        Protection installed.

    •   Preconfigured policies from the Microsoft Download Center.

    •   Policy settings exported from Group Policy to an XML policy file by using the Forefront
        Endpoint Protection Group Policy Tool.

    Additional information:

    •   FEP settings are written to the local policy.

    •   FEP GPO policy settings take precedence over the local policy settings.

Policy deployment method: Script

    Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint
    Protection Group Policy Tool to merge settings contained in multiple policy files. The
    merged settings can then be exported to a single XML file.

    Policies authored by:

    •   The exported XML policy file from Configuration Manager with Forefront Endpoint
        Protection installed.

    •   Preconfigured policies from the Microsoft Download Center.

    •   Policy settings exported from Group Policy to an XML policy file by using the Forefront
        Endpoint Protection Group Policy Tool.

    Additional information:

    •   FEP settings are written to the local policy.

    •   FEP GPO policy settings take precedence over the local policy settings.




Planning for Definition Updates
Computers running the FEP client software automatically check for definition updates according to
the schedule defined by the policy that is deployed to them.

When you are planning for definition updates in your environment, you should consider the
following factors:

   •   For Software Update or Windows Server Update Services definition updates:

           •     Ensure you have configured your network to allow communication between the
                 computer running Windows Server Update Services (WSUS) and the internet. For
                 more information about how to configure your network for WSUS, see Configure the
                 Network (http://go.microsoft.com/fwlink/?LinkId=206718) in the WSUS
                 documentation.

           •     You must either manually approve each definition update downloaded from
                 Microsoft Update to your WSUS server, or you can configure an automatic approval
                 rule. For more information about automatic approval rules, see Software Updates
                 and Windows Server Update Services Definition Updates.

           •     You should consider branch office locations and WSUS server locations. If you have
                 client computers distributed among branch offices, depending on the network
                 connection speed and utilization, it may be more efficient to configure those client
                 computers to retrieve definition updates directly from Microsoft Update.

   •   For Microsoft Update definition updates:

           •     If you plan to support direct update via Microsoft Update, ensure that you have the
                 appropriate network ports opened for communication to the Microsoft Update
                 servers.

               Tip:


           To ensure that your client computers always have the latest definition updates, enable
           direct updates via Microsoft Update for all client computers, not just portable computers.
           For more information about configuring client computers for Microsoft Update, see
           Microsoft Update Definition Updates.

   •   For File-Share-Based definition updates:

           •     When you configure clients to check a file share for definition updates, by default,
                 clients check the file share first, before checking WSUS or Microsoft Update. This
                 order can be changed. For more information, see Configuring Definition Updates.

           •     Ensure that the client computers connecting to the share in which you stored the
                 definition files have Read permissions.



            •   There are two files to download for each architecture (either x86 or x64):

                    •   The antimalware definitions

                    •   The network-based exploit definitions

Ensure that you download both files for both architectures, and save them on the share without
renaming them, following the steps described in File-Share-Based Definition Updates.
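The file-share points above (two packages per architecture, original file names kept, Read access for the client computers) can be scripted so the share is populated the same way every time. This is an added example, not code from the Forefront Endpoint Protection documentation, and it rests on assumptions the page does not state: that the packages are mpam-fe.exe (antimalware definitions) and nis_full.exe (network-based exploit definitions), that the share holds them in x86 and x64 subfolders, and that the fwlink IDs below are the current Microsoft download links. Confirm all three against the File-Share-Based Definition Updates topic before relying on them.

```powershell
<#
Added example (not from the FEP documentation): stage the four definition packages on a file
share and grant client computers Read access. Assumed and not stated on this page: the package
names, the x86/x64 folder layout and the download URLs in $packages.
#>
param(
    [Parameter(Mandatory = $true)][string]$SharePath,              # local path of the shared folder, e.g. D:\FEPDefs
    [string]$ReadersGroup = "$env:USERDOMAIN\Domain Computers"     # clients connect as computer accounts
)

$packages = @(
    @{ Arch = 'x86'; Name = 'mpam-fe.exe';  Url = 'http://go.microsoft.com/fwlink/?LinkID=121721&arch=x86' },
    @{ Arch = 'x64'; Name = 'mpam-fe.exe';  Url = 'http://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' },
    @{ Arch = 'x86'; Name = 'nis_full.exe'; Url = 'http://go.microsoft.com/fwlink/?LinkID=197094&arch=x86' },
    @{ Arch = 'x64'; Name = 'nis_full.exe'; Url = 'http://go.microsoft.com/fwlink/?LinkID=197094&arch=x64' }
)

$client = New-Object System.Net.WebClient
foreach ($pkg in $packages) {
    $folder = Join-Path $SharePath $pkg.Arch
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }

    # Download to a temporary file first so a failed or tampered download never lands on the share.
    $temp = Join-Path $env:TEMP ('{0}-{1}' -f $pkg.Arch, $pkg.Name)
    $client.DownloadFile($pkg.Url, $temp)

    # Every client trusts this share, so publish only Microsoft-signed packages.
    $sig = Get-AuthenticodeSignature -FilePath $temp
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Remove-Item -Path $temp -Force
        throw ('{0} ({1}) failed signature validation: {2}' -f $pkg.Name, $pkg.Arch, $sig.Status)
    }

    # Keep the original file name: clients look for it verbatim.
    Move-Item -Path $temp -Destination (Join-Path $folder $pkg.Name) -Force
}

# Clients need Read only. Never grant Write: a compromised client could then replace the
# definitions that every other client installs.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReadersGroup, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

Get-ChildItem -Path $SharePath -Recurse -Include *.exe | Select-Object FullName, Length, LastWriteTime
```

The NTFS rule above is only half of the permission check in the planning list: the SMB share permission on the folder must also allow Read for the same group. Schedule the script on the file server so the share never falls behind the definitions published on Microsoft Update.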

Migrating from Forefront Client Security to Forefront Endpoint Protection
The management infrastructure of Forefront Endpoint Protection (FEP) is built on the System Center
family of products, while the management infrastructure of Forefront Client Security (FCS) runs on a
customized version of Microsoft Operations Manager 2005.

Because the management infrastructure on which these programs run is different, you cannot
directly upgrade from FCS to FEP. In order to migrate from FCS to FEP, you must perform the
following steps:

    1. In the FCS console, document the settings for each policy you want to preserve for FEP.

    2. In WSUS, unapprove all of the FCS client installation packages. These packages are listed as
       follows:

            •   Classification: Updates

            •   Product: Forefront Client Security

The updates have names in the following format:

Client Update for Microsoft Forefront Client Security (1.0.xxxx.0)
where xxxx is the specific build number for each package. You must unapprove all of the updates.


           Caution:


         You should not uninstall the FCS client software. Doing so would leave your client computers
         unprotected. When you deploy the FEP client software, the FEP client software uninstalls the FCS
         client software for you.

    3. Install FEP on a System Center Configuration Manager server. For steps explaining how to
       do this, see FEP 2010.

    4. Create FEP policies that contain the settings that you want to continue to enforce on your
       client computers. For more information about FEP policies, see Configuring Client Settings by
       Using Policies.

    5. Deploy the FEP client software to the computers in your organization that are running the
       FCS client software. For steps on how to deploy the FEP client software, see FEP 2010.



        The FEP client software uninstalls the FCS client software before installing. For more
        information, see FEP 2010.

           Important:


         The uninstall of the FCS client software also uninstalls the Microsoft Operations Manager 2005
         agent.

    6. After you confirm that all computers running the FCS client software are successfully running
       the FEP client software, you should undeploy the FCS policies. In the FCS console, undeploy
       the policy you created to install the FCS client software. For more information about
       monitoring FEP client software deployment, see Validating Deployment. For more
       information about undeploying FCS policies, see Removing an existing installation of Client
       Security (http://go.microsoft.com/fwlink/?LinkId=206850).

  Important:


 If you uninstall the FCS management infrastructure (the management, collection, collection
 database, reporting, and reporting database roles), the data stored in the reporting database is
 no longer accessible.

In order to preserve the historical reporting information stored in the FCS reporting database, you
should not uninstall your FCS management infrastructure until you no longer need this data.
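Step 2 of the migration is the one most easily done incompletely by hand: every approval of every FCS client package, for every computer target group, has to go, or WSUS reinstalls FCS on a client that FEP has just cleaned up. The following script is an added example, not code from the Forefront Endpoint Protection documentation; it uses the WSUS administration API and assumes it runs on the WSUS server itself (AdminProxy.GetUpdateServer() with no arguments connects locally) and that the FCS packages carry the product title "Forefront Client Security" and the classification "Updates" exactly as listed in the steps above.

```powershell
<#
Added example (not from the FEP documentation): remove every approval of the FCS client
installation packages in WSUS (migration step 2). Assumed: the script runs on the WSUS server
and the packages match the product, classification and title pattern listed in the steps.
#>
param([switch]$Commit)   # without -Commit the script only lists what it would unapprove

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Narrow the query server-side, then apply the exact title pattern from the migration steps.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.TextIncludes = 'Forefront Client Security'
$titlePattern = '^Client Update for Microsoft Forefront Client Security \(1\.0\.\d+\.0\)$'

$fcsPackages = @($wsus.GetUpdates($scope) | Where-Object {
    $_.Title -match $titlePattern -and
    $_.UpdateClassificationTitle -eq 'Updates' -and
    ($_.ProductTitles -contains 'Forefront Client Security')
})

if ($fcsPackages.Count -eq 0) { Write-Host 'No FCS client installation packages found.'; return }

foreach ($update in $fcsPackages) {
    # An update is approved per computer target group; each approval is removed separately.
    $approvals = @($update.GetUpdateApprovals())
    Write-Host ('{0}  (approvals: {1})' -f $update.Title, $approvals.Count)
    foreach ($approval in $approvals) {
        Write-Host ('    {0} -> {1}' -f $approval.GetComputerTargetGroup().Name, $approval.Action)
        if ($Commit) { $approval.Delete() }
    }
}
if (-not $Commit) { Write-Host 'Dry run only; rerun with -Commit to remove the approvals.' }
```

Removing the approvals is deliberately all the script does: the packages stay in WSUS unapproved and are not declined, and nothing is uninstalled from clients, which keeps them protected until the FEP client replaces FCS as the caution above requires.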


    9. Server Installation
The Microsoft Forefront Endpoint Protection 2010 installation content helps you install Forefront
Endpoint Protection using the supported topologies. This section includes the following main topics:

    •   FEP 2010

    •   FEP 2010 Security Management Pack

FEP 2010
Installation of Microsoft Forefront Endpoint Protection 2010 consists of downloading Forefront
Endpoint Protection, verifying prerequisites, installing the Forefront Endpoint Protection server, and
validating that the installation was successful.

The steps required to install Forefront Endpoint Protection are described in this section.

Overview of Installing Forefront Endpoint Protection
Install Forefront Endpoint Protection by completing the following steps in order:

    •   Step 1—Download and expand Forefront Endpoint Protection from the Forefront Endpoint
        Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).



Server Installation
                                                                                   Page number 44


           Important:


         The path to where Setup files are located must only contain ASCII characters.

    •   Step 2—Verify that your environment meets the prerequisites. For more information, see
        Prerequisites for Installing Forefront Endpoint Protection on a Server.

           Important:


         If you are installing Forefront Endpoint Protection on a server using one of the following
         topologies, the Forefront Endpoint Protection client software is deployed on the computer where
         Setup is run:

                      •   Basic topology

                      •   Basic topology with remote reporting database

                      •   Advanced topology with FEP 2010 Reporting and Alerts

         Therefore, before proceeding with this installation, you need to verify that the computer where
         Setup is run also meets the client software’s prerequisites. For more information, see
         Prerequisites for Deploying Forefront Endpoint Protection on a Client.

         Additionally, the deployment of the client software can require the computer to be restarted. If
         you are prompted to restart your computer, you must wait for Setup to complete before
         restarting.

    •   Step 3—Install the Forefront Endpoint Protection server. For more information, see
        Installation Options.

           Warning:


         If you are installing the Forefront Endpoint Protection databases on a SQL Server cluster and the
         active cluster node fails during installation, Setup can fail to complete as expected.


           Important:


         If Setup is run on a Configuration Manager site server with the Configuration Manager agent
         running and the topology specified in Step 2 requires the Forefront Endpoint Protection client to
         be installed, the customized settings need to be reapplied to the Forefront Endpoint Protection
         client. For more information, see Configuring the Client Software on a Configuration Manager Site
         Server.




           Note:


         If you select to update from Microsoft Update when finishing Setup, the wizard can take several
         minutes to close and appears as if it is frozen.




    •   Step 4—Validate that the installation succeeded. For more information, see Validating
        Installation.


Installation Options
This section provides procedures to help you install Forefront Endpoint Protection. You can choose
from several different installation topologies, or you can install one or more stand-alone instances of
the Forefront Endpoint Protection console. For more information about topologies, see Choosing
Your Setup.

The following table is a list of step-by-step procedures for installing Forefront Endpoint Protection.

Procedure               Description


 Installing Using       This procedure details the steps for installing Forefront Endpoint Protection
 Basic Setup            based on the Configuration Manager deployment.


 Installing Using       This procedure details the steps for installing Forefront Endpoint Protection
 Basic with a           based on the Configuration Manager deployment. In addition, you can
 Remote Reporting       specify an alternative Microsoft SQL Server computer name for the
 Database Setup         Forefront Endpoint Protection reporting configuration.


 Installing Using       This procedure details the steps for installing Forefront Endpoint Protection
 Advanced Setup         based on the Configuration Manager deployment and lets you specify the
                        features that you want to install. In addition, you can specify alternative
                        Microsoft SQL Server computer names for the Forefront Endpoint
                        Protection database and reporting configuration settings.




Installing Using Basic Setup
This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic
topology.




 Prerequisites
Before you install Forefront Endpoint Protection server, make sure that your environment meets all
the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint
Protection on a Server.

To install the Forefront Endpoint Protection server

    1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta
       from the autorun folder in the root of the DVD.

    2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

    3. On the Welcome page:

            a. In the Name box, type your name.

            b. In the Organization box, type the name of your organization, and then click Next.

    4. On the Microsoft Software License Terms page, review the license agreement. If you accept
       the terms and conditions, select the I accept the software license terms check box, and then
       click Next.

    5. On the Installation Options page, select Basic topology, and then click Next.

    6. On the Reporting Configuration page, under SQL Reporting Services reporting execution
       account:

            a. In the URL box, verify the URL of your reporting server.

            b. In the User name box, verify the name of the user account that is used to connect to the
               reporting server.

                 Note:
                 If you specify a domain administrator account, a warning message appears.

            c. In the Password box, type the password for the specified user account, and then click
               Next.

    7. On the Updates and Customer Experience Options page:

            •   If you want to update your Forefront Endpoint Protection installation automatically,
                select the Use Microsoft Update to keep my products up to date check box.

            •   If you want to participate in improving the product by anonymously providing
                hardware and usage information, select the Join the Customer Experience
                Improvement Program option, and then click Next.

    8. On the Microsoft SpyNet Policy Configuration page:

            •   If you want to participate in improving the antimalware abilities of the Forefront
                Endpoint Protection client by providing basic telemetry information about detected
                malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet
                membership. This option is selected by default.

            •   If, in addition to the basic SpyNet membership, you want to provide advanced
                telemetry information about potential malware, select the Join Microsoft SpyNet
                check box, click Advanced SpyNet membership, and then click Next.

                 Important:
                 These options affect the settings in the Forefront Endpoint Protection default policies. For
                 information about modifying policies, see Configuring Client Settings by Using Policies.

    9. On the Installation Location page, specify the root folder for the installation, and then click
       Next.

    10. On the Prerequisites Verification page, review the verification results, and then click Next. If
        there are verifications that failed, in the row of each failed verification, in the Details column,
        click More to determine the cause, and then take appropriate action.

    11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation
successfully completes, click Next.

         Important:
         If you are prompted to restart your computer, you must wait for Setup to complete before
         restarting.

    12. On the Installation Complete page, click Finish.

         Important:
         As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client
         is installed with customized settings on the Configuration Manager Site Server. If the
         Configuration Manager agent is installed on this server, or you did not install Configuration
         Manager or SQL Server using the default locations, or you did not use the default SQL Server
         instance, you must recreate or modify the customized settings. For more information, see
         Configuring the Client Software on a Configuration Manager Site Server.

Next Steps

Once you have completed the installation, you should validate the installation. For more information,
see Validating Installation.

Installing Using Basic with a Remote Reporting Database Setup


This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic
topology with remote reporting database.

Prerequisites

Before you install Forefront Endpoint Protection server, make sure that your environment meets all
the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint
Protection on a Server.

To install the Forefront Endpoint Protection server

    1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta
       from the autorun folder in the root of the DVD.

    2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

    3. On the Welcome page:

             a. In the Name box, type your name.

             b. In the Organization box, type the name of your organization, and then click Next.

    4. On the Microsoft Software License Terms page, review the license agreement. If you accept
       the terms and conditions, select the I accept the software license terms check box, and then
       click Next.

    5. On the Installation Options page, select Basic topology with remote reporting database,
       and then click Next.

    6. On the Reporting Configuration page:

             a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings

                      i.    In the Computer box, verify the name of the reporting database computer.

                      ii.   In the Instance box, verify the name of the reporting database instance.

                  iii.      In the Database name box, accept the default name of the reporting
                            database.

                   iv.      If you are reinstalling and you want to reuse the existing database, select the
                            Reuse existing database check box.

        Important:
        If you select this option, you must use the original database name and verify that it exists on the
        specified SQL Server instance on the specified computer.

            b. Under SQL Reporting Services reporting execution account

                      i.    In the URL box, verify the URL of your reporting server.

                      ii.   In the User name box, verify the name of the user account that is used to
                            connect to the reporting server.

        Note:
        If you specify a domain administrator account, a warning message appears.

                   iii.     In the Password box, type the password for the specified user account, and
                            then click Next.

    7. On the Updates and Customer Experience Options page:

            •     If you want to update your Forefront Endpoint Protection installation automatically,
                  select the Use Microsoft Update to keep my products up to date check box.

            •     If you want to participate in improving the product by anonymously providing
                  hardware and usage information, select the Join the Customer Experience
                  Improvement Program option, and then click Next.

    8. On the Microsoft SpyNet Policy Configuration page:

            •     If you want to participate in improving the antimalware abilities of the Forefront
                  Endpoint Protection client by providing basic telemetry information about detected
                  malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet
                  membership. This option is selected by default.

            •     If, in addition to the basic SpyNet membership, you want to provide advanced
                  telemetry information about potential malware, select the Join Microsoft SpyNet
                  check box, click Advanced SpyNet membership, and then click Next.

        Important:
        These options affect the settings in the Forefront Endpoint Protection default policies. For
        information about modifying policies, see Configuring Client Settings by Using Policies.

    9. On the Installation Location page, specify the root folder for the installation, and then click
       Next.

    10. On the Prerequisites Verification page, review the verification results, and then click Next. If
        there are verifications that failed, in the row of each failed verification, in the Details column,
        click More to determine the cause, and then take appropriate action.

    11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation
successfully completes, click Next.

         Important:
         If you are prompted to restart your computer, you must wait for Setup to complete before
         restarting.

    12. On the Installation Complete page, click Finish.

         Important:
         As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client
         is installed with customized settings on the Configuration Manager Site Server. If the
         Configuration Manager agent is installed on this server, or you did not install Configuration
         Manager or SQL Server using the default locations, or you did not use the default SQL Server
         instance, you must recreate or modify the customized settings. For more information, see
         Configuring the Client Software on a Configuration Manager Site Server.

Next Steps

Once you have completed the installation, you should validate the installation. For more information,
see Validating Installation.

Installing Using Advanced Setup
Using advanced topology enables you to install individual Forefront Endpoint Protection features.
Since you can select one or more of these features during the advanced topology installation, the
steps relevant to each feature are described separately.

The following is a list of the step-by-step procedures for the advanced topology features:

    •   To install Configuration Manager Site Server FEP 2010 Extension

    •   To install FEP 2010 Reporting and Alerts

         Warning:
         If you are not installing this feature on a Configuration Manager site server, you must perform the
         following on the servers running the Configuration Manager site server and Configuration
         Manager WMI Provider roles:

                      1. Configure DCOM permissions. For more information, see How to Configure DCOM
                         Permissions for Configuration Manager Console Connections
                         (http://go.microsoft.com/fwlink/?LinkId=206626).

                      2. Add the computer on which you are installing Forefront Endpoint Protection
                         reporting to the local SMS Admins security group.

         Note:
         This feature installs the configuration baselines and configuration items that are used to collect
         reporting and alerting data. If you are installing on a parent Configuration Manager site, the
         configuration baselines and configuration items are overwritten in the child sites.

    •   To install Configuration Manager Console Extension for FEP 2010

Prerequisites

Before you install Forefront Endpoint Protection on a server, make sure that your environment
meets all the minimum requirements. For more information, see Prerequisites for Installing
Forefront Endpoint Protection on a Server.

To install the Configuration Manager Site Server FEP 2010 Extension

    1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta
       from the autorun folder in the root of the DVD.

    2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

    3. On the Welcome page:

            a. In the Name box, type your name.

            b. In the Organization box, type the name of your organization, and then click Next.

    4. On the Microsoft Software License Terms page, review the license agreement. If you accept
       the terms and conditions, select the I accept the software license terms check box, and then
       click Next.

    5. On the Installation Options page, select Advanced topology, and then click Next.

    6. On the Advanced Topology page, select Configuration Manager Site Server FEP 2010
       Extension, and then click Next.

    7. On the Updates and Customer Experience Options page:

            •   If you want to update your Forefront Endpoint Protection installation automatically,
                select the Use Microsoft Update to keep my products up to date check box.

            •   If you want to participate in improving the product by anonymously providing
                hardware and usage information, select the Join the Customer Experience
                Improvement Program option, and then click Next.

    8. On the Microsoft SpyNet Policy Configuration page:

            •   If you want to participate in improving the antimalware abilities of the Forefront
                Endpoint Protection client software by providing basic telemetry information about
                detected malware, select the Join Microsoft SpyNet check box, and then click Basic
                SpyNet membership. This option is selected by default.

            •   If, in addition to the basic SpyNet membership, you want to provide advanced
                telemetry information about potential malware, select the Join Microsoft SpyNet
                check box, click Advanced SpyNet membership, and then click Next.

        Important:
        These options affect the settings in the Forefront Endpoint Protection default policies. For
        information about modifying policies, see Configuring Client Settings by Using Policies.

    9. On the Installation Location page, specify the root folder for the installation, and then click
       Next.

    10. On the Prerequisites Verification page, review the verification results, and then click Next. If
        there are verifications that failed, in the row of each failed verification, in the Details column,
        click More to determine the cause, and then take appropriate action.

    11. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation
successfully completes, click Next.

    12. On the Installation Complete page, click Finish.

To install FEP 2010 Reporting and Alerts

    1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta
       from the autorun folder in the root of the DVD.

    2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

    3. On the Welcome page:

            a. In the Name box, type your name.

            b. In the Organization box, type the name of your organization, and then click Next.

    4. On the Microsoft Software License Terms page, review the license agreement. If you accept
       the terms and conditions, select the I accept the software license terms check box, and then
       click Next.

    5. On the Installation Options page, select Advanced topology, and then click Next.

    6. On the Advanced Topology page, select FEP 2010 Reporting and Alerts, and then click Next.

    7. On the Configuration Manager Site Server Settings page, verify the name of the
       Configuration Manager site server, and then click Next. If you want to view more details
       about the site server, click Details.

    8. On the Forefront Endpoint Protection 2010 Server Database Configuration page, verify the
       name of the Forefront Endpoint Protection database, and then click Next.

    9. On the Reporting Configuration page:

            a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings:

                      i.    In the Computer box, verify the name of the reporting database computer.

                      ii.   In the Instance box, verify the name of the reporting database instance.

                  iii.      In the Database name box, accept the default name of the reporting
                            database.

                  iv.       If you are reinstalling and you want to reuse the existing database, select the
                            Reuse existing database check box.

        Important:
        If you select this option, you must use the original database name and verify that it exists on the
        specified SQL Server instance on the specified computer.

            b. Under SQL Reporting Services reporting execution account:

                      i.    In the URL box, verify the URL of your reporting server.

                      ii.   In the User name box, verify the name of the user account that is used to
                            connect to the reporting server.

        Note:
        If you specify a domain administrator account, a warning message appears.

                   iii.   In the Password box, type the password for the specified user account, and
                          then click Next.

    10. On the Updates and Customer Experience Options page:

            •     If you want to update your Forefront Endpoint Protection installation automatically,
                  select the Use Microsoft Update to keep my products up to date check box.

            •     If you want to participate in improving the product by anonymously providing
                  hardware and usage information, select the Join the Customer Experience
                  Improvement Program option, and then click Next.

    11. On the Microsoft SpyNet Policy Configuration page:

            •     If you want to participate in improving the antimalware abilities of the Forefront
                  Endpoint Protection client software by providing basic telemetry information about
                  detected malware, select the Join Microsoft SpyNet check box, and then click Basic
                  SpyNet membership. This option is selected by default.

            •     If, in addition to the basic SpyNet membership, you want to provide advanced
                  telemetry information about potential malware, select the Join Microsoft SpyNet
                  check box, click Advanced SpyNet membership, and then click Next.

    12. On the Installation Location page, specify the root folder for the installation, and then click
        Next.

    13. On the Prerequisites Verification page, review the verification results, and then click Next. If
        there are verifications that failed, in the row of each failed verification, in the Details column,
        click More to determine the cause, and then take appropriate action.

    14. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation
successfully completes, click Next.

         Important:
         If you are prompted to restart your computer, you must wait for Setup to complete before
         restarting.

    15. On the Installation Complete page, click Finish.

         Important:
         As part of the FEP 2010 Reporting and Alerts installation, the Forefront Endpoint Protection client
         software is installed with customized settings. If you are installing Forefront Endpoint Protection
         on your Configuration Manager site server, and either the Configuration Manager agent is
         installed on this server, or you did not install Configuration Manager or SQL Server using the
         default locations, or you did not use the default SQL Server instance, you must recreate or modify
         the customized settings. For more information, see Configuring the Client Software on a
         Configuration Manager Site Server.

To install the Configuration Manager Console Extension for FEP 2010

    1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta
       from the autorun folder in the root of the DVD.

    2. Select your preferred language, and then click FEP 2010.

The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.

    3. On the Welcome page:

            a. In the Name box, type your name.

            b. In the Organization box, type the name of your organization, and then click Next.

    4. On the Microsoft Software License Terms page, review the license agreement. If you accept
       the terms and conditions, select the I accept the software license terms check box, and then
       click Next.

    5. On the Installation Options page, select Advanced topology, and then click Next.

    6. On the Advanced Topology page, select Configuration Manager Console Extension for FEP
       2010, and then click Next.

    7. On the Installation Location page, specify the root folder for the installation, and then click
       Next.

    8. On the Prerequisites Verification page, review the verification results, and then click Next. If
       there are verifications that failed, in the row of each failed verification, in the Details column,
       click More to determine the cause, and then take appropriate action.

    9. On the Setup Summary page, review the details, and then click Install.

The Installation page shows the installation progress of each installation item. When the installation
successfully completes, click Next.

    10. On the Installation Complete page, click Finish.

Next Steps

Once you have completed the installation, you should validate the installation. For more information,
see Validating Installation.

Validating Installation


Once you have completed the installation, you can validate the installation by checking for Forefront
Endpoint Protection in the Configuration Manager console, or by examining the log files created by
Setup.

To Verify the Forefront Endpoint Protection Server Installation

    1. Open the Configuration Manager console.

         Note:
         If the Configuration Manager console was open during the Forefront Endpoint Protection server
         installation, close and then reopen the console.

    2. In the Configuration Manager console, verify that the following are present:

             •   The Forefront Endpoint Protection collections—Expand System Center Configuration
                 Manager, expand Site Database, expand Computer Management, expand
                 Collections, expand FEP collections, and then check for the following collections:

                      •   Definition Status

                      •   Deployment Status

                      •   Operations

                      •   Policy Distribution Status

                      •   Protection Status

                      •   Security Status

             •   The Forefront Endpoint Protection packages—Expand System Center Configuration
                 Manager, expand Site Database, expand Computer Management, expand Software
                 Distribution, click Packages, and then check for the following packages in the
                 preview pane:

                      •   FEP - Deployment

                      •   FEP - Operations

                      •   FEP - Policies

            •    The Forefront Endpoint Protection Desired Configuration Management configuration
                 baselines—Expand System Center Configuration Manager, expand Site Database,
                 expand Computer Management, click Desired Configuration Management, click
                 Configuration Baselines, and then check for the following configuration baselines in
                 the preview pane:

                      •   FEP - High-Security Desktop

                      •   FEP - Laptop

                      •   FEP - Performance-Optimized Desktop

                      •   FEP - Standard Desktop

                      •   FEP Monitoring - Antimalware Status

                      •   FEP Monitoring - Definitions and Health Status

                      •   FEP Monitoring - Malware Activity

                      •   FEP Monitoring - Malware Detections

            •    The Forefront Endpoint Protection node—Expand System Center Configuration
                 Manager, expand Site Database, expand Computer Management, click Forefront
                 Endpoint Protection, and then check for the following:

                      •   In the preview pane, the Forefront Endpoint Protection Dashboard

                      •   The Policies child node

                      •   The Alerts child node

                      •   The Reports child node

Installation Log Files

During installation, Forefront Endpoint Protection uses log files that can be helpful in locating and
resolving issues. Log files are in text format and you can view them by using a text editor.

Server log files are located in the following location:

    •   If you installed Forefront Endpoint Protection on Windows Server 2003,
        %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server

    •   If you installed Forefront Endpoint Protection on Windows Server 2008,
        %ProgramData%\Microsoft Forefront\Support\Server

The file names are in the following format:

LogFileName_Date_Time.log

where the following is true:

    •   LogFileName is the name of the log file.

    •   Date is the day, month, and year the log was created, in the format DDMMYYY.

    •   Time is the hour, minute, and second the log file was created, in the format HHMMSS.

The following table lists setup log files and the components with which they are associated.


Log file                                                File name
Forefront Endpoint Protection Site Server Extensions    FEPExt_xxx_xxx.log
Forefront Endpoint Protection Reporting Components      FepReport_xxx_xxx.log
Forefront Endpoint Protection Console Extensions        FEPUX_xxx_xxx.log
Forefront Endpoint Protection Setup                     ServerSetup_xxx_xxx.log

Client log files are, by default, located in the following location:

    •   If you installed Forefront Endpoint Protection on Windows XP, Windows Vista or Windows
        2003, %allusersprofile%\Microsoft\Microsoft Security Client\Support

    •   If you installed Forefront Endpoint Protection on Windows 7 or Windows Server 2008,
        %ProgramData%\Microsoft\Microsoft Security Client\Support

The following table lists the client setup log files.

File name
MSSecurityClient_Setup_epp_install.log
MSSecurityClient_Setup_FEP_install.log
MSSecurityClient_Setup_mp_ambits_install.log
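The following PowerShell script is an added example, not part of the Forefront Endpoint Protection documentation: it locates the server and client Setup log folders named above, splits each server log name into its LogFileName, Date and Time parts, and maps the prefix to the component from the table. It assumes only the directory layout and the LogFileName_Date_Time.log convention given in this section; the "error" line count is a generic reading aid, not a FEP status code.

```powershell
# Added example, not from the FEP documentation. Assumes the log directories and the
# LogFileName_Date_Time.log naming convention described in this section.

# LogFileName prefix -> component, taken from the server log file table above.
$FepServerLogComponents = @{
    'FEPExt'      = 'Forefront Endpoint Protection Site Server Extensions'
    'FepReport'   = 'Forefront Endpoint Protection Reporting Components'
    'FEPUX'       = 'Forefront Endpoint Protection Console Extensions'
    'ServerSetup' = 'Forefront Endpoint Protection Setup'
}

function Get-FepLogDirectory {
    # Pick the log folder for this operating system. %ProgramData% exists on
    # Windows Vista / Windows Server 2008 and later; Windows XP / Server 2003 only
    # have %AllUsersProfile%, which is why the paths in the text differ.
    param([switch]$Client)

    if ($env:ProgramData) {
        $base = $env:ProgramData
        if ($Client) { return Join-Path $base 'Microsoft\Microsoft Security Client\Support' }
        return Join-Path $base 'Microsoft Forefront\Support\Server'
    }
    $base = $env:AllUsersProfile
    if ($Client) { return Join-Path $base 'Microsoft\Microsoft Security Client\Support' }
    return Join-Path $base 'Application Data\Microsoft Forefront\Support\Server'
}

function Get-FepSetupLog {
    # List the Setup logs in $Path, newest first. A name of the form
    # <LogFileName>_<Date>_<Time>.log is split into its three parts; the digit
    # fields are kept as text because this example assumes nothing about their
    # layout beyond what the text above states. Client logs (which do not follow
    # that pattern) are listed under their full base name.
    param([string]$Path = (Get-FepLogDirectory))

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Log directory not found: $Path"
        return
    }

    Get-ChildItem -LiteralPath $Path -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $m = [regex]::Match($_.BaseName, '^(?<name>.+?)_(?<date>\d+)_(?<time>\d+)$')
            if ($m.Success) {
                $logName   = $m.Groups['name'].Value
                $dateField = $m.Groups['date'].Value
                $timeField = $m.Groups['time'].Value
            } else {
                $logName   = $_.BaseName
                $dateField = ''
                $timeField = ''
            }
            $component = $FepServerLogComponents[$logName]
            if (-not $component) { $component = '(client or unknown log)' }

            # Plain case-insensitive count of lines containing "error": a hint for
            # where to start reading, not a FEP-specific result code.
            $errorLines = @(Select-String -Path $_.FullName -Pattern 'error' -SimpleMatch).Count

            New-Object PSObject -Property @{
                Component  = $component
                LogName    = $logName
                DateField  = $dateField
                TimeField  = $timeField
                ErrorLines = $errorLines
                LastWrite  = $_.LastWriteTime
                FullName   = $_.FullName
            }
        }
}

# Usage: review the server-side Setup logs, then the client logs on the same computer.
Get-FepSetupLog | Format-Table Component, LogName, DateField, TimeField, ErrorLines, LastWrite -AutoSize
Get-FepSetupLog -Path (Get-FepLogDirectory -Client) | Format-Table LogName, ErrorLines, LastWrite -AutoSize
```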

Configuring the Client Software on a Configuration Manager Site Server
As part of the Forefront Endpoint Protection installation on the Configuration Manager site server,
the Forefront Endpoint Protection client is installed with customized settings. In the following
situations, you must recreate or modify the Forefront Endpoint Protection client customized settings:

    •   If you install Forefront Endpoint Protection on a Configuration Manager site server running
        the Configuration Manager agent, the customized settings are overwritten by the Default
        Server Policy and can adversely affect the operation of your Configuration Manager site
        server. To remediate, you must create a new policy and apply it to the Configuration
        Manager site server. For more information, see “Creating and applying the customized
        policy” later.

    •   If Configuration Manager or SQL Server is not installed in the default location, or the SQL
        Server instance is not MSSQLSERVER, you must update the customized settings to reflect
        your environment's settings. For more information, see “Updating customized settings” later.

Creating and applying the customized policy

    1. Create a new Forefront Endpoint Protection policy using the FEP Configuration Manager
       2007 including Defaults template. For more information, see Creating a Policy.

    2. If Microsoft SQL Server is installed on the Configuration Manager site server computer, edit
       the policy, click Antimalware, click Excluded processes, and add the relevant processes from
       the following table. For more information about editing policies, see Editing a Policy.

         SQL Server version    Processes

         SQL Server 2008       •   %programfiles%\Microsoft SQL Server\MSSQL10.<instance>\MSSQL\Binn\SQLServr.exe
                               •   %programfiles%\Microsoft SQL Server\MSAS10.<instance>\OLAP\Bin\MSMDSrv.exe
                               •   %programfiles%\Microsoft SQL Server\MSRS10.<instance>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

         SQL Server 2005       •   %programfiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
                               •   %programfiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
                               •   %programfiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe

         where <instance> is the name of your SQL Server instance. The default SQL Server
         instance is MSSQLSERVER.

     3. Select an existing, or create a new, collection in which the Configuration Manager site server
        is the only member. If you need to create the collection, do the following:

            a. In the Configuration Manager console, expand System Center Configuration Manager,
               expand Site Database, expand Computer Management, click Collections, and then in the
               Actions pane, click New Collection.

            b. Complete the New Collection Wizard that appears, as follows:

                      i.       On the General page, type the name for the collection.

                      ii.      On the Membership Rules page, click the icon with a computer image.

                   iii.        Complete the Create Direct Membership Rule Wizard that appears, as
                               follows:

                                 i.    On the Search for Resources page, do the following:

                                         i.      In the Resource class list, click System Resource.

                                         ii.     In the Attribute name list, click Name.

                                        iii.     In the Value box, type the name of your Configuration
                                                 Manager site server computer.

                                 ii.   On the Collection Limiting page, in the Search in this collection box,
                                       enter All Systems.

                                iii.   On the Select Resource page, in the Resources list, select the name
                                       of your Configuration Manager site server computer.

     4. Assign the new policy to the collection. For more information, see Assigning a Policy to
        Endpoint Computers.

           Important:


          If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server
          instance is not MSSQLSERVER, you must update the customized settings to reflect your
          environment's settings.

Updating customized settings

If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server
instance is not MSSQLSERVER, you must update the customized settings to reflect your
environment's settings. To update your customized settings, edit the relevant policy or the settings on
the Forefront Endpoint Protection client, and modify the paths specified in the following sections:

    •   Excluded files and locations

    •   Excluded processes

           Note:


         This is only required if Microsoft SQL Server is installed on the Configuration Manager site server
         computer.
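
The process paths in the table above depend on %programfiles% and on the SQL Server instance name, and the note above requires them to be updated for non-default installations. The following PowerShell, an added example and not part of the Forefront Endpoint Protection documentation, expands the table's paths for a given SQL Server version and instance and reports which executables actually exist on the site server, so the list can be checked before it is entered in the policy; the function and parameter names are assumptions, not names from the product.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation):
# expand the SQL Server process exclusions from the table for a given SQL
# Server version and instance, and check that each executable exists on
# the Configuration Manager site server. Function and parameter names are
# assumptions, not names from the product.
function Get-FepSqlProcessExclusions {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('2005', '2008')]
        [string]$SqlVersion,

        # Instance name that appears in the MSSQL10.<instance> folder names.
        # Only SQL Server 2008 paths use it; 2005 paths use MSSQL.1, .2, .3.
        [string]$Instance = 'MSSQLSERVER',

        # Use this when SQL Server is not installed under %programfiles%
        # (the case the Important note says requires customized settings).
        [string]$ProgramFiles = $env:ProgramFiles
    )

    $root = Join-Path -Path $ProgramFiles -ChildPath 'Microsoft SQL Server'

    # Relative paths exactly as listed in the policy table.
    $relativePaths = switch ($SqlVersion) {
        '2008' {
            "MSSQL10.$Instance\MSSQL\Binn\SQLServr.exe"
            "MSAS10.$Instance\OLAP\Bin\MSMDSrv.exe"
            "MSRS10.$Instance\Reporting Services\ReportServer\Bin\ReportingServicesService.exe"
        }
        '2005' {
            'MSSQL.1\MSSQL\Binn\SQLServr.exe'
            'MSSQL.2\OLAP\Bin\MSMDSrv.exe'
            'MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe'
        }
    }

    foreach ($relativePath in $relativePaths) {
        $fullPath = Join-Path -Path $root -ChildPath $relativePath
        # Exists = False means the policy path must be edited for this server;
        # otherwise the exclusion silently matches nothing.
        New-Object -TypeName PSObject -Property @{
            Process = $fullPath
            Exists  = (Test-Path -LiteralPath $fullPath -PathType Leaf)
        } | Select-Object Process, Exists
    }
}

# Run on the site server. For a named instance, pass its name; for SQL Server
# installed elsewhere, pass -ProgramFiles with the actual root folder.
Get-FepSqlProcessExclusions -SqlVersion 2008 -Instance 'MSSQLSERVER' |
    Format-Table -AutoSize -Wrap
```

Rows with Exists = False are the paths that must be changed in Excluded processes (and the matching folders in Excluded files and locations) before the policy is assigned.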




Moving from a Public RC Version to a Retail Version
There is no way to automatically upgrade from the Public RC version of Forefront Endpoint
Protection to the retail version of Forefront Endpoint Protection (FEP). Therefore, in order to move
from the Public RC version installed in a lab to the retail version in the same lab or a production
environment, use the following guidance:

To manually migrate from the Public RC version of FEP to the retail version of FEP

    1. Save the settings of your Public RC version of FEP (Optional). To do so, complete the
       following steps:

            •   Export your custom FEP policies. For more information, see Exporting a Policy.

            •   Manually record the following details:

                      •   FEP policy assignments

                      •   FEP policy precedence

                      •   FEP alert e-mail settings and custom notifications

                      •   FEP Desired Configuration Management configuration baseline assignments

    2. Uninstall the Public RC version of FEP from your lab servers (optional if you are moving FEP to
       a production environment). For more information, see Uninstalling.

           Note:


         If you want to install the retail version with a new FEP reporting database, delete the FEPDW_XXX
         database on your SQL Server.




       3. Install the retail version of FEP on your servers. For more information, see Server Installation.

             Note:


            If you are reusing the Public RC version of the FEP reporting database, you must install FEP using
            one of the following installation options:

                        •   Basic topology with remote reporting database

                        •   Advanced topology with FEP 2010 Reporting and Alerts

       4. Restore the settings from your Public RC version of FEP (Optional). To do so, complete the
          following steps:

               •   Import the custom FEP policies you previously exported. For more information, see
                   Importing a Policy.

               •   Assign FEP policies to collections. For more information, see Assigning a Policy to
                   Endpoint Computers.

               •   Set FEP policy precedence. For more information, see Setting Policy Precedence.

               •   Configure FEP alert e-mail settings and create custom notifications. For more
                   information, see Using Alerts to Monitor Malware Detections.

               •   Assign Desired Configuration Management configuration baselines. For more
                   information, see Using Desired Configuration Management to Monitor Client
                   Compliance.

       5. Upgrade the Public RC version of FEP on client computers. To do so, complete the following
          steps:

  a.       Create a static collection based on the computers in the Out of Date FEP collection.

  b.     Uninstall the Public RC version of FEP from client computers in the static collection you
  created. For more information, see Uninstalling.

  c.     Deploy the retail version of FEP on client computers in the static collection you created.
  When you configure the deployment advertisement, it is recommended that you configure the
  deployment advertisement properties as follows:

i.         In the New Advertisement Wizard, on the Schedule page, next to Mandatory assignments,
  click the button to create a new assignment schedule, and configure the assignment schedule to
  rerun once an hour.

ii.        In the Program rerun behavior list, select Rerun if failed previous attempt.

  For more information, see Deploying by Using Configuration Manager Packages.




          Important:


        There can be a delay of up to an hour from the time a Public RC version of FEP is uninstalled from
        a client computer until the retail version is installed on it. During this time, these computers are
        unprotected.


          Note:


        After the installation package is advertised to a client computer, that computer will no longer be
        visible in the FEP Out of Date collection.

d.      Monitor the deployment using the Deployment Overview report, and click the links to view
the static collection you created.

Uninstalling
There can be up to four Forefront Endpoint Protection entries in the Control Panel depending on the
installation options selected during Setup. This topic provides the step-by-step procedures to
uninstall each Forefront Endpoint Protection feature from a server.

The following table is a list of the Control Panel entries.

Control Panel entry                                      Description

Microsoft Forefront Endpoint Protection 2010             The Forefront Endpoint Protection client software
Microsoft Forefront Endpoint Protection 2010 Console     The Forefront Endpoint Protection console extensions for
                                                         Configuration Manager
Microsoft Forefront Endpoint Protection 2010 Reporting   The Forefront Endpoint Protection reporting role
Microsoft Forefront Endpoint Protection 2010 Server      The Forefront Endpoint Protection site server extensions
                                                         for Configuration Manager




To uninstall Forefront Endpoint Protection

    1. In the Control Panel, select Programs and Features.

    2. Select each Forefront Endpoint Protection entry, and then click Uninstall.




           Note:


         Uninstall does not delete the Forefront Endpoint Protection reporting database in case you want
         to install Forefront Endpoint Protection again and reuse the historical data. The following files are
         not deleted on the computer running SQL Server where the Forefront Endpoint Protection
         reporting database resides:

                      •    FEPDW_XXX.mdf

                      •    FEPDW_XXX_log.ldf

         If you want to delete these database files, delete the FEPDW_XXX database using the SQL Server
         management console.

Known Issues

The following table is a list of known uninstall issues and their resolutions.

Issue: Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint
Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of
the child sites.
Cause: The uninstall removes elements that are used by the child sites, such as policies and
configuration baselines. This prevents the transmission of dashboard, reporting, and alerts data
from flowing up to the child sites.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the
Control Panel on all of the child sites.

Issue: Uninstalling the Forefront Endpoint Protection site server extensions on the Configuration
Manager site server while the Forefront Endpoint Protection reporting role is installed disrupts the
Forefront Endpoint Protection reporting role.
Cause: The uninstall removes the FEP Collections node, including the collections nodes used by
the reporting role.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the
Control Panel.




FEP 2010 Security Management Pack
Installing the Forefront Endpoint Protection Security Management Pack consists of downloading the
management pack, verifying the prerequisites, importing the management pack, configuring all of
the necessary discovery settings, and verifying that the agents are properly deployed.




The steps required to install the Forefront Endpoint Protection Security Management Pack are
described in this section.

Overview of Installing the Forefront Endpoint Protection Security Management Pack
Install the Forefront Endpoint Protection Security Management Pack by completing the following
steps in order:

    1. Download and extract the Forefront Endpoint Protection Security Management Pack from
       the Microsoft System Center Management Pack Catalog
       (http://go.microsoft.com/fwlink/?LinkID=207667). For more information about the
       management pack files, see Extracting the FEP 2010 Security Management Pack Files.

    2. Verify that your environment meets the prerequisites. For more information, see
       Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack.

    3. Import the Forefront Endpoint Protection Security Management Pack. For more information
       about importing the management pack, see Importing the FEP 2010 Security Management
       Pack.

    4. Verify that agents have been correctly deployed to client computers. For more information
       about agents, see About Agents.

    5. Configure discovery settings. For more information about discovery, see Configuring Client
       Discovery.

About Agents
The FEP 2010 Security Management Pack supports agent-managed monitoring. Agent-managed
computers have an Operations Manager service installed. This service, which appears as
HealthService in the Services list in Computer Management, is the Operations Manager agent.
Monitoring computers via agents allows access to all Operations Manager options and functionality;
therefore, the vast majority of monitoring is performed this way. In order to monitor FEP 2010
clients, each client must have the Operations Manager agent installed in addition to the FEP 2010
client.

  Note:


 In order to monitor FEP 2010 clients, each client must have the Operations Manager agent
 installed in addition to the FEP 2010 client.

 For information about deploying FEP 2010 clients, see Client Deployment.


Deploying Agents
The first step in monitoring your environment is to deploy agents. You can use any of the following
ways to deploy Operations Manager agents:

    •   The Discovery Wizard (through the Operations console)


    •   The Agent Setup Wizard

    •   The MOMAgent.msi program, from the command line

    •   Active Directory, to assign agents to a management group

For more information about working with Operations Manager agents, see Working with Agents
(http://go.microsoft.com/fwlink/?LinkId=204242).

For more information about deploying agents, see Deploying Windows Agents
(http://go.microsoft.com/fwlink/?LinkId=204243).
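
Because a client is only monitored when it has both the Operations Manager agent (HealthService) and the FEP client, it is worth checking both before relying on the management pack. The following PowerShell is an added example, not part of the Forefront Endpoint Protection documentation; the function and parameter names are assumptions, and so is the FEP client service name MsMpSvc, since the documentation only gives the client install folder.

```powershell
# Added example (not from the Forefront Endpoint Protection documentation):
# check that each client computer has both the Operations Manager agent
# (the HealthService service) and the FEP client before expecting the
# management pack to monitor it. Function and parameter names are
# assumptions; so is the FEP client service name 'MsMpSvc', since the
# documentation only gives the client install folder.
function Test-FepMonitoringReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        # Service name of the FEP antimalware client (assumed).
        [string]$FepServiceName = 'MsMpSvc'
    )

    foreach ($computer in $ComputerName) {
        # Get-Service -ComputerName queries the remote Service Control Manager
        # and needs rights there; a failure is recorded rather than thrown so
        # one unreachable client does not stop the whole check.
        $services  = @()
        $errorText = $null
        try {
            $services = @(Get-Service -ComputerName $computer -ErrorAction Stop)
        } catch {
            $errorText = $_.Exception.Message
        }

        $agent = $services | Where-Object { $_.Name -eq 'HealthService' }
        $fep   = $services | Where-Object { $_.Name -eq $FepServiceName }

        # Ready only when both services exist and are running; an installed
        # but stopped HealthService reports nothing to Operations Manager.
        $agentRunning = ($null -ne $agent) -and ($agent.Status -eq 'Running')
        $fepRunning   = ($null -ne $fep)   -and ($fep.Status -eq 'Running')
        $agentState   = if ($agent) { [string]$agent.Status } else { 'Missing' }
        $fepState     = if ($fep)   { [string]$fep.Status }   else { 'Missing' }

        New-Object -TypeName PSObject -Property @{
            ComputerName = $computer
            OpsMgrAgent  = $agentState
            FepClient    = $fepState
            Ready        = ($agentRunning -and $fepRunning)
            Error        = $errorText
        } | Select-Object ComputerName, OpsMgrAgent, FepClient, Ready, Error
    }
}

# Constructed client names; replace them with the members of the collection
# you deployed to. Computers with Ready = False will not appear under the
# Forefront Endpoint Protection node in the Monitoring view.
Test-FepMonitoringReadiness -ComputerName 'CLIENT01', 'CLIENT02' |
    Format-Table -AutoSize
```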

Extracting the FEP 2010 Security Management Pack Files
In order to import management pack files into Operations Manager, you must first extract the files
from the fep2010 security mp.msi package. You can obtain the management pack files from the
Microsoft System Center Management Pack Catalog
(http://go.microsoft.com/fwlink/?LinkID=207667). You are not required to extract the package
locally on the Operations Manager server; however, you must be able to access the files from the
Operations Manager console in order to import them.

To Extract Management Pack Files
    1. Double-click fep2010 security mp.msi.

           Note:


         No management pack files are installed or imported to Operations Manager during this
         procedure. The wizard is used to extract files only.

    2. Read and accept the license agreement, and then click Next.

    3. On the Select Installation Folder page, specify the folder to which you want to extract the
       management pack files, and then click Next.

    4. On the Confirm Installation page, click Install to extract the package to the specified
       location. On the Installation Complete page, click Close.

    5. Navigate to the file location specified earlier and verify that the following files are present:

            •   Microsoft.FEPS.Application.mp

            •   Microsoft.FEPS.Library.mp

            •   Microsoft.FEPS.Reports.mp




Importing the FEP 2010 Security Management Pack
In order to manage clients by using the Forefront Endpoint Protection 2010 Security Management
Pack, you must first import the management pack files into System Center Operations Manager 2007
R2. Before importing the FEP 2010 Security Management Pack, verify that the prerequisites have
been met. For more information about required prerequisites, see Prerequisites for Importing the
Forefront Endpoint Protection Security Management Pack.

  Warning:


 In order to import the Forefront Endpoint Protection Security Management Pack, you must use an
 account that is a member of the Operations Manager Administrators role for the Operations
 Manager 2007 Management Group.


  Tip:


 Enabling detailed logs can be helpful when troubleshooting issues. In order to enable detailed
 logs, you must add the following registry key:
 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FEPS\Log] "Enabled"=dword:00000001


To import Forefront Endpoint Protection 2010 Management Packs
    1. Log on to the server running System Center Operations Manager 2007 by using an account
       that is a member of the Operations Manager Administrators role for the Operations Manager
       2007 Management Group.

    2. In the Operations console, click Administration.

           Note:


         If you run the Operations console on a computer that is not a Management Server, the Connect
         to Server dialog box will display. In the Server name text box, type the name of the Operations
         Manager 2007 Management Server to which you want to connect.

    3. Right-click the Management Packs node, and then click Import Management Pack(s).

    4. In the Import Management Packs dialog box, click Add, and then click Add from disk.

    5. On the Online Catalog Connection dialog box, select No.

           Note:


         If an error message appears that states System Center Operations Manager cannot connect to the
         online catalog, ignore the error and proceed with the next step.

    6. In the Select Management Packs to import dialog box, change to the directory to which you
       have downloaded the Microsoft.FEPS.Library.mp, Microsoft.FEPS.Reports.mp (optional),
       and Microsoft.FEPS.Application.mp files. Select the files, and then click Open.

           Note:


         The Microsoft.FEPS.Reports.mp is required only if you want to use the Reporting feature.

    7. In the Import Management Packs dialog box, verify that Microsoft.FEPS.Library.mp,
       Microsoft.FEPS.Reports.mp (optional), and Microsoft.FEPS.Application.mp are present in
       the list, and then click Import to begin the import process.

        The Import Management Packs page displays and shows the progress for each management
        pack. Each management pack is downloaded to a temporary directory, imported to the
        Operations Manager, and then deleted from the temporary directory. If there is a problem at
        any stage of the import process, select the management pack in the list to view the status
        details.

           Note:


         In order to edit the list of Management Packs that you want to import, in the Import
         Management Packs dialog box, click Add or Remove. After editing the list, click Import to begin
         the import process.

    8. In the dialog box that displays when the import process completes, verify that the icons next
       to Forefront Endpoint Protection 2010 Management Pack and FEPS Reporting show
       success, and then click Close.

    9. Navigate to the Operations console. In the Operations console, click Monitoring. You can now
       view the Forefront Endpoint Protection node.

For more information about importing Operations Manager management packs, see How to Import a
Management Pack in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkID=98348).

Configuring Client Discovery
In order to monitor and manage clients, they must first be identified. The discovery process in
Operations Manager is the process by which clients are identified. When a discovery is performed, an
LDAP query is generated and sent to the nearest Active Directory Domain Services domain
controller. Once the query is processed, a list of systems that match the specified parameters is
returned.





  Important:


 By default, the FEP Security Management Pack is configured to discover endpoints that are
 running server operating systems. If you want to monitor endpoints that are running client
 operating systems, you must perform the following procedure.


To configure Discovery for endpoints running client operating systems
    1. In Operations Manager console, navigate to the Authoring view. In the Authoring tree,
       expand Management Pack Objects, and then click Object Discoveries.

    2. On the Operations Manager toolbar, click Scope. In the Look for: search box, enter Protected
       Client Candidate Discovery, and then click Find Now.

    3. In the results pane, right-click Protected Client Candidate Discovery, and then click
       Overrides, Override the Object Discovery, For all objects of class: Windows Client.

    4. In the Override Properties dialog box, in the Override-controlled parameters table, set the
       following values:

            •   In the Enabled parameter row, in the Override column, select the check box.

            •   In the Enabled parameter row, in the Override Value column, select True from the
                drop-down list box.

    5. Click OK to close the dialog box.

For more information about object discovery, see Object Discoveries in Operations Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=108505).

For more information about FEP Security Management Pack discovery, see About Discovery.

Creating a New Management Pack for Customizations
Most vendor management packs are sealed so that you cannot change any of the original settings in
the management pack file. However, you can create customizations, such as overrides or new
monitoring objects, and save them to a different management pack. By default, Operations Manager
2007 saves all customizations to the Default Management Pack. As a best practice, you should
instead create a separate management pack for each sealed management pack you want to
customize.

Creating a new management pack for storing overrides has the following advantages:

    •   It simplifies the process of exporting customizations that were created in your test and
        pre-production environments to your production environment. For example, instead of
        exporting the Default Management Pack that contains customizations from multiple
        management packs, you can export just the management pack that contains customizations
        of a single management pack.

    •   You can delete the original management pack without first needing to delete the Default
        Management Pack. A management pack that contains customizations is dependent on the
        original management pack. This dependency requires you to delete the management pack
        with customizations before you can delete the original management pack. If all of your
        customizations are saved to the Default Management Pack, you must delete the Default
        Management Pack before you can delete an original management pack.

    •   It is easier to track and update customizations to individual management packs.

For more information about sealed and unsealed management packs, see Management Pack
Formats (http://go.microsoft.com/fwlink/?LinkId=108355). For more information about management
pack customizations and the Default Management Pack, see About Management Packs in Operations
Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108356).


    10. Client Deployment
Deployment of Microsoft Forefront Endpoint Protection 2010 to client computers consists of
verifying prerequisites, uninstalling third-party antimalware products that cannot be uninstalled by
Forefront Endpoint Protection, creating and deploying Forefront Endpoint Protection policies,
configuring Forefront Endpoint Protection definition updates, deploying the Forefront Endpoint
Protection client software, and verifying that the deployment succeeded.

Forefront Endpoint Protection for clients is available as a Configuration Manager package. The steps
required to deploy Forefront Endpoint Protection to client computers are described in this section.

Overview of Deploying Forefront Endpoint Protection
Deploy Forefront Endpoint Protection to clients by completing the following steps, in order:

    •   Step One—Create Forefront Endpoint Protection policies according to your organization’s
        requirements, set policy precedence, and assign policies to one or more deployment
        collections. For more information, see Configuring Client Settings by Using Policies.

    •   Step Two—Configure Forefront Endpoint Protection definition update methods based on the
        settings defined in the Forefront Endpoint Protection policies created in step one. For more
        information, see Configuring Definition Updates.

    •   Step Three—Deploy the Forefront Endpoint Protection installation package to client
        computers. For more information, see FEP 2010.

FEP 2010
Once you have finished configuring and deploying policies, you are ready to deploy Forefront
Endpoint Protection to client computers. You can deploy in two ways:




    •    By distributing the client installation packages using Configuration Manager. For instructions,
         see Deploying by Using Configuration Manager Packages.

    •    By manually running the installation wizard on the client computer. For instructions, see
         Deploying Manually and Deploying the Client Software by Using the Command Prompt.

Regardless of the method you use to run the installation program, the program checks for and
uninstalls the following antimalware clients:

    •    Symantec Endpoint Protection version 11

    •    Symantec Corporate Edition version 10

    •    McAfee VirusScan Enterprise version 8.5 and version 8.7

    •    Trend Micro OfficeScan version 8.0 and version 10.0

    •    Forefront Client Security version 1 including the Operations Manager agent

If the previously installed antimalware client has a tamper protection feature enabled, for example, if
the software is password protected, you need to disable that tamper protection before you can
install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation
program will not be able to uninstall the existing antimalware client. See the documentation for the
previously installed antimalware client for information about tamper protection or other settings you
may need to configure before you can successfully uninstall the software.

In addition, if you use a mechanism to automatically distribute and install antimalware to your client
computers, you need to disable automatic installation before you install Forefront Endpoint
Protection. For example, if you use WSUS to distribute Forefront Client Security (FCS) to your
endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not
automatically reinstall FCS.

  Note:


     •    The FEP client software is automatically installed to the following folder:

          %programfiles%\Microsoft Security Client

          You cannot change the destination folder. Using the %programfiles% path prevents users
          who are not members of the local Administrators group on the computer from tampering
          with the installation of the FEP client software.

     •    The path to where the Setup files are located should only contain ASCII characters.

     •    In some cases, after you restore a computer image on which you installed the FEP client
          software, the computer is displayed in Configuration Manager in the Locally Removed
          collection. To resolve this problem, uninstall and reinstall the FEP client software on this
          computer.

    •   On servers with a large number of short network connections, such as file servers, there
        may be a performance impact when the Behavior Monitoring policy setting is enabled. It
        is recommended that you disable the Behavior Monitoring policy setting in the Default
        Server Policy or any policy you plan to assign to servers.

To disable the Behavior Monitoring policy setting

            1. In the Configuration Manager console, expand System Center Configuration
               Manager, expand Site Database, expand Forefront Endpoint Protection, and
               then click Policies.

            2. Double-click the Default Server Policy or another policy that is assigned to
               servers.

            3. In the policy properties dialog box, click the Antimalware tab.

            4. In the list, click Real-time protection, in the details clear the check box for Use
               behavior monitoring, and then click OK to save the policy.




Deploying by Using Configuration Manager Packages
Forefront Endpoint Protection includes a Configuration Manager package that contains the Forefront
Endpoint Protection client installation program. To deploy the package, you use the Configuration
Manager software distribution feature to send the package data to one or more distribution points,
and then create advertisements that specify which collections will receive the program and the
package.

Advertising the program makes a program available to a specified collection of clients. When you
create advertisements, it is strongly recommended that you test advertised programs in a controlled
environment before you create advertisements for the clients in your site hierarchy.

There are multiple ways to distribute the Forefront Endpoint Protection client software to client
computers using the Configuration Manager tools. This topic provides the steps for one of the
deployment methods. For information about other distribution methods, see Software Distribution
in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=196839).

  Important:


The Forefront Endpoint Protection server installation does not automatically add the FEP –
Deployment package to a Configuration Manager distribution point. Before the Forefront
Endpoint Protection client software can be installed, the package must be sent to a distribution
point. For more information, see How to Manage Distribution Points
(http://go.microsoft.com/fwlink/?LinkId=205328).

To deploy Forefront Endpoint Protection 2010 client software

   1. In the Configuration Manager console, expand System Center Configuration Manager,
      expand Site Database, expand Computer Management, and then click Collections.

   2. Right-click the collection to which you want to deploy the FEP client software (for
      example, All Systems), point to Distribute, and then click Software.

      The Distribute Software to Collection Wizard opens.

   3. On the Welcome page, click Next.

   4. On the Package page, click Select an existing package, click Browse, click the Microsoft
      Corporation FEP – Deployment 1.0 package, click OK, and then click Next.

   5. On the Distribution Points page, select the distribution points for the package, and then click
      Next.

      Configuration Manager uses distribution points to store the files needed by the Forefront
      Endpoint Protection client installation package in order for the installation program to run on
      client computers. For more information, see About Distribution Points
      (http://go.microsoft.com/fwlink/?LinkId=196840).

   6. On the Select Program page, select the Install program, and then click Next.

   7. On the Advertisement Name page, enter a name that is less than 100 characters, and then
      click Next.

   8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make
      your selections, and then click Next.

   9. On the Assign Program page, select Yes, assign the program, and then click Next.

   10. On the Summary page, review the Details, and then click Next.

   11. On the Wizard Completed page, click Close.

   12. If necessary, modify the advertisement configuration to suit your environment. For more
       information, see How to Modify an Advertisement
       (http://go.microsoft.com/fwlink/?LinkId=196841).

          Important:

         If you delete the advertisement or move a computer out of the collection targeted by the
         advertisement, the following Forefront Endpoint Protection dashboard deployment status
         categories can be affected:

                     •   Removed—Once the advertisement has completed, if the client software is
                         uninstalled manually, the computer will show up in the Not Targeted category
                         and not in the expected Removed category. For more information about
                         manually uninstalling the client software, see Uninstalling manually.

                     •   Failed—If the advertisement fails to install the client software, the computer will
                         show up in the Not Targeted category and not in the expected Failed category.

         For more information about Forefront Endpoint Protection dashboard deployment status
         categories, see Dashboard Overview.

Next Steps

Once you’ve deployed the Forefront Endpoint Protection client software, you should validate the
deployment. For more information, see Validating Deployment.

Deploying Manually
In addition to deploying the Forefront Endpoint Protection client software by using Configuration
Manager, you can also run the installation program manually as described in this topic. For example,
you might want to perform a manual installation for test purposes in a lab environment, or to install
the Forefront Endpoint Protection client software to computers that do not have the Configuration
Manager agent installed.

Ensure that the installation package is accessible from the computer on which you want to install the
Forefront Endpoint Protection client software. For example, download the package to your local hard
drive or a network share.

To manually install the FEP client software by using the Setup wizard

    1. Using an account that has local administrator user rights, log on to the computer on which
       you want to install Forefront Endpoint Protection.

    2. Browse to the location where you stored the installation package: for example, C:\Temp
       folder.

    3. Double-click FEPInstall.exe and follow the instructions in the wizard.

    4. On the Completing the Microsoft Forefront Endpoint Protection 2010 Installation Wizard
       page, select Scan my computer for potential threats after getting the latest updates to run
       a scan after downloading definition updates, and then click Finish.

If you chose to download updates and then scan the computer, the Forefront Endpoint Protection
Client launches. For more information about using the Forefront Endpoint Protection client, see the
FEP Client Help (http://go.microsoft.com/fwlink/?LinkId=206364).

Next Steps

If the computer on which you installed Forefront Endpoint Protection is managed by Configuration
Manager, then Configuration Manager will deploy the policies assigned.

Once you’ve deployed the Forefront Endpoint Protection client, you should validate the deployment.
For more information, see Validating Deployment.

Deploying the Client Software by Using the Command Prompt
You can install the Forefront Endpoint Protection 2010 client software locally from the command
prompt. In order to do so, you must first obtain the installation file FEPInstall.exe. You can also install
the client software along with a preconfigured policy. For more information about preconfigured
policies, see About Preconfigured Policy Templates.

To install the client software from the command prompt
    1. Copy FEPInstall.exe to the server on which you want to install the Forefront Endpoint
       Protection client software.

    2. Open an elevated command prompt, navigate to the folder where FEPInstall.exe is located,
       and then run the following command, adding any additional switches as necessary:

FEPInstall.exe

           Note:


         For the list of FEPInstall.exe switches, see Setup Switches.

    3. Follow the on-screen instructions in order to complete the client software installation and to
       download the antimalware definition updates.

To install the client software along with preconfigured policy settings from the command
prompt
    1. Copy FEPInstall.exe and the appropriate preconfigured policy package to the server on which
       you want to install the Forefront Endpoint Protection client software. For information about
       selecting the proper preconfigured policy templates, see About Preconfigured Policy
       Templates.

    2. Double-click the preconfigured policy package in order to extract the preconfigured policy
       file templates.

    3. Open an elevated command prompt, navigate to the folder where the package is extracted,
       and then run the following command:

FEPInstall.exe /policy [full path]\[policy file]

           Note:

           You must specify the full path for the policy location.

For example, in order to install both the client software and the policy called FEP_SQL2008.xml, run
the following command:

FEPInstall.exe /policy c:\fepspolicy\FEP_SQL2008.xml

      4. Follow the on-screen instructions in order to complete the client software installation and to
         download the antimalware definition updates.

Setup Switches
The following table shows the available switches for installing the Forefront Endpoint Protection
2010 client software locally.


Switch         Description


 /s            Specifies that a silent Setup should be performed.


 /q            Specifies that a silent extraction of the Setup files should be performed.


 /i            Specifies that a normal installation should be performed.


 /noreplace    Specifies that third-party software uninstallation is not performed during Setup.


 /policy       Specifies a policy file to be used to configure the client software during installation.


 /sqmoptin     Specifies that this client software installation is opted in to the Microsoft Customer Experience
               Improvement Program.
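The two command-prompt procedures above and the switch table can be wrapped in a small script so that the documented rules are checked before Setup runs: the policy file must be given by its full path, and the installer must run elevated. The following PowerShell function is an added example and is not part of the Forefront Endpoint Protection documentation or installer; the paths in the example call at the end are constructed placeholders, and the parameter names are the author's own.

```powershell
# Added example; not part of the Forefront Endpoint Protection documentation.
# Wraps FEPInstall.exe with the switches from the Setup Switches table and
# enforces the documented requirement that /policy is given a full path.
# All paths used in the example call at the bottom are constructed placeholders.
function Install-FepClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $InstallerPath,                 # location of FEPInstall.exe

        [string] $PolicyPath,                    # optional preconfigured policy XML (/policy)

        [ValidateSet('Interactive', 'Normal', 'Silent', 'ExtractOnly')]
        [string] $Mode = 'Interactive',          # Normal = /i, Silent = /s, ExtractOnly = /q

        [switch] $NoReplace,                     # /noreplace: skip third-party software uninstallation
        [switch] $SqmOptIn,                      # /sqmoptin: opt in to the Customer Experience Improvement Program
        [switch] $BuildOnly                      # return the command line instead of running it
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }

    $switches = @()
    switch ($Mode) {
        'Normal'      { $switches += '/i' }
        'Silent'      { $switches += '/s' }
        'ExtractOnly' { $switches += '/q' }
    }
    if ($NoReplace) { $switches += '/noreplace' }
    if ($SqmOptIn)  { $switches += '/sqmoptin' }

    if ($PolicyPath) {
        # The documentation requires the full path to the policy file. A relative path
        # would be resolved against whatever the current directory happens to be.
        if (-not [System.IO.Path]::IsPathRooted($PolicyPath)) {
            throw "/policy requires a full path; got '$PolicyPath'"
        }
        if (-not (Test-Path -LiteralPath $PolicyPath -PathType Leaf)) {
            throw "Policy file not found: $PolicyPath"
        }
        # Quote the path so a space inside it is not split into two arguments.
        $switches += '/policy'
        $switches += ('"{0}"' -f $PolicyPath)
    }

    $commandLine = ('"{0}" {1}' -f $InstallerPath, ($switches -join ' ')).TrimEnd()
    if ($BuildOnly) { return $commandLine }

    # The documented procedure runs from an elevated command prompt; refuse otherwise.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    Write-Verbose "Running: $commandLine"
    $startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
    if ($switches.Count -gt 0) { $startArgs['ArgumentList'] = $switches }
    $proc = Start-Process @startArgs
    # On a non-zero exit code, consult EppSetup.log, the master setup log.
    return $proc.ExitCode
}

# Example: show the command line for a silent install with the SQL Server 2008
# template (constructed paths). Drop -BuildOnly to actually run Setup.
Install-FepClient -InstallerPath 'C:\Temp\FEPInstall.exe' `
    -PolicyPath 'C:\fepspolicy\FEP_SQL2008.xml' -Mode Silent -BuildOnly
```

With -BuildOnly the function only returns the command line, which makes it easy to confirm the switches and the quoted policy path before running Setup on a server; without it the function refuses to start the installer from a non-elevated session, matching the elevated command prompt the procedure calls for.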




Validating Deployment
You are able to see the status of the Forefront Endpoint Protection client software deployment from
the Forefront Endpoint Protection dashboard in the Configuration Manager console. A report can be
generated that shows the deployment status by collection. From this report, you have the ability to
drill down to the deployment status of a specific collection, and then to a specific computer.
Additionally, you can view the status of the advertisement in Configuration Manager.

Monitoring the client software deployment from the Forefront Endpoint Protection
dashboard
   1. Open the Configuration Manager console, expand Computer Management, and select the
      Forefront Endpoint Protection node.

   2. The following information is available in the Client Deployment Status section:

             a. Removed—The number of computers on which the FEP client software was
                previously deployed and has since been manually removed.

             b. Failed—The number of computers on which the FEP client software deployment
                failed.

             c. Pending—The number of computers on which the FEP client software deployment
                has not yet started. Computers that are not connected show as pending until the
                Configuration Manager advertisement is received.

             d. Out of date—The number of computers running a previous version of the FEP client
                software.

             e. Deployed—The number of computers where the FEP client software was successfully
                installed.

Clicking the numbers next to each item brings you to the associated Forefront Endpoint Protection
collection.

Monitoring the client software deployment with Forefront Endpoint Protection reporting
    1. Open the Configuration Manager console, expand Computer Management, and select the
      Forefront Endpoint Protection node.

    2. In the Links and Resources pane, under Web Reports, click Deployment Overview to
       generate the Deployment Overview report.

             •   The Deployment Overview report breaks down the status of the client software
                 deployment by collection.

             •   To drill down to the Deployment for a specific collection report, click the arrow next
                 to the collection.

Validating the client software deployment
    • To validate that the Forefront Endpoint Protection client software successfully installed on a
       computer, click Start, click Control Panel, click Programs, click Programs and Features, and
       then verify that Microsoft Forefront Endpoint Protection 2010 is listed.

The following table lists installation log files. By default, log files are installed in the following
locations:

    •   Windows 7, Windows Server 2008, and Windows Server 2008 R2:
        %ProgramData%\Microsoft\Microsoft Security Client\Support

    •   Windows XP, Windows Vista, and Windows Server 2003:
        %allusersprofile%\Microsoft\Microsoft Security Client\Support

Log file name                                              Description


EppSetup.log                                               Master setup log file.


MSSecurityClient_Setup_epp_install.log                     User interface and management
                                                           extension setup log file.


MSSecurityClient_Setup_FEP_install.log                     Configuration Manager management
                                                           extensions setup log file.


MSSecurityClient_Setup_mp_ambits_install.log               Antimalware service setup log file.


MSSecurityClient_Setup_epploc_x86_Install or               Localized resources installation log file
MSSecurityClient_Setup_epploc_x64_Install                  (specific to the architecture on the
                                                           client computer).


MSSecurityClient_Setup_amloc-%locale%_install              Log file for installation of localized
                                                           resources for the antimalware service.
                                                           %locale% represents the locale for
                                                           which the install was performed.


MSSecurityClient_Setup_KB981889_Install.evtx               The log file for Windows patch
                                                           installation KB981889. Only present
                                                           on Windows 7 or Windows Server
                                                           2008 R2.


MSSecurityClient_Setup_dw20shared_Install.log              Log file for installation of Dr. Watson
                                                           (only installed on computers running
                                                           Windows XP, and only if not already
                                                           present).
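The Programs and Features check and the log file table above can be scripted for computers that are not managed by Configuration Manager, or when validating many manual installations. The following PowerShell function is an added example, not part of the Forefront Endpoint Protection documentation; it assumes that the product registers itself under the standard Windows Installer uninstall keys with the display name shown in Programs and Features, and that DisplayVersion is populated there, which is the usual convention rather than something the documentation states.

```powershell
# Added example; not part of the Forefront Endpoint Protection documentation.
# Performs the two checks from Validating Deployment without the GUI: whether the
# product appears in Programs and Features, and whether the setup log files from
# the table above exist in the documented Support folder. The display name and
# registry value names are assumptions based on standard Windows Installer conventions.
function Test-FepClientInstall {
    [CmdletBinding()]
    param(
        [string] $DisplayName = 'Microsoft Forefront Endpoint Protection 2010'
    )

    # Programs and Features is built from these uninstall keys (native and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq $DisplayName } |
        Select-Object -First 1

    # Log location from the documentation: %ProgramData% on Windows 7 / Server 2008 /
    # Server 2008 R2, %allusersprofile% on Windows XP / Vista / Server 2003.
    # %ProgramData% is undefined on XP and Server 2003, so fall back when it is missing.
    $base = if ($env:ProgramData) { $env:ProgramData } else { $env:ALLUSERSPROFILE }
    $supportDir = Join-Path $base 'Microsoft\Microsoft Security Client\Support'

    # Logs that every installation writes, per the table above.
    $requiredLogs = @(
        'EppSetup.log',
        'MSSecurityClient_Setup_epp_install.log',
        'MSSecurityClient_Setup_FEP_install.log',
        'MSSecurityClient_Setup_mp_ambits_install.log'
    )
    # Logs whose names vary by architecture, locale or OS; matched by prefix.
    $variablePrefixes = @(
        'MSSecurityClient_Setup_epploc_',
        'MSSecurityClient_Setup_amloc-',
        'MSSecurityClient_Setup_KB981889_',
        'MSSecurityClient_Setup_dw20shared_'
    )

    $present = @()
    if (Test-Path -LiteralPath $supportDir) {
        # PSIsContainer filter keeps this working on PowerShell 2.0 (Windows XP / 2003).
        $present = @(Get-ChildItem -LiteralPath $supportDir |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $_.Name })
    }

    $prefixPattern = '^(' + (($variablePrefixes | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'

    New-Object PSObject -Property @{
        Installed      = [bool] $product
        DisplayVersion = $(if ($product) { $product.DisplayVersion } else { $null })
        LogFolder      = $supportDir
        MissingLogs    = @($requiredLogs | Where-Object { $present -notcontains $_ })
        VariableLogs   = @($present -match $prefixPattern)
        MasterLog      = Join-Path $supportDir 'EppSetup.log'   # first place to look on failure
    }
}

$result = Test-FepClientInstall
if (-not $result.Installed) {
    Write-Warning 'FEP client is not listed in Programs and Features.'
}
if ($result.MissingLogs.Count -gt 0) {
    Write-Warning ('Expected setup logs not found: ' + ($result.MissingLogs -join ', '))
}
$result
```

A computer that reports Installed as false but has no missing logs usually had the client removed after a successful setup, which is the case the Removed dashboard category and the Locally Removed collection are meant to catch; a computer with Installed false and missing logs most likely never ran Setup, so EppSetup.log is the first file to read.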




Uninstalling
There are two ways to uninstall Forefront Endpoint Protection from client computers:

   •   By distributing the client uninstall package using Configuration Manager.

   •   By manually running the uninstall wizard on the client computer using a user account that
        has local administrative credentials.

  Important:


Uninstalling Forefront Endpoint Protection does not change the firewall settings on the client
computer.

Uninstalling using Configuration Manager packages

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, and then click Collections.

    2. Right-click the collection from which you want to uninstall the Forefront Endpoint Protection
       client software, for example, All Systems, point to Distribute, and then click Software.

The Distribute Software to Collection Wizard opens.

    3. On the Welcome page, click Next.

    4. On the Package page, click Select an existing package, click Browse, click the Microsoft
       Corporation FEP – Deployment 1.0 package, click OK, and then click Next.

    5. On the Distribution Points page, select the distribution points for the package, and then click
       Next.

Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint
Protection client uninstall package in order for the uninstall program to run on client computers. For
more information, see About Distribution Points (http://go.microsoft.com/fwlink/?LinkId=196840).

    6. On the Select Program page, select the Uninstall program, and then click Next.

    7. On the Advertisement Name page, enter a name that is less than 100 characters, and then
       click Next.

    8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make
       your selections, and then click Next.

    9. On the Assign Program page, select Yes, assign the program, and then click Next.

    10. On the Summary page, review the Details, and then click Next.

    11. On the Wizard Completed page, click Close.

    12. If necessary, modify the advertisement configuration to suit your environment. For more
        information, see How to Modify an Advertisement
        (http://go.microsoft.com/fwlink/?LinkId=196841).

Uninstalling manually

    1. In Control Panel, start Programs and Features.

    2. Select Microsoft Forefront Endpoint Protection 2010, and then click Uninstall.

    3. On the Microsoft Forefront Endpoint Protection 2010 Uninstall Wizard that appears, click
       Uninstall.

    4. When the wizard completes uninstall, click Finish.

Enforcing the Client Software Deployment
If the users of the computers to which you deployed FEP have administrative privileges on those
computers, they will be able to uninstall the FEP client software. If this happens, those client
computers would be unprotected from malware and other unwanted software.

   Security Note:


It is recommended that you restrict to whom you grant administrative privileges on the client
computers in your organization. Additionally, you should investigate how the FEP client software
was uninstalled on the client computers.

In order to mitigate this circumstance, you can configure Configuration Manager to rerun an
advertisement of FEP on a specific collection. By configuring the advertisement to always rerun, you
can reduce the amount of time computers in your environment may run without protection.

To complete the mitigation, you must perform the following tasks:

    •   Create a FEP deployment package to reinstall the FEP client software on the members of the
        target collection.

    •   Configure the advertisement of the reinstall package to rerun.

    •   Assign the reinstall package to one or more collections. For more information about
        deploying the FEP client software by using packages, see Deploying by Using Configuration
        Manager Packages.

  Warning:


There are multiple ways to mitigate this scenario. The Locally Removed collection contains all
computers from which the client software was locally uninstalled, including servers and high-
priority client computers. You should determine if you need to rerun the advertisement on all
collection members or if you need to target your rerun advertisement only on specific computers.


Deploying the FEP Client Software to a FEP Collection
One of the preconfigured collections created by the Forefront Endpoint Protection installation on
Configuration Manager is the FEP Collections\Deployment Status\Locally Removed collection.
Computers listed in this collection previously had the FEP client software installed, but it was locally
uninstalled.

  Note:


 If you remove the FEP client software by using an advertisement of the FEP Deployment Uninstall
 package, the client computers that receive the advertisement do not appear in the Locally
 Removed collection.

You can create a new collection containing the members of the Locally Removed collection, and then
target the members of the new collection with software distribution and an advertisement.

To create a reinstall advertisement
   1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Collections, expand FEP
       Collections, and then expand Deployment Status.

    2. In the tree, click Locally Removed.

    3. In the details area, select the computers on which you want to reinstall the FEP client
       software, right-click a selected computer, point to Distribute, and then click Software.
       The Distribute Software to Resource Wizard opens.

    4. In the Distribute Software to Resource Wizard, on the Welcome page, click Next.

    5. On the Package page, click Select an existing package, click Browse, click the Microsoft
       Corporation FEP – Deployment 1.0 package, click OK, and then in the wizard, click Next.

    6. On the Distribution Points page, in the Distribution points list, select the check box next to
       the distribution points to which you want to copy the package, and then click Next.

    7. On the Select Program page, in the Programs list, select the Install program, and then click
       Next.

    8. On the Advertisement Target page, select the option for Create a new collection containing
       this resource and advertise this program to the new collection, and then click Next.

    9. On the New Collection page, type a name for the collection, and then click Next.

    10. On the Collection Membership Rules page, in the membership rules list, ensure all the
        required computers are listed, and then click Next.

    11. On the Advertisement Name page, type a name for the advertisement, and then click Next.

           Note:


          Advertisement names are limited to 100 characters.

    12. On the Advertisement Subcollection page, select the Advertise the program to members of
        the collection and its subcollections option, and then click Next.

    13. On the Advertisement Schedule page, next to Advertise the program after, set the time to
        the current time, select the No, this advertisement never expires option, and then click
        Next.

    14. On the Assign Program page, select the Yes, assign the program option, select the Ignore
        maintenance windows when running program check box, and then click Next.

    15. On the Summary page, review the Details, click Next, and then on the Wizard Completed
        page, click Close.

You should monitor the deployment status for the client computers in the new collection. After the
advertisement has been assigned to the computers, in this new collection, the computers are moved
into the Pending Deployment FEP collection. This is the same process that happens after you deploy
the FEP client software initially. For more information about that process, see Validating
Deployment.


11. Operations
This Operations content helps you configure and use Microsoft Forefront Endpoint Protection 2010
and the FEP Security Management Pack. The content included for this version of FEP includes the
following main topics:

    •   Configuring Client Settings by Using Policies

    •   Common Tasks

    •   Configuring Definition Updates

    •   Monitoring

    •   Using Reports in FEP

    •   Disaster Recovery for FEP 2010 on Configuration Manager

    •   Automating Day-to-Day Tasks by Using Windows PowerShell


Configuring Client Settings by Using Policies
Forefront Endpoint Protection provides a number of ways to create, edit, and deploy configuration
settings to FEP clients. For information regarding decision points to help you determine which policy
authoring and deployment methods are best for your environment, see About Configuring Clients by
Using Policies.

This section includes the following main topics:

    •   FEP Policies

    •   Using Group Policy with FEP

    •   FEP Policy Templates

FEP Policies

Forefront Endpoint Protection policies are assigned to computers running the FEP client software.
The following content will help you work with Forefront Endpoint Protection policies.

Creating a Policy
Forefront Endpoint Protection policy settings define the various configuration options of the
Forefront Endpoint Protection client software that you can manage. For example, administrators can
manage the scan schedule, the location and frequency of definition updates, and scan exclusions.
Forefront Endpoint Protection policy settings that you specify are contained in a Forefront Endpoint
Protection policy object. Policies do not affect computers running the Forefront Endpoint Protection
client software until you assign them to a Configuration Manager collection.

This section describes how to create a new Forefront Endpoint Protection policy.

To create a new policy

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. In the Actions pane, click New Policy. The New Policy Wizard opens.

    3. On the General page, type a name for the policy, and then click Next.

    4. On the Policy Type page, select the type of policy appropriate for your organization, and
       then click Next.

          Tip:


         To select a policy template for specific server roles, select Policy template, and then select the
         appropriate server role.


           Note:

          When selecting Policy template you are taken directly to the Summary page.

    5. On the Scheduled Scans page, select the scan frequency and set a schedule for the
       antimalware scans (for example, a weekly quick scan every Sunday at 2:00 AM), and then
       click Next.

    6. On the Exclusions page, add files or folders you want to exclude from scans, and then click
       Next.

    7. On the Updates page, select the definition update options you want to use in your
       organization, and then click Next.

          Important:


         Before deploying the policy to collections, ensure that the definition update methods selected
         have been configured properly. For more information, see Configuring Definition Updates.


          Important:


         The order in which the FEP client software checks for definition updates can be modified after the
         policy has been created. For more information about editing a policy, see Editing a Policy.

    8. On the Client Configuration page, select the options that you want to allow users to modify,
       and then click Next.

    9. On the Summary page, review the Details, and then click Next to create the policy.

    10. On the Wizard Completed page, click Close.

    11. Repeat these steps for each policy you want to create.

  Important:


New policies are assigned the highest precedence. For more information about changing policy
precedence, see Setting Policy Precedence.


Duplicating a Policy
If you need a new policy that is very similar to an existing Forefront Endpoint Protection policy, you
can duplicate the existing Forefront Endpoint Protection policy and edit the duplicated Forefront
Endpoint Protection policy as required, instead of creating the policy from scratch.

To duplicate a policy

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. Select the policy you want to duplicate.

    3. In the Actions pane, click Copy Policy.

    4. Type the name for the new policy in the New policy name field, and then click OK.

  Important:


The new policy is assigned the highest precedence. For more information about changing policy
precedence, see Setting Policy Precedence.




Editing a Policy
Forefront Endpoint Protection policies contain settings that control the configuration options of the
Forefront Endpoint Protection client software. You can customize the settings of the Forefront
Endpoint Protection policy to meet your requirements.

To edit an existing policy

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. Double-click the policy that you want to edit.

    3. In the Properties dialog box, change the options as appropriate for your organization, and
       then click OK.

The following table summarizes the settings available on each page of the policy properties.

Property page                   Settings


General                             •   Policy name

                                    •   Description

                                    •   Assigned collections (read-only)

                                    •   Properties (read-only)


Antimalware                         •   Scheduled scan

                                   •   Default actions

                                   •   Real-time protection

                                   •   Excluded files and locations

                                   •   Excluded file types

                                   •   Excluded processes

                                   •   Advanced

                                   •   Overrides

                                   •   Microsoft SpyNet


Updates                            •   Definition update interval

                                   •   Definition update location

                                   •   Definition update order


Windows Firewall                   •   Manage Windows Firewall

                                   •   Firewall profile configuration


  Warning:


It is recommended to clear the Enable protection against network-based exploits check box for
policies assigned to servers. This option is on the Antimalware tab under Real-time protection.


  Important:


The following items can be added to the list of Excluded files and locations, however the
Forefront Endpoint Protection client software will ignore these entries:

    •   \\

    •   \

    •   *

    •   *.*

    •   ?:

     •   *\

     •   \\\\

     •   \\?\




Exporting a Policy
You can save the settings of a Forefront Endpoint Protection policy by exporting the policy. Exporting
the policy saves the settings of the policy in an XML file. You export policies for the following reasons:

    •    To back up policies

    •    To transfer policies from one Configuration Manager site to another

    •    To apply or update policies on computers that are not managed by Configuration Manager

Exporting a policy

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. Select the policy to be exported.

    3. In the Actions pane, click Export Policy.

    4. Browse to the folder in which you want to save the policy file, enter a name for the XML file,
       click OK, and then click OK on the confirmation dialog box.

           Note:


         If you select multiple policies to be exported, you will only be prompted to select a folder to save
         the policies. The policies will be exported using their existing names.


           Note:


         The Default Server Policy and Default Desktop Policy cannot be exported.

Importing a Policy

You can import policy files that have been previously exported. You can import policies for the
following reasons:

    •   To restore policies

    •   To transfer policies from one Configuration Manager site to another

Importing a Policy
   1. In the destination Configuration Manager console, expand System Center Configuration
      Manager, expand Site Database, expand Computer Management, expand Forefront
      Endpoint Protection, and then click Policies.

    2. In the Actions pane, click Import Policy.

    3. Browse to the folder that contains the policy file, select the XML file, and then click Open.

           Warning:


         Policies must have unique names. If you already have a policy with the name of the policy you
         are importing, the import will fail.




          Important:


         Importing policy files created with the Forefront Endpoint Protection 2010 Group Policy Tool will
         fail.




  Important:


Imported policies are assigned the highest policy precedence. For more information about
changing policy precedence, see Setting Policy Precedence.




Setting Policy Precedence
You can assign multiple policies to a Configuration Manager collection, and a single computer can be
a member of multiple collections that have a policy assigned. The Forefront Endpoint Protection
client software uses policy precedence to determine which policy to apply. The policy with the
highest precedence assigned to the computer is applied by the Forefront Endpoint Protection client
software.

To set the precedence of policies

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. In the Actions pane, click Edit Policy Precedence.

    3. In the Edit Policy Precedence dialog box, select a policy and use the Up and Down buttons to
       set the policy precedence order.

If you want to modify the precedence of additional policies, repeat this step.

    4. When finished, click OK.

  Note:


The precedence for the Default Server Policy and Default Desktop Policy cannot be modified.




Assigning a Policy to Endpoint Computers
To assign Forefront Endpoint Protection policies to FEP clients, you assign the FEP policy to a
Configuration Manager collection. A policy can be assigned to more than one collection if needed
and a collection can have more than one policy assigned to it.

When a Forefront Endpoint Protection client has more than one policy assigned to it, the policy with
the highest precedence is applied by the Forefront Endpoint Protection client.

This section describes how to assign a policy to a Configuration Manager collection. For more
information about Configuration Manager collections, see Collections in Configuration Manager
(http://go.microsoft.com/fwlink/?LinkId=196838).

To assign a policy to a collection

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Policies.

    2. Right-click the policy that you want to assign, and then click Assign Policy.

           Note:


          You cannot assign the Default Server Policy or the Default Desktop Policy.

    3. In the Assign Policy dialog box, click Add.



    4. In the Browse Collection dialog box, select the collection to which you want to assign the
       policy, and then click OK.

If you need to assign this policy to multiple collections, in the Assign Policy dialog box, for each
collection, click Add and repeat this step.

    5. In the Assign Policy dialog box, click OK.

A separate Configuration Manager advertisement is created for each collection a policy is assigned
to. The advertisements are created in the Software Distribution\Advertisements\FEP Policies folder
in the Configuration Manager console.

  Note:


 The default assignments for the Default Server Policy and the Default Desktop Policy cannot be
 modified.

After assigning Forefront Endpoint Protection policies to the proper collections you will want to make
sure that the policies are being applied.

Monitoring Forefront Endpoint Protection policy deployment

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, and click Forefront Endpoint
       Protection.

    2. View the Policy Distribution Status section of the Operational Statistics on the Forefront
       Endpoint Protection dashboard. You might need to refresh the page to get latest
       information.

    3. In the Links and Resources pane, under Web Reports, click Policy Distribution Overview for
       policy deployment information from the collection level down to the computer level.

            Note:


          Only computers running the Forefront Endpoint Protection client software and the Configuration
          Manager agent will be included in the results displayed in the Forefront Endpoint Protection
          reports and included in the Forefront Endpoint Protection dashboard statistics.




          Note:
          In the About information displayed for the Forefront Endpoint Protection client software,
          information regarding the time the FEP policy was applied is provided. The time shown for Policy
          Applied is in Coordinated Universal Time (UTC).




Using Group Policy with FEP
You can configure FEP client settings by using Active Directory Group Policy and Group Policy objects
(GPOs). The following content will help you configure clients by using Forefront Endpoint Protection
GPOs, preconfigured policy templates, and the Forefront Endpoint Protection Group Policy Tool.

Converting FEP Policies to Group Policy
You can convert policy settings contained in configured FEP policies to the format that is used by
Group Policy. In order to convert policies, you must first download and install the Forefront Endpoint
Protection Group Policy Tool. This tool can be obtained from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools
download package. The package also contains ADMX and ADML files. Although these files are not
required in order to use the Forefront Endpoint Protection Group Policy Tool, they are required in
order to view or edit Group Policy object (GPO) policy settings. For more information about viewing
and editing policy settings, see Configuring and Viewing FEP Group Policy Settings. For information
about merging policy settings by using the Forefront Endpoint Protection Group Policy Tool, see
Merging Settings from Multiple Policy Files.

To extract and install the Forefront Endpoint Protection Group Policy Tool
    1. Obtain the Forefront Endpoint Protection Group Policy Tool. This tool can be obtained from
       the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) and copy it
       to your local computer.

    2. Double-click fep2010grouppolicytools.exe to extract the files from the package.

The Forefront Endpoint Protection Group Policy Tools package includes the following files:

          •   fep2010.adml

          •   fep2010.admx

          •   fep2010gptool.exe

    3. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection
       Group Policy Tool.

To convert FEP policy settings to Group Policy
    1. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection
       Group Policy Tool.

    2. On the Import tab, select the Domain and the name of the GPO in that domain that you want
       to populate with preconfigured FEP 2010 policy settings.




    3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that
       you want to import to the GPO.

    4. Verify that the Clear existing Forefront Endpoint Protection settings before import check
       box is selected, and then click OK to import the settings.

You can then edit and view the policy settings by using gpedit.msc. For more information about
viewing and editing policy settings, see Configuring and Viewing FEP Group Policy Settings.

          Warning:


         Selecting the Clear existing Forefront Endpoint Protection settings before import check box will
         remove all FEP settings contained in the selected GPO and replace them with the imported FEP
         policy settings. If you do not want to clear all of the existing FEP policy settings from the GPO, do
         not select this check box.


To add ADMX and ADML files locally in order to view or edit policy settings
   1. Navigate to the location where you extracted the ADMX and ADML files in the previous
       procedure.

    2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.

    3. Copy the ADML file to the %systemroot%\PolicyDefinitions\ language folder. For example,
       en-US.

          Note:


         You must restart the Group Policy Object Editor after performing the preceding steps.

    4. For more information about editing GPOs by using ADMX files, see Editing the Local GPO
       Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203368). For more information
       about editing domain-based GPOs by using ADMX files, see Editing Domain-Based GPOs
       Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203369).

Merging Settings from Multiple Policy Files
You can merge policy settings from one or more FEP policies into a single Group Policy object (GPO).
This is helpful when you have settings contained in multiple FEP policies and you would like to
combine those policy settings in order to configure clients by using Group Policy. In order to merge
FEP policies to a single GPO, you must use the Forefront Endpoint Protection Group Policy Tool. For
information about how to obtain and extract this tool, see Converting FEP Policies to Group Policy.

  Warning:
  When you merge multiple policies to a single GPO, the order in which you merge the policies will
  affect the outcome of the effective policy. In other words, if you merge three policies that contain
  conflicting settings for a particular feature, the settings in the last policy that you merge will
  overwrite any conflicting settings that are already merged or contained in the GPO.

Merging FEP policy settings from multiple FEP policy files into a GPO

    1. Double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy
       Tool.

    2. On the Import tab, select the Domain and the name of the GPO in that domain that you want
       to populate with preconfigured FEP policy settings.

    3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that
       you want to import to GPO.

           Warning:


          Verify that the .xml policy files were not obtained as part of the
          FEPServerRolePoliciesForUseWithConfigMgrUI.exe download package. Merging the
          preconfigured policy files created for Configuration Manager is not supported.

    4. If this is the first policy that you are merging and there are no FEP policy settings that you
       want to retain that already exist in the selected GPO, select the Clear existing Forefront
       Endpoint Protection settings before import check box.

By selecting this check box, all of the FEP policy settings are cleared in the target GPO. Clearing all of
the previous policy settings ensures that only the FEP settings that are contained in this policy will be
present in the target GPO settings. However, if this is not the first policy that you have merged to the
selected GPO and you want to retain existing previous settings contained in that GPO, ensure that
the check box is not selected. Selecting the check box will clear any previously configured FEP policy
settings that are contained in that GPO.

           Note:


         Merging policy settings by using the Forefront Endpoint Protection Group Policy Tool does not
         affect or impact the source FEP policy file.

    5. Click Apply to merge the policy settings to the GPO.

    6. Repeat the previous step in order to merge additional settings contained in FEP policies to
       the selected GPO.




Exporting Policy Settings to a FEP Policy File
In some cases, you may want to apply policy settings contained in a Group Policy object (GPO) locally
to FEP clients. Or, you may want to export FEP policy settings from a GPO in one domain and then
import those settings to a GPO in another domain. You can export policy settings contained in a
configured FEP GPO to a FEP policy file. The FEP policy file can then be used to apply policy settings
locally to FEP clients, or be imported to a different domain. In order to export policies, you must first
download and install the Forefront Endpoint Protection Group Policy Tool. For more information
about extracting and installing the Group Policy Tool, see Converting FEP Policies to Group Policy.

To export FEP policy settings
    1. Locate and double-click fep2010gptool.exe in order to open the Forefront Endpoint
       Protection Group Policy Tool.

    2. On the Export tab, select the Domain and the name of the Group Policy object in that
       domain that contains the settings with which you want to populate the new FEP policy file.

    3. Click Select Policy File. Select the location and name for the destination .xml policy file that
       will contain the exported policy settings.

    4. Click OK to export the FEP GPO policy settings to the .xml policy file.

For more information about how to apply FEP policy settings, see Applying Policies from the
Command Prompt.

           Note:


         When exporting policy settings from a configured GPO, only the FEP policy settings are exported.
         If the GPO contains non-FEP policy settings, those settings will not be present in the new FEP
         policy file.


Configuring and Viewing FEP Group Policy Settings
You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object
Editor. Each policy setting contains parameter information specific to the feature that you want to
configure. Typically you will access the Group Policy Object Editor by selecting a Group Policy object
(GPO) from within the Group Policy Management Console (GPMC), and then selecting the edit action
for that object. For more information about the Group Policy Object Editor, see Ways to open Group
Policy Object Editor (http://go.microsoft.com/fwlink/?LinkId=203938). For information about
opening the Group Policy Object Editor as an MMC snap-in, see Open Group Policy Editor as an MMC
snap-in (http://go.microsoft.com/fwlink/?LinkId=203939).

To view FEP Group Policy settings
    1. Open the Group Policy Object Editor and navigate to Local Computer Policy\Computer
       Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.




    2. Expand Forefront Endpoint Protection 2010, and click the folder that contains the settings
       that you want to view.

For more information about each policy setting, in the right pane, double-click the setting that you
want to view in order to open the configuration dialog box and view the additional policy setting
information.

          Important:


         When viewing policy settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in
         may incorrectly indicate that some values are disabled when they are actually enabled. In order to
         determine whether a setting is enabled, you must open each setting individually for additional
         information, and then view the value. If the value is present, the setting is enabled.


To edit FEP Group Policy object settings
    1. Open Group Policy Management.

    2. In the console tree, double-click Group Policy Objects in the forest and domain containing
       the GPO that you want to edit.

    3. Right-click the GPO, and then click Edit.

          Note:


         You must have Edit permissions for the GPO that you want to edit.

    4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative
       Templates\System\Forefront Endpoint Protection 2010, and then click the folder that
       contains the settings that you want to configure.

    5. In the right pane, double-click the setting that you want to configure in order to open the
       configuration dialog box.

    6. Configure the settings that you want to deploy to computers running the FEP client software,
       and then click OK.

          Important:


         When viewing policy settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in
         may incorrectly indicate that some values are disabled when they are actually enabled. In order to
         determine whether a setting is enabled, you must open each setting individually for additional
         information, and then view the value. If the value is present, the setting is enabled.




           Warning:


          It is recommended that the Turn on network protection against exploits of known
          vulnerabilities setting is not enabled for policies assigned to servers.

   7. Deploy the policy settings to computers running the FEP client software. For more
      information about how to deploy Group Policy, see Planning and Deploying Group Policy
      (http://go.microsoft.com/fwlink/?LinkId=203940).

FEP Policy Templates
Forefront Endpoint Protection policy templates can be used to create policies that contain optimized
settings. The following content will help you work with Forefront Endpoint Protection policy
templates.

About Preconfigured Policy Templates
You can maintain consistent configuration settings for multiple endpoints by applying policies.
Preconfigured policy templates can help you create policies that contain optimized settings, defined
by technology. You can also apply preconfigured policy templates locally to endpoints. There are two
different download packages available. FEPServerRolePoliciesForUseWithConfigMgrUI.exe contains
policy templates for use with FEP on Configuration Manager.

FEPServerRolePoliciesForUseWithGPO.exe contains policy templates that can be used to configure
policy settings locally on endpoints, deployed via script, or imported into Group Policy.

Policy templates are in XML format and contain configuration settings that are optimized for
endpoints running specific technologies. Preconfigured policy templates are included in the
installation of FEP on Configuration Manager. Periodically, preconfigured policy templates may be
updated and new templates may be provided. The latest versions of the preconfigured FEP policy
templates are available for download from the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkId=207730).

  Note:


In order to work with the updated preconfigured policy templates by using FEP running on
Configuration Manager, you must first extract the policy files to the %programfiles%\Microsoft
Forefront\Policytemplates folder. After extracting the templates, you can then create policies
based on the template settings by using the New Policy Wizard in the Configuration Manager
console. It is important to note that when a policy is created based on a preconfigured policy
template, the policy does not automatically receive updated settings when a new version of the
policy template is extracted to the Policytemplates folder.




After downloading the policy template package that applies to your FEP environment and extracting
the files to their proper location, you can then select the appropriate policy template that
corresponds to the technology running on the endpoint. Each template contains different
configuration settings. For this reason, it is important that you select the policy template that
contains the policy settings that you want to apply. If you apply the settings contained in a policy
template to an endpoint for which those settings were not intended, you may make configuration
changes that will affect the performance of that endpoint.

To view specific policy template settings, you can right-click the .xml file that you want to view, and
then click Edit. Be careful not to edit the template file. Editing the preconfigured policy template files
directly is not supported. Instead, you can create a policy based on the template by using
Configuration Manager or by using the Group Policy Tool. For information about creating new FEP
policies by using templates in Configuration Manager, see Creating a Policy. For information about
creating new FEP policies from policy templates by using the FEP Group Policy Tool, see Converting
FEP Policies to Group Policy.

Preconfigured policy templates are available for endpoints running the following technologies.

    •   Microsoft SQL Server 2005

    •   Microsoft SQL Server 2008

    •   Internet Information Services (IIS) 6

    •   Internet Information Services (IIS) 7

    •   System Center Configuration Manager 2007

    •   System Center Configuration Manager 2007 R2

    •   Microsoft Exchange Server 2007

    •   Microsoft Exchange Server 2010

    •   Microsoft Forefront Protection 2010 for Exchange Server (FPE)

    •   Microsoft Office SharePoint® Server 2007

    •   Microsoft SharePoint 2010

    •   Microsoft Forefront Protection 2010 for SharePoint (FPSP)

    •   Domain Controller

    •   Active Directory Domain Services

    •   Microsoft Hyper-V™ (host)

    •   Terminal Services

    •   DNS Server

    •   DHCP Server

    •   File Services

    •   Microsoft Forefront Security for Exchange Server

    •   System Center Operations Manager 2007

    •   Server (FEP-recommended default policy settings for servers)




Applying Policies from the Command Prompt
You can apply preconfigured FEP policy templates downloaded from the Microsoft Download Center,
FEP policies exported by using the FEP Group Policy Tool, and FEP policies exported from
Configuration Manager, from the command prompt.

It is important to note that when applying FEP policies from the command prompt, the resultant
policy settings on the client are cumulative. For this reason, you must apply the policies in the proper
sequence in order to obtain the desired configuration results.

For example, if you apply one policy that sets Turn on behavior monitoring: Enabled, and also sets
Allow users to pause a scan: Enabled, and you then apply a second policy to the same server that
sets Turn on behavior monitoring: Disabled, the resulting policy settings on the client will be Turn on
behavior monitoring: Disabled, and Allow users to pause a scan: Enabled. However, configurations that
were set locally on the server that do not pertain to FEP, such as enabling a screen saver, will not be
overwritten. For this reason, you must not only be aware of the settings in the policy
template that you are applying; you must also apply policy templates in the proper order. It is
recommended that when you apply multiple policy templates from the command prompt, you apply
the default server policy template first, and then apply additional policy templates.




  Warning:


 When applying policies to domain-joined computers, regardless of whether the policy settings are
 contained in a preconfigured policy template or an exported policy file, the domain-joined
 computer will not apply the settings contained in the policy until it is able to communicate with
 the domain controller. Clients running the FEP software will indicate that the policy was received
 and applied successfully. However, communication with the domain controller is required in
 order to apply the settings contained in the policy. Settings will be immediately applied when the
 domain-joined computer is able to communicate with the domain controller. This warning does
 not apply to non-domain-joined clients.


Applying Preconfigured Policy Templates
There are two separate downloads available that contain preconfigured policy templates. The
FEPServerRolePoliciesForUseWithGPO.exe download contains the policy templates that you can use
in order to apply preconfigured policy settings from the command prompt. The latest version of
FEPServerRolePoliciesForUseWithGPO.exe is available for download from the Microsoft Download
Center (http://go.microsoft.com/fwlink/?LinkId=207730).

  Important:


 Before proceeding with these steps, verify that the client software that is installed on the
 endpoint is the latest supported version. If the client software is not the latest version, uninstall
 the client software, and then install both the client software and the policy. For more information
 about how to install the client software at the command prompt along with a policy, see
 Deploying the Client Software by Using the Command Prompt.


To apply a preconfigured policy to a client locally
   1. Copy FEPInstall.exe and FEPServerRolePoliciesForUseWithGPO.exe to the server on which
       you want to apply a preconfigured policy to an existing client.

    2. Double-click FEPServerRolePoliciesForUseWithGPO.exe in order to extract the
       preconfigured policy file templates.

    3. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security
       Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

          Important:


         You must change the path to this directory and run the command from that location.




For example, if you want to apply a policy template named FEP_DHCP.xml to a server running DHCP,
run the following command:

ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml
where servername is the name of the server hosting the share, and share is the name of the shared
folder on that server.

          Important:


         You must always specify the full path for the policy location.

    4. Wait for approximately three minutes in order for the settings to update in the user
       interface, and then open the Forefront Endpoint Protection client software. Verify that the
       settings defined in the policy are shown in the client software.

Applying Exported Policies
You can export policy settings to a Forefront Endpoint Protection .xml policy file by using the
Forefront Endpoint Protection Group Policy Tool or Configuration Manager, depending on the
location of the policy settings. For more information about exporting Group Policy settings, see
Exporting Policy Settings to a FEP Policy File. For more information about exporting FEP policies in
Configuration Manager, see Exporting a Policy.

  Important:


 Before proceeding with these steps, verify that the client software that is installed on the
 endpoint is the latest supported version. If the client software is not the latest version, uninstall
 the client software, and then install both the client software and the policy. For more information
 about how to install the client software at the command prompt along with a policy, see
 Deploying the Client Software by Using the Command Prompt.


To apply an exported policy to a client locally
   1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security
       Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

          Important:


         You must change the path to this directory and run the command from that location.

For example, if you want to apply a policy template named My_Exported_Policy.xml to a server, run
the following command:




ConfigSecurityPolicy.exe \\servername\share\My_Exported_Policy.xml
where servername is the name of the server hosting the share, and share is the name of the shared
folder on that server.

          Note:


         You must always specify the full path for the policy location.

    2. Wait for approximately three minutes in order for the settings to update in the user
       interface, and then open the Forefront Endpoint Protection client software. Verify that the
       settings defined in the policy are shown in the client software.

Updating Policies from the Command Prompt
You can update the local policy on a client computer by using a policy template and applying that
policy template via the command prompt. Preconfigured policy templates can be obtained from the
Microsoft Download Center. For more information about preconfigured policy templates, see About
Preconfigured Policy Templates. You can also apply policy settings that have been exported from
Configuration Manager or the Forefront Endpoint Protection Group Policy Tool. For more
information about exporting policies from Configuration Manager, see Exporting a Policy. For more
information about exporting policies by using the Group Policy Tool, see Converting FEP Policies to
Group Policy.

To update the local policy on a client computer
   1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security
      Client folder, and then run the following command:

ConfigSecurityPolicy.exe [full path]\[policy file]

          Important:


         You must change the path to this directory and run the command from that location.

For example, if you want to apply the policy named FEP_DHCP.xml to a client, run the following
command:

ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml
where servername is the name of the server hosting the share, and share is the name of the shared
folder on that server.

          Note:


         You must always specify the full path for the policy location.




    2. Wait for approximately three minutes in order for the settings to update in the user
       interface, and then open the Forefront Endpoint Protection client software. Verify that the
       settings defined in the policy are shown in the client software.
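The three command-prompt procedures above (applying a preconfigured template, applying an exported policy, and updating the local policy) all run the same ConfigSecurityPolicy.exe command, and the section on applying policies from the command prompt stresses that settings are cumulative and must be applied in order. The following PowerShell function is an added example, not part of the Forefront Endpoint Protection documentation or product: it applies an ordered list of policy files, enforcing the procedure's requirements (elevated session, full path to each file, command run from the %programfiles%\Microsoft Security Client folder). It assumes that a non-zero exit code from ConfigSecurityPolicy.exe indicates failure, which the documentation does not state, and the file names in the invocation comment are constructed placeholders.

```powershell
# Added example; not from the FEP documentation or the product itself. Applies FEP policy
# .xml files in a fixed order with ConfigSecurityPolicy.exe. Assumption: a non-zero exit
# code means failure (the documentation does not describe the tool's exit codes).
function Invoke-FepPolicyApply {
    [CmdletBinding()]
    param(
        # Policy files in the order they are to be applied. Settings are cumulative, so list the
        # default server template first and the role-specific templates after it.
        [Parameter(Mandatory = $true)]
        [string[]] $PolicyFile,

        # FEP client install folder; ConfigSecurityPolicy.exe must be run from this location.
        [string] $ClientFolder = (Join-Path $env:ProgramFiles 'Microsoft Security Client')
    )

    # The procedure calls for an elevated command prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    $exe = Join-Path $ClientFolder 'ConfigSecurityPolicy.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "ConfigSecurityPolicy.exe was not found in '$ClientFolder'."
    }

    # Validate every file before applying any of them, so a bad third path does not leave the
    # client with a partially applied sequence. Local drive paths and UNC paths both count as full.
    $resolved = foreach ($file in $PolicyFile) {
        if (-not [System.IO.Path]::IsPathRooted($file)) {
            throw "'$file' is not a full path; the policy location must always be given in full."
        }
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            throw "Policy file '$file' was not found."
        }
        (Resolve-Path -LiteralPath $file).ProviderPath
    }

    # Run from the client folder, as the procedure requires, and restore the location afterwards.
    Push-Location -LiteralPath $ClientFolder
    try {
        foreach ($file in $resolved) {
            Write-Verbose "Applying $file"
            $null = & $exe $file
            if ($LASTEXITCODE -ne 0) {
                throw "ConfigSecurityPolicy.exe returned $LASTEXITCODE for '$file'; stopping so later policies are not layered on a failed apply."
            }
            # Record what was applied and when, in UTC to match the Policy Applied time the client shows.
            [pscustomobject]@{
                PolicyFile = $file
                AppliedUtc = (Get-Date).ToUniversalTime()
            }
        }
    }
    finally {
        Pop-Location
    }
}

# Example invocation (constructed names: 'Default_Server_Policy.xml' is a placeholder for the
# default server template; FEP_DHCP.xml is the template named in the procedure):
# Invoke-FepPolicyApply -PolicyFile '\\servername\share\Default_Server_Policy.xml',
#                                   '\\servername\share\FEP_DHCP.xml' -Verbose
```

After the last file is applied, allow roughly three minutes for the client user interface to refresh, then confirm the settings in the client as the procedure describes.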

Common Tasks
There are certain tasks that are common in day-to-day security administration. This section provides
steps for accomplishing these tasks for each of the following attributes of Forefront Endpoint
Protection (FEP):

    •   Forefront Endpoint Protection

    •   The FEP Security Management Pack

    •   The FEP client

  Important:


 Not every common task can be performed in each feature. The features on which the task can be
 performed are listed at the beginning of each set of tasks.




Running an Endpoint Protection Scan
This task applies to the following features:

    •   Forefront Endpoint Protection

    •   The FEP Security Management Pack

    •   The FEP client

  Important:


 You should configure FEP policy to ensure that scans run automatically on a regular basis.


To run a quick or full scan by using FEP
    1. In the Configuration Manager console, in the tree, expand Computer Management, expand
       Collections, and then navigate to the collection that contains the computer on which you
       want to start a scan.

           Tip:
           If you know the name of the target computer, you can search for the computer in the details pane
           when a parent collection is selected in the tree.

   2. Right-click the computer name, click FEP Operations, and then click either Run Full Scan or
      Run Quick Scan.

           Tip:


          You can target multiple computers by selecting them and then right-clicking a single computer.

To distribute the on-demand scan, Configuration Manager creates an advertisement. You can view
the properties of the advertisement by navigating to Software Distribution in the tree, and then
expanding Advertisements and FEP Operations.

The collections and advertisements created by this process are deleted the next time you run an
on-demand scan, if they are older than seven days.

  Note:


Only one advertisement can run at a time on the client computer. Therefore, if an advertisement
is running on the client computer that could potentially take a while to complete (such as a full
scan on a computer with a large hard disk), subsequent advertisements are processed after that
advertisement completes.


To run a quick or full scan by using the FEP Security Management Pack
    1. In the Operations Manager console, navigate to the Monitoring view, and then expand the
       Monitoring tree.

   2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

   3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to start a
      scan.

           Note:


          In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look
          for text box, and then click Find Now.

   4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Quick Scan or
      Full Scan.

   5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run
      the scan and that the check box next to the target name is selected, and then click Run. The
      scan runs with the default parameters.




           Note:


          The task is marked as successful after the scan is started on the targeted computer. Tasks in the
          FEP Security Management Pack represent the command to run the task, not the results of the
          task itself.


To run a quick or full scan locally on the FEP 2010 client
    1. In the notification area of your computer, right-click the Microsoft Forefront Endpoint
       Protection 2010 icon, and then click Open.

    2. On the FEP Home page, select either the Quick option or Full option, and then click Scan
       now. The scan may take a while, depending on the number of files and folders being
       scanned.

Managing Windows Firewall Protection
This task applies to the following features:

    •   Forefront Endpoint Protection

    •   The FEP Security Management Pack

  Note:


 Windows XP and Windows Server 2003 only support two network locations: Domain networks
 and Private networks. Any settings you configure for the Public networks location are ignored on
 computers running Windows XP or Windows Server 2003.

 Additionally, for both the Domain networks and the Private networks locations, setting the
 Incoming connections list to Allow is ignored on computers running Windows XP.


To turn on or off Windows Firewall protection by using FEP
    1. In the Configuration Manager Console, in the tree, expand Computer Management, expand
       Forefront Endpoint Protection, and then click Policies.

    2. Right-click the policy you want to modify, and then click Properties.

    3. In the Properties dialog box, click the Windows Firewall tab.

    4. On the Windows Firewall tab, click the Manage Windows Firewall check box.

    5. For each of the network locations, in the Firewall State list, select the desired setting of
       either On (recommended) or Off, and then click OK.

After you configure the FEP policy, if the FEP policy is already assigned to a collection, it is refreshed
within the Configuration Manager policy polling interval. You can configure the Configuration
Manager policy polling interval in the Computer Client Agent configuration in the Configuration
Manager console. For more information about the Computer Client Agent, see How to Configure the
Configuration Manager Computer Client Agent (http://go.microsoft.com/fwlink/?LinkId=204087).

Additionally, only one advertisement can run at a time on the client computer. Therefore, if an
advertisement is running on the client computer, the FEP policy advertisement is processed after
that advertisement completes.

  Important:


When you apply a FEP policy to a collection that has more than one policy assigned, policy
precedence determines which policy takes effect on the clients in the collection. For more
information about policy precedence, see Setting Policy Precedence.


To turn on or off Windows Firewall protection by using the FEP Security Management Pack
    1. In the Operations Manager console, navigate to the Monitoring view, and then expand the
       Monitoring tree.

   2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

   3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to turn
      Windows Firewall on or off.

          Note:


        In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look
        for text box, and then click Find Now.

   4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Turn Windows
      Firewall On or Turn Windows Firewall Off.

   5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run
      the task and that the check box next to the target name is selected, and then click Run.

          Note:


         If Group Policy is used to manage the Windows Firewall settings, the FEP Security Management
         Pack task fails to commit the changes to the Windows Firewall configuration. However, the task
         still reports as successful, because there is no method to determine whether Group Policy is used
         to manage the Windows Firewall settings.


Retrieving the Effective Endpoint Protection Settings
This task applies to the following feature:

    •   The FEP Security Management Pack

To retrieve endpoint settings by using the FEP Security Management Pack
    1. In the Operations Manager console, navigate to the Monitoring view, and then expand the
       Monitoring tree.

    2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

    3. In the Endpoints with FEP pane, click the name of the endpoint from which you want to
       retrieve settings.

           Note:


         In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look
         for text box, and then click Find Now.

    4. In the Actions pane, expand Protected Server Tasks, and then click Retrieve Endpoint
       Settings.

    5. In the Run Task dialog box, verify that the target is the endpoint that you want to retrieve
       settings from and that the check box next to the target name is selected, and then click Run.

Forcing Definition Updates
This task applies to the following features:

    •   Forefront Endpoint Protection

    •   The FEP Security Management Pack

    •   The FEP client

  Important:


 You should configure FEP policy to ensure that definition updates run automatically on a regular
 basis, and you should monitor the Definition Status area in the FEP dashboard.

To force a definition update by using FEP

    1. In the Configuration Manager console, in the tree, expand Computer Management, expand
       Collections, and then navigate to the collection that contains the computer on which you
       want to force a definition update.






           Tip:


          If you know the name of the target computer, you can search for the computer in the details pane
          when a parent collection is selected in the tree.

    2. Right-click the computer name, click FEP Operations, and then click Run Antimalware
       Definitions Update.

           Tip:


          You can target multiple computers by selecting them and then right-clicking a single computer.

To distribute the definition update request, Configuration Manager creates an advertisement. You
can view the properties of the advertisement by navigating to Software Distribution in the tree, and
then expanding Advertisements and FEP Operations.

  Note:


Only one advertisement can run at a time on the client computer. Therefore, if an advertisement
is running on the client computer that could potentially take a while to complete (such as a full
scan on a computer with a large hard disk), subsequent advertisements are processed after that
advertisement completes.

To force a definition update by using the FEP Security Management Pack

    1. In the Operations Manager console, navigate to the Monitoring view, and then expand the
       Monitoring tree.

    2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.

    3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to update
       definitions.

           Note:


          In order to search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look
          for text box, and then click Find Now.

    4. In the Actions pane, expand Protected Endpoint Tasks, and then click Update Antimalware
       Definitions.

    5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run
       the task and that the check box next to the target name is selected, and then click Run.



To update definitions locally on the FEP 2010 client

    •   In the FEP client software, click the Update tab, and then click the Update button.



Configuring Definition Updates
You can configure the Forefront Endpoint Protection client software to check for updates from one
or many of the following sources:

    •   Software Updates and Windows Server Update Services Definition Updates

    •   Microsoft Update Definition Updates

    •   File-Share-Based Definition Updates

When you configure multiple definition sources, by default the client software checks for definition
updates in the following order:

    1. File share

    2. Windows Server Update Services (WSUS)

    3. Microsoft Update

However, you can alter both the order of this list and the definition sources checked.

To change the order of definition updates or alter the update sources

    •   After creating a FEP policy, right-click the policy and then click Properties.

             •     To change the order of definition updates, click the Updates tab, and in the list of
                   update sources, click the one you want to reorder, and then click either Up or Down.

             •     To change the definition update sources, on the Updates tab, in the list of update
                   sources, click the check box next to each definition update source you want to check.

                 Note:


             If you select Updates from UNC file shares, you must configure those shares. For more
             information, see File-Share-Based Definition Updates.

    •   When finished, click OK.

You can view the definition status for your deployed FEP clients by viewing the Definition Status area
in the Forefront Endpoint Protection dashboard. For more information about the FEP dashboard, see
Dashboard Overview.

Software Updates and Windows Server Update Services Definition Updates







When configuring your Forefront Endpoint Protection or FEP Security Management Pack deployment
for WSUS-based definition updates, you must perform the following tasks:

    •   Configure either the Software Updates area of Configuration Manager or your WSUS server
        to synchronize both updates and definition updates.

    •   Approve the Endpoint Protection definitions in the WSUS administration console.

Configuring Update Synchronization
If you are using Forefront Endpoint Protection, you must configure Software Updates in
Configuration Manager to synchronize the appropriate updates for the FEP client.

To synchronize FEP definition updates in Configuration Manager
    1. In the Configuration Manager Console, in the tree, expand Site Management, expand the
       site name, expand Site Settings, and then click Component Configuration.

    2. In the details pane, right-click Software Update Point Component, and then click Properties.

    3. On the Classifications tab, ensure that the Definition Updates check box and the Updates
       check box are selected.

    4. On the Products tab, ensure that the product Forefront Endpoint Protection 2010 check box
       is selected, and then click OK.

FEP client computers receive definition updates from a WSUS server. If you are using a WSUS server
that is not integrated with Configuration Manager, you must configure the definition update
synchronization in the WSUS administration console.

To synchronize FEP definition updates in WSUS
    1. Using an account that has local administrator user rights, log on to the computer running
       WSUS.

    2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update
       Services.

    3. In the WSUS Administration console, in the tree, expand the Computers node, click Options,
       and then click Products and Classifications.

    4. In the Products and Classifications dialog box, on the Products tab ensure that the product
       Forefront Endpoint Protection 2010 check box is selected.

    5. On the Classifications tab, ensure that the Definition Updates check box and Updates check
       box are selected, and then click OK.

Approving Updates
Updates for the FEP client must be approved before those updates are offered to clients requesting
the list of available updates. Clients connect to the WSUS server to check for applicable updates and
then request the latest approved definition updates. Updates are only offered to clients when they
are approved for installation and when the WSUS server has completed the binary download.
are approved for installation and when the WSUS server has completed the binary download.

To approve definitions and updates in WSUS
   1. Using an account that has local administrator user rights, log on to the computer running
      WSUS.

   2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update
      Services.

   3. In the WSUS Administration console, click Updates, and then click All Updates or the
      classification of updates you want to approve.

   4. On the list of updates, right-click the update or updates you want to approve for installation,
      and then click Approve.

   5. In the Approve Updates dialog box, click the arrow next to the computer group for which
      you want to approve the updates, and then click Approved for Install.

You can also set an Automatic Approval rule for definition updates and FEP updates, which
configures WSUS to automatically approve for install any definition updates or FEP updates
downloaded by WSUS.

To configure an automatic approval rule
    1. In the WSUS Administration console, click Options, and then click Automatic Approvals.

   2. On the Update Rules tab, click New Rule.

   3. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in
      a specific classification check box.

   4. Under Step 2: Edit the properties, click any classification.

   5. Clear all check boxes except Definition Updates, and then click OK.

   6. On the Add Rule dialog box, under Step 1: Select properties, select the When an update is in
      a specific product check box.

   7. Under Step 2: Edit the properties, click any product.

   8. Clear all check boxes except Forefront Endpoint Protection, and then click OK.

   9. In the Step 3: Specify a name box, enter a name for the Forefront Endpoint Protection
      Definition Updates rule, and then click OK.

   10. In the Automatic Approvals dialog box, make sure that the check box for the newly created
       rule, Forefront Endpoint Protection 2010 Definition Updates, is selected, and then click Run rule.






  Note:


You should ensure you are declining older definition updates. Failing to do so may impact the
performance of both your WSUS server and possibly your client computers. By configuring
automatic approval for revisions and automatic declination of expired updates, you can
accomplish this task. For more information, see Microsoft Knowledge Base article 938947
(http://go.microsoft.com/fwlink/?LinkId=204078).
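
The following script is an added example and is not part of the FEP documentation or of the product. It uses the WSUS administration .NET API to list the FEP definition updates that WSUS already marks as superseded (a newer definition set has replaced them) and, only when run with -Commit, declines them, which is the housekeeping the note above recommends. The server name and port are placeholders; the script assumes the WSUS administration console (which installs the API assembly) is present on the machine where it runs, and that the product and classification titles match the synchronization settings configured earlier in this section.

```powershell
# Added example, not from the FEP documentation: report (and optionally decline)
# superseded FEP definition updates on a WSUS server.
# Assumptions: $WsusServer and $Port are placeholders; the WSUS administration
# assembly is installed locally; product/classification titles match the sync settings.
param(
    [string]$WsusServer = 'wsus01.corp.example',   # placeholder server name
    [int]$Port = 8530,                             # default WSUS HTTP port
    [switch]$UseSsl,
    [switch]$Commit                                # without -Commit nothing is changed
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, [bool]$UseSsl, $Port)

$product        = 'Forefront Endpoint Protection 2010'
$classification = 'Definition Updates'

# A superseded definition update has been replaced by a newer definition set. Once the
# newer set is approved, the old one only adds scan and download work for clients.
$candidates = $wsus.GetUpdates() | Where-Object {
    -not $_.IsDeclined -and
    $_.IsSuperseded -and
    $_.UpdateClassificationTitle -eq $classification -and
    ($_.ProductTitles -contains $product)
}

$declined = 0
foreach ($update in ($candidates | Sort-Object CreationDate)) {
    if ($Commit) {
        $update.Decline()          # removes the update from what clients are offered
        $declined++
        $state = 'declined'
    } else {
        $state = 'would decline'   # dry run: report only
    }
    '{0,-14} {1:yyyy-MM-dd}  {2}' -f $state, $update.CreationDate, $update.Title
}

'{0} superseded {1} update(s) for {2} found; {3} declined (use -Commit to apply).' -f @($candidates).Count, $classification, $product, $declined
```

Run it first without -Commit and review the list; declining is reversible from the WSUS console, but reviewing the dry run avoids declining a definition set whose successor has not yet finished downloading on the server.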


Microsoft Update Definition Updates
You use the Microsoft Update definition update option to keep definitions on mobile computers up-
to-date when they are not connected to the corporate network.

The Microsoft Update definition update option works in the same way as a normal Microsoft Update
request. If configured, the FEP client will query Microsoft Update for new definitions according to the
frequency configured in the FEP policy.

You configure clients to check for definition updates by setting a policy option.

To configure clients to check Microsoft Update
    • When you create a FEP policy, on the Updates page, ensure the Enable updates from
       Microsoft Update check box is selected.

    •   When you want to add Microsoft Update as a definition update option to an existing policy,
        in the properties of the policy, click the Updates tab, and in the update source list, ensure
        the Updates from Microsoft Updates check box is selected.

File-Share-Based Definition Updates
The FEP client software can be configured to check a file share for definition updates. In order to
check for updates, the client computer accounts must have read access to the file share in which you
store the definition files.

  Note:


When you configure clients to check a file share for definition updates, by default clients check
the file share first, before checking WSUS or Microsoft Update. This order can be changed. For
more information, see Configuring Definition Updates.


To enable file share-based definition updates
    1. When creating a FEP policy, on the Updates page, click the check box next to Enable updates
       from the following UNC file share, and then in the text box, enter the Universal Naming
       Convention (UNC) path to the file share.

    2. To enable file share-based definition updates in an existing policy, use the following steps:




              a. In the Configuration Manager console, expand Computer Management, expand
                 Forefront Endpoint Protection, and then click Policies.

              b. In the details pane, right-click the policy you want to edit, and then click Properties.

              c. Click the Updates tab, and then in the list of update sources, click the check box next
                 to Updates from UNC file shares.

              d. Under File shares, click Add, and then type the UNC path to the file share.

              e. If necessary, click Add again and add additional UNC paths.

                     Note:


                    You can alter the order of the list of file shares by selecting a listed path, and then, under the list,
                    click Up or Down.

              f.   When finished, click OK.

When you configure a file share for definition updates, you must download the definition updates to
certain folders in the UNC file share.

To configure a file share for definition updates
    1. Download the required files from the following locations:

For x64:

              •    Antimalware definitions
                   (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)

              •    Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)

            Note:


           This file is required only if you have enabled the Enable protection against network-based
           exploits check box on the Antimalware tab of a FEP policy.

For x86:

              •    Antimalware definitions
                   (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)

              •    Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)

                       Note:

                  This file is required only if you have enabled the Enable protection against network-based
                  exploits check box on the Antimalware tab of a FEP policy.

                   Important:

                  Do not rename the files when you download them.

   2. Save the files in folders with the following names:

             •   The files for x64-based computers must be in a folder named x64

             •   The files for x86-based computers must be in a folder named x86

For example:

...\Updates\x86

...\Updates\x64

   3. Ensure that each folder contains the following two files:

             •   Mpam-fe.exe

             •   Nis_full.exe

                   Note:


                  This file is required only if you have enabled the Enable protection against network-based
                  exploits check box on the Antimalware tab of a FEP policy.

   4. Share the parent folder that contains the x64 and x86 folders.

          Important:


        Ensure the client computers and the domain users connecting to the share have read permissions
        to the share. During an automatic update the client computer account is used to authenticate to
        the share. When a user manually updates their definitions by clicking Update, that user account is
        used to authenticate to the share.
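
The following script is an added example and is not part of the FEP documentation or of the product. It builds the folder layout described in the procedure above (a parent folder with x64 and x86 subfolders), optionally downloads Mpam-fe.exe and Nis_full.exe from the documented locations without renaming them, grants the client computer accounts and domain users read access on both the NTFS folder and the share, and then verifies that each architecture folder holds the required files. The parent path, share name and group names are placeholders; the script assumes Windows Server 2012 or later (for New-SmbShare and Invoke-WebRequest) and Internet access for the download step.

```powershell
# Added example, not from the FEP documentation: create, populate and verify a UNC
# definition share. Assumptions: $Root, $ShareName and the group names are
# placeholders; Windows Server 2012 or later; Internet access when -Download is used.
param(
    [string]$Root = 'D:\FepDefinitions',                   # placeholder parent folder
    [string]$ShareName = 'FepDefinitions',                 # placeholder share name
    [string[]]$ReadPrincipals = @('CONTOSO\Domain Computers', 'CONTOSO\Domain Users'),  # placeholders
    [switch]$Download,
    [switch]$NetworkInspection   # set when the policy enables protection against network-based exploits
)

# Download locations from the documentation. The file names are the ones FEP expects
# and must not be changed.
$sources = @{
    'x64' = @{
        'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64'
        'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197094'
    }
    'x86' = @{
        'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86'
        'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197095'
    }
}

function Test-DefinitionShareLayout {
    # Returns a list of problems; an empty list means the layout matches the documented one.
    param([string]$Root, [bool]$RequireNis)
    $problems = @()
    foreach ($arch in 'x64', 'x86') {
        $dir = Join-Path $Root $arch
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            $problems += "missing folder $dir"
            continue
        }
        $required = @('Mpam-fe.exe')
        if ($RequireNis) { $required += 'Nis_full.exe' }
        foreach ($file in $required) {
            if (-not (Test-Path -LiteralPath (Join-Path $dir $file) -PathType Leaf)) {
                $problems += "missing file $arch\$file"
            }
        }
    }
    return $problems
}

foreach ($arch in $sources.Keys) {
    $dir = Join-Path $Root $arch
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    if ($Download) {
        foreach ($file in $sources[$arch].Keys) {
            if ($file -eq 'Nis_full.exe' -and -not $NetworkInspection) { continue }
            # -OutFile fixes the on-disk name even if the download link redirects
            Invoke-WebRequest -Uri $sources[$arch][$file] -OutFile (Join-Path $dir $file) -UseBasicParsing
        }
    }
}

# Scheduled updates authenticate as the computer account, manual updates as the user,
# so both kinds of principal need read access on the NTFS folder and on the share.
$acl = Get-Acl -Path $Root
foreach ($principal in $ReadPrincipals) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Root -AclObject $acl
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Root -ReadAccess $ReadPrincipals | Out-Null
}

$problems = @(Test-DefinitionShareLayout -Root $Root -RequireNis ([bool]$NetworkInspection))
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"Share \\$env:COMPUTERNAME\$ShareName is ready; enter that UNC path in the FEP policy."
```

Clients are granted read access only: the account that refreshes the share contents is the one that should be able to write there, so that a compromised workstation cannot replace the definition packages that every other client pulls.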


FEP Monitoring
You can monitor the client computers that run the FEP client software in a number of ways. The
monitoring features of Forefront Endpoint Protection are summarized in the following table.






Monitoring method: Forefront Endpoint Protection dashboard

    Displays client deployment status, antimalware activity status, definition status, policy
    distribution status, and the compliance levels for the configured baselines in Desired
    Configuration Management (DCM). For information on how to use the Forefront Endpoint
    Protection dashboard, see Monitoring Client Status by Using the Dashboard.

Monitoring method: Forefront Endpoint Protection alerts

    The alerts node under Forefront Endpoint Protection allows you to configure the alerts that
    are used to provide administrators with information about malware outbreaks through events
    in the Windows Event Viewer, or optionally by e-mail. For information on how to use Forefront
    Endpoint Protection alerts, see Using Alerts to Monitor Malware Detections.

Monitoring method: Forefront Endpoint Protection reports

    Forefront Endpoint Protection comes with reports that allow you to see greater detail about
    other key indicators for computer health. For more information about Forefront Endpoint
    Protection reports, see Using Reports in FEP.

Monitoring method: Forefront Endpoint Protection baselines for Desired Configuration Management (DCM)

    Forefront Endpoint Protection includes baselines for DCM. The addition of Forefront Endpoint
    Protection baselines to DCM allows you to assess and track the configuration compliance for
    the FEP client software. For more information about Forefront Endpoint Protection Desired
    Configuration Management, see Using Desired Configuration Management to Monitor Client
    Compliance.




Monitoring Client Status by Using the Dashboard
You use the Forefront Endpoint Protection (FEP) dashboard to view key information you need in
order to track, manage, and report on your organization’s antimalware health and status. For more
information, see Dashboard Overview.





To view the list of computers to which the Forefront Endpoint Protection client failed to
deploy
    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, and then click Forefront Endpoint
       Protection.

In the results pane, in the Client Deployment Status area, the statistics for client deployment display.

    2. In the Client Deployment Status area, next to Failed, click the number displayed.

The Deployment Failed collection displays. This collection lists all the computers that returned a
failure on the installation package for the FEP client software.

  Note:


 For more information about collections in Configuration Manager, see About Collections
 (http://go.microsoft.com/fwlink/?LinkId=196182) in the System Center Configuration Manager
 2007 documentation.


To view malware activity status
    • In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, and then click Forefront Endpoint
       Protection.

In the results pane, in the Security Status area, the list of possible FEP security states displays.

The Security Status list contains information about how many computers that had malware were
cleaned, how many are actively infected, and how many computers need additional action.

About Forefront Endpoint Protection Configuration Baselines
The FEP dashboard contains a summary view of the FEP configuration baselines used to monitor and
report information about the categories of computers in your organization. In the Forefront
Endpoint Protection Baselines area, you see a summary view of each FEP configuration baseline and
the number of computers compliant or not compliant with the configuration baseline.

For more information about the FEP configuration baselines, see Using Desired Configuration
Management to Monitor Client Compliance.

  Warning:


 If you enable the Use Reporting Services Reports for Admin console report links option in the
 Configuration Manager site report options, all FEP Desired Configuration Management baseline
 reports and report links at the bottom of the FEP dashboard do not work, and return an error. To
 fix the reports, run the steps described in How to Copy Configuration Manager Reports to SQL
 Reporting Services (http://go.microsoft.com/fwlink/?LinkId=207354) in the Configuration
 Manager documentation.


Using Alerts to Monitor Malware Detections
Alerts in Forefront Endpoint Protection (FEP) provide administrators with information about malware
outbreaks. Administrators can view alerts in two ways:

    •   Through events in the Windows Event Viewer

    •   Optionally, by e-mail

There are two varieties of alerts:

    •   Alerts that apply per collection (and any child collections of the parent collection). You can
        create multiple alerts, but a collection can only be assigned one of each alert type.

    •   A global alert for malware outbreaks, which triggers based on any collection.

By default, alerts in FEP are not enabled, and you must configure e-mail settings in order for the e-
mail option to work. Additionally, in a hierarchical Configuration Manager topology where you have
FEP installed on both the child site and the parent site, you should configure alerts at the child site to
notify administrators who can take action on the alerts.

The following table lists the alerts available in FEP.

 Alert type: Malware Outbreak Alert

     Description: When enabled, an alert of this type is triggered when a fast-spreading malware is
     detected in your organization. You configure the threshold for a fast-spreading malware in your
     organization by setting the number of unique computers infected by a particular malware in
     24 hours.

     Default trigger threshold when enabled:

         •   Number of computers with the same malware detected: 100

 Alert type: Malware Detection Alerts

     Description: After the alert is created, an alert of this type is triggered when the following
     conditions are met:

         •   Malware is detected on a computer that is a member of the specified parent collection, or
             one of its child collections.

         •   The malware detection falls within the specified detection level for the alert.

     Default trigger threshold when enabled:

         •   No parent collections are specified by default

         •   Select detection level: High

 Alert type: Repeated Malware Detection Alerts

     Description: After the alert is created, an alert of this type is triggered when the following
     conditions are met:

         •   The same malware is detected on a computer that is a member of the specified parent
             collection, or one of its child collections.

         •   The number of detections of the same malware meets the specified number of detections
             in the alert configuration.

         •   The number of detections occurred within the interval specified in the alert configuration.

     Default trigger threshold when enabled:

         •   No parent collections are specified by default

         •   Number of the same malware detected: 4

         •   Interval: 24 hours

 Alert type: Multiple Malware Detection Alerts

     Description: After the alert is created, an alert of this type is triggered when the following
     conditions are met:

         •   Multiple types of malware are detected on a computer that is a member of the specified
             parent collection, or one of its child collections.

         •   The number of malware detected meets the specified number of detections in the alert
             configuration.

         •   The number of detections occurred within the interval specified in the alert configuration.

     Default trigger threshold when enabled:

         •   No parent collections are specified by default

         •   Number of malware types detected: 4

         •   Interval: 24 hours
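
The following script is an added example and is not part of the FEP documentation or of the product. It applies the outbreak, repeated-detection and multiple-detection rules from the table above, with the documented default thresholds and 24-hour interval, to a constructed set of detection events, so that the counting behind each alert type is visible: the outbreak rule counts distinct computers per malware name, the repeated rule counts detections per computer and malware name, and the multiple rule counts distinct malware names per computer. It assumes the events already belong to the monitored parent collection (or one of its child collections); the computer and malware names are made up. In the constructed data each pattern trips exactly one alert, and the older PC01 detection is dropped by the interval check.

```powershell
# Added example, not from the FEP documentation: evaluate FEP alert rules against
# constructed detection events with the documented default thresholds.
# Assumptions: all events are in the monitored collection; names are made up.
$asOf = [datetime]'2011-03-01T12:00:00'

function New-Detection {
    param([string]$Computer, [string]$Malware, [datetime]$Time)
    [pscustomobject]@{ Computer = $Computer; Malware = $Malware; Time = $Time }
}

# Constructed detection events (not real FEP telemetry)
$events = @()
# PC01: the same malware 4 times inside 24 hours, plus one older detection that the
# interval check must ignore
foreach ($h in 1..4) { $events += New-Detection 'PC01' 'Trojan:Win32/SampleA' $asOf.AddHours(-$h) }
$events += New-Detection 'PC01' 'Trojan:Win32/SampleA' $asOf.AddHours(-30)
# PC02: 4 different malware types inside 24 hours
foreach ($m in 'Worm:Win32/SampleB', 'Virus:Win32/SampleC', 'Backdoor:Win32/SampleD', 'TrojanDownloader:Win32/SampleE') {
    $events += New-Detection 'PC02' $m $asOf.AddMinutes(-10)
}
# 100 distinct workstations with the same malware inside 24 hours
foreach ($n in 1..100) { $events += New-Detection ('WS{0:D3}' -f $n) 'Worm:Win32/SampleF' $asOf.AddHours(-2) }

function Get-EventsInInterval {
    # Keeps only detections within the trailing interval ending at $AsOf
    param($Events, [datetime]$AsOf, [int]$IntervalHours)
    $start = $AsOf.AddHours(-$IntervalHours)
    $Events | Where-Object { $_.Time -gt $start -and $_.Time -le $AsOf }
}

function Get-MalwareOutbreakAlerts {
    # Default threshold: 100 unique computers with the same malware in 24 hours
    param($Events, [datetime]$AsOf, [int]$Threshold = 100, [int]$IntervalHours = 24)
    Get-EventsInInterval $Events $AsOf $IntervalHours | Group-Object Malware | ForEach-Object {
        $computers = @($_.Group | Select-Object -ExpandProperty Computer -Unique)
        if ($computers.Count -ge $Threshold) {
            [pscustomobject]@{ Alert = 'Malware Outbreak'; Computer = '(organization)'; Malware = $_.Name; Count = $computers.Count }
        }
    }
}

function Get-RepeatedMalwareDetectionAlerts {
    # Default threshold: the same malware detected 4 times on one computer in 24 hours
    param($Events, [datetime]$AsOf, [int]$Threshold = 4, [int]$IntervalHours = 24)
    Get-EventsInInterval $Events $AsOf $IntervalHours | Group-Object Computer, Malware | ForEach-Object {
        if ($_.Count -ge $Threshold) {
            [pscustomobject]@{ Alert = 'Repeated Malware Detection'; Computer = $_.Group[0].Computer; Malware = $_.Group[0].Malware; Count = $_.Count }
        }
    }
}

function Get-MultipleMalwareDetectionAlerts {
    # Default threshold: 4 different malware types detected on one computer in 24 hours
    param($Events, [datetime]$AsOf, [int]$Threshold = 4, [int]$IntervalHours = 24)
    Get-EventsInInterval $Events $AsOf $IntervalHours | Group-Object Computer | ForEach-Object {
        $types = @($_.Group | Select-Object -ExpandProperty Malware -Unique)
        if ($types.Count -ge $Threshold) {
            [pscustomobject]@{ Alert = 'Multiple Malware Detection'; Computer = $_.Name; Malware = ('{0} types' -f $types.Count); Count = $types.Count }
        }
    }
}

$alerts = @(Get-MalwareOutbreakAlerts $events $asOf) +
          @(Get-RepeatedMalwareDetectionAlerts $events $asOf) +
          @(Get-MultipleMalwareDetectionAlerts $events $asOf)
$alerts | Format-Table Alert, Computer, Malware, Count -AutoSize
```

Lowering a threshold or widening the interval in the function calls shows how quickly the repeated and multiple rules become noisy on a machine that keeps re-detecting the same family, which is the trade-off to weigh when changing the defaults in the alert configuration.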


To create and configure per-collection alerts
    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then expand Alerts.

   2. Click one of the per-collection alerts (Malware Detection, Repeated Malware Detection or
      Multiple Malware Detection), and then in the Actions pane, click the New action.

   3. To configure the alert, set the options you need according to the following table.

        Alert name     Option           Description

        Malware        Enter parent     Click Browse to specify the parent collection to monitor. The
        Detection      collection       parent collection and any child collections are monitored for
        Alert                           this alert configuration.

                       Select           Specifies the computer state that can trigger an alert. The
                       detection        level sets how sensitive the alert is: High raises an alert on
                       level            every detection, Low only when malware remains active. Valid
                                        detection levels are:

                                            •   High: Malware is detected—The alert is triggered when
                                                there are one or more computers in the specified
                                                collection on which any malware is detected, regardless
                                                of the action taken by the Forefront Endpoint
                                                Protection client.

                                            •   Medium: Action is required—The alert is triggered when
                                                there are one or more computers in the specified
                                                collection on which malware is detected and manual
                                                action is required on the Forefront Endpoint Protection
                                                client in order to complete the malware removal.

                                            •   Low: Malware is active—The alert is triggered when
                                                there are one or more computers in the specified
                                                collection on which malware is detected and is still
                                                active.

        Repeated       Enter parent     Click Browse to specify the parent collection to monitor. The
        Malware        collection       parent collection and any child collections are monitored for
        Detection                       this alert configuration.
        Alert
                       Number of the    Specifies the number of detections of the same malware on a
                       same malware     computer that is a member of the specified parent collection, or
                       detected         one of its child collections.

                       Interval         Specifies the interval during which the number of detections
                                        must occur.

        Multiple       Enter parent     Click Browse to specify the parent collection to monitor. The
        Malware        collection       parent collection and any child collections are monitored for
        Detection                       this alert configuration.
        Alerts
                       Number of        Specifies the number of different types of malware that must be
                       malware types    detected on a computer that is a member of the specified parent
                       detected         collection, or one of its child collections.

                       Interval         Specifies the interval during which the number of detections
                                        must occur.

   4. For all alerts, in the When an alert is raised, send an e-mail message to the following
      recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-
      mail addresses, repeat this step.

   5. When finished, click OK.

  Important:


You must enable the e-mail settings in Configuration Manager before Forefront Endpoint
Protection will send e-mail notifications.


To enable and configure the global Malware Outbreak alert
    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then expand Alerts.

   2. Click Malware Outbreak Alert, and then in the details pane, double-click Malware Outbreak
      Alert.

   3. In the Malware Outbreak Alert Properties dialog box, select the Enable alert check box.

   4. Next to Number of computers with the same malware detected, type the number of
      computers on which the same malware must be detected in order to trigger this alert.

   5. In the When an alert is raised, send an e-mail message to the following recipients box, type
      an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat
      this step.

   6. When finished, click OK.
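The alert conditions described above are easy to misread: for the per-collection Repeated Malware Detection and Multiple Malware Detection alerts the count applies per computer, only to members of the parent collection and its child collections, and only to detections that fall inside one interval, whereas the global Malware Outbreak alert counts distinct computers across the whole site. The following PowerShell script is an added example, not part of the FEP documentation or of the product, that evaluates those three conditions over a constructed set of detection records. The collection tree, computer names, malware names and detection times are all made up for the example, and the outbreak threshold of 3 computers is simply a chosen value (the page gives no default for it).

```powershell
# Added example, not from the FEP documentation. Collection tree, computer names,
# malware names and times below are all made up for the example.

function New-Detection([string]$Computer, [string]$Malware, [string]$Time) {
    New-Object PSObject -Property @{
        Computer = $Computer; Malware = $Malware
        Time = [datetime]::ParseExact($Time, 'yyyy-MM-dd HH:mm', [Globalization.CultureInfo]::InvariantCulture)
    }
}

# Constructed collection tree: 'Workstations' is the parent collection, 'Finance Laptops' its child.
$Collections = @{
    'Workstations'    = @{ Members = @('WS01', 'WS02'); Children = @('Finance Laptops') }
    'Finance Laptops' = @{ Members = @('LT07');         Children = @() }
    'Servers'         = @{ Members = @('SRV01');        Children = @() }
}

function Get-CollectionMembers([hashtable]$Tree, [string]$Name) {
    # A per-collection alert monitors the parent collection and all of its child collections.
    $members = @($Tree[$Name].Members)
    foreach ($child in $Tree[$Name].Children) { $members += @(Get-CollectionMembers $Tree $child) }
    $members
}

function Test-WindowThreshold([object[]]$Events, [int]$Threshold, [timespan]$Interval) {
    # True if some window of length $Interval starting at an event holds at least
    # $Threshold distinct Key values. The caller's choice of Key decides what is counted.
    $sorted = @($Events | Sort-Object Time)
    foreach ($anchor in $sorted) {
        $end = $anchor.Time.Add($Interval); $seen = @{}
        foreach ($e in $sorted) { if ($e.Time -ge $anchor.Time -and $e.Time -le $end) { $seen[$e.Key] = $true } }
        if ($seen.Count -ge $Threshold) { return $true }
    }
    return $false
}

function Test-RepeatedMalwareAlert([object[]]$Detections, [string[]]$Scope,
                                   [int]$Count = 4, [timespan]$Interval = (New-TimeSpan -Hours 24)) {
    # Same malware on the same computer, detected $Count or more times within $Interval.
    $hits = @()
    foreach ($g in @($Detections | Where-Object { $Scope -contains $_.Computer } | Group-Object Computer, Malware)) {
        $n = 0   # a unique key per detection makes the window count events
        $events = @(foreach ($d in $g.Group) { $n++; New-Object PSObject -Property @{ Time = $d.Time; Key = "$n" } })
        if (Test-WindowThreshold $events $Count $Interval) { $hits += $g.Name }
    }
    $hits
}

function Test-MultipleMalwareAlert([object[]]$Detections, [string[]]$Scope,
                                   [int]$Types = 4, [timespan]$Interval = (New-TimeSpan -Hours 24)) {
    # $Types or more different malware names on one computer within $Interval.
    $hits = @()
    foreach ($g in @($Detections | Where-Object { $Scope -contains $_.Computer } | Group-Object Computer)) {
        $events = @(foreach ($d in $g.Group) { New-Object PSObject -Property @{ Time = $d.Time; Key = $d.Malware } })
        if (Test-WindowThreshold $events $Types $Interval) { $hits += $g.Name }
    }
    $hits
}

function Test-MalwareOutbreakAlert([object[]]$Detections, [int]$Computers) {
    # Global alert: the same malware on at least $Computers distinct computers, in any collection.
    # The documentation states only the computer count for this alert, so no time window is applied.
    $hits = @()
    foreach ($g in @($Detections | Group-Object Malware)) {
        if (@($g.Group | Select-Object -ExpandProperty Computer | Sort-Object -Unique).Count -ge $Computers) { $hits += $g.Name }
    }
    $hits
}

function Format-Hits($Hits) {
    $list = @($Hits | Where-Object { $_ })
    if ($list.Count -eq 0) { '(none)' } else { $list -join '; ' }
}

# Constructed detection records: computer, malware name, detection time.
$Detections = @(
    New-Detection 'WS01'  'Worm:Win32/SampleA'     '2010-06-01 08:00'
    New-Detection 'WS01'  'Worm:Win32/SampleA'     '2010-06-01 10:00'
    New-Detection 'WS01'  'Worm:Win32/SampleA'     '2010-06-01 13:00'
    New-Detection 'WS01'  'Worm:Win32/SampleA'     '2010-06-01 18:00'   # 4th detection within 24 h
    New-Detection 'WS02'  'Worm:Win32/SampleA'     '2010-06-01 08:30'
    New-Detection 'WS02'  'Trojan:Win32/SampleB'   '2010-06-01 09:00'
    New-Detection 'WS02'  'Backdoor:Win32/SampleC' '2010-06-01 09:30'
    New-Detection 'WS02'  'PWS:Win32/SampleD'      '2010-06-01 10:00'   # 4 malware types within 24 h
    New-Detection 'LT07'  'Worm:Win32/SampleA'     '2010-06-02 07:00'   # member of the child collection
    New-Detection 'SRV01' 'Worm:Win32/SampleA'     '2010-06-01 09:00'   # four detections, but spread
    New-Detection 'SRV01' 'Worm:Win32/SampleA'     '2010-06-02 12:00'   # over more than 24 h
    New-Detection 'SRV01' 'Worm:Win32/SampleA'     '2010-06-03 15:00'
    New-Detection 'SRV01' 'Worm:Win32/SampleA'     '2010-06-04 18:00'
)

$workstations = Get-CollectionMembers $Collections 'Workstations'   # WS01, WS02, LT07
$servers      = Get-CollectionMembers $Collections 'Servers'        # SRV01
'Repeated Malware Detection (Workstations): ' + (Format-Hits (Test-RepeatedMalwareAlert $Detections $workstations))
'Repeated Malware Detection (Servers)     : ' + (Format-Hits (Test-RepeatedMalwareAlert $Detections $servers))
'Multiple Malware Detection (Workstations): ' + (Format-Hits (Test-MultipleMalwareAlert $Detections $workstations))
'Malware Outbreak (3 or more computers)   : ' + (Format-Hits (Test-MalwareOutbreakAlert $Detections 3))
```

Run it in any PowerShell session. With the default settings of 4 and 24 hours, WS01 satisfies the Repeated Malware Detection condition and WS02 the Multiple Malware Detection condition, the child collection member LT07 is in scope for both because the parent collection is monitored with its children, and SRV01 triggers nothing even though it has four detections of the same malware, because no 24-hour window contains all four. The Outbreak check, by contrast, ignores collections and counts the distinct computers reporting the same malware name.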

To configure e-mail settings
    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection, and then click Alerts.

   2. In the Actions pane, click E-mail Settings.

   3. To enable alerts to be sent by e-mail, select the E-mail alert notification check box.




    4. In the SMTP Server box, type the fully qualified domain name (FQDN) of your SMTP server. If
       your SMTP server uses a port other than the default port, in the Port box, type or select the
       port number.

    5. Under Authentication method, select the option for the credential type to use to
       authenticate the connection to the SMTP server.

           Important:

          Use Integrated Windows Authentication where you can. With that method the computer account of the
          FEP server authenticates to the SMTP server, so you do not have to enter or maintain a separate
          password. If you choose another method, the account you specify must exist on the SMTP server and
          be permitted to authenticate there, or alert e-mail will not be delivered.

          To see which account the Forefront Endpoint Protection Monitoring Service itself runs under, in
          Windows Services, right-click Forefront Endpoint Protection Monitoring Service, click Properties,
          and then click Log On.

    6. In the E-mail from address box, type the e-mail address from which Forefront Endpoint
       Protection alerts are sent, and then click OK.

           Note:


          To test the SMTP settings, instead of clicking OK, click Test and Close. This adds a test e-mail to
          the e-mail queue that is periodically processed by the Forefront Endpoint Protection Monitoring
          Service.
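Because Test and Close only queues a message for the Monitoring Service to process later, it helps to confirm from the FEP server itself, before relying on alert e-mail, that the SMTP server accepts mail from the chosen identity on the chosen port. The following PowerShell function is an added example and is not part of the FEP documentation or of the product; the server name, port and addresses are placeholders. Without -Credential it authenticates with the Windows identity of the caller, which is what Integrated Windows Authentication does for the Monitoring Service's logon account, so to test the identity FEP will actually use, run it under the account shown on that service's Log On tab (for example from a scheduled task that runs as that account). With -Credential it uses the specified account instead, mirroring the other authentication methods.

```powershell
# Added example, not from the FEP documentation: sends one test message through
# the SMTP server you intend to enter under E-mail Settings, using the same
# authentication choice. Server, port and addresses are placeholders.

function Test-FepSmtpRelay {
    param(
        [Parameter(Mandatory = $true)][string]$SmtpServer,
        [int]$Port = 25,                           # change if the relay does not use the default port
        [Parameter(Mandatory = $true)][string]$From,
        [Parameter(Mandatory = $true)][string]$To,
        [System.Management.Automation.PSCredential]$Credential   # omit for Integrated Windows Authentication
    )

    $client = New-Object System.Net.Mail.SmtpClient($SmtpServer, $Port)
    if ($Credential) {
        # Explicit account: it must exist on, or be trusted by, the SMTP server.
        $client.UseDefaultCredentials = $false
        $client.Credentials = $Credential.GetNetworkCredential()
        $identity = $Credential.UserName
    } else {
        # Integrated Windows Authentication: the caller's Windows identity is used.
        # Under Local System that is the computer account, e.g. DOMAIN\FEPSERVER$.
        $client.UseDefaultCredentials = $true
        $identity = "$env:USERDOMAIN\$env:USERNAME"
    }

    $subject = "FEP SMTP relay test from $env:COMPUTERNAME"
    $body    = "Sent $(Get-Date -Format u) as $identity via ${SmtpServer}:${Port}"
    $message = New-Object System.Net.Mail.MailMessage($From, $To, $subject, $body)

    $result = New-Object PSObject -Property @{
        Server = $SmtpServer; Port = $Port; Identity = $identity; Sent = $false; Error = $null
    }
    try {
        $client.Send($message)
        $result.Sent = $true
    } catch {
        # PowerShell may wrap the .NET exception; unwrap to the SmtpException so the
        # SMTP status code (relay refused, mailbox unavailable, ...) is visible.
        $ex = $_.Exception
        while ($ex -isnot [System.Net.Mail.SmtpException] -and $ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Mail.SmtpException]) { $result.Error = "$($ex.StatusCode): $($ex.Message)" }
        else { $result.Error = $ex.Message }
    } finally {
        $message.Dispose()
    }
    $result
}

# Usage with placeholder values. Run it under the account shown on the Monitoring
# Service's Log On tab to exercise the identity FEP itself will use.
Test-FepSmtpRelay -SmtpServer 'smtp.corp.example' -From 'fep-alerts@corp.example' -To 'soc@corp.example' |
    Format-List Server, Port, Identity, Sent, Error
```

A result with Sent set to True, together with the message arriving in the recipient mailbox, confirms both the connection and the authentication. An SMTP status code in the Error field points at the relay's permissions for that identity or at the sender and recipient addresses, which is a problem to fix on the SMTP server rather than in FEP; a connection-level error points at the FQDN, the port or a firewall in between.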


To view alerts in the Windows Event Viewer
    1. In the Windows Event Viewer, expand Applications and Services Logs, and then click
       Forefront Endpoint Protection.

    2. Double-click the alert you want to view.

Using Desired Configuration Management to Monitor Client Compliance
Forefront Endpoint Protection (FEP) includes Desired Configuration Management (DCM)
configuration baselines. DCM, a feature of System Center Configuration Manager, allows you to
assess computer configuration against configuration baselines. To learn more about DCM and
configuring baselines, see Desired Configuration Management in Configuration Manager
(http://go.microsoft.com/fwlink/?LinkId=206684) in the Configuration Manager documentation.

FEP provides the following predefined configuration baselines:

  Note:






All FEP baselines are read-only.

    •   FEP - High-Security Desktop

    •   FEP - Laptop

    •   FEP - Performance-Optimized Desktop

    •   FEP - Standard Desktop

By default, these baselines are not assigned to collections. To see summary results in the FEP
dashboard for these baselines, or for any custom baselines you create, you must assign the baseline
to a collection and then run a DCM Home Page Summarization from the DCM home page in the
Configuration Manager console. For more information about using the DCM home page, see How to
Use the Desired Configuration Management Home Page
(http://go.microsoft.com/fwlink/?LinkId=207094) in the Configuration Manager documentation.

  Warning:


The following configuration baselines are used by the FEP dashboard, and you must not modify
the collections to which they are assigned:

    •     FEP Monitoring - Antimalware Status

    •     FEP Monitoring - Definitions and Health Status

    •     FEP Monitoring - Malware Activity

    •     FEP Monitoring - Malware Detections


  Important:


In order to use DCM in Configuration Manager, you must enable DCM on the Configuration
Manager client agent. For more information about how to do this, see How to Enable or Disable
the Desired Configuration Management Client Agent
(http://go.microsoft.com/fwlink/?LinkId=206661) in the Configuration Manager documentation.


Managing FEP DCM Baselines
Because FEP DCM baselines are read-only, you cannot directly modify the configuration items or
rules from which they are composed. If you need to add additional configuration items or rules to a
FEP baseline, you must first duplicate the target baseline and then edit the new baseline.

  Note:






If you need to reduce the amount of time it takes to update information generated by a baseline
and displayed in the Forefront Endpoint Protection dashboard, you can modify the schedule of
the baseline assignment that generates that data. However, modifying the schedule of a built-in
baseline assignment could adversely impact the performance of your Configuration Manager
server.

For more information about how to modify the schedule of an assigned baseline, see How to Set
the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration
Management (http://go.microsoft.com/fwlink/?LinkId=206696) in the Configuration Manager
documentation.


To duplicate a FEP baseline
   1. In the Configuration Manager console, in the tree, expand System Center Configuration
       Manager, expand Site Database, expand Computer Management, expand Desired
       Configuration Management, and then click Configuration Baselines.

    2. In the details pane, right-click the configuration baseline you want to duplicate, and then
       click Duplicate.

After you duplicate the desired FEP baseline, you can edit it by right-clicking the duplicated baseline
and clicking Properties.

For more information about implementing customized DCM baselines, see the following topics in the
Configuration Manager documentation:

    •   How to Configure Configuration Items for Desired Configuration Management
        (http://go.microsoft.com/fwlink/?LinkId=206685)

    •   How to Modify a Configuration Baseline in Desired Configuration Management
        (http://go.microsoft.com/fwlink/?LinkId=206687)

    •   How to Manage Configuration Baselines and Configuration Items for Desired Configuration
        Management (http://go.microsoft.com/fwlink/?LinkId=206688)

The FEP dashboard contains a list of baselines that are assigned to the category *FEP*. When you
duplicate a baseline, this category field is also duplicated. You can assign any baseline to the *FEP*
category and have its statistics appear in the FEP dashboard.

To assign a category to a baseline
   1. In the Configuration Manager console, in the tree, expand System Center Configuration
       Manager, expand Site Database, expand Computer Management, expand Desired
       Configuration Management, and then click Configuration Baselines.

    2. In the details pane, right-click the configuration baseline to which you want to assign a
       category, and then click Properties.





    3. In the baseline properties dialog box, on the General tab, click the Categories button, and
       then in the Available categories list, select the check box next to FEP, and then click OK.

    4. In the baseline properties dialog box, click OK.

After you assign the new baseline to a collection, open the FEP dashboard and, in the Actions
pane, click Refresh to see the baseline listed.

  Warning:


Configuration baseline rules should contain no more than 300 software updates. If you create a
rule with more than 300 software updates, the baseline to which the rule is assigned does not
evaluate the client computers correctly. For more information, see Microsoft Knowledge Base
article 937532 (http://go.microsoft.com/fwlink/?LinkId=207668).


Monitoring Baseline Compliance
FEP configuration baselines are composed of configuration items that are monitored and the rules
that define compliance. The configuration baselines are assigned to computers you want to monitor
by using collections and are evaluated both on a schedule and when a security incident (such as a
malware detection) occurs.

  Note:


By default, no baselines are assigned to collections. In order to see baseline results in the FEP
dashboard, you must assign a baseline to a collection.

Client computers can have multiple configuration baselines assigned to them, which provides you
with a high level of control.

To assign a FEP baseline to a collection
   1. In the Configuration Manager console, in the tree, expand System Center Configuration
       Manager, expand Site Database, expand Computer Management, expand Desired
       Configuration Management, and then click Configuration Baselines.

           Tip:


          To limit the list to FEP configuration baselines, in the Look for box, enter the following text, and
          then click Find Now:
          FEP

    2. Right-click the configuration baseline you want to assign, and then click Assign to a
       Collection. The Assign Configuration Baseline Wizard opens.

    3. On the Choose Baselines page, click Next.

    4. On the Choose Collection page, click Browse, choose a collection, click OK, and then click
       Next.

    5. On the Set Schedule page, configure how frequently you want the Configuration Manager
       client agent to evaluate compliance to the baseline. When finished, click Next.

           Warning:


          When setting the schedule for a baseline, you should consider how much impact the data
          reporting may have on your Configuration Manager server.

    6. On the Summary page, review the Details, and then click Next.

    7. On the Wizard Completed page, click Close.

After you assign a baseline to a collection, the client computers in the collection evaluate their
compliance against each configuration baseline to which they are assigned, and immediately report
back the results to the site. If a client is not currently connected to the network, but has downloaded
the configuration items referenced in its assigned configuration baselines, the compliance
information will be sent on reconnection.

You can monitor the results of configuration baseline evaluation compliance from the FEP
dashboard.

  Note:


Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals
and may not reflect the most recent information.


To monitor the results of the configuration baseline evaluation compliance
   1. In the Configuration Manager console, expand System Center Configuration Manager,
      expand Site Database, expand Computer Management, and then click Forefront Endpoint
      Protection.

    2. In the details pane, in the Forefront Endpoint Protection Baselines area, you can see the
       compliance results of the built-in Forefront Endpoint Protection configuration baselines. The
       following list summarizes the meaning of the columns:

             •   Baseline—The name of the FEP configuration baseline.





             •    Severity—The severity level configured in the configuration item if non-compliance is
                  reported or if the configuration item is not present on the client computer.

             •    Assigned—The number of computers that are assigned to the configuration baseline.

             •    Non-compliant—The number of computers that report a non-compliance status with
                  the selected baseline.

             •    Compliance—The number of computers that report a compliance status with the
                  selected baseline.

             •    Failed—The number of computers that report a failure evaluating their compliance
                  status with the selected baseline.

             •    Compliance Level—The number of computers that report compliance with the selected
                  baseline, divided by the number of computers assigned that baseline, expressed as a
                  percentage. Computers in the Failed column are still counted as assigned, so
                  evaluation failures lower this figure just as non-compliance does.

Periodically viewing these results allows you to ascertain the overall compliance of computers in your
organization.

    3. To view detail in the summary report of a configuration baseline, in the Forefront Endpoint
       Protection Baselines area, click the link of the configuration baseline you want to view.

    4. To view more detail in the report, next to each line for which you want to view more detail,
       click the arrow icon.

           Tip:


          You can also view the compliance status of a baseline on a client computer. In the Control Panel,
          open Configuration Manager, and then click the Configurations tab. Click Evaluate to run a
          baseline compliance check, or click View Report to see the results of a selected compliance
          report.


FEP 2010 Security Management Pack Monitoring
You can monitor the client computers that run the FEP client software in a variety of ways. The
monitoring mechanisms of Forefront Endpoint Protection Security Management Pack are
summarized in the following table.

Item              Description

Object classes    Classes identify all FEP protected and FEP unprotected clients.
                  For information about FEP classes, see Object Classes.

Discovery         Discovery is the way objects are identified by Operations Manager.
                  For information about FEP discovery, see About Discovery.

Rules             Rules perform designated operations. For example, rules can raise alerts when
                  security incidents occur.
                  For more information about FEP rules, see About Rules.

Monitors          Monitors are event-driven mechanisms that collect information about
                  vulnerabilities and the security state of FEP clients.
                  For more information about FEP monitors, see About Monitors.

Views             Views display health states of clients, as well as alerts and events.
                  For more information about FEP views, see About Views.

Alerts            Alerts can indicate whether there is an issue in your environment.
                  For more information about FEP alerts, see About Alerts.

Tasks             Tasks trigger on-demand actions that are required for fixing vulnerabilities and
                  the security state of FEP clients.
                  For more information about FEP tasks, see About Tasks.


Viewing Endpoint Properties
There are two ways to view endpoint information: the Health Explorer and the Details pane. If you
want to view multiple properties for the same endpoint, the Details pane is the easiest way to view
them. However, the Health Explorer and the Details pane are populated by different mechanisms.
Properties shown in the Health Explorer are delivered by monitors and alerts, which are event
driven; properties shown in the Details pane are discovery driven. As a result, the Health Explorer
can show a different value for a property than the Details pane shows for the same endpoint. For
example, if an event occurs after discovery last refreshed the property, the Health Explorer
displays the latest value, while the Details pane will not receive the updated value until the next
time discovery runs.

For more information about FEP monitors, see About Monitors. For more information about FEP
discovery, see About Discovery.





Monitoring Cluster Nodes
The Forefront Endpoint Protection client software is not cluster aware. Although it is possible to view
all nodes through Operations Manager, the passive node of a cluster cannot be monitored by using
the Forefront Endpoint Protection Security Management Pack.

Security Considerations
All discoveries, monitors, tasks and rules contained in the FEP Security Management Pack run under
the Operations Manager default action account. The default action account must be set to run as the
Local System account in order for tasks to launch properly; keep in mind that the pack's tasks then
execute with full system privileges on the managed computer, so restrict which operators may run
them. For more information about accounts, see Account Information for Operations Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=206963). For more information about Run As Accounts and
Run As Profiles, see Run As Accounts and Run As Profiles in Operations Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=206964).

Run As Profiles
The FEP Security Management Pack discoveries, monitors, and rules run under the default action
account and cannot be changed.

Low-Privilege Environments
The Forefront Endpoint Protection Security Management Pack does not support low-privilege
Operations Manager Agent deployments.

Health Rollup

Health Rollup Diagram
The following diagram displays the health rollup of the FEP Security Management Pack.

[Health rollup diagram not reproduced in this extraction]


Object Classes
Each monitored object that appears in the Operations console is an instance of a particular class. The
Forefront Endpoint Protection Security Management Pack contains the following seven classes:

    •   Protected Server Candidate

    •   Protected Server

    •   Unprotected Server

    •   Antimalware Engine

    •   Malware Activity

    •   Antimalware Definitions

    •   Protected Servers Watcher

The diagram below outlines the object classes and the corresponding object class relationships.

[Object class relationship diagram not reproduced in this extraction]


About Discovery
In Operations Manager, the Discovery Wizard can be used to define a query. The FEP 2010 Security
Management Pack, however, is preconfigured to target Microsoft.Windows.Server.Computer: its
discovery returns True when the FEP 2010 client is installed on a computer that is running a server
operating system. If you also want to monitor computers that are running client operating systems,
you must configure Operations Manager to target those computers as well.

Objects the FEP Security Management Pack Discovers
The FEP Security Management Pack discovers the object types described in the following table. Not
all of the objects are discovered automatically. Use overrides to discover the object types that are
not discovered automatically. For more information about how to configure discovery to target
computers running client operating systems, see Configuring Client Discovery.

Category                        Object                                      Discovered automatically


 Server Discovery                Microsoft.Windows.Server.Computer          Yes


 Client Computer Discovery       Microsoft.Windows.Client.Computer          No


Discovery intervals
By default, FEP object discovery is configured to run at specified intervals. As such, it is possible that
clients will not reflect updated properties in the Details pane when viewed in the console. You can
override the default discovery interval, but it is recommended that you use caution when setting
discovery interval configurations as running discovery more frequently can impact performance.

The following table shows the default discovery intervals.

 Object                                                        Default discovery (hours)


 Protected Server Candidate Discovery                           8


 Protected Client Candidate Discovery                           8


 Protected Endpoint Discovery                                   24


Object properties
The discovery process returns information that is then displayed in the Operations Manager console.
Details for selected endpoints can be viewed in the Operations Manager console Monitoring view.

The following table shows the properties for discovered endpoints that are running the FEP client
software.

 Protected Endpoint properties              Additional information

 Client version
 Antimalware engine status
 Real-time protection status
 Real-time protection scan direction
 NIS status                                 Supported only by Windows Vista with SP1 or later
 Windows Firewall status
 Antivirus definitions version
 Antispyware definitions version
 NIS definitions version
 Antivirus definitions age (days)
 Antivirus definitions creation (GMT)
 Antispyware definitions age (days)
 Antispyware definitions creation (GMT)
 Last quick scan age (days)
 Last quick scan start time (GMT)
 Last quick scan end time (GMT)
 Last full scan age (days)
 Last full scan start time (GMT)
 Last full scan end time (GMT)
 Definitions download location
 Policy name
 Policy set date
 Failed policy name
 Failed policy date
 Policy failure details
 Installation pending restart
 Computer ID

The following table shows the properties for discovered endpoints that are not running the FEP client
software.

 Unprotected Endpoint properties            Additional information

 Operating System Name
 Deployment State
 Deployment State More Information
 ComputerID


About Views
In Operations Manager 2007, views are groups of managed objects that share a defined common
characteristic. When you select a view, a query is sent to the Operations Manager database and the
results of the query are displayed in the results pane. For more information about Operations
Manager 2007 views, see Creating views (http://go.microsoft.com/fwlink/?LinkId=207057).

The Forefront Endpoint Protection Security Management Pack contains the following five views.




View                    Description


Active Alerts           Displays all active alerts.


Dashboard               Displays all protected endpoints and all active alerts.


Endpoints with FEP      Displays all endpoints that have the FEP client software installed.


Endpoints without       Displays endpoints that do not have the FEP client software installed.
FEP


Security Events         Displays all security events from endpoints that have the FEP client
                        software installed.


About Monitors
Monitors use captured data in order to determine the health state of an object. The monitor then
displays the state of the object (Healthy, Warning, or Critical). Additionally, FEP monitors can also
generate alerts. Information that is displayed by monitors is event-driven. The FEP Security
Management Pack contains four types of monitors: Vulnerability, Security State, Overall Health, and
Deployment. For more information about FEP Security Management Pack monitors, see Security
Management Pack Monitors.

Security Management Pack Monitor Types

Vulnerability monitors
Vulnerability monitors track the settings and dynamic statuses of FEP clients. These monitors can be
used to identify possible security vulnerabilities. The FEP Security Management Pack contains the
following Vulnerability monitors:

    •   Antimalware Engine

    •   Antimalware Definitions Age

    •   Antimalware Definitions

    •   Vulnerability Protection

    •   Real-time Protection

    •   Windows Firewall

Security State monitors
FEP Security State monitors monitor the security state of FEP clients. The FEP Security Management
Pack contains the following Security State monitors:

    •   Active Malware

    •   Additional Actions Pending

Overall Health monitor
The FEP Overall Health monitor reflects the overall health of all protected systems running FEP client
software. This monitor is not visible, but is used to generate alerts when the overall health of
monitored protected clients is unsatisfactory. The FEP Security Management Pack contains the
following Overall Health Monitor:

    •   Malware Outbreak

Deployment monitor
The FEP Deployment monitor reflects the deployment status of protected and unprotected clients.
This monitor can be viewed in the Endpoints without FEP view. The FEP Security Management Pack
contains the following Deployment monitor:

    •   Deployment Failure

Monitoring Using Overrides

Overriding a Monitor
You can use overrides to refine the settings of a monitoring object. As you fine-tune your monitors,
you can reduce the number of alerts. However, override monitors with caution: you may override
settings that are necessary to help keep your environment secure.
Overrides can be used to adjust the configuration of Operations Manager monitoring settings for FEP
Security Management Pack monitors, attributes, object discoveries, and rules. For more information
about FEP monitors, see About Monitors.

When you create an override, you can apply it to a single managed object or to a group of managed
objects. You must have Advanced Operator user rights in order to create and edit overrides. After
you configure override settings, the Effective Value column will display the settings that the override
will enforce.

For more information about how to monitor by using overrides, see How to Monitor Using Overrides
(http://go.microsoft.com/fwlink/?LinkId=206722).

To override a monitor
   1. In the Operations console, click the Authoring button.

    2. In the Authoring pane, expand Management Pack Objects, and then click Monitors.

    3. In the Details pane, expand an object type completely, and then click a monitor.



    4. On the Operations Manager toolbar, click Overrides, and then point to Override the
       Monitor. You can choose to override this monitor for objects of a specific type or for all
       objects within a group. After you choose the object type or group to override, the
       Override Properties dialog box opens, enabling you to view the default settings contained in
       this monitor. You can then choose whether to override each individual setting contained in
       the monitor.

          Note:


         If the Overrides button is not available, make sure you have selected a monitor and not a
         container object in the Monitors pane.

    5. Select each setting that you want to override. When you complete your changes, click OK.

About Rules
A rule collects data from various sources and then stores that data in the Operations and Data
Warehouse databases. The collected data is then made available for reporting purposes. The FEP
Security Management Pack rules not only collect data, they can also generate alerts. The FEP Security
Management Pack contains the following rules:

    •   Generate Cleaned Malware Alert Rule

    •   Generate Repeated Infection Alert Rule

    •   Collect Security Events Rule
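
As an added example, and not code from the FEP Security Management Pack or from Microsoft's
documentation, the following Python models the decision a repeated-infection rule has to make:
whether the same malware has been detected on one host often enough, within a short enough
window, to be worth an alert on its own rather than one alert per cleaned detection. The
threshold (three detections inside 24 hours), the host names and the detection records are
assumptions constructed for the example; the management pack's real parameters are not stated
in this document.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule parameters. The document does not state the thresholds the
# FEP rule uses; in Operations Manager values like these are what an
# override on the rule would change.
REPEAT_COUNT = 3                      # detections of one malware on one host ...
REPEAT_WINDOW = timedelta(hours=24)   # ... inside any window of this length


def repeated_infections(events, count=REPEAT_COUNT, window=REPEAT_WINDOW):
    """Return one alert per (host, malware) pair whose detections reach
    `count` within any sliding window of length `window`.

    `events` is an iterable of (timestamp, host, malware) tuples, one per
    detection, in any order. Alerting once per pair keeps the output from
    repeating for every further detection of the same infection.
    """
    by_pair = defaultdict(list)
    for ts, host, malware in events:
        by_pair[(host, malware)].append(ts)

    alerts = []
    for (host, malware), times in sorted(by_pair.items()):
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Drop detections from the left until the window is short enough.
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= count:
                alerts.append({
                    "host": host,
                    "malware": malware,
                    "triggered": ts,            # detection that crossed the threshold
                    "detections": len(times),   # all detections seen for the pair
                })
                break
    return alerts


# Constructed sample detections (hypothetical hosts; not real telemetry).
SAMPLE_EVENTS = [
    (datetime(2011, 3, 14, 8, 0),   "ws02.corp.example", "Virus:Win32/Sality.AT"),
    (datetime(2011, 3, 14, 10, 30), "ws02.corp.example", "Virus:Win32/Sality.AT"),
    (datetime(2011, 3, 14, 14, 15), "ws02.corp.example", "Virus:Win32/Sality.AT"),
    (datetime(2011, 3, 14, 9, 0),   "ws02.corp.example", "Worm:Win32/Conficker.B"),
    (datetime(2011, 3, 12, 8, 0),   "ws07.corp.example", "Trojan:Win32/Alureon.A"),
    (datetime(2011, 3, 13, 9, 0),   "ws07.corp.example", "Trojan:Win32/Alureon.A"),
    (datetime(2011, 3, 14, 10, 0),  "ws07.corp.example", "Trojan:Win32/Alureon.A"),
    (datetime(2011, 3, 14, 11, 0),  "ws09.corp.example", "Trojan:Win32/FakeRean"),
    (datetime(2011, 3, 14, 9, 0),   "ws09.corp.example", "Trojan:Win32/FakeRean"),
    (datetime(2011, 3, 14, 9, 5),   "ws09.corp.example", "Trojan:Win32/FakeRean"),
    (datetime(2011, 3, 14, 9, 10),  "ws09.corp.example", "Trojan:Win32/FakeRean"),
]

if __name__ == "__main__":
    for alert in repeated_infections(SAMPLE_EVENTS):
        print("%(host)s  %(malware)s  %(detections)d detections, "
              "threshold crossed at %(triggered)s" % alert)
```

Run as a script it prints the two host/malware pairs that cross the threshold. The host that
sees the same trojan once a day for three days raises nothing at a 24-hour window but does at a
72-hour one, which is the kind of tuning an override on the rule's parameters performs, and
the reason to review such overrides with care: a wider window finds slow re-infections, a
narrower one hides them.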

To locate rule details in the Operations console
    1. Open the Operations console.

    2. Click the Authoring section.

    3. Expand Authoring, expand Management Pack Objects, and then click Rules. There may be
       multiple management packs imported to Operations Manager. Click the Management Pack
       column heading to sort the rules by management pack.

    4. Double-click a rule to view its properties. On the General tab, the Rule Name field lists the rule name.

    5. Click the Configuration tab, and then in the Data sources area, click View. The information
       will vary, depending on the type of rule. The information may be a schedule or an interval.
       Rules that collect performance data obtain the data from Performance counters. As such, the
       minimum and maximum values are specific to the counter rather than the rule. To view the
       parameters that you can configure by using overrides, continue to the next step in this
       procedure.

    6. In the Properties dialog box for the rule, click the Overrides tab.

    7. In the Override one or more parameters of this rule through overrides section, click
       Override.

    8. Select For all objects of type. Override Properties displays the parameters and values that
       you can configure.




About Alerts
   An alert is an indication of an issue that has occurred somewhere in your environment.
   Operations Manager 2007 displays FEP alerts in the Operations console in the Active Alerts view.
   For information about investigating and resolving alerts, see Investigating and Resolving Alerts
   (http://go.microsoft.com/fwlink/?LinkId=207074).

About Tasks
   You can manually initiate tasks in order to troubleshoot individual alerts. Tasks are accessed from
   the Actions pane in the System Center Operations Manager console. For a list of FEP Security
   Management Pack tasks, see Security Management Pack Tasks.

      Note:


     The Operations Manager Web console does not support console tasks. For example, if you
     want to initiate an RDP connection to a client, you must use the Operations Manager console.

    You may also want to override the default settings for specific tasks. For example, when running
    the Update Antimalware Definitions task, definitions will be updated based on the policy
    settings that apply to the target client. You can override the default task parameters and specify
    that definitions can be updated only via the UNC file share that is specified in the policy settings
    for the client.

      Warning:


     If you run a task that conflicts with Group Policy settings that have been configured for the
     target client, the conflicting configuration settings specified by the task will be overwritten by
     Group Policy settings on the client. For example, if you run the task Turn Windows Firewall
     On and Group Policy settings specify to disable Windows Firewall on that client, Windows
     Firewall will not be enabled, even though the task reports a success status.


To view a task
    1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint
       Protection. Select a view from the tree, and then locate the endpoint for which you want to
       see available associated tasks.

   2. Click the endpoint in order to highlight it.

   3. In the Protected Endpoint Tasks section of the Actions pane, view the tasks available for the
      selected endpoint.

              Note:


             If the Actions pane is not displayed, click Actions in order to display it.


To view available overrides for a task
    1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint
       Protection. Select a view from the tree, and then locate the endpoint for which you want to
       see available associated tasks and task overrides.

   2. Click the endpoint in order to highlight it.

   3. In the Protected Endpoint Tasks section of the Actions pane, click the task for which you
      want to view available overrides.

   4. In the Run Task dialog box, verify the selected target is correct, and then click Override in
      order to view available override settings for the task.

   5. When you are finished viewing the available task overrides, click Cancel to close Override
      Task Parameters, and then click Cancel.

To run a task
    1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint
       Protection. Select a view from the tree, and then locate the endpoint on which you want to
       run a task.

   2. Click the endpoint in order to highlight it.

   3. In the Protected Endpoint Tasks section of the Actions pane, click the task that you want to
      run.

              Warning:


             It is recommended that you use caution when selecting the Turn Windows Firewall On task.
             Turning on Windows Firewall may impact roles and workloads that are running on servers.

   4. In the Run Task dialog box, verify the selected target is correct, configure any additional
      settings and overrides, and then click Run.

Placing Objects in Maintenance Mode
When a monitored object, such as a computer or distributed application, goes offline for
maintenance, Operations Manager 2007 detects that no agent heartbeat is being received, and as a
result, may generate numerous alerts and notifications. To prevent these alerts and notifications,
place the monitored object in maintenance mode. In maintenance mode, alerts, notifications, rules,
monitors, automatic responses, state changes, and new alerts are suppressed at the agent.

For general instructions on placing a monitored object in maintenance mode, see How to Put a
Monitored Object into Maintenance Mode in Operations Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=108358).

Configuring Notification Settings
Notifications generate messages or run commands automatically when an alert is raised on a
monitored system. By default, notifications for alerts are not configured. For information about how
to configure notifications in Operations Manager, see Configuring Notification
(http://go.microsoft.com/fwlink/?LinkId=206904).

FEP 2010 Reports
Forefront Endpoint Protection reports consist of malware and health reports, and operational
reports. This section describes where the reports are located, how the reports are run, the kind
of information they provide, and the command options available for generated reports.

Forefront Endpoint Protection Security Reports
Forefront Endpoint Protection malware and health reports are located in the Reports node under the
Forefront Endpoint Protection node. These reports provide administrators with information about
the antimalware protection status of, and malware activity on, client computers where Forefront
Endpoint Protection is deployed. There are five predefined Forefront Endpoint Protection reports,
three of which are run directly from the Reports node (source reports), and two that are run by
clicking links within them.

Additionally, the Computer Details Report can be run by navigating to a collection, selecting a
computer, and then in the actions pane clicking Run FEP Computer Details Report. In this instance,
the report is filtered to display information for the selected computer.

The Protection, Deployment, Health, and Security status report sections are based on the last status
reported by the FEP client software and current collection membership, unless otherwise noted.
Malware and Antimalware activity report sections are based on historical information and
computers are displayed based on the collections of which the computer was member when the
activity occurred.

The following table contains a list of the reports.

Report name: Antimalware Activity Report
Accessed by: Reports node
Description: Provides an overview of antimalware status, malware alerts, and malware detections.
Sections:

    •   Security Alerts—Displays a summary of raised Forefront Endpoint Protection alerts. For
        more information, see Using Alerts to Monitor Malware Detections.

    •   Security Status—Displays a summary of computers by Forefront Endpoint Protection client
        status.

    •   Antimalware Activity—Displays a dashboard of information about all detected malware.

    •   Malware Activity—Displays lists of the top malware infections by severity and frequency.

Report name: Antimalware Protection Summary Report
Accessed by: Reports node
Description: Provides an overview of antimalware deployment and health.
Sections:

    •   Antimalware Deployment and Health—Displays a dashboard of antimalware information.

    •   Security Status—Displays a summary of computers by Forefront Endpoint Protection client
        status.

Report name: Malware Details Report
Accessed by: Clicking a link in a source report
Description: Displays further details about a specific malware.
Sections:

    •   Malware Details—Displays details about the detected malware.

    •   Antimalware Activity—Displays a dashboard of information about the detected malware.

    •   Infected Computers—Displays a list of computers that have been infected with the
        detected malware.

Report name: Computer List Report
Accessed by: Reports node, or clicking a link in a source report
Description: Displays a list of computers that can be filtered by collection, name, protection
status, security state, antimalware signature version, detected malware, and last antimalware
scan time.
Sections:

    •   Computer List—When you run this report from the Reports node, it displays a list of
        computers to which the Forefront Endpoint Protection client is deployed. When run by
        clicking a link in a source report, it displays a filtered list of computers according
        to the clicked link.

Report name: Computer Details Report
Accessed by: Clicking a link in a source report, or run directly on a computer in a collection
Description: Displays further details about a specific computer.
Sections:

    •   Computer Details—Displays details about the specified computer.

    •   Protection Status—Displays information about the status of the Forefront Endpoint
        Protection client features.

    •   Malware Activity—Displays a summary of malware information followed by a list of malware
        that has been detected on the specified computer and its last reported state.

Forefront Endpoint Protection reports have links that you can click to view additional data, such as
more detailed information about items in the source report. For example, you can click a malware
name in the Antimalware Activity Report (source report) to view the Malware Details Report (target
report) and display more information about this malware. The source report passes the malware
name to the target report based on which line in the source report you choose to obtain more
information.

  Important:


The FEP reports only show antimalware activity; Network Inspection Service detections are not
included in the Forefront Endpoint Protection reports. Network Inspection Service detection
events are recorded to the Windows Event Log.


  Note:


 On a computer running Windows® 7 or Windows Server® 2008 R2, where the regional date and
 time format is specified as Hebrew (Israel), dates and times will display in reverse format in the
 Forefront Endpoint Protection console.

 To resolve the issue, apply the following hotfix:

 KB2030901 (http://go.microsoft.com/fwlink/?LinkId=205598)


Command options
When you run a report, you can use the menu bar commands to do the following:

    •   To view the report with different parameters, change the report filters accordingly, and then
        click View Report.

    •   To search the report, in the Find box, type the search term, and then click Find.

    •   To use the report data in another application, in the Select a format box, select an export file
        format, and then click Export.

    •   To view the most recent information, click Refresh.

    •   To print the report, click Print.

The following table lists the default settings when running reports:

 Report Setting                               Value

 Collection:                                  All Desktops and Servers

 Report time span:                            Week


Operational Reports
Forefront Endpoint Protection operational reports are located in the standard Configuration
Manager Reports node under the Reporting node. These reports provide administrators with
tracking and troubleshooting information about Forefront Endpoint Protection deployments on, and
policy distribution to, client computers. There are seven predefined Forefront Endpoint Protection
operational reports, three of which can be run directly from the Forefront Endpoint Protection
dashboard, and four that can be run by clicking successive links in them.

The following is a list of the reports.


Report name: Deployment Overview
Accessed by: Dashboard or Configuration Manager Reports
Description: Displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client
deployment status per collection.
Details: For each collection, the following information is provided:

    •   Count—The total number of computers in the collection.

    •   The number of computers in each of the following deployment states: Removed, Failed,
        Pending, Out of date, Deployed, and Not targeted.

    •   Deployed %—The percentage of computers on which the Forefront Endpoint Protection client
        has been successfully installed.

    You can click the links in the left-hand column to view the Deployment for a specific
    collection report.

Report name: Deployment for a specific collection
Accessed by: Configuration Manager Reports
Description: Displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client
deployment status for a specific collection.
Details: For the specified collection, for each deployment state, the total number of computers
in that state is displayed. You can click the links in the left-hand column to view the
Deployment for a specific collection in a specific state report.

Report name: Computers with a specific deployment state
Accessed by: Configuration Manager Reports
Description: Displays a list of computers in a collection and specific deployment state.
Details: For the specified collection and deployment state, for each computer, a summary of
Forefront Endpoint Protection deployment details is displayed. You can click the links in the
left-hand column to view the FEP information for a specific computer report.

Report name: Policy Distribution Overview
Accessed by: Dashboard or Configuration Manager Reports
Description: Displays the breakdown of policy distribution states per collection. The report only
enumerates computers with Microsoft Forefront Endpoint Protection 2010 deployed.
Details: For each collection, the following information is provided:

    •   Computers—The total number of computers in the collection.

    •   The number of computers in each of the following distribution states: Failed, Pending,
        and Distributed.

    •   Success %—The percentage of computers on which the Forefront Endpoint Protection policy
        has been successfully applied.

    You can click the links in the left-hand column to view the Policy Distribution for a
    specific collection report.

Report name: Policy Distribution for a specific collection
Accessed by: Configuration Manager Reports
Description: Displays the policy distribution states for a specific collection.
Details: For the specified collection, for each distribution state, the total number of computers
in that state is displayed. You can click the links in the left-hand column to view the Policy
Distribution for a specific collection in a specific state report.

Report name: Computers with a specific policy distribution state
Accessed by: Configuration Manager Reports
Description: Displays a list of computers in a collection and specific policy distribution state.
Details: For the specified collection and policy distribution state, for each computer, a summary
of Forefront Endpoint Protection deployment details is displayed. You can click the links in the
left-hand column to view the FEP information for a specific computer report.

Report name: FEP information for a specific computer
Accessed by: Dashboard or Configuration Manager Reports
Description: Displays a summary of Forefront Endpoint Protection information for a specific
computer.
Details: For the specified computer, the following details are displayed:

    •   The latest Forefront Endpoint Protection summary information.

    •   The network adapters on the computer.

    •   Historical Forefront Endpoint Protection client activity information.

    You can click the links in the left-hand column to view other standard Configuration Manager
    reports.




Displaying Computers Infected by a Specific Malware
You can use FEP reports to see an overview of antimalware status, malware alerts, and malware
detections, filtered by Configuration Manager collections.

To display a list of computers infected by a specific malware

   1. In the Configuration Manager console, expand System Center Configuration Manager,
      expand Site Database, expand Computer Management, expand Forefront Endpoint
      Protection 2010, and then click Reports.

   2. Select Antimalware Activity Report, and then in the Actions pane, click Run. The
      Antimalware Activity Report opens, displaying antimalware activity for the collection and
      time frame specified.

   3. Scroll down to the Malware Activity section, and click the malware of interest. The Malware
      Details Report opens, displaying information for the selected malware.

    4. In the Computer List section, you can see the list of computers infected by the malware you
       specified.

Displaying Recent Malware Infections
You can use FEP reports to display a list of computers filtered by Forefront Endpoint Protection
security status.

To display a list of malware that has recently infected a computer

    1. In the Configuration Manager console, expand System Center Configuration Manager,
       expand Site Database, expand Computer Management, expand Forefront Endpoint
       Protection 2010, and then click Reports.

    2. Select Computer List Report, and then in the Actions pane, click Run.

    3. In the Security State filter, select the following items, and then click View Report.

             a. Infected

             b. Action Required

             c. Recent Malware activity (last 24 hours)

    4. When the Computer List Report is displayed, in the Computer List section, click a computer
       in the list. The Computer Details Report opens, displaying information about the computer.

    5. In the Malware Activity section, you can see the list of malware that recently infected the
       computer.

Subscribing to Reports
You can subscribe to a report to have it delivered automatically. A subscription specifies the type of
delivery, delivery time, report output format, and for reports that have parameter input fields, any
user-defined parameter values that should be used in the copy of the report you receive. A report
can be delivered to either a file share or via e-mail. It is recommended that you subscribe to the
reports that you find useful to receive on a regular basis.

The following Forefront Endpoint Protection reports can be subscribed to:

    •   Antimalware Activity Report

    •   Antimalware Protection Summary Report

    •   Computer List Report

For more information about subscribing to a report, see How to: Subscribe to a Report (Report
Manager) (http://go.microsoft.com/fwlink/?LinkId=207013).

For more information about configuring SQL Server Reporting Services to support e-mail delivery of
subscriptions, see Configuring a Report Server for E-Mail Delivery
(http://go.microsoft.com/fwlink/?LinkId=207014).

FEP 2010 Security Management Pack Reporting
You can build your own report queries by using any reporting solution that can connect to the SQL
Server Data Warehouse, such as Microsoft Excel 2010 or Microsoft SQL Server Reporting Services.
Forefront Endpoint Protection sample reports in Microsoft Excel 2010 format can be downloaded
from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207731). If you elect
to use Excel to build your report queries, it is important to note that Microsoft Excel 2010 limits the
server name in the Login dialog box to 23 characters, which will prevent any existing connections to
the Data Warehouse from refreshing. If the server name of your Data Warehouse server contains
more than 23 characters, you must open the existing connections and replace the FQDN of the server
with the NetBIOS name.

Before you can use the Reporting feature, you need to install and properly configure the required
reporting components for Operations Manager. The Reporting feature for the FEP Security
Management Pack is supported on System Center Operations Manager R2. For more information
about installing the reporting components on System Center Operations Manager R2, see the
Operations Manager 2007 Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=206502). For
information about how to create, customize, and use reports, see Creating Reports
(http://go.microsoft.com/fwlink/?LinkId=150369) in the Operations Manager 2007 R2 User’s Guide.
For information about how to manage reporting in Operations Manager, see Managing Reporting in
Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206499).

FEP Health and Deployment Status Schema
The following table shows the schema for the FEP Health and Deployment Status view. You can
reference this table when creating custom reports.
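
As an added example, not part of the FEP documentation or the management pack, the following
Python applies health checks to rows of this view once they have been exported (for instance
from a data warehouse query to CSV) and loaded as dictionaries keyed by the field names in the
table that follows. It assumes nothing about the view's SQL name or the query used; the
thresholds, host names and sample rows are constructed for the example. It deals with the two
traps a custom report built on this schema can fall into: the scan-age columns are strings, and
the documented value 0 means "no data available", not "scanned today".

```python
from datetime import datetime, timedelta

# Assumed operational thresholds, in days. These are not FEP defaults; they
# are the values a practitioner would set for their own environment.
MAX_QUICK_SCAN_AGE = 2
MAX_FULL_SCAN_AGE = 7
MAX_STATUS_AGE = 3     # distrust a row written to the warehouse longer ago than this

# DeploymentState values the schema lists that mean no client is running.
NOT_DEPLOYED = {"Never installed", "Removed", "Installation canceled by user"}


def parse_age(value):
    """LastQuickScanAge and LastFullScanAge are nvarchar(max) strings that
    hold an integer number of days. The schema documents 0 as 'no data
    available', so 0 must not be read as 'scanned today'; it, and any empty
    or non-numeric value, is returned as None (unknown)."""
    try:
        days = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    return days if days > 0 else None


def check_row(row, now):
    """Return the list of findings for one row of the view (empty = healthy)."""
    findings = []
    state = row.get("DeploymentState", "Unknown")
    if state in NOT_DEPLOYED:
        # Protection and scan fields are meaningless without a client.
        return ["client not deployed: %s" % state]
    if state == "Reboot required":
        findings.append("reboot pending")
    elif state == "Unknown":
        findings.append("deployment state unknown")

    if row.get("ProtectionStatus") != "On":
        findings.append("antimalware protection %s" % row.get("ProtectionStatus", "Unknown"))
    if row.get("RTPStatus") != "On":
        findings.append("real-time protection %s" % row.get("RTPStatus", "Unknown"))

    quick = parse_age(row.get("LastQuickScanAge"))
    if quick is None:
        findings.append("no quick scan data")
    elif quick > MAX_QUICK_SCAN_AGE:
        findings.append("quick scan %d days old" % quick)
    full = parse_age(row.get("LastFullScanAge"))
    if full is None:
        findings.append("no full scan data")
    elif full > MAX_FULL_SCAN_AGE:
        findings.append("full scan %d days old" % full)

    # TimeStamp is when the row reached the warehouse, not when the client
    # last reported; an old row means every finding above may be out of date.
    age = now - row["TimeStamp"]
    if age > timedelta(days=MAX_STATUS_AGE):
        findings.append("status row is %d days old" % age.days)
    return findings


def summarize(rows, now):
    """Map each Host that has findings to its list of findings."""
    result = {}
    for row in rows:
        findings = check_row(row, now)
        if findings:
            result[row["Host"]] = findings
    return result


NOW = datetime(2011, 3, 15, 9, 0)


def _row(host, hours_old, state, prot, quick, full, rtp):
    # RowId is omitted: the checks never need it.
    return {"Host": host, "TimeStamp": NOW - timedelta(hours=hours_old),
            "DeploymentState": state, "ProtectionStatus": prot,
            "LastQuickScanAge": quick, "LastFullScanAge": full, "RTPStatus": rtp}


# Constructed sample rows (hypothetical hosts, not real warehouse data).
# "Installed" stands in for a deployed state; the schema table lists only
# the states that need attention, and check_row treats any other value
# as deployed.
SAMPLE_ROWS = [
    _row("ws01.corp.example", 6,    "Installed",       "On",      "1", "3",  "On"),
    _row("ws02.corp.example", 6,    "Installed",       "On",      "0", "5",  "Off"),
    _row("srv03.corp.example", 12,  "Reboot required", "On",      "1", "12", "On"),
    _row("ws04.corp.example", 240,  "Never installed", "Unknown", "0", "0",  "Unknown"),
    _row("ws05.corp.example", 120,  "Installed",       "On",      "1", "2",  "On"),
]

if __name__ == "__main__":
    for host, findings in sorted(summarize(SAMPLE_ROWS, NOW).items()):
        print(host + ": " + "; ".join(findings))
```

Run as a script it lists four of the five sample hosts; the healthy one is silent. Note that the
host with a scan age of "0" is reported as having no quick-scan data rather than as freshly
scanned, and that the row written five days ago is flagged on its age alone, since a report that
only reads the status columns would present stale values as current.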

Field Name                       Description                      SQL Datatype       Format


RowId                            Key into Event.vEvent table in   uniqueidentifier GUID in string
                                 the Operations Manager Data                       form
                                 Warehouse


Host                             FQDN of computer                 nvarchar(255)      String (FQDN)


TimeStamp                        Date/time value representing     datetime           DateTime
                                 time that the record was
                                 written to the data
                                 warehouse




Operations
                                                                    Page number 147


DeploymentState    Enumerated value describing      nvarchar(max)     String
                   deployment status. Valid                           (enumeration)
                   values are:

                       •   Unknown

                       •   Never installed

                       •   Removed

                       •   Installation canceled
                           by user

                       •   Reboot required


ProtectionStatus   Enumerated value describing      nvarchar(max)     String
                   state of AM protection. Valid                      (enumeration)
                   values are:

                       •   Unknown

                       •   On

                       •   Off


LastQuickScanAge   Elapsed time in days since the nvarchar(max)       String
                   last quick scan was performed                      (integer)
                   on the computer. 0 if no data
                   is available.


LastFullScanAge    Elapsed time in days since the   nvarchar(max)     String
                   last full scan was performed                       (integer)
                   on the computer. 0 if no data
                   is available.


RTPStatus          Enumerated value describing      nvarchar(max)     String
                   state of real-time protection.                     (enumeration)
                   Valid values are:

                       •   Unknown

                       •   On

                       •   Off




Operations
                                                                             Page number 148


FirewallStatus               Enumerated value describing     nvarchar(max)     String
                             state of Windows Firewall.                        (enumeration)
                             Valid values are:

                                 •   Unknown

                                 •   Uninstalled

                                 •   On

                                 •   Off


NISStatus                    Enumerated value describing     nvarchar(max)     String
                             state of Network Inspection                       (enumeration)
                             System. Valid values are:

                                 •   Unknown

                                 •   Not Supported

                                 •   On

                                 •   Off


AVSignaturesAge              Number of days since last AV    nvarchar(max)     String
                             signature update.                                 (integer)


ASSignaturesAge              Number of days since last AS    nvarchar(max)     String
                             signature update.                                 (integer)


AVSignaturesLastUpdateTime Timestamp when antivirus          nvarchar(max)     String (ISO
                           signatures were last updated.                       8601
                                                                               timestamp)


ASSignaturesLastUpdateTime   Timestamp when antispyware      nvarchar(max)     String (ISO
                             signatures were last updated.                     8601
                                                                               timestamp)


EngineVersion                Version of AM engine            nvarchar(max)     String (version
                                                                               number)


FEPClientVersion             Version of FEP client           nvarchar(max)     String (version
                                                                               number)




Operations
                                                                                 Page number 149


AVSignaturesVersion             Version of active antivirus      nvarchar(max)     String (version
                                signatures.                                        number)


ASSignaturesVersion             Version of active antispyware    nvarchar(max)     String (version
                                signatures.                                        number)


NISSignaturesVersion            Version of active Network        nvarchar(max)     String (version
                                Inspection System signatures.                      number)


ActiveFEPPolicy                 Policy name of FEP XML policy nvarchar(max)        String
                                which is applied to the
                                machine. Note that this does
                                not contain information
                                about group policies that are
                                applied to the machine.
                                Group policy settings override
                                FEP policy settings when
                                there is a conflict.


FEPPolicyAppliedTime            Timestamp of last application    nvarchar(max)     String (ISO
                                of FEP XML policy to the                           8601
                                machine.                                           timestamp)
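As an added example that is not part of the FEP documentation or of any Microsoft script, the following Windows PowerShell function evaluates rows shaped like this view and reports hosts whose protection is missing, disabled or stale. The rows are constructed inline and are not real data; the age thresholds are assumptions; and a DeploymentState of "Installed" for a healthy client is an assumption, because the table lists only the non-installed states. In production the rows would come from a query against the view in the Operations Manager Data Warehouse.

```powershell
# Added example: flag hosts whose FEP protection is missing, disabled or stale, from rows shaped
# like the FEP Health and Deployment Status view. Thresholds and the "Installed" state are assumptions.
function Get-FepHealthFindings {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Rows,
        [int] $MaxSignatureAgeDays = 3,              # assumed threshold; tune to your update cadence
        [int] $MaxQuickScanAgeDays = 7,              # assumed threshold
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    # DeploymentState values listed in the schema; none of them is a working installation
    $notInstalled = @("Unknown", "Never installed", "Removed", "Installation canceled by user", "Reboot required")
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $styles  = [System.Globalization.DateTimeStyles]"AssumeUniversal, AdjustToUniversal"

    foreach ($r in $Rows) {
        $findings = @()
        if ($notInstalled -contains $r.DeploymentState) { $findings += "DeploymentState=$($r.DeploymentState)" }
        if ($r.ProtectionStatus -ne "On") { $findings += "ProtectionStatus=$($r.ProtectionStatus)" }
        if ($r.RTPStatus -ne "On")        { $findings += "RTPStatus=$($r.RTPStatus)" }
        if ($r.FirewallStatus -eq "Off")  { $findings += "FirewallStatus=Off" }
        if ($r.NISStatus -eq "Off")       { $findings += "NISStatus=Off" }     # "Not Supported" is not a finding

        # Ages and timestamps are nvarchar(max) strings: cast the age, parse the ISO 8601 timestamp,
        # and take the worse of the two so a stale row cannot hide behind a small age value
        $avAge = [int]$r.AVSignaturesAge
        if ($r.AVSignaturesLastUpdateTime) {
            $updated = [datetime]::Parse($r.AVSignaturesLastUpdateTime, $culture, $styles)
            $avAge = [Math]::Max($avAge, [int][Math]::Floor(($Now - $updated).TotalDays))
        }
        if ($avAge -gt $MaxSignatureAgeDays) { $findings += "AV signatures $avAge days old" }
        if ([int]$r.ASSignaturesAge -gt $MaxSignatureAgeDays) { $findings += "AS signatures $($r.ASSignaturesAge) days old" }

        # LastQuickScanAge is 0 both for "scanned today" and for "no data", so 0 is reported as unverified
        if ($r.LastQuickScanAge -eq "0") { $findings += "quick scan age unknown (0)" }
        elseif ([int]$r.LastQuickScanAge -gt $MaxQuickScanAgeDays) { $findings += "last quick scan $($r.LastQuickScanAge) days ago" }

        New-Object PSObject -Property @{
            Host     = $r.Host
            Healthy  = ($findings.Count -eq 0)
            Findings = ($findings -join "; ")
        }
    }
}

# Constructed sample rows shaped like the view (not real data)
$sampleRows = @(
    (New-Object PSObject -Property @{ Host="ws01.corp.example"; DeploymentState="Installed"; ProtectionStatus="On"; RTPStatus="On";
        FirewallStatus="On"; NISStatus="Not Supported"; LastQuickScanAge="1"; LastFullScanAge="6";
        AVSignaturesAge="1"; ASSignaturesAge="1"; AVSignaturesLastUpdateTime="2011-03-09T06:00:00Z" }),
    (New-Object PSObject -Property @{ Host="ws02.corp.example"; DeploymentState="Installed"; ProtectionStatus="On"; RTPStatus="Off";
        FirewallStatus="On"; NISStatus="On"; LastQuickScanAge="12"; LastFullScanAge="30";
        AVSignaturesAge="9"; ASSignaturesAge="9"; AVSignaturesLastUpdateTime="2011-03-01T06:00:00Z" }),
    (New-Object PSObject -Property @{ Host="ws03.corp.example"; DeploymentState="Reboot required"; ProtectionStatus="On"; RTPStatus="On";
        FirewallStatus="Off"; NISStatus="On"; LastQuickScanAge="0"; LastFullScanAge="0";
        AVSignaturesAge="2"; ASSignaturesAge="2"; AVSignaturesLastUpdateTime="2011-03-08T06:00:00Z" })
)

# Fixed evaluation time so the constructed sample gives repeatable results
$evalTime = New-Object DateTime -ArgumentList 2011, 3, 10, 0, 0, 0, ([DateTimeKind]::Utc)
Get-FepHealthFindings -Rows $sampleRows -Now $evalTime | Format-Table Host, Healthy, Findings -AutoSize
```

With the sample above only ws01 is reported healthy; ws02 is flagged for real-time protection off, signatures nine days old and a quick scan twelve days ago, and ws03 for the pending reboot, the firewall being off and the unverifiable scan age of 0.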


FEP Security Incidents Schema
The table below shows the FEP Security Incidents schema. You can reference this table when creating
custom reports. As in the health view, Boolean values and numbers are stored as strings.

Field Name | Description | SQL Datatype | Format
Type | Type of incident | nvarchar(max) | String constant "SecurityIncident"
RowID | Key into the Event.vEvent table in the Operations Manager Data Warehouse | uniqueidentifier | GUID in string form
Name | Descriptive information about the incident | nvarchar(max) | String constant "MalwareInfection"
Description | Not used | nvarchar(max) | String constant "NotImplemented"
TimeStamp | Date/time of the security incident | datetime | DateTime
SchemaVersion | Database schema version | nvarchar(max) | String constant "1.0"
Severity | Enumerated value describing the severity of the incident. Valid values: Unknown, Low, Moderate, High, Severe | nvarchar(max) | String (enumeration)
ObserverHost | Name of the computer where the incident occurred | nvarchar(max) | String (FQDN)
ObserverUser | Name of the logged-on user when the incident occurred, if the detection was in a process associated with a logged-on user | nvarchar(max) | String (domain\user)
ObserverProductName | Product name of the protection product that detected the incident | nvarchar(max) | String constant "ForefrontEndpointProtection"
ObserverProductVersion | Product version of the protection product that detected the incident | nvarchar(max) | String (version number)
ObserverProtectionType | Type of protection technology that detected the incident | nvarchar(max) | String constant "AM"
ObserverProtectionVersion | Protection engine version information | nvarchar(max) | String (version number)
ObserverProtectionSignatureVersion | Protection definitions version information | nvarchar(max) | String (version number)
ObserverDetection | Enumerated value describing the method of detection. Valid values: Unknown, User Initiated Scan, System Initiated Scan, Real-Time Protection, IE Downloads and Outlook Express Attachments | nvarchar(max) | String (enumeration)
ObserverDetectionTime | Local time of detection on the machine where the incident occurred | nvarchar(max) | String (ISO 8601 timestamp)
ActorHost | Not used | nvarchar(max) | NULL
ActorUser | Not used | nvarchar(max) | NULL
ActorProcess | Not used | nvarchar(max) | NULL
ActorResource | Not used | nvarchar(max) | NULL
ActionType | Type of security incident | nvarchar(max) | String constant "MalwareInfection"
TargetHost | Name of the computer where the incident occurred | nvarchar(max) | String (FQDN)
TargetUser | Name of the logged-on user when the incident occurred, if the detection was in a process associated with a logged-on user | nvarchar(max) | String (domain\user)
TargetProcess | Name of the process that was attempting to access the infected file | nvarchar(max) | String (image path name)
TargetResource | Threat name of the detected malware | nvarchar(max) | String (threat name)
ClassificationType | Classification of the detected item | nvarchar(max) | String constant "Threat"
ClassificationCategory | Enumerated value describing the threat category (valid values are listed after this table) | nvarchar(max) | String (enumeration)
ClassificationID | Threat ID of the detected malware. This can be used to look up the malware on the Microsoft Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=206607) | nvarchar(max) | String (integer)
ClassificationSeverity | Enumerated value describing the severity of the detected threat. Valid values: Unknown, Low, Moderate, High, Severe | nvarchar(max) | String (enumeration)
RemediationType | Enumerated value describing the type of remediation that was performed | nvarchar(max) | String (enumeration)
RemediationResult | Enumerated string containing a Boolean value describing whether the remediation action was successful. Valid values: True, False | nvarchar(max) | String (enumeration)
RemediationErrorCode | Error encountered during remediation | nvarchar(max) | String (hexadecimal DWORD error code)
RemediationPendingAction | Enumerated value describing the action remaining to complete remediation | nvarchar(max) | String (enumeration)
IsActiveMalware | Enumerated string containing a Boolean value describing whether malware is active on the system. Valid values: True, False | nvarchar(max) | String (enumeration)

Valid values for ClassificationCategory: Invalid, Adware, Spyware, PasswordStealer, TrojanDownloader,
Worm, Backdoor, RemoteAccessTrojan, Trojan, EmailFlooder, KeyLogger, Dialer, MonitoringSoftware,
BrowserModifier, Cookie, BrowserPlugin, AolExploit, Nuker, SecurityDisabler, JokeProgram,
HostileActivexControl, SoftwareBundler, StealthNotifier, SettingsModifier, Toolbar,
RemoteControlSoftware, TrojanFftp, PotentialUnwantedSoftware, IcqExploit, TrojanTelnet, Exploit,
FileSharingProgram, MalwareCreationTool, RemoteControlSoftwareTool, TrojanDenialOfService,
TrojanDropper, TrojanMassmailer, TrojanMonitoringSoftware, TrojanProxyServer, Virus, Known, Unknown,
Spp, Behavior, Vulnerability, Policy.
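As an added example that is not part of the FEP documentation or of any Microsoft script, the following Windows PowerShell function turns rows shaped like this schema into a worklist of incidents that still need attention: those where remediation failed or where malware is still active. It treats the Boolean fields as the strings the schema stores, ranks the severity enumeration so output can be sorted worst-first, and decodes the hexadecimal RemediationErrorCode. The incident rows, host names, threat names, threat IDs and error code are constructed for the example and are not real data.

```powershell
# Added example: build a triage list from rows shaped like the FEP Security Incidents schema
function Get-FepOpenIncidents {
    param([Parameter(Mandatory=$true)] [object[]] $Rows)

    # Severity strings from the schema, ranked so callers can sort worst-first
    $severityRank = @{ "Severe" = 4; "High" = 3; "Moderate" = 2; "Low" = 1; "Unknown" = 0 }

    foreach ($r in $Rows) {
        # Booleans are stored as the strings "True"/"False". Compare as strings: [bool]"False"
        # is $true in PowerShell because any non-empty string converts to $true.
        $remediated = ($r.RemediationResult -eq "True")
        $active     = ($r.IsActiveMalware -eq "True")
        if ($remediated -and -not $active) { continue }   # nothing left to do for this incident

        # RemediationErrorCode is a hexadecimal DWORD in string form; decode it to a number
        $errorCode = $null
        $errorHex  = $null
        if ($r.RemediationErrorCode -match '^(0x)?([0-9A-Fa-f]{1,8})$') {
            $errorCode = [Convert]::ToUInt32($matches[2], 16)
            $errorHex  = "0x{0:X8}" -f $errorCode
        }

        New-Object PSObject -Property @{
            TimeStamp     = $r.TimeStamp
            Host          = $r.TargetHost
            User          = $r.TargetUser
            Process       = $r.TargetProcess
            Threat        = $r.TargetResource
            Category      = $r.ClassificationCategory
            ThreatID      = $r.ClassificationID        # look up on the Microsoft Malware Protection Center
            Severity      = $r.ClassificationSeverity
            SeverityRank  = $severityRank[$r.ClassificationSeverity]
            ActiveMalware = $active
            Remediated    = $remediated
            PendingAction = $r.RemediationPendingAction
            ErrorCode     = $errorCode
            ErrorCodeHex  = $errorHex
        }
    }
}

# Constructed sample incidents (not real data; threat names, IDs and the error code are made up)
$sampleIncidents = @(
    (New-Object PSObject -Property @{ TimeStamp=[datetime]"2011-03-09 08:10:00"; TargetHost="ws01.corp.example"; TargetUser="CORP\alice";
        TargetProcess="C:\Windows\explorer.exe"; TargetResource="Trojan:Win32/ExampleThreat"; ClassificationCategory="Trojan";
        ClassificationID="100001"; ClassificationSeverity="Severe"; RemediationResult="True"; RemediationErrorCode="0x00000000";
        RemediationPendingAction="NoAction"; IsActiveMalware="False" }),
    (New-Object PSObject -Property @{ TimeStamp=[datetime]"2011-03-09 09:30:00"; TargetHost="ws02.corp.example"; TargetUser="CORP\bob";
        TargetProcess="C:\Program Files\Example\app.exe"; TargetResource="Worm:Win32/ExampleWorm"; ClassificationCategory="Worm";
        ClassificationID="100002"; ClassificationSeverity="High"; RemediationResult="False"; RemediationErrorCode="0x80508023";
        RemediationPendingAction="FullScan"; IsActiveMalware="False" }),
    (New-Object PSObject -Property @{ TimeStamp=[datetime]"2011-03-09 11:05:00"; TargetHost="ws03.corp.example"; TargetUser="CORP\carol";
        TargetProcess="C:\Windows\System32\svchost.exe"; TargetResource="Backdoor:Win32/ExampleBackdoor"; ClassificationCategory="Backdoor";
        ClassificationID="100003"; ClassificationSeverity="Severe"; RemediationResult="True"; RemediationErrorCode="0x00000000";
        RemediationPendingAction="Reboot"; IsActiveMalware="True" })
)

Get-FepOpenIncidents -Rows $sampleIncidents |
    Sort-Object SeverityRank -Descending |
    Format-Table TimeStamp, Host, Threat, Severity, ActiveMalware, Remediated, PendingAction, ErrorCodeHex -AutoSize
```

With the sample above the first incident is dropped because it was remediated and is no longer active, ws03 comes first because its malware is still active and the severity is Severe, and ws02 follows with the failed remediation and its decoded error code.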




Disaster Recovery for FEP 2010 on Configuration Manager
Disaster recovery refers to restoring your servers and data in the event of a partial or complete
failure due to natural or technical causes. When a server is damaged or fails, your ability to restore
that server’s functions and data depends on the actions you take before the disaster occurs.
Therefore, preparing for disaster recovery by planning both backup and recovery operations is a
necessity for enterprise solutions such as Forefront Endpoint Protection.

The steps to back up and restore Forefront Endpoint Protection are described in this section.

Backup
Backup consists of scheduling periodic backups of the data and configuration settings on servers
running Forefront Endpoint Protection features.

To back up Forefront Endpoint Protection
   1. Back up the Configuration Manager site server. For more information, see Overview of
       Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).

          Note:
          The site server backup includes the Forefront Endpoint Protection specific Configuration
          Manager items and their settings, for example, Forefront Endpoint Protection policies, their
          assignments, and their precedence.

   2. Back up the Forefront Endpoint Protection reporting database using a SQL Server backup
       solution. The default database name is FEPDW_XXX.
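The following Windows PowerShell function is an added example of step 2, not part of the FEP documentation or a Microsoft script, that uses native SQL Server backup: it writes a backup with page checksums and then verifies the file with RESTORE VERIFYONLY so a damaged backup is noticed at backup time rather than during recovery. The instance name, backup folder and database name are parameters you supply (the database name is the FEPDW_XXX name shown by Setup); the function assumes the account running it has BACKUP DATABASE permission and that the SQL Server service account can write to the folder.

```powershell
# Added example: back up the FEP reporting database with checksums and verify the backup file
function Backup-FepReportingDatabase {
    param(
        [Parameter(Mandatory=$true)] [string] $SqlInstance,    # e.g. 'SQL01\FEP' (assumed instance name)
        [Parameter(Mandatory=$true)] [string] $Database,       # the FEPDW_XXX database created by FEP Setup
        [Parameter(Mandatory=$true)] [string] $BackupFolder    # folder the SQL Server service account can write to (assumed)
    )
    # The database name is the only value spliced into the T-SQL text, so restrict it to a plain identifier
    if ($Database -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected database name: $Database" }

    $stamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $file  = Join-Path $BackupFolder ("{0}_{1}.bak" -f $Database, $stamp)

    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandTimeout = 0   # a full backup of a large warehouse exceeds the 30 second default
        $cmd.Parameters.AddWithValue("@file", $file) | Out-Null

        # CHECKSUM validates page checksums while reading and writes a backup checksum;
        # INIT overwrites the file if a previous run left one with the same name
        $cmd.CommandText = "BACKUP DATABASE [$Database] TO DISK = @file WITH CHECKSUM, INIT"
        $cmd.ExecuteNonQuery() | Out-Null

        # Verify the backup is readable and its checksums match before trusting it for recovery;
        # ExecuteNonQuery throws a SqlException if the verification fails
        $cmd.CommandText = "RESTORE VERIFYONLY FROM DISK = @file WITH CHECKSUM"
        $cmd.ExecuteNonQuery() | Out-Null
    }
    finally {
        $conn.Close()
    }
    return $file
}

# Example call; the names are placeholders and XXX is the suffix shown by FEP Setup
# Backup-FepReportingDatabase -SqlInstance 'SQL01\FEP' -Database 'FEPDW_XXX' -BackupFolder '\\backup01\fep'
```

Schedule the function alongside the site server backup so the two backups describe the same point in time, and keep the verified .bak files off the SQL Server host so a failure of that server does not take the backups with it.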





Restore
In the event of a server failure that results in a replacement server, recovery consists of
reinstalling the operating system, applications, and server configuration on the replacement server,
and then restoring the data and configuration settings. Because Forefront Endpoint Protection can be
installed with a remote reporting database, the restore steps are divided into two procedures,
depending on which server failed:

To restore when the Configuration Manager site server fails and is replaced
    1. Restore Configuration Manager. For more information, see Overview of Backup and
       Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).

    2. Restore the Forefront Endpoint Protection reporting database (optional—only if SQL Server is
       also restored)

          Important:


         For large-scale deployments comprised of more than 10,000 client computers, the tempdb must
         be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information
         about configuring the tempdb data file, see Optimizing tempdb Performance
         (http://go.microsoft.com/fwlink/?LinkID=206862).

    3. Install Forefront Endpoint Protection using the reuse existing database option. For more
       information, see either Installing Using Basic with a Remote Reporting Database Setup or To
       install FEP 2010 Reporting and Alerts.

To restore when the SQL Server system where the Forefront Endpoint Protection reporting
database resides fails and is replaced
    1. Restore SQL Server and the Forefront Endpoint Protection reporting database.

          Important:


         For large-scale deployments comprised of more than 10,000 client computers, the tempdb must
         be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information
         about configuring the tempdb data file, see Optimizing tempdb Performance
         (http://go.microsoft.com/fwlink/?LinkID=206862).

    2. Uninstall the Forefront Endpoint Protection reporting feature from the server where it is
       installed (optional—only if it is installed on a server other than the SQL Server system where
       the Forefront Endpoint Protection reporting database resides). For more information, see
       Uninstalling.

    3. Install Forefront Endpoint Protection using the reuse existing database option. For more
       information, see either Installing Using Basic with a Remote Reporting Database Setup or To
       install FEP 2010 Reporting and Alerts.





Automating Day-to-Day Tasks by Using Windows PowerShell
In Forefront Endpoint Protection, you can automate day-to-day tasks by using Windows PowerShell
and Configuration Manager Windows Management Instrumentation (WMI) objects.

The following is a list of some of the day-to-day tasks that can be automated:

    •   Deploy the FEP client software to the computers in a collection or remove the FEP client from
        computers in a collection.

    •   Assign a FEP policy to the computers in a collection

    •   Unassign a FEP policy from the computers in a collection

    •   Assign a Desired Configuration Management (DCM) baseline to the computers in a collection

    •   Retrieve DCM baseline results for specific computers

    •   Unassign a DCM baseline from the computers in a collection

    •   Retrieve FEP dashboard data

    •   Run reports

    •   Retrieve report data

    •   Run a quick or full antimalware scan

    •   Force a definition update

This section contains the following topics to help you automate Forefront Endpoint Protection
management by using Windows PowerShell and Configuration Manager Windows Management
Instrumentation (WMI) objects.

Deploying or Removing the FEP Client Software

Assigning and Unassigning FEP Policies to Collections

Automating Desired Configuration Management

Automating the FEP Dashboard

Automating Tasks on Client Computers

Automating FEP Reports

Deploying or Removing the FEP Client Software
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to
automate the creation of software packages and the assignments of the software packages to
collections.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

     •   Windows PowerShell (either version 1.0 or 2.0)

The following script demonstrates how you can deploy (or remove) the FEP client to the computers in
a collection. The function takes the Configuration Manager connection details, the target collection
and the advertisement name as parameters, and uses them to create a mandatory advertisement of the
Install (or, with the -Uninstall switch, the Uninstall) program of the "FEP - Deployment" package.



function CreateDeploymentAdvertisement(
    $ConfigMgrServer,               # Config Mgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                      # Config Mgr site code. e.g. ABC
    $CollectionID,                  # Target collection ID. e.g. ABC00008
    $AdvertisementName,             # Requested name for the deployment advertisement. e.g. Deploy FEP
    [switch]$IncludeSubCollection,  # Switch to include subcollections. Default is false (not included)
    [switch]$Uninstall)             # Switch to uninstall. Default is install
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # Config Mgr (DMTF) time format; HH is the 24-hour clock
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)   # WMI provider full path

    # Get the FEP deployment package to be used when creating the advertisement
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Deployment'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    if ($package -eq $null) { throw "FEP deployment package not found on $ConfigMgrServer (site $SiteCode)" }

    # Create a new SMS advertisement instance for the FEP deployment package. The program installs
    # or uninstalls depending on the $Uninstall switch.
    # For more information about the SMS_Advertisement Server WMI class, see
    # http://go.microsoft.com/fwlink/?LinkID=208535 on MSDN.
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
    $newAdvertisement.CollectionID = $CollectionID
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = if ($Uninstall) { "Uninstall" } else { "Install" }
    $newAdvertisement.AdvertisementName = $AdvertisementName
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000   # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00002000 -bor 0x00000010 -bor 0x00000040   # RERUN_IF_FAILED | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.IncludeSubCollection = $IncludeSubCollection
    $newAdvertisement.PresentTime = $now

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule

    $newAdvertisement.Put()

    Write-Output "Created FEP client roll out advertisement: $AdvertisementName"
}

Assigning and Unassigning FEP Policies to Collections
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to
automate assigning FEP policies to collections.




The following sections demonstrate how you can assign or unassign FEP policies to a collection. The
functions take the Configuration Manager connection details, the policy name and the collection ID
as parameters, and use them to assign the designated policy to the collection.

Each FEP policy is a program of the "FEP - Policies" package in Configuration Manager, and a policy is
distributed by creating a mandatory advertisement of that program to the collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

     •   Windows PowerShell (either version 1.0 or 2.0)

The following example script creates a mandatory assignment of a policy program to a specified
collection.

function AssignPolicy(
    $ConfigMgrServer,               # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                      # ConfigMgr site code. e.g. ABC
    $PolicyName,                    # Name of FEP policy to assign. e.g. "MyPolicy"
    $CollectionID,                  # Collection ID to assign policy to. e.g. ABC00008
    [switch]$IncludeSubCollection)  # Switch to include subcollections. The default is false (not included).
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # Config Mgr (DMTF) time format; HH is the 24-hour clock
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the FEP policies package that the advertisement is created from
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    if ($package -eq $null) { throw "FEP policies package not found on $ConfigMgrServer (site $SiteCode)" }

    # Create a new SMS advertisement instance for the FEP policy package. Each FEP policy is a
    # program of this package, so the program name is the policy name.
    # SMS_Advertisement Server WMI Class: http://msdn.microsoft.com/en-us/library/cc146108.aspx
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
    $newAdvertisement.CollectionID = $CollectionID
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = $PolicyName
    $newAdvertisement.AdvertisementName = "Assign FEP Policy $PolicyName"
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000   # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040   # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.IncludeSubCollection = $IncludeSubCollection
    $newAdvertisement.PresentTime = $now

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule

    $newAdvertisement.Put()
    $newAdvertisement.Get()   # Refresh the new advertisement so that AdvertisementID is populated

    # Add the advertisement to the FEP policies advertisement folder.
    # Get the container node (note that the folder name is localized)
    $AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    if ($AdvertisementFolder -eq $null) { throw "Advertisement folder 'FEP Policies' not found; check the localized folder name" }

    # Create a container item for the advertisement
    $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
    $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
    $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
    $newContainerItem.Put()

    Write-Output "Policy $PolicyName Assigned to $CollectionID"
}

The following example script demonstrates removal of a policy assignment from a collection of
endpoints.

function RemovePolicyAssignment(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $PolicyName,        # Name of the FEP policy whose assignment should be removed. e.g. "MyPolicy"
    $CollectionID)      # Collection ID to remove the assignment from. e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the FEP policies package
    $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
    if ($package -eq $null) { throw "FEP policies package not found on $ConfigMgrServer (site $SiteCode)" }

    # Get the existing advertisements of this policy program to this collection
    $filter = "PackageID='{0}' AND ProgramName='$PolicyName' AND CollectionID='$CollectionID'" -f $package.PackageID
    $advertisements = Get-WmiObject -class "SMS_Advertisement" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    if ($advertisements -eq $null)
    {
        Write-Output "There are no policy assignments of $PolicyName to $CollectionID."
    }
    else
    {
        Write-Output "Removing policy assignments of $PolicyName from $CollectionID."
        $advertisements | Remove-WmiObject   # Remove-WmiObject requires Windows PowerShell 2.0
    }
}

Automating Desired Configuration Management
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to
automate management of FEP desired configuration management (DCM) baselines.

Configuration baselines define best practices and thresholds for configuration settings. You assign
baselines to collections of computers. After the computers receive the baseline, they evaluate their
configuration against the baseline, and report their status to the Configuration Manager server.

The following sections demonstrate how you can assign or unassign FEP baselines to a collection. The
scripts define switches to specify the Configuration Manager information needed, and use that
information to assign the designated baseline to a collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

        •   Windows PowerShell (either version 1.0 or 2.0)

The following example script demonstrates how to assign a FEP DCM baseline to a target collection.

function AssignDCMBaseline(
    $ConfigMgrServer,               # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,                      # ConfigMgr site code. e.g. ABC
    $BaselineName,                  # DCM baseline localized name. e.g. "FEP - Standard Desktop"
    $TargetCollectionID,            # Collection ID to assign the baseline to. e.g. ABC00008
    [switch]$IncludeSubCollection)  # Switch to include subcollections; default is false (not included)
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # DMTF datetime string for WMI. Use HH (24-hour clock), not hh, or afternoon start times are wrong.
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"

    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the DCM baseline to assign
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -Filter "LocalizedDisplayName='$BaselineName'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

    # Verify that exactly one baseline matches the name before creating an assignment
    if ($null -eq $CIBaseline)
    {
        throw "DCM baseline '$BaselineName' was not found on $ConfigMgrServer."
    }
    if (@($CIBaseline).Count -gt 1)
    {
        throw "More than one DCM baseline is named '$BaselineName'; use a unique name."
    }

    # Create new SMS Baseline Assignment instance
    $newAssignment = ([WmiClass]($ConfigMgrProviderPath + ":SMS_BaselineAssignment")).CreateInstance()

    $newAssignment.AssignedCIs = @($CIBaseline.CI_ID)
    $newAssignment.TargetCollectionID = $TargetCollectionID
    $newAssignment.ApplyToSubTargets = [bool]$IncludeSubCollection
    $newAssignment.AssignmentAction = 2 # APPLY
    $newAssignment.AssignmentName = "Assign $BaselineName to $TargetCollectionID"
    $newAssignment.AssignmentDescription = ""
    $newAssignment.DesiredConfigType = 1 # REQUIRED
    $newAssignment.DPLocality = 4 # DP_DOWNLOAD_FROM_LOCAL
    $newAssignment.NotifyUser = $false
    $newAssignment.SendDetailedNonComplianceStatus = $true
    $newAssignment.StartTime = $now
    $newAssignment.SuppressReboot = 0
    $newAssignment.UseGMTTimes = $false

    # Create recurrent daily evaluation schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_RecurInterval")).CreateInstance()
    $AssignedSchedule.StartTime = $now
    $AssignedSchedule.DaySpan = 1

    # Serialize the schedule token into the string form the assignment expects
    $ScheduleAsString = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ScheduleMethods")).WriteToString($AssignedSchedule)
    $newAssignment.EvaluationSchedule = $ScheduleAsString.StringData

    $newAssignment.Put() | Out-Null

    Write-Output "Created assignment of DCM baseline $BaselineName to collection $TargetCollectionID"
}

The following example script demonstrates how to remove a FEP DCM baseline from a target
collection.

function RemoveDCMAssignment(
    $ConfigMgrServer,       # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,              # ConfigMgr site code. e.g. ABC
    $BaselineName,          # DCM baseline localized name. e.g. "FEP - Standard Desktop"
    $TargetCollectionID)    # Collection ID to remove the baseline assignment from. e.g. ABC00008
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the DCM baseline whose assignment is to be removed
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -Filter "LocalizedDisplayName='$BaselineName'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $CIBaseline)
    {
        throw "DCM baseline '$BaselineName' was not found on $ConfigMgrServer."
    }

    $filter = "AssignedCIs = '{0}' AND TargetCollectionID='{1}'" -f $CIBaseline.CI_ID, $TargetCollectionID

    # Get the existing assignments
    $assignments = Get-WmiObject -Class "SMS_BaselineAssignment" -Filter $filter -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

    if ($null -eq $assignments)
    {
        Write-Output "There are no DCM baseline $BaselineName assignments to $TargetCollectionID."
    }
    else
    {
        Write-Output "Removing DCM baseline $BaselineName from collection $TargetCollectionID."
        $assignments | Remove-WmiObject
    }
}

The following example script demonstrates how to retrieve a Configuration Manager WMI results
object that contains compliance results for a DCM baseline assignment.

The results object contains a count of compliant computers, a count of noncompliant computers, a
count of evaluation failures, and other information relevant to DCM. For more information about the
SMS_CI_ComplianceSummary WMI class, see SMS_CI_ComplianceSummary Server WMI Class
(http://go.microsoft.com/fwlink/?LinkId=208530) in the Configuration Manager reference
documentation on MSDN.

function GetBaselineResult(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $BaselineName)      # DCM baseline localized name. e.g. "FEP - Standard Desktop"
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"

    # Get the DCM baseline to query
    $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -Filter "LocalizedDisplayName='$BaselineName'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $CIBaseline)
    {
        throw "DCM baseline '$BaselineName' was not found on $ConfigMgrServer."
    }

    # The compliance summary is keyed by the baseline's CI_ID
    $result = Get-WmiObject -Class "SMS_CI_ComplianceSummary" -Filter ("CI_ID='{0}'" -f $CIBaseline.CI_ID) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

    return $result
}

Automating the FEP Dashboard
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to
automate retrieval of FEP dashboard information. The FEP dashboard displays important information
about the security of your organization, such as the number of deployed clients, definition
deployment status, number of client computers infected, and number of client computers with
malware removed.

Each dashboard data set is represented by a Configuration Manager collection. The following
example script demonstrates how to obtain a count of computers that belong to a specified
collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

     •   Windows PowerShell (either version 1.0 or 2.0)



The following table lists the Configuration Manager collections that are used to populate the data for
the FEP dashboard. To retrieve the dashboard data via a script, you must specify the appropriate
Configuration Manager collection in the script.




Dashboard Area                  Collection Names

Deployment Status               Deployment Succeeded
                                Out of Date
                                Deployment Failed
                                Deployment Pending
                                Locally Removed
                                Not Targeted

Policy Distribution Status      Distribution Failed
                                Distribution in Progress
                                Policy Distributed

Definition Status               Up to Date
                                Up to 3 Days
                                Up to 7 Days
                                Older Than 1 Week

Malware Activity Status         Infected
                                Restart Required
                                Full Scan Required
                                Recent Activity

Health Status                   Protection Inactive
                                Not Reporting
                                Healthy

The following example script retrieves the dashboard count for the specified collection from the
Configuration Manager WMI provider.

function GetDashboardInfo(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to which to connect. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $CollectionName)    # Collection name for which the count of computers should be returned. e.g. Infected.
                        # Use the table above to determine the collection name to query.
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Get the SMS collection to query. Collection names are not unique in Configuration Manager,
    # so refuse to continue if the name matches nothing or more than one collection.
    $Collection = @(Get-WmiObject -Class "SMS_Collection" -Filter "Name='$CollectionName'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)
    if ($Collection.Count -ne 1)
    {
        throw ("Expected exactly one collection named '{0}', found {1}." -f $CollectionName, $Collection.Count)
    }

    # Get the SMS_Collection class and ask the provider for the member count
    $SmsCollectionClass = [WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")
    $count = $SmsCollectionClass.GetNumResults($Collection[0]).Result

    # Write-Host keeps the message off the pipeline so the caller receives only the count
    Write-Host "Count of computers in $CollectionName is $count"

    return $count
}
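The following function is an added example, not code from the FEP documentation. It extends the single-collection lookup above: it queries every collection named in the dashboard table, refuses to guess when a name is missing or duplicated in the site, and evaluates a few thresholds (the threshold values and the function name are assumptions) so that the result can feed a scheduled check rather than a console view. It uses the same SMS_Collection.GetNumResults call as GetDashboardInfo and needs Windows PowerShell 2.0 for New-Object -Property.

```powershell
function Get-FepDashboardSummary(
    $ConfigMgrServer,               # ConfigMgr WMI site provider. e.g. MyServer
    $SiteCode,                      # ConfigMgr site code. e.g. ABC
    $MaxInfected = 0,               # Assumed threshold: any infected computer is worth a warning
    $MaxNotReportingPercent = 5)    # Assumed threshold: share of clients that may be silent
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)
    $SmsCollectionClass = [WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")

    # Dashboard areas and their collections, copied from the table in this section
    $areas = @{
        "Deployment Status"          = @("Deployment Succeeded", "Out of Date", "Deployment Failed", "Deployment Pending", "Locally Removed", "Not Targeted")
        "Policy Distribution Status" = @("Distribution Failed", "Distribution in Progress", "Policy Distributed")
        "Definition Status"          = @("Up to Date", "Up to 3 Days", "Up to 7 Days", "Older Than 1 Week")
        "Malware Activity Status"    = @("Infected", "Restart Required", "Full Scan Required", "Recent Activity")
        "Health Status"              = @("Protection Inactive", "Not Reporting", "Healthy")
    }

    $counts = @{}
    foreach ($area in $areas.Keys)
    {
        foreach ($name in $areas[$area])
        {
            $collection = @(Get-WmiObject -Class "SMS_Collection" -Filter ("Name='{0}'" -f $name) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)
            if ($collection.Count -ne 1)
            {
                # A missing or duplicated name means the dashboard collections were changed; do not guess
                Write-Warning ("Expected one collection named '{0}' in area '{1}', found {2}" -f $name, $area, $collection.Count)
                continue
            }
            $counts[$name] = [int]$SmsCollectionClass.GetNumResults($collection[0]).Result
            Write-Host ("{0,-28} {1,-25} {2,6}" -f $area, $name, $counts[$name])
        }
    }

    # Evaluate the thresholds the dashboard itself only displays
    $warnings = @()
    if ($counts["Infected"] -gt $MaxInfected)
    {
        $warnings += "Infected computers: " + $counts["Infected"]
    }
    if ($counts["Protection Inactive"] -gt 0)
    {
        $warnings += "Computers with protection inactive: " + $counts["Protection Inactive"]
    }
    $healthTotal = $counts["Healthy"] + $counts["Not Reporting"] + $counts["Protection Inactive"]
    if ($healthTotal -gt 0 -and (100 * $counts["Not Reporting"] / $healthTotal) -gt $MaxNotReportingPercent)
    {
        $warnings += ("{0} of {1} clients are not reporting" -f $counts["Not Reporting"], $healthTotal)
    }
    if ($counts["Older Than 1 Week"] -gt 0)
    {
        $warnings += "Clients with definitions older than one week: " + $counts["Older Than 1 Week"]
    }

    return New-Object PSObject -Property @{ Counts = $counts; Warnings = $warnings }
}

# Usage:
# $summary = Get-FepDashboardSummary -ConfigMgrServer "MyServer" -SiteCode "ABC"
# $summary.Warnings
```

Because the collection name is the only key the dashboard gives you, the uniqueness check matters: a second collection called "Healthy" created by an administrator would otherwise silently be counted in place of the FEP one.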

Automating Tasks on Client Computers
You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to
automate FEP tasks on client computers.

FEP tasks run from a software package named Microsoft Corporation FEP – Operations 1.0. In the
Configuration Manager console, you can right-click a computer or group of computers, point to FEP
Operations, and then select one of three actions:

      •   Full Scan: runs a full antimalware scan on the selected computers.

      •   Quick Scan: runs a quick antimalware scan on the selected computers.

      •   Run Definition Update: runs a definition update cycle on the selected computers.

When you run a task on a client computer or set of computers, FEP performs the following steps:

      •   Creates a dynamic collection

      •   Adds the selected computers to the collection

      •   Creates a mandatory assigned advertisement of the requested task from the FEP Operations
          software package

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

      •   Windows PowerShell (either version 1.0 or 2.0)

      •   Before you run operational tasks from a script, verify that the FEP operations package
          (named Microsoft Corporation FEP – Operations 1.0) has been distributed to your
          Configuration Manager distribution points.

     Note:

    Cleanup of old operations components (the dynamic collections and advertisements used to
    distribute the tasks) is done only when performing tasks from the Configuration Manager console.
    Tasks started from a script leave their collection and advertisement behind, so remove them yourself
    after the task has run.

The following example script demonstrates how to run a full scan task on a computer.

function RunFullScan(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $Computers)         # A computer or list of computer NetBIOS names on which the scan should be run.
                        # For example: ("ComputerA", "ComputerB")
{
    $Operation = "Full Scan" # Change the scan type by changing the phrase in the quotes to either Quick Scan or Update Definitions.

    $UtcNow = [System.DateTime]::UtcNow
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

    # Create a collection for the task
    $newCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")).CreateInstance()
    $newCollection.Name = "$Operation at $UtcNow (UTC)"
    $newCollection.RefreshType = 1 # Manual
    $newCollection.OwnedByThisSite = $true
    $newCollection.Put() | Out-Null
    $newCollection.Get() # refresh the object so CollectionID is populated

    # Add the collection as a subcollection of FEP Operations
    $OperationCollection = Get-WmiObject -Class "SMS_Collection" -Filter "Name='Operations'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $OperationCollection)
    {
        throw "The FEP 'Operations' collection was not found on $ConfigMgrServer."
    }

    $CollectionToSubCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectToSubCollect")).CreateInstance()
    $CollectionToSubCollection.parentCollectionID = $OperationCollection.CollectionID
    $CollectionToSubCollection.subCollectionID = $newCollection.CollectionID
    $CollectionToSubCollection.Put() | Out-Null

    # Add computers to the collection (direct membership rules)
    foreach ($Computer in $Computers)
    {
        # For more information about the SMS_R_System Server WMI class, see
        # http://go.microsoft.com/fwlink/?LinkId=208534 on MSDN.
        $Client = Get-WmiObject -Class "SMS_R_System" -Filter ("NetbiosName = '{0}'" -f $Computer) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
        if ($null -eq $Client)
        {
            # An unknown name would otherwise produce a rule with an empty ResourceID
            Write-Warning "Computer '$Computer' is not a Configuration Manager resource; skipping it."
            continue
        }

        $SmsCollectionRuleDirect = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectionRuleDirect")).CreateInstance()
        $SmsCollectionRuleDirect.ResourceID = $Client.ResourceID
        $SmsCollectionRuleDirect.ResourceClassName = "SMS_R_System"

        $newCollection.AddMembershipRules($SmsCollectionRuleDirect) | Out-Null
    }

    # Create the task advertisement. DMTF datetime string: HH is the 24-hour clock.
    $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"

    # Get the FEP operations package
    $package = Get-WmiObject -Class "SMS_Package" -Filter "MifName='FEP - Operations'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $package)
    {
        throw "The FEP operations package was not found; verify that it has been distributed."
    }

    # Create a new advertisement for the FEP operations package.
    # For more information about the SMS_Advertisement Server WMI class, see
    # http://go.microsoft.com/fwlink/?LinkId=208535 on MSDN.
    $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()

    $newAdvertisement.CollectionID = $newCollection.CollectionID # target the collection created above
    $newAdvertisement.PackageID = $package.PackageID
    $newAdvertisement.ProgramName = $Operation
    $newAdvertisement.AdvertisementName = "Run $Operation at $UtcNow (UTC)"
    $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000 # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
    $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040 # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
    $newAdvertisement.PresentTime = $now
    $newAdvertisement.Priority = 1 # High

    # Create a mandatory assignment schedule
    $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
    $AssignedSchedule.StartTime = $now

    $newAdvertisement.AssignedScheduleEnabled = $true
    $newAdvertisement.AssignedSchedule = $AssignedSchedule

    $newAdvertisement.Put() | Out-Null
    $newAdvertisement.Get() # refresh the object so AdvertisementID is populated

    # Add the advertisement to the FEP operations advertisement folder.
    # Get the container node (note that the folder name is localized).
    $AdvertisementFolder = Get-WmiObject -Class "SMS_ObjectContainerNode" -Filter "Name='FEP Operations'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

    # Create a container item for the advertisement
    $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
    $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
    $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
    $newContainerItem.Put() | Out-Null

    Write-Output "$Operation scheduled to computers: $Computers"
}
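The Note above says that scripted tasks are never cleaned up. The following function is an added example, not code from the FEP documentation: it walks the task collections that RunFullScan links under the Operations collection, works out each task's age from the PresentTime of its advertisements (falling back to the collection's LastChangeTime when the advertisement is already gone), and removes everything older than a retention period. The function name, the 7-day default and the ListOnly switch are assumptions; the class names and filters are the ones RunFullScan already uses, and the timestamp conversion relies on .NET's ManagementDateTimeConverter for DMTF datetimes.

```powershell
function Remove-StaleFepOperations(
    $ConfigMgrServer,      # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,             # ConfigMgr site code. e.g. ABC
    $OlderThanDays = 7,    # Assumed retention: task objects older than this many days are removed
    [switch]$ListOnly)     # Report what would be removed without deleting anything
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $cutoff = [DateTime]::UtcNow.AddDays(-$OlderThanDays)

    # The package that task advertisements reference (same filter as RunFullScan)
    $package = Get-WmiObject -Class "SMS_Package" -Filter "MifName='FEP - Operations'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $package) { throw "The FEP operations package was not found on $ConfigMgrServer." }

    # RunFullScan links each task collection under the FEP 'Operations' collection
    $operations = Get-WmiObject -Class "SMS_Collection" -Filter "Name='Operations'" -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer
    if ($null -eq $operations) { throw "The FEP 'Operations' collection was not found on $ConfigMgrServer." }
    $links = @(Get-WmiObject -Class "SMS_CollectToSubCollect" -Filter ("parentCollectionID='{0}'" -f $operations.CollectionID) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)

    $removed = @()
    foreach ($link in $links)
    {
        $collection = Get-WmiObject -Class "SMS_Collection" -Filter ("CollectionID='{0}'" -f $link.subCollectionID) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer

        # Only touch collections named the way the task script names them: "<Operation> at <time> (UTC)"
        if ($null -eq $collection -or $collection.Name -notmatch '^.+ at .+ \(UTC\)$') { continue }

        # Task advertisements for this collection; their PresentTime (DMTF datetime) dates the task
        $advertisements = @(Get-WmiObject -Class "SMS_Advertisement" -Filter ("CollectionID='{0}' AND PackageID='{1}'" -f $collection.CollectionID, $package.PackageID) -Namespace $ConfigMgrNamespace -ComputerName $ConfigMgrServer)

        $newest = [System.Management.ManagementDateTimeConverter]::ToDateTime($collection.LastChangeTime).ToUniversalTime()
        foreach ($adv in $advertisements)
        {
            $presented = [System.Management.ManagementDateTimeConverter]::ToDateTime($adv.PresentTime).ToUniversalTime()
            if ($presented -gt $newest) { $newest = $presented }
        }
        if ($newest -gt $cutoff) { continue }   # still inside the retention window, keep it

        Write-Host ("Removing '{0}' with {1} advertisement(s), last activity {2:u}" -f $collection.Name, $advertisements.Count, $newest)
        if (-not $ListOnly)
        {
            # Delete the advertisements first so nothing targets a collection that is about to disappear,
            # then the parent link, then the collection itself
            $advertisements | Remove-WmiObject
            $link | Remove-WmiObject
            $collection | Remove-WmiObject
        }
        $removed += $collection.Name
    }
    return $removed
}

# Usage: preview first, then delete
# Remove-StaleFepOperations -ConfigMgrServer "MyServer" -SiteCode "ABC" -ListOnly
# Remove-StaleFepOperations -ConfigMgrServer "MyServer" -SiteCode "ABC" -OlderThanDays 7
```

Run it with -ListOnly the first time: the name pattern is the only thing that distinguishes task collections from anything else an administrator may have placed under Operations.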

Automating FEP Reports
You can automate retrieval of FEP reports by using Windows PowerShell.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following
prerequisite software:

     •   Windows PowerShell 2.0

The following example script demonstrates how to retrieve a FEP computer list report as an XML
object and then display the computer list. The script authenticates to the report server with the
caller's Windows credentials; use an https URL where the report server has a certificate, so that the
report contents are not sent in clear text.

$ReportServer = "ReportServer.contoso.com" # Change the value in quotes to your report server FQDN.
$SiteCode = "FEP" # Change the value in quotes to your site code.

# URI of the ReportExecution2005 .asmx file on the report server. Change the path if your report
# server uses a different virtual directory. Prefer https where the report server has a certificate.
$URI = "http://$ReportServer/ReportServer/ReportExecution2005.asmx?wsdl"

# Report path. To retrieve a different report, replace the name of the report.
$ReportPath = "/Forefront Endpoint Protection_$SiteCode/Antimalware/Computer List Report"

# Create the web service proxy for the reports (Windows PowerShell 2.0)
New-WebServiceProxy -Uri $URI -UseDefaultCredential -Namespace "ReportExecution2005" | Out-Null

$ReportService = New-Object ReportExecution2005.ReportExecutionService
$ReportService.Credentials = [System.Net.CredentialCache]::DefaultCredentials

# Load the report (the returned ExecutionInfo is not needed here)
$ReportService.LoadReport($ReportPath, $null) | Out-Null

# Report parameters
# Depending on the number of parameters used by the report, you may need to add or remove
# parameters. Specify each one by changing its .Value line.

# Report time span:
# 1 - Custom (use together with CustomStartDate and CustomEndDate)
# 2 - Day
# 3 - Week
# 4 - Month
# 5 - Quarter
# 6 - Year
$param1 = New-Object ReportExecution2005.ParameterValue
$param1.Name = "ReportSpan"
$param1.Value = 3

# Number of computers to which to limit the report. -1 specifies that there is no limit.
$param2 = New-Object ReportExecution2005.ParameterValue
$param2.Name = "NumberOfReturnedComputersParameter"
$param2.Value = -1

# Security state parameter:
# 1 - Clean
# 2 - Recent malware activity (last 24 hours)
# 3 - Action Required
# 4 - Infected
$param3 = New-Object ReportExecution2005.ParameterValue
$param3.Name = "SecurityStateParameter"
$param3.Value = 2

# The ReportScope parameter is optional; it limits the report to a single collection.
# The ID can be found in the FEPDW (FEPDW_[SiteCode]) database using the following query:
# SELECT * FROM vwFEP_Common_CollectionLookupDimension
#$param4 = New-Object ReportExecution2005.ParameterValue
#$param4.Name = "ReportScope"
#$param4.Value = "1002"

$parameters = [ReportExecution2005.ParameterValue[]] ($param1, $param2, $param3)
$ExecParams = $ReportService.SetExecutionParameters($parameters, "en-us")

# For more report rendering options, see ReportExecutionService.Render Method
# (http://go.microsoft.com/fwlink/?LinkId=208533) on MSDN.
$format = "xml"
$deviceInfo = ""
$extension = ""
$mimeType = ""
$encoding = "UTF-8"
$warnings = $null
$streamIDs = $null

$ReportAsStream = $ReportService.Render($format, $deviceInfo, [ref] $extension, [ref] $mimeType, [ref] $encoding, [ref] $warnings, [ref] $streamIDs)
$ReportAsString = [Text.Encoding]::UTF8.GetString($ReportAsStream)

# Strip surrounding whitespace and the UTF-8 byte order mark the XML renderer may emit; either
# would otherwise make the [xml] cast fail with "Data at the root level is invalid"
$ReportAsXml = [xml]$ReportAsString.Trim().TrimStart([char]0xFEFF)

# Access the report data using the XML object. XPath or any XmlDocument method can be used to parse it.
$computers = $ReportAsXml.GetElementsByTagName("Detail")

foreach ($computer in $computers)
{
    Write-Host $computer.ComputerName $computer.SecurityState
}


    12. Troubleshooting
This troubleshooting content provides guidance for diagnosing and resolving issues you may
encounter when using Forefront Endpoint Protection.





Using the FEP Best Practices Analyzer
The Forefront Endpoint Protection Best Practices Analyzer (BPA) includes checks to scan both
Forefront Endpoint Protection (FEP) and Configuration Manager for configuration problems, missing
dependencies, incorrect settings, or other issues that could adversely affect the health of your FEP
installation.

Prerequisites

    •   The FEP BPA checks are based on the Microsoft Baseline Configuration Analyzer version 2.0
        (MBCA). In order to run the FEP BPA, you must download and install the MBCA
        (http://go.microsoft.com/fwlink/?LinkId=206778).

    •   The MBCA requires Windows PowerShell™ 2.0. Windows PowerShell 2.0 is included with
        Windows Server 2008 R2, but must be installed for Windows Server 2008 or Windows Server
        2003. To download Windows PowerShell 2.0, see Microsoft Knowledge Base article 968929
        (http://go.microsoft.com/fwlink/?LinkId=206779)

    •   You must run MBCA and the FEP MBCA checks on the Configuration Manager server on
        which you installed FEP.

To install the FEP BPA

    1. After you download the FEP BPA, copy it to your Configuration Manager server, and then
       double-click fepBPASetup.msi.

    2. In the FEP 2010 Best Practices Analyzer Setup wizard, select the I accept the terms in the
       license agreement check box, click Next, and then click Finish.

The FEP BPA Checks

The FEP BPA includes configuration checks for various Configuration Manager features, as well as FEP
dependencies and prerequisites that are important to FEP health.

The following table lists the check categories and describes some of the checks included with this
release of the FEP BPA.




FEP BPA check category                    Description

SQL Server checks                         Reviews the status and configuration of the computers running
                                          SQL Server that host the FEP databases.

Configuration Manager Desired             Reviews the DCM checks that are used to populate the FEP
Configuration Management checks           dashboard, ensures they are assigned to collections, and checks
                                          that the configuration items for FEP are not corrupted or missing.

Package, policy, and advertisement        Reviews FEP packages, policies, and advertisements for the
checks                                    correct number (no defaults have been deleted), and that they
                                          are correctly assigned.

Alert checks                              Reviews the number of FEP alerts, that they are assigned to
                                          collections correctly, and that the SMTP port is correctly assigned
                                          (for e-mailing of alerts).

Events and general FEP configuration      Collects and displays information for recent FEP errors and
checks                                    events, as well as some registry settings and a list of the FEP files
                                          installed on the computer.

Configuration Manager configuration       Reviews the status and configuration of the Configuration
checks                                    Manager installation and services important to the health of FEP.


Troubleshooting FEP and Configuration Manager
Forefront Endpoint Protection (FEP) is built on Configuration Manager. Because of the tight
integration with Configuration Manager, troubleshooting common issues with FEP frequently
involves troubleshooting Configuration Manager.

You can find information about Troubleshooting Configuration Manager 2007
(http://go.microsoft.com/fwlink/?LinkId=206765) in the Configuration Manager Documentation
Library. Additionally, the table below lists various Configuration Manager troubleshooting resources
and how those resources apply to troubleshooting FEP.




Resource                                                   Description

Troubleshooting Software Distribution                      FEP uses the Software Distribution feature of
(http://go.microsoft.com/fwlink/?LinkId=206762)            Configuration Manager for the following tasks:
                                                               •   Client software deployment (via software packages)
                                                               •   Policy deployment
                                                               •   On-demand scans
                                                               •   Forcing a definition update

Troubleshooting Software Updates                           Contains information relevant to definition updates. By
(http://go.microsoft.com/fwlink/?LinkId=206761)            default, FEP uses Software Updates in Configuration
                                                           Manager and WSUS to deliver definition updates to
                                                           computers running the FEP client software.

Troubleshooting Desired Configuration Management           Contains information relevant to troubleshooting FEP and
(http://go.microsoft.com/fwlink/?LinkId=206756)            Desired Configuration Management (DCM). DCM is used in
                                                           FEP to populate data into the dashboard and for any custom
                                                           configuration baselines you enforce for your collections.




FEP Log Files
Forefront Endpoint Protection (FEP) creates log files both during the installation on your
Configuration Manager server, and during day-to-day operations.

FEP Server Installation Log Files

The installation log files are listed below:

Log file name                                      Description

FEPExt_xxx_xxx.log                                 FEP site server extensions
FepReport_xxx_xxx.log                              FEP reporting components
FEPUX_xxx_xxx.log                                  FEP console extensions
ServerSetup_xxx_xxx.log                            FEP Setup

You can find FEP server installation log files in the following location:

    •   If you installed FEP on Windows Server 2003:

        %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server

    •   If you installed FEP on Windows Server 2008:

        %ProgramData%\Microsoft Forefront\Support\Server

The file names use the following format:

LogFileName_Date_Time.log

where the following is true:

    •   LogFileName is the name of the log file.

    •   Date is the day, month, and year the log was created, in the format DDMMYYYY.

    •   Time is the hour, minute, and second the log file was created, in the format HHMMSS.

FEP Server Operational Log Files
The following table lists the log files in which FEP stores operational information.

Log file name          Description

SmsAdminUI.log         FEP stores console-related information in this Configuration Manager
                       console log file. It can be found in C:\Program Files (x86)\Microsoft
                       Configuration Manager\AdminUI\AdminUILog. For more information
                       about this log file, see Troubleshooting Configuration Manager Console
                       Issues (http://go.microsoft.com/fwlink/?LinkId=207567) in the
                       Configuration Manager documentation.

FepServiceTrace.etl    FEP service tracing log file. This file, stored in %ProgramData%\Microsoft
                       Forefront\Support\, contains binary information typically only useful to
                       product support personnel.


FEP Client Software Installation Log Files
The FEP client software creates log files both during installation and during day-to-day operations.

The following table lists Setup log files and the components with which they are associated.

Log file name                                      Description

EppSetup.log                                       Master Setup log file.

MSSecurityClient_Setup_epp_install.log             User interface and management extension Setup log file.

MSSecurityClient_Setup_FEP_install.log             Configuration Manager management extensions Setup log file.

MSSecurityClient_Setup_mp_ambits_install.log       Antimalware service Setup log file.

MSSecurityClient_Setup_epploc_x86_Install or       Localized resources installation log file (specific to the
MSSecurityClient_Setup_epploc_x64_Install          architecture on the client computer).

MSSecurityClient_Setup_amloc-%locale%_install      Log file for installation of localized resources for the
                                                   antimalware service. %locale% represents the locale for
                                                   which the install was performed.

MSSecurityClient_Setup_KB981889_Install.evtx       The log file for Windows patch installation KB981889. Only
                                                   present on Windows 7 or Windows Server 2008 R2.

MSSecurityClient_Setup_dw20shared_Install.log      Log file for installation of Dr. Watson (only installed on
                                                   computers running Windows XP, and only if not already
                                                   present).

You can find FEP client installation log files in the following location:

    •   %allusersprofile%\Microsoft\Microsoft Antimalware\Support: log files specific for the
        antimalware service

    •   %allusersprofile%\Microsoft\Microsoft Security Client\Support: log files specific for the FEP
        client software

    •   %windir%\WindowsUpdate.log: Windows Update log files, which include information about
        definition updates



Troubleshooting the FEP Security Management Pack and Operations
Manager
The FEP Security Management Pack is built on Operations Manager, and implemented as an
Operations Manager management pack. Troubleshooting the FEP Security Management Pack
involves working with the Operations Manager Operations console and the management pack
features.




You can view information about Managing Management Packs
(http://go.microsoft.com/fwlink/?LinkId=206769) in the Operations Manager documentation.


    13. Technical Reference
This technical reference provides additional information about Forefront Endpoint Protection.

FEP 2010 Policy - Default Settings
The following tables show the policy settings for the Default Server Policy, Default Desktop Policy,
and the default settings when running the New Policy Wizard for Forefront Endpoint Protection
installed on Configuration Manager. The tables match the tabs of the properties of a Forefront
Endpoint Protection policy.

Antimalware Settings
(Columns: DD = Default Desktop Policy, DS = Default Server Policy, SD = Standard Desktop Policy, PO = Performance-optimized policy, HS = High-security policy)

Scheduled scan
  Schedule type and time of scan
      DD: Enabled | DS: Not enabled | SD: Enabled | PO: Enabled | HS: Enabled
  Scan type
      DD: Weekly quick scan | DS: Not applicable | SD: Weekly quick scan | PO: Weekly quick scan | HS: Daily quick scan and weekly full scan
  Daily scan time
      DD: Not applicable | DS: Not applicable | SD: Not applicable | PO: Not applicable | HS: 2:00 AM
  Weekly scan day
      DD: Sunday | DS: Not applicable | SD: Saturday | PO: Saturday | HS: Saturday
  Weekly scan time
      DD: 3:00 AM | DS: Not applicable | SD: 3:00 AM | PO: 3:00 AM | HS: 3:00 AM
  Check for definition updates before starting scan
      DD: Enabled | DS: Not applicable | SD: Enabled | PO: Enabled | HS: Enabled
  Scan only when the computer is not in use
      DD: Enabled | DS: Not applicable | SD: Enabled | PO: Enabled | HS: Not enabled
  Randomize scheduled scan start times (within 30 minutes from scheduled time)
      DD: Enabled | DS: Not applicable | SD: Enabled | PO: Enabled | HS: Enabled
  Force a scan upon restart when two or more scheduled scans are missed
      DD: Not enabled | DS: Not applicable | SD: Not enabled | PO: (not listed) | HS: Enabled
  Limit processor usage during scans to the following percentage
      DD: Enabled | DS: Enabled | SD: Enabled | PO: Enabled | HS: Not enabled
  Percentage
      DD: 50% | DS: 30% | SD: 50% | PO: 30% | HS: Not applicable
  Allow users on endpoint computers to configure processor usage limits for scans
      All policies: Not enabled
  User's control on scheduled scans
      All policies: No control

Default actions
  Severe
      All policies: Recommended action
  High
      All policies: Recommended action
  Medium
      All policies: Quarantine
  Low
      All policies: Allow

Real-time protection
  Enable real-time protection
      All policies: Enabled
  Scan system files
      All policies: Scan incoming and outgoing files
  Scan all downloaded files and attachments
      DD: Enabled | DS: Not enabled | SD: Enabled | PO: Enabled | HS: Enabled
  Use behavior monitoring
      All policies: Enabled
      Note: On servers with a large number of short network connections, such as file servers, there may be a
      performance impact when the Behavior Monitoring policy setting is enabled.
  Enable protection against network-based exploits
      DD: Enabled | DS: Not enabled | SD: Enabled | PO: Not enabled | HS: Enabled
      Note: It is recommended that you do not enable this setting on servers.
  Allow users on endpoint computers to configure real-time protection settings
      DD: Not enabled | DS: Enabled | SD: Not enabled | PO: Not enabled | HS: Not enabled

Excluded files and locations
  Files and locations
      All policies exclude the same set of files:
        %windir%\SoftwareDistribution\Datastore\Datastore.edb
        %windir%\SoftwareDistribution\Datastore\logs\Res*.log
        %windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs
        %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
        %windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
        %windir%\Security\Database\*.edb
        %windir%\Security\Database\*.sdb
        %windir%\Security\Database\*.log
        %windir%\Security\Database\*.chk
        %windir%\Security\Database\*.jrs
        %allusersprofile%\NTuser.pol
        %SystemRoot%\System32\GroupPolicy\registry.pol

Excluded file types
  File types
      All policies: (empty)

Excluded processes
  Processes
      All policies: (empty)

Advanced
  Scan archived files
      All policies: Enabled
  Scan network drives when running a full scan
      All policies: Not enabled
  Scan removable storage devices, such as USB flash drives
      All policies: Not enabled
  Create a system restore point before cleaning computers
      All policies: Not enabled
  Show notification messages to users on endpoint computers when they need to perform the following actions:
  Run a full scan, Download the latest virus and spyware definitions, Download Microsoft Standalone System Sweeper
      All policies: Not enabled
  Delete quarantined files after (number of days)
      All policies: Not enabled
  Allow users on endpoint computers to configure quarantined delete period
      All policies: Not enabled
  Allow users on endpoint computers to exclude files and locations, file types, and processes
      DD: Not enabled | DS: Enabled | SD: Not enabled | PO: Not enabled | HS: Not enabled

Overrides
  Select the override action you want to apply when Forefront Endpoint Protection detects a threat with the
  following name
      All policies: (empty)

Microsoft SpyNet
  Join Microsoft SpyNet
      All policies: Based on the setting selected during FEP server setup
  Allow users on endpoint computers to change SpyNet settings
      All policies: Not enabled

Updates Settings
(Columns: DD = Default Desktop Policy, DS = Default Server Policy, SD = Standard Desktop Policy, PO = Performance-optimized policy, HS = High-security policy)

  Check for definition updates using the following interval
      Every (hours)
          All policies: Enabled, 8
      Daily at
          All policies: Not enabled, Not applicable
  Force a definition update when definition updates have failed for (days)
      DD: 1 | DS: Not enabled | SD: 1 | PO: Not enabled | HS: 1
  Clients will pull updates from the selected sources in the order specified below (from top to bottom)
      All policies:
        1. Updates distributed from Configuration Manager or WSUS
        2. Updates from Microsoft Update





Windows Firewall Settings
(Columns: DD = Default Desktop Policy, DS = Default Server Policy, SD = Standard Desktop Policy, PO = Performance-optimized policy, HS = High-security policy)

  Enable Host Firewall protection
      DD: Enabled | DS: Not enabled | SD: Enabled | PO: Not enabled | HS: Enabled

  Domain Networks, Private Networks, and Public Networks (the three profiles have identical defaults)
      Firewall State
          DD: On (recommended) | DS: Not applicable | SD: On (recommended) | PO: Not applicable | HS: On (recommended)
      Incoming connections
          DD: Block (default) | DS: Not applicable | SD: Block (default) | PO: Not applicable | HS: Block (default)
      Display notification
          DD: Yes | DS: Not applicable | SD: Yes | PO: Not applicable | HS: Yes
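The three firewall-managing policies above expect the same thing from every profile: firewall on, inbound connections blocked, notifications shown. The following script is an added example, not part of the FEP documentation: it reads the live profile settings with netsh advfirewall, reports drift from that baseline, and with -Enforce re-applies it. Run it elevated on the endpoint. It assumes English netsh output (field names "State", "Firewall Policy" and "InboundUserNotification"); the netsh commands themselves are standard Windows commands.

```powershell
# Added example (not from the FEP documentation): check and optionally enforce
# the Windows Firewall profile baseline used by the Default Desktop, Standard
# Desktop and High-security policies. Assumption: English netsh field names.
param([switch]$Enforce)

$expected = @{
    'State'                   = 'ON'
    'Firewall Policy'         = 'BlockInbound,AllowOutbound'
    'InboundUserNotification' = 'Enable'
}

function Get-FirewallProfileSettings {
    param([ValidateSet('domain', 'private', 'public')][string]$FwProfile)
    $settings = @{}
    # netsh prints "<name><two or more spaces><value>" per setting; header and
    # separator lines do not match the pattern and are skipped.
    netsh advfirewall show ("{0}profile" -f $FwProfile) | ForEach-Object {
        if ($_ -match '^(\S.*?)\s{2,}(\S.*)$') { $settings[$matches[1].Trim()] = $matches[2].Trim() }
    }
    return $settings
}

function Set-FirewallProfileBaseline {
    param([string]$FwProfile)
    $p = "{0}profile" -f $FwProfile
    netsh advfirewall set $p state on | Out-Null
    # Quoted so PowerShell passes the comma-separated value as one argument.
    netsh advfirewall set $p firewallpolicy 'blockinbound,allowoutbound' | Out-Null
    netsh advfirewall set $p settings inboundusernotification enable | Out-Null
}

$service = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $service -or $service.Status -ne 'Running') {
    Write-Warning 'Windows Firewall service (MpsSvc) is not running; profile settings are not being enforced.'
}

$allCompliant = $true
foreach ($fwProfile in 'domain', 'private', 'public') {
    $actual = Get-FirewallProfileSettings -FwProfile $fwProfile
    $profileOk = $true
    foreach ($name in $expected.Keys) {
        $value = $actual[$name]
        $ok = ($value -ne $null) -and ($value -ieq $expected[$name])
        if (-not $ok) { $profileOk = $false; $allCompliant = $false }
        "{0,-8} {1,-24} expected={2,-27} actual={3,-27} {4}" -f $fwProfile, $name, $expected[$name], $value, $(if ($ok) { 'OK' } else { 'DRIFT' })
    }
    if ($Enforce -and -not $profileOk) {
        Set-FirewallProfileBaseline -FwProfile $fwProfile
        "Re-applied baseline to the $fwProfile profile"
    }
}
if (-not $allCompliant -and -not $Enforce) { exit 1 }
```

A non-zero exit code makes the check usable as a compliance item. Only run it against computers whose FEP policy has Enable Host Firewall protection turned on; under the Default Server and Performance-optimized policies FEP does not manage the firewall, so drift there is not an FEP problem.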




Security Management Pack Monitors


Forefront Endpoint Protection 2010 Security Management Pack Monitors
The following table shows the available monitors in the Forefront Endpoint Protection 2010 Security
Management Pack. For more information about FEP Security Management Pack monitors, see About
Monitors.

                                                                                Generates    Disabled
Monitor name        Monitor description                                         alerts       by default


Real-time           This monitor tracks the state of antimalware real-          Yes          No
Protection          time protection.


Windows             This monitor detects the Windows Firewall state.            Yes          Yes
Firewall


Antimalware         This monitor tracks the health of the antimalware           Yes          No
Engine              client and service.


Antimalware         This monitor detects whether there is a valid               Yes          No
Definitions         definitions file. If the definitions file is missing or
                    corrupt, the monitor will enter a Critical state.


Antimalware         This monitor detects whether the definition file is         Yes          No
Definitions Age     out of date. If the definition file is older than three
                    days, the monitor will enter a Warning state. If the
                    definition is older than five days, the monitor will
                    enter a Critical state.


Additional          This monitor tracks whether additional actions must         Yes          No
Actions Pending     be performed after malware has been blocked and
                    removed from a computer.


Vulnerability      This monitor detects computers that have real-time        No           No
Protection         protection turned off and, additionally, have not
                   performed a scan in the past three days.


Malware            This monitor detects a malware outbreak of both           Yes          No
Outbreak           cleaned and active infections when they occur on
                   more than 5% (by default) of the total number of
                   computers in a time period of one hour (by default).


Deployment         This monitor tracks Forefront Endpoint Protection         Yes          No
Failure            client installation failures and detects computers
                   that require a restart in order to complete the
                   installation.


Active Malware     This monitor tracks failed malware cleanup                Yes          No
                   operations.
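The monitor table states its thresholds precisely: definitions older than three days are a Warning and older than five are Critical; a computer is vulnerable when real-time protection is off and no scan has run for three days; an outbreak is more than 5% of computers reporting detections within one hour. The following script is an added example, not part of the FEP Security Management Pack: it reproduces those three rules so they can be checked without an Operations Manager console. It assumes the FEP client exposes its health through the WMI class AntimalwareHealthStatus in the root\Microsoft\SecurityClient namespace (properties AntivirusSignatureAge, RtpEnabled, LastQuickScanAge and LastFullScanAge); confirm the class and property names on your client. The detection events used for the outbreak check are constructed sample data.

```powershell
# Added example (not from the FEP Security Management Pack): the Definitions Age,
# Vulnerability Protection and Malware Outbreak rules as script functions.
# Assumption: root\Microsoft\SecurityClient\AntimalwareHealthStatus and its
# property names exist as used below.

function Get-DefinitionAgeState {
    param([int]$AgeDays)
    # Monitor rule: older than 3 days -> Warning, older than 5 days -> Critical.
    if ($AgeDays -gt 5) { return 'Critical' }
    if ($AgeDays -gt 3) { return 'Warning' }
    return 'Healthy'
}

function Get-VulnerabilityState {
    param([bool]$RealTimeEnabled, [int]$DaysSinceLastScan)
    # Monitor rule: real-time protection off AND no scan in the past 3 days.
    if (-not $RealTimeEnabled -and $DaysSinceLastScan -gt 3) { return 'Unprotected' }
    return 'Protected'
}

function Test-MalwareOutbreak {
    param(
        [object[]]$Events,             # objects with Computer and Time (DateTime) properties
        [int]$TotalComputers,
        [double]$ThresholdPercent = 5, # monitor default
        [int]$WindowHours = 1          # monitor default
    )
    if ($TotalComputers -le 0) { throw 'TotalComputers must be positive' }
    # Slide a window starting at each event; an outbreak is declared when the
    # distinct computers with detections inside any window exceed the threshold.
    $sorted = @($Events | Sort-Object Time)
    foreach ($start in $sorted) {
        $end = $start.Time.AddHours($WindowHours)
        $inWindow = @($sorted | Where-Object { $_.Time -ge $start.Time -and $_.Time -lt $end })
        $affected = @($inWindow | Select-Object -ExpandProperty Computer -Unique).Count
        $percent = 100.0 * $affected / $TotalComputers
        if ($percent -gt $ThresholdPercent) {
            return New-Object PSObject -Property @{
                Outbreak = $true; WindowStart = $start.Time; AffectedComputers = $affected; Percent = [math]::Round($percent, 1)
            }
        }
    }
    return New-Object PSObject -Property @{ Outbreak = $false; WindowStart = $null; AffectedComputers = 0; Percent = 0 }
}

# --- Local client health (needs the FEP client and its WMI provider) ----------
$health = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus -ErrorAction SilentlyContinue
if ($health) {
    $lastScan = [math]::Min([int64]$health.LastQuickScanAge, [int64]$health.LastFullScanAge)
    "Definitions: {0} day(s) old -> {1}" -f $health.AntivirusSignatureAge, (Get-DefinitionAgeState -AgeDays $health.AntivirusSignatureAge)
    "Protection:  RTP={0}, last scan {1} day(s) ago -> {2}" -f $health.RtpEnabled, $lastScan, (Get-VulnerabilityState -RealTimeEnabled $health.RtpEnabled -DaysSinceLastScan $lastScan)
} else {
    Write-Warning 'AntimalwareHealthStatus not available; is the FEP client installed?'
}

# --- Outbreak check over constructed sample detections -------------------------
$t0 = Get-Date '2011-03-01 09:00'
$sample = @(
    @{ Computer = 'WS01'; Time = $t0 },
    @{ Computer = 'WS02'; Time = $t0.AddMinutes(10) },
    @{ Computer = 'WS02'; Time = $t0.AddMinutes(12) },   # same computer again: counted once
    @{ Computer = 'WS03'; Time = $t0.AddMinutes(40) },
    @{ Computer = 'WS04'; Time = $t0.AddHours(3) }       # outside every one-hour window
) | ForEach-Object { New-Object PSObject -Property $_ }

# 3 distinct computers out of 50 within one hour = 6%, above the 5% default.
Test-MalwareOutbreak -Events $sample -TotalComputers 50
```

Feeding real detections in takes only a change of the `$sample` line; the Operations Manager alert itself remains the authoritative signal, this script merely shows what the thresholds mean.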




Security Management Pack Tasks


Forefront Endpoint Protection 2010 Security Management Pack Tasks
The following table shows the available tasks in the Forefront Endpoint Protection 2010 Security
Management Pack. For more information about FEP tasks, see About Tasks.

                                                                                         Recovery
 Task name            Task description                                                   task


Full Scan             This task will start a full scan on the selected endpoints.        No


Quick Scan            This task will start a quick scan on the selected endpoints.       No


Update                This task will force a definition update on the selected           Yes
Antimalware           endpoints.
Definitions


Stop Scan             This task will stop scans that were started by a task or started   No
                      manually on the client and are running on the selected
                      endpoints. This task will not stop scheduled scans.


Enable Real-time      This task will enable real-time protection on the selected         No
Protection            endpoints.


Disable Real-time     This task will disable real-time protection on the selected        No
Protection            endpoints.


Enable NIS            This task will enable NIS on the selected endpoints.               No


Disable NIS           This task will disable NIS on the selected endpoints.              No


Turn Windows          This task will turn on Windows Firewall at the profile level on    Yes
Firewall On           the selected endpoints.


Turn Windows          This task will turn off Windows Firewall at the profile level on   No
Firewall Off          the selected endpoints.


Retrieve Endpoint     This task will retrieve all effective settings from the selected   No
Settings              endpoints.


Remote Desktop        This task will initiate a remote desktop connection to the         No
Connection            selected computer.


Restart Computer      This task will initiate a restart on the selected computer         Recovery
                      within one minute.                                                 Task Only


Start Antimalware     This task will start the antimalware service on the selected       Recovery
Service               endpoint.                                                          Task Only


  Important:


When a Quick Scan or a Full Scan task is successfully initiated, the task will report a Success
status. However, the success status indicates only that the scan was successfully initiated. It does
not indicate that the scan successfully completed on the client.
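Because a Success status only means the scan was started, a practitioner who needs proof that an endpoint was actually scanned has to look at the client. The following script is an added example, not part of the FEP documentation or the management pack: it starts a quick scan locally, returns immediately as the task does, and then waits for the client's own scan-finished event before reporting success. Run it elevated on the endpoint (for example through remote PowerShell). Assumptions to verify on your client: MpCmdRun.exe ships with the FEP client under %ProgramFiles%\Microsoft Security Client\Antimalware (later clients place it one folder up), "-Scan -ScanType 1" requests a quick scan, and the Microsoft Antimalware event source writes event 1001 to the System log when a scan finishes and 1002 when it is stopped early.

```powershell
# Added example (not from the FEP documentation): start a quick scan and confirm
# completion from the client event log rather than from the start request.
# Assumptions: MpCmdRun.exe location and switches; Microsoft Antimalware events
# 1001 (scan finished) / 1002 (scan stopped) in the System log.
param([int]$TimeoutMinutes = 30)

$candidates = @(
    (Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'),
    (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe')
)
$mpCmdRun = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $mpCmdRun) { throw 'MpCmdRun.exe not found; is the FEP client installed?' }

$started = Get-Date
# Fire the scan request and return at once, which is all the management pack task does.
$proc = Start-Process -FilePath $mpCmdRun -ArgumentList '-Scan', '-ScanType', '1' -PassThru -WindowStyle Hidden
"Scan requested (pid {0}); the request succeeding is not proof that the scan completed." -f $proc.Id

# Poll for a scan-finished (1001) or scan-stopped (1002) event written after the request.
$deadline = $started.AddMinutes($TimeoutMinutes)
$result = $null
while ((Get-Date) -lt $deadline) {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1001, 1002; StartTime = $started
    } -ErrorAction SilentlyContinue
    if ($events) { $result = $events | Sort-Object TimeCreated | Select-Object -Last 1; break }
    Start-Sleep -Seconds 15
}

if (-not $result) {
    Write-Warning ("No scan completion event within {0} minutes; the scan is still running or never started." -f $TimeoutMinutes)
    exit 2
}
if ($result.Id -eq 1002) {
    Write-Warning 'Scan was stopped before it completed.'
    exit 3
}
"Scan completed at {0}" -f $result.TimeCreated
# The completion event's message carries scan type and duration; keep it for the record.
$result.Message
```

The same polling loop works after a Quick Scan or Full Scan task launched from the Operations console: run only the event-log half on the endpoint with $started set to the time the task was executed.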






FEP ADMX Reference
The table below shows the policy settings available after loading FEP ADMX files. For more
information about FEP ADMX files, see Configuring and Viewing FEP Group Policy Settings. For
information about configuring policies by using Configuration Manager, see FEP Policies.

                                                                                       Configurable
                                                                                       via the
                                                                                       Configuration
                                                                                       Manager
 Name            Setting Title      Description                                        console


Forefront        Allow              This policy setting controls the load priority     No
Endpoint         antimalware        for the antimalware service. Increasing the
Protection       service to         load priority will allow for faster service
2010             startup with       startup, but may impact performance.
                 normal priority
                                    If you enable or do not configure this
                                    setting, the antimalware service will load as
                                    a normal priority task.

                                    If you disable this setting, the antimalware
                                    service will load as a low priority task.


Forefront        Turn on spyware    This policy setting allows you to manage           No
Endpoint         definitions        whether spyware definitions are used
Protection                          during a scan.
2010
                                    If you enable or do not configure this
                                    setting, spyware definitions will be enabled
                                    by default and used during scans.

                                    If you disable this setting, spyware
                                    definitions will be disabled and will not be
                                    used during scans.


Forefront        Turn on virus      This policy setting allows you to manage           No
Endpoint         definitions        whether virus definitions are used during a
Protection                          scan.
2010
                                    If you enable or do not configure this
                                    setting, virus definitions will be enabled and
                                    used during scans.

                                    If you disable this setting, virus definitions
                                    will be disabled and will not be used during
                                    scans.


Forefront       Configure local   This policy setting controls whether or not          Yes
Endpoint        administrator     complex list settings configured by a local
Protection      merge behavior    administrator are merged with Group Policy
2010            for lists         settings. This setting applies to lists, such as
                                  threats and exclusions.

                                  If you enable or do not configure this
                                  setting, unique items defined in Group
                                  Policy and in preference settings configured
                                  by the local administrator will be merged
                                  into the resulting effective policy. In the
                                  case of conflicts, Group Policy settings will
                                  override preference settings.

                                  If you disable this setting, only items
                                  defined by Group Policy will be used in the
                                  resulting effective policy. Group Policy
                                  settings will override preference settings
                                  configured by the local administrator.


Forefront       Turn on routine   This policy setting allows you to configure          No
Endpoint        remediation       routinely taking action on detected items. It
Protection                        is recommended that you enable this policy.
2010
                                  If you enable this setting, routine
                                  remediation will be enabled.

                                  If you disable or do not configure this
                                  setting, routine remediation will be
                                  disabled.


Forefront       Define            This policy, if defined, will prevent                No
Endpoint        addresses to      antimalware from using the configured
Protection      bypass proxy      proxy server when communicating with the
2010            server            specified IP addresses. The address value
                                  should be entered as a valid URL.

                                  If you enable this setting, the proxy server
                                  will be bypassed for the specified addresses.

                                  If you disable or do not configure this
                                  setting, the proxy server will not be
                                  bypassed for the specified addresses.


Forefront       Define proxy     This policy setting allows you to configure       No
Endpoint        server for       the named proxy that should be used when
Protection      connecting to    the client attempts to connect to the
2010            the network      network for definition updates and SpyNet
                                 reporting. If the named proxy fails or if
                                 there is no proxy specified, the following
                                 settings will be used (in order):

                                     1. Internet Explorer proxy settings

                                     2. Autodetect

                                     3. None

                                 If you enable this setting, the proxy will be
                                 set to the specified URL.

                                 If you disable or do not configure this
                                 setting, the proxy will be set according to
                                 the order specified above.


Forefront       Randomize        This policy setting allows you to enable or      Yes
Endpoint        scheduled task   disable randomization of the scheduled scan
Protection      times            start time and the scheduled definition
2010                             update start time. This setting is used to
                                 distribute the resource impact of scanning.
                                 For example, it could be used in guest
                                 virtual machines sharing a host, to prevent
                                 multiple guest virtual machines from
                                 undertaking a disk-intensive operation at
                                 the same time.

                                 If you enable or do not configure this
                                 setting, scheduled tasks will begin at a
                                 random time within an interval of 30
                                 minutes before and after the specified start
                                 time.

                                 If you disable this setting, scheduled tasks
                                 will begin at the specified start time.




Forefront       Allow             This policy setting allows you to configure        No
Endpoint        antimalware       whether or not the antimalware service
Protection      service to        remains running when antivirus and
2010            remain running    antispyware definitions are disabled. It is
                always            recommended that this setting remain
                                  disabled.

                                  If you enable this setting, the antimalware
                                  service will always remain running, even if
                                  both antivirus and antispyware definitions
                                  are disabled.

                                  If you disable or do not configure this
                                  setting, the antimalware service will be
                                  stopped when both antivirus and
                                  antispyware definitions are disabled. If the
                                  computer is restarted, the service will be
                                  started if it is set to Automatic startup. After
                                  the service has started, there will be a check
                                  to see if antivirus and antispyware
                                  definitions are enabled. If at least one is
                                  enabled, the service will remain running. If
                                  both are disabled, the service will be
                                  stopped.


Exclusions      Extension         This policy setting allows you to specify a       Yes
                exclusions        list of file types that should be excluded from
                                  scheduled, custom, and real-time scanning.
                                  File types should be added under the
                                  Options for this setting. Each entry must be
                                  listed as a name value pair, where the name
                                  should be a string representation of the file
                                  type extension (such as "obj" or "lib"). The
                                  value is not used and it is recommended
                                  that this be set to 0.


Exclusions      Path exclusions   This policy setting allows you to disable          Yes
                                  scheduled and real-time scanning for files
                                  under the paths specified or for the fully
                                  qualified resources specified. Paths should
                                  be added under the Options for this setting.
                                  Each entry must be listed as a name value
                                  pair, where the name should be a string
                                  representation of a path or a fully qualified
                                  resource name. As an example, a path might
                                  be defined as: "c:\Windows" to exclude all
                                  files in this directory. A fully qualified
                                  resource name might be defined as:
                                  "C:\Windows\App.exe". The value is not
                                  used and it is recommended that this be set
                                  to 0.


Exclusions      Process            This policy setting allows you to disable         Yes
                exclusions         scheduled and real-time scanning for any
                                   file opened by any of the specified
                                   processes. The process itself will not be
                                   excluded. To exclude the process, use the
                                   Path exclusion. Processes should be added
                                   under the Options for this setting. Each
                                   entry must be listed as a name value pair,
                                   where the name should be a string
                                   representation of the path to the process
                                   image. Note that only executables can be
                                   excluded. For example, a process might be
                                   defined as: "c:\windows\app.exe". The
                                   value is not used and it is recommended
                                   that this be set to 0.
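The merge rule described under "Configure local administrator merge behavior for lists" and the three exclusion lists above (extension, path and process) fit together in one check: first compute the exclusion list that will actually be in effect, then review it for entries that remove more scanning coverage than an exclusion normally should. The Python below is an added example written for this page, not FEP documentation or product code. The exclusion entries are constructed, and the "executable extension" and "system directory" heuristics are this example's own choices, not FEP behaviour.

```python
from __future__ import annotations

# Heuristic lists used only by this example (not part of the FEP policy).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "com", "bat", "cmd", "ps1", "vbs", "js"}
SYSTEM_DIRECTORIES = {"c:\\windows", "c:\\users", "c:\\programdata"}


def normalize(name: str) -> str:
    """Fold case and trim whitespace: Windows paths, process images and
    extensions compare case-insensitively, so "C:\\Windows" and "c:\\windows"
    are the same list item when merging."""
    return name.strip().lower()


def effective_list(group_policy: dict[str, int], local_prefs: dict[str, int],
                   merge_enabled: bool = True) -> dict[str, int]:
    """Effective exclusion list for one list type (extensions, paths or processes).

    merge_enabled=True mirrors the policy Enabled / Not configured: unique items
    from both sources are combined and Group Policy wins on conflicts.
    merge_enabled=False mirrors Disabled: only Group Policy items are used.
    """
    gp = {normalize(k): v for k, v in group_policy.items()}
    if not merge_enabled:
        return gp
    merged = {normalize(k): v for k, v in local_prefs.items()}
    merged.update(gp)          # same name in both: Group Policy value wins
    return merged


def review_exclusions(extensions: dict[str, int], paths: dict[str, int],
                      processes: dict[str, int]) -> list[str]:
    """Flag entries that are malformed or remove more scanning coverage than
    an exclusion normally should. Returns human-readable findings."""
    findings: list[str] = []

    def check_value(kind: str, name: str, value: int) -> None:
        # The ADMX text says the value is unused and should be set to 0.
        if value != 0:
            findings.append(f"{kind} {name!r}: value should be 0 (got {value})")

    for name, value in extensions.items():
        check_value("extension", name, value)
        if normalize(name).lstrip(".") in EXECUTABLE_EXTENSIONS:
            findings.append(f"extension {name!r}: executable file type excluded from scanning")

    for name, value in paths.items():
        check_value("path", name, value)
        p = normalize(name).rstrip("\\")
        if p.endswith(":") or p in SYSTEM_DIRECTORIES:
            findings.append(f"path {name!r}: excludes an entire drive or system directory")

    for name, value in processes.items():
        check_value("process", name, value)
        p = normalize(name)
        # The ADMX text wants the path to the process image, executables only.
        if "\\" not in p or not p.endswith(".exe"):
            findings.append(f"process {name!r}: must be the full path of an executable image")

    return findings


def demo() -> list[str]:
    """Constructed sample lists (not from any real deployment)."""
    gp_paths = {"C:\\Windows\\App.exe": 0, "D:\\SqlData": 0}
    local_paths = {"c:\\": 0, "d:\\sqldata": 1}      # conflicting value on SqlData
    extensions = {"obj": 0, "lib": 0, "exe": 0}
    processes = {"c:\\windows\\app.exe": 0, "backup.exe": 0}
    paths = effective_list(gp_paths, local_paths, merge_enabled=True)
    return review_exclusions(extensions, paths, processes)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two points from the ADMX text that the review deliberately reflects: a process exclusion only skips files the listed process opens, never the process image itself (that needs a path exclusion), and with merging enabled a local administrator can widen the effective list, which is why the review is run over the merged result rather than over Group Policy alone.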


Network         Turn on protocol   This policy setting allows you to configure       No
Inspection      recognition        protocol recognition for network protection
System                             against exploits of known vulnerabilities.

                                   If you enable or do not configure this
                                   setting, protocol recognition will be
                                   enabled.

                                   If you disable this setting, protocol
                                   recognition will be disabled.


Network         Turn on            This policy setting allows you to configure       No
Inspection      definition         definition retirement for network
System          retirement         protection against exploits of known
                                   vulnerabilities. Definition retirement checks
                                   to see if a computer has the required
                                   security updates necessary to protect it
                                   against a particular vulnerability. If the
                                   system is not vulnerable to the exploit
                                   detected by a definition, then that
                                   definition is "retired". If all definitions for a
                                   given protocol are retired then that protocol
                                   is no longer parsed. Enabling this feature
                                   helps to improve performance. On a
                                   computer that is up-to-date with all the
                                   latest security updates, network protection
                                   will have no impact on network
                                   performance.

                                   If you enable or do not configure this
                                   setting, definition retirement will be
                                   enabled.

                                   If you disable this setting, definition
                                   retirement will be disabled.
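The retirement rule above reduces to a few lines: a definition is retired once every security update that closes its vulnerability is installed, and a protocol stops being parsed when none of its definitions remain active, which is why a fully patched host sees no network-protection overhead. The Python below is an added illustration, not FEP code. The definition names and update identifiers (UPDATE-A and so on) are constructed placeholders, and mapping one definition to a set of required updates is an assumption of the model.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    name: str
    protocol: str
    required_updates: frozenset[str]   # updates that close the vulnerability it detects


# Constructed catalogue; names and update identifiers are placeholders.
CATALOGUE = (
    Definition("SMB-sig-1", "SMB", frozenset({"UPDATE-A"})),
    Definition("SMB-sig-2", "SMB", frozenset({"UPDATE-B"})),
    Definition("HTTP-sig-1", "HTTP", frozenset({"UPDATE-C"})),
    Definition("RPC-sig-1", "RPC", frozenset({"UPDATE-D", "UPDATE-E"})),
)


def is_retired(defn: Definition, installed: set[str],
               retirement_enabled: bool = True) -> bool:
    """A definition is retired when every update it requires is installed.
    With the policy disabled nothing is ever retired."""
    return retirement_enabled and defn.required_updates <= installed


def active_definitions(catalogue, installed: set[str],
                       retirement_enabled: bool = True) -> list[Definition]:
    """Definitions the engine still has to evaluate on this host."""
    return [d for d in catalogue if not is_retired(d, installed, retirement_enabled)]


def protocols_parsed(catalogue, installed: set[str],
                     retirement_enabled: bool = True) -> set[str]:
    """Protocols that still need inspection: those with at least one active
    definition. An empty set means network protection parses nothing."""
    return {d.protocol for d in active_definitions(catalogue, installed, retirement_enabled)}


if __name__ == "__main__":
    partially_patched = {"UPDATE-A", "UPDATE-C", "UPDATE-D"}
    print("parsed protocols:", sorted(protocols_parsed(CATALOGUE, partially_patched)))
```

In the partially patched case SMB is still parsed because SMB-sig-2 is active, HTTP is dropped entirely, and RPC stays active because only one of its two required updates is present. The same function with an empty update set, or with retirement disabled, returns every protocol.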


Network         Define the rate    This policy setting limits the rate at which        No
Inspection      of detection       detection events for network protection
System          events for         against exploits of known vulnerabilities will
                logging            be logged. Logging will be limited to not
                                   more often than one event per the defined
                                   interval. The interval value is defined in
                                   minutes. The default interval is 60 minutes.

                                   If you enable this setting, detection events
                                   will not be logged if there is more than one
                                   similar report (by definition GUID) in the
                                   specified number of minutes.

                                   If you disable or do not configure this
                                   setting, detection events will be logged at
                                   the default rate.
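The logging rule ("not more often than one event per interval, per definition GUID") can be replayed over a constructed event stream to see exactly which detections reach the log. This Python is an added example, not FEP code. The GUIDs, timestamps and source addresses are constructed, and measuring the interval from the last event that was actually logged for that GUID is an assumption of the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed detection events: (definition GUID, minutes since start, source).
# The GUIDs are placeholders, not real NIS definition identifiers.
SAMPLE_EVENTS = [
    ("guid-A", 0, "10.0.0.5"),
    ("guid-A", 10, "10.0.0.5"),
    ("guid-B", 15, "10.0.0.9"),
    ("guid-A", 59, "10.0.0.7"),
    ("guid-A", 60, "10.0.0.7"),
    ("guid-B", 70, "10.0.0.9"),
    ("guid-B", 80, "10.0.0.9"),
    ("guid-A", 90, "10.0.0.5"),
]


@dataclass
class DetectionLogger:
    """One log entry per definition GUID per interval.

    interval_minutes=60 is the policy default (what applies when the policy is
    disabled or not configured). Assumption for this example: the interval is
    measured from the last event that was actually logged for that GUID.
    """
    interval_minutes: int = 60
    suppressed: int = 0
    _last_logged: dict[str, float] = field(default_factory=dict)

    def should_log(self, definition_guid: str, now_minutes: float) -> bool:
        last = self._last_logged.get(definition_guid)
        if last is not None and now_minutes - last < self.interval_minutes:
            self.suppressed += 1          # similar report inside the window
            return False
        self._last_logged[definition_guid] = now_minutes
        return True


def replay(events, interval_minutes: int = 60) -> list[tuple[str, float, str]]:
    """Return the subset of events (in order) that would reach the event log."""
    logger = DetectionLogger(interval_minutes)
    return [e for e in events if logger.should_log(e[0], e[1])]


if __name__ == "__main__":
    for event in replay(SAMPLE_EVENTS):
        print("logged:", event)
```

With the default 60-minute interval a burst of attempts matching the same definition produces one log line per hour, so when correlating these events with other telemetry a low event count does not mean a low number of attempts. Lowering the interval through this policy gives finer-grained records at the cost of log volume.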


Network         IP address range   This policy, if defined, will prevent network       No
Inspection      exclusions         protection against exploits of known
System                             vulnerabilities from inspecting the specified
Exclusions                         IP addresses. IP addresses should be added
                                   under the Options for this setting. Each
                                   entry must be listed as a name value pair,
                                   where the name should be a string
                                   representation of an IP address range. As an
                                   example, a range might be defined as:
                                   157.1.45.123-60.1.1.1. The value is not used
                                   and it is recommended that this be set to 0.


Network         Port number        This policy setting defines a list of TCP port     No
Inspection      exclusions         numbers from which network traffic
System                             inspection will be disabled. Port numbers
Exclusions                         should be added under the Options for this
                                   setting. Each entry must be listed as a name
                                   value pair, where the name should be a
                                   string representation of a TCP port number.
                                   As an example, a port number might be
                                   defined as: 8080. The value is not used and it is
                                   recommended that this be set to 0.


Network         Process            This policy setting defines processes from         No
Inspection      exclusions for     which outbound network traffic will not be
System          outbound traffic   inspected. Process names should be added
Exclusions                         under the Options for this setting. Each
                                   entry must be listed as a name value pair,
                                   where the name should be a string
                                   representation of a process path and name.
                                   As an example, a process might be defined
                                   as: "C:\Windows\System32\App.exe". The
                                   value is not used and it is recommended
                                   that this be set to 0.


Network         Threat ID          This policy setting defines threats which will     No
Inspection      exclusions         be excluded from detection during network
System                             traffic inspection. Threats should be added
Exclusions                         under the Options for this setting. Each
                                   entry must be listed as a name value pair,
                                   where the name should be a string
                                   representation of a Threat ID. As an
                                   example, a Threat ID might be defined as:
                                   2925110632. The value is not used and it is
                                   recommended that this be set to 0.


Quarantine      Configure local   This policy setting configures a local             Yes
                setting override  override for the configuration of the
                for the removal   number of days items should be kept in the
                of items from     Quarantine folder before being removed.
                Quarantine        This setting can only be set by Group Policy.
                folder

                                  If you enable this setting, the local
                                  preference setting will take priority over
                                  Group Policy.

                                  If you disable or do not configure this
                                  setting, Group Policy will take priority over
                                  the local preference setting.


Quarantine      Configure         This policy setting defines the number of          Yes
                removal of items  days items should be kept in the Quarantine
                from Quarantine   folder before being removed.
                folder
                                  If you enable this setting, items will be
                                  removed from the Quarantine folder after
                                  the number of days specified.

                                  If you disable or do not configure this
                                  setting, items will be kept in the quarantine
                                  folder indefinitely and will not be
                                  automatically removed.


Real-time       Turn on           This policy setting allows you to configure       Yes
Protection      behavior          behavior monitoring.
                monitoring
                                  If you enable or do not configure this
                                  setting, behavior monitoring will be
                                  enabled.

                                  If you disable this setting, behavior
                                  monitoring will be disabled.


Real-time       Turn on           This policy setting allows you to configure       No
Protection      Information       Information Protection Control (IPC).
                Protection
                Control           If you enable this setting, IPC will be
                                  enabled.

                                  If you disable or do not configure this
                                  setting, IPC will be disabled.


Real-time       Turn on network    This policy setting allows you to configure        Yes
Protection      protection         network protection against exploits of
                against exploits   known vulnerabilities.
                of known
                vulnerabilities    If you enable or do not configure this
                                   setting, the network protection will be
                                   enabled.

                                   If you disable this setting, the network
                                   protection will be disabled.


Real-time       Scan all           This policy setting allows you to configure        Yes
Protection      downloaded         scanning for all downloaded files and
                files and          attachments.
                attachments
                                   If you enable or do not configure this
                                   setting, scanning for all downloaded files
                                   and attachments will be enabled.

                                   If you disable this setting, scanning for all
                                   downloaded files and attachments will be
                                   disabled.


Real-time       Monitor file and   This policy setting allows you to configure        Yes
Protection      program activity   monitoring for file and program activity.
                on your
                computer           If you enable or do not configure this
                                   setting, monitoring for file and program
                                   activity will be enabled.

                                   If you disable this setting, monitoring for file
                                   and program activity will be disabled.


Real-time       Turn on raw        This policy setting controls whether raw           No
Protection      volume write       volume write notifications are sent to
                notifications      behavior monitoring.

                                   If you enable or do not configure this
                                   setting, raw write notifications will be
                                   enabled.

                                   If you disable this setting, raw write
                                   notifications will be disabled.


Real-time       Turn on real-      This policy setting allows you to configure     Yes
Protection      time protection    real-time protection. This setting controls all
                                   real-time protection components. It is
                                   recommended that you turn on real-time
                                   protection.

                                   If you enable or do not configure this
                                   setting, real-time protection will be turned
                                   on.

                                   If you disable this setting, real-time
                                   protection will be turned off.


Real-time       Turn on process    This policy setting allows you to configure        Yes
Protection      scanning           process scanning when real-time protection
                whenever real-     is turned on. This helps to catch malware
                time protection    which could start when real-time protection
                is enabled         is turned off.

                                   If you enable or do not configure this
                                   setting, a process scan will be initiated when
                                   real-time protection is turned on.

                                   If you disable this setting, a process scan will
                                   not be initiated when real-time protection is
                                   turned on.


Real-time       Define the         This policy setting defines the maximum size      No
Protection      maximum size of    (in kilobytes) of downloaded files and
                downloaded         attachments that will be scanned.
                files and
                attachments to     If you enable this setting, downloaded files
                be scanned         and attachments smaller than the size
                                   specified will be scanned.

                                   If you disable or do not configure this
                                   setting, a default size will be applied.


Real-time       Configure local    This policy setting configures a local             Yes
Protection      setting override   override for the configuration of behavior
                for turn on        monitoring. This setting can only be set by
                behavior           Group Policy.
                monitoring
                                   If you enable this setting, the local
                                   preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Real-time       Configure local    This policy setting configures a local            Yes
Protection      setting override   override for the configuration of monitoring
                for monitoring     for file and program activity on your
                file and program   computer. This setting can only be set by
                activity on your   Group Policy.
                computer
                                   If you enable this setting, the local
                                   preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Real-time       Configure local    This policy setting configures a local            Yes
Protection      setting override   override for the configuration of network
                to turn off        protection against exploits of known
                Intrusion          vulnerabilities. This setting can only be set
                Prevention         by Group Policy.
                System
                                   If you enable this setting, the local
                                   preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Real-time       Configure local    This policy setting configures a local            Yes
Protection      setting override   override for the configuration of scanning
                for scanning all   for all downloaded files and attachments.
                downloaded         This setting can only be set by Group Policy.
                files and
                attachments        If you enable this setting, the local
                                   preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Real-time       Configure local     This policy setting configures a local            Yes
Protection      setting override    override for the configuration to turn on
                to turn on real-    real-time protection. This setting can only
                time protection     be set by Group Policy.

                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Real-time       Configure local     This policy setting configures a local            Yes
Protection      setting override    override for the configuration of the script
                to turn on script   scanning browser helper object in Internet
                scanning            Explorer. This setting can only be set by
                                    Group Policy.

                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Real-time       Configure local     This policy setting configures a local            Yes
Protection      setting override    override for the configuration of monitoring
                for monitoring      for incoming and outgoing file activity. This
                for incoming and    setting can only be set by Group Policy.
                outgoing file
                activity            If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Real-time       Configure          This policy setting allows you to configure       Yes
Protection      monitoring for     monitoring for incoming and outgoing files
                incoming and       without having to turn off monitoring
                outgoing file and  entirely. It is recommended for servers that
                program activity   have a lot of incoming and outgoing file
                                   activity but, for performance reasons, need
                                   scanning disabled for one scan direction.
                                   The appropriate configuration should be
                                   evaluated based on the server role.

                                   Note that this configuration is only honored
                                   for NTFS volumes. For any other file system
                                   type, full monitoring of file and program
                                   activity will be present on those volumes.

                                   The options for this setting are mutually
                                   exclusive:

                                       1. 0 = Scan incoming and outgoing files
                                          (default)

                                       2. 1 = Scan incoming files only

                                       3. 2 = Scan outgoing files only

                                   Any other value, or if the value does not
                                   exist, resolves to the default (0).

                                   If you enable this setting, the specified type
                                   of monitoring will be enabled.

                                   If you disable or do not configure this
                                   setting, monitoring for incoming and
                                   outgoing files will be enabled.


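The two rules stated above, as an added worked example rather than code from the Technical Reference or from the product: how a "Configure local setting override" policy decides which value wins, and how the raw value of the monitoring-direction setting resolves (0/1/2, anything else back to 0), together with a check for the NTFS-only caveat. Function and parameter names are this example's own, and the precedence rule for the case where neither Group Policy nor an override is configured is a modelling assumption stated in the comments.

```powershell
# Added example, not code from the FEP Technical Reference or from the product.
# Function and parameter names below are this example's own.

function Resolve-EffectiveSetting {
    # Modelling assumption: when the override policy is enabled and a local
    # preference exists, the local value wins; otherwise a configured Group
    # Policy value wins; with neither configured the product default applies.
    # Pass $null for a value that is "not configured".
    param(
        [Parameter(Mandatory)] [bool] $OverrideEnabled,
        $GroupPolicyValue,
        $LocalPreferenceValue,
        $DefaultValue
    )
    if ($OverrideEnabled -and $null -ne $LocalPreferenceValue) {
        return [pscustomobject]@{ Source = 'LocalPreference'; Value = $LocalPreferenceValue }
    }
    if ($null -ne $GroupPolicyValue) {
        return [pscustomobject]@{ Source = 'GroupPolicy'; Value = $GroupPolicyValue }
    }
    if ($null -ne $LocalPreferenceValue) {
        return [pscustomobject]@{ Source = 'LocalPreference'; Value = $LocalPreferenceValue }
    }
    return [pscustomobject]@{ Source = 'Default'; Value = $DefaultValue }
}

function Resolve-ScanDirection {
    # 0 = scan incoming and outgoing files (default), 1 = incoming only,
    # 2 = outgoing only; any other value, or a missing value, resolves to 0.
    param($RawValue)
    if ($RawValue -eq 1) { return 'IncomingOnly' }
    if ($RawValue -eq 2) { return 'OutgoingOnly' }
    return 'IncomingAndOutgoing'
}

function Get-VolumesWithFullMonitoring {
    # The direction setting is honored on NTFS volumes only; on any other file
    # system, full incoming-and-outgoing monitoring applies regardless of the
    # value. This lists the local logical disks where that caveat applies.
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.FileSystem -and $_.FileSystem -ne 'NTFS' } |
        Select-Object DeviceID, FileSystem, VolumeName
}

# Constructed sample: Group Policy sets "incoming only", the local preference
# asks for "outgoing only", and the override policy is not enabled.
$effective = Resolve-EffectiveSetting -OverrideEnabled $false `
    -GroupPolicyValue 1 -LocalPreferenceValue 2 -DefaultValue 0
'Effective scan direction: {0} (from {1})' -f (Resolve-ScanDirection $effective.Value), $effective.Source

# The same raw values with the override policy enabled: the local preference wins.
$effective = Resolve-EffectiveSetting -OverrideEnabled $true `
    -GroupPolicyValue 1 -LocalPreferenceValue 2 -DefaultValue 0
'Effective scan direction: {0} (from {1})' -f (Resolve-ScanDirection $effective.Value), $effective.Source

# Volumes on which the direction value is ignored and full monitoring applies.
Get-VolumesWithFullMonitoring | Format-Table -AutoSize
```

The volume check matters when the direction setting is relaxed for performance on a file server: a FAT or exFAT data volume on that server keeps full monitoring, so the expected performance gain does not apply there.
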
Remediation     Configure local    This policy setting configures a local             Yes
                setting override   override for the configuration of the time to
                for the time of    run a scheduled full scan to complete
                day to run a       remediation. This setting can only be set by
                scheduled full     Group Policy.
                scan to
                complete           If you enable this setting, the local
                remediation        preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Remediation     Specify the day    This policy setting allows you to specify the     Yes
                of the week to     day of the week on which to perform a
                run a scheduled    scheduled full scan in order to complete
                full scan to       remediation. The scan can also be
                complete           configured to run every day or to never run
                remediation        at all.

                                   This setting can be configured with the
                                   following ordinal number values:

                                       •   (0x0) Every Day (default)

                                       •   (0x1) Sunday

                                       •   (0x2) Monday

                                       •   (0x3) Tuesday

                                       •   (0x4) Wednesday

                                       •   (0x5) Thursday

                                       •   (0x6) Friday

                                       •   (0x7) Saturday

                                       •   (0x8) Never

                                   If you enable this setting, a scheduled full
                                   scan to complete remediation will run at the
                                   frequency specified.

                                   If you disable or do not configure this
                                   setting, a scheduled full scan to complete
                                   remediation will run at a default frequency.


Remediation     Specify the time   This policy setting allows you to specify the     Yes
                of day to run a    time of day at which to perform a scheduled
                scheduled full     full scan in order to complete remediation.
                scan to            The time value is represented as the
                complete           number of minutes past midnight (00:00).
                remediation        For example, 120 (0x78) is equivalent to
                                   02:00 AM. The schedule is based on local
                                   time on the computer where the scan is
                                   executing.

                                    If you enable this setting, a scheduled full
                                    scan to complete remediation will run at the
                                    time of day specified.

                                    If you disable or do not configure this
                                    setting, a scheduled full scan to complete
                                    remediation will run at a default time.


Reporting       Configure time      This policy setting configures the time in        No
                out for             minutes before a detection in the
                detections          "additional action" state moves to the
                requiring           "cleared" state.
                additional action


Reporting       Configure time      This policy setting configures the time in        No
                out for             minutes before a detection in the "critically
                detections in       failed" state moves to either the
                critically failed   "additional action" state or the "cleared"
                state               state.


Reporting       Configure           This policy setting allows you to configure       No
                Watson events       whether or not Watson events are sent.

                                    If you enable or do not configure this
                                    setting, Watson events will be sent.

                                    If you disable this setting, Watson events
                                    will not be sent.


Reporting       Configure time      This policy setting configures the time in        No
                out for             minutes before a detection in the "non-
                detections in       critically failed" state moves to the
                non-critical        "cleared" state.
                failed state


Reporting       Configure time      This policy setting configures the time in        No
                out for             minutes before a detection in the
                detections in       "completed" state moves to the "cleared"
                recently            state.
                remediated
                state


Reporting       Configure         This policy configures Windows software            No
                Windows           trace preprocessor (WPP Software Tracing)
                software trace    components.
                preprocessor
                components


Reporting       Configure WPP     This policy allows you to configure tracing        No
                tracing level     levels for Windows software trace
                                  preprocessor (WPP Software Tracing).

                                  Tracing levels are defined as:

                                      •   1 - Error

                                      •   2 - Warning

                                      •   3 - Info

                                      •   4 - Debug


Scan            Allow users to    This policy setting allows you to manage           No
                pause scan        whether or not end users can pause a scan
                                  in progress.

                                  If you enable or do not configure this
                                  setting, a new context menu will be added
                                  to the task tray icon to allow the user to
                                  pause a scan.

                                  If you disable this setting, users will not be
                                  able to pause scans.


Scan            Specify the       This policy setting allows you to configure        No
                maximum depth     the maximum directory depth level into
                to scan archive   which archive files such as .ZIP or .CAB are
                files             unpacked during scanning. The default
                                  directory depth level is 0.

                                  If you enable this setting, archive files will
                                  be scanned to the directory depth level
                                  specified.

                                  If you disable or do not configure this
                                  setting, archive files will be scanned to the
                                  default directory depth level.


Scan            Specify the        This policy setting allows you to configure        No
                maximum size of    the maximum size of archive files such as
                archive files to   .ZIP or .CAB that will be scanned. The value
                be scanned         represents file size in kilobytes (KB). The
                                   default value is 0 and represents no limit to
                                   archive size for scanning.

                                   If you enable this setting, archive files less
                                   than or equal to the size specified will be
                                   scanned.

                                   If you disable or do not configure this
                                   setting, archive files will be scanned
                                   according to the default value.


Scan            Specify the        This policy setting allows you to configure        Yes
                maximum            the maximum percentage CPU utilization
                percentage of      permitted during a scan. Valid values for
                CPU utilization    this setting are a percentage represented by
                during a scan      the integers 5 to 100. A value of 0 indicates
                                   that there should be no throttling of CPU
                                   utilization. The default value is 50.

                                   If you enable this setting, CPU utilization will
                                   not exceed the percentage specified.

                                   If you disable or do not configure this
                                   setting, CPU utilization will not exceed the
                                   default value.


Scan            Check for the      This policy setting allows you to manage           Yes
                latest virus and   whether a check for new virus and spyware
                spyware            definitions will occur before running a scan.
                definitions
                before running a   This setting applies to scheduled scans as
                scheduled scan     well as the command line "mpcmdrun -
                                   SigUpdate", but it has no effect on scans
                                   initiated manually from the user interface.

                                   If you enable this setting, a check for new
                                   definitions will occur before running a scan.

                                   If you disable this setting or do not
                                   configure this setting, the scan will start
                                   using the existing definitions.


Scan            Scan archive     This policy setting allows you to configure         Yes
                files            scans for malicious software and unwanted
                                 software in archive files such as .ZIP or .CAB
                                 files.

                                 If you enable or do not configure this
                                 setting, archive files will be scanned.

                                 If you disable this setting, archive files will
                                 not be scanned.


Scan            Turn on catch-   This policy setting allows you to configure         Yes
                up full scan     catch-up scans for scheduled full scans. A
                                 catch-up scan is a scan that is initiated
                                 because a regularly scheduled scan was
                                 missed. Usually these scheduled scans are
                                 missed because the computer was turned
                                 off at the scheduled time.

                                 If you enable this setting, catch-up scans for
                                 scheduled full scans will be turned on. If a
                                 computer is offline for two consecutive
                                 scheduled scans, a catch-up scan is started
                                 the next time someone logs on to the
                                 computer. If there is no scheduled scan
                                 configured, there will be no catch-up scan
                                 run.

                                 If you disable or do not configure this
                                 setting, catch-up scans for scheduled full
                                 scans will be turned off.


Scan            Turn on catch-   This policy setting allows you to configure         Yes
                up quick scan    catch-up scans for scheduled quick scans. A
                                 catch-up scan is a scan that is initiated
                                 because a regularly scheduled scan was
                                 missed. Usually these scheduled scans are
                                 missed because the computer was turned
                                 off at the scheduled time.

                                 If you enable this setting, catch-up scans for
                                 scheduled quick scans will be turned on. If a
                                 computer is offline for two consecutive
                                 scheduled scans, a catch-up scan is started
                                 the next time someone logs on to the
                                 computer. If there is no scheduled scan
                                 configured, there will be no catch-up scan
                                 run.

                                 If you disable or do not configure this
                                 setting, catch-up scans for scheduled quick
                                 scans will be turned off.

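The catch-up rule given for both the full-scan and quick-scan rows above, as an added model that is not code from the Technical Reference or from the product: a catch-up scan is due at the next logon only when the computer was offline for two consecutive scheduled scans, and never when no scan is scheduled (day ordinal 8). It uses the reference's own encodings, day-of-week ordinals and minutes past midnight, and the function and parameter names are this example's own.

```powershell
# Added example, not code from the FEP Technical Reference or from the product.
# Day ordinals follow the reference: 0 = every day, 1..7 = Sunday..Saturday,
# 8 = never. Function and parameter names are this example's own.

function Get-ScheduledScanTimes {
    # Enumerate the scheduled occurrences that fall in the interval (From, To],
    # with the time of day given as minutes past midnight.
    param(
        [Parameter(Mandatory)] [int] $ScheduleDay,
        [Parameter(Mandatory)] [int] $ScheduleTimeMinutes,
        [Parameter(Mandatory)] [datetime] $From,
        [Parameter(Mandatory)] [datetime] $To
    )
    if ($ScheduleDay -eq 8) { return ,@() }        # nothing is scheduled
    $results = @()
    $day = $From.Date
    while ($day -le $To.Date) {
        $dayOrdinal = [int]$day.DayOfWeek + 1       # .NET Sunday = 0, reference Sunday = 1
        if ($ScheduleDay -eq 0 -or $ScheduleDay -eq $dayOrdinal) {
            $occurrence = $day.AddMinutes($ScheduleTimeMinutes)
            if ($occurrence -gt $From -and $occurrence -le $To) { $results += $occurrence }
        }
        $day = $day.AddDays(1)
    }
    return ,$results
}

function Test-CatchUpScanDue {
    # $true when the reference's condition holds: catch-up enabled and at least
    # two consecutive scheduled scans fell inside the offline window.
    param(
        [Parameter(Mandatory)] [bool] $CatchUpEnabled,
        [Parameter(Mandatory)] [int] $ScheduleDay,
        [Parameter(Mandatory)] [int] $ScheduleTimeMinutes,
        [Parameter(Mandatory)] [datetime] $WentOffline,   # last moment the computer was on
        [Parameter(Mandatory)] [datetime] $LogonTime      # the logon being evaluated
    )
    if (-not $CatchUpEnabled) { return $false }
    $missed = Get-ScheduledScanTimes -ScheduleDay $ScheduleDay `
        -ScheduleTimeMinutes $ScheduleTimeMinutes -From $WentOffline -To $LogonTime
    return (@($missed).Count -ge 2)
}

# Constructed sample: daily scan at 02:00 (ordinal 0, 120 minutes past
# midnight). The computer was shut down Friday 2010-07-09 at 03:00 and a user
# logs on Monday 2010-07-12 at 09:00, so the Saturday, Sunday and Monday
# scans were all missed.
$offline = [datetime]'2010-07-09 03:00'
$logon   = [datetime]'2010-07-12 09:00'
Test-CatchUpScanDue -CatchUpEnabled $true -ScheduleDay 0 -ScheduleTimeMinutes 120 `
    -WentOffline $offline -LogonTime $logon

# Same outage with a weekly Sunday scan (ordinal 1): only one scan was missed.
Test-CatchUpScanDue -CatchUpEnabled $true -ScheduleDay 1 -ScheduleTimeMinutes 120 `
    -WentOffline $offline -LogonTime $logon

# Same outage with no scan scheduled (ordinal 8): no catch-up scan ever runs.
Test-CatchUpScanDue -CatchUpEnabled $true -ScheduleDay 8 -ScheduleTimeMinutes 120 `
    -WentOffline $offline -LogonTime $logon
```

The weekly case is the one worth noticing operationally: with a once-a-week schedule a laptop can be away for up to two weeks minus a day without triggering a catch-up scan, so a weekly full scan with catch-up enabled still does not guarantee a scan within any fixed number of days of a machine returning.
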

Scan            Turn on e-mail   This policy setting allows you to configure         No
                scanning         e-mail scanning. When e-mail scanning is
                                 enabled, the engine will parse the mailbox
                                 and mail files, according to their specific
                                 format, in order to analyze the mail bodies
                                 and attachments. Several e-mail formats are
                                 currently supported, for example: pst
                                 (Microsoft Outlook®), dbx, mbx, mime
                                 (Outlook Express), binhex (Mac).

                                 If you enable this setting, e-mail scanning
                                 will be enabled.

                                 If you disable or do not configure this
                                 setting, e-mail scanning will be disabled.


Scan            Turn on          This policy setting allows you to configure         Yes
                heuristics       heuristics. Suspicious detections will be
                                 suppressed right before reporting to the
                                 engine client. Turning off heuristics will
                                 reduce the capability to flag new threats. It
                                 is recommended that you do not turn off
                                 heuristics.

                                 If you enable or do not configure this
                                 setting, heuristics will be enabled.

                                 If you disable this setting, heuristics will be
                                 disabled.


Scan            Scan packed       This policy setting allows you to configure      No
                executables       scanning for packed executables. It is
                                  recommended that this type of scanning
                                  remain enabled.

                                  If you enable or do not configure this
                                  setting, packed executables will be scanned.

                                  If you disable this setting, packed
                                  executables will not be scanned.


Scan            Scan removable    This policy setting allows you to manage         Yes
                drives            whether or not to scan for malicious
                                  software and unwanted software in the
                                  contents of removable drives, such as USB
                                  flash drives, when running a full scan.

                                  If you enable this setting, removable drives
                                  will be scanned during any type of scan.

                                  If you disable or do not configure this
                                  setting, removable drives will not be
                                  scanned during a full scan. Removable
                                  drives may still be scanned during quick
                                  scan and custom scan.


Scan            Turn on reparse   This policy setting allows you to configure      No
                point scanning    reparse point scanning. If you allow reparse
                                  points to be scanned, there is a possible risk
                                  of recursion. However, the engine supports
                                  following reparse points to a maximum
                                  depth so at worst scanning could be slowed.
                                  Reparse point scanning is disabled by
                                  default and this is the recommended state
                                  for this functionality.

                                  If you enable this setting, reparse point
                                  scanning will be enabled.

                                  If you disable or do not configure this
                                  setting, reparse point scanning will be
                                  disabled.


Scan            Create a system    This policy setting allows you to create a         Yes
                restore point      system restore point on the computer on a
                                   daily basis prior to cleaning.

                                   If you enable this setting, a system restore
                                   point will be created.

                                   If you disable or do not configure this
                                   setting, a system restore point will not be
                                   created.


Scan            Run full scan on   This policy setting allows you to configure        Yes
                mapped             scanning mapped network drives.
                network drives
                                   If you enable this setting, mapped network
                                   drives will be scanned.

                                   If you disable or do not configure this
                                   setting, mapped network drives will not be
                                   scanned.


Scan            Scan network       This policy setting allows you to configure        Yes
                files              scanning for network files. It is
                                   recommended that you do not enable this
                                   setting.

                                   If you enable this setting, network files will
                                   be scanned.

                                   If you disable or do not configure this
                                   setting, network files will not be scanned.


Scan            Configure local    This policy setting configures a local             Yes
                setting override   override for the configuration of maximum
                for maximum        percentage of CPU utilization during scan.
                percentage of      This setting can only be set by Group Policy.
                CPU utilization
                                   If you enable this setting, the local
                                   preference setting will take priority over
                                   Group Policy.

                                   If you disable or do not configure this
                                   setting, Group Policy will take priority over
                                   the local preference setting.


Scan            Configure local     This policy setting configures a local             Yes
                setting override    override for the configuration of the scan
                for the scan type   type to use during a scheduled scan. This
                to use for a        setting can only be set by Group Policy.
                scheduled scan
                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Scan            Configure local     This policy setting configures a local             Yes
                setting override    override for the configuration of scheduled
                for schedule        scan day. This setting can only be set by
                scan day            Group Policy.

                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Scan            Configure local     This policy setting configures a local             Yes
                setting override    override for the configuration of scheduled
                for scheduled       quick scan time. This setting can only be set
                quick scan time     by Group Policy.

                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


Scan            Block unsigned      This policy setting allows you to manage           No
                obfuscated          whether to detect and block binaries that
                executables         are obfuscated or binaries that do not have
                                    a trusted digital signature. For the signature
                                    on a binary to be trusted, it must chain to a
                                    code signing certificate in the Windows
                                    Trusted Root Program.

                                  If you enable this setting, unsigned
                                  obfuscated executables will be blocked.

                                  If you disable or do not configure this
                                  setting, unsigned obfuscated executables
                                  will not be blocked.

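A defender-side inventory to run before enabling the setting above, as an added example that is not code from the Technical Reference or from the product: it lists the executables under a path whose Authenticode signature does not verify and chain to a root trusted on this computer, which is the "unsigned" half of what the setting blocks. It makes no attempt to judge obfuscation; that is the engine's decision. The function name and the sample path are this example's own, and the path is a placeholder.

```powershell
# Added example, not code from the FEP Technical Reference or from the product.
# Uses the built-in Get-AuthenticodeSignature cmdlet; the function name and the
# placeholder path are this example's own.

function Get-UntrustedExecutables {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Extensions = @('*.exe', '*.dll')
    )
    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Status 'Valid' means the signature verified and its chain ends in a
            # root trusted on this computer. Everything else is reported:
            # NotSigned, NotTrusted (chain does not reach a trusted root),
            # HashMismatch (file modified after signing), UnknownError, and so on.
            if ($sig.Status -ne 'Valid') {
                $signer = '(none)'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
}

# Placeholder path; point this at the application folders that matter on the
# computers the policy will apply to.
Get-UntrustedExecutables -Path 'C:\ExamplePath' | Format-Table -AutoSize
```

Because the trust decision is made against the local root store, an internally signed tool that is trusted on a domain-joined workstation (where the enterprise root has been deployed) can show up as NotTrusted on a computer that never received that root; running the inventory on a representative machine of each type avoids surprises after the policy is enabled.
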

Scan            Turn on removal   This policy setting defines the number of          No
                of items from     days items should be kept in the scan
                scan history      history folder before being permanently
                folder            removed. The value represents the number
                                  of days to keep items in the folder. If set to
                                  zero, items will be kept forever and will not
                                  be automatically removed. By default, the
                                  value is set to 30 days.

                                  If you enable this setting, items will be
                                  removed from the scan history folder after
                                  the number of days specified.

                                  If you disable or do not configure this
                                  setting, items will be kept in the scan history
                                  folder for the default number of days.


Scan            Specify the       This policy setting allows you to specify an       Yes
                interval to run   interval at which to perform a quick scan.
                quick scans per   The time value is represented as the
                day               number of hours between quick scans. Valid
                                  values range from 1 (every hour) to 24
                                  (once per day). If set to zero, interval quick
                                  scans will not occur. By default, this setting
                                  is set to 0.

                                  If you enable this setting, a quick scan will
                                  run at the interval specified.

                                  If you disable or do not configure this
                                  setting, a quick scan will run at a default
                                  time.


Scan            Start the           This policy setting allows you to configure        Yes
                scheduled scan      scheduled scans to start only when your
                only when           computer is on but not in use.
                computer is on
                but not in use      If you enable or do not configure this
                                    setting, scheduled scans will only run when
                                    the computer is on but not in use.

                                    If you disable this setting, scheduled scans
                                    will run at the scheduled time.


Scan            Specify the scan    This policy setting allows you to specify the      Yes
                type to use for a   scan type to use during a scheduled scan.
                scheduled scan      Scan type options are:

                                        •   1 = Quick Scan (default)

                                        •   2 = Full Scan

                                    If you enable this setting, the scan type will
                                    be set to the specified value.

                                    If you disable or do not configure this
                                    setting, the default scan type will be used.


Scan            Specify the day     This policy setting allows you to specify the      Yes
                of the week to      day of the week on which to perform a
                run a scheduled     scheduled scan. The scan can also be
                scan                configured to run every day or to never run
                                    at all.

                                    This setting can be configured with the
                                    following ordinal number values:

                                        •   (0x0) Every Day (default)

                                        •   (0x1) Sunday

                                        •   (0x2) Monday

                                        •   (0x3) Tuesday

                                        •   (0x4) Wednesday

                                        •   (0x5) Thursday

                                        •   (0x6) Friday
                                        •   (0x7) Saturday

                                        •   (0x8) Never

                                    If you enable this setting, a scheduled scan
                                    will run at the frequency specified.

                                    If you disable or do not configure this
                                    setting, a scheduled scan will run at a
                                    default frequency.


Scan            Specify the time    This policy setting allows you to specify the      Yes
                for a daily quick   time of day at which to perform a daily
                scan                quick scan. The time value is represented as
                                    the number of minutes past midnight
                                    (00:00). For example, 120 (0x78) is
                                    equivalent to 02:00 AM. By default, this
                                    setting is set to a time value of 2:00 AM. The
                                    schedule is based on local time on the
                                    computer where the scan is executing.

                                    If you enable this setting, a daily quick scan
                                    will run at the time of day specified.

                                    If you disable or do not configure this
                                    setting, a daily quick scan will run at a
                                    default time.


Scan            Specify the time    This policy setting allows you to specify the      Yes
                of day to run a     time of day at which to perform a scheduled
                scheduled scan      scan. The time value is represented as the
                                    number of minutes past midnight (00:00).
                                    For example, 120 (0x78) is equivalent to
                                    02:00 AM. By default, this setting is set to a
                                    time value of 2:00 AM. The schedule is
                                    based on local time on the computer where
                                    the scan is executing.

                                    If you enable this setting, a scheduled scan
                                    will run at the time of day specified.

                                    If you disable or do not configure this
                                    setting, a scheduled scan will run at a
                                    default time.


Signature       Define the        This policy setting allows you to define the      Yes
Updates         number of days    number of days that must pass before
                before spyware    spyware definitions are considered out of
                definitions are   date. If definitions are determined to be out
                considered out    of date, this state may trigger several
                of date           additional actions, including falling back to
                                  an alternative update source or displaying a
                                  warning icon in the user interface. By
                                  default, this value is set to 14 days.

                                  If you enable this setting, spyware
                                  definitions will be considered out of date
                                  after the number of days specified have
                                  passed without an update.

                                  If you disable or do not configure this
                                  setting, spyware definitions will be
                                  considered out of date after the default
                                  number of days have passed without an
                                  update.


Signature       Define the        This policy setting allows you to define the      Yes
Updates         number of days    number of days that must pass before virus
                before virus      definitions are considered out of date. If
                definitions are   definitions are determined to be out of
                considered out    date, this state may trigger several
                of date           additional actions, including falling back to
                                  an alternative update source or displaying a
                                  warning icon in the user interface. By
                                  default, this value is set to 14 days.

                                  If you enable this setting, virus definitions
                                  will be considered out of date after the
                                  number of days specified have passed
                                  without an update.

                                  If you disable or do not configure this
                                  setting, virus definitions will be considered
                                  out of date after the default number of days
                                  have passed without an update.


Signature       Define file       This policy setting allows you to configure       Yes
Updates         shares for        UNC file share sources for downloading
                downloading       definition updates. Sources will be
                definition        contacted in the order specified. The value
                updates           of this setting should be entered as a pipe-
                                  separated string enumerating the definition
                                  update sources. For example: "{\\unc1 |
                                  \\unc2 }". The list is empty by default.

                                  If you enable this setting, the specified
                                  sources will be contacted for definition
                                  updates. Once definition updates have been
                                  successfully downloaded from one specified
                                  source, the remaining sources in the list will
                                  not be contacted.

                                  If you disable or do not configure this
                                  setting, the list will remain empty by default
                                  and no sources will be contacted.


Signature       Turn on scan       This policy setting allows you to configure       Yes
Updates         after signature    the automatic scan which starts after a
                update             definition update has occurred.

                                   If you enable or do not configure this
                                   setting, a scan will start following a
                                   definition update.

                                   If you disable this setting, a scan will not
                                   start following a definition update.


Signature       Allow definition   This policy setting allows you to configure       Yes
Updates         updates when       definition updates when the computer is
                running on         running on battery power.
                battery power
                                   If you enable or do not configure this
                                   setting, definition updates will occur as
                                   usual regardless of power state.

                                   If you disable this setting, definition updates
                                   will be turned off while the computer is
                                   running on battery power.


Signature       Define the order   This policy setting allows you to define the      Yes
Updates         of sources for     order in which different definition update
                downloading        sources should be contacted. The value of
                definition         this setting should be entered as a pipe-
                updates            separated string enumerating the definition
                                   update sources in order. Possible values are:
                                   "InternalDefinitionUpdateServer",
                                   "MicrosoftUpdateServer", "MMPC", and
                                   "FileShares".

                                   For example: {
                                   InternalDefinitionUpdateServer |
                                   MicrosoftUpdateServer | MMPC }

                                   If you enable this setting, definition update
                                   sources will be contacted in the order
                                   specified. Once definition updates have
                                   been successfully downloaded from one
                                   specified source, the remaining sources in
                                   the list will not be contacted.

                                   If you disable or do not configure this
                                   setting, definition update sources will be
                                   contacted in a default order.


Signature       Allow definition   This policy setting allows you to enable           Yes
Updates         updates from       download of definition updates from
                Microsoft          Microsoft Update even if the Automatic
                Update             Updates default server is configured to
                                   another download source such as Windows
                                   Update.

                                   If you enable this setting, definition updates
                                   will be downloaded from Microsoft Update.

                                   If you disable or do not configure this
                                   setting, definition updates will be
                                   downloaded from the configured download
                                   source.
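The "Define the order of sources" and "Define file shares" settings above take free-form pipe-separated strings, and a typo in either silently changes where clients pull definitions from. The PowerShell below is an added example, not part of the FEP documentation or product: it parses both strings, checks them against the four documented source names, and, because any share listed there is a trust boundary (whoever can write to it can hand the client definition files), lists the identities holding write-class rights on each share. Function names, the `\\defsrv01\Definitions` share names, and the assumption that the braces and quotes in the documented examples are illustration rather than part of the stored value are this example's own.

```powershell
# Added example (not from the FEP documentation): validate the two
# pipe-separated strings used by "Define the order of sources for
# downloading definition updates" and "Define file shares for downloading
# definition updates" before they are pushed out by Group Policy.
# Function and parameter names are this example's own.

$ValidSources = @('InternalDefinitionUpdateServer', 'MicrosoftUpdateServer', 'MMPC', 'FileShares')

function Split-PipeList {
    param([string]$Value)
    # The policy text shows the example wrapped in braces/quotes; those are
    # assumed to be illustration and are stripped here (assumption).
    $inner = $Value.Trim().Trim('"').Trim('{', '}')
    $inner -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Test-FepDefinitionSources {
    param(
        [Parameter(Mandatory)][string]$FallbackOrder,
        [string]$FileShares = ''
    )
    $order    = @(Split-PipeList $FallbackOrder)
    $shares   = @(Split-PipeList $FileShares)
    $problems = New-Object System.Collections.Generic.List[string]

    foreach ($src in $order) {
        if ($ValidSources -notcontains $src) { $problems.Add("Unknown source '$src'") }
    }
    foreach ($d in ($order | Group-Object | Where-Object Count -gt 1)) {
        $problems.Add("Source '$($d.Name)' listed more than once")
    }
    foreach ($s in $shares) {
        # Accept only \\server\share[\path]; a mapped drive or URL is not a file share source.
        if ($s -notmatch '^\\\\[^\\\s]+\\[^\\\s]+') { $problems.Add("'$s' is not a UNC share path") }
    }
    if (($order -contains 'FileShares') -and $shares.Count -eq 0) {
        $problems.Add("FileShares is in the order but no shares are defined; that source is a no-op")
    }
    if (($order -notcontains 'FileShares') -and $shares.Count -gt 0) {
        $problems.Add("Shares are defined but FileShares is absent from the order; they are never used")
    }

    [pscustomobject]@{
        Order    = $order
        Shares   = $shares
        Problems = $problems.ToArray()
        IsValid  = ($problems.Count -eq 0)
    }
}

function Get-FepShareWriters {
    # Every share in the list is a trust boundary: whoever can write to it can
    # feed the client arbitrary definition files. List the identities that hold
    # write-class rights so the ACL can be reviewed. Needs network access.
    param([Parameter(Mandatory)][string[]]$Share)
    foreach ($s in $Share) {
        if (-not (Test-Path -LiteralPath $s)) { Write-Warning "$s is not reachable"; continue }
        (Get-Acl -LiteralPath $s).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.FileSystemRights -match 'Write|Modify|FullControl' } |
            Select-Object @{n='Share';e={$s}}, IdentityReference, FileSystemRights
    }
}

# Constructed input in the format the policy descriptions show; share names are made up.
$result = Test-FepDefinitionSources `
    -FallbackOrder '{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC | FileShares }' `
    -FileShares    '{\\defsrv01\Definitions | \\defsrv02\Definitions }'
$result | Format-List
# On a domain-joined host, review who can write to the shares the clients will trust:
# Get-FepShareWriters -Share $result.Shares
```

Run the validation against the exact strings you intend to put in the policy; the IsValid flag and Problems list tell you whether the order and share list agree with each other, and Get-FepShareWriters gives you the ACL review that belongs in the change before the share becomes a definition source.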


Signature       Allow real-time    This policy setting allows you to enable real- No
Updates         definition         time definition updates in response to
                updates based      reports sent to Microsoft SpyNet. If the
                on reports to      service reports a file as an unknown and
                Microsoft          Microsoft SpyNet finds that the latest
                SpyNet             definition update has definitions for a threat
                                   involving that file, the service will receive all
                                   of the latest definitions for that threat
                                   immediately. You must have configured
                                   your computer to join Microsoft SpyNet for
                                   this functionality to work.

                                   If you enable or do not configure this
                                   setting, real-time definition updates will be
                                   enabled.

                                   If you disable this setting, real-time
                                   definition updates will be disabled.


Signature       Specify the day   This policy setting allows you to specify the      Yes
Updates         of the week to    day of the week on which to check for
                check for         definition updates. The check can also be
                definition        configured to run every day or to never run
                updates           at all.

                                  This setting can be configured with the
                                  following ordinal number values:

                                      •   (0x0) Every Day (default)

                                      •   (0x1) Sunday

                                      •   (0x2) Monday

                                      •   (0x3) Tuesday

                                      •   (0x4) Wednesday

                                      •   (0x5) Thursday

                                      •   (0x6) Friday

                                      •   (0x7) Saturday

                                      •   (0x8) Never

                                  If you enable this setting, the check for
                                  definition updates will occur at the
                                  frequency specified.

                                  If you disable or do not configure this
                                  setting, the check for definition updates will
                                  occur at a default frequency.


Signature       Specify the time   This policy setting allows you to specify the      Yes
Updates         to check for       time of day at which to check for definition
                definition         updates. The time value is represented as
                updates            the number of minutes past midnight
                                   (00:00). For example, 120 (0x78) is
                                   equivalent to 02:00 AM. By default this
                                   setting is configured to check for definition
                                   updates 15 minutes before the scheduled
                                   scan time. The schedule is based on local
                                   time on the computer where the check is
                                   occurring.

                                   If you enable this setting, the check for
                                   definition updates will occur at the time of
                                   day specified.

                                   If you disable or do not configure this
                                   setting, the check for definition updates will
                                   occur at the default time.
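The scan and definition-update schedule settings above all use the same two encodings: a day-of-week ordinal (0 = Every Day through 8 = Never) and a time expressed as minutes past midnight, with the update check defaulting to 15 minutes before the scan. The PowerShell below is an added example, not code from the FEP documentation or product: it converts between clock time and the minute value, works out the matching update-check time including the wrap across midnight, and decodes what a client actually has in its policy registry keys so the applied schedule can be audited. The registry root `HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware`, the `ScheduleDay` and `ScheduleTime` value names, and all function names are assumptions of this example.

```powershell
# Added example (not from the FEP documentation): encode and decode the
# schedule values used by the Scan and Signature Updates settings, and read
# back what a client actually has in its policy registry keys.
# Registry paths and value names are assumptions; verify on a managed client.

$DayNames = @('Every Day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')

function ConvertTo-FepMinutes {
    # "02:00" -> 120 (minutes past midnight, the unit the policy expects)
    param([Parameter(Mandatory)][string]$Time)
    if ($Time -notmatch '^([01]?\d|2[0-3]):([0-5]\d)$') { throw "Time must be HH:mm, got '$Time'" }
    [int]$Matches[1] * 60 + [int]$Matches[2]
}

function ConvertFrom-FepMinutes {
    # 120 -> "02:00"; rejects values outside a single day
    param([Parameter(Mandatory)][int]$Minutes)
    if ($Minutes -lt 0 -or $Minutes -gt 1439) { throw "Minute value $Minutes is outside 0..1439" }
    '{0:D2}:{1:D2}' -f [int][math]::Floor($Minutes / 60), ($Minutes % 60)
}

function ConvertTo-FepDay {
    # 'Saturday' -> 7, 'Every Day' -> 0, 'Never' -> 8
    param([Parameter(Mandatory)][string]$Day)
    $i = [array]::IndexOf($DayNames, $Day)
    if ($i -lt 0) { throw "Unknown day '$Day'; use one of: $($DayNames -join ', ')" }
    $i
}

function Get-FepScheduleValues {
    # Produce the four values to push for a scheduled scan and the matching
    # definition update check. The check defaults to 15 minutes before the
    # scan so the scan runs on fresh definitions; the offset wraps across
    # midnight (a 00:05 scan means a 23:50 check).
    param(
        [Parameter(Mandatory)][string]$ScanDay,
        [Parameter(Mandatory)][string]$ScanTime,
        [int]$UpdateLeadMinutes = 15
    )
    $scan   = ConvertTo-FepMinutes $ScanTime
    $update = (($scan - $UpdateLeadMinutes) % 1440 + 1440) % 1440
    [ordered]@{
        'Scan\ScheduleDay'               = ConvertTo-FepDay $ScanDay
        'Scan\ScheduleTime'              = $scan
        'Signature Updates\ScheduleDay'  = ConvertTo-FepDay $ScanDay
        'Signature Updates\ScheduleTime' = $update
    }
}

function Get-FepEffectiveSchedule {
    # Decode what Group Policy has actually written on this client.
    param([string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware')  # assumption
    foreach ($key in 'Scan', 'Signature Updates') {
        $path = Join-Path $PolicyRoot $key
        if (-not (Test-Path $path)) { Write-Warning "$path not present: client is using defaults"; continue }
        $p   = Get-ItemProperty -Path $path
        $day = if ($null -eq $p.ScheduleDay) { '(default)' }
               elseif ($p.ScheduleDay -ge 0 -and $p.ScheduleDay -le 8) { $DayNames[$p.ScheduleDay] }
               else { "(invalid: $($p.ScheduleDay))" }
        $time = if ($null -eq $p.ScheduleTime) { '(default)' } else { ConvertFrom-FepMinutes $p.ScheduleTime }
        [pscustomobject]@{ Key = $key; Day = $day; Time = $time }
    }
}

# Worked values for a Saturday 02:00 scan (the document's own 120 = 02:00 example):
Get-FepScheduleValues -ScanDay Saturday -ScanTime '02:00'     # scan 120, update check 105 (01:45)
Get-FepScheduleValues -ScanDay 'Every Day' -ScanTime '00:05'  # update check wraps to 1430 (23:50)
# On a managed client, compare the intended values against what policy applied:
# Get-FepEffectiveSchedule
```

The midnight wrap is the case worth checking: a scan scheduled in the first 15 minutes of the day needs an update-check minute near 1439, not a negative number, and a definition day of Never (8) paired with a weekly scan means the scan will run on whatever definitions the catch-up interval left behind.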


Signature       Allow              This policy setting allows you to configure        No
Updates         notifications to   the antimalware service to receive
                disable            notifications to disable individual definitions
                definitions        in response to reports it sends to Microsoft
                based on reports   SpyNet. Microsoft SpyNet uses these
                to Microsoft       notifications to disable definitions that are
                SpyNet             causing false positive reports. You must
                                   have configured your computer to join
                                   Microsoft SpyNet for this functionality to
                                   work.

                                   If you enable or do not configure this
                                   setting, the antimalware service will
                                   receive notifications to disable definitions.

                                   If you disable this setting, the antimalware
                                   service will not receive notifications to
                                   disable definitions.


Signature       Define the         This policy setting allows you to define the       Yes
Updates         number of days     number of days after which a catch-up
                after which a      definition update will be required. By
                catch-up           default, the value of this setting is 1 day.
                definition
                update is          If you enable this setting, a catch-up
                required           definition update will occur after the
                                   specified number of days.

                                   If you disable or do not configure this
                                   setting, a catch-up definition update will be
                                   required after the default number of days.


Signature       Specify the         This policy setting allows you to specify an      Yes
Updates         interval to check   interval at which to check for definition
                for definition      updates. The time value is represented as
                updates             the number of hours between update
                                    checks. Valid values range from 1 (every
                                    hour) to 24 (once per day).

                                    If you enable this setting, checks for
                                    definition updates will occur at the interval
                                    specified.

                                    If you disable or do not configure this
                                    setting, checks for definition updates will
                                    occur at the default interval.


Signature       Check for the       This policy setting allows you to manage          No
Updates         latest virus and    whether a check for new virus and spyware
                spyware             definitions will occur immediately after
                definitions on      service startup.
                startup
                                    If you enable this setting, a check for new
                                    definitions will occur after service startup.

                                    If you disable or do not configure this
                                    setting, a check for new definitions will not
                                    occur after service startup.


SpyNet          Configure local     This policy setting configures a local            Yes
                setting override    override for the configuration to join
                for reporting to    Microsoft SpyNet. This setting can only be
                Microsoft           set by Group Policy.
                SpyNet
                                    If you enable this setting, the local
                                    preference setting will take priority over
                                    Group Policy.

                                    If you disable or do not configure this
                                    setting, Group Policy will take priority over
                                    the local preference setting.


SpyNet          Join Microsoft   This policy setting allows you to join            Yes
                SpyNet           Microsoft SpyNet. Microsoft SpyNet is the
                                 online community that helps you choose
                                 how to respond to potential threats. The
                                 community also helps stop the spread of
                                 new malicious software infections.

                                 You can choose to send basic or additional
                                 information about detected software.
                                 Additional information helps Microsoft
                                 create new definitions and helps it protect
                                 your computer. This information can include
                                 things like the location of detected items on
                                 your computer if harmful software was
                                 removed. The information will be
                                 automatically collected and sent. In some
                                 instances, personal information might
                                 unintentionally be sent to Microsoft.
                                 However, Microsoft will not use this
                                 information to identify you or contact you.

                                 Possible options are:

                                     •   (0x0) Disabled (default)

                                     •   (0x1) Basic membership

                                     •   (0x2) Advanced membership

                                 Basic membership will send basic
                                 information to Microsoft about software
                                 that has been detected, including where the
                                 software came from, the actions that you
                                 apply or that are applied automatically, and
                                 whether the actions were successful.

                                 Advanced membership, in addition to basic
                                 information, will send more information to
                                 Microsoft about malicious software,
                                 spyware, and potentially unwanted
                                 software, including the location of the
                                 software, file names, how the software
                                 operates, and how it has impacted your
                                 computer.

                                 If you enable this setting, you will join
                                 Microsoft SpyNet with the membership
                                 specified.

                                 If you disable or do not configure this
                                 setting, you will not join Microsoft SpyNet.


Threats         Specify threats   This policy setting allows you to customize       Yes
                upon which        which remediation action will be taken for
                default action    each listed Threat ID when it is detected
                should not be     during a scan. Threats should be added under
                taken when        the Options for this setting. Each entry must
                detected          be listed as a name value pair. The name
                                  defines a valid Threat ID, while the value
                                  contains the action ID for the remediation
                                  action that should be taken.

                                  Valid remediation action values are:

                                      •   2 = Quarantine

                                      •   3 = Remove

                                      •   6 = Ignore


Threats         Specify threat    This policy setting allows you to customize       Yes
                alert levels at   which automatic remediation action will be
                which default     taken for each threat alert level. Threat
                action should     alert levels should be added under the
                not be taken      Options for this setting. Each entry must be
                when detected     listed as a name value pair. The name
                                  defines a threat alert level. The value
                                  contains the action ID for the remediation
                                  action that should be taken.

                                  Valid threat alert levels are:

                                      •   1 = Low

                                      •   2 = Medium

                                      •   4 = High

                                      •   5 = Severe

                                  Valid remediation action values are:

                                      •   2 = Quarantine

                                      •   3 = Remove

                                      •   6 = Ignore


UX               Display            This policy setting allows you to configure         Yes
Configuration    notifications to   whether or not to display notifications to
                 clients when       clients when they need to perform the
                 they need to       following actions:
                 perform actions
                                        •   Run a full scan

                                        •   Download the latest virus and
                                            spyware definitions

                                        •   Download Standalone System
                                            Sweeper

                                    If you enable or do not configure this
                                    setting, notifications will be displayed to
                                    clients when they need to perform the
                                    specified actions.

                                    If you disable this setting, notifications will
                                    not be displayed to clients when they need
                                    to perform the specified actions.
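The two Threats settings above are name/value lists with no validation on the management side: a wrong action ID, a severity that is not 1, 2, 4 or 5, or an Ignore (6) against High or Severe detections goes out to every client as typed. The PowerShell below is an added example, not part of the FEP documentation or product: it checks a proposed set of overrides against the documented action and alert-level IDs, flags Ignore on High/Severe for explicit sign-off, and writes the pairs as DWORD values with -WhatIf support so the change can be previewed first. The registry root `HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats`, the `ThreatIDDefaultAction` and `ThreatSeverityDefaultAction` subkey names, the Threat ID `2147000001`, and the assumption that Threat IDs are decimal integers are this example's own.

```powershell
# Added example (not from the FEP documentation): build and sanity-check the
# name/value pairs for the two Threats settings before they are deployed.
# The registry subkey names and the assumption that Threat IDs are decimal
# integers are this example's own; confirm them against an exported policy.

$ActionNames   = @{ 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Ignore' }
$SeverityNames = @{ 1 = 'Low'; 2 = 'Medium'; 4 = 'High'; 5 = 'Severe' }

function Test-FepThreatOverrides {
    param(
        [hashtable]$ThreatActions   = @{},   # Threat ID -> action ID
        [hashtable]$SeverityActions = @{}    # alert level -> action ID
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $risky    = New-Object System.Collections.Generic.List[string]

    foreach ($e in $ThreatActions.GetEnumerator()) {
        if ("$($e.Key)" -notmatch '^\d+$') { $problems.Add("Threat ID '$($e.Key)' is not numeric") }
        if (-not $ActionNames.ContainsKey([int]$e.Value)) {
            $problems.Add("Threat $($e.Key): action $($e.Value) is not 2, 3 or 6")
        }
    }
    foreach ($e in $SeverityActions.GetEnumerator()) {
        $sev = [int]$e.Key; $act = [int]$e.Value
        if (-not $SeverityNames.ContainsKey($sev)) { $problems.Add("Severity $sev is not 1, 2, 4 or 5"); continue }
        if (-not $ActionNames.ContainsKey($act))   { $problems.Add("Severity $($SeverityNames[$sev]): action $act is not 2, 3 or 6"); continue }
        # Ignoring High or Severe detections leaves confirmed malware in place
        # on every client; flag it for explicit sign-off rather than rejecting.
        if ($act -eq 6 -and $sev -ge 4) { $risky.Add("Severity $($SeverityNames[$sev]) is set to Ignore") }
    }
    [pscustomobject]@{
        Problems = $problems.ToArray()
        Risky    = $risky.ToArray()
        IsValid  = ($problems.Count -eq 0)
    }
}

function Set-FepThreatOverrides {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [hashtable]$ThreatActions   = @{},
        [hashtable]$SeverityActions = @{},
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Threats'  # assumption
    )
    $check = Test-FepThreatOverrides -ThreatActions $ThreatActions -SeverityActions $SeverityActions
    if (-not $check.IsValid) { throw ($check.Problems -join '; ') }
    # Subkey names are an assumption of this example.
    $map = @{ 'ThreatIDDefaultAction' = $ThreatActions; 'ThreatSeverityDefaultAction' = $SeverityActions }
    foreach ($sub in $map.Keys) {
        $path = Join-Path $PolicyRoot $sub
        foreach ($e in $map[$sub].GetEnumerator()) {
            $label = "Set DWORD $($e.Value) ($($ActionNames[[int]$e.Value]))"
            if ($PSCmdlet.ShouldProcess("$path\$($e.Key)", $label)) {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                New-ItemProperty -Path $path -Name "$($e.Key)" -Value ([int]$e.Value) -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Constructed input: quarantine Low/Medium, remove High/Severe, and ignore one
# hypothetical Threat ID standing in for a known false positive.
$severity = @{ 1 = 2; 2 = 2; 4 = 3; 5 = 3 }
$threats  = @{ 2147000001 = 6 }   # hypothetical ID
Test-FepThreatOverrides -ThreatActions $threats -SeverityActions $severity | Format-List
# Dry run showing exactly what would be written, without touching the registry:
Set-FepThreatOverrides -ThreatActions $threats -SeverityActions $severity -WhatIf
```

Keep the Ignore entries short and reviewed: each one is a permanent exclusion the client will apply to every future detection of that Threat ID, and the Risky list is the place to catch a severity-wide Ignore before it reaches the fleet.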




FEP2010 Client Help
This section of the Microsoft Forefront Endpoint Protection 2010 Technical Reference contains the
help included with the Forefront Endpoint Protection client software.

Welcome to Microsoft Forefront Endpoint Protection
This version of Microsoft® Forefront® Endpoint Protection 2010 includes the following new features
and enhancements to better help protect your computer from threats:

   •   Windows Firewall integration. Forefront Endpoint Protection setup enables you to turn
       Windows Firewall on or off.

    •   Network Inspection System. This feature enhances real-time protection by inspecting
        network traffic to help proactively block exploitation of known network-based vulnerabilities.

    •   New and improved protection engine. The updated engine offers enhanced detection and
        cleanup capabilities with better performance.

These features are described in more detail in the following sections.

Windows Firewall integration
Windows Firewall can help prevent attackers or malicious software from gaining access to your
computer through the Internet or a network. Now when you install Forefront Endpoint Protection,
the installation wizard verifies that Windows Firewall is turned on. If you have intentionally turned
off Windows Firewall, you can avoid turning it on by clearing a check box. You can change your
Windows Firewall settings at any time via the System and Security settings in Control Panel.

Network Inspection System
Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before
software vendors can develop and distribute security updates. Studies of vulnerabilities show that it
can take a month or longer from the time of an initial attack report before a suitable security update
is developed, tested, and released. This gap in protection leaves many computers vulnerable to
attacks and exploitation for a substantial period of time. Network Inspection System works with real-
time protection to better protect you against network-based attacks by greatly reducing the
timespan between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine
Under the hood of Forefront Endpoint Protection is its award-winning protection engine that is
updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft
Malware Protection Center, providing responses to the latest malware threats 24 hours a day.

Why do I need antivirus and antispyware software?
It is critical to make sure that your computer is running software that protects against malicious
software. Malicious software, which includes viruses, spyware, and other potentially unwanted
software, can try to install itself on your computer any time you connect to the Internet. It can also
infect your computer when you install a program from a CD, DVD, or other removable media.
Malicious software can also be programmed to run at unexpected times, not just when it is installed.

Microsoft Forefront Endpoint Protection 2010 offers three ways to help keep malicious software
from infecting your computer:

    •   Using real-time protection—Real-time protection enables Forefront Endpoint Protection to
        monitor your computer all the time and alert you when malicious software, including viruses,
        spyware, or other potentially unwanted software, attempts to install itself or run on your
        computer. Forefront Endpoint Protection then suspends the software and enables you to
        follow its recommendation on the software or take an alternative action.

    •   Scanning options—You can use Forefront Endpoint Protection to scan for potential threats,
        such as viruses, spyware, and other malicious software that might put your computer at risk.
        You can also use it to schedule scans on a regular basis and to remove malicious software
        that is detected during a scan.

    •   Microsoft SpyNet® community—The online Microsoft SpyNet community helps you see how
        other people respond to software that has not yet been classified for risks. You can use this
        information to help you choose whether to allow this software on your computer. In turn, if
        you participate, your choices are added to the community ratings to help other people
        decide what to do.

How can I tell if my computer is infected with malicious software?
You might have some form of malicious software, including viruses, spyware, or other potentially
unwanted software, on your computer if:

    •   You notice new toolbars, links, or favorites that you did not intentionally add to your Web
        browser.

    •   Your home page, mouse pointer, or search program changes unexpectedly.

    •   You type the address for a specific site, such as a search engine, but you are taken to a
        different Web site without notice.

    •   Files are automatically deleted from your computer.

    •   Your computer is used to attack other computers.

    •   You see pop-up ads, even if you're not on the Internet.

    •   Your computer suddenly starts running more slowly than it usually does. Not all computer
        performance problems are caused by malicious software, but malicious software, especially
        spyware, can cause a noticeable change.

There might be malicious software on your computer even if you don't see any symptoms. This type
of software can collect information about you and your computer without your knowledge or
consent. To help protect your privacy and your computer, you should run Microsoft Forefront
Endpoint Protection 2010 at all times.

What should I do if Forefront Endpoint Protection detects malicious software on my
computer?
If Microsoft Forefront Endpoint Protection 2010 detects malicious software or potentially unwanted
software on your computer (either when monitoring your computer using real-time protection or
after running a scan), it notifies you about the detected item by displaying a notification message in
the bottom right-hand corner of your screen.

The notification message includes a Clean computer button and a Show details link that lets you
view additional information about the detected item. Click the Show details link to open the
Potential threat details window to get additional information about the detected item. You can now
choose which action to apply to the item, or click Clean computer. If you need help determining
which action to apply to the detected item, use the alert level that Forefront Endpoint Protection
assigned to the item as your guide (for more information, see Understanding alert levels).

Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted
software. While Forefront Endpoint Protection will recommend that you remove all viruses and
spyware, not all software that is flagged is malicious or unwanted. The following information can
help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software
on your computer.

Depending on the alert level, you can choose one of the following actions to apply to the detected
item:

    •   Remove—This action permanently deletes the software from your computer.

    •   Quarantine—This action quarantines the software so that it can't run. When Forefront
        Endpoint Protection quarantines software, it moves it to another location on your computer,
        and then prevents the software from running until you choose to restore it or remove it from
        your computer.

    •   Allow—This action adds the software to the Forefront Endpoint Protection allowed list and
        allows it to run on your computer. Forefront Endpoint Protection will stop alerting you to
        risks that the software might pose to your privacy or to your computer.


   Caution:


If you choose Allow for an item, such as software, Forefront Endpoint Protection will stop alerting
you to risks that the software might pose to your privacy or to your computer. Therefore, add
software to the allowed list only if you trust the software and the software publisher.

Using Forefront Endpoint Protection to remove potentially harmful software
To remove all unwanted or potentially harmful items that Microsoft Forefront Endpoint Protection
2010 detects quickly and easily, use the Clean computer option.

    1. When you see the notification message that Forefront Endpoint Protection displays in the
       Notification area after it detects potential threats, click Clean computer.

    2. Forefront Endpoint Protection removes the potential threat (or threats), and then notifies
       you when it's finished cleaning your computer.

    3. To learn more about the detected threats, click the History tab, and then select All detected
       items.

    4. If you don't see all the detected items, click View details. If you're prompted for an
       administrator password or confirmation, type the password or confirm the action. On
       systems running Windows XP, you may need to log on as an administrator on this computer.


  Note:


During computer cleanup, whenever possible, Forefront Endpoint Protection removes only the
infected part of a file, not the entire file.


Frequently asked questions about malicious software
Here are answers to some common questions about malicious software.

What is a virus?
Computer viruses are software programs deliberately designed to interfere with computer operation,
to record, corrupt, or delete data, or to infect other computers throughout the Internet. Viruses
often slow things down and cause other problems in the process.

What is spyware?
Spyware is software that can install itself or run on your computer without getting your consent or
providing you with adequate notice or control. Spyware might not display symptoms after it infects
your computer, but many malicious or unwanted programs can affect how your computer runs. For
example, spyware can monitor your online behavior or collect information about you (including
information that can identify you or other sensitive information), change settings on your computer,
or cause your computer to run slowly.

What's the difference between viruses, spyware, and other potentially harmful software?
Both viruses and spyware are installed on your computer without your knowledge and both have the
potential to be intrusive and destructive. They also have the ability to capture information on your
computer and damage or delete that information. They both can negatively affect your computer's
performance.

The main difference between viruses and spyware is how they behave on your computer. Viruses,
like living organisms, want to infect a computer, replicate, and then spread to as many other
computers as possible. Spyware, however, is more like a mole—it wants to "move into" your
computer and stay there as long as possible, sending valuable information about your computer to
an outside source while it is there.

Where do viruses, spyware, and other potentially unwanted software come from?
Unwanted software, such as viruses, can be installed by Web sites or by programs that you download
or that you install using a CD, DVD, external hard disk, or a device. Spyware is most commonly
installed through free software, such as file sharing, screen savers, or search toolbars.

Can I get malicious software without knowing it?
Yes, some malicious software can be installed from a Web site through an embedded script or
program in a Web page. Some malicious software requires your help to install it. This software uses
Web pop-ups or free software that requires you to accept a downloadable file. However, if you keep
Microsoft Windows® up to date and don't reduce your security settings, you can minimize the
chances of an infection.

Why is it important to review license agreements before installing software?
When you visit Web sites, do not automatically agree to download anything the site offers. If you
download free software, such as file sharing programs or screen savers, read the license agreement
carefully. Look for clauses that say that you must accept advertising and pop-ups from the company,
or that the software will send certain information back to the software publisher.

What's the difference between Microsoft Forefront Endpoint Protection 2010 and Windows
Defender?
Forefront Endpoint Protection is antimalware software, which means that it's designed to detect and
help protect your computer against a wide range of malicious software, including viruses, spyware,
and other potentially unwanted software. Windows Defender, which is automatically installed with
your Windows operating system, is software that detects and stops spyware. To learn more about
Windows Defender, visit the Windows Defender Web site
(http://go.microsoft.com/fwlink/?LinkId=155580).

Why doesn't Forefront Endpoint Protection detect cookies?
Cookies are small text files that Web sites put on your computer to store information about you and
your preferences. Web sites use cookies to offer you a personalized experience and to gather
information about Web site use. Forefront Endpoint Protection doesn't detect cookies, because it
doesn't consider them a threat to your privacy or to the security of your computer. Most Internet
browser programs allow you to block cookies. For information about blocking cookies in Windows
Internet Explorer, see Block or allow cookies (http://go.microsoft.com/fwlink/?LinkId=155585).

How to help prevent malicious software infections
Two of the biggest concerns for computer users today are viruses and spyware. In both cases, while
these can be a problem, you can defend yourself against them easily enough with just a little bit of
planning:

    •   Keep your computer’s software current and remember to install all patches. Remember to
        update your operating system on a regular basis.

    •   Make sure your antivirus and antispyware software, Microsoft Forefront Endpoint Protection
        2010, is using the latest updates against potential threats (see Keeping virus and spyware
        definitions up-to-date). Also make sure you're always using the latest version of Forefront
        Endpoint Protection.

    •   Only download updates from reputable sources. For Windows operating systems, always go
        to Microsoft Update (http://go.microsoft.com/fwlink/?LinkID=96304) and for other software
        always use the legitimate Web sites of the company or person who produces it.

    •   If you receive an e-mail with an attachment and you're unsure of the source, then you should
        delete it immediately. Don't download any applications or executable files from unknown
        sources, and be careful when trading files with other users.

    •   Install and use a firewall. It is recommended that you enable Windows Firewall.


Getting started
Now that you've been introduced to Microsoft Forefront Endpoint Protection 2010 and learned how
it detects malicious software and helps you get rid of unwanted software, let's learn more about this
program's capabilities, including scanning, real-time protection, updating, virus and spyware
definitions, and about removing and restoring quarantined items.

    •   Scanning for viruses, spyware, and other potentially unwanted software

    •   What's real-time protection?

    •   How do I keep virus and spyware definitions up to date?

    •   How do I remove or restore items quarantined by Forefront Endpoint Protection?

Understanding alert levels
When Microsoft Forefront Endpoint Protection 2010 detects a potential threat, it uses the associated
definition file to assign an alert level to the threat. It then applies the default action associated with
that threat level.

Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted
software. While Forefront Endpoint Protection recommends that you remove all viruses and
spyware, not all software that is flagged is malicious or unwanted. The information in this table can
help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software
on your computer.




   Alert level: Severe
   What it means: These are widespread or exceptionally malicious programs, similar to viruses or
   worms, which negatively affect your privacy and the security of your computer, and can damage
   your computer.
   What to do: Remove this software immediately.

   Alert level: High
   What it means: These are programs that might collect your personal information and negatively
   affect your privacy or damage your computer. For example, the program collects information or
   changes settings, typically without your knowledge or consent.
   What to do: Remove this software immediately.

   Alert level: Medium
   What it means: These are programs that might affect your privacy or make changes to your
   computer that could negatively impact your computing experience. For example, the program
   collects personal information or changes settings.
   What to do: Review the alert details to see why the software was detected. If you do not like
   what the software does or if you do not recognize and trust the publisher, consider blocking or
   removing the software.

   Alert level: Low
   What it means: This is potentially unwanted software that might collect information about you or
   your computer or might change how your computer works. However, the software is operating in
   agreement with licensing terms displayed when you installed the software.
   What to do: This software is typically benign when it runs on your computer, unless it was
   installed without your knowledge. If you're not sure whether to allow it, review the alert details,
   or check to see if you recognize and trust the software publisher.

What are recommended actions?
Essentially, recommended action means that you want Microsoft Forefront Endpoint Protection 2010
to handle this alert level according to Microsoft’s recommendation. When Forefront Endpoint
Protection detects a threat or potential threat, it takes the action specified as the Default Action in
Settings. Unless you change the Default Actions associated with each alert level, Forefront Endpoint
Protection applies the recommended action. The recommended action is a specific action
recommended by Microsoft for dealing with a specific threat or potential threat. It is associated with
the definition specific to a particular threat. Usually, recommended actions are related to the
detected item’s severity level: severe, high, medium, or low (see Understanding alert levels). For
example, in most cases, the recommended action associated with a high-severity alert is to remove
the detected threat. However, even in the case of a high-severity alert, the recommended action
might be to allow the detected threat.

  Tip:


Unless you have a deep understanding of malware and their definitions, you should use the
recommended actions to help protect your computer from threats.


Applying default actions to detected items
You can decide how you want Microsoft Forefront Endpoint Protection 2010 to handle the potential
threats it detects, by either applying recommended actions (recommended) or by specifying a
default action for each alert level.

By defining a custom default action for each alert level, you gain more control over how the program
handles detected threats. For example, if you know that all medium level threats are something you
feel comfortable simply quarantining, then you can specify Quarantine for the medium alert level.

To apply default actions
   1. Click the Settings tab, and then click Default actions.

    2. Select a default action (Recommended action, Quarantine, Remove, or Allow if available).
       The default setting (Recommended action) means that you want Forefront Endpoint
       Protection to handle this alert level according to Microsoft’s recommendation.

    3. Click Save changes. If you are prompted for an administrator password or confirmation, type
       the password or confirm the action.

To ensure that Forefront Endpoint Protection applies these actions after it detects potential threats,
select the Apply recommended actions check box.
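
The following is an added example, not code from this documentation or from the Forefront Endpoint Protection product. It models the rules stated above so that an administrator can reason about what a given Default actions configuration will do: each alert level has a configured default; "Recommended action" defers to the action carried by the threat's definition (which, as the text notes, can be Allow even for a high-severity item); and nothing is applied automatically unless Apply recommended actions is selected. The classes, the sample detection names and the weak-setting check are assumptions made for this example.

```python
"""Resolve the action Forefront Endpoint Protection applies to a detection.

Added example, not code from the FEP documentation or from the product. The
classes, sample detections and the weak-setting check are constructed here.
"""
from dataclasses import dataclass, field

ALERT_LEVELS = ("Severe", "High", "Medium", "Low")
DEFAULT_ACTION_CHOICES = ("Recommended action", "Quarantine", "Remove", "Allow")
CONCRETE_ACTIONS = ("Quarantine", "Remove", "Allow")


@dataclass
class Detection:
    name: str                # detected item (sample names below are constructed)
    alert_level: str         # assigned from the definition: Severe, High, Medium or Low
    definition_action: str   # the recommended action carried by that definition


@dataclass
class DefaultActionSettings:
    """Mirror of the Settings > Default actions page (assumed model)."""
    apply_recommended: bool = True
    per_level: dict = field(
        default_factory=lambda: {lvl: "Recommended action" for lvl in ALERT_LEVELS})


def resolve_action(det: Detection, settings: DefaultActionSettings) -> str:
    """Return Remove, Quarantine, Allow, or Prompt (the user must choose in the notification)."""
    if det.alert_level not in ALERT_LEVELS:
        raise ValueError(f"unknown alert level {det.alert_level!r}")
    configured = settings.per_level.get(det.alert_level, "Recommended action")
    if configured not in DEFAULT_ACTION_CHOICES:
        raise ValueError(f"invalid default action {configured!r} for {det.alert_level}")
    # "Recommended action" means: use whatever the definition recommends for this threat.
    action = det.definition_action if configured == "Recommended action" else configured
    if action not in CONCRETE_ACTIONS:
        raise ValueError(f"definition for {det.name} carries unknown action {action!r}")
    if not settings.apply_recommended:
        return "Prompt"   # nothing is applied automatically; the user picks via Show details
    return action


def weak_defaults(settings: DefaultActionSettings) -> list:
    """Flag per-level settings that contradict the alert-level table in the text:
    Severe and High items should be removed; Allow at a level silences alerts there."""
    findings = []
    for level, action in settings.per_level.items():
        if action == "Allow":
            findings.append(f"{level}: Allow is applied to every detection at this level, "
                            f"so no alert is raised for them")
        elif level in ("Severe", "High") and action not in ("Recommended action", "Remove"):
            findings.append(f"{level}: '{action}' configured where the table says remove immediately")
    if not settings.apply_recommended:
        findings.append("Apply recommended actions is cleared: detections wait for a user to respond")
    return findings


if __name__ == "__main__":
    defaults = DefaultActionSettings()
    for det in (Detection("Sample.Worm.A", "Severe", "Remove"),
                Detection("Sample.Toolbar.B", "Low", "Allow")):
        print(det.name, det.alert_level, "->", resolve_action(det, defaults))
    custom = DefaultActionSettings(per_level={"Severe": "Quarantine", "High": "Remove",
                                              "Medium": "Quarantine", "Low": "Allow"})
    for finding in weak_defaults(custom):
        print("WARNING:", finding)
```

Run it as a script to see the resolved actions for the two constructed detections and the warnings for the custom configuration; the weak_defaults check is the part worth keeping in a configuration review, since it catches the two changes that most reduce protection (Allow as a default, and anything other than removal for Severe or High).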

Scanning for viruses, spyware, and other potentially unwanted software
When you use Microsoft Forefront Endpoint Protection 2010, you can run either a quick scan of your
computer or a full system scan. If malicious software has infected a specific area of your computer,
you can customize a scan by selecting only the drives and folders that you want to check.

A quick scan checks the places, processes in the memory, and registry files on your computer's hard
disk that malicious software is most likely to infect. A full scan checks all files on the hard disk and all
currently running programs, but it could cause your computer to run slowly until the scan is
completed. At any time, if you suspect that spyware has infected your computer, run a full scan. For
information about scheduling scans to occur regularly, see Scheduling scans.

To scan the areas of your computer that malicious software is most likely to infect (Quick
scan)
On the Forefront Endpoint Protection Home page, click the Quick scan option, and then click Scan
now. The amount of time the scan takes depends on the number of files and folders being scanned.

To scan all areas of your computer (Full scan)
On the Home page, select the Full scan option, and then click Scan now. The scan may take a while,
depending on the number of files and folders being scanned.

To scan specific areas of your computer only (Custom scan)
You can select specific locations on your computer to scan. However, if it detects viruses, spyware, or
other potentially unwanted software, Endpoint Protection will then run an expanded scan to make
sure it removes the detected software from other areas of your computer, if needed.

Running a custom scan
   1. On the Home page, select the Custom scan option and then click Scan now.

    2. In the Select the drives and folders you want to scan window, select the areas of your
       computer that you want to scan, and then click OK. The scan may take a while, depending on
       the number of files and folders being scanned.

To scan a specific file or folder (right-click scan)
If you suspect malicious software has infected a file or folder on your computer, or if you are
concerned about something that you downloaded, you can select a specific file or folder on your
computer for Endpoint Protection to scan.

Running a right-click scan
   1. Right-click the file or folder on your computer, and then click Scan with Forefront Endpoint
      Protection.

    2. Endpoint Protection begins scanning the selected file or folder.

    3. As soon as it completes the scan, Endpoint Protection displays the scan results.

  Note:


Depending on the file size, this scan may take only a few seconds.

Scheduling scans
By default, Forefront Endpoint Protection runs a scheduled scan on your computer once a week. A
weekly scan is sufficient for most computers, because Endpoint Protection monitors your computer
continuously through the real-time protection feature. To learn more, see What's real-time
protection?.

A scheduled scan checks the areas of your computer that malicious software, including viruses,
spyware, and other potentially unwanted software, are most likely to infect. If you want Endpoint
Protection to check all files and programs on your computer, you can run or schedule a full scan.

To change the scheduled scan
    1. Click Settings, and then click Scheduled scan.

    2. If the Run a scheduled scan on my computer (recommended) check box is not selected,
       select it now.

    3. Next to the When field, select the day that you want to run the scan. For example, you can
       run a scan daily or on a certain day of the week, such as Sunday.

    4. Next to the Around field, select the time that you want the scheduled scan to run.

          Note:


         Scans may begin within two hours of the scheduled time you select. Exact scan times are
         randomized to reduce strain on network traffic. Scans might also be delayed if something else is
         currently running on your computer, such as an update.

    5. Next to the Scan type field, select the type of scan that you want to run, and then click Save
       changes. If you're prompted for an administrator password or confirmation, type the
       password or provide confirmation.




When is the best time to run a scan on my computer?
Because the scheduled scan can slow down your computer's performance, you should run the
scheduled scan at a time when it will least affect your work. In other words, schedule the scan for a
time when the computer is on but you aren't using it. By default, the time set is for around 2 A.M.,
but if you work at night, consider changing the time to sometime during the day.

To make sure the scan runs when your computer isn't being used
   1. Click Settings, and then click Scheduled scan.

    2. If the Start the scheduled scan only when my computer is on but not in use check box is not
       selected, select it now, and then click Save changes. If you're prompted for an administrator
       password or confirmation, type the password or confirm the action.

Responding to potential threats after a scan
To gain more control over how Forefront Endpoint Protection handles detected threats, use the
Default actions or the Threat handling tab, depending on your product version.

    1. Click the Settings tab, and then select the Default actions tab.

    2. Select the action that you want to apply to each alert level.

    3. Select the Apply recommended actions check box, and then click Save changes. If you're
       prompted for an administrator password or confirmation, type the password or confirm the
       action.

To learn more about applying default actions, see Applying default actions to detected items.

How can I view a scan's progress?
Forefront Endpoint Protection notifies you whenever it’s running a scheduled scan. Depending on the
scan type, a scan may take some time and may affect your computer’s performance. To learn more
about scan types, see Scanning for viruses, spyware, and other potentially unwanted software.

To view the progress of a scheduled scan
    •   If you're running Forefront Endpoint Protection on the Windows XP (with Service Pack 2 (SP2)
        or a later service pack) operating system or on the Windows Vista® operating system, you'll
        see the Forefront Endpoint Protection icon in the notification area. Whenever a scan is in
        progress, the Forefront Endpoint Protection icon in the notification area will also display an
        animation to let you know that it's scanning your computer. Click the icon to see which
        type of Forefront Endpoint Protection scan is in progress, how long it’s been running, and
        how many items have been scanned.

    •   If a scan is in progress, Forefront Endpoint Protection displays the scan’s progress until the
        scan is complete. When it completes the scan, Endpoint Protection then displays the scan
        results and the date and time when the scan was completed.

    •   If you're running Endpoint Protection on a Windows 7 operating system, you won’t see the
        Forefront Endpoint Protection icon in the notification area (unless you manually added the
        icon to the notification area). However, when you click the arrow in the notification area, you
        can see additional icons, including the Forefront Endpoint Protection icon. Double-clicking
        the icon will display the scan's progress.

What are advanced scanning options?
When scanning your computer, you can choose from these additional options:

    •   Scan archive files—Scanning these files might increase the time required to complete a scan,
        but malicious software, including viruses, spyware, and other potentially unwanted software,
        can install itself and attempt to "hide" in these files.

    •   Scan removable drives—Use this option to scan the contents of removable drives, such as
        USB flash drives.

    •   Create a system restore point before applying actions to detected items—System restore
        helps you restore your computer's system files to an earlier point in time. It's a way to undo
        system changes to your computer without affecting your personal files, such as e-mail,
        documents, or photos. These restore points contain information about registry settings and
        other system information that Windows uses. When you select this option, Forefront
        Endpoint Protection creates a system restore point on your computer on a daily basis before
        cleaning your computer. This option allows you to restore software that you didn't intend to
        remove.

To set advanced scanning options
    1. Click Settings, and then click Advanced.

    2. Select the check box next to each option that you want to use, and then click Save changes.
       If you're prompted for an administrator password or confirmation, type the password or
       confirm the action.

Excluding items from a scan
To help speed up scans running on your computer, you can choose to exclude certain files, locations,
file types, and processes from the scan.

  Warning:


Exclusions can help speed up the scan, but may leave your computer less protected. Only select
them if you're sure that the excluded files, locations, or processes do not contain malicious
software.


  Important:


Exclusions are applied to both on-demand scans and real-time protection.


To exclude certain files and locations
    1. Click the Settings tab, and then click Excluded files & locations.

    2. Click Add, and then select the files, folders, and locations (such as drives) that you want to
       exclude.

    3. Click OK, and then click Save changes. If you're prompted for an administrator password or
       confirmation, type the password or confirm the action.

To exclude certain file types
    1. Click the Settings tab and then click Excluded file types.

    2. In the field at the top of the tab, enter the file type to exclude, and then click Add.

    3. Repeat step 2 until you've added all the file types that you want to exclude.

    4. Click Save changes. If you're prompted for an administrator password or confirmation, type
       the password or confirm the action.

To exclude processes running on your computer
    1. Click the Settings tab and then click Excluded processes.

    2. Click Add, and then select the processes you want to exclude. Make sure that you add only
       files that use one of the extensions listed below.

    3. Click OK, and then click Save changes. If you're prompted for an administrator password or
       confirmation, type the password or confirm the action.

You can exclude the following process types:
   • Executable files (.exe)

    •   Command files (.cmd)

    •   Batch files (.bat)

    •   Program information files (.pif)

    •   Windows Explorer shell command files (.scf)

    •   Windows screen saver file (.scr)
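
The following is an added example, not code from this documentation or from the product. It reviews an exclusion list of the three kinds described above (files and locations, file types, processes) and reports the entries that weaken protection the most, which matters because, as the Important note states, exclusions apply to real-time protection as well as to scans. The process-extension list is the one given above; the sample entries and the "risky location" and "executable file type" heuristics are assumptions made for this example, and the script checks only a list handed to it rather than reading the product's own settings.

```python
"""Audit a Forefront Endpoint Protection exclusion list for entries that weaken protection.

Added example, not code from the FEP documentation or from the product. The
sample entries and the risk heuristics are constructed for this example.
"""
import ntpath

# Process exclusions must use one of these extensions (list taken from the documentation).
PROCESS_EXTENSIONS = {".exe", ".cmd", ".bat", ".pif", ".scf", ".scr"}

# Heuristics assumed for this example, not product rules.
# Locations writable by ordinary users or used to stage downloads: excluding them stops
# scanning exactly where unwanted software usually arrives.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\appdata\\local\\temp\\")
# File types that carry executable content; excluding them defeats the purpose of scanning.
EXECUTABLE_TYPES = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def _normalize(path: str) -> str:
    """Lower-case, normalized Windows path with one trailing separator for marker matching."""
    return ntpath.normpath(path).lower().rstrip("\\") + "\\"


def check_location(path: str):
    """Return a finding for a files & locations exclusion, or None if it looks reasonable."""
    norm = _normalize(path)
    drive, tail = ntpath.splitdrive(norm)
    if drive and tail == "\\":
        return f"{path}: excludes an entire drive; nothing on it is scanned"
    if any(marker in norm for marker in USER_WRITABLE_MARKERS):
        return f"{path}: excludes a user-writable or download location"
    return None


def check_file_type(ext: str):
    """Return a finding for a file-type exclusion, or None."""
    ext = ext.lower().strip()
    if not ext.startswith("."):
        ext = "." + ext
    if ext in EXECUTABLE_TYPES:
        return f"{ext}: executable content of this type would never be scanned"
    return None


def check_process(path: str):
    """Return a finding for a process exclusion, or None."""
    ext = ntpath.splitext(path)[1].lower()
    if ext not in PROCESS_EXTENSIONS:
        return (f"{path}: not a valid process exclusion "
                f"(extension must be one of {sorted(PROCESS_EXTENSIONS)})")
    if any(marker in _normalize(path) for marker in USER_WRITABLE_MARKERS):
        return (f"{path}: excluded process lives in a user-writable location, so any file "
                f"placed there under that name inherits the exclusion")
    return None


def audit(exclusions: dict) -> list:
    """Run every check and return the list of findings (an empty list means nothing flagged)."""
    findings = []
    findings += [f for f in map(check_location, exclusions.get("locations", [])) if f]
    findings += [f for f in map(check_file_type, exclusions.get("file_types", [])) if f]
    findings += [f for f in map(check_process, exclusions.get("processes", [])) if f]
    return findings


# Constructed sample exclusion list: a typical database-server set plus a few mistakes.
SAMPLE_EXCLUSIONS = {
    "locations": [
        "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Data",
        "D:\\",
        "C:\\Users\\alice\\AppData\\Local\\Temp",
    ],
    "file_types": [".mdf", ".ldf", ".exe"],
    "processes": [
        "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
        "C:\\Users\\alice\\Downloads\\helper.exe",
        "C:\\Tools\\run.ps1",
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXCLUSIONS):
        print("WARNING:", finding)
```

On the constructed sample the audit reports five findings: the whole D: drive, the user's Temp folder, the .exe file type, a process exclusion under Downloads, and a .ps1 entry that is not one of the accepted process types. The database data directory, its data-file extensions and the sqlservr.exe process pass, which is the kind of narrow, product-specific exclusion the Warning above has in mind.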

What's real-time protection?
Real-time protection enables Forefront Endpoint Protection to monitor your computer all the time
and alert you when potential threats, such as viruses and spyware, are trying to install themselves or
run on your computer. Because this feature is an important element of the way that Endpoint
Protection helps protect your computer, you should make sure real-time protection is always turned
on. If real-time protection gets turned off, Endpoint Protection notifies you, and changes your
computer’s status to “At risk”.

Whenever real-time protection detects a threat or potential threat, Endpoint Protection displays a
notification. You can now choose from the following options:

    •   Click Clean computer to remove the detected item. Endpoint Protection will automatically
        remove the item from your computer.

    •   Click the Show details link to display the Potential threat details window, and then choose
        which action to apply to the detected item. For more information, see What should I do if
        Forefront Endpoint Protection detects malicious software on my computer?.

Understanding real-time protection options
You can choose the software and settings that you want Forefront Endpoint Protection to monitor,
but we recommend that you turn on real-time protection and enable all real-time protection options.
The following table explains the available options.


   Real-time protection option: Scan all downloads
   Purpose: This option monitors files and programs that are downloaded, including files that are
   automatically downloaded via Windows Internet Explorer and Microsoft Outlook® Express, such as
   ActiveX® controls and software installation programs. These files can be downloaded, installed, or
   run by the browser itself. Malicious software, including viruses, spyware, and other potentially
   unwanted software, can be included with these files and installed without your knowledge.

   Using the real-time protection option, Endpoint Protection monitors your computer all the time
   and checks for any malicious files or programs that you may have downloaded. This monitoring
   feature means that Endpoint Protection doesn't need to slow down your browsing or e-mail
   experience by requiring a check of any files or programs you may want to download.

   Real-time protection option: Monitor file and program activity on your computer
   Purpose: This option monitors when files and programs start running on your computer, and then
   it alerts you about any actions they perform and actions taken on them. This is important, because
   malicious software can use vulnerabilities in programs that you have installed to run malicious or
   unwanted software without your knowledge. For example, spyware can run itself in the
   background when you start a program that you frequently use. Forefront Endpoint Protection
   monitors your programs and alerts you if it detects suspicious activity.

   Real-time protection option: Enable behavior monitoring
   Purpose: This option monitors collections of behavior for suspicious patterns that might not be
   detected by traditional antivirus detection methods.

   Real-time protection option: Enable Network Inspection System
   Purpose: This option helps protect your computer against “zero day” exploits of known
   vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered
   and an update is applied.




Turning real-time protection on and off
To help prevent viruses, spyware, or other potentially unwanted software from running on your
computer, you should make sure you've turned on real-time protection and selected both real-time
protection options. Real-time protection alerts you when viruses, spyware, or other potentially
unwanted software attempts to install or run on your computer.

To help protect your privacy and your computer, we recommend that you select all real-time
protection options. For more information about real-time protection, see What's real-time
protection?

When you install Forefront Endpoint Protection on your computer, the real-time protection feature is
turned on by default. Although it is not recommended, you can turn off real-time protection.

To turn off real-time protection

    1. Click Settings, and then click Real-time protection.

    2. Clear the real-time protection options you want to turn off, and then click Save changes. If
       you're prompted for an administrator password or confirmation, type the password or
       confirm the action.

You can also turn on or off specific features of real-time protection individually. To learn more, see
Understanding real-time protection options.

How do I know that Forefront Endpoint Protection is running on my
computer?
After you install Forefront Endpoint Protection on your computer, you can close the main window
and let Endpoint Protection run quietly in the background. Endpoint Protection will continue running
on your computer, monitor it, and help protect it against threats.

Of course, you'll know that Endpoint Protection is running whenever it displays notification messages
in the notification area. These notifications alert you to potential threats that Endpoint Protection
has detected.

You'll also receive other alert notifications, for example, if for some reason real-time protection has
been turned off, if you haven't updated your virus and spyware definitions for a number of days, or
when upgrades to the program become available. Endpoint Protection also briefly displays a
notification to let you know that it's scanning your computer.




You can also refer to the Endpoint Protection icon that appears in the notification area:




  Tip:

If you don’t see the Endpoint Protection icon in the notification area, click the arrow in the
notification area to show hidden icons, including the Endpoint Protection icon.

The icon color depends on your computer's current status:

    •   Green indicates that your computer's status is "protected."

    •   Yellow indicates that your computer's status is "potentially unprotected."

    •   Red indicates that your computer's status is "at risk."

How to set up Forefront Endpoint Protection alerts
When Microsoft Forefront Endpoint Protection 2010 is running on your computer, it automatically
alerts you if it detects viruses, spyware, or other potentially unwanted software. You can also set
Forefront Endpoint Protection to alert you if you run software that has not yet been analyzed, and
you can choose to be alerted when software makes changes to your computer.

To set up Endpoint Protection alerts
    1. Click Settings, and then click Real-time protection.

    2. Make sure the Turn on real-time protection (recommended) check box is selected.

    3. Select the check boxes next to the real-time protections options you want to run, and then
       click Save changes. If you're prompted for an administrator password or confirmation, type
       the password or confirm the action.

What are virus and spyware definitions?
When you use Forefront Endpoint Protection, it is important to have up-to-date virus and spyware
definitions. Definitions are files that act like an ever-growing encyclopedia of potential software
threats. Endpoint Protection uses definitions to determine if software that it detects is a virus,
spyware, or other potentially unwanted software, and then to alert you to potential risks. To help
keep your definitions up to date, Endpoint Protection works with Microsoft Update to install new
definitions automatically as they are released. You can also set Endpoint Protection to check online
for updated definitions before scanning. For information about keeping your definitions up to date
and how to download the latest definitions manually, see How do I keep virus and spyware
definitions up to date?

How do I keep virus and spyware definitions up to date?
Virus and spyware definitions are files that act like an encyclopedia of known malicious software,
including viruses, spyware, and other potentially unwanted software. Because malicious software is
continually being developed, Forefront Endpoint Protection relies on up-to-date definitions to
determine if software that is trying to install, run, or change settings on your computer is a virus,
spyware, or other potentially unwanted software.

To automatically check for new definitions before scheduled scans (recommended)
   1. Click Settings, and then click Scheduled scan.

    2. Make sure the Check for the latest virus and spyware definitions before running a
       scheduled scan check box is selected, and then click Save changes. If you're prompted for an
       administrator password or confirmation, type the password or confirm the action.

To check for new definitions manually
    1. Endpoint Protection updates the virus and spyware definitions on your computer
       automatically. If the definitions haven’t been updated for over seven days (for example, if
       you didn’t turn on your computer for a week), Endpoint Protection will notify you that the
       definitions are out of date.

    2. To check for new definitions manually, click the Update tab and then click Update.

  Note:


While updating definitions, if you're running Endpoint Protection on the Windows XP (with
Service Pack 2 (SP2) or a later service pack) operating system or on the Windows Vista operating
system, the program displays an "updating" icon in the notification area.


Running a scan using the latest updates
To maximize the scan's effectiveness, you should make sure the computer is scanned using the very
latest virus and spyware definitions, which contain the latest updates on potential threats.

To make sure the scan is using the latest virus and spyware definitions
   1. Click Settings, and then click Scheduled scan.

    2. Make sure the Check for the latest virus and spyware definitions before running a
       scheduled scan check box is selected, and then click Save changes. If you're prompted for an
       administrator password or confirmation, type the password or confirm the action.

How do I remove or restore items quarantined by Forefront Endpoint
Protection?
When Forefront Endpoint Protection quarantines software, it moves the software to another
location on your computer, and then it prevents the software from running until you choose to
restore it or to remove it from your computer.

For all the steps mentioned in this procedure, if you're prompted for an administrator password or
confirmation, type the password or provide confirmation.

To remove or restore quarantined items
   1. Click the History tab, and then select the Quarantined items option.

    2. In Windows Vista or Windows 7, click View details to see all of the items.

    3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the
       items.

    4. Review each item, and then for each, click Remove or Restore. If you want to remove all of the
       quarantined items from your computer, click Remove All.

  Warning:


Do not restore software with severe or high alert ratings, because it can put your privacy and the
security of your computer at risk.


How do I add or remove items from the Forefront Endpoint Protection allowed list?
If you trust software that Forefront Endpoint Protection has detected, you can stop Forefront
Endpoint Protection from alerting you about risks that the software might pose to your privacy or
your computer. To stop receiving alerts for this software, you must add the software to the Forefront
Endpoint Protection allowed list. If you decide that you want to monitor the software again later, you
can remove it from the Forefront Endpoint Protection allowed list at any time.

To add an item to the allowed list
   1. The next time Endpoint Protection alerts you about the software, click the Show details link.

    2. In the Potential threat details dialog box, click the down arrow in the Recommendation
       column, and then click Allow.

To remove an item from the allowed list and enable Endpoint Protection to monitor it
    1. Click the History tab, and then select the Allowed items option.

    2. In Windows Vista or Windows 7, click View details to see all of the items. If you're prompted
       for an administrator password or confirmation, type the password or confirm the action.

    3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the
       items.

    4. Select the item that you want to monitor, and then click Remove. If you're prompted for an
       administrator password or confirmation, type the password or confirm the action.

  Warning:


Do not allow software with severe or high alert ratings to run on your computer, because it can put
your privacy and the security of your computer at risk.




How do I view or clear the history in Forefront Endpoint Protection?
The history displays the actions you applied to viruses, spyware, and other potentially unwanted
software that Forefront Endpoint Protection has detected on your computer.

To view or clear the history
    1. Click the History tab.

   2. In Windows Vista or Windows 7, click View details to see all of the items. If you are
      prompted for an administrator password or confirmation, type the password or confirm the
      action.

   3. In Windows XP, you need to log on as an administrator on the computer to see all of the
      items.

   4. To delete all of the items in the list, click Delete history. If you are prompted for an
      administrator password or confirmation, type the password or confirm the action.

What if I want to download or run a program that Forefront Endpoint Protection detects
as potentially harmful?
When Forefront Endpoint Protection detects a potentially harmful program, it alerts you by
displaying a notification. However, if you trust a program that Forefront Endpoint Protection has
detected as potentially harmful, you can allow it to run on your computer.

  Warning:


If Endpoint Protection assigns a severe or high alert level to a program, it's a widespread or
exceptionally malicious program or it is a program that might collect your personal information
without your knowledge. These programs can negatively affect your privacy and the security of your
computer and can damage your computer. We strongly advise you not to run these programs on
your computer.

   1. Download the program that you want to run.

   2. When Forefront Endpoint Protection displays the notification, click the Show details link.

   3. In the Potential threat details dialog box, select the program, click the down arrow in the
      Recommendation column, and then click Allow.

   4. Click Apply actions. If you're prompted for an administrator password or confirmation, type
      the password or confirm the action.

Privacy settings for detected items
To help protect user privacy, Forefront Endpoint Protection enables the local computer administrator
to limit viewing the detected items for all of the users on the computer in the History tab.

To allow only the local computer administrator to view all detected items

   1. Click Settings, and then click Advanced.

    2. Clear the Allow all users to view the full History results check box, and then click Save
       changes. If you're prompted for an administrator password or confirmation, type the
       password or confirm the action.

What is the Microsoft SpyNet Community?
Microsoft SpyNet is the online community that helps you choose how to respond to potential
threats. The community also helps stop the spread of new infections. You can choose to send basic or
additional information about detected software. Additional information helps Microsoft create new
definitions to better protect your computer. The information sent can include the location of
detected items on your computer if a virus, spyware, or potentially harmful software has been
removed. The information will be automatically collected and sent.

Reporting suspicious software to Microsoft SpyNet
If Forefront Endpoint Protection detects software on your computer that has not yet been classified
for risks, you might be asked to send a sample of the software to Microsoft SpyNet for analysis.
When you're prompted to send a sample, Endpoint Protection displays a list of files that can help
analysts determine if the software is malicious. You can choose to send some or all of the files in the
list. For information on Microsoft SpyNet, see Changing your Microsoft SpyNet community
membership.

To send files to Microsoft SpyNet
If Endpoint Protection detects a file or program on your computer that might be malicious or
harmful, you can send it to Microsoft.

To submit a malicious software sample
    1. On the Help menu, click Submit malicious software sample.

    2. The Microsoft Malware Protection Center site opens. Follow the instructions, and submit
       the sample.

To report software that might be incorrectly classified
If Endpoint Protection alerts you about software that you don't believe is malicious or unwanted, you
can report the problem to Microsoft by completing the False Positive Report Form on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=155581).

Changing your Microsoft SpyNet community membership
When you installed Forefront Endpoint Protection, you agreed to join Microsoft SpyNet using a basic
membership. You have the following membership options:

Basic membership—Endpoint Protection sends basic information to Microsoft about software that
Endpoint Protection detects, including where the software came from, the actions that you apply or
that Endpoint Protection applies automatically, and whether the actions were successful. In some
instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will
not use this information to identify you or to contact you.

Advanced membership—In addition to basic information, Endpoint Protection sends more
information to Microsoft about malicious software, spyware, and potentially unwanted software,

including the location of the software, file names, how the software operates, and how it has
affected your computer. In some instances, personal information might unintentionally be sent to
Microsoft. However, Microsoft will not use this information to identify you or to contact you.

To change your Microsoft SpyNet community membership
    1. Click Settings, and then click Microsoft SpyNet.

    2. Select the level of participation that you want by clicking Basic membership or Advanced
       membership, and then click Save changes. If you're prompted for an administrator password
       or confirmation, type the password or confirm the action.

To learn more about Microsoft SpyNet:

    •   Reporting suspicious software to Microsoft SpyNet

Where can I find the Forefront Endpoint Protection privacy statement?
The updated privacy statement is available through the Help menu or through the Forefront
Endpoint Protection Web site.

To view the privacy statement
    1. On the Help menu, click View privacy statement.

Where can I find the Forefront Endpoint Protection license agreement?
The license agreement is available through the Help menu or through the Microsoft Forefront
Endpoint Protection 2010 Web site.

To view the license agreement
    1. On the Help menu, click View license agreement.

Troubleshooting
If you encounter problems with Forefront Endpoint Protection, contact your security administrator
for support.

Troubleshooting Update Issues
Microsoft Forefront Endpoint Protection 2010 works automatically with Microsoft Update to ensure
that your virus and spyware definitions are kept up to date.

Symptoms
This article addresses common issues with automatic updates, including the following situations:

    •   You see error messages indicating that updates have failed.

    •   When you check for updates, you receive an error message that the virus and spyware
        definition updates cannot be checked, downloaded, or installed.

    •   Even though you are connected to the Internet, the updates fail.

    •   Updates are not automatically installing as scheduled.

Cause
The most common causes for update issues are problems with Internet connectivity. For help with
Internet connectivity, see I can't connect to the Internet issue (General topic). However, if you know
you are connected to the Internet because you can browse to other Web sites, the issue might be
caused by conflicts with your settings in Windows Internet Explorer.

Solution
  Important:


You have to exit Internet Explorer to complete these steps. Therefore, print them, write them
down, or copy them to another file, and then bookmark this topic for future access.

Step 1: Reset your Internet Explorer settings

    1. Exit all open programs, including Internet Explorer.

           Note:


         Resetting these settings in Internet Explorer deletes your temporary files, cookies, browsing
         history, and your online passwords. But, your favorites are not deleted.

    2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter.

    3. In the Internet Options dialog box, click the Advanced tab.

    4. Under the Reset Internet Explorer settings, click Reset, and then click Reset again.

    5. Wait until Internet Explorer finishes resetting the settings, and then click OK.

    6. Open Internet Explorer.

    7. Open Microsoft Security Essentials, click the Update tab, and then click Update.

    8. If the issue persists, proceed to the next step.

Step 2: Set Internet Explorer as the default browser

    1. Exit all open programs, including Internet Explorer.

    2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter.

    3. In the Internet Options dialog box, click the Programs tab.

    4. Under Default Web browser, click Make default.

    5. Click OK.

   6. Open Microsoft Forefront Endpoint Protection 2010. Click the Update tab, and then click
      Update.

   7. If the issue persists, proceed to the next step.

Step 3: Ensure that the date and time are set correctly on your computer

   1. Open Forefront Endpoint Protection.

   2. If the error message that you received contains the code 0x80072f8f, the problem is most
      likely caused by an incorrect date or time setting on your computer.

   3. To reset your computer's date or time setting, follow the steps in Fix broken desktop
      shortcuts and common system maintenance tasks
      (http://go.microsoft.com/fwlink/?LinkId=155579).

Step 4: Rename the Software Distribution folder on your computer

   1. Stop the Automatic Updates service

           a. Click Start, click Run, type services.msc, and then click OK.

           b. Right-click the Automatic Updates service, and then click Stop.

           c. Minimize the Services snap-in.

   2. Rename the SoftwareDistribution directory as follows:

           a. Click Start, click Run, type cmd, and then click OK.

           b. Type cd %windir%, and then press Enter.

           c. Type ren SoftwareDistribution SDTemp, and then press Enter.

           d. Type exit, and then press Enter.

   3. Start the Automatic Updates service as follows:

           a. Maximize the Services snap-in.

           b. Right-click Automatic Updates service, and then click Start.

           c. Close the Services snap-in window.

Step 5: Reset the Microsoft antivirus update engine on your computer

   1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt, and
      then select Run as administrator.

   2. In the Command Prompt window, type the following commands and press Enter after each
      command:

cd \

cd "Program Files\Microsoft Security Essentials"

MpCmdRun -RemoveDefinitions -All

exit

       3. Restart your computer.

       4. Open Forefront Endpoint Protection, click the Update tab, and then click Update.

       5. If the issue persists, proceed to the next step.

Step 6: Manually install the virus and spyware definition updates

       •   If you are running a 32-bit Windows operating system, download the latest updates manually
           at http://go.microsoft.com/fwlink/?LinkID=87342
           (http://go.microsoft.com/fwlink/?LinkID=87342).

       •   If you are running a 64-bit Windows operating system, download the latest updates manually
           at http://go.microsoft.com/fwlink/?LinkID=87341
           (http://go.microsoft.com/fwlink/?LinkID=87341).

       •   Click Run. The latest updates are manually installed on your computer.

  Note:


 If you were able to manually install virus and spyware definitions, the problem is most likely
 caused by a download issue. To learn how to resolve download issues, see Resolving download
 issues during setup or upgrade.

Step 7: Contact Support

       •   If the steps did not resolve the issue, contact support. For more information, see Customer
           Support (http://go.microsoft.com/fwlink/?LinkID=196174).
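Steps 4 and 5 above can also be carried out from an elevated Windows PowerShell prompt. The following script is an added example and is not part of the original document or the product; it assumes the service name wuauserv for the Automatic Updates service named in Step 4, and it looks for MpCmdRun.exe both at the path used in Step 5 and in a Microsoft Security Client folder, which is an assumption.

```powershell
# Added example (not from the original document): scripts Steps 4 and 5 of
# "Troubleshooting Update Issues". Assumes Windows PowerShell running as
# administrator. "wuauserv" is assumed to be the Automatic Updates service;
# the MpCmdRun.exe locations are the page's path plus an assumed client folder.
#Requires -Version 2.0

$ErrorActionPreference = 'Stop'

function Reset-SoftwareDistribution {
    # Step 4: stop the update service, rename the cache folder to SDTemp,
    # and start the service again.
    param([string]$WinDir = $env:windir)

    $source = Join-Path $WinDir 'SoftwareDistribution'
    $target = Join-Path $WinDir 'SDTemp'
    if (Test-Path $target) {
        throw "$target already exists; remove or rename it before running this step again."
    }

    Stop-Service -Name 'wuauserv' -Force
    try {
        Rename-Item -Path $source -NewName 'SDTemp'
    } finally {
        # Restart the service even if the rename failed, so the computer
        # is not left without automatic updates.
        Start-Service -Name 'wuauserv'
    }
}

function Reset-DefinitionEngine {
    # Step 5: remove every installed definition set so the next Update
    # downloads a clean copy.
    $candidates = @(
        (Join-Path $env:ProgramFiles 'Microsoft Security Essentials\MpCmdRun.exe'),  # path used in Step 5
        (Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe')       # assumed client folder
    )
    $exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) {
        throw "MpCmdRun.exe not found in: $($candidates -join '; ')"
    }

    & $exe -RemoveDefinitions -All
    if ($LASTEXITCODE -ne 0) {
        throw "MpCmdRun returned exit code $LASTEXITCODE"
    }
}

Reset-SoftwareDistribution
Reset-DefinitionEngine
Write-Host 'Restart the computer, then open Forefront Endpoint Protection, click the Update tab, and click Update.'
```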

I can't start the Forefront Endpoint Protection service

Symptom
You receive a message notifying you that “Microsoft Forefront Endpoint Protection 2010 isn't
monitoring your computer because the program's service stopped. You should restart it now.”

Solution
Step 1: Restart your computer.

       •   Close all applications and restart your computer.

Step 2: Make sure the “Microsoft Forefront Endpoint Protection 2010” service is set to automatic
and is started

    1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.

–or–

In Windows Vista and Windows 7, click Start, click in the Start Search box, type services.msc, and
then press Enter.

    2. Search for Microsoft Antimalware Service. Right click it and select Properties or double-click
       it to open the service.

    3. Check to make sure that the "Startup Type" is set to "Automatic".

    4. Click the Start button to start the service. If the Start button is not available, click the Stop
       button, and then click the Start button to restart the service.

    5. Make sure you note any errors that may appear during this process, submit a case online,
       and include the error information.
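The checks in Step 2 can be scripted so that the startup type and state of the Microsoft Antimalware Service are verified and corrected in one pass. This is an added example, not code from the original document or the product; it assumes Windows PowerShell with WMI available and uses the service display name given in the text above.

```powershell
# Added example (not from the original document): verifies and repairs the
# conditions of Step 2 for the "Microsoft Antimalware Service". Assumes
# Windows PowerShell running as administrator; StartMode and State are
# properties of the Win32_Service WMI class.

function Test-AntimalwareService {
    # Returns the service's startup mode, state, and a list of remaining problems.
    param([string]$DisplayName = 'Microsoft Antimalware Service')

    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) {
        return @{ Found = $false; Problems = @("Service '$DisplayName' is not installed") }
    }

    $problems = @()
    if ($svc.StartMode -ne 'Auto') {
        $problems += "Startup Type is '$($svc.StartMode)', expected Automatic"
    }
    if ($svc.State -ne 'Running') {
        $problems += "State is '$($svc.State)', expected Running"
    }

    return @{
        Found     = $true
        Name      = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
        Problems  = $problems
    }
}

function Repair-AntimalwareService {
    # Step 2, items 3 and 4: set the startup type to Automatic, then start the
    # service, or stop and start it again if it was already running.
    param([string]$DisplayName = 'Microsoft Antimalware Service')

    $status = Test-AntimalwareService -DisplayName $DisplayName
    if (-not $status.Found) { throw $status.Problems[0] }

    if ($status.StartMode -ne 'Auto') {
        Set-Service -Name $status.Name -StartupType Automatic
    }
    if ($status.State -eq 'Running') {
        Restart-Service -Name $status.Name
    } else {
        Start-Service -Name $status.Name
    }

    return Test-AntimalwareService -DisplayName $DisplayName
}

$result = Repair-AntimalwareService
if ($result.Problems.Count -eq 0) {
    Write-Host 'Microsoft Antimalware Service is set to Automatic and is running.'
} else {
    # Step 2, item 5: keep these messages for the support case.
    $result.Problems | ForEach-Object { Write-Host "Still a problem: $_" }
}
```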

Step 3: Remove any existing Internet security programs

    1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.

–or–

In Windows Vista or Windows 7, click Start, click in the Start Search box, type appwiz.cpl, and then
press Enter.

    2. In the list of installed programs, uninstall any third-party Internet security programs.

    3. Restart your computer, and then try to install Microsoft Forefront Endpoint Protection 2010
       again.

  Note:


Some Internet security applications do not uninstall completely. You may need to download and
run a cleanup utility for your previous security application in order for it to be completely
removed.


   Caution:


When you remove Internet security programs, your computer is unprotected. If you have
problems installing Forefront Endpoint Protection after you remove existing Internet security
programs, contact Forefront Endpoint Protection Support immediately by submitting a case
online (for more information, see How to submit a case online).

Step 4: Uninstall/reinstall Microsoft Forefront Endpoint Protection 2010

       1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.

-or-

In Windows Vista and Windows 7, click Start, and in the Start Search box, type appwiz.cpl, and then
press Enter.

       2. In the list of installed programs, click Microsoft Forefront Endpoint Protection 2010, and
          then uninstall it.

       3. If prompted, restart your computer, and then try to install Microsoft Forefront Endpoint
          Protection 2010 again.

I can't install Forefront Endpoint Protection
This topic contains solutions for issues you may encounter while installing Microsoft Forefront
Endpoint Protection 2010.

Symptoms
Installation fails for an unknown reason, or you receive an error message with an error code such as
0x80070643, 0X8007064A, 0x8004FF2E, 0x8004FF01, 0x8004FF07, 0x80070002, 0x8007064C,
0x8004FF00, 0x80070001, 0x80070656, 0x8004FF40, 0xC0000156, 0x8004FF41, 0x8004FF0B,
0x8004FF11, 0x80240022, 0x8004FF04, 0x80070660, 0x800106B5, 0x80070715, 0x80070005,
0x8004EE00, 0x8007003, 0x800B0100, 0x8007064E, or 0x8007007E.

If your computer is running Windows XP Service Pack 2 (SP2), you might see one or more of the
following error messages:

       •   Installation Wizard is missing a filter manager rollup package needed to complete the
           installation.

       •   KB914882 Setup Error, Setup cannot update your Windows XP files because the language
           installed on your system is different from the update language.

Cause
Microsoft Forefront Endpoint Protection 2010 cannot be installed on a computer that is running
other security programs. Sometimes, even if you remove other security programs, they do not
completely uninstall. You must be running a genuine version of the Windows operating system to
install Forefront Endpoint Protection.

If your computer is running Windows XP SP2, you might be missing one or more of the following
prerequisites for installing Forefront Endpoint Protection:

       •   Windows Installer 3.1

    •   Forefront Client Security Filter Manager QFE for Windows XP/SP2

Solution
  Important:


You will need to restart your computer while resolving this issue. Bookmark this page (mark it as a
Favorite) to make it easier to find this topic again or print it for easy reference.

Step 1: Remove any existing security programs

    1. Completely uninstall any existing Internet security programs by following the steps in the
       topic: How do I uninstall existing antivirus or antispyware programs?

    2. Restart your computer.

    3. Install Microsoft Forefront Endpoint Protection 2010 again. If this does not resolve the issue,
       continue to the next step.

Step 2: Ensure that the Windows Installer service is running

    1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type services.msc, and then press Enter.

–or–

In Windows 7, click Start. In the Search programs and files box, type services.msc, and then press
Enter.

    2. Right-click Windows Installer, and then click Start. If Start is unavailable and the Stop and
       Restart options are available, this tells you that the service is already started.

    3. On the Services page, on the File menu, click Exit.

    4. In Windows XP, click Start, click Run, type cmd, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type command prompt. Right-click Command
Prompt, and then click Run as administrator.

–or–

In Windows 7, click Start. In the Search programs and files box, type command prompt. Right-click
Command Prompt, and then click Run as administrator.

    5. Type MSIEXEC /REGSERVER, and then press Enter.

          Note:


         There is no indication that this command has succeeded or failed.

    6. Install Microsoft Forefront Endpoint Protection 2010 again. If this does not resolve the issue,
       continue to the next step.

Step 3: If your computer is running Windows XP SP2, verify that it has the required prerequisites

    1. If you are running Windows XP and Windows Installer 3.1 is not installed on your computer,
       download and install Windows Installer 3.1 from Windows Installer 3.1 v2 (3.1.4000.2435) is
       available (http://go.microsoft.com/fwlink/?LinkId=110600).

    2. Download and install the required hotfix for client computers running Windows XP SP2:

            a. Go to Forefront Client Security Filter Manager QFE for Windows XP/SP2
               (http://www.microsoft.com/downloads/details.aspx?FamilyID=B18A6BA9-AF43-
               4B0A-BABD-1E60A2D5E08A&displaylang=en).

            b. On the Web page, click the link for the download package that is the same language
               as the version of Windows XP running on the client computer.

            c. Follow the instructions to download and install the hotfix package.

            d. Restart your computer.

            e. Install Microsoft Forefront Endpoint Protection 2010. If this does not resolve the
               issue, continue to the next step.

Step 4: Start Windows in Selective Startup mode

    1. In Windows XP, click Start, click Run, type msconfig, and then press Enter.

–or–

In Windows Vista, click Start. In the Start Search box, type msconfig, and then press Enter.

–or–

In Windows 7, click Start. In the Search programs and files box, type msconfig, and then press Enter.

    2. On the General tab, click Selective Startup, and then clear the Load Startup Items check box.

    3. On the Services tab, select the Hide All Microsoft Services check box, and then clear all the
       check boxes for the services that remain in the list.

    4. Click OK, and then click Restart to restart the computer.

    5. Try to install Microsoft Forefront Endpoint Protection 2010 again.


I can't connect to the Internet issue (General topic)
In order to make sure that your computer receives the latest updates from Windows Update, you
must be connected to the Internet.

Symptom
You receive a notification that Microsoft Forefront Endpoint Protection 2010 is unable to install the
latest updates because you are not connected to the Internet.

Cause
Internet issues might be due to connection problems between your computer and your router.

Solution
  Note:


 Before you begin, print, or write down these instructions. You will restart your computer during
 this procedure, so you'll need a copy of the steps to refer to. The steps may contain a link to
 another Web site, so you may want to bookmark this topic before you begin.

Step 1: Test your Internet connection by trying to visit several Web sites and checking other
Internet-enabled applications

    •   If you are able to access Web sites, continue to the next step.

Step 2: Verify that your computer is connected to the Internet

    1. In Windows XP, click Start, click Run, type ncpa.cpl, and then press Enter.

–or–

In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press Enter.

–or–

In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then press
Enter.

    2. Right-click the connection name and then click Status.

    3. If your computer is connected, in Windows XP the connection status will appear as
       Connected, Enabled, or Authentication succeeded. In Windows Vista and Windows 7, the
       IPv4 status will appear as Internet.

    4. If your computer doesn't appear to be connected, right-click the connection name, and then
       click Connect, Enable, Authenticate, or Repair.



Step 3: Restart your computer

    •   Close any open programs and restart your computer.

Step 4: If you still can't connect to the Internet, check your connections

    1. If you use a dial-up connection, make sure the telephone cord connection in the wall jack and
       in your modem are firmly connected.

    2. If you use a cable modem, make sure the cable connection to the modem and the connection
       from the modem to your computer are firmly connected.

    3. If you use a cable modem or DSL router, make sure the connections to the router and to the
       computer are firmly connected. Try unplugging and turning off the router and modem. Wait
       a few minutes, plug in the modem first, wait one minute, then plug in the router, and
       restart your computer.

Step 5: Use the Windows Network Diagnostic tool

For computers running Windows Vista and Windows 7

    1. In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press
       Enter.

       –or–

       In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then
       press Enter.

    2. Right-click the network connection that the computer would use to connect to the Internet,
       click Diagnose, and then follow the on-screen instructions.

    3. If you use a cable modem or DSL router, make sure the connections to the router and to the
       computer are firmly connected.

    4. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the
       modem first, wait one minute, then plug in the router, and restart your computer.

For computers running Windows XP

    1. In the Control Panel, click Network and Internet Connections, and then click Network
       Diagnostics.

    2. If you do not see the Network and Internet Connections option in Control Panel, click Start,
       and then click Help and Support. On the Help and Support Center page, under Pick a Task,
       click Use Tools to view your computer information and diagnose problems. In the left-hand
       column of the tools page, click Network Diagnostics.

Step 6: If you still can't connect to the Internet, contact your Internet Service Provider (ISP) or the
company that provides your access to the Internet
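Steps 1 and 2 of this procedure can be run as a script when an administrator is checking a client remotely or repeatedly. The following is an added example and is not part of the Forefront Endpoint Protection documentation; it assumes Windows PowerShell 2.0 on Windows Vista or Windows 7 (Windows XP needs PowerShell installed separately), uses the Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration WMI classes and .NET System.Net types that exist on those systems, and the list of Web sites is a constructed sample.

```powershell
# Added example, not from the Forefront Endpoint Protection documentation:
# runs Step 1 (reach several Web sites) and Step 2 (connection status) from
# a script. Assumes Windows PowerShell 2.0 on Windows Vista or Windows 7
# (Windows XP needs PowerShell installed separately); it uses only WMI
# classes and .NET types that exist on those systems.

# Step 1 targets: constructed sample list; substitute the sites your clients need.
$sites = @('http://www.microsoft.com', 'http://update.microsoft.com', 'http://www.bing.com')

function Test-WebSite {
    param([string]$Url)
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000            # milliseconds
        $req.GetResponse().Close()
        return $true
    } catch {
        # A .NET exception arrives wrapped; unwrap it to see the WebException.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # Any HTTP answer (even 4xx/5xx) proves the network path works.
        if ($ex -is [System.Net.WebException] -and $ex.Response) { return $true }
        return $false
    }
}

# Step 2: NetConnectionStatus values documented for Win32_NetworkAdapter; the
# Status dialog in ncpa.cpl shows the same states.
$statusNames = @{ 0 = 'Disconnected'; 1 = 'Connecting'; 2 = 'Connected'; 3 = 'Disconnecting';
                  4 = 'Hardware not present'; 5 = 'Hardware disabled'; 6 = 'Hardware malfunction';
                  7 = 'Media disconnected'; 8 = 'Authenticating'; 9 = 'Authentication succeeded';
                  10 = 'Authentication failed'; 11 = 'Invalid address'; 12 = 'Credentials required' }

function Get-AdapterStatus {
    # Only adapters with a connection name appear in Network Connections.
    Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL" | ForEach-Object {
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index = $($_.Index)"
        $status = 'Unknown'
        if ($_.NetConnectionStatus -ne $null) { $status = $statusNames[[int]$_.NetConnectionStatus] }
        New-Object PSObject -Property @{
            Connection = $_.NetConnectionID
            Status     = $status
            IPAddress  = ($cfg.IPAddress -join ', ')
            Gateway    = ($cfg.DefaultIPGateway -join ', ')
        }
    }
}

$reachable = @($sites | Where-Object { Test-WebSite $_ })
if ($reachable.Count -gt 0) {
    Write-Host "Reached $($reachable.Count) of $($sites.Count) Web sites; the Internet connection works."
} else {
    Write-Host 'No Web site reachable; connection status per adapter (Step 2):'
    Get-AdapterStatus | Format-Table Connection, Status, IPAddress, Gateway -AutoSize
}
```

A HEAD request is used rather than a ping because many networks filter ICMP but allow outbound HTTP, and an HTTP error response still shows that the path to the Internet is open; an adapter reported as "Media disconnected" or "Authentication failed" points at the cabling or credential checks in Steps 2 and 4.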



Error “0x8*******” encountered during virus and spyware definition updates or product
upgrades
Forefront Endpoint Protection uses the Microsoft Update (MU) service to deliver virus and spyware
definition updates and product upgrades. Definition update failures that are caused by this service
result in a “0x8*******” error. If you encounter one of these errors, write down the exact error code
and follow these steps.

Step 1: Restart the Microsoft Update (MU) service

In Windows XP

       1. Click Start, click Run, type services.msc, and then press Enter.

       2. Right-click Automatic Updates, and then click Start. If Start is unavailable, click Restart.

In Windows Vista and Windows 7

       1. In Windows Vista, click Start, and in the Start Search box, type services.msc, and then press
          Enter.

          -or-

          In Windows 7, click Start, and in the Search programs and files box, type services.msc, and then
          press Enter.

       2. Right-click Windows Update, and then click Start. If Start is unavailable, click Restart.

Step 2: Troubleshoot Microsoft Update (MU) errors

       1. Visit Windows Vista Help & How-to (http://go.microsoft.com/fwlink/?LinkId=166390).

       2. In the search box, enter the error code that you received.

       3. Follow the steps provided and try again.

       4. To update the virus and spyware definitions, click the Update tab, and then click Update.
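The service restart in Step 1 and the "write down the exact error code" instruction can both be done from a script, which is useful when the notification balloon has already disappeared. The following is an added example, not part of the Forefront Endpoint Protection documentation; it assumes Windows PowerShell 2.0 and an elevated prompt, and it relies on two things that hold on Windows XP, Vista and 7: the service name wuauserv is the same everywhere (only the display name differs, Automatic Updates on XP and Windows Update on Vista/7), and the Microsoft.Update.Session COM object exposes the update history with each entry's HResult.

```powershell
# Added example, not from the Forefront Endpoint Protection documentation.
# Assumes Windows PowerShell 2.0 in an elevated prompt (restarting a service
# needs administrator rights).

function Restart-UpdateService {
    # wuauserv is "Automatic Updates" on XP and "Windows Update" on Vista/7.
    $svc = Get-Service -Name wuauserv
    if ($svc.Status -eq 'Running') {
        Restart-Service -Name wuauserv      # the "Restart" case in Step 1
    } else {
        Start-Service -Name wuauserv        # the "Start" case in Step 1
    }
    return (Get-Service -Name wuauserv).Status
}

function Get-UpdateFailures {
    param([int]$Last = 50)                  # how many history entries to inspect
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $take = [Math]::Min($Last, $count)
    # OperationResultCode: 2 = Succeeded, 3 = Succeeded with errors,
    # 4 = Failed, 5 = Aborted. Only the last two carry a useful HResult.
    $searcher.QueryHistory(0, $take) |
        Where-Object { $_.ResultCode -ge 4 } |
        ForEach-Object {
            $label = 'Aborted'
            if ($_.ResultCode -eq 4) { $label = 'Failed' }
            New-Object PSObject -Property @{
                Date   = $_.Date
                Title  = $_.Title
                Result = $label
                # HResult is a signed Int32; X8 prints its two's-complement
                # form, which is the 0x8******* value shown in the notification.
                Error  = ('0x{0:X8}' -f $_.HResult)
            }
        }
}

Write-Host "Windows Update service is now: $(Restart-UpdateService)"
Write-Host 'Recent failed or aborted update operations (use the Error column in Step 2):'
Get-UpdateFailures | Format-Table Date, Error, Result, Title -AutoSize
```

Entries whose Title mentions "Forefront Endpoint Protection" or "definition" are the ones relevant to this topic; the Error column is the code to search for in Step 2.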

Forefront Endpoint Protection detects a threat but can't remediate it
When Microsoft Forefront Endpoint Protection 2010 detects a potential threat inside a compressed
file with a .zip file name extension or within a network share, it tries to quarantine or remove the
threat.

Symptom
You might receive a notice that Forefront Endpoint Protection was not able to apply your actions.

Cause
In most cases, this problem occurs because Forefront Endpoint Protection doesn't have access to the
location of the infected file.

Solution
Remove or scan the file



   •   If the detected threat was in a .zip file, browse to the .zip file, and then either remove the file
       or scan it by right-clicking the file and selecting Scan with Forefront Endpoint Protection. If
       Forefront Endpoint Protection detects additional threats in the file, it notifies you about
       these threats and enables you to choose an appropriate action.

   •   If the detected threat was in a network share, browse to the network share and scan it by
       right-clicking the file and selecting Scan with Forefront Endpoint Protection. If Forefront
       Endpoint Protection detects additional threats in the network share, it notifies you about
       these threats and enables you to choose an appropriate action.

   •   If you're not sure of the file's origin, one of the best solutions is to run a full scan on your
       computer. (For more information, see Scanning for viruses, spyware, and other potentially
       unwanted software.) A full scan may take some time to complete, but it makes it possible for
       Forefront Endpoint Protection to look for the source of the infection and clean it.
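The right-click "Scan with Forefront Endpoint Protection" action can be scripted, with an access check first, because the Cause section says the usual reason for a failed remediation is that the client cannot reach the location. The following is an added example and is not part of the Forefront Endpoint Protection documentation. It assumes Windows PowerShell 2.0 and that the FEP 2010 client ships the command-line scanner MpCmdRun.exe, whose -Scan -ScanType 3 -File switches run a custom scan of one file or folder; the install folders it looks in are assumptions, so the script falls back to searching Program Files, and the two target paths are constructed samples.

```powershell
# Added example, not from the Forefront Endpoint Protection documentation.
# Assumes Windows PowerShell 2.0 and the FEP 2010 client's MpCmdRun.exe.

function Find-MpCmdRun {
    # Assumed install locations; searched if neither exists.
    $candidates = @("$env:ProgramFiles\Microsoft Security Client\Antimalware\MpCmdRun.exe",
                    "$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe")
    foreach ($c in $candidates) { if (Test-Path $c) { return $c } }
    $hit = Get-ChildItem -Path $env:ProgramFiles -Filter MpCmdRun.exe -Recurse `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($hit) { return $hit.FullName }
    throw 'MpCmdRun.exe not found; is the Forefront Endpoint Protection client installed?'
}

function Invoke-FepScan {
    param([string]$Path)
    # Access check: an unreachable share or a file the current account cannot
    # read is exactly the "doesn't have access" case described under Cause.
    if (-not (Test-Path -LiteralPath $Path)) {
        return "Cannot reach '$Path' as $env:USERNAME; fix access (share permissions, " +
               "mapped drive, credentials) before scanning."
    }
    $exe = Find-MpCmdRun
    # -ScanType 3 is a custom scan limited to the given file or folder, the
    # same scope as the right-click "Scan with Forefront Endpoint Protection".
    & $exe -Scan -ScanType 3 -File $Path
    # A non-zero exit code means a threat was found or the scan failed; the
    # FEP client UI (History tab) records the action taken.
    return "MpCmdRun exit code $LASTEXITCODE for '$Path'"
}

# Constructed sample targets; replace with the path named in the notification.
Invoke-FepScan 'C:\Users\Public\Downloads\suspect.zip'
Invoke-FepScan '\\fileserver\share\folder'
```

Run it in the same user context that received the "not able to apply your actions" notice; if Test-Path fails for the share while the file is visible from another account, the problem is permissions on the share rather than the scanner, and a full scan of the local computer (the third bullet above) is still the right next step when the file's origin is unknown.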




DOCUMENT INFO
posted: 2/8/2012
language: English
pages: 264