
Forefront Endpoint Protection

Jack Cobben

Page number 1

1. Contents
2. Release Notes (p. 8)
   Microsoft Forefront Endpoint Protection 2010 (p. 8)
      Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails (p. 8)
      X-axis labels not displaying properly for the Antimalware Protection Summary report (p. 8)
      Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server (p. 9)
   Microsoft Forefront Endpoint Protection 2010 Client Software (p. 9)
      Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients (p. 9)
      Operating system upgrade (p. 9)
      Custom scan on virtual drives in Windows XP (p. 10)
      Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems (p. 10)
      Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full (p. 10)
3. Overview (p. 10)
   Why Use Forefront Endpoint Protection (p. 11)
      Easy to Deploy (p. 11)
      Easy to Manage (p. 11)
      Unified Protection (p. 12)
   Decision Considerations for FEP and the FEP Security Management Pack (p. 12)
4. Dashboard Overview (p. 14)
5. Reports Overview (p. 16)
6. System Requirements (p. 18)
   Prerequisites for Installing Forefront Endpoint Protection on a Server (p. 18)
      Forefront Endpoint Protection Server Prerequisites (p. 18)
      Forefront Endpoint Protection Console Prerequisites (p. 23)
   Prerequisites for Deploying Forefront Endpoint Protection on a Client (p. 23)
   Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack (p. 25)
7. Getting Started (p. 25)
   Getting Assistance (p. 26)
      Where to find Forefront Endpoint Protection Help and Assistance: (p. 26)
   Providing Feedback (p. 27)

Release Notes

8. Planning and Architecture (p. 27)
   Forefront Endpoint Protection 2010 (p. 27)
      Forefront Endpoint Protection and High Availability (p. 28)
   About Configuration Manager Site Topologies and FEP 2010 (p. 29)
      Single-Site Deployment (p. 29)
      Hierarchical Deployment (p. 29)
      Forefront Endpoint Protection Installed on the Parent and Child Sites (p. 30)
      Forefront Endpoint Protection Installed on the Child Sites (p. 31)
   About Basic Setup (p. 32)
      Basic Topology (p. 33)
   About Basic with Remote Reporting Database Setup (p. 33)
      Basic Topology with Remote Reporting Database (p. 33)
   FEP 2010 Security Management Pack (p. 34)
   Forefront Endpoint Protection Client (p. 34)
      Policies (p. 35)
      System Requirements (p. 35)
      Competitive Uninstall (p. 35)
      Forefront Endpoint Protection Client Deployment Options (p. 36)
      Definition Updates (p. 36)
   About Configuring Clients by Using Policies (p. 37)
      Creating and Configuring Policies (p. 37)
      Deploying Policies (p. 38)
   Planning for Definition Updates (p. 41)
   Migrating from Forefront Client Security to Forefront Endpoint Protection (p. 42)
      Client Update for Microsoft Forefront Client Security (1.0.xxxx.0) (p. 42)
9. Server Installation (p. 43)
   FEP 2010 (p. 43)
      Overview of Installing Forefront Endpoint Protection (p. 43)
      Installation Options (p. 45)
      Installing Using Basic Setup (p. 45)
         Prerequisites (p. 46)
      Installing Using Basic with a Remote Reporting Database Setup (p. 48)
      Installing Using Advanced Setup (p. 50)


      Validating Installation (p. 56)
      Configuring the Client Software on a Configuration Manager Site Server (p. 59)
      Moving from a Public RC Version to a Retail Version (p. 61)
      Uninstalling (p. 63)
   FEP 2010 Security Management Pack (p. 64)
      Overview of Installing the Forefront Endpoint Protection Security Management Pack (p. 65)
      About Agents (p. 65)
      Extracting the FEP 2010 Security Management Pack Files (p. 66)
      Importing the FEP 2010 Security Management Pack (p. 67)
      Configuring Client Discovery (p. 68)
      Create a New Management Pack for Customizations (p. 69)
10. Client Deployment (p. 70)
   Overview of Deploying Forefront Endpoint Protection (p. 70)
   FEP 2010 (p. 70)
      Deploying by Using Configuration Manager Packages (p. 72)
      Deploying Manually (p. 74)
      Deploying the Client Software by Using the Command Prompt (p. 75)
      Validating Deployment (p. 76)
      Uninstalling (p. 78)
   Enforcing the Client Software Deployment (p. 80)
      Deploying the FEP Client Software to a FEP Collection (p. 80)
      To create a reinstall advertisement (p. 81)
11. Operations (p. 82)
   Configuring Client Settings by Using Policies (p. 82)
      FEP Policies (p. 83)
      Creating a Policy (p. 83)
      Duplicating a Policy (p. 84)
      Editing a Policy (p. 85)
      Exporting a Policy (p. 87)
      Importing a Policy (p. 88)
      Setting Policy Precedence (p. 88)
      Assigning a Policy to Endpoint Computers (p. 89)
      Using Group Policy with FEP (p. 91)


         Converting FEP Policies to Group Policy (p. 91)
         Merging Settings from Multiple Policy Files (p. 92)
         Exporting Policy Settings to a FEP Policy File (p. 94)
         Configuring and Viewing FEP Group Policy Settings (p. 94)
   FEP Policy Templates (p. 96)
      About Preconfigured Policy Templates (p. 96)
      Applying Policies from the Command Prompt (p. 98)
      Updating Policies from the Command Prompt (p. 101)
   Common Tasks (p. 102)
      Running an Endpoint Protection Scan (p. 102)
      Managing Windows Firewall Protection (p. 104)
      Retrieving the Effective Endpoint Protection Settings (p. 106)
      Forcing Definition Updates (p. 106)
   Configuring Definition Updates (p. 108)
      Configuring Update Synchronization (p. 109)
      Microsoft Update Definition Updates (p. 111)
      File-Share-Based Definition Updates (p. 111)
   FEP Monitoring (p. 113)
      Monitoring Client Status by Using the Dashboard (p. 114)
      Using Alerts to Monitor Malware Detections (p. 116)
      Using Desired Configuration Management to Monitor Client Compliance (p. 120)
   FEP 2010 Security Management Pack Monitoring (p. 125)
      Security Considerations (p. 127)
      Health Rollup (p. 127)
      Object Classes (p. 129)
      About Discovery (p. 130)
      About Views (p. 132)
      About Monitors (p. 133)
      Monitoring Using Overrides (p. 134)
      About Rules (p. 135)
      About Alerts (p. 136)
      About Tasks (p. 136)
      Placing Objects in Maintenance Mode (p. 138)


      Configuring Notification Settings (p. 138)
   FEP 2010 Reports (p. 138)
      Forefront Endpoint Protection Security Reports (p. 138)
      Command options (p. 141)
      Operational Reports (p. 141)
      Displaying Computers Infected by a Specific Malware (p. 144)
      Displaying Recent Malware Infections (p. 145)
      Subscribing to Reports (p. 145)
   FEP 2010 Security Management Pack Reporting (p. 146)
      FEP Health and Deployment Status Schema (p. 146)
      FEP Security Incidents schema (p. 149)
   Disaster Recovery for FEP 2010 on Configuration Manager (p. 155)
      Backup (p. 155)
      Restore (p. 156)
   Automating Day-to-Day Tasks by Using Windows PowerShell (p. 157)
      Deploying or Removing the FEP Client Software (p. 157)
      Assigning and Unassigning FEP Policies to Collections (p. 159)
      Automating Desired Configuration Management (p. 163)
      Automating the FEP Dashboard (p. 167)
      Automating Tasks on Client Computers (p. 170)
      Automating FEP Reports (p. 174)
12. Troubleshooting (p. 177)
   Using the FEP Best Practices Analyzer (p. 178)
   Troubleshooting FEP and Configuration Manager (p. 179)
      FEP Log Files (p. 180)
   Troubleshooting the FEP Security Management Pack and Operations Manager (p. 182)
13. Technical Reference (p. 183)
   FEP 2010 Policy - Default Settings (p. 183)
      Antimalware Settings (p. 183)
      Updates Settings (p. 193)
      Windows Firewall Settings (p. 194)
   Security Management Pack Monitors (p. 195)
      Forefront Endpoint Protection 2010 Security Management Pack Monitors (p. 195)


   Security Management Pack Tasks (p. 196)
      Forefront Endpoint Protection 2010 Security Management Pack Tasks (p. 196)
   FEP ADMX Reference (p. 198)
   FEP2010 Client Help (p. 231)
      Welcome to Microsoft Forefront Endpoint Protection (p. 231)
      Why do I need antivirus and antispyware software? (p. 232)
      How can I tell if my computer is infected with malicious software? (p. 233)
      What should I do if Forefront Endpoint Protection detects malicious software on my computer? (p. 233)
      Using Forefront Endpoint Protection to remove potentially harmful software (p. 234)
      Frequently asked questions about malicious software (p. 235)
      How to help prevent malicious software infections (p. 236)
      How to help prevent malicious software infections (p. 237)
      Getting started (p. 237)
         Understanding alert levels (p. 237)
         What are recommended actions? (p. 239)
         Applying default actions to detected items (p. 239)
      Scanning for viruses, spyware, and other potentially unwanted software (p. 239)
         To scan the areas of your computer that malicious software is most likely to infect (Quick scan) (p. 240)
         To scan all areas of your computer (Full scan) (p. 240)
         To scan specific areas of your computer only (Custom scan) (p. 240)
         Running a custom scan (p. 240)
         To scan a specific file or folder (right-click scan) (p. 240)
         Running a right-click scan (p. 240)
         Scheduling scans (p. 240)
         When is the best time to run a scan on my computer? (p. 241)
         Responding to potential threats after a scan (p. 242)
         How can I view a scan's progress? (p. 242)
         What are advanced scanning options? (p. 242)
         Excluding items from a scan (p. 243)
      What's real-time protection? (p. 244)
         Understanding real-time protection options (p. 244)
         Turning real-time protection on and off (p. 245)


      How do I know that Forefront Endpoint Protection is running on my computer? (p. 246)
         How to set up Forefront Endpoint Protection alerts (p. 247)
      What are virus and spyware definitions? (p. 247)
         How do I keep virus and spyware definitions up to date? (p. 247)
         Running a scan using the latest updates (p. 248)
      How do I remove or restore items quarantined by Forefront Endpoint Protection? (p. 248)
         To remove or restore quarantined items (p. 248)
         How do I add or remove items from the Forefront Endpoint Protection allowed list? (p. 249)
         How do I view or clear the history in Forefront Endpoint Protection? (p. 249)
         What if I want to download or run a program that Forefront Endpoint Protection detects as potentially harmful? (p. 250)
         Privacy settings for detected items (p. 250)
      What is the Microsoft SpyNet Community? (p. 251)
         Reporting suspicious software to Microsoft SpyNet (p. 251)
         Changing your Microsoft SpyNet community membership (p. 251)
         Where can I find the Forefront Endpoint Protection privacy statement? (p. 252)
         Where can I find the Forefront Endpoint Protection license agreement? (p. 252)
      Troubleshooting (p. 252)
         Troubleshooting Update Issues (p. 252)
         I can't start the Forefront Endpoint Protection service (p. 255)
         I can't install Forefront Endpoint Protection (p. 257)
         I can't connect to the Internet issue (General topic) (p. 260)
         Error 0x8******* encountered while virus and spyware definition updates or product upgrades (p. 262)
         Forefront Endpoint Protection detects a threat but can't remediate it (p. 262)


2. Release Notes
These release notes contain information that is required to successfully install, deploy and use Microsoft Forefront Endpoint Protection. They contain information that is not available in the product documentation.

Microsoft Forefront Endpoint Protection 2010


Running a repair on Microsoft Forefront Endpoint Protection 2010 reporting fails

The user account used to run a repair on Forefront Endpoint Protection Reporting must be assigned the Content Manager SQL Server Reporting Services role. For more information about the Content Manager SQL Server Reporting Services role, see Content Manager Role (http://go.microsoft.com/fwlink/?LinkId=207653) in the SQL Server Books Online.

Note: When User Account Control (UAC) is enabled on the SQL Server Reporting Services server, the role assignment cannot be inherited from the following groups, or the repair will fail:

Administrators (local group)
Domain Administrators (domain group)

X-axis labels not displaying properly for the Antimalware Protection Summary report

In some circumstances, when running the Antimalware Protection Summary report, the x-axis labels do not display properly. This occurs only when running Microsoft SQL Server 2008 or SQL Server 2008 R2 Reporting Services. Install one of the following SQL Server cumulative updates to fix the report:

Cumulative Update package 3 for SQL Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=204839)
Cumulative update package 10 for SQL 2008 Service Pack 1 (http://go.microsoft.com/fwlink/?LinkId=204840)

Note: It is recommended that you install the SQL Server cumulative update before installing Forefront Endpoint Protection. If the SQL Server cumulative update is installed after Forefront Endpoint Protection, you need to run a repair on the Microsoft Forefront Endpoint Protection 2010 Reporting component.


Managing the Customer Experience Improvement Program setting on the Forefront Endpoint Protection server

After installing Forefront Endpoint Protection you cannot change your membership in the Customer Experience Improvement Program (CEIP) through the user interface. To manually configure the CEIP setting, modify the following registry key on the Forefront Endpoint Protection server:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config\SqmEnabled

Setting the registry key to 1 joins the CEIP. Setting the registry key to 0 removes membership in the CEIP.

For the change to take effect you need to restart the computer.

Microsoft Forefront Endpoint Protection 2010 Client Software


Managing the Customer Experience Improvement Program setting on Forefront Endpoint Protection clients

Forefront Endpoint Protection clients automatically join the Customer Experience Improvement Program (CEIP). Users can modify this setting; however, the administrator cannot control the CEIP setting via a Forefront Endpoint Protection policy created in the Configuration Manager console. To configure the CEIP setting, create the following registry key on the Forefront Endpoint Protection client computer:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration\SqmConsentApprove

Setting the registry key to 1 joins the CEIP (default). Setting the registry key to 0 removes membership in the CEIP.

After the registry key has been created, the user can no longer change this setting from the Forefront Endpoint Protection client. For the change to take effect you need to restart the computer.
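Because neither the server nor the client CEIP setting can be changed through the product's own interface or policy, the two registry values above are usually audited and set by script. The following is an added example, not code from the product documentation: the registry paths and value names (SqmEnabled, SqmConsentApprove) come from the release notes; the function names and the $FepCeipKeys table are this example's own.

```powershell
# Added example, not from the product documentation: read or set the two CEIP
# registry values described in the release notes. Paths and value names come
# from the text; the function names and the $FepCeipKeys table are mine.

$FepCeipKeys = @{
    Server = @{
        Path = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\config'
        Name = 'SqmEnabled'
        DefaultWhenMissing = $null   # the release notes state no default for the server value
    }
    Client = @{
        Path = 'HKLM:\Software\Policies\Microsoft\Microsoft AntiMalware\Miscellaneous Configuration'
        Name = 'SqmConsentApprove'
        DefaultWhenMissing = 1       # clients join CEIP unless the policy value says otherwise
    }
}

function Get-FepCeipSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Role
    )
    $k = $FepCeipKeys[$Role]
    # Get-ItemProperty returns nothing when either the key or the value is absent.
    $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        $value  = $k.DefaultWhenMissing
        $source = 'not set'
    } else {
        $value  = [int]$item.($k.Name)
        $source = 'registry'
    }
    if ($value -eq 1) { $joined = $true } elseif ($value -eq 0) { $joined = $false } else { $joined = 'unknown' }
    New-Object PSObject -Property @{
        Role   = $Role
        Path   = $k.Path
        Name   = $k.Name
        Value  = $value
        Source = $source
        Joined = $joined
    }
}

function Set-FepCeipSetting {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Server','Client')][string]$Role,
        [Parameter(Mandatory=$true)][bool]$Join
    )
    $k = $FepCeipKeys[$Role]
    if ($Join) { $value = 1 } else { $value = 0 }
    if ($PSCmdlet.ShouldProcess("$($k.Path)\$($k.Name)", "set DWORD to $value")) {
        # The client policy key does not exist until an administrator creates it.
        if (-not (Test-Path $k.Path)) { New-Item -Path $k.Path -Force | Out-Null }
        New-ItemProperty -Path $k.Path -Name $k.Name -PropertyType DWord -Value $value -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect.'
    }
    Get-FepCeipSetting -Role $Role
}

# Usage (run elevated):
#   Get-FepCeipSetting -Role Client
#   Set-FepCeipSetting -Role Client -Join $false -WhatIf
```

Once the client policy value exists, the user can no longer change the setting from the client, so run the audit function first to record the state you are replacing.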

Operating system upgrade


After the operating system on a client computer is upgraded, the Forefront Endpoint Protection client software no longer functions as expected. To avoid this, you must uninstall the Forefront Endpoint Protection client software before running the operating system upgrade. This applies to the following operating system upgrade paths:

Windows XP to Windows Vista
Windows Vista to Windows Vista SP1, Windows Vista SP2, or Windows 7


Custom scan on virtual drives in Windows XP


On computers running Windows XP, malware residing on a virtual drive is not detected during a custom scan of the virtual drive. A virtual drive is created by applications using Application Virtualization (App-V) technology, such as Microsoft Office 2010. Quick scans and full scans properly detect the malware.

Forefront Endpoint Protection does not uninstall Symantec on computers running x64 operating systems
The Forefront Endpoint Protection client software does not uninstall the Symantec Antivirus Corporate Edition client on computers running a 64-bit operating system. On these computers, you need to manually uninstall Symantec software before deploying the Forefront Endpoint Protection client software.

Forefront Endpoint Protection Client stops reporting malware activity when the System Event Log is full
Client malware activity incidents are reported from the client to the Forefront Endpoint Protection server based on the entries in the System event log. If the System event log is full and no new events can be written, no new malware activity is reported to the Forefront Endpoint Protection server. It is recommended that you configure the properties of the System event log to overwrite events when needed, so that new events can be written and are not lost.
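The failure mode above is silent: a full System log produces no error on the server, the client simply stops reporting. The following is an added example, not code from the product documentation, that audits the System log's overflow setting on a client and switches it to overwrite-as-needed where it is not; function names are this example's own, and it uses the Get-EventLog and Limit-EventLog cmdlets.

```powershell
# Added example, not from the product documentation: audit and, if needed,
# correct the System event log retention setting that the release notes
# recommend (overwrite events as needed). Function names are mine.

function Get-SystemLogRetentionStatus {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Get-EventLog -List returns one System.Diagnostics.EventLog object per log.
    $log = Get-EventLog -List -ComputerName $ComputerName | Where-Object { $_.Log -eq 'System' }
    if ($log -eq $null) { throw "System event log not found on $ComputerName" }
    # DoNotOverwrite (or OverwriteOlder with a long retention) can leave the log
    # full, and a full log stops FEP malware activity reporting without an error.
    $atRisk = $log.OverflowAction -ne [System.Diagnostics.OverflowAction]::OverwriteAsNeeded
    New-Object PSObject -Property @{
        ComputerName         = $ComputerName
        OverflowAction       = $log.OverflowAction.ToString()
        MaximumKB            = $log.MaximumKilobytes
        MinimumRetentionDays = $log.MinimumRetentionDays
        EntryCount           = $log.Entries.Count
        AtRisk               = $atRisk
    }
}

function Set-SystemLogOverwriteAsNeeded {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$ComputerName = $env:COMPUTERNAME)
    $status = Get-SystemLogRetentionStatus -ComputerName $ComputerName
    if (-not $status.AtRisk) { return $status }   # already overwriting as needed
    if ($PSCmdlet.ShouldProcess("System event log on $ComputerName", 'set OverflowAction to OverwriteAsNeeded')) {
        Limit-EventLog -LogName System -ComputerName $ComputerName -OverflowAction OverwriteAsNeeded
    }
    Get-SystemLogRetentionStatus -ComputerName $ComputerName
}

# Usage (run elevated; remote use needs remote event log and registry access):
#   Get-SystemLogRetentionStatus
#   Set-SystemLogOverwriteAsNeeded -WhatIf
```

If a Group Policy object manages the System log settings, apply the change there as well, or the local setting will be reverted at the next policy refresh.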

3. Overview
Microsoft Forefront Endpoint Protection 2010 (FEP) is a security and antimalware solution integrated into System Center Configuration Manager 2007, and the Forefront Endpoint Protection Security Management Pack is a security and antimalware management solution for servers and critical, high-priority computers, integrated into System Center Operations Manager 2007. Together, they are a software solution that provides security and antimalware management for desktops, portable computers, and servers. Together they provide a lower total cost-of-ownership enterprise solution that enables desktop administrators in your organization to add security management to their day-to-day operations, within a familiar framework and without requiring specialized security knowledge. FEP and the FEP Security Management Pack leverage the familiar administrative experience of managing and monitoring endpoints. They improve visibility for identifying and remediating potentially vulnerable endpoints while lowering ownership costs by using existing infrastructure for both endpoint management and security. The FEP client software deploys effortlessly to hundreds of thousands of endpoints by using existing System Center Configuration Manager agents, and provides highly accurate detection of known and unknown threats, as well as actively protecting against network-level attacks by managing basic Windows Firewall configurations. FEP and the FEP Security Management Pack provide the following features:

Integration with your existing system management infrastructure
Proven antimalware engine
Reporting functionality
In FEP, policy-based antimalware management
In FEP, Firewall management
Seamless migration from previous antivirus solutions

Why Use Forefront Endpoint Protection


Forefront Endpoint Protection and the FEP Security Management Pack provide seamless integration with the management products you use on a daily basis. The key benefits are described below.

Easy to Deploy
Forefront Endpoint Protection makes it easy for desktop administrators to roll out a large-scale endpoint protection solution to all user desktops and portable computers, while the FEP Security Management Pack makes it simple to roll out real-time alerting and reporting for servers and critical, high-priority client computers. FEP comes complete with policy templates, for both recommended client configurations and typical server workloads, which are ready to use right out-of-the box, taking the guesswork out of security management. While no advanced customization is required, it is easy to customize policies to meet the needs of your organization. Forefront Endpoint Protection supports deployments that are built on the familiar System Center Configuration Manager software distribution infrastructure, while the FEP Security Management Pack, built on System Center Operations Manager, supports servers and critical high-priority client computers. Using Forefront Endpoint Protection, you can deploy the client

Across various topologies, to support non-domain-joined computers and endpoints at different branch offices, in addition to unmanaged (stand-alone) clients.
To seamlessly upgrade or replace previously installed security solutions.
On various Windows operating systems.

Easy to Manage
Forefront Endpoint Protection and the FEP Security Management Pack offer both the desktop administrator and the server administrator a streamlined security management experience. Built on the familiar System Center interfaces, it gives administrators simplified access to the information and tools they need in order to keep their enterprise secure and running, including the following:

In FEP, policy-based administration
Remediation capabilities, including scanning and updating definitions on client computers
Current and historical reporting that enables administrators to answer critical security questions, such as:
What percentage of computers are currently protected?
Is antivirus software installed and turned on?
Are the latest definitions installed?
What malware was detected in the organization?
What computers currently have malware activity?
How can I improve my organizational security?

Forefront Endpoint Protection is built on System Center Configuration Manager, and the FEP Security Management Pack is built on System Center Operations Manager.

Unified Protection
Forefront Endpoint Protection delivers single-agent, multithreat protection for desktops and portable computers, and the FEP Security Management Pack provides management of servers and critical high-priority client computers. Backed by a world-class response center and a dedicated community (Microsoft SpyNet) serving millions of users, the FEP client includes:

Antimalware and antispyware
Rootkit detection and remediation
Critical vulnerability assessment and automatic updates
Integrated Windows Firewall management
Network Inspection System

The FEP client helps users stay secure and productive both at work and on the go with a lightweight, easy-to-use interface. It is built on the same antimalware engine as Microsoft Security Essentials (MSE), which has been delighting millions of consumers with low false positives and high catch rates. Whenever possible, the FEP client automatically solves security issues as they occur without disturbing users, so users can stay safe and continue with their work without contacting their desktop administrators.

Decision Considerations for FEP and the FEP Security Management Pack
Both FEP and the FEP Security Management Pack provide best-of-breed security protection for desktops, portable computers, and servers. You can implement either FEP or the FEP Security Management Pack, or you can implement both to take advantage of the features of each. Choosing when to implement each requires that you evaluate your security needs. Consider the questions in the following table.

If: You are already using System Center Configuration Manager to manage your enterprise
Then: You can easily implement Forefront Endpoint Protection to integrate security into your computer management solution.

If: You are using System Center Operations Manager to manage your data center
Then: You can implement the FEP Security Management Pack to monitor your servers and critical high-priority computers.

If: You need real-time reporting and monitoring for any of your computers or servers
Then: The FEP Security Management Pack can provide real-time monitoring and alerting for the servers (and high-priority client computers) you designate.

If: You are using the Desired Configuration Management (DCM) feature in Configuration Manager
Then: Forefront Endpoint Protection provides additional DCM checks that allow you to report on the status of security areas within your Configuration Manager environment.

If: You are managing any branch offices or non-domain-joined clients
Then: Configuration Manager supports both of these scenarios, and Forefront Endpoint Protection, built on Configuration Manager, can take full advantage of this support.

If: The desktop administrators in your organization are responsible for desktop security
Then: If you have implemented Configuration Manager for desktop administration, your desktop administrators can work within the familiar interface of Configuration Manager.

If: You need historical reporting for malware events
Then: Both Forefront Endpoint Protection and the FEP Security Management Pack are an option for you. Both maintain a historical record of malware information in your organization.

Overview

Page number 14

4. Dashboard Overview
The Forefront Endpoint Protection dashboard provides key information for tracking the status of client software deployments, antimalware activity, definition updates, policy distributions, and client software compliance. The dashboard contains several summary areas displayed on a single page, and works by querying the Configuration Manager Site database and using the resulting data sets to present key metrics in a graphical format.

The Forefront Endpoint Protection dashboard is located in the Configuration Manager console, in the following path in the tree:

Site Database / Computer Management / Forefront Endpoint Protection

The following table describes the summary areas displayed in the Forefront Endpoint Protection dashboard:

Summary area: Client Deployment Status
Description: This area displays the following information:
The number of computers in your organization to which the client software was not targeted.
The number of computers in your organization to which the client software is targeted.

The set of computers to which the client software is targeted is divided into the following deployment states:
Removed
Failed
Pending
Out of date
Deployed

Summary area: Protection Status
Description: This area displays the reporting status for the FEP client software. There are three possible status values:
Protection service off: The number of computers on which the FEP antimalware service is turned off.
Not reporting: The number of computers to which the FEP client has been deployed, but that have not sent a status report back to the Configuration Manager server in the past 14 days.
Healthy: The number of computers running the FEP client software that have sent a status report back to the Configuration Manager server in the past 14 days.

Summary area: Security Status
Description: This area displays information about malware activity in your organization. The possible states of the FEP client software are as follows:
Infected: The number of computers on which the FEP client software has detected active malware.
Restart required: The number of computers running the FEP client software that require a restart in order to complete malware cleaning.
Full scan required: The number of computers running the FEP client software that require a full scan.
Recent malware activity (Last 24 hours): The number of computers on which the FEP client software detected and cleaned malware within the last 24 hours.

Summary area: Definition Status
Description: This area displays information about the age of the FEP antimalware definitions on the client computers. Computers are listed according to the age category into which the definitions fall. The following is a list of possible categories:
Older than 1 week: The number of client computers with definitions more than 1 week old.
Up to 7 days old: The number of client computers with definitions up to 1 week old.
Up to 3 days old: The number of client computers with definitions up to 3 days old.
Up to date: The number of client computers with up-to-date definitions.

Data for this dashboard area is collected by Configuration Manager Desired Configuration Management (DCM) baselines. For more information about DCM baselines and Forefront Endpoint Protection, see Using Desired Configuration Management to Monitor Client Compliance.

Summary area: Policy Distribution Status
Description: This area displays information about the possible policy distribution states for the FEP client software. The following is a list of the possible states:
Failed: The number of computers to which a policy could not be deployed.
Pending: The number of computers to which a policy is in the process of being deployed.
Distributed: The number of computers to which a policy was successfully deployed.

Forefront Endpoint Protection Baselines

This area displays summary status information for FEP client compliance with FEP configuration baselines. For more information, see Using Desired Configuration Management to Monitor Client Compliance.

5. Reports Overview
Reporting in Forefront Endpoint Protection is integrated into the Configuration Manager console. The information is gathered using the standard Configuration Manager data collection mechanism and is stored in the Forefront Endpoint Protection reporting database. Because this information is gathered at scheduled intervals, reports may not reflect the most recent information. Forefront Endpoint Protection presents the information gathered in the reporting database in summary and detailed reports, which contain links that can be clicked to view the related reports. There are several predefined reports located under the Forefront Endpoint Protection Reports node and under the standard Configuration Manager Reporting node; these broadly divide into security reports and operational reports, respectively. The following table is a list of the available reports.

Report name: Antimalware Activity Report
Type: Security
Description: This report provides an overview of antimalware status, malware alerts, and malware detections.

Report name: Antimalware Protection Summary Report
Type: Security
Description: This report provides an overview of antimalware deployment and health.

Report name: Malware Details Report
Type: Security
Description: This report displays further details about a specific malware.

Report name: Computer List Report
Type: Security
Description: This report displays a list of computers that can be filtered by collection, name, protection status, security state, antimalware signature version, detected malware, and last antimalware scan time.

Report name: Computer Details Report
Type: Security
Description: This report displays further details about a specific computer.

Report name: Deployment Overview
Type: Operational
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status per collection.

Report name: Deployment for a specific collection
Type: Operational
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status for a specific collection.

Report name: Computers with a specific deployment state
Type: Operational
Description: This report displays a list of computers in a collection and the specific deployment state.

Report name: Policy Distribution Overview
Type: Operational
Description: This report displays the breakdown of policy distribution states per collection. The report will only enumerate computers with Microsoft Forefront Endpoint Protection 2010 deployed.

Report name: Policy Distribution for a specific collection
Type: Operational
Description: This report displays the policy distribution states for a specific collection.

Report name: Computers with a specific policy distribution state
Type: Operational
Description: This report displays a list of computers in a collection and the specific policy state.

Report name: FEP information for a specific computer
Type: Operational
Description: This report displays a summary of Forefront Endpoint Protection information for a specific computer.


6. System Requirements
To get started with Microsoft Forefront Endpoint Protection 2010, your computers must meet the minimum requirements for installing the Forefront Endpoint Protection server and deploying the Forefront Endpoint Protection client. Use the following topics to help you prepare the computers in your environment:

Prerequisites for Installing Forefront Endpoint Protection on a Server
Prerequisites for Deploying Forefront Endpoint Protection on a Client
Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack

Prerequisites for Installing Forefront Endpoint Protection on a Server

The Forefront Endpoint Protection Setup wizard includes a prerequisites verification that checks that the prerequisites are already installed before you continue with the installation. If the prerequisites verification check identifies missing prerequisites, the check points you to locations where you can download and install the required components.

Forefront Endpoint Protection Server Prerequisites

The following table is the list of minimum requirements for installing the Forefront Endpoint Protection server.

Prerequisite: Memory
Minimum requirements: 2 GB of RAM

Prerequisite: Available disk space
Minimum requirements:
Forefront Endpoint Protection server: 600 MB
Forefront Endpoint Protection database: 1.25 GB
Forefront Endpoint Protection reporting database: 1.25 GB
Notes: For large scale deployments comprised of more than 10,000 client computers, on the computer running Microsoft SQL Server where the Forefront Endpoint Protection reporting database resides, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkId=206862).

Prerequisite: Operating system
Minimum requirements:
Windows Server 2003 Standard, Enterprise, or Datacenter Edition Service Pack 2 (x86 or x64), or
Windows Server 2008 Standard, Enterprise, or Datacenter Service Pack 1 (x86 or x64), or
Windows Server 2008 R2 Standard, Enterprise, or Datacenter (x64)

Prerequisite: Database servers
Minimum requirements:
Microsoft SQL Server 2005 Standard or Enterprise Edition Service Pack 3 (x86 or x64), or
Microsoft SQL Server 2008 Standard or Enterprise (x86 or x64), or
Microsoft SQL Server 2008 R2 Standard or Enterprise (x86 or x64)
Notes: When using an RTM release of SQL Server 2008, make sure that the default instance is defined. If the default instance is not defined, reporting and alerting do not function, because data cannot flow up to the Configuration Manager site server. Verify that all computers that are running SQL Server are joined to the domain, that the user account running Setup is a member of the sysadmin SQL Server role, and that all SQL Server services are running. Additionally, in nonclustered SQL Server environments, the SQL Server services should be configured to start automatically. The user account running Setup will be set as the owner of the following SQL Server databases and jobs:
FEPDB_XXX (database)
FEPDW_XXX (database)
FEP_DataWarehouseMaintenance_FEPDW_XXX (job)
FEP_DB_Maintenance_FEPDB_XXX (job)
FEP_GetNewData_FEPDW_XXX (job)
FEP_GetNewDataOnInstall_FEPDW_XXX (job)

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database
Minimum requirements:
SQL Server Analysis Services
SQL Server Integration Services
SQL Server Reporting Services
SQL Server Agent
Notes: For SQL Server Analysis Services, the user account running Setup, or a domain group that it is a member of, must belong to the server administrator role on your specified SQL Server Analysis Server. For more information, see Analysis Server Properties Dialog Box (http://go.microsoft.com/fwlink/?LinkID=204204). The Forefront Endpoint Protection reporting database and the server running SQL Server Analysis Services must be installed on the same SQL Server instance. On the computer that is running SQL Server Analysis Services, the following ports must be open for incoming traffic:
SQL Server (TCP 1433)
SQL Server Analysis Services (TCP 2383)
For more information, see Configuring the Windows Firewall to Allow SQL Server Access (http://go.microsoft.com/fwlink/?LinkId=128365).
For Forefront Endpoint Protection reporting to function, you must make sure that the Forefront Endpoint Protection client that is installed as part of Forefront Endpoint Protection has access to definition updates via the Configuration Manager client agent, Windows Server Update Services, or Microsoft Update.

Prerequisite: Additional requirements for installing the Forefront Endpoint Protection reporting database on a SQL Server cluster
Minimum requirements:
The name you entered in the SQL Network Name box for your SQL Server cluster must be registered in the domain.
SQL Server Integration Services must be installed on all nodes and must be part of the cluster group.

Prerequisite: Configuration Manager
Minimum requirements: Microsoft System Center Configuration Manager 2007 Service Pack 2 installed with default roles, and either
Microsoft System Center Configuration Manager 2007 R2 installed and configured to use SQL Server Reporting Services, or
Microsoft System Center Configuration Manager 2007 R3 installed and configured to use SQL Server Reporting Services
The following client agents are installed and configured:
Hardware Inventory
Software Distribution
Desired Configuration Management

Prerequisite: Additional requirements
Minimum requirements:
No other version of Forefront Endpoint Protection is installed
Microsoft Windows Installer version 3.1
Microsoft .NET Framework 3.5 Service Pack 1
Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?LinkId=203936)
SQL Server Analysis Management Objects
The computer where Setup is run is not pending a restart from a previous install or update
The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials
Notes: You must install SQL Server Analysis Management Objects on the computer where Setup is run when the Forefront Endpoint Protection reporting database is being installed on a remote computer. You can download the SQL Server Analysis Management Objects for your version of SQL Server from the following locations:
For SQL Server 2008 R2, visit Microsoft SQL Server 2008 R2 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206861), go to the Microsoft SQL Server 2008 R2 Analysis Management Objects section, and download the appropriate file based on your system architecture.
For SQL Server 2008, visit Microsoft SQL Server 2008 Feature Pack (http://go.microsoft.com/fwlink/?LinkId=206625), go to the Microsoft Analysis Management Objects section, and download the appropriate file based on your system architecture.
For SQL Server 2005, visit Feature Pack for Microsoft SQL Server 2005 (http://go.microsoft.com/fwlink/?LinkId=206624), go to the Microsoft SQL Server 2005 Management Objects Collection section, and download the appropriate file based on your system architecture.

Forefront Endpoint Protection Console Prerequisites

The following table is the list of minimum requirements for installing the Forefront Endpoint Protection console.

Prerequisite: Configuration Manager
Minimum requirements:
Microsoft System Center Configuration Manager 2007 Service Pack 2 Console, or
Microsoft System Center Configuration Manager 2007 R2, or
Microsoft System Center Configuration Manager 2007 R3

Prerequisite: Additional requirements
Minimum requirements:
Microsoft .NET Framework 3.5 Service Pack 1
Configuration Manager Hotfix KB2271736 (http://go.microsoft.com/fwlink/?LinkId=203936)
The computer running Setup is not pending a restart from a previous install or update
The user account running Setup is a domain account for the domain of which the Forefront Endpoint Protection server is a member, has local administrative credentials, and has Configuration Manager administrative credentials
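The server prerequisites above require inbound TCP 1433 and TCP 2383 on the computer running SQL Server Analysis Services. The following is an added example, not code from the product documentation: it opens those two ports with netsh advfirewall (available on Windows Server 2008 and later) and restricts the rules to the address of the Configuration Manager site server instead of any source. The rule and function names are this example's own, the choice of the site server as the only allowed source is an assumption (the page does not say which computers connect), and $SiteServerAddress is a placeholder.

```powershell
# Added example, not from the product documentation: open inbound TCP 1433 and
# TCP 2383 on the SQL Server Analysis Services computer, scoped to one remote
# address. Rule names and function names are mine; $SiteServerAddress is a
# placeholder for the Configuration Manager site server (an assumption).

$FepSsasInboundPorts = @(
    @{ Name = 'FEP - SQL Server (TCP 1433)';                   Port = 1433 },
    @{ Name = 'FEP - SQL Server Analysis Services (TCP 2383)'; Port = 2383 }
)

function Add-FepSsasFirewallRule {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # IPv4 address or subnet allowed to reach the ports (placeholder value in usage below).
        [Parameter(Mandatory=$true)][string]$SiteServerAddress
    )
    foreach ($rule in $FepSsasInboundPorts) {
        $target = "$($rule.Name) from $SiteServerAddress"
        if ($PSCmdlet.ShouldProcess($target, 'add inbound allow rule')) {
            # remoteip limits the rule to the given source instead of 'any';
            # profile=domain keeps it from applying on public or private networks.
            $output = netsh advfirewall firewall add rule name="$($rule.Name)" dir=in action=allow `
                protocol=TCP localport=$($rule.Port) remoteip=$SiteServerAddress profile=domain
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for $($rule.Name): $output" }
        }
    }
}

function Get-FepSsasFirewallRule {
    # Print the rules back so the port, direction and remote scope can be verified.
    foreach ($rule in $FepSsasInboundPorts) {
        netsh advfirewall firewall show rule name="$($rule.Name)"
    }
}

# Usage (run elevated on the SSAS computer):
#   Add-FepSsasFirewallRule -SiteServerAddress '192.0.2.10' -WhatIf
#   Get-FepSsasFirewallRule
```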

Prerequisites for Deploying Forefront Endpoint Protection on a Client


The following table is a list of the prerequisites for deploying the Forefront Endpoint Protection client on client computers.

Prerequisite: Configuration Manager
Requirement: A Microsoft System Center Configuration Manager 2007 site that has the Forefront Endpoint Protection server installed.
Note: If you have client computers that do not require the central deployment and management features of Forefront Endpoint Protection server, and you intend to manually install the Forefront Endpoint Protection client, the Configuration Manager prerequisites stated for client computers are not required. For more information, see Deploying the Client Software by Using the Command Prompt.

Prerequisite: Operating system
Requirement:
Windows 7 (x86 or x64), or
Windows 7 XP mode, or
Windows Vista (x86 or x64) or later versions, or
Windows XP Service Pack 2 (x86 or x64) or later versions, or
Windows Server 2008 R2 (x64) or later versions, or
Windows Server 2008 R2 Server Core (x64), or
Windows Server 2008 (x86 or x64) or later versions, or
Windows Server 2003 Service Pack 2 (x86 or x64) or later versions, or
Windows Server 2003 R2 (x86 or x64) or later versions

Note: On the following operating systems, the Forefront Endpoint Protection client software can be installed manually. However, policies cannot be applied to them, nor can they be centrally managed by Forefront Endpoint Protection.
Windows 7 Starter
Windows 7 Home Premium
Windows Vista Basic
Windows Vista Home Premium
Windows XP Home Edition

Prerequisite: Available disk space
Requirement: 255 MB

Prerequisite: Additional requirements
Requirement:
Windows Installer 3.1 or later versions
Filter manager rollup package for Windows XP Service Pack 2 (x86) KB914882 (http://go.microsoft.com/fwlink/?LinkID=207000)

Competitive uninstall

The client installation checks for and uninstalls the following existing antimalware clients:

Symantec Endpoint Protection version 11
Symantec Corporate Edition version 10
McAfee VirusScan Enterprise version 8.5 and version 8.7 and its agent
Forefront Client Security version 1 and the Operations Manager agent
TrendMicro OfficeScan version 8 and version 10

Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack
The following table lists the minimum requirements for importing the Forefront Endpoint Protection Security Management Pack.

Prerequisite: System Center Operations Manager 2007
Minimum requirement: System Center Operations Manager 2007 R2

The following table lists the minimum requirements for the Reporting management pack for use with the Forefront Endpoint Protection Security Management Pack.

Prerequisite: Reporting components
Minimum requirement: Reporting components must be installed for System Center Operations Manager 2007 R2 in order to use the Reporting feature.

7. Getting Started
Before deploying Microsoft Forefront Endpoint Protection 2010, you should read the documentation carefully and plan your deployment according to your business needs. If planned correctly, Forefront Endpoint Protection can reduce your administrative overhead and total cost of ownership. If Forefront Endpoint Protection is deployed without sufficient planning you can disrupt your whole network, because Forefront Endpoint Protection has the potential to affect every computer in your organization.

Because Forefront Endpoint Protection is built on System Center Configuration Manager, you should be familiar with Configuration Manager before you deploy Forefront Endpoint Protection. For more information, see System Center Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=111469). Because the FEP Security Management Pack is built on System Center Operations Manager, you should be familiar with Operations Manager before deploying the FEP Security Management Pack. For more information, see System Center Operations Manager R2 (http://go.microsoft.com/fwlink/?LinkId=205692).

Note: If you are new to Forefront Endpoint Protection, you should experiment in a test network environment before you deploy the product.

Next Steps

Plan the Forefront Endpoint Protection installation. For more information, see Planning and Architecture.
Install Forefront Endpoint Protection on your Configuration Manager Site server. For more information, see FEP 2010.
Import the FEP Security Management Pack on your Operations Manager server. For more information, see FEP 2010 Security Management Pack.
Deploy Forefront Endpoint Protection policies and clients. For more information, see Client Deployment.
Learn about routine operations. For more information, see Operations.

Getting Assistance
The Forefront Endpoint Protection online help and assistance options are available to you when you're planning, deploying, administering, and troubleshooting Forefront Endpoint Protection. Where to find Forefront Endpoint Protection Help and Assistance:

Forefront Endpoint Protection TechNet Library (http://go.microsoft.com/fwlink/?LinkId=188968). The FEP TechNet library contains the most up-to-date product documentation. This documentation is updated as Forefront Endpoint Protection features evolve and new troubleshooting information becomes available.

Forefront Endpoint Security Blog (http://go.microsoft.com/fwlink/?LinkId=196676). The Forefront Endpoint Security blog contains technical articles written by the Forefront Endpoint Protection team, in addition to product announcements and updates.

Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?LinkId=196677). The forum provides a place to discuss Forefront Endpoint Protection with customers and Forefront Endpoint Protection team members. The Forefront Endpoint Protection forum is an excellent way to interact with the Forefront Endpoint Protection team and with other customers worldwide.

The Forefront Endpoint Protection section of the TechNet Wiki (http://go.microsoft.com/fwlink/?LinkId=196679). The TechNet Wiki contains community-generated content about various Microsoft products, including Forefront Endpoint Protection. Through the use of the TechNet Wiki, you can share your knowledge and experience with other members of the community.

Providing Feedback

Your feedback about Microsoft Forefront Endpoint Protection 2010 will be greatly appreciated and will help Microsoft improve Forefront Endpoint Protection. Please submit all feedback to the Forefront Endpoint Protection Forum (http://go.microsoft.com/fwlink/?LinkId=188968).

8. Planning and Architecture


The content in this section is designed to help you plan your Microsoft Forefront Endpoint Protection 2010 installation and the infrastructure required to support it. Before you install Forefront Endpoint Protection, it is recommended that you review the following sections:

Planning Your Deployment
Migrating from Forefront Client Security to Forefront Endpoint Protection

Forefront Endpoint Protection 2010


Forefront Endpoint Protection easily installs into your existing Configuration Manager 2007 deployment. The Forefront Endpoint Protection server installation process automatically installs the required components to the correct servers based upon the Configuration Manager deployment. The following is a list of items that are installed during Forefront Endpoint Protection Setup.

Installation item | Description
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | The Forefront Endpoint Protection Site server extensions for Configuration Manager.
Forefront Endpoint Protection Console Extensions for Configuration Manager | The Forefront Endpoint Protection extensions to the Configuration Manager management console add views to manage and monitor Forefront Endpoint Protection client deployments.
Forefront Endpoint Protection Database | An auxiliary database used by Forefront Endpoint Protection.
Forefront Endpoint Protection Reporting role | Provides historical reports on Forefront Endpoint Protection client malware activity and client protection status.
Forefront Endpoint Protection Reporting database | The database for storing Forefront Endpoint Protection client protection status and malware activity historical data.
Forefront Endpoint Protection Security Client | The Forefront Endpoint Protection client is installed for access to antimalware metadata.

The following items are installed during the installation of Forefront Endpoint Protection Site Server Extensions for Configuration Manager:

The FEP Deployment package.
The FEP Policies package.
The FEP Operations package.
Forefront Endpoint Protection Operations tasks are added to the Configuration Manager right-click context menu and to the Actions pane for computer objects.
Forefront Endpoint Protection desired configuration management configuration baselines and configuration items.
Forefront Endpoint Protection related collections.
Forefront Endpoint Protection client deployment and policy distribution reports are added to Configuration Manager reporting.

Forefront Endpoint Protection and High Availability

Forefront Endpoint Protection is installed on top of Configuration Manager and is dependent on the availability of the Configuration Manager services. The following items are Forefront Endpoint Protection server deployment recommendations for high availability:

Use clustered SQL Server for the Forefront Endpoint Protection reporting database.
Use the System Center Operations Manager Forefront Endpoint Protection Monitoring Management Pack to monitor Forefront Endpoint Protection services.

About Configuration Manager Site Topologies and FEP 2010


Forefront Endpoint Protection can be deployed to a Configuration Manager stand-alone (single) site or to a hierarchical site environment. Installation of Forefront Endpoint Protection on secondary sites is not supported. For more information about Configuration Manager sites, see Understanding Configuration Manager Sites (http://go.microsoft.com/fwlink/?LinkId=196956).

Single-Site Deployment

In a single-site Configuration Manager deployment, Forefront Endpoint Protection is installed on the Configuration Manager site server. The Configuration Manager administrator will perform the following tasks from the Configuration Manager console:

Create or modify Forefront Endpoint Protection policies.
Assign Forefront Endpoint Protection policies to collections.
Deploy Forefront Endpoint Protection clients to collections.
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard.
Configure Forefront Endpoint Protection alerts.
Assign the Forefront Endpoint Protection Desired Configuration Management baselines to collections.

Hierarchical Deployment

In a hierarchical Configuration Manager deployment, there is a parent site that has one or more sites (children) attached to it in the hierarchy. A parent site contains pertinent information about its lower-level sites and it can control many operations at the child sites. A site that has no parent site is known as a central site. For more information about planning and deploying Configuration Manager, see Planning and Deploying the Server Infrastructure for Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=196960). Forefront Endpoint Protection can be installed in the following combinations:

Parent and child sites
Parent site
Child sites

The administrative control requirements will determine where Forefront Endpoint Protection should be installed:

For centralized policy creation and control, install Forefront Endpoint Protection on the parent site. When Forefront Endpoint Protection is also installed on the child sites, policies are replicated from the parent site to the child sites. Installing Forefront Endpoint Protection on the child sites allows the administrator to view the FEP dashboard when connected to the child site via the Configuration Manager console.
To view the Forefront Endpoint Protection Dashboard when connected to a child site via the Configuration Manager console, you must install FEP on the child site.
For decentralized policy creation and control, install Forefront Endpoint Protection on the child sites. You can optionally install the Forefront Endpoint Protection Reporting role at the parent site for centralized company-wide reporting.

Forefront Endpoint Protection Installed on the Parent and Child Sites

In this deployment, the Forefront Endpoint Protection site server extension components are replicated to the child sites. The creation and management of Forefront Endpoint Protection policies is managed centrally by the administrator of the parent site. The administrator at the child site will see the Forefront Endpoint Protection policies from the parent site, but cannot create, modify, or delete policies. The following table lists the Forefront Endpoint Protection tasks that can be accomplished when Forefront Endpoint Protection has been installed on the parent and child sites.

Task | Parent site | Child sites
Deploy Forefront Endpoint Protection clients to collections | Yes | Yes
Create or modify Forefront Endpoint Protection policies | Yes | No
Assign Forefront Endpoint Protection policies to collections | Yes | Yes
Monitor Forefront Endpoint Protection client deployment and policy deployment progress | Yes | Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard | Yes | Yes
Forefront Endpoint Protection Reporting | Yes | Yes
Configure Forefront Endpoint Protection alerts | Yes | Yes
Forefront Endpoint Protection Operations | Yes | Yes

Important: At a child site there are two FEP Deployment packages, one from the parent site and one from the child site. When deploying the Forefront Endpoint Protection client software from the child site you must deploy using the software package from the parent site. The first three letters of the software package's Package ID indicate from which site the software package originates.
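The following PowerShell script is an added example and is not part of the Forefront Endpoint Protection documentation or product. It lists the FEP Deployment packages visible through the Configuration Manager 2007 SMS Provider (WMI class SMS_Package) and reports, for each one, the originating site taken from the first three characters of the Package ID, so that an administrator at a child site can confirm which package is the parent site's before advertising it. The site code "CH1", the package name pattern "*FEP*Deployment*", and running on the site server itself are assumptions; adjust them for your environment.

```powershell
# Added example, not from the FEP documentation.
# Lists FEP Deployment packages and shows which site each Package ID originates from.
# Assumptions: the SMS Provider is local, the child site code is "CH1" (placeholder),
# and the FEP Deployment package name contains "FEP" and "Deployment".
$SiteCode  = "CH1"
$Namespace = "root\SMS\site_$SiteCode"

# SMS_Package is the SMS Provider class for software packages; Name and PackageID are its properties.
$packages = Get-WmiObject -Namespace $Namespace -Class SMS_Package |
    Where-Object { $_.Name -like "*FEP*Deployment*" }

foreach ($pkg in $packages) {
    # Per the documentation, the first three letters of the Package ID are the code of the site that created it.
    $originSite = $pkg.PackageID.Substring(0, 3)
    if ($originSite -eq $SiteCode) {
        $origin = "this site ($SiteCode)"
    } else {
        $origin = "site $originSite (parent site package; use this one for client deployment from the child site)"
    }
    "{0,-10} {1,-40} originates from {2}" -f $pkg.PackageID, $pkg.Name, $origin
}
```

The script only reads from the SMS Provider; it does not change any package or advertisement. If the provider is on a remote server, add -ComputerName to Get-WmiObject.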

When Forefront Endpoint Protection is installed on the child site first and you install Forefront Endpoint Protection on the parent site afterwards, the FEP Policies package on the child site is disabled and the FEP Policies package from the parent site is propagated to the child site. Policies created on the child site no longer exist. Before installing Forefront Endpoint Protection on the parent site, it is recommended that you export the policies from the child site. After installing Forefront Endpoint Protection on the parent site you can import the policies on the parent site. For more information about importing and exporting policies, see Exporting a Policy and Importing a Policy.

Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites. Repair the Forefront Endpoint Protection installation on each child site after Forefront Endpoint Protection is uninstalled from the parent site.

FEP clients deployed at the child sites appear only in the following Client Deployment Status categories at the parent site:

Deployed
Out of date

The reason for this is that the information for these categories is based on Configuration Manager hardware inventory data that the parent site receives from the child sites. The information for the following deployment categories is based on Configuration Manager advertisements: Removed, Failed, and Pending. Since the parent site is not able to see the advertisements created at a child site, deployment information for these categories is not displayed at the parent site. Full deployment status for FEP client software deployed at child sites can be viewed at the child site.

Policy distribution status for FEP policies assigned to collections at a child site can take up to 24 hours to display at the parent site.

Forefront Endpoint Protection Installed on the Child Sites

In this deployment the administrator at each site needs to manage an independent set of Forefront Endpoint Protection policies. Site administrators can share policies by exporting and importing Forefront Endpoint Protection policies from one site to another. For more information about exporting and importing Forefront Endpoint Protection policies, see Exporting a Policy and Importing a Policy.

Note: You can optionally install the Forefront Endpoint Protection Reporting role at the parent site for centralized company-wide reporting.

The following table lists the Forefront Endpoint Protection tasks that can be accomplished when Forefront Endpoint Protection has been installed at the child sites and the Forefront Endpoint Protection Reporting role has been installed at the parent site.

Task | Parent site | Child sites
Deploy Forefront Endpoint Protection clients to collections | No | Yes
Create or modify Forefront Endpoint Protection policies | No | Yes
Assign Forefront Endpoint Protection policies to collections | No | Yes
Monitor Forefront Endpoint Protection via the Forefront Endpoint Protection dashboard | No | Yes
Forefront Endpoint Protection Reporting | Yes | Yes
Configure Forefront Endpoint Protection alerts | No | Yes
Forefront Endpoint Protection Operations | No | Yes

Note: Tasks performed on a child site only affect the devices of that child site.

About Basic Setup


This topic will describe the location of the various Forefront Endpoint Protection components that are installed when you select the Basic topology option in the Forefront Endpoint Protection Setup wizard.

Basic Topology

The Basic topology setup wizard option installs the Forefront Endpoint Protection components based upon the Configuration Manager deployment. No additional hardware is required for this deployment path. The existing Configuration Manager servers will be used. Use this setup option when there is sufficient capacity on the computer running Microsoft SQL Server. The following table lists the location where each of the Forefront Endpoint Protection components will be installed.

Component | Where installed
Forefront Endpoint Protection Database | SQL Server and instance used for the Configuration Manager database.
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | Configuration Manager site server.
Forefront Endpoint Protection Console Extensions for Configuration Manager | Configuration Manager site server.
Forefront Endpoint Protection Reporting role | SQL Server used for the Configuration Manager reporting services.
Forefront Endpoint Protection Reporting database | SQL Server and instance used for the Configuration Manager database.
Forefront Endpoint Protection Security Client | The Forefront Endpoint Protection client is installed for access to malware metadata.

For more information about installing Forefront Endpoint Protection using the Basic topology option, see Installing Using Basic Setup.

About Basic with Remote Reporting Database Setup


This topic will describe the location of the various Forefront Endpoint Protection components that are installed when you select the Basic topology with remote reporting database option in the Forefront Endpoint Protection Setup wizard.

Basic Topology with Remote Reporting Database

The Basic topology with remote reporting database setup wizard option installs the Forefront Endpoint Protection components based upon the Configuration Manager deployment and allows you to specify another Microsoft SQL Server for the Forefront Endpoint Protection Reporting database. When using this wizard you need to have another Microsoft SQL Server already installed and ready for use. Use this option when your existing SQL Server is nearing capacity or you want to separate the Forefront Endpoint Protection reporting data from the Configuration Manager data. The following table lists the location where each of the Forefront Endpoint Protection components will be installed.

Component | Where installed
Forefront Endpoint Protection Database | SQL Server and instance used for the Configuration Manager database
Forefront Endpoint Protection Site Server Extensions for Configuration Manager | Configuration Manager site server
Forefront Endpoint Protection Console Extensions for Configuration Manager | Configuration Manager site server
Forefront Endpoint Protection Reporting role | SQL Server specified during setup
Forefront Endpoint Protection Reporting database | SQL Server specified during setup

For more information about installing Forefront Endpoint Protection using the Basic topology with remote reporting database option, see Installing Using Basic with a Remote Reporting Database Setup.

FEP 2010 Security Management Pack


The Forefront Endpoint Protection Security Management Pack is easy to import into your existing System Center Operations Manager environment. For information about the prerequisites for this management pack, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack. For information about importing this management pack, see Importing the FEP 2010 Security Management Pack.

Forefront Endpoint Protection Client


Forefront Endpoint Protection client deployment refers to the installation and configuration of the Forefront Endpoint Protection client software in your enterprise. Before deploying the Forefront Endpoint Protection client software to computers in your production environment, learn about the deployment process (for more information, see Client Deployment), create a deployment plan based on your organization's security requirements, test your plan in a lab environment, and once you are confident in your plan, proceed to deploy the Forefront Endpoint Protection client software in your production environment.

When planning your deployment, take into consideration the information in the following sections.

Policies

Create Forefront Endpoint Protection policies to match your organization's security settings and apply them to Forefront Endpoint Protection clients. For more information, see About Configuring Clients by Using Policies.

System Requirements

Before deploying the Forefront Endpoint Protection client software, make sure that your client computers meet the minimum system requirements for installation. For more information, see Prerequisites for Deploying Forefront Endpoint Protection on a Client. The Forefront Endpoint Protection client software requires that you install a Network Inspection System hotfix on client computers running one of the following operating systems:

Windows Vista Service Pack 1 (SP1)
Windows Vista Service Pack 2 (SP2)
Windows 7
Windows Server 2008
Windows Server 2008 Service Pack 2 (SP2)
Windows Server 2008 R2

If this hotfix is not already installed on the computer, the Forefront Endpoint Protection client deployment package installs it. Since this hotfix requires the computer to be restarted, consider downloading hotfix KB981889 (http://go.microsoft.com/fwlink/?LinkID=204112) and deploying it to client computers before deploying the Forefront Endpoint Protection client. Note: Network Inspection System (NIS) on the Forefront Endpoint Protection client does not function until the client computer is restarted; however, the antimalware protection functions as normal without a computer restart.

Competitive Uninstall

The Forefront Endpoint Protection client deployment package checks for and uninstalls the existing antimalware client. For a list of antimalware clients that are uninstalled, see Prerequisites for Deploying Forefront Endpoint Protection on a Client. The following is a list of issues that can interfere with uninstalling an existing antimalware client:

If the previously installed antimalware client has a tamper-protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation program will not be able to uninstall the existing antimalware client. See the documentation for the previously installed antimalware client for information about tamper protection or other settings you may need to configure before you can successfully uninstall the software.
If the existing antimalware client is in use by another process when the Forefront Endpoint Protection installation program attempts to uninstall it, the uninstall can fail, and in this instance, the Forefront Endpoint Protection client will not be installed.
If you use a mechanism to automatically distribute and install antimalware to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use Windows Server Update Services (WSUS) to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

Forefront Endpoint Protection Client Deployment Options

The Forefront Endpoint Protection client software can be deployed in two ways, both of which can be used to deploy Forefront Endpoint Protection to client computers in your organization. For more information on client deployment methods, see FEP 2010.

You can use Configuration Manager distribution to centrally manage and monitor the deployment of Forefront Endpoint Protection to client computers in your existing infrastructure. With this method, you can control to which Configuration Manager collections the client is deployed, and utilize the provided reports to determine deployment status or investigate information about computers on which the client failed to deploy and why.

If you are not using Configuration Manager, have computers that are not managed by Configuration Manager, or you prefer an alternative distribution method, you can manually deploy Forefront Endpoint Protection to client computers. In this scenario, you can apply Forefront Endpoint Protection policies using Setup command line switches. For more information on manually deploying Forefront Endpoint Protection with policies, see Deploying the Client Software by Using the Command Prompt.

Definition Updates

Configure the Forefront Endpoint Protection client software to check for updates from multiple sources. For more information, see Configuring Definition Updates.

Definition update method | More information
Configuration Manager/WSUS | For more information about configuring WSUS for definition updates, see Software Updates and Windows Server Update Services Definition Updates.
Microsoft Update | For more information about configuring Microsoft Updates, see Microsoft Update Definition Updates.
File share | For more information about configuring a file share for definition updates, see File-Share-Based Definition Updates.

About Configuring Clients by Using Policies


Client configuration in Forefront Endpoint Protection can be accomplished in a variety of ways. While it is possible to configure each client by logging on locally, this is typically not practical and can be labor intensive. Additionally, it is a challenge to configure consistent settings for large numbers of clients if you attempt to configure all of the desired settings locally. In order to help make client configuration consistent and reliable, you are provided with two ways to author policies and four ways to deploy policies. The way you elect to configure clients can be based on your existing environment, or you may want to create the necessary environment in order to deploy client settings based on factors such as policy merge behavior or ease of deployment.

If you are running a server operating system, you can use preconfigured policy templates that contain optimized settings. Additionally, you can use the Forefront Endpoint Protection Group Policy Tool in order to convert policies that are in XML format into a format that can be used by Group Policy. You can also use this tool to merge existing policies into a single policy or to export the FEP configuration settings from a Group Policy object (GPO) into a policy that can be applied to a computer or server locally or by script. For more information about the Forefront Endpoint Protection Group Policy Tool, see Converting FEP Policies to Group Policy. For more information about preconfigured policy templates for FEP on Configuration Manager, see Creating a Policy. For more information about preconfigured policy templates for the Forefront Endpoint Protection Security Management Pack, see About Preconfigured Policy Templates.

Creating and Configuring Policies

Authoring policies consists of both creating a policy and then configuring the settings that you want to deploy to the clients that will receive the policy. Each authoring method produces an output in a different format. The method by which you author a policy may determine the method by which you can deploy a policy. The two methods available for authoring policies are Configuration Manager with Forefront Endpoint Protection installed, and the Group Policy Editor along with the FEP ADMX. For more information about creating and configuring policies by using Configuration Manager with Forefront Endpoint Protection installed, see FEP Policies. For more information about creating policies by using the Forefront Endpoint Protection Group Policy Tool, see Using Group Policy with FEP. For more information about the policy settings that are available through the FEP ADMX, see the FEP ADMX Reference. You can author policies by using the following methods.

Authoring method: Configuration Manager with Forefront Endpoint Protection installed
Policy can be applied by using: Configuration Manager with Forefront Endpoint Protection installed. Group Policy (export the policy from Configuration Manager and then use the Forefront Endpoint Protection Group Policy Tool to import the exported FEP policy into a Group Policy object). Script (exported policies). FEP client installation (exported policies).
Additional information: Policy settings can be exported by using Configuration Manager with Forefront Endpoint Protection installed. Exported file format is XML. Fewer granular policy settings are available to configure than when using GPEDIT with the FEP ADMX.

Authoring method: GPEDIT with the FEP ADMX
Policy can be applied by using: Group Policy. Script. FEP client installation.
Additional information: Policy settings can be exported by using the Forefront Endpoint Protection Group Policy Tool. Exported file format is XML. Granular policy settings are available with the FEP ADMX.

Deploying Policies

In order to apply configurations to clients, Forefront Endpoint Protection provides four ways to deploy policies. You can decide on a single way to deploy policies or use a combination of ways. For example, if you typically use Group Policy to configure and deploy policies, you might want to continue to use that method in order to deploy FEP policies. Or, you may prefer to use Configuration Manager in order to manage your FEP client settings. Additionally, you might also have non-domain-joined servers that also must receive policy settings. You can install policy settings locally on those servers, or install them by using a script.

Warning: It is not recommended to use both Configuration Manager and Group Policy in order to apply policy settings on the same client. Because Configuration Manager writes to the local policy of the computer, policy configurations deployed via Group Policy will take precedence over any conflicting FEP local policy settings.

You can deploy policies by using the following methods.

Policy deployment method: Configuration Manager with Forefront Endpoint Protection installed
Policy settings merge behavior: Policy merging is not available.
Policies authored by: Only by Configuration Manager with Forefront Endpoint Protection installed.
Additional information: Only one policy can be applied to a computer at any given time. FEP policies are written to the local policy settings. If FEP GPO policy settings are also applied to the same computer, any conflicting FEP GPO policy settings will take precedence over settings that are configured by FEP policy.

Policy deployment method: Group Policy
Policy settings merge behavior: Policy merging is available.
Policies authored by: GPEDIT and ADMX. Settings contained in FEP policy XML files can be imported by using the Forefront Endpoint Protection Group Policy Tool.
Additional information: Policies merge according to Group Policy precedence order and policy filtering. FEP GPO policy settings take precedence over local policy settings.

Policy deployment method: MSI install with parameter switch
Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
Policies authored by: The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed. Preconfigured policies from the Microsoft Download Center. Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
Additional information: FEP settings are written to the local policy. FEP GPO policy settings take precedence over the local policy settings.

Policy deployment method: Script
Policy settings merge behavior: Policy merging is available by using the Forefront Endpoint Protection Group Policy Tool to merge settings contained in multiple policy files. The merged settings can then be exported to a single XML file.
Policies authored by: The exported XML policy file from Configuration Manager with Forefront Endpoint Protection installed. Preconfigured policies from the Microsoft Download Center. Policy settings exported from Group Policy to an XML policy file by using the Forefront Endpoint Protection Group Policy Tool.
Additional information: FEP settings are written to the local policy. FEP GPO policy settings take precedence over the local policy settings.

Planning for Definition Updates


Computers running the FEP client software automatically check for definition updates according to the schedule defined by the policy that is deployed to them. When you are planning for definition updates in your environment, you should consider the following factors:

For Software Update or Windows Server Update Services definition updates:

Ensure you have configured your network to allow communication between the computer running Windows Server Update Services (WSUS) and the internet. For more information about how to configure your network for WSUS, see Configure the Network (http://go.microsoft.com/fwlink/?LinkId=206718) in the WSUS documentation.
You must either manually approve each definition update downloaded from Microsoft Update to your WSUS server, or you can configure an automatic approval rule. For more information about automatic approval rules, see Software Updates and Windows Server Update Services Definition Updates.
You should consider branch office locations and WSUS server locations. If you have client computers distributed among branch offices, depending on the network connection speed and utilization, it may be more efficient to configure those client computers to retrieve definition updates directly from Microsoft Update.

For Microsoft Update definition updates:

If you plan to support direct update via Microsoft Update, ensure that you have the appropriate network ports opened for communication to the Microsoft Update servers.

Tip: To ensure that your client computers always have the latest definition updates, you should enable direct updates via Microsoft Update for all client computers, not just portable computers. For more information about configuring client computers for Microsoft Update, see Microsoft Update Definition Updates.

For File-Share-Based definition updates:

When you configure clients to check a file share for definition updates, by default, clients check the file share first, before checking WSUS or Microsoft Update. This order can be changed. For more information, see Configuring Definition Updates.
Ensure that the client computers connecting to the share in which you stored the definition files have Read permissions.

There are two files to download for each architecture (either x86 or x64):

The antimalware definitions
The network-based exploit definitions

Ensure you download both files for both architectures, and then save those files without renaming them according to the steps described in File-Share-Based Definition Updates.
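The following PowerShell script is an added example and is not part of the Forefront Endpoint Protection documentation. It checks the two things the planning notes above call for on a definition file share: that the security principal representing the client computers holds an Allow rule granting at least Read on the share folder, and that the folder actually contains files (the documentation does not name the definition files, so the script only counts them rather than checking names). The share path \\fileserver\FEPDefinitions and the group CONTOSO\Domain Computers are placeholders; substitute the share and the group (or computer accounts) you use.

```powershell
# Added example, not from the FEP documentation.
# Verifies Read access for client computers on the definition update share.
# Assumptions (placeholders): share path and the group that contains the FEP client computers.
$SharePath = "\\fileserver\FEPDefinitions"
$Principal = "CONTOSO\Domain Computers"

$read = [System.Security.AccessControl.FileSystemRights]::Read

# Get-Acl on a UNC path returns the NTFS ACL of the target folder.
$acl = Get-Acl -Path $SharePath

# Look for an Allow rule for the principal whose rights include every bit of Read.
$readRule = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Principal -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $read) -eq $read)
}

if ($readRule) {
    "OK: $Principal has Read access to $SharePath"
} else {
    "WARNING: $Principal has no Allow rule granting Read on $SharePath; clients will not be able to fetch definitions"
}

# Report what is in the share so a missing architecture or file is noticed early.
$files = Get-ChildItem -Path $SharePath -File -ErrorAction SilentlyContinue
"Files present in share: {0}" -f ($files | Measure-Object).Count
$files | ForEach-Object { "  {0,-40} {1,12:N0} bytes  modified {2}" -f $_.Name, $_.Length, $_.LastWriteTime }
```

Get-Acl reports NTFS permissions only; share-level permissions on the SMB share are evaluated separately and must also allow Read for the same principal. If access is granted through a group other than the one named in $Principal, the check reports a warning even though access works, so set $Principal to the group you actually used.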

Migrating from Forefront Client Security to Forefront Endpoint Protection

The management infrastructure of Forefront Endpoint Protection (FEP) is built on the System Center family of products, while the management infrastructure of Forefront Client Security (FCS) runs on a customized version of Microsoft Operations Manager 2005. Because the two management infrastructures are different, you cannot directly upgrade from FCS to FEP. To migrate from FCS to FEP, perform the following steps:

1. In the FCS console, document the settings for each policy you want to preserve for FEP.
2. In WSUS, unapprove all of the FCS client installation packages. These packages are listed as follows:
   Classification: Updates
   Product: Forefront Client Security
   The updates have names in the following format: Client Update for Microsoft Forefront Client Security (1.0.xxxx.0), where xxxx is the build number of each package. You must unapprove all of the updates.
   Caution: Do not uninstall the FCS client software. Doing so would leave your client computers unprotected. When you deploy the FEP client software, the FEP client software uninstalls the FCS client software for you.
3. Install a new FEP installation on a System Center Configuration Manager server. For steps explaining how to do this, see FEP 2010.
4. Create FEP policies that contain the settings that you want to continue to enforce on your client computers. For more information about FEP policies, see Configuring Client Settings by Using Policies.
5. Deploy the FEP client software to the computers in your organization that are running the FCS client software. For steps on how to deploy the FEP client software, see FEP 2010. The FEP client software uninstalls the FCS client software before installing.
   Important: The uninstall of the FCS client software also uninstalls the Microsoft Operations Manager 2005 agent.
6. After you confirm that all computers running the FCS client software are successfully running the FEP client software, undeploy the FCS policies. In the FCS console, undeploy the policy you created to install the FCS client software. For more information about monitoring FEP client software deployment, see Validating Deployment. For more information about undeploying FCS policies, see Removing an existing installation of Client Security (http://go.microsoft.com/fwlink/?LinkId=206850).

Important: If you uninstall the FCS management infrastructure (the management, collection, collection database, reporting, and reporting database roles), the data stored in the reporting database is no longer accessible. To preserve the historical reporting information stored in the FCS reporting database, do not uninstall your FCS management infrastructure until you no longer need this data.
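The following script is an added example and is not part of the FEP documentation. It performs step 2 of the migration above through the WSUS administration API: it finds every update whose title matches the Client Update for Microsoft Forefront Client Security (1.0.xxxx.0) pattern under the Forefront Client Security product and removes its approvals (which is what "unapprove" means in WSUS; the updates are not declined). It assumes it runs on the WSUS server, or on a computer with the WSUS administration console installed, under an account in the WSUS Administrators group; the -Remove switch is a convenience added here so the script reports first and changes nothing until you ask it to.

```powershell
# Added example, not FEP's or WSUS's own code: unapprove the FCS client update packages.
# Assumptions: WSUS 3.0 administration assembly is installed locally; the caller is a
# WSUS administrator; update titles and the product title follow the format documented above.
param(
    [switch]$Remove   # without -Remove, only report the approvals that would be deleted
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Exact title format from the migration steps; only the build number (xxxx) varies.
$titlePattern = '^Client Update for Microsoft Forefront Client Security \(1\.0\.\d+\.0\)$'

$fcsUpdates = $wsus.GetUpdates() | Where-Object {
    $_.Title -match $titlePattern -and
    ($_.ProductTitles -contains 'Forefront Client Security')
}

if (-not $fcsUpdates) {
    Write-Host 'No FCS client update packages found on this WSUS server.'
    return
}

foreach ($update in $fcsUpdates) {
    $approvals = $update.GetUpdateApprovals()
    if ($approvals.Count -eq 0) {
        Write-Host ("{0}: not approved for any target group" -f $update.Title)
        continue
    }
    foreach ($approval in $approvals) {
        $group = $approval.GetComputerTargetGroup().Name
        if ($Remove) {
            # Deleting the approval object is how WSUS unapproves an update for a group.
            # Decline() is deliberately not called: the procedure asks to unapprove, not decline.
            $approval.Delete()
            Write-Host ("{0}: removed '{1}' approval for group '{2}'" -f $update.Title, $approval.Action, $group)
        } else {
            Write-Host ("{0}: would remove '{1}' approval for group '{2}' (re-run with -Remove)" -f $update.Title, $approval.Action, $group)
        }
    }
}
```

Run it once without -Remove and check that the listed approvals are only the FCS client packages before running it again with -Remove; after the approvals are gone, clients that have not yet received the FCS package will no longer install it, while clients already running FCS keep it until the FEP client replaces it in step 5.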

9. Server Installation
The Microsoft Forefront Endpoint Protection 2010 installation content helps you install Forefront Endpoint Protection using the supported topologies. This section includes the following main topics:

- FEP 2010
- FEP 2010 Security Management Pack

FEP 2010

Installation of Microsoft Forefront Endpoint Protection 2010 consists of downloading Forefront Endpoint Protection, verifying prerequisites, installing the Forefront Endpoint Protection server, and validating that the installation was successful. The steps required to install Forefront Endpoint Protection are described in this section.

Overview of Installing Forefront Endpoint Protection

Install Forefront Endpoint Protection by completing the following steps in order:

Step 1: Download and expand Forefront Endpoint Protection from the Forefront Endpoint Protection download page (http://go.microsoft.com/fwlink/?LinkID=196678).

Important: The path to where Setup files are located must only contain ASCII characters.

Step 2: Verify that your environment meets the prerequisites. For more information, see Prerequisites for Installing Forefront Endpoint Protection on a Server.

Important: If you are installing Forefront Endpoint Protection on a server using one of the following topologies, the Forefront Endpoint Protection client software is deployed on the computer where Setup is run:

- Basic topology
- Basic topology with remote reporting database
- Advanced topology with FEP 2010 Reporting and Alerts

Therefore, before proceeding with this installation, verify that the computer where Setup is run also meets the client software's prerequisites. For more information, see Prerequisites for Deploying Forefront Endpoint Protection on a Client. Additionally, the deployment of the client software can require the computer to be restarted. If you are prompted to restart your computer, you must wait for Setup to complete before restarting.

Step 3: Install the Forefront Endpoint Protection server. For more information, see Installation Options.

Warning: If you are installing the Forefront Endpoint Protection databases on a SQL Server cluster and the active cluster node fails during installation, Setup can fail to complete as expected.

Important: If Setup is run on a Configuration Manager site server with the Configuration Manager agent running, and the topology specified in Step 2 requires the Forefront Endpoint Protection client to be installed, the customized settings need to be reapplied to the Forefront Endpoint Protection client. For more information, see Configuring the Client Software on a Configuration Manager Site Server.

Note: If you select to update from Microsoft Update when finishing Setup, the wizard can take several minutes to close and may appear to be frozen.

Step 4: Validate that the installation succeeded. For more information, see Validating Installation.

Installation Options

This section provides procedures to help you install Forefront Endpoint Protection. You can choose from several different installation topologies, or you can install one or more stand-alone instances of the Forefront Endpoint Protection console. For more information about topologies, see Choosing Your Setup. The following table lists the step-by-step procedures for installing Forefront Endpoint Protection.

Procedure: Installing Using Basic Setup
Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment.

Procedure: Installing Using Basic with a Remote Reporting Database Setup
Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment. In addition, you can specify an alternative Microsoft SQL Server computer name for the Forefront Endpoint Protection reporting configuration.

Procedure: Installing Using Advanced Setup
Description: This procedure details the steps for installing Forefront Endpoint Protection based on the Configuration Manager deployment and lets you specify the features that you want to install. In addition, you can specify alternative Microsoft SQL Server computer names for the Forefront Endpoint Protection database and reporting configuration settings.

Installing Using Basic Setup

This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic topology.

Prerequisites

Before you install the Forefront Endpoint Protection server, make sure that your environment meets all the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint Protection on a Server.

To install the Forefront Endpoint Protection server

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta from the autorun folder in the root of the DVD.
2. Select your preferred language, and then click FEP 2010. The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
3. On the Welcome page:
   a. In the Name box, type your name.
   b. In the Organization box, type the name of your organization, and then click Next.
4. On the Microsoft Software License Terms page, review the license agreement. If you accept the terms and conditions, select the I accept the software license terms check box, and then click Next.
5. On the Installation Options page, select Basic topology, and then click Next.
6. On the Reporting Configuration page, under SQL Reporting Services reporting execution account:
   a. In the URL box, verify the URL of your reporting server.
   b. In the User name box, verify the name of the user account that is used to connect to the reporting server.
   Note: If you specify a domain administrator account, a warning message appears. Prefer a dedicated service account that has only the rights it needs on the report server.
   c. In the Password box, type the password for the specified user account, and then click Next.
7. On the Updates and Customer Experience Options page:
   - If you want to update your Forefront Endpoint Protection installation automatically, select the Use Microsoft Update to keep my products up to date check box.
   - If you want to participate in improving the product by anonymously providing hardware and usage information, select the Join the Customer Experience Improvement Program option.
   Click Next.
8. On the Microsoft SpyNet Policy Configuration page:
   - If you want to participate in improving the antimalware abilities of the Forefront Endpoint Protection client by providing basic telemetry information about detected malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet membership. This option is selected by default.
   - If, in addition to the basic SpyNet membership, you want to provide advanced telemetry information about potential malware, select the Join Microsoft SpyNet check box, and then click Advanced SpyNet membership.
   Click Next.
   Important: These options affect the settings in the Forefront Endpoint Protection default policies. For information about modifying policies, see Configuring Client Settings by Using Policies.
9. On the Installation Location page, specify the root folder for the installation, and then click Next.
10. On the Prerequisites Verification page, review the verification results, and then click Next. If any verification failed, in that row, in the Details column, click More to determine the cause, and then take appropriate action.
11. On the Setup Summary page, review the details, and then click Install. The Installation page shows the installation progress of each installation item. When the installation completes successfully, click Next.
    Important: If you are prompted to restart your computer, you must wait for Setup to complete before restarting.
12. On the Installation Complete page, click Finish.

Important: As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client is installed with customized settings on the Configuration Manager site server. If the Configuration Manager agent is installed on this server, or you did not install Configuration Manager or SQL Server in the default locations, or you did not use the default SQL Server instance, you must recreate or modify the customized settings. For more information, see Configuring the Client Software on a Configuration Manager Site Server.

Next Steps

Once you have completed the installation, you should validate the installation. For more information, see Validating Installation.

Installing Using Basic with a Remote Reporting Database Setup

This topic provides the step-by-step procedure to install Forefront Endpoint Protection using a basic topology with a remote reporting database.

Prerequisites

Before you install the Forefront Endpoint Protection server, make sure that your environment meets all the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint Protection on a Server.

To install the Forefront Endpoint Protection server

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta from the autorun folder in the root of the DVD.
2. Select your preferred language, and then click FEP 2010. The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
3. On the Welcome page:
   a. In the Name box, type your name.
   b. In the Organization box, type the name of your organization, and then click Next.
4. On the Microsoft Software License Terms page, review the license agreement. If you accept the terms and conditions, select the I accept the software license terms check box, and then click Next.
5. On the Installation Options page, select Basic topology with remote reporting database, and then click Next.
6. On the Reporting Configuration page:
   a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings:
      i. In the Computer box, verify the name of the reporting database computer.
      ii. In the Instance box, verify the name of the reporting database instance.
      iii. In the Database name box, accept the default name of the reporting database.
      iv. If you are reinstalling and you want to reuse the existing database, select the Reuse existing database check box.
      Important: If you select this option, you must use the original database name and verify that it exists on the specified SQL Server instance on the specified computer.
   b. Under SQL Reporting Services reporting execution account:
      i. In the URL box, verify the URL of your reporting server.
      ii. In the User name box, verify the name of the user account that is used to connect to the reporting server.
      Note: If you specify a domain administrator account, a warning message appears.
      iii. In the Password box, type the password for the specified user account, and then click Next.
7. On the Updates and Customer Experience Options page:
   - If you want to update your Forefront Endpoint Protection installation automatically, select the Use Microsoft Update to keep my products up to date check box.
   - If you want to participate in improving the product by anonymously providing hardware and usage information, select the Join the Customer Experience Improvement Program option.
   Click Next.
8. On the Microsoft SpyNet Policy Configuration page:
   - If you want to participate in improving the antimalware abilities of the Forefront Endpoint Protection client by providing basic telemetry information about detected malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet membership. This option is selected by default.
   - If, in addition to the basic SpyNet membership, you want to provide advanced telemetry information about potential malware, select the Join Microsoft SpyNet check box, and then click Advanced SpyNet membership.
   Click Next.
   Important: These options affect the settings in the Forefront Endpoint Protection default policies. For information about modifying policies, see Configuring Client Settings by Using Policies.
9. On the Installation Location page, specify the root folder for the installation, and then click Next.
10. On the Prerequisites Verification page, review the verification results, and then click Next. If any verification failed, in that row, in the Details column, click More to determine the cause, and then take appropriate action.
11. On the Setup Summary page, review the details, and then click Install. The Installation page shows the installation progress of each installation item. When the installation completes successfully, click Next.
    Important: If you are prompted to restart your computer, you must wait for Setup to complete before restarting.
12. On the Installation Complete page, click Finish.

Important: As part of the Forefront Endpoint Protection installation, the Forefront Endpoint Protection client is installed with customized settings on the Configuration Manager site server. If the Configuration Manager agent is installed on this server, or you did not install Configuration Manager or SQL Server in the default locations, or you did not use the default SQL Server instance, you must recreate or modify the customized settings. For more information, see Configuring the Client Software on a Configuration Manager Site Server.

Next Steps

Once you have completed the installation, you should validate the installation. For more information, see Validating Installation.

Installing Using Advanced Setup

Using the advanced topology enables you to install individual Forefront Endpoint Protection features. Because you can select one or more of these features during the advanced topology installation, the steps relevant to each feature are described separately. The following is a list of the step-by-step procedures for the advanced topology features:

- To install Configuration Manager Site Server FEP 2010 Extension
- To install FEP 2010 Reporting and Alerts
  Warning: If you are not installing this feature on a Configuration Manager site server, you must perform the following on the servers running the Configuration Manager site server and Configuration Manager WMI Provider roles:
  1. Configure DCOM permissions. For more information, see How to Configure DCOM Permissions for Configuration Manager Console Connections (http://go.microsoft.com/fwlink/?LinkId=206626).
  2. Add the computer on which you are installing Forefront Endpoint Protection reporting to the local SMS Admins security group.
  Note: This feature installs the configuration baselines and configuration items that are used to collect reporting and alerting data. If you are installing on a parent Configuration Manager site, the configuration baselines and configuration items in the child sites are overwritten.
- To install Configuration Manager Console Extension for FEP 2010

Prerequisites

Before you install Forefront Endpoint Protection on a server, make sure that your environment meets all the minimum requirements. For more information, see Prerequisites for Installing Forefront Endpoint Protection on a Server.

To install the Configuration Manager Site Server FEP 2010 Extension

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta from the autorun folder in the root of the DVD.
2. Select your preferred language, and then click FEP 2010. The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
3. On the Welcome page:
   a. In the Name box, type your name.
   b. In the Organization box, type the name of your organization, and then click Next.
4. On the Microsoft Software License Terms page, review the license agreement. If you accept the terms and conditions, select the I accept the software license terms check box, and then click Next.
5. On the Installation Options page, select Advanced topology, and then click Next.

6. On the Advanced Topology page, select Configuration Manager Site Server FEP 2010 Extension, and then click Next.
7. On the Updates and Customer Experience Options page:
   - If you want to update your Forefront Endpoint Protection installation automatically, select the Use Microsoft Update to keep my products up to date check box.
   - If you want to participate in improving the product by anonymously providing hardware and usage information, select the Join the Customer Experience Improvement Program option.
   Click Next.
8. On the Microsoft SpyNet Policy Configuration page:
   - If you want to participate in improving the antimalware abilities of the Forefront Endpoint Protection client software by providing basic telemetry information about detected malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet membership. This option is selected by default.
   - If, in addition to the basic SpyNet membership, you want to provide advanced telemetry information about potential malware, select the Join Microsoft SpyNet check box, and then click Advanced SpyNet membership.
   Click Next.
   Important: These options affect the settings in the Forefront Endpoint Protection default policies. For information about modifying policies, see Configuring Client Settings by Using Policies.
9. On the Installation Location page, specify the root folder for the installation, and then click Next.
10. On the Prerequisites Verification page, review the verification results, and then click Next. If any verification failed, in that row, in the Details column, click More to determine the cause, and then take appropriate action.
11. On the Setup Summary page, review the details, and then click Install. The Installation page shows the installation progress of each installation item. When the installation completes successfully, click Next.
12. On the Installation Complete page, click Finish.

To install FEP 2010 Reporting and Alerts

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta from the autorun folder in the root of the DVD.
2. Select your preferred language, and then click FEP 2010.

   The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
3. On the Welcome page:
   a. In the Name box, type your name.
   b. In the Organization box, type the name of your organization, and then click Next.
4. On the Microsoft Software License Terms page, review the license agreement. If you accept the terms and conditions, select the I accept the software license terms check box, and then click Next.
5. On the Installation Options page, select Advanced topology, and then click Next.
6. On the Advanced Topology page, select FEP 2010 Reporting and Alerts, and then click Next.
7. On the Configuration Manager Site Server Settings page, verify the name of the Configuration Manager site server, and then click Next. If you want to view more details about the site server, click Details.
8. On the Forefront Endpoint Protection 2010 Server Database Configuration page, verify the name of the Forefront Endpoint Protection database, and then click Next.
9. On the Reporting Configuration page:
   a. Under Microsoft Forefront Endpoint Protection 2010 Reporting Database settings:
      i. In the Computer box, verify the name of the reporting database computer.
      ii. In the Instance box, verify the name of the reporting database instance.
      iii. In the Database name box, accept the default name of the reporting database.
      iv. If you are reinstalling and you want to reuse the existing database, select the Reuse existing database check box.
      Important: If you select this option, you must use the original database name and verify that it exists on the specified SQL Server instance on the specified computer.
   b. Under SQL Reporting Services reporting execution account:
      i. In the URL box, verify the URL of your reporting server.
      ii. In the User name box, verify the name of the user account that is used to connect to the reporting server.
      Note: If you specify a domain administrator account, a warning message appears.
      iii. In the Password box, type the password for the specified user account, and then click Next.

10. On the Updates and Customer Experience Options page:
    - If you want to update your Forefront Endpoint Protection installation automatically, select the Use Microsoft Update to keep my products up to date check box.
    - If you want to participate in improving the product by anonymously providing hardware and usage information, select the Join the Customer Experience Improvement Program option.
    Click Next.
11. On the Microsoft SpyNet Policy Configuration page:
    - If you want to participate in improving the antimalware abilities of the Forefront Endpoint Protection client software by providing basic telemetry information about detected malware, select the Join Microsoft SpyNet check box, and then click Basic SpyNet membership. This option is selected by default.
    - If, in addition to the basic SpyNet membership, you want to provide advanced telemetry information about potential malware, select the Join Microsoft SpyNet check box, and then click Advanced SpyNet membership.
    Click Next.
12. On the Installation Location page, specify the root folder for the installation, and then click Next.
13. On the Prerequisites Verification page, review the verification results, and then click Next. If any verification failed, in that row, in the Details column, click More to determine the cause, and then take appropriate action.
14. On the Setup Summary page, review the details, and then click Install. The Installation page shows the installation progress of each installation item. When the installation completes successfully, click Next.
    Important: If you are prompted to restart your computer, you must wait for Setup to complete before restarting.
15. On the Installation Complete page, click Finish.

Important: As part of the FEP 2010 Reporting and Alerts installation, the Forefront Endpoint Protection client software is installed with customized settings. If you are installing Forefront Endpoint Protection on your Configuration Manager site server, and either the Configuration Manager agent is installed on this server, or you did not install Configuration Manager or SQL Server in the default locations, or you did not use the default SQL Server instance, you must recreate or modify the customized settings. For more information, see Configuring the Client Software on a Configuration Manager Site Server.

To install the Configuration Manager Console Extension for FEP 2010

1. Insert the Forefront Endpoint Protection DVD into the DVD drive, or manually run splash.hta from the autorun folder in the root of the DVD.
2. Select your preferred language, and then click FEP 2010. The Microsoft Forefront Endpoint Protection 2010 Server Setup wizard opens.
3. On the Welcome page:
   a. In the Name box, type your name.
   b. In the Organization box, type the name of your organization, and then click Next.
4. On the Microsoft Software License Terms page, review the license agreement. If you accept the terms and conditions, select the I accept the software license terms check box, and then click Next.
5. On the Installation Options page, select Advanced topology, and then click Next.
6. On the Advanced Topology page, select Configuration Manager Console Extension for FEP 2010, and then click Next.
7. On the Installation Location page, specify the root folder for the installation, and then click Next.
8. On the Prerequisites Verification page, review the verification results, and then click Next. If any verification failed, in that row, in the Details column, click More to determine the cause, and then take appropriate action.
9. On the Setup Summary page, review the details, and then click Install. The Installation page shows the installation progress of each installation item. When the installation completes successfully, click Next.
10. On the Installation Complete page, click Finish.

Next Steps

Once you have completed the installation, you should validate the installation. For more information, see Validating Installation.

Validating Installation

Once you have completed the installation, you can validate it by checking for Forefront Endpoint Protection in the Configuration Manager console, or by examining the log files created by Setup.

To verify the Forefront Endpoint Protection server installation

1. Open the Configuration Manager console.
   Note: If the Configuration Manager console was open during the Forefront Endpoint Protection server installation, close and then reopen the console.
2. In the Configuration Manager console, verify that the following are present:
   - The Forefront Endpoint Protection collections: expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Collections, expand FEP collections, and then check for the following collections:
     Definition Status
     Deployment Status
     Operations
     Policy Distribution Status
     Protection Status
     Security Status
   - The Forefront Endpoint Protection packages: expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Software Distribution, click Packages, and then check for the following packages in the preview pane:
     FEP - Deployment
     FEP - Operations
     FEP - Policies
   - The Forefront Endpoint Protection Desired Configuration Management configuration baselines: expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Desired Configuration Management, click Configuration Baselines, and then check for the following configuration baselines in the preview pane:
     FEP - High-Security Desktop
     FEP - Laptop
     FEP - Performance-Optimized Desktop
     FEP - Standard Desktop
     FEP Monitoring - Antimalware Status
     FEP Monitoring - Definitions and Health Status
     FEP Monitoring - Malware Activity
     FEP Monitoring - Malware Detections
   - The Forefront Endpoint Protection node: expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Forefront Endpoint Protection, and then check for the following:
     In the preview pane, the Forefront Endpoint Protection Dashboard
     The Policies child node
     The Alerts child node
     The Reports child node
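The same check can be scripted against the SMS Provider so it can be repeated after every site-server rebuild. The script below is an added example, not part of the FEP documentation: it reads the collections, packages and DCM baselines that Setup creates (the names come from the procedure above) through the Configuration Manager 2007 WMI classes SMS_Collection, SMS_Package and SMS_ConfigurationBaselineInfo and reports which expected objects are missing. It assumes the caller is in the SMS Admins group with WMI access to the provider, and the site code XYZ and the local provider computer are placeholders to replace.

```powershell
# Added example, not FEP's own code: verify the FEP objects in the site database via WMI.
# Assumptions: Configuration Manager 2007 SMS Provider reachable over DCOM/WMI; caller is a
# member of SMS Admins; $SiteCode is a placeholder for your three-character site code.
param(
    [string]$SiteCode = 'XYZ',
    [string]$ProviderComputer = '.'
)

$ns = "root\SMS\site_$SiteCode"

# Object names as listed in the Validating Installation procedure.
$expectedCollections = 'Definition Status', 'Deployment Status', 'Operations',
                       'Policy Distribution Status', 'Protection Status', 'Security Status'
$expectedPackages    = 'FEP - Deployment', 'FEP - Operations', 'FEP - Policies'
$expectedBaselines   = 'FEP - High-Security Desktop', 'FEP - Laptop',
                       'FEP - Performance-Optimized Desktop', 'FEP - Standard Desktop',
                       'FEP Monitoring - Antimalware Status',
                       'FEP Monitoring - Definitions and Health Status',
                       'FEP Monitoring - Malware Activity', 'FEP Monitoring - Malware Detections'

function Test-SmsObjects {
    param([string]$Class, [string]$NameProperty, [string[]]$Expected, [string]$Label)
    # Pull every instance of the class and keep only its display name.
    $present = Get-WmiObject -ComputerName $ProviderComputer -Namespace $ns -Class $Class |
               ForEach-Object { $_.$NameProperty }
    $missing = @($Expected | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Host ("[FAIL] {0}: missing {1}" -f $Label, ($missing -join ', '))
        return $false
    }
    Write-Host ("[ OK ] {0}: all {1} present" -f $Label, $Expected.Count)
    return $true
}

$results = @(
    (Test-SmsObjects 'SMS_Collection' 'Name' $expectedCollections 'FEP collections'),
    (Test-SmsObjects 'SMS_Package' 'Name' $expectedPackages 'FEP packages'),
    (Test-SmsObjects 'SMS_ConfigurationBaselineInfo' 'LocalizedDisplayName' $expectedBaselines 'FEP DCM baselines')
)

# Non-zero exit code lets a deployment pipeline or scheduled task flag a broken install.
if ($results -contains $false) { exit 1 } else { exit 0 }
```

Because the query is by name only, it does not prove the objects are the ones Setup created; if a check fails, open the Setup log for the corresponding component (see Installation Log Files) rather than recreating the objects by hand.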

Installation Log Files

During installation, Forefront Endpoint Protection writes log files that can be helpful in locating and resolving issues. Log files are in text format and you can view them by using a text editor. Server log files are located as follows:

- If you installed Forefront Endpoint Protection on Windows Server 2003: %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server
- If you installed Forefront Endpoint Protection on Windows Server 2008: %ProgramData%\Microsoft Forefront\Support\Server

The file names are in the following format: LogFileName_Date_Time.log, where:

- LogFileName is the name of the log file.
- Date is the day, month, and year the log was created, in the format DDMMYYYY.
- Time is the hour, minute, and second the log file was created, in the format HHMMSS.

The following table lists the server Setup log files and the components with which they are associated.

Log file                                               File name
Forefront Endpoint Protection Site Server Extensions   FEPExt_xxx_xxx.log
Forefront Endpoint Protection Reporting Components     FepReport_xxx_xxx.log
Forefront Endpoint Protection Console Extensions       FEPUX_xxx_xxx.log
Forefront Endpoint Protection Setup                    ServerSetup_xxx_xxx.log

Client log files are, by default, located as follows:

- If you installed Forefront Endpoint Protection on Windows XP, Windows Vista, or Windows Server 2003: %AllUsersProfile%\Microsoft\Microsoft Security Client\Support
- If you installed Forefront Endpoint Protection on Windows 7 or Windows Server 2008: %ProgramData%\Microsoft\Microsoft Security Client\Support

The client Setup log files are:

MSSecurityClient_Setup_epp_install.log
MSSecurityClient_Setup_FEP_install.log
MSSecurityClient_Setup_mp_ambits_install.log
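As an added example that is not part of the FEP documentation, the following script applies the log locations and naming format above to triage a failed server install: it picks the correct directory for the operating system (Windows Server 2003 has no %ProgramData%), selects the newest log for one component (ServerSetup by default; FEPExt, FepReport or FEPUX can be passed instead), and prints the lines that mention an error along with the tail of the file. It assumes the default log location and that the file is plain text; the error keywords are this example's own choice, not a documented log format.

```powershell
# Added example, not FEP's own code: find the newest FEP server Setup log and surface errors.
# Assumptions: default log location from the documentation; logs are plain text; the
# keyword list below is a heuristic chosen for this example.
param(
    [ValidateSet('ServerSetup', 'FEPExt', 'FepReport', 'FEPUX')]
    [string]$Component = 'ServerSetup'
)

# %ProgramData% exists on Windows Server 2008; on Windows Server 2003 use the
# %AllUsersProfile%\Application Data path the documentation lists instead.
$base = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:AllUsersProfile 'Application Data' }
$logDir = Join-Path $base 'Microsoft Forefront\Support\Server'
if (-not (Test-Path $logDir)) { throw "Log directory not found: $logDir" }

# File names follow <Component>_<DDMMYYYY>_<HHMMSS>.log; the newest file by write time is
# the run we care about (the stamp in the name is not parsed, so a copied file still sorts).
$latest = Get-ChildItem -Path $logDir -Filter "${Component}_*.log" |
          Sort-Object LastWriteTime -Descending |
          Select-Object -First 1
if (-not $latest) { throw "No $Component logs found in $logDir" }

Write-Host ("Newest {0} log: {1} ({2})" -f $Component, $latest.FullName, $latest.LastWriteTime)

# Lines that report a failure, with their line numbers so they can be located in an editor.
$hits = Select-String -Path $latest.FullName -Pattern 'error|fail|exception'
if ($hits) {
    Write-Host '--- lines mentioning error/fail/exception ---'
    $hits | ForEach-Object { "{0,6}: {1}" -f $_.LineNumber, $_.Line.Trim() }
} else {
    Write-Host 'No lines mentioning error, fail or exception.'
}

# The last lines usually show where Setup stopped.
Write-Host '--- last 10 lines ---'
Get-Content -Path $latest.FullName | Select-Object -Last 10
```

Run it with the same account that ran Setup so the log directory is readable; for a client-side install failure, point the same logic at the Microsoft Security Client\Support directory and the MSSecurityClient_Setup_*.log names listed above.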

Server Installation

Page number 59 Configuring the Client Software on a Configuration Manager Site Server As part of the Forefront Endpoint Protection installation on the Configuration Manager site server, the Forefront Endpoint Protection client is installed with customized settings. In the following situations, you must recreate or modify the Forefront Endpoint Protection client customized settings:

If you install Forefront Endpoint Protection on a Configuration Manager site server running the Configuration Manager agent, the customized settings are overwritten by the Default Server Policy and can adversely affect the operation of your Configuration Manager site server. To remediate, you must create a new policy and apply it to the Configuration Manager site server. For more information, see Creating and applying the customized policy later. If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environments settings. For more information, see Updating customized settings later.

Creating and applying the customized policy

1. Create a new Forefront Endpoint Protection policy using the FEP Configuration Manager 2007 including Defaults template. For more information, see Creating a Policy.
2. If Microsoft SQL Server is installed on the Configuration Manager site server computer, edit the policy, click Antimalware, click Excluded processes, and add the relevant processes from the following table. For more information about editing policies, see Editing a Policy.

SQL Server version: SQL Server 2008
Processes:
    %programfiles%\Microsoft SQL Server\MSSQL10.<instance>\MSSQL\Binn\SQLServr.exe
    %programfiles%\Microsoft SQL Server\MSAS10.<instance>\OLAP\Bin\MSMDSrv.exe
    %programfiles%\Microsoft SQL Server\MSRS10.<instance>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe

SQL Server version: SQL Server 2005
Processes:
    %programfiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
    %programfiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe
    %programfiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe

where <instance> is the name of your SQL Server instance. The default SQL Server instance is MSSQLSERVER.

3. Select an existing collection, or create a new one, in which the Configuration Manager site server is the only member. If you need to create the collection, do the following:
   a. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, click Collections, and then in the Actions pane, click New Collection.
   b. Complete the New Collection Wizard that appears, as follows:
      i. On the General page, type the name for the collection.
      ii. On the Membership Rules page, click the icon with a computer image.
      iii. Complete the Create Direct Membership Rule Wizard that appears, as follows:
           i. On the Search for Resources page, do the following:
              i. In the Resource class list, click System Resource.
              ii. In the Attribute name list, click Name.
              iii. In the Value box, type the name of your Configuration Manager site server computer.
           ii. On the Collection Limiting page, in the Search in this collection box, enter All Systems.
           iii. On the Select Resource page, in the Resources list, select the name of your Configuration Manager site server computer.
4. Assign the new policy to the collection. For more information, see Assigning a Policy to Endpoint Computers.

Important: If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environment's settings.

Updating customized settings

If Configuration Manager or SQL Server is not installed in the default location, or the SQL Server instance is not MSSQLSERVER, you must update the customized settings to reflect your environment's settings. To update your customized settings, edit the relevant policy or the settings on the Forefront Endpoint Protection client, and modify the paths specified in the following sections:

    Excluded files and locations
    Excluded processes
        Note: This is only required if Microsoft SQL Server is installed on the Configuration Manager site server computer.
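As an added example (not part of this guide), the following PowerShell script checks the SQL Server process exclusions from the table above against the executables the SQL Server services on the site server actually run, which is the check the Updating customized settings section asks for when the install path or instance name differs from the defaults. It assumes the Windows service names MSSQLSERVER/MSSQL$<instance>, MSSQLServerOLAPService/MSOLAP$<instance> and ReportServer/ReportServer$<instance>; the function names are this example's own.

```powershell
# Added example: verify that the SQL Server process exclusions a FEP policy names
# point at the binaries the SQL Server services on this computer really run.
# An exclusion whose path does not exist protects nothing and is easy to miss,
# while a too-broad exclusion (a folder, a wildcard) weakens scanning. Exact
# executable paths, as in the table above, are what the policy should carry.
#
# Assumptions (not from the FEP guide): SQL Server registers the services
# MSSQLSERVER / MSSQL$<instance> (Database Engine), MSSQLServerOLAPService /
# MSOLAP$<instance> (Analysis Services) and ReportServer / ReportServer$<instance>
# (Reporting Services); Win32_Service.PathName holds the quoted executable path
# followed by its arguments. Function names are this example's own.

function Get-SqlServiceExecutable {
    # One object per installed SQL Server service: Role, Instance, Service, Path.
    $services = Get-WmiObject -Class Win32_Service | Where-Object {
        $_.Name -eq 'MSSQLSERVER' -or $_.Name -like 'MSSQL$*' -or
        $_.Name -eq 'MSSQLServerOLAPService' -or $_.Name -like 'MSOLAP$*' -or
        $_.Name -like 'ReportServer*'
    }
    foreach ($svc in $services) {
        # PathName looks like: "C:\...\Binn\sqlservr.exe" -sMSSQLSERVER
        if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($svc.PathName -split ' ')[0] }

        if ($svc.Name -eq 'MSSQLServerOLAPService' -or $svc.Name -like 'MSOLAP$*') { $role = 'Analysis Services' }
        elseif ($svc.Name -like 'ReportServer*') { $role = 'Reporting Services' }
        else { $role = 'Database Engine' }

        # Named instances carry the instance name after '$'; otherwise it is the default instance.
        if ($svc.Name -match '\$(.+)$') { $instance = $Matches[1] } else { $instance = 'MSSQLSERVER' }

        New-Object PSObject -Property @{
            Role = $role; Instance = $instance; Service = $svc.Name; Path = $exe
        }
    }
}

function Get-DocumentedSqlExclusion {
    # The default paths from the table above, with <instance> substituted.
    param(
        [ValidateSet('2005', '2008')] [string] $Version,
        [string] $Instance = 'MSSQLSERVER'
    )
    $root = Join-Path $env:ProgramFiles 'Microsoft SQL Server'
    if ($Version -eq '2008') {
        @(
            (Join-Path $root "MSSQL10.$Instance\MSSQL\Binn\SQLServr.exe"),
            (Join-Path $root "MSAS10.$Instance\OLAP\Bin\MSMDSrv.exe"),
            (Join-Path $root "MSRS10.$Instance\Reporting Services\ReportServer\Bin\ReportingServicesService.exe")
        )
    } else {
        @(
            (Join-Path $root 'MSSQL.1\MSSQL\Binn\SQLServr.exe'),
            (Join-Path $root 'MSSQL.2\OLAP\Bin\MSMDSrv.exe'),
            (Join-Path $root 'MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe')
        )
    }
}

function Test-FepSqlExclusion {
    # For each documented exclusion, report whether the file exists and whether an
    # installed SQL Server service actually runs it; warn about service binaries the
    # documented list misses (those are the paths the customized policy must carry).
    param(
        [ValidateSet('2005', '2008')] [string] $Version,
        [string] $Instance = 'MSSQLSERVER'
    )
    $actual     = @(Get-SqlServiceExecutable)
    $documented = @(Get-DocumentedSqlExclusion -Version $Version -Instance $Instance)

    foreach ($path in $documented) {
        $hit = @($actual | Where-Object { $_.Path -ieq $path })
        New-Object PSObject -Property @{
            Exclusion               = $path
            FileExists              = (Test-Path -LiteralPath $path)
            MatchesInstalledService = ($hit.Count -gt 0)
        }
    }
    foreach ($svc in $actual) {
        if ($documented -notcontains $svc.Path) {
            Write-Warning ("{0} ({1}) runs {2}, which the documented exclusion list does not cover" -f $svc.Role, $svc.Instance, $svc.Path)
        }
    }
}

# Site server with the default SQL Server 2008 instance:
Test-FepSqlExclusion -Version 2008 | Format-Table Exclusion, FileExists, MatchesInstalledService -AutoSize
```

Run it on the site server itself; a row with FileExists False, or a warning naming a path outside the documented list, is exactly the case in which the policy's excluded processes must be edited.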

Moving from a Public RC Version to a Retail Version

There is no way to automatically upgrade from the Public RC version of Forefront Endpoint Protection to the retail version of Forefront Endpoint Protection (FEP). Therefore, in order to move from the Public RC version installed in a lab to the retail version in the same lab or a production environment, use the following guidance:

To manually migrate from the Public RC version of FEP to the retail version of FEP

1. Save the settings of your Public RC version of FEP (optional). To do so, complete the following steps:
    Export your custom FEP policies. For more information, see Exporting a Policy.
    Manually record the following details:
        FEP policy assignments
        FEP policy precedence
        FEP alert e-mail settings and custom notifications
        FEP Desired Configuration Management configuration baseline assignments
2. Uninstall the Public RC version of FEP from your lab servers (optional if you are moving FEP to a production environment). For more information, see Uninstalling.
   Note: If you want to install the retail version with a new FEP reporting database, delete the FEPDW_XXX database on your SQL Server.

3. Install the retail version of FEP on your servers. For more information, see Server Installation.
   Note: If you are reusing the Public RC version of the FEP reporting database, you must install FEP using one of the following installation options:
       Basic topology with remote reporting database
       Advanced topology with FEP 2010 Reporting and Alerts

4. Restore the settings from your Public RC version of FEP (optional). To do so, complete the following steps:
    Import the custom FEP policies you previously exported. For more information, see Importing a Policy.
    Assign FEP policies to collections. For more information, see Assigning a Policy to Endpoint Computers.
    Set FEP policy precedence. For more information, see Setting Policy Precedence.
    Configure FEP alert e-mail settings and create custom notifications. For more information, see Using Alerts to Monitor Malware Detections.
    Assign Desired Configuration Management configuration baselines. For more information, see Using Desired Configuration Management to Monitor Client Compliance.

5. Upgrade the Public RC version of FEP on client computers. To do so, complete the following steps:
   a. Create a static collection based on the computers in the Out of Date FEP collection.
   b. Uninstall the Public RC version of FEP from client computers in the static collection you created. For more information, see Uninstalling.
   c. Deploy the retail version of FEP on client computers in the static collection you created. When you configure the deployment advertisement, it is recommended that you configure the deployment advertisement properties as follows:
      i. In the New Advertisement Wizard, on the Schedule page, next to Mandatory assignments, click the button to create a new assignment schedule, and configure the assignment schedule to rerun once an hour.
      ii. In the Program rerun behavior list, select Rerun if failed previous attempt.
      For more information, see Deploying by Using Configuration Manager Packages.

      Important: There can be a delay of up to an hour from the time a Public RC version of FEP is uninstalled from a client computer until the retail version is installed on it. During this time, these computers are unprotected.
      Note: After the installation package is advertised to a client computer, that computer will no longer be visible in the FEP Out of Date collection.
   d. Monitor the deployment using the Deployment Overview report, and click the links to view the static collection you created.

Uninstalling

There can be up to four Forefront Endpoint Protection entries in the Control Panel depending on the installation options selected during Setup. This topic provides the step-by-step procedures to uninstall each Forefront Endpoint Protection feature from a server. The following table is a list of the Control Panel entries.

Control Panel entry                                       Description
Microsoft Forefront Endpoint Protection 2010              The Forefront Endpoint Protection client software
Microsoft Forefront Endpoint Protection 2010 Console      The Forefront Endpoint Protection console extensions for Configuration Manager
Microsoft Forefront Endpoint Protection 2010 Reporting    The Forefront Endpoint Protection reporting role
Microsoft Forefront Endpoint Protection 2010 Server       The Forefront Endpoint Protection site server extensions for Configuration Manager

To uninstall Forefront Endpoint Protection
1. In the Control Panel, select Programs and Features.
2. Select each Forefront Endpoint Protection entry, and then click Uninstall.

Note: Uninstall does not delete the Forefront Endpoint Protection reporting database, in case you want to install Forefront Endpoint Protection again and reuse the historical data. The following files are not deleted on the computer running SQL Server where the Forefront Endpoint Protection reporting database resides:
    FEPDW_XXX.mdf
    FEPDW_XXX_log.ldf
If you want to delete these database files, delete the FEPDW_XXX database using the SQL Server management console.

Known Issues

The following table is a list of known uninstall issues and their resolutions.

Issue: Uninstalling Forefront Endpoint Protection on the parent site while Forefront Endpoint Protection is also installed on child sites disrupts Forefront Endpoint Protection functionality of the child sites.
Cause: The uninstall removes elements that are used by the child sites, such as policies and configuration baselines. This prevents the transmission of dashboard, reporting, and alerts data from flowing up to the child sites.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the Control Panel on all of the child sites.

Issue: Uninstalling the Forefront Endpoint Protection site server extensions on the Configuration Manager site server while the Forefront Endpoint Protection reporting role is installed disrupts the Forefront Endpoint Protection reporting role.
Cause: The uninstall removes the FEP Collections node, including the collections nodes used by the reporting role.
Resolution: Repair the Microsoft Forefront Endpoint Protection 2010 Reporting installation via the Control Panel.

FEP 2010 Security Management Pack


Installing the Forefront Endpoint Protection Security Management Pack consists of downloading the management pack, verifying the prerequisites, importing the management pack, configuring all of the necessary discovery settings, and verifying that the agents are properly deployed.

The steps required to install the Forefront Endpoint Protection Security Management Pack are described in this section.

Overview of Installing the Forefront Endpoint Protection Security Management Pack

Install the Forefront Endpoint Protection Security Management Pack by completing the following steps in order:
1. Download and extract the Forefront Endpoint Protection Security Management Pack from the Microsoft System Center Management Pack Catalog (http://go.microsoft.com/fwlink/?LinkID=207667). For more information about the management pack files, see Extracting the FEP 2010 Security Management Pack Files.
2. Verify that your environment meets the prerequisites. For more information, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack.
3. Import the Forefront Endpoint Protection Security Management Pack. For more information about importing the management pack, see Importing the FEP 2010 Security Management Pack.
4. Verify that agents have been correctly deployed to client computers. For more information about agents, see About Agents.
5. Configure discovery settings. For more information about discovery, see Configuring Client Discovery.

About Agents

The FEP 2010 Security Management Pack supports agent-managed monitoring. Agent-managed computers have an Operations Manager service installed. This service, which appears as HealthService in the Services list in Computer Management, is the Operations Manager agent. Monitoring computers via agents allows access to all Operations Manager options and functionality; therefore, the vast majority of monitoring is performed this way.

Note: In order to monitor FEP 2010 clients, each client must have the Operations Manager agent installed in addition to the FEP 2010 client. For information about deploying FEP 2010 clients, see Client Deployment.

Deploying Agents

The first step in monitoring your environment is to deploy agents. You can use any of the following ways to deploy Operations Manager agents:
    The Discovery Wizard (through the Operations console)
    The Agent Setup Wizard
    The MOMAgent.msi program, from the command line
    Active Directory, to assign agents to a management group

For more information about working with Operations Manager agents, see Working with Agents (http://go.microsoft.com/fwlink/?LinkId=204242). For more information about deploying agents, see Deploying Windows Agents (http://go.microsoft.com/fwlink/?LinkId=204243).

Extracting the FEP 2010 Security Management Pack Files

In order to import management pack files into Operations Manager, you must first extract the files from the fep2010 security mp.msi package. You can obtain the management pack files from the Microsoft System Center Management Pack Catalog (http://go.microsoft.com/fwlink/?LinkID=207667). You are not required to extract the package locally on the Operations Manager server; however, you must be able to access the files from the Operations Manager console in order to import them.

To Extract Management Pack Files
1. Double-click fep2010 security mp.msi.
   Note: No management pack files are installed or imported to Operations Manager during this procedure. The wizard is used to extract files only.
2. Read and accept the license agreement, and then click Next.
3. On the Select Installation Folder page, specify the folder to which you want to extract the management pack files, and then click Next.
4. On the Confirm Installation page, click Install to extract the package to the specified location. On the Installation Complete page, click Close.
5. Navigate to the file location specified earlier and verify that the following files are present:
    Microsoft.FEPS.Application.mp
    Microsoft.FEPS.Library.mp
    Microsoft.FEPS.Reports.mp

Importing the FEP 2010 Security Management Pack

In order to manage clients by using the Forefront Endpoint Protection 2010 Security Management Pack, you must first import the management pack files into System Center Operations Manager 2007 R2. Before importing the FEP 2010 Security Management Pack, verify that the prerequisites have been met. For more information about required prerequisites, see Prerequisites for Importing the Forefront Endpoint Protection Security Management Pack.

Warning: In order to import the Forefront Endpoint Protection Security Management Pack, you must use an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.

Tip: Enabling detailed logs can be helpful when troubleshooting issues. In order to enable detailed logs, you must add the following registry key:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FEPS\Log]
    Enabled=dword:00000001

To import Forefront Endpoint Protection 2010 Management Packs
1. Log on to the server running System Center Operations Manager 2007 by using an account that is a member of the Operations Manager Administrators role for the Operations Manager 2007 Management Group.
2. In the Operations console, click Administration.
   Note: If you run the Operations console on a computer that is not a Management Server, the Connect to Server dialog box will display. In the Server name text box, type the name of the Operations Manager 2007 Management Server to which you want to connect.
3. Right-click the Management Packs node, and then click Import Management Pack(s).
4. In the Import Management Packs dialog box, click Add, and then click Add from disk.
5. On the Online Catalog Connection dialog box, select No.
   Note: If an error message appears that states System Center Operations Manager cannot connect to the online catalog, ignore the error and proceed with the next step.
6. In the Select Management Packs to import dialog box, change to the directory to which you have downloaded the Microsoft.FEPS.Library.mp, Microsoft.FEPS.Reports.mp (optional), and Microsoft.FEPS.Application.mp files. Select the files, and then click Open.
   Note: The Microsoft.FEPS.Reports.mp is required only if you want to use the Reporting feature.
7. In the Import Management Packs dialog box, verify that Microsoft.FEPS.Library.mp, Microsoft.FEPS.Reports.mp (optional), and Microsoft.FEPS.Application.mp are present in the list, and then click Import to begin the import process. The Import Management Packs page displays and shows the progress for each management pack. Each management pack is downloaded to a temporary directory, imported to the Operations Manager, and then deleted from the temporary directory. If there is a problem at any stage of the import process, select the management pack in the list to view the status details.
   Note: In order to edit the list of Management Packs that you want to import, in the Import Management Packs dialog box, click Add or Remove. After editing the list, click Import to begin the import process.
8. In the dialog box that displays when the import process completes, verify that the icons next to Forefront Endpoint Protection 2010 Management Pack and FEPS Reporting show success, and then click Close.
9. Navigate to the Operations console. In the Operations console, click Monitoring. You can now view the Forefront Endpoint Protection node.

For more information about importing Operations Manager management packs, see How to Import a Management Pack in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkID=98348).

Configuring Client Discovery

In order to monitor and manage clients, they must first be identified. The discovery process in Operations Manager is the process by which clients are identified. When a discovery is performed, an LDAP query is generated and sent to the nearest Active Directory Domain Services domain controller. Once the query is processed, a list of systems that match the specified parameters is returned.

Important: By default, the FEP Security Management Pack is configured to discover endpoints that are running server operating systems. If you want to monitor endpoints that are running client operating systems, you must perform the following procedure.

To configure Discovery for endpoints running client operating systems
1. In the Operations Manager console, navigate to the Authoring view. In the Authoring tree, expand Management Pack Objects, and then click Object Discoveries.
2. On the Operations Manager toolbar, click Scope. In the Look for: search box, enter Protected Client Candidate Discovery, and then click Find Now.
3. In the results pane, right-click Protected Client Candidate Discovery, and then click Overrides, Override the Object Discovery, For all objects of class: Windows Client.
4. In the Override Properties dialog box, in the Override-controlled parameters table, set the following values:
    In the Enabled parameter row, in the Override column, select the check box.
    In the Enabled parameter row, in the Override Value column, select True from the drop-down list box.
5. Click OK to close the dialog box.

For more information about object discovery, see Object Discoveries in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108505). For more information about FEP Security Management Pack discovery, see About Discovery.

Creating a New Management Pack for Customizations

Most vendor management packs are sealed so that you cannot change any of the original settings in the management pack file. However, you can create customizations, such as overrides or new monitoring objects, and save them to a different management pack. By default, Operations Manager 2007 saves all customizations to the Default Management Pack. As a best practice, you should instead create a separate management pack for each sealed management pack you want to customize. Creating a new management pack for storing overrides has the following advantages:

    It simplifies the process of exporting customizations that were created in your test and preproduction environments to your production environment. For example, instead of exporting the Default Management Pack that contains customizations from multiple management packs, you can export just the management pack that contains customizations of a single management pack.
    You can delete the original management pack without first needing to delete the Default Management Pack. A management pack that contains customizations is dependent on the original management pack. This dependency requires you to delete the management pack with customizations before you can delete the original management pack. If all of your customizations are saved to the Default Management Pack, you must delete the Default Management Pack before you can delete an original management pack.
    It is easier to track and update customizations to individual management packs.

For more information about sealed and unsealed management packs, see Management Pack Formats (http://go.microsoft.com/fwlink/?LinkId=108355). For more information about management pack customizations and the Default Management Pack, see About Management Packs in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108356).

10. Client Deployment

Deployment of Microsoft Forefront Endpoint Protection 2010 to client computers consists of verifying prerequisites, uninstalling third-party antimalware products that cannot be uninstalled by Forefront Endpoint Protection, creating and deploying Forefront Endpoint Protection policies, configuring Forefront Endpoint Protection definition updates, deploying the Forefront Endpoint Protection client software, and verifying that the deployment succeeded. Forefront Endpoint Protection for clients is available as a Configuration Manager package. The steps required to deploy Forefront Endpoint Protection to client computers are described in this section.

Overview of Deploying Forefront Endpoint Protection

Deploy Forefront Endpoint Protection to clients by completing the following steps, in order:

Step One: Create Forefront Endpoint Protection policies according to your organization's requirements, set policy precedence, and assign policies to one or more deployment collections. For more information, see Configuring Client Settings by Using Policies.
Step Two: Configure Forefront Endpoint Protection definition update methods based on the settings defined in the Forefront Endpoint Protection policies created in step one. For more information, see Configuring Definition Updates.
Step Three: Deploy the Forefront Endpoint Protection installation package to client computers. For more information, see FEP 2010.

FEP 2010
Once you have finished configuring and deploying policies, you are ready to deploy Forefront Endpoint Protection to client computers. You can deploy in two ways:

    By distributing the client installation packages using Configuration Manager. For instructions, see Deploying by Using Configuration Manager Packages.
    By manually running the installation wizard on the client computer. For instructions, see Deploying Manually and Deploying the Client Software by Using the Command Prompt.

Regardless of the method you use to run the installation program, the program checks for and uninstalls the following antimalware clients:

    Symantec Endpoint Protection version 11
    Symantec Corporate Edition version 10
    McAfee VirusScan Enterprise version 8.5 and version 8.7
    Trend Micro OfficeScan version 8.0 and version 10.0
    Forefront Client Security version 1 including the Operations Manager agent

If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install Forefront Endpoint Protection. Otherwise, the Forefront Endpoint Protection installation program will not be able to uninstall the existing antimalware client. See the documentation for the previously installed antimalware client for information about tamper protection or other settings you may need to configure before you can successfully uninstall the software. In addition, if you use a mechanism to automatically distribute and install antimalware to your client computers, you need to disable automatic installation before you install Forefront Endpoint Protection. For example, if you use WSUS to distribute Forefront Client Security (FCS) to your endpoints, before you install Forefront Endpoint Protection, you need to configure WSUS to not automatically reinstall FCS.

Note: The FEP client software is automatically installed to the following folder:
    %programfiles%\Microsoft Security Client
You cannot change the destination folder. Using the %programfiles% path prevents users who are not members of the local Administrators group on the computer from tampering with the installation of the FEP client software.

The path to where the Setup files are located should only contain ASCII characters.

In some cases, after you restore a computer image on which you installed the FEP client software, the computer is displayed in Configuration Manager in the Locally Removed collection. To resolve this problem, uninstall and reinstall the FEP client software on this computer.

On servers with a large number of short network connections, such as file servers, there may be a performance impact when the Behavior Monitoring policy setting is enabled. It is recommended that you disable the Behavior Monitoring policy setting in the Default Server Policy or any policy you plan to assign to servers.

To disable the Behavior Monitoring policy setting
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Forefront Endpoint Protection, and then click Policies.
2. Double-click the Default Server Policy or another policy that is assigned to servers.
3. In the policy properties dialog box, click the Antimalware tab.
4. In the list, click Real-time protection, in the details clear the check box for Use behavior monitoring, and then click OK to save the policy.

Deploying by Using Configuration Manager Packages

Forefront Endpoint Protection includes a Configuration Manager package that contains the Forefront Endpoint Protection client installation program. To deploy the package, you use the Configuration Manager software distribution feature to send the package data to one or more distribution points, and then create advertisements that specify which collections will receive the program and the package. Advertising the program makes a program available to a specified collection of clients. When you create advertisements, it is strongly recommended that you test advertised programs in a controlled environment before you create advertisements for the clients in your site hierarchy. There are multiple ways to distribute the Forefront Endpoint Protection client software to client computers using the Configuration Manager tools. This topic provides the steps for one of the deployment methods. For information about other distribution methods, see Software Distribution in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=196839).

Important: The Forefront Endpoint Protection server installation does not automatically add the FEP Deployment package to a Configuration Manager distribution point. Before the Forefront Endpoint Protection client software can be installed, the package must be sent to a distribution point. For more information, see How to Manage Distribution Points (http://go.microsoft.com/fwlink/?LinkId=205328).

To deploy Forefront Endpoint Protection 2010 client software
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Collections.
2. Right-click the collection to which you want to deploy the FEP client software, for example, All Systems, point to Distribute, and then click Software. The Distribute Software to Collection Wizard opens.
3. On the Welcome page, click Next.
4. On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation FEP Deployment 1.0 package, click OK, and then click Next.
5. On the Distribution Points page, select the distribution points for the package, and then click Next. Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint Protection client installation package in order for the installation program to run on client computers. For more information, see About Distribution Points (http://go.microsoft.com/fwlink/?LinkId=196840).
6. On the Select Program page, select the Install program, and then click Next.
7. On the Advertisement Name page, enter a name that is less than 100 characters, and then click Next.
8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make your selections, and then click Next.
9. On the Assign Program page, select Yes, assign the program, and then click Next.
10. On the Summary page, review the Details, and then click Next.
11. On the Wizard Completed page, click Close.
12. If necessary, modify the advertisement configuration to suit your environment. For more information, see How to Modify an Advertisement (http://go.microsoft.com/fwlink/?LinkId=196841).

Important: If you delete the advertisement or move a computer out of the collection targeted by the advertisement, the following Forefront Endpoint Protection dashboard deployment status categories can be affected:
    Removed: Once the advertisement has completed, if the client software is uninstalled manually, the computer will show up in the Not Targeted category and not in the expected Removed category. For more information about manually uninstalling the client software, see Uninstalling manually.
    Failed: If the advertisement fails to install the client software, the computer will show up in the Not Targeted category and not in the expected Failed category.

For more information about Forefront Endpoint Protection dashboard deployment status categories, see Dashboard Overview.

Next Steps

Once you've deployed the Forefront Endpoint Protection client software, you should validate the deployment. For more information, see Validating Deployment.

Deploying Manually

In addition to deploying the Forefront Endpoint Protection client software by using Configuration Manager, you can also run the installation program manually as described in this topic. For example, you might want to perform a manual installation for test purposes in a lab environment, or to install the Forefront Endpoint Protection client software on computers that do not have the Configuration Manager agent installed. Ensure that the installation package is accessible from the computer on which you want to install the Forefront Endpoint Protection client software. For example, download the package to your local hard drive or a network share.

To manually install the FEP client software by using the Setup wizard
1. Using an account that has local administrator user rights, log on to the computer on which you want to install Forefront Endpoint Protection.
2. Browse to the location where you stored the installation package, for example, the C:\Temp folder.
3. Double-click FEPInstall.exe and follow the instructions in the wizard.
4. On the Completing the Microsoft Forefront Endpoint Protection 2010 Installation Wizard page, select Scan my computer for potential threats after getting the latest updates to run a scan after downloading definition updates, and then click Finish.

If you chose to download updates and then scan the computer, the Forefront Endpoint Protection Client launches. For more information about using the Forefront Endpoint Protection client, see the FEP Client Help (http://go.microsoft.com/fwlink/?LinkId=206364).

Next Steps

If the computer on which you installed Forefront Endpoint Protection is managed by Configuration Manager, then Configuration Manager will deploy the policies assigned. Once you've deployed the Forefront Endpoint Protection client, you should validate the deployment. For more information, see Validating Deployment.

Deploying the Client Software by Using the Command Prompt

You can install the Forefront Endpoint Protection 2010 client software locally from the command prompt. In order to do so, you must first obtain the installation file FEPInstall.exe. You can also install the client software along with a preconfigured policy. For more information about preconfigured policies, see About Preconfigured Policy Templates.

To install the client software from the command prompt
1. Copy FEPInstall.exe to the server on which you want to install the Forefront Endpoint Protection client software.
2. Open an elevated command prompt, navigate to the folder where FEPInstall.exe is located, and then run the following command, adding any additional switches as necessary:
    FEPInstall.exe
   Note: For the list of FEPInstall.exe switches, see Setup Switches.
3. Follow the on-screen instructions in order to complete the client software installation and to download the antimalware definition updates.

To install the client software along with preconfigured policy settings from the command prompt
1. Copy FEPInstall.exe and the appropriate preconfigured policy package to the server on which you want to install the Forefront Endpoint Protection client software. For information about selecting the proper preconfigured policy templates, see About Preconfigured Policy Templates.
2. Double-click the preconfigured policy package in order to extract the preconfigured policy file templates.
3. Open an elevated command prompt, navigate to the folder where the package is extracted, and then run the following command:
    FEPInstall.exe /policy [full path]\[policy file]
   Note: You must specify the full path for the policy location. For example, in order to install both the client software and the policy called FEP_SQL2008.xml, run the following command:
    FEPInstall.exe /policy c:\fepspolicy\FEP_SQL2008.xml
4. Follow the on-screen instructions in order to complete the client software installation and to download the antimalware definition updates.

Setup Switches

The following table shows the available switches for installing the Forefront Endpoint Protection 2010 client software locally.
Switch      Description
/s          Specifies that a silent Setup should be performed.
/q          Specifies that a silent extraction of the Setup files should be performed.
/i          Specifies that a normal installation should be performed.
/noreplace  Specifies that third-party software uninstallation is not performed during Setup.
/policy     Specifies a policy file to be used to configure the client software during installation.
/sqmoptin   Specifies that this client software installation is opted in to the Microsoft Customer Experience Improvement Program.
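The command-prompt procedure and the switch table above, turned into a script. This is an added example and not code from the FEP documentation or from Microsoft: it wraps FEPInstall.exe so that the /policy argument is always the full path the page requires, the switches are explicit, and the exit code is captured. The function and parameter names are this example's own; exit code 0 for success and 3010 for "reboot required" are Windows Installer conventions assumed here, not values documented for FEPInstall.exe.

```powershell
# Added example, not code from the FEP documentation: a wrapper around
# FEPInstall.exe that enforces the documented "full path" rule for /policy,
# makes the chosen switches explicit, and returns the installer exit code.
# Assumptions: the switch names are those in the Setup Switches table; exit
# code 0 = success and 3010 = success, reboot required are Windows Installer
# conventions and are not documented for FEPInstall.exe.

function Install-FepClient {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $InstallerPath,     # full path to FEPInstall.exe
        [string] $PolicyFile,        # optional preconfigured policy XML, e.g. FEP_SQL2008.xml
        [switch] $Silent,            # /s         silent Setup
        [switch] $NoReplace,         # /noreplace keep third-party antimalware installed
        [switch] $SqmOptIn           # /sqmoptin  opt in to the Customer Experience Improvement Program
    )

    # The documented procedure uses an elevated command prompt; fail early
    # with a clear message instead of letting Setup fail part-way through.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Install-FepClient must run in an elevated PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    $arguments = @()
    if ($Silent)    { $arguments += '/s' }
    if ($NoReplace) { $arguments += '/noreplace' }
    if ($SqmOptIn)  { $arguments += '/sqmoptin' }

    $fullPolicy = $null
    if ($PolicyFile) {
        # /policy requires the full path. Resolve-Path turns a relative name into
        # an absolute one and throws if the file does not exist, so a typo in the
        # policy name is caught here rather than silently installing without policy.
        $fullPolicy = (Resolve-Path -LiteralPath $PolicyFile).ProviderPath
        # Quote the path so a folder name containing spaces survives parsing.
        $arguments += '/policy'
        $arguments += ('"{0}"' -f $fullPolicy)
    }

    $startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
    if ($arguments.Count -gt 0) { $startArgs['ArgumentList'] = $arguments }
    Write-Verbose ('Running: {0} {1}' -f $InstallerPath, ($arguments -join ' '))
    $process = Start-Process @startArgs

    $status = switch ($process.ExitCode) {
        0       { 'Success' }
        3010    { 'SuccessRebootRequired' }   # assumption: Windows Installer convention
        default { 'Failed' }
    }

    New-Object PSObject -Property @{
        ExitCode   = $process.ExitCode
        Status     = $status
        PolicyFile = $fullPolicy
        Command    = ('{0} {1}' -f $InstallerPath, ($arguments -join ' '))
    }
}

# Usage: silent install with the SQL Server 2008 template (paths are examples).
# Install-FepClient -InstallerPath 'C:\FEP\FEPInstall.exe' `
#                   -PolicyFile 'C:\fepspolicy\FEP_SQL2008.xml' -Silent -Verbose
```

Run it from an elevated session on the target computer; a non-zero exit code is returned as an object rather than lost in a closed console window, which matters when the install is pushed through a remote-execution tool.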

Validating Deployment

You can see the status of the Forefront Endpoint Protection client software deployment from the Forefront Endpoint Protection dashboard in the Configuration Manager console. A report can be generated that shows the deployment status by collection. From this report, you can drill down to the deployment status of a specific collection, and then to a specific computer. Additionally, you can view the status of the advertisement in Configuration Manager.

Monitoring the client software deployment from the Forefront Endpoint Protection dashboard
1. Open the Configuration Manager console, expand Computer Management, and select the Forefront Endpoint Protection node.
2. The following information is available in the Client Deployment Status section:
   a. Removed: The number of computers on which the FEP client software was previously deployed and has since been manually removed.
   b. Failed: The number of computers on which the FEP client software deployment failed.
   c. Pending: The number of computers on which the FEP client software deployment has not yet started. Computers that are not connected show as pending until the Configuration Manager advertisement is received.
   d. Out of date: The number of computers running a previous version of the FEP client software.
   e. Deployed: The number of computers on which the FEP client software was successfully installed.
   Clicking the number next to each item takes you to the associated Forefront Endpoint Protection collection.

Monitoring the client software deployment with Forefront Endpoint Protection reporting
1. Open the Configuration Manager console, expand Computer Management, and select the Forefront Endpoint Protection node.
2. In the Links and Resources pane, under Web Reports, click Deployment Overview to generate the Deployment Overview report.

The Deployment Overview report breaks down the status of the client software deployment by collection. To drill down to the Deployment for a specific collection report, click the arrow next to the collection.

Validating the client software deployment

To validate that the Forefront Endpoint Protection client software successfully installed on a computer, click Start, click Control Panel, click Programs, click Programs and Features, and then verify that Microsoft Forefront Endpoint Protection 2010 is listed.

The following table lists the installation log files. By default, log files are written to the following locations:

Operating system                                            Log folder
Windows 7, Windows Server 2008, and Windows Server 2008 R2  %ProgramData%\Microsoft\Microsoft Security Client\Support
Windows XP, Windows Vista, and Windows Server 2003          %allusersprofile%\Microsoft\Microsoft Security Client\Support

Log file name                                    Description
EppSetup.log                                     Master setup log file.
MSSecurityClient_Setup_epp_install.log           User interface and management extension setup log file.
MSSecurityClient_Setup_FEP_install.log           Configuration Manager management extensions setup log file.
MSSecurityClient_Setup_mp_ambits_install.log     Antimalware service setup log file.
MSSecurityClient_Setup_epploc_x86_Install or     Localized resources installation log file (specific to the architecture on the client computer).
MSSecurityClient_Setup_epploc_x64_Install
MSSecurityClient_Setup_amloc-%locale%_install    Log file for installation of localized resources for the antimalware service. %locale% represents the locale for which the install was performed.
MSSecurityClient_Setup_KB981889_Install.evtx     Log file for the installation of Windows patch KB981889. Only present on Windows 7 or Windows Server 2008 R2.
MSSecurityClient_Setup_dw20shared_Install.log    Log file for the installation of Dr. Watson (only installed on computers running Windows XP, and only if not already present).
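The manual Programs and Features check and the log-file table above, as a script that can be run on each client after installation. This is an added example, not code from the FEP documentation: it locates the entry that Programs and Features displays by matching DisplayName in the standard Uninstall registry keys (an assumption about how that entry is registered), picks the log folder by the rule in the table, confirms the fixed-name log files exist, and scans the master log for lines containing "error" or "fail" (a heuristic, since the page does not describe the log format). The antimalware service name MsMpSvc is also an assumption and not taken from the page.

```powershell
# Added example, not code from the FEP documentation: a scripted version of the
# "verify that Microsoft Forefront Endpoint Protection 2010 is listed" check
# plus a look at the setup logs from the table above. Assumptions: the
# Programs and Features entry is found by matching DisplayName in the standard
# Uninstall registry keys; the antimalware service name 'MsMpSvc' is assumed
# and not taken from the page; treating log lines containing "error" or
# "fail" as suspicious is a heuristic, since the page does not describe the
# log format.

function Get-FepSupportLogFolder {
    # Windows 7 / Server 2008 / 2008 R2 use %ProgramData%; XP / Server 2003 use
    # %ALLUSERSPROFILE% (on Vista both resolve to the same folder).
    $base = $env:ProgramData
    if (-not $base) { $base = $env:ALLUSERSPROFILE }
    Join-Path $base 'Microsoft\Microsoft Security Client\Support'
}

function Test-FepClientInstall {
    [CmdletBinding()]
    param([int] $MaxSuspiciousLines = 10)

    # 1. Programs and Features entry (native and WOW6432Node views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Forefront Endpoint Protection 2010*' } |
        Select-Object -First 1

    # 2. Setup log files named in the documentation (the localized, KB and
    #    Dr. Watson logs vary by OS and locale, so only the fixed names are listed).
    $logFolder = Get-FepSupportLogFolder
    $expectedLogs = @(
        'EppSetup.log',
        'MSSecurityClient_Setup_epp_install.log',
        'MSSecurityClient_Setup_FEP_install.log',
        'MSSecurityClient_Setup_mp_ambits_install.log'
    )
    $presentLogs = @(); $missingLogs = @()
    foreach ($name in $expectedLogs) {
        if (Test-Path -LiteralPath (Join-Path $logFolder $name)) { $presentLogs += $name }
        else { $missingLogs += $name }
    }

    # 3. Heuristic scan of the master setup log.
    $masterLog = Join-Path $logFolder 'EppSetup.log'
    $suspicious = @()
    if (Test-Path -LiteralPath $masterLog) {
        $suspicious = @(Select-String -Path $masterLog -Pattern 'error|fail' |
            Select-Object -First $MaxSuspiciousLines | ForEach-Object { $_.Line })
    }

    # 4. Antimalware service state (assumed service name).
    $service = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
    $serviceStatus = 'NotFound'
    if ($service) { $serviceStatus = $service.Status.ToString() }

    $version = $null
    if ($entry) { $version = $entry.DisplayVersion }

    New-Object PSObject -Property @{
        Installed       = ($entry -ne $null) -and (Test-Path -LiteralPath $masterLog)
        DisplayVersion  = $version
        LogFolder       = $logFolder
        PresentLogs     = $presentLogs
        MissingLogs     = $missingLogs
        SuspiciousLines = $suspicious
        ServiceStatus   = $serviceStatus
    }
}

# Usage, on the client after FEPInstall.exe has finished:
# Test-FepClientInstall | Format-List
```

A client that shows Installed = True but a service status other than Running, or suspicious lines in EppSetup.log, is worth looking at before it is counted as protected; the dashboard counts described under Validating Deployment only reflect what the Configuration Manager agent reports back.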

Uninstalling

There are two ways to uninstall Forefront Endpoint Protection from client computers:

By distributing the client uninstall package using Configuration Manager.
By manually running the uninstall wizard on the client computer using a user account that has local administrative credentials.

Important: Uninstalling Forefront Endpoint Protection does not change the firewall settings on the client computer.

Uninstalling using Configuration Manager packages
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Collections.
2. Right-click the collection from which you want to uninstall the Forefront Endpoint Protection client software, for example, All Systems, point to Distribute, and then click Software. The Distribute Software to Collection Wizard opens.
3. On the Welcome page, click Next.
4. On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation FEP Deployment 1.0 package, click OK, and then click Next.
5. On the Distribution Points page, select the distribution points for the package, and then click Next. Configuration Manager uses distribution points to store the files needed by the Forefront Endpoint Protection client uninstall package so that the uninstall program can run on client computers. For more information, see About Distribution Points (http://go.microsoft.com/fwlink/?LinkId=196840).
6. On the Select Program page, select the Uninstall program, and then click Next.
7. On the Advertisement Name page, enter a name that is less than 100 characters, and then click Next.
8. On the Advertisement Subcollection page and on the Advertisement Schedule page, make your selections, and then click Next.
9. On the Assign Program page, select Yes, assign the program, and then click Next.
10. On the Summary page, review the Details, and then click Next.
11. On the Wizard Completed page, click Close.
12. If necessary, modify the advertisement configuration to suit your environment. For more information, see How to Modify an Advertisement (http://go.microsoft.com/fwlink/?LinkId=196841).

Uninstalling manually
1. In Control Panel, start Programs and Features.
2. Select Microsoft Forefront Endpoint Protection 2010, and then click Uninstall.
3. In the Microsoft Forefront Endpoint Protection 2010 Uninstall Wizard that appears, click Uninstall.
4. When the wizard completes the uninstall, click Finish.

Enforcing the Client Software Deployment


If the users of the computers to which you deployed FEP have administrative privileges on those computers, they will be able to uninstall the FEP client software. If this happens, those client computers are unprotected from malware and other unwanted software.

Security Note: It is recommended that you restrict to whom you grant administrative privileges on the client computers in your organization. Additionally, you should investigate how the FEP client software was uninstalled on the client computers.

To mitigate this circumstance, you can configure Configuration Manager to rerun an advertisement of FEP on a specific collection. By configuring the advertisement to always rerun, you can reduce the amount of time computers in your environment may run without protection. To complete the mitigation, you must perform the following tasks:

Create a FEP deployment package to reinstall the FEP client software on the members of the target collection.
Configure the advertisement of the reinstall package to rerun.
Assign the reinstall package to one or more collections.

For more information about deploying the FEP client software by using packages, see Deploying by Using Configuration Manager Packages.

Warning: There are multiple ways to mitigate this scenario. The Locally Removed collection contains all computers from which the client software was locally uninstalled, including servers and high-priority client computers. You should determine whether you need to rerun the advertisement on all collection members or whether you need to target your rerun advertisement only at specific computers.

Deploying the FEP Client Software to a FEP Collection

One of the preconfigured collections created by the Forefront Endpoint Protection installation on Configuration Manager is the FEP Collections\Deployment Status\Locally Removed collection. Computers listed in this collection previously had the FEP client software installed, but it was locally uninstalled.

Note: If you remove the FEP client software by using an advertisement of the FEP Deployment Uninstall package, the client computers that receive the advertisement do not appear in the Locally Removed collection.

You can create a new collection containing the members of the Locally Removed collection, and then target the members of the new collection with software distribution and an advertisement.

To create a reinstall advertisement
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Collections, expand FEP Collections, and then expand Deployment Status.
2. In the tree, click Locally Removed.
3. In the details area, select the computers on which you want to reinstall the FEP client software, right-click a selected computer, point to Distribute, and then click Software. The Distribute Software to Resource Wizard opens.
4. In the Distribute Software to Resource Wizard, on the Welcome page, click Next.
5. On the Package page, click Select an existing package, click Browse, click the Microsoft Corporation FEP Deployment 1.0 package, click OK, and then in the wizard, click Next.
6. On the Distribution Points page, in the Distribution points list, select the check box next to the distribution points to which you want to copy the package, and then click Next.
7. On the Select Program page, in the Programs list, select the Install program, and then click Next.
8. On the Advertisement Target page, select the option Create a new collection containing this resource and advertise this program to the new collection, and then click Next.
9. On the New Collection page, type a name for the collection, and then click Next.
10. On the Collection Membership Rules page, in the membership rules list, ensure all the required computers are listed, and then click Next.
11. On the Advertisement Name page, type a name for the advertisement, and then click Next.
    Note: Advertisement names are limited to 100 characters.
12. On the Advertisement Subcollection page, select the Advertise the program to members of the collection and its subcollections option, and then click Next.
13. On the Advertisement Schedule page, next to Advertise the program after, set the time to the current time, select the No, this advertisement never expires option, and then click Next.
14. On the Assign Program page, select the Yes, assign the program option, select the Ignore maintenance windows when running program check box, and then click Next.
15. On the Summary page, review the Details, click Next, and then on the Wizard Completed page, click Close.

You should monitor the deployment status for the client computers in the new collection. After the advertisement has been assigned to the computers in this new collection, the computers are moved into the Pending Deployment FEP collection. This is the same process that happens after you deploy the FEP client software initially. For more information about that process, see Validating Deployment.

11. Operations

This Operations content helps you configure and use Microsoft Forefront Endpoint Protection 2010 and the FEP Security Management Pack. The content for this version of FEP includes the following main topics:

Configuring Client Settings by Using Policies
Common Tasks
Configuring Definition Updates
Monitoring
Using Reports in FEP
Disaster Recovery for FEP 2010 on Configuration Manager
Automating Day-to-Day Tasks by Using Windows PowerShell

Configuring Client Settings by Using Policies

Forefront Endpoint Protection provides a number of ways to create, edit, and deploy configuration settings to FEP clients. For information about decision points to help you determine which policy authoring and deployment methods are best for your environment, see About Configuring Clients by Using Policies. This section includes the following main topics:

FEP Policies
Using Group Policy with FEP
FEP Policy Templates

FEP Policies

Forefront Endpoint Protection policies are assigned to computers running the FEP client software. The following content will help you work with Forefront Endpoint Protection policies.

Creating a Policy

Forefront Endpoint Protection policy settings define the various configuration options of the Forefront Endpoint Protection client software that you can manage. For example, administrators can manage the scan schedule, the location and frequency of definition updates, and scan exclusions. Forefront Endpoint Protection policy settings that you specify are contained in a Forefront Endpoint Protection policy object. Policies do not affect computers running the Forefront Endpoint Protection client software until you assign them to a Configuration Manager collection. This section describes how to create a new Forefront Endpoint Protection policy.

To create a new policy
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. In the Actions pane, click New Policy. The New Policy Wizard opens.
3. On the General page, type a name for the policy, and then click Next.
4. On the Policy Type page, select the type of policy appropriate for your organization, and then click Next.
   Tip: To select a policy template for specific server roles, select Policy template, and then select the appropriate server role.
   Note: When selecting Policy template you are taken directly to the Summary page.
5. On the Scheduled Scans page, select the scan frequency and set a schedule for the antimalware scans (for example, a weekly quick scan every Sunday at 2:00 AM), and then click Next.
6. On the Exclusions page, add files or folders you want to exclude from scans, and then click Next.
7. On the Updates page, select the definition update options you want to use in your organization, and then click Next.
   Important: Before deploying the policy to collections, ensure that the definition update methods selected have been configured properly. For more information, see Configuring Definition Updates.
   Important: The order in which the FEP client software checks for definition updates can be modified after the policy has been created. For more information about editing a policy, see Editing a Policy.
8. On the Client Configuration page, select the options that you want to allow users to modify, and then click Next.
9. On the Summary page, review the Details, and then click Next to create the policy.
10. On the Wizard Completed page, click Close.
11. Repeat these steps for each policy you want to create.

Important: New policies are assigned the highest precedence. For more information about changing policy precedence, see Setting Policy Precedence.

Duplicating a Policy

If you need a new policy that is very similar to an existing Forefront Endpoint Protection policy, you can duplicate the existing policy and edit the duplicate as required, instead of creating the policy from scratch.

To duplicate a policy
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Select the policy you want to duplicate.
3. In the Actions pane, click Copy Policy.
4. Type the name for the new policy in the New policy name field, and then click OK.

Important: The new policy is assigned the highest precedence. For more information about changing policy precedence, see Setting Policy Precedence.

Editing a Policy

Forefront Endpoint Protection policies contain settings that control the configuration options of the Forefront Endpoint Protection client software. You can customize the settings of a Forefront Endpoint Protection policy to meet your requirements.

To edit an existing policy
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Double-click the policy that you want to edit.
3. In the Properties dialog box, change the options as appropriate for your organization, and then click OK.

The following table summarizes the settings available on each page of the policy properties.

Property page     Settings
General           Policy name; Description; Assigned collections (read-only); Properties (read-only)
Antimalware       Scheduled scan; Default actions; Real-time protection; Excluded files and locations; Excluded file types; Excluded processes; Advanced; Overrides; Microsoft SpyNet
Updates           Definition update interval; Definition update location; Definition update order
Windows Firewall  Manage Windows Firewall; Firewall profile configuration

Warning: It is recommended to clear the Enable protection against network-based exploits check box for policies assigned to servers. This option is on the Antimalware tab under Real-time protection.

Important: The following items can be added to the list of Excluded files and locations; however, the Forefront Endpoint Protection client software ignores these entries:

\\
\
*
*.*
?:
*\
\\\\
\\?\
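A check for the Excluded files and locations list before a policy is deployed. This is an added example, not code from the FEP documentation: entries on the page's ignored list are flagged because they give the administrator the impression of an exclusion while the client applies none, and, as an additional hardening rule of this example rather than a rule from the page, whole-drive roots and wildcard-only patterns are flagged as too broad because any file dropped under them is never scanned. The function name and the sample exclusion list are constructed for the demonstration.

```powershell
# Added example, not code from the FEP documentation: validates a proposed
# exclusion list before it goes into a policy. Entries the page says the client
# silently ignores are flagged as 'Ignored'; drive roots and wildcard-only
# patterns are flagged as 'TooBroad' (a hardening rule of this example, not
# one from the page). The sample list at the bottom is constructed.

$script:IgnoredByFepClient = @('\\', '\', '*', '*.*', '?:', '*\', '\\\\', '\\?\')

function Test-FepExclusion {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)] [string[]] $Exclusion)

    foreach ($item in $Exclusion) {
        $trimmed = $item.Trim()
        $verdict = 'OK'
        $reason  = ''

        if ($script:IgnoredByFepClient -contains $trimmed) {
            $verdict = 'Ignored'
            $reason  = 'The FEP client ignores this entry; it excludes nothing.'
        }
        elseif ($trimmed -match '^[A-Za-z]:\\?$') {
            $verdict = 'TooBroad'
            $reason  = 'Excludes an entire drive; anything written to it is never scanned.'
        }
        elseif ($trimmed -match '^[\\\*\?\.]+$') {
            $verdict = 'TooBroad'
            $reason  = 'Wildcard-only pattern; either ignored or matches everything.'
        }
        elseif ($trimmed -match '[\*\?]' -and -not ($trimmed -match '\\')) {
            $verdict = 'Review'
            $reason  = 'Wildcard file pattern with no folder; applies on every path.'
        }

        New-Object PSObject -Property @{
            Exclusion = $item
            Verdict   = $verdict
            Reason    = $reason
        }
    }
}

# Constructed sample: two narrow exclusions, two entries the client ignores,
# one whole drive, one folder-less wildcard.
$candidateExclusions = @(
    'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA',
    'D:\Logs\*.ldf',
    '*.*',
    '\\?\',
    'D:\',
    '*.tmp'
)
Test-FepExclusion -Exclusion $candidateExclusions | Format-Table Verdict, Exclusion, Reason -AutoSize
```

Running the sample prints OK for the two SQL paths, Ignored for *.* and \\?\, TooBroad for D:\, and Review for *.tmp. Keep exclusions as narrow as the workload needs; an excluded folder that ordinary users can write to is a place malware can sit unscanned.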

Exporting a Policy

You can save the settings of a Forefront Endpoint Protection policy by exporting the policy. Exporting the policy saves its settings in an XML file. You export policies for the following reasons:

To back up policies
To transfer policies from one Configuration Manager site to another
To apply or update policies on computers that are not managed by Configuration Manager

Exporting a policy
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Select the policy to be exported.
3. In the Actions pane, click Export Policy.
4. Browse to the folder in which you want to save the policy file, enter a name for the XML file, click OK, and then click OK on the confirmation dialog box.

Note: If you select multiple policies to be exported, you are only prompted to select a folder in which to save them. The policies are exported using their existing names.

Note: The Default Server Policy and Default Desktop Policy cannot be exported.

Importing a Policy

You can import policy files that have been previously exported. You import policies for the following reasons:

To restore policies
To transfer policies from one Configuration Manager site to another

Importing a policy
1. In the destination Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. In the Actions pane, click Import Policy.
3. Browse to the folder that contains the policy file, select the XML file, and then click Open.

Warning: Policies must have unique names. If you already have a policy with the same name as the policy you are importing, the import fails.

Important: Importing policy files created with the Forefront Endpoint Protection 2010 Group Policy Tool fails.

Important: Imported policies are assigned the highest policy precedence. For more information about changing policy precedence, see Setting Policy Precedence.

Setting Policy Precedence

You can assign multiple policies to a Configuration Manager collection, and a single computer can be a member of multiple collections that have a policy assigned. The Forefront Endpoint Protection client software uses policy precedence to determine which policy to apply: the policy with the highest precedence among those assigned to the computer is the one applied.

To set the precedence of policies
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. In the Actions pane, click Edit Policy Precedence.
3. In the Edit Policy Precedence dialog box, select a policy and use the Up and Down buttons to set the policy precedence order. If you want to modify the precedence of additional policies, repeat this step.
4. When finished, click OK.

Note: The precedence of the Default Server Policy and Default Desktop Policy cannot be modified.

Assigning a Policy to Endpoint Computers

To assign Forefront Endpoint Protection policies to FEP clients, you assign the FEP policy to a Configuration Manager collection. A policy can be assigned to more than one collection, and a collection can have more than one policy assigned to it. When a Forefront Endpoint Protection client has more than one policy assigned to it, the client applies the policy with the highest precedence. This section describes how to assign a policy to a Configuration Manager collection. For more information about Configuration Manager collections, see Collections in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=196838).

To assign a policy to a collection
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Right-click the policy that you want to assign, and then click Assign Policy.
   Note: You cannot assign the Default Server Policy or the Default Desktop Policy.
3. In the Assign Policy dialog box, click Add.
4. In the Browse Collection dialog box, select the collection to which you want to assign the policy, and then click OK. If you need to assign this policy to multiple collections, in the Assign Policy dialog box, click Add and repeat this step for each collection.
5. In the Assign Policy dialog box, click OK.

A separate Configuration Manager advertisement is created for each collection a policy is assigned to. The advertisements are created in the Software Distribution\Advertisements\FEP Policies folder in the Configuration Manager console.

Note: The default assignments for the Default Server Policy and the Default Desktop Policy cannot be modified.

After assigning Forefront Endpoint Protection policies to the proper collections, confirm that the policies are being applied.

Monitoring Forefront Endpoint Protection policy deployment
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and click Forefront Endpoint Protection.
2. View the Policy Distribution Status section of the Operational Statistics on the Forefront Endpoint Protection dashboard. You might need to refresh the page to get the latest information.
3. In the Links and Resources pane, under Web Reports, click Policy Distribution Overview for policy deployment information from the collection level down to the computer level.

Note: Only computers running both the Forefront Endpoint Protection client software and the Configuration Manager agent are included in the Forefront Endpoint Protection reports and dashboard statistics.

Note: The About information displayed by the Forefront Endpoint Protection client software includes the time the FEP policy was applied. The time shown for Policy Applied is in Coordinated Universal Time (UTC).

Using Group Policy with FEP

You can configure FEP client settings by using Active Directory Group Policy and Group Policy objects (GPOs). The following content will help you configure clients by using Forefront Endpoint Protection GPOs, preconfigured policy templates, and the Forefront Endpoint Protection Group Policy Tool.

Converting FEP Policies to Group Policy

You can convert policy settings contained in configured FEP policies to the format that is used by Group Policy. To convert policies, you must first download and install the Forefront Endpoint Protection Group Policy Tool. This tool is available from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools download package. The package also contains ADMX and ADML files. Although these files are not required to use the Forefront Endpoint Protection Group Policy Tool, they are required to view or edit Group Policy object (GPO) policy settings. For more information about viewing and editing policy settings, see Configuring and Viewing FEP Group Policy Settings. For information about merging policy settings by using the Forefront Endpoint Protection Group Policy Tool, see Merging Settings from Multiple Policy Files.

To extract and install the Forefront Endpoint Protection Group Policy Tool
1. Download the Forefront Endpoint Protection Group Policy Tool from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) and copy it to your local computer.
2. Double-click fep2010grouppolicytools.exe to extract the files from the package. The Forefront Endpoint Protection Group Policy Tools package includes the following files:
   fep2010.adml
   fep2010.admx
   fep2010gptool.exe
3. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy Tool.

To convert FEP policy settings to Group Policy
1. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy Tool.
2. On the Import tab, select the Domain and the name of the GPO in that domain that you want to populate with preconfigured FEP 2010 policy settings.
3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that you want to import to the GPO.
4. Verify that the Clear existing Forefront Endpoint Protection settings before import check box is selected, and then click OK to import the settings. You can then view and edit the policy settings by using gpedit.msc. For more information about viewing and editing policy settings, see Configuring and Viewing FEP Group Policy Settings.

Warning: Selecting the Clear existing Forefront Endpoint Protection settings before import check box removes all FEP settings contained in the selected GPO and replaces them with the imported FEP policy settings. If you do not want to clear all of the existing FEP policy settings from the GPO, do not select this check box.

To add ADMX and ADML files locally in order to view or edit policy settings
1. Navigate to the location where you extracted the ADMX and ADML files in the previous procedure.
2. Copy the ADMX file to the %systemroot%\PolicyDefinitions\ folder.
3. Copy the ADML file to the language folder under %systemroot%\PolicyDefinitions\, for example, en-US.
   Note: You must restart the Group Policy Object Editor after performing the preceding steps.
4. For more information about editing GPOs by using ADMX files, see Editing the Local GPO Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203368). For more information about editing domain-based GPOs by using ADMX files, see Editing Domain-Based GPOs Using ADMX files (http://go.microsoft.com/fwlink/?LinkId=203369).

Merging Settings from Multiple Policy Files

You can merge policy settings from one or more FEP policies into a single Group Policy object (GPO). This is helpful when you have settings contained in multiple FEP policies and you would like to combine those policy settings to configure clients by using Group Policy. To merge FEP policies into a single GPO, you must use the Forefront Endpoint Protection Group Policy Tool. For information about how to obtain and extract this tool, see Converting FEP Policies to Group Policy.

Warning: When you merge multiple policies into a single GPO, the order in which you merge the policies affects the resulting effective policy. If you merge three policies that contain conflicting settings for a particular feature, the settings in the last policy that you merge overwrite any conflicting settings that are already merged or contained in the GPO.

Merging FEP policy settings from multiple FEP policy files into a GPO
1. Double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy Tool.
2. On the Import tab, select the Domain and the name of the GPO in that domain that you want to populate with preconfigured FEP policy settings.
3. Click Select Policy File. Locate and select the .xml policy file that contains the settings that you want to import to the GPO.
   Warning: Verify that the .xml policy files were not obtained as part of the FEPServerRolePoliciesForUseWithConfigMgrUI.exe download package. Merging the preconfigured policy files created for Configuration Manager is not supported.
4. If this is the first policy that you are merging and there are no existing FEP policy settings in the selected GPO that you want to retain, select the Clear existing Forefront Endpoint Protection settings before import check box. Selecting this check box clears all of the FEP policy settings in the target GPO, so that only the FEP settings contained in this policy are present in the target GPO. However, if this is not the first policy that you have merged into the selected GPO and you want to retain the existing settings in that GPO, ensure that the check box is not selected; selecting it clears any previously configured FEP policy settings in that GPO.
   Note: Merging policy settings by using the Forefront Endpoint Protection Group Policy Tool does not affect the source FEP policy file.
5. Click Apply to merge the policy settings into the GPO.
6. Repeat the previous steps to merge additional settings from other FEP policies into the selected GPO.

Exporting Policy Settings to a FEP Policy File

In some cases, you may want to apply policy settings contained in a Group Policy object (GPO) locally to FEP clients. Or, you may want to export FEP policy settings from a GPO in one domain and then import those settings to a GPO in another domain. You can export policy settings contained in a configured FEP GPO to a FEP policy file. The FEP policy file can then be used to apply policy settings locally to FEP clients, or be imported to a different domain. To export policies, you must first download and install the Forefront Endpoint Protection Group Policy Tool. For more information about extracting and installing the Group Policy Tool, see Converting FEP Policies to Group Policy.

To export FEP policy settings
1. Locate and double-click fep2010gptool.exe to open the Forefront Endpoint Protection Group Policy Tool.
2. On the Export tab, select the Domain and the name of the Group Policy object in that domain that contains the settings with which you want to populate the new FEP policy file.
3. Click Select Policy File. Select the location and name for the destination .xml policy file that will contain the exported policy settings.
4. Click OK to export the FEP GPO policy settings to the .xml policy file.

For more information about how to apply FEP policy settings, see Applying Policies from the Command Prompt.

Note: When exporting policy settings from a configured GPO, only the FEP policy settings are exported. If the GPO contains non-FEP policy settings, those settings are not present in the new FEP policy file.

Configuring and Viewing FEP Group Policy Settings
You can view and configure Forefront Endpoint Protection settings by using the Group Policy Object Editor. Each policy setting contains parameter information specific to the feature that you want to configure. Typically you open the Group Policy Object Editor by selecting a Group Policy object (GPO) in the Group Policy Management Console (GPMC) and then selecting the Edit action for that object. For more information about the Group Policy Object Editor, see Ways to open Group Policy Object Editor (http://go.microsoft.com/fwlink/?LinkId=203938). For information about opening the Group Policy Object Editor as an MMC snap-in, see Open Group Policy Editor as an MMC snap-in (http://go.microsoft.com/fwlink/?LinkId=203939).
To view FEP Group Policy settings
1. Open the Group Policy Object Editor and navigate to Local Computer Policy\Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010.


2. Expand Forefront Endpoint Protection 2010, and click the folder that contains the settings that you want to view. For more information about a policy setting, double-click it in the right pane to open its configuration dialog box and view the additional policy setting information.
Important: When you view policy settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in may incorrectly indicate that some values are disabled when they are actually enabled. To determine whether a setting is enabled, open each setting individually and check its value. If a value is present, the setting is enabled.

To edit FEP Group Policy object settings
1. Open Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit.
3. Right-click the GPO, and then click Edit.
Note: You must have Edit permissions on the GPO that you want to edit.
4. In the Group Policy Object Editor console, expand Computer Configuration\Administrative Templates\System\Forefront Endpoint Protection 2010, and then click the folder that contains the settings that you want to configure.
5. In the right pane, double-click the setting that you want to configure to open its configuration dialog box.
6. Configure the settings that you want to deploy to computers running the FEP client software, and then click OK.
Important: As noted above for viewing settings, the Group Policy Object Editor, the GPMC, and the RSoP snap-in may incorrectly show some values as disabled when they are actually enabled. Open each setting individually and check whether a value is present; if it is, the setting is enabled.


Warning: It is recommended that the Turn on network protection against exploits of known vulnerabilities setting is not enabled in policies assigned to servers.
7. Deploy the policy settings to computers running the FEP client software. For more information about how to deploy Group Policy, see Planning and Deploying Group Policy (http://go.microsoft.com/fwlink/?LinkId=203940).

FEP Policy Templates


Forefront Endpoint Protection policy templates can be used to create policies that contain optimized settings. The following content will help you work with Forefront Endpoint Protection policy templates.
About Preconfigured Policy Templates
You can maintain consistent configuration settings across multiple endpoints by applying policies. Preconfigured policy templates help you create policies that contain optimized settings, defined by technology. You can also apply preconfigured policy templates locally to endpoints.
There are two different download packages available. FEPServerRolePoliciesForUseWithConfigMgrUI.exe contains policy templates for use with FEP on Configuration Manager. FEPServerRolePoliciesForUseWithGPO.exe contains policy templates that can be used to configure policy settings locally on endpoints, deployed via script, or imported into Group Policy.
Policy templates are in XML format and contain configuration settings that are optimized for endpoints running specific technologies. Preconfigured policy templates are included in the installation of FEP on Configuration Manager. Periodically, preconfigured policy templates may be updated and new templates may be provided. The latest versions of the preconfigured FEP policy templates are available for download from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207730).
Note: To work with updated preconfigured policy templates in FEP running on Configuration Manager, you must first extract the policy files to the %programfiles%\Microsoft Forefront\Policytemplates folder. After extracting the templates, you can create policies based on the template settings by using the New Policy Wizard in the Configuration Manager console.
It is important to note that when a policy is created based on a preconfigured policy template, the policy does not automatically receive updated settings when a new version of the policy template is extracted to the Policytemplates folder.


After downloading the policy template package that applies to your FEP environment and extracting the files to their proper location, select the policy template that corresponds to the technology running on the endpoint. Each template contains different configuration settings, so it is important to select the template that contains the settings that you want to apply. If you apply the settings in a policy template to an endpoint for which those settings were not intended, you may make configuration changes that affect the performance of that endpoint.
To view the settings in a specific policy template, right-click the .xml file, and then click Edit. Be careful not to change the template file: editing the preconfigured policy template files directly is not supported. Instead, create a policy based on the template by using Configuration Manager or the Group Policy Tool. For information about creating new FEP policies from templates in Configuration Manager, see Creating a Policy. For information about creating new FEP policies from policy templates by using the FEP Group Policy Tool, see Converting FEP Policies to Group Policy.
Preconfigured policy templates are available for endpoints running the following technologies:

Microsoft SQL Server 2005
Microsoft SQL Server 2008
Internet Information Services (IIS) 6
Internet Information Services (IIS) 7
System Center Configuration Manager 2007
System Center Configuration Manager 2007 R2
Microsoft Exchange Server 2007
Microsoft Exchange Server 2010
Microsoft Forefront Protection 2010 for Exchange Server (FPE)
Microsoft Office SharePoint Server 2007
Microsoft SharePoint 2010
Microsoft Forefront Protection 2010 for SharePoint (FPSP)
Domain Controller
Active Directory Domain Services
Microsoft Hyper-V (host)
Terminal Services
DNS Server
DHCP Server
File Services
Microsoft Forefront Security for Exchange Server
System Center Operations Manager 2007
Server (FEP-recommended default policy settings for servers)

Applying Policies from the Command Prompt
You can apply preconfigured FEP policy templates downloaded from the Microsoft Download Center, FEP policies exported by using the FEP Group Policy Tool, and FEP policies exported from Configuration Manager, from the command prompt. Note that when you apply FEP policies from the command prompt, the resultant policy settings on the client are cumulative. For this reason, you must apply the policies in the proper sequence to obtain the desired configuration. For example, if you apply one policy that sets Turn on behavior monitoring: Enabled and Allow users to pause a scan: Enabled, and then apply a second policy to the same server that sets Turn on behavior monitoring: Disabled, the resulting policy settings on the client are Turn on behavior monitoring: Disabled and Allow users to pause a scan: Enabled. Configurations that were set locally on the server and do not pertain to FEP, such as enabling a screen saver, are not overwritten. For this reason, you must be aware of the settings in each policy template that you apply, and you must apply policy templates in the proper order. When you apply multiple policy templates from the command prompt, it is recommended that you apply the default server policy template first, and then apply additional policy templates.


Warning: When applying policies to domain-joined computers, regardless of whether the policy settings are contained in a preconfigured policy template or an exported policy file, the domain-joined computer will not apply the settings contained in the policy until it is able to communicate with the domain controller. Clients running the FEP software will indicate that the policy was received and applied successfully. However, communication with the domain controller is required in order to apply the settings contained in the policy. Settings will be applied immediately when the domain-joined computer is able to communicate with the domain controller. This warning does not apply to non-domain-joined clients.

Applying Preconfigured Policy Templates There are two separate downloads available that contain preconfigured policy templates. The FEPServerRolePoliciesForUseWithGPO.exe download contains the policy templates that you can use in order to apply preconfigured policy settings from the command prompt. The latest version of FEPServerRolePoliciesForUseWithGPO.exe is available for download from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207730). Important: Before proceeding with these steps, verify that the client software that is installed on the endpoint is the latest supported version. If the client software is not the latest version, uninstall the client software, and then install both the client software and the policy. For more information about how to install the client software at the command prompt along with a policy, see Deploying the Client Software by Using the Command Prompt.

To apply a preconfigured policy to a client locally
1. Copy FEPInstall.exe and FEPServerRolePoliciesForUseWithGPO.exe to the server on which you want to apply a preconfigured policy to an existing client.
2. Double-click FEPServerRolePoliciesForUseWithGPO.exe to extract the preconfigured policy template files.
3. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security Client folder, and then run the following command:
ConfigSecurityPolicy.exe [full path]\[policy file]
Important: You must change to this directory and run the command from that location.


For example, to apply a policy template named FEP_DHCP.xml to a server running DHCP, run the following command:
ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml
where servername is the name of the server hosting the share, and share is the name of the shared folder on that server.
Important: You must always specify the full path to the policy file.
4. Wait approximately three minutes for the settings to update in the user interface, and then open the Forefront Endpoint Protection client software. Verify that the settings defined in the policy are shown in the client software.
Applying Exported Policies
You can export policy settings to a Forefront Endpoint Protection .xml policy file by using the Forefront Endpoint Protection Group Policy Tool or Configuration Manager, depending on where the policy settings are held. For more information about exporting Group Policy settings, see Exporting Policy Settings to a FEP Policy File. For more information about exporting FEP policies in Configuration Manager, see Exporting a Policy.
Important: Before proceeding with these steps, verify that the client software that is installed on the endpoint is the latest supported version. If the client software is not the latest version, uninstall the client software, and then install both the client software and the policy. For more information about how to install the client software at the command prompt along with a policy, see Deploying the Client Software by Using the Command Prompt.

To apply an exported policy to a client locally
1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security Client folder, and then run the following command:
ConfigSecurityPolicy.exe [full path]\[policy file]
Important: You must change to this directory and run the command from that location.
For example, to apply an exported policy named My_Exported_Policy.xml to a server, run the following command:


ConfigSecurityPolicy.exe \\servername\share\My_Exported_Policy.xml
where servername is the name of the server hosting the share, and share is the name of the shared folder on that server.
Note: You must always specify the full path to the policy file.
2. Wait approximately three minutes for the settings to update in the user interface, and then open the Forefront Endpoint Protection client software. Verify that the settings defined in the policy are shown in the client software.
Updating Policies from the Command Prompt
You can update the local policy on a client computer by applying a policy template from the command prompt. Preconfigured policy templates can be obtained from the Microsoft Download Center. For more information about preconfigured policy templates, see About Preconfigured Policy Templates. You can also apply policy settings that have been exported from Configuration Manager or the Forefront Endpoint Protection Group Policy Tool. For more information about exporting policies from Configuration Manager, see Exporting a Policy. For more information about exporting policies by using the Group Policy Tool, see Converting FEP Policies to Group Policy.
To update the local policy on a client computer
1. From an elevated command prompt, navigate to the %programfiles%\Microsoft Security Client folder, and then run the following command:
ConfigSecurityPolicy.exe [full path]\[policy file]
Important: You must change to this directory and run the command from that location.
For example, to apply the policy named FEP_DHCP.xml to a client, run the following command:
ConfigSecurityPolicy.exe \\servername\share\FEP_DHCP.xml
where servername is the name of the server hosting the share, and share is the name of the shared folder on that server.
Note: You must always specify the full path to the policy file.


2. Wait approximately three minutes for the settings to update in the user interface, and then open the Forefront Endpoint Protection client software. Verify that the settings defined in the policy are shown in the client software.
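The three command-prompt procedures above all come down to running ConfigSecurityPolicy.exe once per policy file, in the right order, and then checking the client. The following PowerShell script is an added example, not part of the FEP documentation or the product: it applies an ordered list of policy files (default server policy first, role templates afterwards), enforces the full-path and elevation requirements, and then shows which policy values actually changed on the client so the cumulative result can be inspected without waiting for the client UI. It assumes, beyond what the page states, that the client is installed under %ProgramFiles%\Microsoft Security Client and that applied settings are written under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware; the share and file names are placeholders.

```powershell
# Added example, not FEP documentation: apply FEP policy files in order and diff the result.
# Assumptions: client folder %ProgramFiles%\Microsoft Security Client; policy values land
# under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware; paths below are placeholders.
param(
    # Ordered list: default server policy first, role templates afterwards, because a later
    # policy overwrites conflicting settings from an earlier one.
    [string[]]$PolicyFiles = @(
        '\\fileserver\fepshare\FEP_Default.xml',
        '\\fileserver\fepshare\FEP_DHCP.xml'
    ),
    [int]$WaitMinutes = 3
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'

function Get-FepPolicySnapshot {
    # Returns a hashtable of "key\valuename" -> data for everything under the policy key.
    $snapshot = @{}
    if (-not (Test-Path -LiteralPath $policyKey)) { return $snapshot }
    $keys = @(Get-Item -LiteralPath $policyKey) + @(Get-ChildItem -LiteralPath $policyKey -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $snapshot["$($key.Name)\$name"] = [string]($key.GetValue($name) -join ',')
        }
    }
    return $snapshot
}

function Compare-FepPolicySnapshot($Before, $After) {
    # Emits one line per added, changed or removed value; emits nothing when identical.
    foreach ($k in ($After.Keys | Sort-Object)) {
        if (-not $Before.ContainsKey($k))   { "ADDED    $k = $($After[$k])" }
        elseif ($Before[$k] -ne $After[$k]) { "CHANGED  $k : $($Before[$k]) -> $($After[$k])" }
    }
    foreach ($k in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($k))    { "REMOVED  $k" }
    }
}

# ConfigSecurityPolicy.exe must run elevated and from the client folder (page requirements).
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session' }

$clientDir = Join-Path $env:ProgramFiles 'Microsoft Security Client'
$tool      = Join-Path $clientDir 'ConfigSecurityPolicy.exe'
if (-not (Test-Path -LiteralPath $tool)) { throw "FEP client tool not found: $tool" }

$before = Get-FepPolicySnapshot

foreach ($file in $PolicyFiles) {
    # The tool needs an absolute path; resolving it also proves the share is reachable.
    $full = (Resolve-Path -LiteralPath $file -ErrorAction Stop).ProviderPath
    if ([IO.Path]::GetExtension($full) -ne '.xml') { throw "Not a policy file: $full" }

    Push-Location $clientDir
    try {
        & $tool $full
        if ($LASTEXITCODE -ne 0) { throw "ConfigSecurityPolicy.exe failed on $full (exit $LASTEXITCODE)" }
        Write-Host "Applied $full"
    }
    finally { Pop-Location }
}

# The client picks the values up with a delay (the page says about three minutes), so poll
# until the policy key differs from the pre-apply snapshot or the deadline passes.
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    Start-Sleep -Seconds 15
    $after   = Get-FepPolicySnapshot
    $changes = @(Compare-FepPolicySnapshot $before $after)
} until ($changes.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($changes.Count -eq 0) {
    Write-Warning "No policy values changed under $policyKey within $WaitMinutes minutes; check the client UI"
} else {
    $changes
}
```

Running the script twice with the two files swapped makes the ordering rule visible: a setting present in both files ends up with the value from whichever file was applied last, while values set only by the first file survive.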

Common Tasks
There are certain tasks that are common in day-to-day security administration. This section provides steps for accomplishing these tasks for each of the following attributes of Forefront Endpoint Protection (FEP):

Forefront Endpoint Protection
The FEP Security Management Pack
The FEP client

Important: Not every common task can be performed in each feature. The features on which the task can be performed are listed at the beginning of each set of tasks.

Running an Endpoint Protection Scan This task applies to the following features:

Forefront Endpoint Protection
The FEP Security Management Pack
The FEP client

Important: You should configure FEP policy to ensure that scans run automatically on a regular basis.

To run a quick or full scan by using FEP
1. In the Configuration Manager console, in the tree, expand Computer Management, expand Collections, and then navigate to the collection that contains the computer on which you want to start a scan.
Tip: If you know the name of the target computer, you can search for the computer in the details pane when a parent collection is selected in the tree.
2. Right-click the computer name, click FEP Operations, and then click either Run Full Scan or Run Quick Scan.
Tip: You can target multiple computers by selecting them and then right-clicking a single computer.
To distribute the on-demand scan, Configuration Manager creates an advertisement. You can view the properties of the advertisement by navigating to Software Distribution in the tree, and then expanding Advertisements and FEP Operations. The collections and advertisements created by this process are deleted the next time you run an on-demand scan, if they are older than seven days.
Note: Only one advertisement can run at a time on the client computer. Therefore, if an advertisement that could take a while to complete (such as a full scan on a computer with a large hard disk) is running on the client computer, subsequent advertisements are processed after it completes.

To run a quick or full scan by using the FEP Security Management Pack
1. In the Operations Manager console, navigate to the Monitoring view, and then expand the Monitoring tree.
2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.
3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to start a scan.
Note: To search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look for text box, and then click Find Now.
4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Quick Scan or Full Scan.
5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run the scan and that the check box next to the target name is selected, and then click Run. The scan runs with the default parameters.


Note: The task is marked as successful after the scan is started on the targeted computer. Tasks in the FEP Security Management Pack represent the command to run the task, not the results of the task itself.

To run a quick or full scan locally on the FEP 2010 client
1. In the notification area, right-click the Microsoft Forefront Endpoint Protection 2010 icon, and then click Open.
2. On the FEP Home page, select either the Quick or the Full option, and then click Scan now. The scan may take a while, depending on the number of files and folders being scanned.
Managing Windows Firewall Protection
This task applies to the following features:

Forefront Endpoint Protection
The FEP Security Management Pack

Note: Windows XP and Windows Server 2003 only support two network locations: Domain networks and Private networks. Any settings you configure for the Public networks location are ignored on computers running Windows XP or Windows Server 2003. Additionally, for both the Domain networks and the Private networks locations, setting the Incoming connections list to Allow is ignored on computers running Windows XP.

To turn on or off Windows Firewall protection by using FEP
1. In the Configuration Manager console, in the tree, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
2. Right-click the policy you want to modify, and then click Properties.
3. In the Properties dialog box, click the Windows Firewall tab.
4. On the Windows Firewall tab, select the Manage Windows Firewall check box.
5. For each of the network locations, in the Firewall State list, select either On (recommended) or Off, and then click OK.
After you configure the FEP policy, if the policy is already assigned to a collection, it is refreshed within the Configuration Manager policy polling interval. You can configure the Configuration Manager policy polling interval in the Computer Client Agent configuration in the Configuration Manager console. For more information about the Computer Client Agent, see How to Configure the Configuration Manager Computer Client Agent (http://go.microsoft.com/fwlink/?LinkId=204087). Additionally, only one advertisement can run at a time on the client computer; if an advertisement is running on the client computer, the FEP policy advertisement is processed after that advertisement completes.
Important: When you apply a FEP policy to a collection that has more than one policy assigned, policy precedence determines which policy takes effect on the clients in the collection. For more information about policy precedence, see Setting Policy Precedence.

To turn on or off Windows Firewall protection by using the FEP Security Management Pack
1. In the Operations Manager console, navigate to the Monitoring view, and then expand the Monitoring tree.
2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.
3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to run the task.
Note: To search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look for text box, and then click Find Now.
4. In the Actions pane, expand Protected Endpoint Tasks, and then click either Turn Windows Firewall On or Turn Windows Firewall Off.
5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run the task and that the check box next to the target name is selected, and then click Run.
Note: If Group Policy is used to manage the Windows Firewall settings, the FEP Security Management Pack task fails to commit the changes to the Windows Firewall configuration. However, the task still reports as successful, because there is no method to determine whether Group Policy is used to manage the Windows Firewall settings.


Retrieving the Effective Endpoint Protection Settings
This task applies to the following feature:

The FEP Security Management Pack

To retrieve endpoint settings by using the FEP Security Management Pack
1. In the Operations Manager console, navigate to the Monitoring view, and then expand the Monitoring tree.
2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.
3. In the Endpoints with FEP pane, click the name of the endpoint from which you want to retrieve settings.
Note: To search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look for text box, and then click Find Now.
4. In the Actions pane, expand Protected Server Tasks, and then click Retrieve Endpoint Settings.
5. In the Run Task dialog box, verify that the target is the endpoint from which you want to retrieve settings and that the check box next to the target name is selected, and then click Run.
Forcing Definition Updates
This task applies to the following features:

Forefront Endpoint Protection
The FEP Security Management Pack
The FEP client

Important: You should configure FEP policy to ensure that definition updates run automatically on a regular basis, and you should monitor the Definition Status area in the FEP dashboard.
To force a definition update by using FEP
1. In the Configuration Manager console, in the tree, expand Computer Management, expand Collections, and then navigate to the collection that contains the computer on which you want to force a definition update.
Tip: If you know the name of the target computer, you can search for the computer in the details pane when a parent collection is selected in the tree.
2. Right-click the computer name, click FEP Operations, and then click Run Antimalware Definitions Update.
Tip: You can target multiple computers by selecting them and then right-clicking a single computer.
To distribute the definition update request, Configuration Manager creates an advertisement. You can view the properties of the advertisement by navigating to Software Distribution in the tree, and then expanding Advertisements and FEP Operations.
Note: Only one advertisement can run at a time on the client computer. Therefore, if an advertisement that could take a while to complete (such as a full scan on a computer with a large hard disk) is running on the client computer, subsequent advertisements are processed after it completes.
To force a definition update by using the FEP Security Management Pack
1. In the Operations Manager console, navigate to the Monitoring view, and then expand the Monitoring tree.
2. In the Monitoring tree, under Forefront Endpoint Protection, click Endpoints with FEP.
3. In the Endpoints with FEP pane, click the name of the endpoint on which you want to update definitions.
Note: To search for an endpoint by name, enter the name (FQDN) of the endpoint in the Look for text box, and then click Find Now.
4. In the Actions pane, expand Protected Endpoint Tasks, and then click Update Antimalware Definitions.
5. In the Run Task dialog box, verify that the target is the endpoint on which you want to run the task and that the check box next to the target name is selected, and then click Run.


To update definitions locally on the FEP 2010 client

In the FEP client software, click the Update tab, and then click the Update button.
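Both local client tasks above (running a scan and updating definitions) are described through the client window. The following PowerShell script is an added example, not part of the FEP documentation or the product: it drives the same two actions from the command line on the local client and then reads the outcome back from the System event log, where the client records scan and definition events, instead of trusting the exit code alone. It assumes, beyond what the page states, that the client ships MpCmdRun.exe under %ProgramFiles%\Microsoft Security Client\Antimalware with the -Scan, -ScanType and -SignatureUpdate switches, and that it logs under the source "Microsoft Antimalware" with the event IDs listed in the comments.

```powershell
# Added example, not FEP documentation: scan and update definitions from the command line,
# then confirm the result from the System log (the head of this document notes that the
# client stops reporting malware activity when that log is full, so an empty result is
# itself worth investigating).
# Assumptions: MpCmdRun.exe location and switches; event source "Microsoft Antimalware";
# event IDs 1000/1001/1002 scan started/finished/stopped, 1116 malware detected,
# 2000 definitions updated, 2001 definition update failed.
param(
    [ValidateSet('Quick', 'Full')] [string]$ScanType = 'Quick',
    [switch]$UpdateDefinitions
)

$mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\Antimalware\MpCmdRun.exe'
if (-not (Test-Path -LiteralPath $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

function Get-AntimalwareEvents([datetime]$Since) {
    # Client events written since $Since; no events is not an error here.
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft Antimalware'; StartTime = $Since }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
}

function Test-EventId($Events, [int]$Id) {
    @($Events | Where-Object { $_.Id -eq $Id }).Count -gt 0
}

$started = Get-Date

if ($UpdateDefinitions) {
    & $mpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) { Write-Warning "Definition update returned exit code $LASTEXITCODE" }
}

# Scan type codes (assumption): 1 = quick scan, 2 = full scan.
$typeCode = 1
if ($ScanType -eq 'Full') { $typeCode = 2 }
& $mpCmdRun -Scan -ScanType $typeCode
$scanExit = $LASTEXITCODE

$events = Get-AntimalwareEvents -Since $started
New-Object PSObject -Property @{
    ScanType               = $ScanType
    ScanExitCode           = $scanExit
    ScanFinished           = Test-EventId $events 1001
    ScanStopped            = Test-EventId $events 1002
    MalwareDetected        = Test-EventId $events 1116
    DefinitionsUpdated     = Test-EventId $events 2000
    DefinitionUpdateFailed = Test-EventId $events 2001
    EventsLogged           = $events.Count
} | Format-List

# Print the detection and update-failure events in full; these are the ones that need action.
foreach ($e in ($events | Where-Object { $_.Id -eq 1116 -or $_.Id -eq 2001 } | Sort-Object TimeCreated)) {
    '{0:u}  event {1}: {2}' -f $e.TimeCreated, $e.Id, (($e.Message -split "`r?`n")[0])
}
```

A scan exit code of 0 together with EventsLogged = 0 means the client ran but nothing reached the System log, which is the symptom to check for the full-event-log condition described in the release notes.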

Configuring Definition Updates


You can configure the Forefront Endpoint Protection client software to check for updates from one or many of the following sources:

Software Updates and Windows Server Update Services Definition Updates
Microsoft Update Definition Updates
File-Share-Based Definition Updates

When you configure multiple definition sources, by default the client software checks for definition updates in the following order:
1. File share
2. Windows Server Update Services (WSUS)
3. Microsoft Update
However, you can alter both the order of this list and the definition sources checked.
To change the order of definition updates or alter the update sources

After creating a FEP policy, right-click the policy and then click Properties.

To change the order of definition updates, click the Updates tab, and in the list of update sources, click the source you want to reorder, and then click either Up or Down. To change the definition update sources, on the Updates tab, in the list of update sources, select the check box next to each definition update source that you want the client to check.
Note:

If you select Updates from UNC file shares, you must configure those shares. For more information, see File-Share-Based Definition Updates.

When finished, click OK.

You can view the definition status for your deployed FEP clients in the Definition Status area of the Forefront Endpoint Protection dashboard. For more information about the FEP dashboard, see Dashboard Overview.
Software Updates and Windows Server Update Services Definition Updates



When configuring your Forefront Endpoint Protection or FEP Security Management Pack deployment for WSUS-based definition updates, you must perform the following tasks:

Configure either the Software Updates area of Configuration Manager or your WSUS server to synchronize both updates and definition updates.
Approve the Endpoint Protection definitions in the WSUS administration console.

Configuring Update Synchronization
If you are using Forefront Endpoint Protection, you must configure Software Updates in Configuration Manager to synchronize the appropriate updates for the FEP client.
To synchronize FEP definition updates in Configuration Manager
1. In the Configuration Manager console, in the tree, expand Site Management, expand the site name, expand Site Settings, and then click Component Configuration.
2. In the details pane, right-click Software Update Point Component, and then click Properties.
3. On the Classifications tab, ensure that the Definition Updates check box and the Updates check box are selected.
4. On the Products tab, ensure that the Forefront Endpoint Protection 2010 product check box is selected, and then click OK.
FEP client computers receive definition updates from a WSUS server. If you are using a WSUS server that is not integrated with Configuration Manager, you must configure the definition update synchronization in the WSUS administration console.
To synchronize FEP definition updates in WSUS
1. Using an account that has local administrator user rights, log on to the computer running WSUS.
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, in the tree, click Options, and then click Products and Classifications.
4. In the Products and Classifications dialog box, on the Products tab, ensure that the Forefront Endpoint Protection 2010 product check box is selected.
5. On the Classifications tab, ensure that the Definition Updates check box and the Updates check box are selected, and then click OK.
Approving Updates
Updates for the FEP client must be approved before they are offered to clients that request the list of available updates. Clients connect to the WSUS server to check for applicable updates and then request the latest approved definition updates. Updates are only offered to clients when they are approved for installation and when the WSUS server has completed the binary download.
To approve definitions and updates in WSUS
1. Using an account that has local administrator user rights, log on to the computer running WSUS.
2. Click Start, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
3. In the WSUS Administration console, click Updates, and then click All Updates or the classification of updates you want to approve.
4. In the list of updates, right-click the update or updates you want to approve for installation, and then click Approve.
5. In the Approve Updates dialog box, click the arrow next to the computer group for which you want to approve the updates, and then click Approved for Install.
You can also set an Automatic Approval rule for definition updates and FEP updates, which configures WSUS to automatically approve for installation any definition updates or FEP updates that WSUS downloads.
To configure an automatic approval rule
1. In the WSUS Administration console, click Options, and then click Automatic Approvals.
2. On the Update Rules tab, click New Rule.
3. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific classification check box.
4. Under Step 2: Edit the properties, click any classification.
5. Clear all check boxes except Definition Updates, and then click OK.
6. In the Add Rule dialog box, under Step 1: Select properties, select the When an update is in a specific product check box.
7. Under Step 2: Edit the properties, click any product.
8. Clear all check boxes except Forefront Endpoint Protection, and then click OK.
9. In the Step 3: Specify a name box, enter a name for the rule, such as Forefront Endpoint Protection 2010 Definition Updates, and then click OK.
10. In the Automatic Approvals dialog box, make sure that the check box for the newly created Forefront Endpoint Protection 2010 Definition Updates rule is selected, and then click Run rule.


Note: You should ensure that you are declining older definition updates. Failing to do so may impact the performance of both your WSUS server and possibly your client computers. By configuring automatic approval for revisions and automatic declination of expired updates, you can accomplish this task. For more information, see Microsoft Knowledge Base article 938947 (http://go.microsoft.com/fwlink/?LinkId=204078).
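The automatic approval procedure and the note above together describe the two sides of WSUS hygiene for definition updates: approve new definitions for the FEP product and classification, and keep the superseded ones from piling up. The following PowerShell script is an added example, not part of the FEP documentation or the product: run on the WSUS server, it creates (or reuses) the approval rule through the WSUS administration API, applies it, and then declines FEP definition updates that are already superseded. It assumes, beyond what the page states, that the WSUS 3.0 administration assembly is installed on the server, that the product category is titled "Forefront Endpoint Protection 2010" and the classification "Definition Updates" exactly as they appear in the console, and that the target group name is a placeholder.

```powershell
# Added example, not FEP documentation: create and run the FEP definition approval rule
# through the WSUS API, then decline superseded FEP definition updates.
# Assumptions: WSUS 3.0 administration assembly present; product and classification titles
# as below; the target group name is a placeholder. Use -WhatIfDecline to preview declines.
param(
    [string]$RuleName     = 'Forefront Endpoint Protection 2010 Definition Updates',
    [string]$ProductTitle = 'Forefront Endpoint Protection 2010',
    [string]$TargetGroup  = 'All Computers',
    [switch]$WhatIfDecline
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$classification = $wsus.GetUpdateClassifications() | Where-Object { $_.Title -eq 'Definition Updates' }
$product        = $wsus.GetUpdateCategories()      | Where-Object { $_.Title -eq $ProductTitle }
$group          = $wsus.GetComputerTargetGroups()  | Where-Object { $_.Name  -eq $TargetGroup }
if (-not $classification -or -not $product -or -not $group) {
    throw 'Classification, product or target group not found; synchronize first and check Products and Classifications'
}

# Reuse an existing rule with the same name instead of creating a duplicate on every run.
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($RuleName) }

$classColl = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
[void]$classColl.Add($classification)
$catColl   = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
[void]$catColl.Add($product)
$groupColl = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
[void]$groupColl.Add($group)

$rule.SetUpdateClassifications($classColl)
$rule.SetCategories($catColl)
$rule.SetComputerTargetGroups($groupColl)
$rule.Enabled = $true
$rule.Save()
$rule.ApplyRule()            # same effect as "Run rule" in the console
"Rule '$RuleName' saved and applied for group '$TargetGroup'"

# Decline FEP definition updates that a newer definition has already superseded, so that
# neither the server nor the clients keep evaluating them.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
[void]$scope.Classifications.Add($classification)
[void]$scope.Categories.Add($product)

$declined = 0
foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.IsSuperseded -and -not $update.IsDeclined) {
        if ($WhatIfDecline) {
            "Would decline: $($update.Title)"
        } else {
            $update.Decline()
            $declined++
        }
    }
}
"Declined $declined superseded FEP definition updates"
```

Schedule the script after each synchronization rather than running it once: the rule handles approval of new definitions on its own, but declining superseded ones only happens when the script runs.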

Microsoft Update Definition Updates
You use the Microsoft Update definition update option to keep definitions on mobile computers up-to-date when they are not connected to the corporate network. The Microsoft Update definition update option works in the same way as a normal Microsoft Update request. If configured, the FEP client queries Microsoft Update for new definitions according to the frequency configured in the FEP policy. You configure clients to check for definition updates by setting a policy option.

To configure clients to check Microsoft Update
When you create a FEP policy, on the Updates page, ensure that the Enable updates from Microsoft Update check box is selected.

When you want to add Microsoft Update as a definition update option to an existing policy, in the properties of the policy, click the Updates tab, and in the update source list, ensure that the Updates from Microsoft Updates check box is selected.

File-Share-Based Definition Updates
The FEP client software can be configured to check a file share for definition updates. In order to check for updates, the client computer accounts must have read access to the file share in which you store the definition files.
Note: When you configure clients to check a file share for definition updates, by default clients check the file share first, before checking WSUS or Microsoft Update. This order can be changed. For more information, see Configuring Definition Updates.

To enable file share-based definition updates
1. When creating a FEP policy, on the Updates page, select the check box next to Enable updates from the following UNC file share, and then in the text box, enter the Universal Naming Convention (UNC) path to the file share.
2. To enable file share-based definition updates in an existing policy, use the following steps:
   a. In the Configuration Manager console, expand Computer Management, expand Forefront Endpoint Protection, and then click Policies.
   b. In the details pane, right-click the policy you want to edit, and then click Properties.
   c. Click the Updates tab, and then in the list of update sources, select the check box next to Updates from UNC file shares.
   d. Under File shares, click Add, and then type the UNC path to the file share.
   e. If necessary, click Add again and add additional UNC paths.
   Note: You can alter the order of the list of file shares by selecting a listed path and then, under the list, clicking Up or Down.
   f. When finished, click OK.

When you configure a file share for definition updates, you must download the definition updates to specific folders in the UNC file share.

To configure a file share for definition updates
1. Download the required files from the following locations:
   For x64:
   Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64)
   Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197094)
   Note: This file is required only if you have enabled the Enable protection against network-based exploits check box on the Antimalware tab of a FEP policy.
   For x86:
   Antimalware definitions (http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86)
   Network-based exploit definitions (http://go.microsoft.com/fwlink/?LinkId=197095)
   Note: This file is required only if you have enabled the Enable protection against network-based exploits check box on the Antimalware tab of a FEP policy.
   Important: Do not rename the files when you download them.
2. Save the files in folders with the following names:
   The files for x64-based computers must be in a folder named x64
   The files for x86-based computers must be in a folder named x86
   For example:
   ...\Updates\x86
   ...\Updates\x64
3. Ensure that each folder contains the following two files:
   Mpam-fe.exe
   Nis_full.exe
   Note: Nis_full.exe is required only if you have enabled the Enable protection against network-based exploits check box on the Antimalware tab of a FEP policy.
4. Share the parent folder that contains the x64 and x86 folders.
   Important: Ensure that the client computers and the domain users connecting to the share have read permissions to the share. During an automatic update, the client computer account is used to authenticate to the share. When a user manually updates their definitions by clicking Update, that user's account is used to authenticate to the share.
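The four steps above can be scripted on the file server so that the folder layout, the file names and the read-only permissions come out the same every time, and so that a tampered or truncated download is never published to the share. The following script is an added example, not part of the FEP documentation; the local folder, the share name, the two groups granted read access, and the use of New-SmbShare (Windows Server 2012 or later) are assumptions for this example. The signature check is an addition of this example and is not a step in the documented procedure.

```powershell
# Added example (not from the FEP documentation): build, verify and share the
# definition folder layout from the procedure above. Run on the file server as
# an administrator. $root, $shareName, $readers and $includeNis are assumptions.

$root       = 'C:\FEPDefinitions'   # assumption: local folder published as \\server\Updates
$shareName  = 'Updates'             # assumption: share name used in the FEP policy's UNC path
$readers    = @("$env:USERDOMAIN\Domain Computers", "$env:USERDOMAIN\Domain Users")
              # computer account for automatic updates, user account for a manual Update
$includeNis = $true                 # Nis_full.exe is only needed when network-based exploit protection is enabled

# Step 1: download locations from the procedure, keyed by the step 2 folder names.
$downloads = @{
    'x64' = @{
        'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64'
        'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197094'
    }
    'x86' = @{
        'Mpam-fe.exe'  = 'http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86'
        'Nis_full.exe' = 'http://go.microsoft.com/fwlink/?LinkId=197095'
    }
}

$web = New-Object System.Net.WebClient
foreach ($arch in $downloads.Keys) {
    $dir = Join-Path $root $arch
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    foreach ($name in $downloads[$arch].Keys) {
        if ($name -eq 'Nis_full.exe' -and -not $includeNis) { continue }

        # Download to a staging file so a half-written binary is never visible on the share.
        $staging = Join-Path $env:TEMP "$arch-$name"
        $web.DownloadFile($downloads[$arch][$name], $staging)

        # Every client executes whatever sits in this share, so publish only binaries
        # that carry a valid Authenticode signature issued to Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $staging
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            Remove-Item $staging -Force
            throw "Refusing to publish $name for $arch (signature status: $($sig.Status))"
        }

        # Step 1 also says not to rename the files: the name is kept exactly as documented.
        Move-Item -Path $staging -Destination (Join-Path $dir $name) -Force
    }
}

# Step 3: each architecture folder must hold the expected files.
$expected = @('Mpam-fe.exe'); if ($includeNis) { $expected += 'Nis_full.exe' }
foreach ($arch in 'x64', 'x86') {
    foreach ($name in $expected) {
        if (-not (Test-Path (Join-Path (Join-Path $root $arch) $name))) { throw "$arch\$name is missing" }
    }
}

# Step 4: share the parent folder, read-only for computers and users.
# NTFS: read and execute only, inherited by the x64 and x86 subfolders.
foreach ($principal in $readers) { & icacls $root /grant "${principal}:(OI)(CI)RX" | Out-Null }
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $root -ReadAccess $readers | Out-Null
}
"\\$env:COMPUTERNAME\$shareName is ready; enter it as the UNC path in the FEP policy"
```

Neither the NTFS nor the share permissions grant write access to anyone but the administrator who runs the script; a writable definition share would let any domain account replace Mpam-fe.exe with a binary that every client runs at the next update.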

FEP Monitoring
You can monitor the client computers that run the FEP client software in a number of ways. The monitoring features of Forefront Endpoint Protection are summarized in the following table.

Monitoring method: Forefront Endpoint Protection dashboard
Description: Displays client deployment status, antimalware activity status, definition status, policy distribution status, and the compliance dashboard levels for the configured baselines in Desired Configuration Management (DCM). For information on how to use the Forefront Endpoint Protection dashboard, see Monitoring Client Status by Using the Dashboard.

Monitoring method: Forefront Endpoint Protection alerts
Description: The alerts node under Forefront Endpoint Protection allows you to configure the alerts that provide administrators with information about malware outbreaks, through events in the Windows Event Viewer or optionally by e-mail. For information on how to use Forefront Endpoint Protection alerts, see Using Alerts to Monitor Malware Detections.

Monitoring method: Forefront Endpoint Protection reports
Description: Forefront Endpoint Protection comes with reports that allow you to see greater detail about other key indicators of computer health. For more information about Forefront Endpoint Protection reports, see Using Reports in FEP.

Monitoring method: Forefront Endpoint Protection baselines for Desired Configuration Management (DCM)
Description: Forefront Endpoint Protection includes baselines for DCM. The addition of Forefront Endpoint Protection baselines to DCM allows you to assess and track the configuration compliance of the FEP client software. For more information about Forefront Endpoint Protection Desired Configuration Management, see Using Desired Configuration Management to Monitor Client Compliance.

Monitoring Client Status by Using the Dashboard
You use the Forefront Endpoint Protection (FEP) dashboard to view the key information you need in order to track, manage, and report on your organization's antimalware health and status. For more information, see Dashboard Overview.

To view the list of computers to which the Forefront Endpoint Protection client failed to deploy
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection. In the results pane, in the Client Deployment Status area, the statistics for client deployment are displayed.
2. In the Client Deployment Status area, next to Failed, click the number displayed. The Deployment Failed collection is displayed. This collection lists all the computers that returned a failure on the installation package for the FEP client software.
Note: For more information about collections in Configuration Manager, see About Collections (http://go.microsoft.com/fwlink/?LinkId=196182) in the System Center Configuration Manager 2007 documentation.

To view malware activity status
In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection. In the results pane, in the Security Status area, the list of possible FEP security states is displayed. The Security Status list shows how many computers that had malware were cleaned, how many are actively infected, and how many computers need additional action.

About Forefront Endpoint Protection Configuration Baselines
The FEP dashboard contains a summary view of the FEP configuration baselines used to monitor and report information about the categories of computers in your organization. In the Forefront Endpoint Protection Baselines area, you see a summary view of each FEP configuration baseline and the number of computers compliant or not compliant with the configuration baseline. For more information about the FEP configuration baselines, see Using Desired Configuration Management to Monitor Client Compliance.
Warning: If you enable the Use Reporting Services Reports for Admin console report links option in the Configuration Manager site report options, all FEP Desired Configuration Management baseline reports and report links at the bottom of the FEP dashboard do not work, and return an error. To fix the reports, run the steps described in How to Copy Configuration Manager Reports to SQL Reporting Services (http://go.microsoft.com/fwlink/?LinkId=207354) in the Configuration Manager documentation.

Using Alerts to Monitor Malware Detections
Alerts in Forefront Endpoint Protection (FEP) provide administrators with information about malware outbreaks. Administrators can view alerts in two ways:
- Through events in the Windows Event Viewer
- Optionally, by e-mail

There are two varieties of alerts:
- Alerts that apply per collection (and any child collections of the parent collection). You can create multiple alerts, but a collection can only be assigned one of each alert type.
- A global alert for malware outbreaks, which triggers based on any collection.

By default, alerts in FEP are not enabled, and you must configure e-mail settings in order for the e-mail option to work. Additionally, in a hierarchical Configuration Manager topology where you have FEP installed on both the child site and the parent site, you should configure alerts at the child site to notify administrators who can take action on the alerts. The following table lists the alerts available in FEP.

Alert type: Malware Outbreak Alert
Description: When enabled, an alert of this type is triggered when a fast-spreading malware is detected in your organization. You configure the threshold for a fast-spreading malware in your organization by setting the number of unique computers infected by a particular malware in 24 hours.
Default trigger threshold when enabled: Number of computers with the same malware detected: 100

Alert type: Malware Detection Alerts
Description: After the alert is created, an alert of this type is triggered when the following conditions are met:
- Malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.
- The malware detection falls within the specified detection level for the alert.
Default trigger threshold when enabled: No parent collections are specified by default. Select detection level: High

Alert type: Repeated Malware Detection Alerts
Description: After the alert is created, an alert of this type is triggered when the following conditions are met:
- The same malware is detected on a computer that is a member of the specified parent collection, or one of its child collections.
- The number of detections of the same malware meets the number of detections specified in the alert configuration.
- The detections occurred within the interval specified in the alert configuration.
Default trigger threshold when enabled: No parent collections are specified by default. Number of the same malware detected: 4. Interval: 24 hours

Alert type: Multiple Malware Detection Alerts
Description: After the alert is created, an alert of this type is triggered when the following conditions are met:
- Multiple types of malware are detected on a computer that is a member of the specified parent collection, or one of its child collections.
- The number of malware types detected meets the number specified in the alert configuration.
- The detections occurred within the interval specified in the alert configuration.
Default trigger threshold when enabled: No parent collections are specified by default. Number of malware types detected: 4. Interval: 24 hours
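The four trigger conditions in the table differ only in what is counted (unique computers, detections of one malware on one computer, or distinct malware on one computer) and over which window. The following script is an added example, not FEP code and not the logic the FEP server runs, that evaluates each condition over a constructed set of detection records so that the thresholds can be seen in action. The record layout, the computer and malware names, and the mapping of a client state to the three detection levels are assumptions; the thresholds default to the table's values, except that the outbreak threshold is lowered to 3 to suit the small sample. Scoping to a parent collection is left out.

```powershell
# Added example (not from the FEP documentation): the alert conditions from the
# table above, evaluated over constructed detection records. Record layout,
# names and the state-to-level mapping are assumptions for this example.

$now = Get-Date '2011-03-01 12:00:00'

# Constructed detections: Computer, Malware, Time and the client's state after
# the detection (Cleaned, ActionRequired or Active).
$detections = @(
    @{ Computer='PC01'; Malware='Worm:Win32/Conficker.B'; Time=$now.AddHours(-1);  State='Cleaned' },
    @{ Computer='PC02'; Malware='Worm:Win32/Conficker.B'; Time=$now.AddHours(-2);  State='Active' },
    @{ Computer='PC03'; Malware='Worm:Win32/Conficker.B'; Time=$now.AddHours(-3);  State='Cleaned' },
    @{ Computer='PC04'; Malware='Worm:Win32/Conficker.B'; Time=$now.AddHours(-30); State='Cleaned' },  # outside 24 h
    @{ Computer='PC05'; Malware='Trojan:Win32/Alureon.A'; Time=$now.AddHours(-1);  State='Cleaned' },
    @{ Computer='PC05'; Malware='Trojan:Win32/Alureon.A'; Time=$now.AddHours(-5);  State='Cleaned' },
    @{ Computer='PC05'; Malware='Trojan:Win32/Alureon.A'; Time=$now.AddHours(-9);  State='Cleaned' },
    @{ Computer='PC05'; Malware='Trojan:Win32/Alureon.A'; Time=$now.AddHours(-13); State='ActionRequired' },
    @{ Computer='PC06'; Malware='Trojan:Win32/Alureon.A'; Time=$now.AddHours(-1);  State='Cleaned' },
    @{ Computer='PC06'; Malware='Adware:Win32/Hotbar';    Time=$now.AddHours(-2);  State='Cleaned' },
    @{ Computer='PC06'; Malware='Backdoor:Win32/Rbot';    Time=$now.AddHours(-3);  State='Cleaned' },
    @{ Computer='PC06'; Malware='Virus:Win32/Sality.AT';  Time=$now.AddHours(-4);  State='Cleaned' }
) | ForEach-Object { New-Object PSObject -Property $_ }

function Test-InWindow($d, [datetime]$End, [int]$Hours) {
    $d.Time -gt $End.AddHours(-$Hours) -and $d.Time -le $End
}

# Malware Outbreak Alert: the same malware on at least N unique computers within 24 hours.
function Get-OutbreakAlerts($Detections, [int]$Threshold = 100, [int]$Hours = 24) {
    $Detections | Where-Object { Test-InWindow $_ $now $Hours } |
        Group-Object Malware |
        ForEach-Object {
            $computers = @($_.Group | Select-Object -ExpandProperty Computer | Sort-Object -Unique)
            if ($computers.Count -ge $Threshold) { "Outbreak: $($_.Name) on $($computers.Count) computers" }
        }
}

# Malware Detection Alert: High = any detection, Medium = manual action required
# on the client, Low = malware still active.
function Get-DetectionAlerts($Detections, [string]$Level = 'High') {
    $wanted = switch ($Level) {
        'High'   { 'Cleaned', 'ActionRequired', 'Active' }
        'Medium' { 'ActionRequired' }
        'Low'    { 'Active' }
    }
    $Detections | Where-Object { $wanted -contains $_.State } |
        ForEach-Object { "Detection ($Level): $($_.Malware) on $($_.Computer), state $($_.State)" }
}

# Repeated Malware Detection Alert: the same malware N times on one computer within the interval.
function Get-RepeatedAlerts($Detections, [int]$Count = 4, [int]$Hours = 24) {
    $Detections | Where-Object { Test-InWindow $_ $now $Hours } |
        Group-Object Computer, Malware |
        Where-Object { $_.Count -ge $Count } |
        ForEach-Object { "Repeated: $($_.Group[0].Malware) detected $($_.Count) times on $($_.Group[0].Computer)" }
}

# Multiple Malware Detection Alert: N different malware types on one computer within the interval.
function Get-MultipleAlerts($Detections, [int]$Count = 4, [int]$Hours = 24) {
    $Detections | Where-Object { Test-InWindow $_ $now $Hours } |
        Group-Object Computer |
        ForEach-Object {
            $types = @($_.Group | Select-Object -ExpandProperty Malware | Sort-Object -Unique)
            if ($types.Count -ge $Count) { "Multiple: $($types.Count) malware types on $($_.Name)" }
        }
}

Get-OutbreakAlerts  $detections -Threshold 3   # Conficker.B on PC01-PC03; PC04 is outside the window
Get-DetectionAlerts $detections -Level Medium  # PC05, manual action required
Get-RepeatedAlerts  $detections                # Alureon.A four times on PC05
Get-MultipleAlerts  $detections                # four malware types on PC06
```

PC04 shows why the window matters: its Conficker detection is real but 30 hours old, so it does not count toward the outbreak, and a threshold tuned for the whole organization (the default of 100) would never fire on a sample this small, which is why the call above lowers it.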

To create and configure per-collection alerts
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.
2. Click one of the per-collection alerts (Malware Detection, Repeated Malware Detection, or Multiple Malware Detection), and then in the Actions pane, click the New action.
3. To configure the alert, set the options you need according to the following table.

Alert name: Malware Detection Alert
- Option: Enter parent collection. Description: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.
- Option: Select detection level. Description: Specifies the computer state that can trigger an alert. Valid detection levels are described in the following list:
  High: Malware is detected. The alert is triggered when there are one or more computers in the specified collection on which any malware is detected, regardless of the action taken by the Forefront Endpoint Protection client.
  Medium: Action is required. The alert is triggered when there are one or more computers in the specified collection on which malware is detected and manual action is required on the Forefront Endpoint Protection client in order to complete the malware removal.
  Low: Malware is active. The alert is triggered when there are one or more computers in the specified collection on which malware is detected and is still active.

Alert name: Repeated Malware Detection Alert
- Option: Enter parent collection. Description: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.
- Option: Number of the same malware detected. Description: Specifies the number of detections of the same malware on a computer that is a member of the specified parent collection, or one of its child collections.
- Option: Interval. Description: Specifies the interval during which the number of detections must occur.

Alert name: Multiple Malware Detection Alerts
- Option: Enter parent collection. Description: Click Browse to specify the parent collection to monitor. The parent collection and any child collections are monitored for this alert configuration.
- Option: Number of malware types detected. Description: Specifies the number of different types of malware that must be detected on a computer that is a member of the specified parent collection, or one of its child collections.
- Option: Interval. Description: Specifies the interval during which the number of detections must occur.

4. For all alerts, in the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.
5. When finished, click OK.
Important: You must enable the e-mail settings in Configuration Manager before Forefront Endpoint Protection will send e-mail notifications.

To enable and configure the global Malware Outbreak alert
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then expand Alerts.
2. Click Malware Outbreak Alert, and then in the details pane, double-click Malware Outbreak Alert.
3. In the Malware Outbreak Alert Properties dialog box, select the Enable alert check box.
4. Next to Number of computers with the same malware detected, type the number of computers on which the same malware must be detected in order to trigger this alert.
5. In the When an alert is raised, send an e-mail message to the following recipients box, type an e-mail address, and then click Add. To send the alert to multiple e-mail addresses, repeat this step.
6. When finished, click OK.

To configure e-mail settings
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection, and then click Alerts.
2. In the Actions pane, click E-mail Settings.
3. To enable alerts to be sent by e-mail, select the E-mail alert notification check box.
4. In the SMTP Server box, type the fully qualified domain name (FQDN) of your SMTP server. If your SMTP server uses a port other than the default port, in the Port box, type or select the port number.
5. Under Authentication method, select the option for the credential type to use to authenticate the connection to the SMTP server.
Important: It is recommended that you use Integrated Windows Authentication as the authentication method. When you choose Integrated Windows Authentication, the computer account of the FEP server is used to authenticate to the SMTP server. Otherwise, ensure that the selected credentials exist on the specified SMTP server; if they do not, authentication fails. To view the service credentials, in Windows Services, right-click Forefront Endpoint Protection Monitoring Service, click Properties, and then click Log On.
6. In the E-mail from address box, type the e-mail address from which Forefront Endpoint Protection alerts are sent, and then click OK.
Note: To test the SMTP settings, instead of clicking OK, click Test and Close. This adds a test e-mail to the e-mail queue that is periodically processed by the Forefront Endpoint Protection Monitoring Service.

To view alerts in the Windows Event Viewer
1. In the Windows Event Viewer, expand Applications and Services Logs, and then click Forefront Endpoint Protection.
2. Double-click the alert you want to view.

Using Desired Configuration Management to Monitor Client Compliance
Forefront Endpoint Protection (FEP) includes Desired Configuration Management (DCM) configuration baselines. DCM, a feature of System Center Configuration Manager, allows you to assess computer configuration against configuration baselines. To learn more about DCM and configuring baselines, see Desired Configuration Management in Configuration Manager (http://go.microsoft.com/fwlink/?LinkId=206684) in the Configuration Manager documentation. FEP provides the following predefined configuration baselines:
Note: All FEP baselines are read-only.
- FEP - High-Security Desktop
- FEP - Laptop
- FEP - Performance-Optimized Desktop
- FEP - Standard Desktop

By default, these baselines are not assigned to collections. In order to see the summary results of these baselines, or of any custom baselines you create and assign to the FEP dashboard, you must assign the baseline to a collection and then run a DCM Home Page Summarization from the DCM home page in the Configuration Manager console. For more information about using the DCM home page, see How to Use the Desired Configuration Management Home Page (http://go.microsoft.com/fwlink/?LinkId=207094) in the Configuration Manager documentation.
Warning: The following configuration baselines are used by the FEP dashboard, and you must not modify the collections to which they are assigned:
- FEP Monitoring - Antimalware Status
- FEP Monitoring - Definitions and Health Status
- FEP Monitoring - Malware Activity
- FEP Monitoring - Malware Detections

Important: In order to use DCM in Configuration Manager, you must enable DCM on the Configuration Manager client agent. For more information about how to do this, see How to Enable or Disable the Desired Configuration Management Client Agent (http://go.microsoft.com/fwlink/?LinkId=206661) in the Configuration Manager documentation.

Managing FEP DCM Baselines
Because FEP DCM baselines are read-only, you cannot directly modify the configuration items or rules from which they are composed. If you need to add configuration items or rules to a FEP baseline, you must first duplicate the target baseline and then edit the new baseline.
Note: If you need to reduce the amount of time it takes to update information generated by a baseline and displayed in the Forefront Endpoint Protection dashboard, you can modify the schedule of the baseline assignment that generates that data. However, modifying the schedule of a built-in baseline assignment could adversely affect the performance of your Configuration Manager server. For more information about how to modify the schedule of an assigned baseline, see How to Set the Configuration Baseline Assignment Compliance Evaluation Schedule in Desired Configuration Management (http://go.microsoft.com/fwlink/?LinkId=206696) in the Configuration Manager documentation.

To duplicate a FEP baseline
1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.
2. In the details pane, right-click the configuration baseline you want to duplicate, and then click Duplicate.
After you duplicate the desired FEP baseline, you can edit it by right-clicking the duplicated baseline and clicking Properties. For more information about implementing customized DCM baselines, see the following topics in the Configuration Manager documentation:
- How to Configure Configuration Items for Desired Configuration Management (http://go.microsoft.com/fwlink/?LinkId=206685)
- How to Modify a Configuration Baseline in Desired Configuration Management (http://go.microsoft.com/fwlink/?LinkId=206687)
- How to Manage Configuration Baselines and Configuration Items for Desired Configuration Management (http://go.microsoft.com/fwlink/?LinkId=206688)

The FEP dashboard contains a list of the baselines that are assigned to the category FEP. When you duplicate a baseline, this category field is also duplicated. You can assign any baseline to the FEP category and have its statistics appear in the FEP dashboard.

To assign a category to a baseline
1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.
2. In the details pane, right-click the configuration baseline to which you want to assign the category, and then click Properties.
3. In the baseline properties dialog box, on the General tab, click the Categories button, and then in the Available categories list, select the check box next to FEP, and then click OK.
4. In the baseline properties dialog box, click OK.
To see the new baseline in the FEP dashboard, after assigning the baseline to a collection, when viewing the FEP dashboard, in the Actions pane, click Refresh.
Warning: Configuration baseline rules should contain no more than 300 software updates. If you create a rule with more than 300 software updates, the baseline to which the rule is assigned does not evaluate the client computers correctly. For more information, see Microsoft Knowledge Base article 937532 (http://go.microsoft.com/fwlink/?LinkId=207668).

Monitoring Baseline Compliance
FEP configuration baselines are composed of the configuration items that are monitored and the rules that define compliance. The configuration baselines are assigned to the computers you want to monitor by using collections, and are evaluated both on a schedule and when a security incident (such as a malware detection) occurs.
Note: By default, no baselines are assigned to collections. In order to see baseline results in the FEP dashboard, you must assign a baseline to a collection. Client computers can have multiple configuration baselines assigned to them, which gives you a high level of control.

To assign a FEP baseline to a collection
1. In the Configuration Manager console, in the tree, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Desired Configuration Management, and then click Configuration Baselines.
Tip: To limit the list to FEP configuration baselines, in the Look for box, enter FEP, and then click Find Now.
2. Right-click the configuration baseline you want to assign, and then click Assign to a Collection. The Assign Configuration Baseline Wizard opens.
3. On the Choose Baselines page, click Next.
4. On the Choose Collection page, click Browse, choose a collection, click OK, and then click Next.
5. On the Set Schedule page, configure how frequently you want the Configuration Manager client agent to evaluate compliance with the baseline. When finished, click Next.
Warning: When setting the schedule for a baseline, consider how much impact the data reporting may have on your Configuration Manager server.
6. On the Summary page, review the details, and then click Next.
7. On the Wizard Completed page, click Close.
After you assign a baseline to a collection, the client computers in the collection evaluate their compliance against each configuration baseline to which they are assigned, and immediately report the results back to the site. If a client is not currently connected to the network but has downloaded the configuration items referenced in its assigned configuration baselines, the compliance information is sent on reconnection. You can monitor the results of configuration baseline compliance evaluation from the FEP dashboard.
Note: Dashboard statistics are based on data gathered by Configuration Manager at scheduled intervals and may not reflect the most recent information.

To monitor the results of the configuration baseline compliance evaluation
1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, and then click Forefront Endpoint Protection.
2. In the details pane, in the Forefront Endpoint Protection Baselines area, you can see the compliance results of the built-in Forefront Endpoint Protection configuration baselines. The following list summarizes the meaning of the columns:
- Baseline: The name of the FEP configuration baseline.
- Severity: The severity level configured in the configuration item if non-compliance is reported or if the configuration item is not present on the client computer.
- Assigned: The number of computers that are assigned to the configuration baseline.
- Non-compliant: The number of computers that report a non-compliance status with the selected baseline.
- Compliance: The number of computers that report a compliance status with the selected baseline.
- Failed: The number of computers that report a failure evaluating their compliance status with the selected baseline.
- Compliance Level (expressed as a percentage): The number of computers that report a compliance status with the selected baseline, divided by the number of computers assigned the configuration baseline, expressed as a percentage.
Periodically viewing these results allows you to ascertain the overall compliance of computers in your organization.
3. To view the summary report of a configuration baseline, in the Forefront Endpoint Protection Baselines area, click the link of the configuration baseline you want to view.
4. To view more detail in the report, next to each line for which you want to view more detail, click the arrow icon.
Tip: You can also view the compliance status of a baseline on a client computer. In Control Panel, open Configuration Manager, and then click the Configurations tab. Click Evaluate to run a baseline compliance check, or click View Report to see the results of a selected compliance report.
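When you are troubleshooting a single client, the Configurations tab described in the tip above is quicker than waiting for the dashboard summarization. The same information is exposed to scripts through the Configuration Manager client's WMI namespace, which lets you check a client remotely and force a re-evaluation before the scheduled one. The following script is an added example, not part of the FEP documentation or of the Configuration Manager client. It assumes that the Configuration Manager 2007 client exposes assigned baselines as the SMS_DesiredConfiguration class in root\ccm\dcm, that the class's TriggerEvaluation method takes the baseline name and version, and that LastComplianceStatus uses the numeric codes in the table below; verify those against your client version before relying on the output.

```powershell
# Added example (not from the FEP documentation): list the FEP baselines assigned
# to this client with their last evaluation result, then trigger a fresh
# evaluation, equivalent to the Configurations tab in Control Panel. The class,
# method signature and status codes below are assumptions for this example.
# Run with administrative rights; add -ComputerName to Get-WmiObject and use
# \\<name>\ in the [wmiclass] path to target a remote client.

$namespace  = 'root\ccm\dcm'
$statusText = @{ 0 = 'Non-compliant'; 1 = 'Compliant'; 2 = 'Submitted'; 3 = 'Unknown'; 4 = 'Error'; 5 = 'Not evaluated' }

function Get-FepBaselineStatus {
    Get-WmiObject -Namespace $namespace -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -like 'FEP*' } |
        ForEach-Object {
            # LastEvalTime is a WMI datetime string; convert it for readability.
            $evaluated = $null
            if ($_.LastEvalTime) {
                $evaluated = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.LastEvalTime)
            }
            New-Object PSObject -Property @{
                Baseline      = $_.DisplayName
                Version       = $_.Version
                Status        = $statusText[[int]$_.LastComplianceStatus]
                LastEvaluated = $evaluated
            }
        }
}

function Invoke-FepBaselineEvaluation {
    # TriggerEvaluation is a static method on the class; its parameters are
    # positional in MOF order (Name, Version on the 2007 client).
    $dcm = [wmiclass]"${namespace}:SMS_DesiredConfiguration"
    Get-WmiObject -Namespace $namespace -Class SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -like 'FEP*' } |
        ForEach-Object {
            $result = $dcm.TriggerEvaluation($_.Name, $_.Version)
            "$($_.DisplayName): evaluation triggered (ReturnValue $($result.ReturnValue))"
        }
}

Get-FepBaselineStatus | Format-Table Baseline, Version, Status, LastEvaluated -AutoSize
Invoke-FepBaselineEvaluation
```

The evaluation runs asynchronously on the client; re-run Get-FepBaselineStatus after a short wait to see the new LastEvaluated time and status, and expect the dashboard to catch up only after the next scheduled summarization.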

FEP 2010 Security Management Pack Monitoring

You can monitor the client computers that run the FEP client software in a variety of ways. The monitoring mechanisms of the Forefront Endpoint Protection Security Management Pack are summarized in the following table.

Item: Object classes
Description: Classes identify all FEP-protected and FEP-unprotected clients. For information about FEP classes, see Object Classes.

Item: Discovery
Description: Discovery is the way objects are identified by Operations Manager. For information about FEP discovery, see About Discovery.

Item: Rules
Description: Rules perform designated operations. For example, rules can raise alerts when security incidents occur. For more information about FEP rules, see About Rules.

Item: Monitors
Description: Monitors are event-driven mechanisms that collect information about vulnerabilities and the security state of FEP clients. For more information about FEP monitors, see About Monitors.

Item: Views
Description: Views display health states of clients, as well as alerts and events. For more information about FEP views, see About Views.

Item: Alerts
Description: Alerts can indicate whether there is an issue in your environment. For more information about FEP alerts, see About Alerts.

Item: Tasks
Description: Tasks trigger on-demand actions that are required for fixing vulnerabilities and the security state of FEP clients. For more information about FEP tasks, see About Tasks.

Viewing Endpoint Properties
There are two ways to view endpoint information: by using the Health Explorer and by viewing the Details pane. If you want to view multiple properties for the same endpoint, the Details pane is the easiest way to view these properties. However, it is important to note that the Health Explorer and the Detail View pane are populated via different mechanisms. Properties viewed through the Health Explorer are delivered by monitors and alerts, which are event driven. Properties viewed by using the Detail View pane are discovery driven. This means that information that is viewed through Health Explorer for a selected endpoint can reflect different property values than viewing the same information by using the Detail View pane. For example, if an event occurs after the property information is refreshed by discovery, the Health Explorer will display the latest updated information for that property. The Detail View pane will not receive updated property information until the next time discovery runs. For more information about FEP monitors, see About Monitors. For more information about FEP discovery, see About Discovery.

Monitoring Cluster Nodes
The Forefront Endpoint Protection client software is not cluster aware. Although it is possible to view all nodes through Operations Manager, the passive node of a cluster cannot be monitored by using the Forefront Endpoint Protection Security Management Pack.

Security Considerations
All discoveries, monitors, tasks, and rules contained in the FEP Security Management Pack run under the Operations Manager default action account. The Operations Manager default action account must be set to run as Local System Account (LSA) in order to allow tasks to launch properly. For more information about accounts, see Account Information for Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206963). For more information about Run As Accounts and Run As Profiles, see Run As Accounts and Run As Profiles in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206964).

Run As Profiles
The FEP Security Management Pack discoveries, monitors, and rules run under the default action account, and this cannot be changed.

Low-Privilege Environments
The Forefront Endpoint Protection Security Management Pack does not support low-privilege Operations Manager Agent deployments.

Health Rollup
Health Rollup Diagram
The following diagram displays the health rollup of the FEP Security Management Pack.

Object Classes
Each monitored object that appears in the Operations console is an instance of a particular class. The Forefront Endpoint Protection Security Management Pack contains the following seven classes:
- Protected Server Candidate
- Protected Server
- Unprotected Server
- Antimalware Engine
- Malware Activity
- Antimalware Definitions
- Protected Servers Watcher

The following diagram outlines the object classes and the corresponding object class relationships.

About Discovery

In Operations Manager, the Discovery Wizard can be used to define a query. However, the FEP 2010 Security Management Pack is preconfigured to target Microsoft.Windows.Server.Computer. This query returns True if the FEP 2010 client is installed on a computer that is running a server operating system. If you also want to target clients that are running client operating systems, you must configure Operations Manager to target those clients.

Objects the FEP Security Management Pack Discovers

The FEP Security Management Pack discovers the object types described in the following table. Not all of the objects are discovered automatically. Use overrides to discover the object types that are not discovered automatically. For more information about how to configure discovery to target clients running client operating systems, see Configuring Client Discovery.

Category | Object | Discovered automatically
Server Discovery | Microsoft.Windows.Server.Computer | Yes
Client Computer Discovery | Microsoft.Windows.Client.Computer | No

Discovery intervals

By default, FEP object discovery is configured to run at specified intervals. As such, it is possible that clients will not reflect updated properties in the Details pane when viewed in the console. You can override the default discovery interval, but use caution when changing it: running discovery more frequently can impact performance. The following table shows the default discovery intervals.

Object | Default discovery interval (hours)
Protected Server Candidate Discovery | 8
Protected Client Candidate Discovery | 8
Protected Endpoint Discovery | 24

Object properties

The discovery process returns information that is then displayed in the Operations Manager console. Details for selected endpoints can be viewed in the Monitoring view of the Operations Manager console.


The following list shows the properties for discovered endpoints that are running the FEP client software (Protected Endpoint properties). The Additional information column of the original table is noted in parentheses where it applies.

- Client version
- Antimalware engine status
- Real-time protection status
- Real-time protection scan direction
- NIS status (supported only by Windows Vista with SP1 or later)
- Windows Firewall status
- Antivirus definitions version
- Antispyware definitions version
- NIS definitions version
- Antivirus definitions age (days)
- Antivirus definitions creation (GMT)
- Antispyware definitions age (days)
- Antispyware definitions creation (GMT)
- Last quick scan age (days)
- Last quick scan start time (GMT)
- Last quick scan end time (GMT)
- Last full scan age (days)
- Last full scan start time (GMT)
- Last full scan end time (GMT)
- Definitions download location
- Policy name
- Policy set date
- Failed policy name
- Failed policy date
- Policy failure details
- Installation pending restart
- Computer ID

The following list shows the properties for discovered endpoints that are not running the FEP client software (Unprotected Endpoint properties).

- Operating System Name
- Deployment State
- Deployment State More Information
- ComputerID

About Views

In Operations Manager 2007, views are groups of managed objects that share a defined commonality. When you select a view, a query is sent to the Operations Manager database and the results of the query are displayed in the results pane. For more information about Operations Manager 2007 views, see Creating views (http://go.microsoft.com/fwlink/?LinkId=207057). The Forefront Endpoint Protection Security Management Pack contains the following five views.

View | Description
Active Alerts | Displays all active alerts.
Dashboard | Displays all protected endpoints and all active alerts.
Endpoints with FEP | Displays all endpoints that have the FEP client software installed.
Endpoints without FEP | Displays endpoints that do not have the FEP client software installed.
Security Events | Displays all security events from endpoints that have the FEP client software installed.

About Monitors

Monitors use captured data to determine the health state of an object. The monitor then displays the state of the object (Healthy, Warning, or Critical). FEP monitors can also generate alerts. Information that is displayed by monitors is event-driven. The FEP Security Management Pack contains four types of monitors: Vulnerability, Security State, Overall Health, and Deployment. For more information about FEP Security Management Pack monitors, see Security Management Pack Monitors.

Security Management Pack Monitor Types

Vulnerability monitors

Vulnerability monitors track the settings and dynamic statuses of FEP clients. These monitors can be used to identify possible security vulnerabilities. The FEP Security Management Pack contains the following Vulnerability monitors:

- Antimalware Engine
- Antimalware Definitions Age
- Antimalware Definitions
- Vulnerability Protection
- Real-time Protection
- Windows Firewall

Security State monitors

FEP Security State monitors monitor the security state of FEP clients. The FEP Security Management Pack contains the following Security State monitors:

- Active Malware
- Additional Actions Pending

Overall Health monitor

The FEP Overall Health monitor reflects the overall health of all protected systems running FEP client software. This monitor is not visible, but is used to generate alerts when the overall health of monitored protected clients is unsatisfactory. The FEP Security Management Pack contains the following Overall Health monitor:

- Malware Outbreak

Deployment monitor

The FEP Deployment monitor reflects the deployment status of protected and unprotected clients. This monitor can be viewed in the Endpoints without FEP view. The FEP Security Management Pack contains the following Deployment monitor:

- Deployment Failure

Monitoring Using Overrides

Overriding a Monitor

You can use overrides to refine the settings of a monitoring object. As you fine-tune your monitors, you can reduce the number of alerts. However, override monitors with caution: you may override settings that are necessary to help keep your environment secure. Overrides can be used to adjust the configuration of Operations Manager monitoring settings for FEP Security Management Pack monitors, attributes, object discoveries, and rules. For more information about FEP monitors, see About Monitors.

When you create an override, you can apply it to a single managed object or to a group of managed objects. You must have Advanced Operator user rights to create and edit overrides. After you configure override settings, the Effective Value column displays the settings that the override will enforce. For more information about how to monitor by using overrides, see How to Monitor Using Overrides (http://go.microsoft.com/fwlink/?LinkId=206722).

To override a monitor

1. In the Operations console, click the Authoring button.
2. In the Authoring pane, expand Management Pack Objects, and then click Monitors.
3. In the Details pane, expand an object type completely, and then click a monitor.
4. On the Operations Manager toolbar, click Overrides, and then point to Override the Monitor. You can choose to override this monitor for objects of a specific type or for all objects within a group. After you choose which object type or group to override, the Override Properties dialog box opens, enabling you to view the default settings contained in this monitor. You can then choose whether to override each individual setting contained in the monitor.
   Note: If the Overrides button is not available, make sure you have selected a monitor and not a container object in the Monitors pane.
5. Select each setting that you want to override. When you complete your changes, click OK.

About Rules

A rule collects data from various sources and then stores that data in the Operations and Data Warehouse databases. The collected data is then made available for reporting purposes. The FEP Security Management Pack rules not only collect data, they can also generate alerts. The FEP Security Management Pack contains the following rules:

- Generate Cleaned Malware Alert Rule
- Generate Repeated Infection Alert Rule
- Collect Security Events Rule

To locate rule details in the Operations console

1. Open the Operations console.
2. Click the Authoring section.
3. Expand Authoring, expand Management Pack Objects, and then click Rules. There may be multiple management packs imported into Operations Manager. Click the Management Pack column heading to sort the rules by management pack.
4. Double-click a rule to view it. On the General tab, the Rule Name field lists the rule name.
5. Click the Configuration tab, and then in the Data sources area, click View. The information varies depending on the type of rule; it may be a schedule or an interval. Rules that collect performance data obtain the data from performance counters. As such, the minimum and maximum values are specific to the counter rather than the rule. To view the parameters that you can configure by using overrides, continue to the next step in this procedure.
6. In the Properties dialog box for the rule, click the Overrides tab.
7. In the Override one or more parameters of this rule through overrides section, click Override.
8. Select For all objects of type. Override Properties displays the parameters and values that you can configure.

About Alerts

An alert is an indication of an issue that has occurred somewhere in your environment. Operations Manager 2007 displays FEP alerts in the Operations console in the Active Alerts view. For information about investigating and resolving alerts, see Investigating and Resolving Alerts (http://go.microsoft.com/fwlink/?LinkId=207074).

About Tasks

You can manually initiate tasks to troubleshoot individual alerts. Tasks are accessed from the Actions pane in the System Center Operations Manager console. For a list of FEP Security Management Pack tasks, see Security Management Pack Tasks.

Note: The Operations Manager Web console does not support console tasks. For example, if you want to initiate an RDP connection to a client, you must use the Operations Manager console.

You may also want to override the default settings for specific tasks. For example, when running the Update Antimalware Definitions task, definitions are updated based on the policy settings that apply to the target client. You can override the default task parameters and specify that definitions can be updated only via the UNC file share that is specified in the policy settings for the client.

Warning: If you run a task that conflicts with Group Policy settings that have been configured for the target client, the conflicting configuration settings specified by the task will be overwritten by the Group Policy settings on the client. For example, if you run the task Turn Windows Firewall On and Group Policy settings specify that Windows Firewall is disabled on that client, Windows Firewall will not be enabled, even though the task reports a success status.

To view a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint Protection. Select a view from the tree, and then locate the endpoint for which you want to see the available associated tasks.
2. Click the endpoint to highlight it.
3. In the Protected Endpoint Tasks section of the Actions pane, view the tasks available for the selected endpoint.
   Note: If the Actions pane is not displayed, click Actions to display it.

To view available overrides for a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint Protection. Select a view from the tree, and then locate the endpoint for which you want to see the available associated tasks and task overrides.
2. Click the endpoint to highlight it.
3. In the Protected Endpoint Tasks section of the Actions pane, click the task for which you want to view available overrides.
4. In the Run Task dialog box, verify that the selected target is correct, and then click Override to view the available override settings for the task.
5. When you are finished viewing the available task overrides, click Cancel to close Override Task Parameters, and then click Cancel.

To run a task

1. In the Monitoring view, expand Monitoring, and then expand Forefront Endpoint Protection. Select a view from the tree, and then locate the endpoint on which you want to run a task.
2. Click the endpoint to highlight it.
3. In the Protected Endpoint Tasks section of the Actions pane, click the task that you want to run.
   Warning: Use caution when selecting the Turn Windows Firewall On task. Turning on Windows Firewall may impact roles and workloads that are running on servers.
4. In the Run Task dialog box, verify that the selected target is correct, configure any additional settings and overrides, and then click Run.

Placing Objects in Maintenance Mode

When a monitored object, such as a computer or distributed application, goes offline for maintenance, Operations Manager 2007 detects that no agent heartbeat is being received and, as a result, may generate numerous alerts and notifications. To prevent these alerts and notifications, place the monitored object in maintenance mode. In maintenance mode, alerts, notifications, rules, monitors, automatic responses, state changes, and new alerts are suppressed at the agent. For general instructions on placing a monitored object in maintenance mode, see How to Put a Monitored Object into Maintenance Mode in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=108358).

Configuring Notification Settings

Notifications generate messages or run commands automatically when an alert is raised on a monitored system. By default, notifications for alerts are not configured. For information about how to configure notifications in Operations Manager, see Configuring Notification (http://go.microsoft.com/fwlink/?LinkId=206904).

FEP 2010 Reports


Forefront Endpoint Protection reports consist of malware and health reports, and operational reports. This section describes where the reports are located, how the reports are run, the kind of information they provide, and the command options available for generated reports.

Forefront Endpoint Protection Security Reports

Forefront Endpoint Protection malware and health reports are located in the Reports node under the Forefront Endpoint Protection node. These reports provide administrators with information about the antimalware protection status of, and malware activity on, client computers where Forefront Endpoint Protection is deployed. There are five predefined Forefront Endpoint Protection reports, three of which are run directly from the Reports node (source reports), and two that are run by clicking links within them. Additionally, the Computer Details Report can be run by navigating to a collection, selecting a computer, and then in the Actions pane clicking Run FEP Computer Details Report. In this instance, the report is filtered to display information for the selected computer.

The Protection, Deployment, Health, and Security status report sections are based on the last status reported by the FEP client software and on current collection membership, unless otherwise noted. Malware and Antimalware activity report sections are based on historical information, and computers are displayed based on the collections of which the computer was a member when the activity occurred. The following table contains a list of the reports.

Report name: Antimalware Activity Report
Description: This report provides an overview of antimalware status, malware alerts, and malware detections.
Accessed by: Reports node
Report sections:
- Security Alerts: Displays a summary of raised Forefront Endpoint Protection alerts. For more information, see Using Alerts to Monitor Malware Detections.
- Security Status: Displays a summary of computers by Forefront Endpoint Protection client status.
- Antimalware Activity: Displays a dashboard of information about all detected malware.
- Malware Activity: Displays lists of the top malware infections by severity and frequency.

Report name: Antimalware Protection Summary Report
Description: This report provides an overview of antimalware deployment and health.
Accessed by: Reports node
Report sections:
- Antimalware Deployment and Health: Displays a dashboard of antimalware information.
- Security Status: Displays a summary of computers by Forefront Endpoint Protection client status.

Report name: Malware Details Report
Description: This report displays further details about a specific malware.
Accessed by: Clicking a link in a source report
Report sections:
- Malware Details: Displays details about the detected malware.
- Antimalware Activity: Displays a dashboard of information about the detected malware.
- Infected Computers: Displays a list of computers that have been infected with the detected malware.

Report name: Computer List Report
Description: This report displays a list of computers that can be filtered by collection, name, protection status, security state, antimalware signature version, detected malware, and last antimalware scan time.
Accessed by: Reports node or clicking a link in a source report
Report sections:
- Computer List: When you run this report from the Reports node, it displays a list of computers to which the Forefront Endpoint Protection client is deployed. When run by clicking a link in a source report, it displays a filtered list of computers according to the clicked link.

Report name: Computer Details Report
Description: This report displays further details about a specific computer.
Accessed by: Clicking a link in a source report or run directly on a computer in a collection
Report sections:
- Computer Details: Displays details about the specified computer.
- Protection Status: Displays information about the status of the Forefront Endpoint Protection client features.
- Malware Activity: Displays a summary of malware information followed by a list of malware that has been detected on the specified computer and its last reported state.

Forefront Endpoint Protection reports have links that you can click to view additional data, such as more detailed information about items in the source report. For example, you can click a malware name in the Antimalware Activity Report (source report) to view the Malware Details Report (target report) and display more information about this malware. The source report passes the malware name to the target report based on which line in the source report you choose to obtain more information. Important: The FEP reports only show antimalware activity; Network Inspection Service detections are not included in the Forefront Endpoint Protection reports. Network Inspection Service detection events are recorded to the Windows Event Log.

Note: On a computer running Windows 7 or Windows Server 2008 R2, where the regional date and time format is specified as Hebrew (Israel), dates and times will display in reverse format in the Forefront Endpoint Protection console. To resolve the issue, apply the following hotfix: KB2030901 (http://go.microsoft.com/fwlink/?LinkId=205598)

Command options

When you run a report, you can use the menu bar commands to do the following:

- To view the report with different parameters, change the report filters accordingly, and then click View Report.
- To search the report, in the Find box, type the search term, and then click Find.
- To use the report data in another application, in the Select a format box, select an export file format, and then click Export.
- To view the most recent information, click Refresh.
- To print the report, click Print.

The following table lists the default settings when running reports:

Report setting | Value
Collection | All Desktops and Servers
Report time span | Week

Operational Reports

Forefront Endpoint Protection operational reports are located in the standard Configuration Manager Reports node under the Reporting node. These reports provide administrators with tracking and troubleshooting information about Forefront Endpoint Protection deployments on, and policy distribution to, client computers. There are seven predefined Forefront Endpoint Protection reports, three of which can be run directly from the Forefront Endpoint Protection dashboard, and four that can be run by clicking successive links in them. The following is a list of the reports.

Report name: Deployment Overview
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status per collection.
Accessed by: Dashboard or Configuration Manager Reports
Details: For each collection, the following information is provided:
- Count: The total number of computers in the collection.
- The number of computers in each of the following deployment states: Removed, Failed, Pending, Out of date, Deployed, and Not targeted.
- Deployed %: The percentage of computers on which the Forefront Endpoint Protection client has been successfully installed.
You can click the links in the lefthand column to view the Deployment for a specific collection report.

Report name: Deployment for a specific collection
Description: This report displays the breakdown of the Microsoft Forefront Endpoint Protection 2010 client deployment status for a specific collection.
Accessed by: Configuration Manager Reports
Details: For the specified collection, for each deployment state, the total number of computers in that state is displayed. You can click the links in the lefthand column to view the Deployment for a specific collection in a specific state report.

Report name: Computers with a specific deployment state
Description: This report displays a list of computers in a collection and specific deployment state.
Accessed by: Configuration Manager Reports
Details: For the specified collection and deployment state, for each computer, a summary of Forefront Endpoint Protection deployment details is displayed. You can click the links in the lefthand column to view the FEP information for a specific computer report.

Report name: Policy Distribution Overview
Description: This report displays the breakdown of policy distribution states per collection. The report only enumerates computers with Microsoft Forefront Endpoint Protection 2010 deployed.
Accessed by: Dashboard or Configuration Manager Reports
Details: For each collection, the following information is provided:
- Computers: The total number of computers in the collection.
- The number of computers in each of the following distribution states: Failed, Pending, and Distributed.
- Success %: The percentage of computers on which the Forefront Endpoint Protection policy has been successfully applied.
You can click the links in the lefthand column to view the Policy Distribution for a specific collection report.

Report name: Policy Distribution for a specific collection
Description: This report displays the policy distribution states for a specific collection.
Accessed by: Configuration Manager Reports
Details: For the specified collection, for each distribution state, the total number of computers in that state is displayed. You can click the links in the lefthand column to view the Policy Distribution for a specific collection in a specific state report.

Report name: Computers with a specific policy distribution state
Description: This report displays a list of computers in a collection and specific policy state.
Accessed by: Configuration Manager Reports
Details: For the specified collection and deployment state, for each computer, a summary of Forefront Endpoint Protection deployment details is displayed. You can click the links in the lefthand column to view the FEP information for a specific computer report.

Report name: FEP information for a specific computer
Description: This report displays a summary of Forefront Endpoint Protection information for a specific computer.
Accessed by: Dashboard or Configuration Manager Reports
Details: For the specified computer, the following details are displayed:
- The latest Forefront Endpoint Protection summary information.
- The network adapters on the computer.
- Historical Forefront Endpoint Protection client activity information.
You can click the links in the lefthand column to view other standard Configuration Manager reports.

Displaying Computers Infected by a Specific Malware

You can use FEP reports to see an overview of antimalware status, malware alerts, and malware detections, filtered by Configuration Manager collections.

To display a list of computers infected by a specific malware

1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Reports.
2. Select Antimalware Activity Report, and then in the Actions pane, click Run. The Antimalware Activity Report opens, displaying antimalware activity for the collection and time frame specified.
3. Scroll down to the Malware Activity section, and click the malware of interest. The Malware Details Report opens, displaying information for the selected malware.
4. In the Computer List section, you can see the list of computers infected by the malware you specified.

Displaying Recent Malware Infections

You can use FEP reports to display a list of computers filtered by Forefront Endpoint Protection security status.

To display a list of malware that has recently infected a computer

1. In the Configuration Manager console, expand System Center Configuration Manager, expand Site Database, expand Computer Management, expand Forefront Endpoint Protection 2010, and then click Reports.
2. Select Computer List Report, and then in the Actions pane, click Run.
3. In the Security State filter, select the following items, and then click View Report.
   a. Infected
   b. Action Required
   c. Recent Malware activity (last 24 hours)
4. The Computer List Report opens. In the Computer List section, click a computer in the list. The Computer Details Report opens, displaying information about the computer.
5. In the Malware Activity section, you can see the list of malware that recently infected the computer.

Subscribing to Reports

You can subscribe to a report to have it delivered automatically. A subscription specifies the type of delivery, the delivery time, the report output format, and, for reports that have parameter input fields, any user-defined parameter values that should be used in the copy of the report you receive. A report can be delivered either to a file share or via e-mail. It is recommended that you subscribe to the reports that you find useful to receive on a regular basis. The following Forefront Endpoint Protection reports can be subscribed to:

- Antimalware Activity Report
- Antimalware Protection Summary Report
- Computer List Report

For more information about subscribing to a report, see How to: Subscribe to a Report (Report Manager) (http://go.microsoft.com/fwlink/?LinkId=207013). For more information about configuring SQL Server Reporting Services to support e-mail delivery of subscriptions, see Configuring a Report Server for E-Mail Delivery (http://go.microsoft.com/fwlink/?LinkId=207014).

FEP 2010 Security Management Pack Reporting


You can build your own report queries by using any reporting solution that can connect to the SQL Server Data Warehouse, such as Microsoft Excel 2010 or Microsoft SQL Server Reporting Services. Forefront Endpoint Protection sample reports in Microsoft Excel 2010 format can be downloaded from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207731).

If you elect to use Excel to build your report queries, note that Microsoft Excel 2010 limits the server name in the Login dialog box to 23 characters, which will prevent any existing connections to the Data Warehouse from refreshing. If the server name of your Data Warehouse server contains more than 23 characters, you must open the existing connections and replace the FQDN of the server with the NetBIOS name.

Before you can use the Reporting feature, you need to install and properly configure the required reporting components for Operations Manager. The Reporting feature for the FEP Security Management Pack is supported on System Center Operations Manager R2. For more information about installing the reporting components on System Center Operations Manager R2, see the Operations Manager 2007 Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=206502). For information about how to create, customize, and use reports, see Creating Reports (http://go.microsoft.com/fwlink/?LinkId=150369) in the Operations Manager 2007 R2 User's Guide. For information about how to manage reporting in Operations Manager, see Managing Reporting in Operations Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206499).

FEP Health and Deployment Status Schema

The following table shows the schema for the FEP Health and Deployment Status view. You can reference this table when creating custom reports.
Field Name | Description | SQL Datatype | Format
RowId | Key into the Event.vEvent table in the Operations Manager Data Warehouse | uniqueidentifier | GUID in string form
Host | FQDN of computer | nvarchar(255) | String (FQDN)
TimeStamp | Date/time value representing the time that the record was written to the data warehouse | datetime | DateTime
DeploymentState | Enumerated value describing deployment status. Valid values are: Unknown, Never installed, Removed, Installation canceled by user, Reboot required | nvarchar(max) | String (enumeration)
ProtectionStatus | Enumerated value describing state of AM protection. Valid values are: Unknown, On, Off | nvarchar(max) | String (enumeration)
LastQuickScanAge | Elapsed time in days since the last quick scan was performed on the computer. 0 if no data is available. | nvarchar(max) | String (integer)
LastFullScanAge | Elapsed time in days since the last full scan was performed on the computer. 0 if no data is available. | nvarchar(max) | String (integer)
RTPStatus | Enumerated value describing state of real-time protection. Valid values are: Unknown, On, Off | nvarchar(max) | String (enumeration)
FirewallStatus | Enumerated value describing state of Windows Firewall. Valid values are: Unknown, Uninstalled, On, Off | nvarchar(max) | String (enumeration)
NISStatus | Enumerated value describing state of Network Inspection System. Valid values are: Unknown, Not Supported, On, Off | nvarchar(max) | String (enumeration)
AVSignaturesAge | Number of days since last AV signature update. | nvarchar(max) | String (integer)
ASSignaturesAge | Number of days since last AS signature update. | nvarchar(max) | String (integer)
AVSignaturesLastUpdateTime | Timestamp when antivirus signatures were last updated. | nvarchar(max) | String (ISO 8601 timestamp)
ASSignaturesLastUpdateTime | Timestamp when antispyware signatures were last updated. | nvarchar(max) | String (ISO 8601 timestamp)
EngineVersion | Version of AM engine | nvarchar(max) | String (version number)
FEPClientVersion | Version of FEP client | nvarchar(max) | String (version number)
AVSignaturesVersion | Version of active antivirus signatures. | nvarchar(max) | String (version number)
ASSignaturesVersion | Version of active antispyware signatures. | nvarchar(max) | String (version number)
NISSignaturesVersion | Version of active Network Inspection System signatures. | nvarchar(max) | String (version number)
ActiveFEPPolicy | Policy name of the FEP XML policy which is applied to the machine. Note that this does not contain information about group policies that are applied to the machine. Group policy settings override FEP policy settings when there is a conflict. | nvarchar(max) | String
FEPPolicyAppliedTime | Timestamp of last application of FEP XML policy to the machine. | nvarchar(max) | String (ISO 8601 timestamp)
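As an added example (not from this guide), two Transact-SQL queries that show how the schema above, and the Security Incidents schema described in the next section, can feed a custom report: the first lists endpoints whose reported protection state needs attention, the second finds computers with repeated malware detections in the last week. The view names FEP_HealthAndDeploymentStatus and FEP_SecurityIncidents are placeholders for the actual views in your Data Warehouse, and the thresholds are assumptions.

```sql
-- Added example; not part of the Forefront Endpoint Protection guide.
-- [FEP_HealthAndDeploymentStatus] and [FEP_SecurityIncidents] are placeholder
-- names: substitute the Health and Deployment Status and Security Incidents
-- views from your Operations Manager Data Warehouse. Thresholds are assumptions.
DECLARE @MaxSignatureAgeDays int;
DECLARE @MaxFullScanAgeDays  int;
SET @MaxSignatureAgeDays = 3;   -- assumed acceptable antivirus definition age
SET @MaxFullScanAgeDays  = 30;  -- assumed acceptable interval between full scans

-- Query 1: endpoints whose reported protection state needs attention.
-- The view is keyed to Event.vEvent, so a host can have many rows; keep only
-- the newest row per host, because older rows describe a state that has passed.
WITH LatestPerHost AS (
    SELECT s.Host, s.TimeStamp, s.DeploymentState, s.ProtectionStatus,
           s.RTPStatus, s.FirewallStatus, s.NISStatus,
           s.AVSignaturesAge, s.LastFullScanAge, s.ActiveFEPPolicy,
           ROW_NUMBER() OVER (PARTITION BY s.Host ORDER BY s.TimeStamp DESC) AS rn
    FROM [FEP_HealthAndDeploymentStatus] AS s
)
SELECT Host, TimeStamp, DeploymentState, ActiveFEPPolicy,
       -- The age fields are nvarchar(max) holding an integer string
       -- (0 when no data is available), so cast before comparing numerically.
       CASE
           WHEN ProtectionStatus = 'Off'                            THEN 'Antimalware protection off'
           WHEN RTPStatus        = 'Off'                            THEN 'Real-time protection off'
           WHEN FirewallStatus   = 'Off'                            THEN 'Windows Firewall off'
           WHEN NISStatus        = 'Off'                            THEN 'NIS off on a supported OS'
           WHEN CAST(AVSignaturesAge AS int) > @MaxSignatureAgeDays THEN 'Antivirus definitions out of date'
           WHEN CAST(LastFullScanAge AS int) > @MaxFullScanAgeDays  THEN 'No recent full scan'
           ELSE 'Status unknown'   -- Unknown values are reported rather than ignored
       END AS Finding
FROM LatestPerHost
WHERE rn = 1
  AND ( ProtectionStatus IN ('Off', 'Unknown')
     OR RTPStatus        IN ('Off', 'Unknown')
     OR FirewallStatus   = 'Off'
     OR NISStatus        = 'Off'
     OR CAST(AVSignaturesAge AS int) > @MaxSignatureAgeDays
     OR CAST(LastFullScanAge AS int) > @MaxFullScanAgeDays )
ORDER BY Finding, Host;
-- Caveat: LastFullScanAge is 0 both for a scan performed today and when no scan
-- data is available, so a computer that has never completed a full scan is not
-- caught by the age test above. FirewallStatus is the state the client observed;
-- because Group Policy overrides FEP policy, the machine may report Off even
-- though ActiveFEPPolicy turns the firewall on.

-- Query 2: computers with repeated malware detections in the last 7 days.
-- Severity is a string enumeration (Unknown, Low, Moderate, High, Severe); it is
-- ranked with a CASE because MAX() on the strings would compare alphabetically.
SELECT i.TargetHost,
       COUNT(*)                         AS Incidents,
       COUNT(DISTINCT i.TargetResource) AS DistinctThreats,
       MAX(CASE i.Severity WHEN 'Severe' THEN 4 WHEN 'High' THEN 3
                           WHEN 'Moderate' THEN 2 WHEN 'Low' THEN 1
                           ELSE 0 END)  AS HighestSeverityRank,
       SUM(CASE WHEN i.ObserverDetection = 'Real-Time Protection'
                THEN 1 ELSE 0 END)      AS CaughtByRealTimeProtection,
       MAX(i.TimeStamp)                 AS LastIncident
FROM [FEP_SecurityIncidents] AS i
WHERE i.Type = 'SecurityIncident'
  AND i.TimeStamp >= DATEADD(day, -7, GETDATE())
GROUP BY i.TargetHost
HAVING COUNT(*) >= 2
ORDER BY HighestSeverityRank DESC, Incidents DESC;
```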

FEP Security Incidents schema

The table below shows the FEP Security Incidents schema. You can reference this table when creating custom reports.

| Field Name | Description | SQL Datatype | Format |
|---|---|---|---|
| Type | Type of incident | nvarchar(max) | String constant "SecurityIncident" |
| RowID | Key into Event.vEvent table in the Operations Manager Data Warehouse | uniqueidentifier | GUID in string form |
| Name | Descriptive information about incident. | nvarchar(max) | String constant "MalwareInfection" |
| Description | Not Used | nvarchar(max) | String constant NotImplemented |
| TimeStamp | Date/time of security incident | datetime | DateTime |
| SchemaVersion | Database schema version | nvarchar(max) | String constant 1.0 |
| Severity | Enumerated value describing severity of incident. Valid values are: 1. Unknown, 2. Low, 3. Moderate, 4. High, 5. Severe | nvarchar(max) | String (enumeration) |
| ObserverHost | Name of computer where incident occurred. | nvarchar(max) | String (FQDN) |
| ObserverUser | Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user. | nvarchar(max) | String (domain\user) |
| ObserverProductName | Product name of protection product that detected the incident. | nvarchar(max) | String constant ForefrontEndpointProtection |
| ObserverProductVersion | Product version of protection product that detected the incident. | nvarchar(max) | String (version number) |
| ObserverProtectionType | Type of protection technology that detected the incident. | nvarchar(max) | String constant AM |
| ObserverProtectionVersion | Protection engine version information. | nvarchar(max) | String (version number) |
| ObserverProtectionSignatureVersion | Protection definitions version information. | nvarchar(max) | String (version number) |
| ObserverDetection | Enumerated value describing method of detection. Valid values are: Unknown, User Initiated Scan, System Initiated Scan, Real-Time Protection, IE Downloads and Outlook Express Attachments | nvarchar(max) | String (enumeration) |
| ObserverDetectionTime | Local time of detection on machine where incident occurred. | nvarchar(max) | String (ISO 8601 timestamp) |
| ActorHost | Not Used | nvarchar(max) | String constant NULL |
| ActorUser | Not Used | nvarchar(max) | String constant NULL |
| ActorProcess | Not Used | nvarchar(max) | String constant NULL |
| ActorResource | Not Used | nvarchar(max) | String constant NULL |
| ActionType | Type of security incident. | nvarchar(max) | String constant "MalwareInfection" |
| TargetHost | Name of computer where incident occurred. | nvarchar(max) | String (FQDN) |
| TargetUser | Name of logged on user when incident occurred, if the detection was in a process associated with a logged on user. | nvarchar(max) | String (domain\user) |
| TargetProcess | Name of process which was attempting to access infected file. | nvarchar(max) | String (image path name) |
| TargetResource | Threat name of detected malware. | nvarchar(max) | String constant "Threat". |
| ClassificationType | Threat name of detected malware | nvarchar(max) | String constant "Threat". |
| ClassificationCategory | Enumerated value describing threat category. Valid values are: Invalid, Adware, Spyware, PasswordStealer, TrojanDownloader, Worm, Backdoor, RemoteAccessTrojan, Trojan, EmailFlooder, KeyLogger, Dialer, MonitoringSoftware, BrowserModifier, Cookie, BrowserPlugin, AolExploit, Nuker, SecuritySisabler, JokeProgram, HostileActivexControl, SoftwareBundler, StealthNotifier, SettingsModifier, Toolbar, RemoteControlSoftware, TrojanFftp, PotentialUnwantedSoftware, IcqExploit, TrojanTelnet, Exploit, FileSharingProgram, MalwareCreationTool, RemoteControlSoftwareTool, TrojanDenialOfService, TrojanDropper, TrojanMassmailer, TrojanMonitoringSoftware, TrojanProxyServer, Virus, Known, Unknown, Spp, Behavior, Vulnerabiltiy, Policy | nvarchar(max) | String (enumeration) |
| ClassificationID | Threat ID of detected malware. This can be used to look up the malware on the Microsoft Malware Protection Center (http://go.microsoft.com/fwlink/?LinkId=206607). | nvarchar(max) | String (integer) |
| ClassificationSeverity | Enumerated value describing severity of detected threat. Valid values are: Unknown, Low, Moderate, High, Severe | nvarchar(max) | String (enumeration) |
| RemediationType | Enumerated value describing type of remediation that was performed. | nvarchar(max) | String (enumeration) |
| RemediationResult | Enumerated string containing a Boolean value describing whether the remediation action was successful. Valid values are: True, False | nvarchar(max) | String (enumeration) |
| RemediationErrorCode | Error encountered during remediation. | nvarchar(max) | String (hexadecimal DWORD error code) |
| RemediationPendingAction | Enumerated value describing action remaining to complete remediation | nvarchar(max) | String (enumeration) |
| IsActiveMalware | Enumerated string containing a Boolean value describing whether malware is active on the system. Valid values are: True, False | nvarchar(max) | String (enumeration) |

Disaster Recovery for FEP 2010 on Configuration Manager

Disaster recovery refers to restoring your servers and data in the event of a partial or complete failure due to natural or technical causes. When a server is damaged or fails, your ability to restore that server's functions and data depends on the actions you take before the disaster occurs. Therefore, preparing for disaster recovery by planning both backup and recovery operations is a necessity for enterprise solutions such as Forefront Endpoint Protection. The steps to back up and restore Forefront Endpoint Protection are described in this section.

Backup

The backup operation consists of scheduling the periodic backup of data and configuration settings on servers running Forefront Endpoint Protection features.

To back up Forefront Endpoint Protection

1. Back up the Configuration Manager site server. For more information, see Overview of Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).

Note: The backup includes Forefront Endpoint Protection-specific Configuration Manager items and their settings, for example, Forefront Endpoint Protection policies, their assignments, and their precedence.

2. Back up the Forefront Endpoint Protection reporting database using a SQL Server backup solution. The default database name is FEPDW_XXX.

Restore

In the event of a server failure resulting in a replacement server, the recovery operation consists of reinstalling the operating system, applications, and server configuration on the replacement server, and then restoring the data and configuration settings. Since Forefront Endpoint Protection can be installed using a remote reporting database, the steps for restoring are divided into two procedures as follows:

To restore when the Configuration Manager site server fails and is replaced

1. Restore Configuration Manager. For more information, see Overview of Backup and Recovery (http://go.microsoft.com/fwlink/?LinkID=206967).

2. Restore the Forefront Endpoint Protection reporting database (optional; only if SQL Server is also restored).

Important: For large-scale deployments comprised of more than 10,000 client computers, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkID=206862).

3. Install Forefront Endpoint Protection using the reuse existing database option. For more information, see either Installing Using Basic with a Remote Reporting Database Setup or To install FEP 2010 Reporting and Alerts.

To restore when the SQL Server system where the Forefront Endpoint Protection reporting database resides fails and is replaced

1. Restore SQL Server and the Forefront Endpoint Protection reporting database.

Important: For large-scale deployments comprised of more than 10,000 client computers, the tempdb must be configured with a 500 GB Logical Unit Number (LUN) for its data file. For more information about configuring the tempdb data file, see Optimizing tempdb Performance (http://go.microsoft.com/fwlink/?LinkID=206862).

2. Uninstall the Forefront Endpoint Protection reporting feature from the server where it is installed (optional; only if it is installed on a server other than the SQL Server system where the Forefront Endpoint Protection reporting database resides). For more information, see Uninstalling.

3. Install Forefront Endpoint Protection using the reuse existing database option. For more information, see either Installing Using Basic with a Remote Reporting Database Setup or To install FEP 2010 Reporting and Alerts.
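Step 2 of the backup procedure leaves the choice of SQL Server backup solution open. The following is an added example, not part of the FEP documentation, that backs up the FEPDW_<SiteCode> reporting database with a T-SQL BACKUP DATABASE statement and verifies the backup set; the function name, its parameters and the backup folder are assumptions, and the caller is assumed to hold the BACKUP DATABASE permission.

```powershell
# Added example (not from the FEP documentation): back up the FEP reporting
# database and verify the resulting backup set.
# Assumptions: the database uses the default FEPDW_<SiteCode> name, the caller
# holds BACKUP DATABASE permission, and $BackupFolder exists on the SQL Server
# host (backup paths are resolved by the SQL Server service, not the client).
function Backup-FepReportingDatabase(
    $SqlServerInstance,   # SQL Server instance hosting the FEP reporting database. e.g. SQL01\FEP
    $SiteCode,            # Configuration Manager site code. e.g. ABC
    $BackupFolder)        # Folder on the SQL Server host for the .bak file. e.g. D:\Backups\FEP
{
    # The database name cannot be passed as a SQL parameter, so it is built
    # from the site code. A site code is three alphanumeric characters;
    # reject anything else before embedding it in the statement, so that
    # no metacharacters can reach the dynamic SQL.
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        throw "Site code '$SiteCode' is not a valid three-character site code."
    }
    $DatabaseName = "FEPDW_$SiteCode"
    $Stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd_HHmmss")
    $BackupFile = Join-Path $BackupFolder "${DatabaseName}_$Stamp.bak"

    $Connection = New-Object System.Data.SqlClient.SqlConnection
    $Connection.ConnectionString = "Server=$SqlServerInstance;Database=master;Integrated Security=SSPI"
    $Connection.Open()
    try {
        $Command = $Connection.CreateCommand()
        $Command.CommandTimeout = 0   # a full backup can outlive the default 30-second timeout

        # The file path is a real parameter; only the validated database name is interpolated.
        # WITH CHECKSUM writes page checksums so RESTORE VERIFYONLY can detect damaged pages.
        $Command.CommandText = "BACKUP DATABASE [$DatabaseName] TO DISK = @Path WITH CHECKSUM, INIT"
        $Command.Parameters.AddWithValue("@Path", $BackupFile) | Out-Null
        $Command.ExecuteNonQuery() | Out-Null

        # Verify the backup set before relying on it for disaster recovery.
        $Command.CommandText = "RESTORE VERIFYONLY FROM DISK = @Path WITH CHECKSUM"
        $Command.ExecuteNonQuery() | Out-Null
    }
    finally {
        $Connection.Close()
    }

    Write-Output "Backed up $DatabaseName to $BackupFile and verified the backup set."
    return $BackupFile
}
```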


Automating Day-to-Day Tasks by Using Windows PowerShell


In Forefront Endpoint Protection, you can automate day-to-day tasks by using Windows PowerShell and Configuration Manager Windows Management Instrumentation (WMI) objects. The following is a list of some of the day-to-day tasks that can be automated:

- Deploy the FEP client software to the computers in a collection or remove the FEP client from computers in a collection
- Assign a FEP policy to the computers in a collection
- Unassign a FEP policy from the computers in a collection
- Assign a Desired Configuration Management (DCM) baseline to the computers in a collection
- Retrieve DCM baseline results for specific computers
- Unassign a DCM baseline from the computers in a collection
- Retrieve FEP dashboard data
- Run reports
- Retrieve report data
- Run a quick or full antimalware scan
- Force a definition update

This section contains the following topics to help you automate Forefront Endpoint Protection management by using Windows PowerShell and Configuration Manager Windows Management Instrumentation (WMI) objects.

- Deploying or Removing the FEP Client Software
- Assigning and Unassigning FEP Policies to Collections
- Automating Desired Configuration Management
- Automating the FEP Dashboard
- Automating Tasks on Client Computers
- Automating FEP Reports

Deploying or Removing the FEP Client Software

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate the creation of software packages and the assignments of the software packages to collections.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

- Windows PowerShell (either version 1.0 or 2.0)

The following script demonstrates how you can deploy (or remove) the FEP client to a collection. The script defines switches to specify the Configuration Manager information needed, and uses that information to create a mandatory advertisement of the FEP deployment package.

    function CreateDeploymentAdvertisement(
        $ConfigMgrServer,               # Config Mgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,                      # Config Mgr site code. e.g. ABC
        $CollectionID,                  # Target collection ID. e.g. ABC00008
        $AdvertisementName,             # Requested name for the deployment advertisement. e.g. Deploy FEP
        [switch]$IncludeSubCollection,  # Switch to include subcollections. Default is false (not include)
        [switch]$Uninstall)             # Switch to do uninstall. Default is Install
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"
        $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # Config Mgr (DMTF) time format; HH is the 24-hour clock
        $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)   # WMI provider full path

        # Get the FEP deployment package to be used when creating the advertisement
        $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Deployment'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Create a new SMS advertisement instance for the FEP deployment package. The program installs or uninstalls depending on the $Uninstall switch.
        # For more information about the SMS_Advertisement Server WMI class, see http://go.microsoft.com/fwlink/?LinkID=208535 on MSDN.
        $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
        $newAdvertisement.CollectionID = $CollectionID
        $newAdvertisement.PackageID = $package.PackageID
        $newAdvertisement.ProgramName = if ($Uninstall) { "Uninstall" } else { "Install" }
        $newAdvertisement.AdvertisementName = $AdvertisementName
        $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000   # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
        $newAdvertisement.RemoteClientFlags = 0x00002000 -bor 0x00000010 -bor 0x00000040   # RERUN_IF_FAILED | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
        $newAdvertisement.IncludeSubCollection = $IncludeSubCollection
        $newAdvertisement.PresentTime = $now

        # Create a mandatory assignment schedule
        $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
        $AssignedSchedule.StartTime = $now

        $newAdvertisement.AssignedScheduleEnabled = $true
        $newAdvertisement.AssignedSchedule = $AssignedSchedule

        $newAdvertisement.Put()

        Write-Output "Created FEP client roll out advertisement: $AdvertisementName"
    }

Assigning and Unassigning FEP Policies to Collections

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate assigning FEP policies to collections.

The following sections demonstrate how you can assign or unassign FEP policies to a collection. The scripts define switches to specify the Configuration Manager information needed, and use that information to assign the designated policy to a collection. FEP policies are created in Configuration Manager as packages, and distributed by using mandatory assignments.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

- Windows PowerShell (either version 1.0 or 2.0)

The following example script creates a mandatory assignment of a policy package to a specified collection.

    function AssignPolicy(
        $ConfigMgrServer,               # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,                      # ConfigMgr site code. e.g. ABC
        $PolicyName,                    # Name of FEP policy to assign. e.g. MyPolicy
        $CollectionID,                  # Collection ID to assign policy to. e.g. ABC00008
        [switch]$IncludeSubCollection)  # Switch to include subcollections. The default is false (not include).
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"
        $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # ConfigMgr (DMTF) time format, 24-hour clock
        $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

        # Get the FEP policies package that the advertisement is created from
        $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Create a new SMS advertisement instance for the FEP policy package.
        # SMS_Advertisement Server WMI Class: http://msdn.microsoft.com/en-us/library/cc146108.aspx
        $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
        $newAdvertisement.CollectionID = $CollectionID
        $newAdvertisement.PackageID = $package.PackageID
        $newAdvertisement.ProgramName = $PolicyName
        $newAdvertisement.AdvertisementName = "Assign FEP Policy $PolicyName"
        $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000   # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
        $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040   # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
        $newAdvertisement.IncludeSubCollection = $IncludeSubCollection
        $newAdvertisement.PresentTime = $now

        # Create a mandatory assignment schedule
        $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
        $AssignedSchedule.StartTime = $now

        $newAdvertisement.AssignedScheduleEnabled = $true
        $newAdvertisement.AssignedSchedule = $AssignedSchedule

        $newAdvertisement.Put()
        $newAdvertisement.Get()   # Refresh the new advertisement so that AdvertisementID is populated

        # Add the advertisement to the FEP policies advertisement folder

        # Get the container node (note that the localized folder name is used)
        $AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Create a container item for the advertisement
        $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
        $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
        $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
        $newContainerItem.Put()

        Write-Output "Policy $PolicyName Assigned to $CollectionID"
    }

The following example script demonstrates removal of a policy assignment from a collection of endpoints.

    function RemovePolicyAssignment(
        $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,          # ConfigMgr site code. e.g. ABC
        $PolicyName,        # Name of the FEP policy whose assignment should be removed. e.g. MyPolicy
        $CollectionID)      # Collection ID to remove the assignment from. e.g. ABC00008
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"

        # Get the FEP policies package
        $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Policies'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Get existing advertisements of this policy to this collection
        $filter = "PackageID='{0}' AND ProgramName='$PolicyName' AND CollectionID='$CollectionID'" -f $package.PackageID
        $advertisements = Get-WmiObject -class "SMS_Advertisement" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        if ($advertisements -eq $null) {
            Write-Output "There are no policy assignments of $PolicyName to $CollectionID."
        }
        else {
            Write-Output "Removing policy assignments of $PolicyName from $CollectionID."
            $advertisements | Remove-WmiObject
        }
    }

Automating Desired Configuration Management

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate management of FEP desired configuration management (DCM) baselines. Configuration baselines define best practices and thresholds for configuration settings. You assign baselines to collections of computers. After the computers receive the baseline, they evaluate their configuration against the baseline, and report their status to the Configuration Manager server.

The following sections demonstrate how you can assign or unassign FEP baselines to a collection. The scripts define switches to specify the Configuration Manager information needed, and use that information to assign the designated baseline to a collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

- Windows PowerShell (either version 1.0 or 2.0)

The following example script demonstrates how to assign a FEP DCM baseline to a target collection.

    function AssignDCMBaseline(
        $ConfigMgrServer,               # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,                      # ConfigMgr site code. e.g. ABC
        $BaselineName,                  # DCM Baseline localized name. e.g. FEP - Standard Desktop
        $TargetCollectionID,            # Collection ID to assign the baseline to. e.g. ABC00008
        [switch]$IncludeSubCollection)  # Switch to include subcollections. Default is false (not include)
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"
        $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # ConfigMgr (DMTF) time format, 24-hour clock
        $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

        # Get the DCM baseline to assign
        $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
        # Note: it is possible to verify here that the CI exists (i.e. not $null and only one with this name)

        # Create a new SMS baseline assignment instance
        $newAssignment = ([WmiClass]($ConfigMgrProviderPath + ":SMS_BaselineAssignment")).CreateInstance()
        $newAssignment.AssignedCIs = @($CIBaseline.CI_ID)
        $newAssignment.TargetCollectionID = $TargetCollectionID
        $newAssignment.ApplyToSubTargets = $IncludeSubCollection
        $newAssignment.AssignmentAction = 2   # APPLY
        $newAssignment.AssignmentName = "Assign $BaselineName to $TargetCollectionID"
        $newAssignment.AssignmentDescription = ""
        $newAssignment.DesiredConfigType = 1   # REQUIRED
        $newAssignment.DPLocality = 4          # DP_DOWNLOAD_FROM_LOCAL
        $newAssignment.NotifyUser = $false
        $newAssignment.SendDetailedNonComplianceStatus = $true
        $newAssignment.StartTime = $now
        $newAssignment.SuppressReboot = 0
        $newAssignment.UseGMTTimes = $false

        # Create a recurring daily evaluation schedule
        $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_RecurInterval")).CreateInstance()
        $AssignedSchedule.StartTime = $now
        $AssignedSchedule.DaySpan = 1

        # The assignment stores the schedule as a schedule token string
        $ScheduleAsString = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ScheduleMethods")).WriteToString($AssignedSchedule)
        $newAssignment.EvaluationSchedule = $ScheduleAsString.StringData

        $newAssignment.Put()

        Write-Output "Created assignment of DCM baseline $BaselineName to collection $TargetCollectionID"
    }

The following example script demonstrates how to remove a FEP DCM baseline from a target collection.

    function RemoveDCMAssignment(
        $ConfigMgrServer,       # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,              # ConfigMgr site code. e.g. ABC
        $BaselineName,          # DCM Baseline localized name. e.g. FEP - Standard Desktop
        $TargetCollectionID)    # Collection ID to remove the baseline assignment from. e.g. ABC00008
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"

        # Get the DCM baseline whose assignment is to be removed
        $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Get the existing assignments
        $filter = "AssignedCIs = '{0}' AND TargetCollectionID='{1}'" -f $CIBaseline.CI_ID, $TargetCollectionID
        $assignments = Get-WmiObject -class "SMS_BaselineAssignment" -filter $filter -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        if ($assignments -eq $null) {
            Write-Output "There are no DCM baseline $BaselineName assignments to $TargetCollectionID."
        }
        else {
            Write-Output "Removing DCM baseline $BaselineName from collection $TargetCollectionID."
            $assignments | Remove-WmiObject
        }
    }

The following example script demonstrates how to retrieve a Configuration Manager WMI results object that contains compliance results for a DCM baseline assignment. The results object contains a count of compliant computers, a count of noncompliant computers, a count of evaluation failures, and other information relevant to DCM. For more information about the SMS_CI_ComplianceSummary WMI class, see SMS_CI_ComplianceSummary Server WMI Class (http://go.microsoft.com/fwlink/?LinkId=208530) in the Configuration Manager reference documentation on MSDN.

    function GetBaselineResult(
        $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,          # ConfigMgr site code. e.g. ABC
        $BaselineName)      # DCM Baseline localized name. e.g. FEP - Standard Desktop
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"

        # Get the DCM baseline to query
        $CIBaseline = Get-WmiObject -Class "SMS_ConfigurationBaselineInfo" -filter "LocalizedDisplayName='$BaselineName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Get the compliance summary for that baseline
        $result = Get-WmiObject -Class "SMS_CI_ComplianceSummary" -filter ("CI_ID='{0}'" -f $CIBaseline.CI_ID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        return $result
    }

Automating the FEP Dashboard

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate retrieval of FEP dashboard information. The FEP dashboard displays important information about the security of your organization, such as the number of deployed clients, definition deployment status, number of client computers infected, and number of client computers with malware removed. Each dashboard data set is represented by a Configuration Manager collection. The following example script demonstrates how to obtain a count of computers that belong to a specified collection.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

- Windows PowerShell (either version 1.0 or 2.0)

The following table lists the Configuration Manager collections that are used to populate the data for the FEP dashboard. To retrieve the dashboard data via a script, you must specify the appropriate Configuration Manager collection in the script.

| Dashboard Area | Collection Names |
|---|---|
| Deployment Status | Deployment Succeeded, Out of Date, Deployment Failed, Deployment Pending, Locally Removed, Not Targeted |
| Policy Distribution Status | Distribution Failed, Distribution in Progress, Policy Distributed |
| Definition Status | Up to Date, Up to 3 Days, Up to 7 Days, Older Than 1 Week |
| Malware Activity Status | Infected, Restart Required, Full Scan Required, Recent Activity |
| Health Status | Protection Inactive, Not Reporting, Healthy |

The following example script retrieves dashboard data from the FEP database for the specified collection.

    function GetDashboardInfo(
        $ConfigMgrServer,   # ConfigMgr WMI site provider to which to connect. e.g. MyServer
        $SiteCode,          # ConfigMgr site code. e.g. ABC
        $CollectionName)    # Collection name for which the count of computers should be returned. e.g. Infected. Use the table above to determine the collection name to query.
    {
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"
        $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

        # Get the SMS collection to query
        $Collection = Get-WmiObject -class "SMS_Collection" -filter "Name='$CollectionName'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Get the SMS_Collection class and ask it for the member count of the collection
        $SmsCollectionClass = [WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")
        $count = $SmsCollectionClass.GetNumResults($Collection).Result

        Write-Output "Count of computers in $CollectionName is $count"

        return $count
    }

Automating Tasks on Client Computers

You can use the Configuration Manager Windows Management Instrumentation (WMI) provider to automate FEP tasks on client computers. FEP tasks run from a software package named Microsoft Corporation FEP Operations 1.0. In the Configuration Manager console, you can right-click a computer or group of computers, point to FEP Operations, and then select one of three actions:

- Full Scan: runs a full antimalware scan on the selected computers.
- Quick Scan: runs a quick antimalware scan on the selected computers.
- Run Definition Update: runs a definition update cycle on the selected computers.

When you run a task on a client computer or set of computers, FEP performs the following steps:

1. Creates a dynamic collection
2. Adds the selected computers to the collection
3. Creates a mandatory assigned advertisement of the requested task from the FEP Operations software package

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

- Windows PowerShell (either version 1.0 or 2.0)

Before you run operational tasks from a script, you should first verify that the FEP operations package (named Microsoft Corporation FEP Operations 1.0) is distributed to your Configuration Manager distribution points.
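Each scripted task leaves behind the dynamic collection, its link under the Operations collection, and its advertisement, and (as the note that follows states) only the console cleans these up. The following is an added example, not part of the FEP documentation, that removes task collections older than a given age; the function name and parameters are assumptions, it relies on the "<Operation> at <time> (UTC)" naming used by the scripted tasks in this topic, and it assumes SMS_Collection exposes a DMTF-format LastChangeTime property.

```powershell
# Added example (not from the FEP documentation): remove stale collections and
# advertisements created by script-driven FEP operations tasks.
# Assumptions: task collections are subcollections of the "Operations"
# collection and are named "<Operation> at <time> (UTC)" as the RunFullScan
# script names them; SMS_Collection has a DMTF-format LastChangeTime property.
function RemoveOldOperationCollections(
    $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
    $SiteCode,          # ConfigMgr site code. e.g. ABC
    $MaxAgeDays = 7)    # Remove task collections last changed more than this many days ago
{
    $ConfigMgrNamespace = "root\sms\site_$SiteCode"
    $Cutoff = [System.DateTime]::UtcNow.AddDays(-$MaxAgeDays)

    # Parent collection that scripted tasks attach their collections to
    $OperationCollection = Get-WmiObject -class "SMS_Collection" -filter "Name='Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    # Parent-to-child links for every subcollection of Operations
    $links = Get-WmiObject -class "SMS_CollectToSubCollect" -filter ("parentCollectionID='{0}'" -f $OperationCollection.CollectionID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

    $removed = 0
    foreach ($link in @($links)) {
        if ($link -eq $null) { continue }
        $collection = Get-WmiObject -class "SMS_Collection" -filter ("CollectionID='{0}'" -f $link.subCollectionID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
        if ($collection -eq $null) { continue }

        # Only touch collections that follow the scripted task naming pattern,
        # so that hand-made subcollections of Operations are left alone
        if ($collection.Name -notmatch ' at .* \(UTC\)$') { continue }

        # LastChangeTime is a DMTF datetime string (assumed property); convert it to UTC
        $changed = [System.Management.ManagementDateTimeConverter]::ToDateTime($collection.LastChangeTime).ToUniversalTime()
        if ($changed -gt $Cutoff) { continue }

        # Advertisements must be deleted before the collection they target
        $advertisements = Get-WmiObject -class "SMS_Advertisement" -filter ("CollectionID='{0}'" -f $collection.CollectionID) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer
        if ($advertisements -ne $null) { $advertisements | Remove-WmiObject }

        Write-Output "Removing task collection '$($collection.Name)' ($($collection.CollectionID))"
        $link | Remove-WmiObject
        $collection | Remove-WmiObject
        $removed++
    }

    Write-Output "Removed $removed operation collection(s) older than $MaxAgeDays day(s)."
    return $removed
}
```

Run it first with a large $MaxAgeDays and review the "Removing task collection" lines before tightening the window.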

Note: Cleanup of old operations components (the dynamic collections and advertisements used to distribute the tasks) is done only when performing tasks from the Configuration Manager console.

The following example script demonstrates how to run a full scan task on a computer.

    function RunFullScan(
        $ConfigMgrServer,   # ConfigMgr WMI site provider to connect to. e.g. MyServer
        $SiteCode,          # ConfigMgr site code. e.g. ABC
        $Computers)         # A computer or list of computer NetBIOS names on which the scan should be run. For example: (ComputerA, ComputerB)
    {
        $Operation = "Full Scan"   # Change the scan type by changing the phrase in the quotes to either Quick Scan or Update Definitions.

        $UtcNow = [System.DateTime]::UtcNow
        $ConfigMgrNamespace = "root\sms\site_$SiteCode"
        $ConfigMgrProviderPath = "\\" + (Join-Path $ConfigMgrServer $ConfigMgrNamespace)

        # Create a collection for the task
        $newCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Collection")).CreateInstance()
        $newCollection.Name = "$Operation at $UtcNow (UTC)"
        $newCollection.RefreshType = 1   # Manual
        $newCollection.OwnedByThisSite = $true
        $newCollection.Put()
        $newCollection.Get()   # refresh the object so that CollectionID is populated

        # Add the collection as a subcollection of FEP Operations
        $OperationCollection = Get-WmiObject -class "SMS_Collection" -filter "Name='Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        $CollectionToSubCollection = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectToSubCollect")).CreateInstance()
        $CollectionToSubCollection.parentCollectionID = $OperationCollection.CollectionID
        $CollectionToSubCollection.subCollectionID = $newCollection.CollectionID
        $CollectionToSubCollection.Put()

        # Add computers to the collection (direct membership rule)
        foreach ($Computer in $Computers) {
            # For more information about the SMS_R_System Server WMI class, see http://go.microsoft.com/fwlink/?LinkId=208534 on MSDN.
            $Client = Get-WmiObject -class "SMS_R_System" -filter ("NetbiosName = '{0}'" -f $Computer) -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

            $SmsCollectionRuleDirect = ([WmiClass]($ConfigMgrProviderPath + ":SMS_CollectionRuleDirect")).CreateInstance()
            $SmsCollectionRuleDirect.ResourceID = $Client.ResourceID
            $SmsCollectionRuleDirect.ResourceClassName = "SMS_R_System"

            $newCollection.AddMembershipRules($SmsCollectionRuleDirect)
        }

        # Create the $Operation advertisement
        $now = Get-Date -Format "yyyyMMddHHmmss.ffffff+***"   # ConfigMgr (DMTF) time format, 24-hour clock

        # Get the FEP operations package
        $package = Get-WmiObject -class "SMS_Package" -filter "MifName='FEP - Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Create a new advertisement for the FEP operations package, targeted at the collection created above.
        # For more information about the SMS_Advertisement Server WMI class, see http://go.microsoft.com/fwlink/?LinkId=208535 on MSDN.
        $newAdvertisement = ([WmiClass]($ConfigMgrProviderPath + ":SMS_Advertisement")).CreateInstance()
        $newAdvertisement.CollectionID = $newCollection.CollectionID
        $newAdvertisement.PackageID = $package.PackageID
        $newAdvertisement.ProgramName = $Operation
        $newAdvertisement.AdvertisementName = "Run $Operation at $UtcNow (UTC)"
        $newAdvertisement.AdvertFlags = 0x02000000 -bor 0x00100000   # NO_DISPLAY | OVERRIDE_SERVICE_WINDOWS
        $newAdvertisement.RemoteClientFlags = 0x00000800 -bor 0x00000010 -bor 0x00000040   # RERUN_ALWAYS | DOWNLOAD_FROM_LOCAL_DISPPOINT | DOWNLOAD_FROM_REMOTE_DISPPOINT
        $newAdvertisement.PresentTime = $now
        $newAdvertisement.Priority = 1   # High

        # Create a mandatory assignment schedule
        $AssignedSchedule = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ST_NonRecurring")).CreateInstance()
        $AssignedSchedule.StartTime = $now

        $newAdvertisement.AssignedScheduleEnabled = $true
        $newAdvertisement.AssignedSchedule = $AssignedSchedule

        $newAdvertisement.Put()
        $newAdvertisement.Get()   # refresh so that AdvertisementID is populated

        # Add the advertisement to the FEP operations advertisement folder

        # Get the container node (note that the localized folder name is used)
        $AdvertisementFolder = Get-WmiObject -class "SMS_ObjectContainerNode" -filter "Name='FEP Operations'" -namespace $ConfigMgrNamespace -computername $ConfigMgrServer

        # Create a container item for the advertisement
        $newContainerItem = ([WmiClass]($ConfigMgrProviderPath + ":SMS_ObjectContainerItem")).CreateInstance()
        $newContainerItem.ContainerNodeId = $AdvertisementFolder.ContainerNodeId
        $newContainerItem.InstanceKey = $newAdvertisement.AdvertisementID
        $newContainerItem.Put()

        Write-Output "$Operation scheduled to computers: $Computers"
    }

Automating FEP Reports

You can automate retrieval of FEP reports by using Windows PowerShell.

Prerequisites

In order to create a script similar to the example in this topic, you must have the following prerequisite software:

Windows PowerShell 2.0

The following example script demonstrates how to retrieve a FEP computer list report as an XML object and then display the computer list.

$ReportServer = "ReportServer.contoso.com" # Change the value in quotes to your report server FQDN.
$SiteCode = "FEP" # Change the value in quotes to your site code.

# URI to the .asmx file on the report server. Change the value in quotes to the appropriate path on your report server.
$URI = "http://$ReportServer//ReportServer//ReportExecution2005.asmx?wsdl"

# Report path. To retrieve a different report, replace the name of the report.
$ReportPath = "/Forefront Endpoint Protection_$SiteCode/Antimalware/Computer List Report"

# Create the web service proxy for the reports
New-WebServiceProxy -Uri $URI -UseDefaultCredential -Namespace "ReportExecution2005" | Out-Null

$ReportService = New-Object ReportExecution2005.ReportExecutionService
$ReportService.Credentials = [System.Net.CredentialCache]::DefaultCredentials

# Load the report
$ReportService.GetType().GetMethod("LoadReport").Invoke($ReportService, @($ReportPath, $null)) | Out-Null

# Report parameters
# Depending on the number of parameters being used in the report, you may need to add or remove parameters. Specify the value by changing the Param1.Value line.

# Report time span:
# 1 - Custom - Should be used along with CustomStartDate and CustomEndDate
# 2 - Day
# 3 - Week
# 4 - Month
# 5 - Quarter
# 6 - Year
$param1 = New-Object ReportExecution2005.ParameterValue
$param1.Name = "ReportSpan"
$param1.Value = 3

# Number of computers to which to limit the report. -1 specifies that there is no limit.
$param2 = New-Object ReportExecution2005.ParameterValue
$param2.Name = "NumberOfReturnedComputersParameter"
$param2.Value = -1

# Security state parameter:
# 1 - Clean
# 2 - Recent malware activity (last 24 hours)
# 3 - Action Required
# 4 - Infected
$param3 = New-Object ReportExecution2005.ParameterValue
$param3.Name = "SecurityStateParameter"
$param3.Value = 2

# The following ReportScope parameter is optional; it limits the report to a single collection.
# The ID can be found in the FEPDW (FEPDW_[SiteCode]) database using the following query:
# SELECT * FROM vwFEP_Common_CollectionLookupDimension
#$param4 = New-Object ReportExecution2005.ParameterValue
#$param4.Name = "ReportScope"
#$param4.Value = "1002"

$parameters = [ReportExecution2005.ParameterValue[]] ($param1, $param2, $param3)

$ExecParams = $ReportService.SetExecutionParameters($parameters, "en-us")

# For more report parameter options, see ReportExecutionService.Render Method (http://go.microsoft.com/fwlink/?LinkId=208533) on MSDN.
$format = "xml"
$deviceInfo = ""
$extension = ""
$mimeType = ""
$encoding = "UTF-8"
$warnings = $null
$streamIDs = $null

# Render returns the report as a byte array; the [ref] arguments receive the output values of the web method
$ReportAsStream = $ReportService.Render($format, $deviceInfo, [ref] $extension, [ref] $mimeType, [ref] $encoding, [ref] $warnings, [ref] $streamIDs)
$ReportAsString = [Text.Encoding]::UTF8.GetString($ReportAsStream)

$ReportAsXml = [xml]$ReportAsString.Trim()

# Access the report data using the XML object. It is possible to use XPath or any XmlDocument method to parse the XML.
$computers = $ReportAsXml.GetElementsByTagName("Detail")

foreach ($computer in $computers)
{
    Write-Host $computer.ComputerName $computer.SecurityState
}
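The script above stops at printing one line per computer. The following added example (not part of the original documentation) turns the rendered XML into objects and summarizes them by security state, so that the computers that need an operator's attention can be listed or passed on to another script. The sample XML is constructed for this example: its Detail elements carry the same ComputerName and SecurityState attributes the script reads, but the surrounding element names (Report, table1, Detail_Collection) and the text form of the SecurityState values are assumptions. The [pscustomobject] syntax requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the FEP documentation. Parses a Computer List
# Report rendered as XML (the $ReportAsString of the script above) into objects
# and groups them by security state.

function ConvertFrom-FepComputerListReport {
    param([Parameter(Mandatory = $true)][string]$ReportXml)

    $doc = [xml]$ReportXml.Trim()
    # Each Detail element is one computer row of the report
    foreach ($detail in $doc.GetElementsByTagName('Detail')) {
        [pscustomobject]@{
            ComputerName  = $detail.ComputerName
            SecurityState = $detail.SecurityState
        }
    }
}

function Get-FepSecurityStateSummary {
    param([Parameter(Mandatory = $true)][object[]]$Computers)

    # One row per state; computers that are not Clean are listed by name so an
    # operator can act on them. The report's SecurityStateParameter already filters
    # server-side; this is the client-side view of whatever came back.
    $Computers | Group-Object SecurityState | ForEach-Object {
        $names = @($_.Group | Select-Object -ExpandProperty ComputerName)
        [pscustomobject]@{
            SecurityState = $_.Name
            Count         = $_.Count
            Computers     = if ($_.Name -eq 'Clean') { '' } else { $names -join ', ' }
        }
    }
}

# Constructed sample report (assumed element layout; attribute names as used by the script above)
$sampleReport = @"
<?xml version="1.0" encoding="utf-8"?>
<Report Name="Computer List Report">
  <table1>
    <Detail_Collection>
      <Detail ComputerName="WKS001" SecurityState="Clean" />
      <Detail ComputerName="WKS002" SecurityState="Action Required" />
      <Detail ComputerName="WKS003" SecurityState="Recent malware activity" />
      <Detail ComputerName="SRV001" SecurityState="Infected" />
      <Detail ComputerName="SRV002" SecurityState="Infected" />
    </Detail_Collection>
  </table1>
</Report>
"@

$computers = ConvertFrom-FepComputerListReport -ReportXml $sampleReport
Get-FepSecurityStateSummary -Computers $computers |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# With the script above, pass $ReportAsString instead of $sampleReport.
```

The grouping is done client-side on purpose: a single rendered report can be reused for several views (for example, one list for the help desk and one count for a dashboard) without re-executing the report on the report server.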

12. Troubleshooting

This troubleshooting content provides guidance for diagnosing and resolving issues you may encounter when using Forefront Endpoint Protection.


Using the FEP Best Practices Analyzer

The Forefront Endpoint Protection Best Practices Analyzer (BPA) includes checks that scan both Forefront Endpoint Protection (FEP) and Configuration Manager for configuration problems, missing dependencies, incorrect settings, or other issues that could adversely affect the health of your FEP installation.

Prerequisites

The FEP BPA checks are based on the Microsoft Baseline Configuration Analyzer version 2.0 (MBCA). In order to run the FEP BPA, you must download and install the MBCA (http://go.microsoft.com/fwlink/?LinkId=206778). The MBCA requires Windows PowerShell 2.0. Windows PowerShell 2.0 is included with Windows Server 2008 R2, but must be installed separately on Windows Server 2008 or Windows Server 2003. To download Windows PowerShell 2.0, see Microsoft Knowledge Base article 968929 (http://go.microsoft.com/fwlink/?LinkId=206779). You must run MBCA and the FEP MBCA checks on the Configuration Manager server on which you installed FEP.

To install the FEP BPA

1. After you download the FEP BPA, copy it to your Configuration Manager server, and then double-click fepBPASetup.msi.
2. In the FEP 2010 Best Practices Analyzer Setup wizard, select the I accept the terms in the license agreement check box, click Next, and then click Finish.

The FEP BPA Checks

The FEP BPA includes configuration checks for various Configuration Manager features, as well as FEP dependencies and prerequisites that are important to FEP health. The following table lists the check categories and describes some of the checks included with this release of the FEP BPA.

FEP BPA check category | Description
SQL Server checks | Reviews the status and configuration of the computers running SQL Server that host the FEP databases.
Configuration Manager Desired Configuration Management checks | Reviews the DCM checks that are used to populate the FEP dashboard, ensures they are assigned to collections, and checks that the configuration items for FEP are not corrupted or missing.
Package, policy, and advertisement checks | Reviews FEP packages, policies, and advertisements for the correct number (no defaults have been deleted), and that they are correctly assigned.
Alert checks | Reviews the number of FEP alerts, that they are assigned to collections correctly, and that the SMTP port is correctly assigned (for e-mailing of alerts).
Events and general FEP configuration checks | Collects and displays information for recent FEP errors and events, as well as some registry settings and a list of the FEP files installed on the computer.
Configuration Manager configuration checks | Reviews the status and configuration of the Configuration Manager installation and services important to the health of FEP.

Troubleshooting FEP and Configuration Manager


Forefront Endpoint Protection (FEP) is built on Configuration Manager. Because of the tight integration with Configuration Manager, troubleshooting common issues with FEP frequently involves troubleshooting Configuration Manager. You can find information about Troubleshooting Configuration Manager 2007 (http://go.microsoft.com/fwlink/?LinkId=206765) in the Configuration Manager Documentation Library. Additionally, the table below lists various Configuration Manager troubleshooting resources and how those resources apply to troubleshooting FEP.

Resource | Description
Troubleshooting Software Distribution (http://go.microsoft.com/fwlink/?LinkId=206762) | FEP uses the Software Distribution feature of Configuration Manager for the following tasks: client software deployment (via software packages), policy deployment, on-demand scans, and forcing a definition update.
Troubleshooting Software Updates (http://go.microsoft.com/fwlink/?LinkId=206761) | Contains information relevant to definition updates. By default, FEP uses Software Updates in Configuration Manager and WSUS to deliver definition updates to computers running the FEP client software.
Troubleshooting Desired Configuration Management (http://go.microsoft.com/fwlink/?LinkId=206756) | Contains information relevant to troubleshooting FEP and Desired Configuration Management (DCM). DCM is used in FEP to populate data into the dashboard and for any custom configuration baselines you enforce for your collections.

FEP Log Files

Forefront Endpoint Protection (FEP) creates log files both during the installation on your Configuration Manager server, and during day-to-day operations.

FEP Server Installation Log Files

The installation log files are listed below:

Log file name | Description
FEPExt_xxx_xxx.log | FEP site server extensions
FepReport_xxx_xxx.log | FEP Reporting Components
FEPUX_xxx_xxx.log | FEP Console Extensions
ServerSetup_xxx_xxx.log | FEP Setup

You can find FEP server installation log files in the following location:

If you installed FEP on Windows Server 2003: %AllUsersProfile%\Application Data\Microsoft Forefront\Support\Server

If you installed FEP on Windows Server 2008: %ProgramData%\Microsoft Forefront\Support\Server

The file names use the following format: LogFileName_Date_Time.log, where the following is true:

LogFileName is the name of the log file.
Date is the day, month, and year the log was created, in the format DDMMYYY.
Time is the hour, minute, and second the log file was created, in the format HHMMSS.

FEP Server Operational Log Files

The following table lists the log files in which FEP stores operational information.

Log file name | Description
SmsAdminUI.log | FEP stores console-related information in this Configuration Manager console log file. It can be found in C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\AdminUILog. For more information about this log file, see Troubleshooting Configuration Manager Console Issues (http://go.microsoft.com/fwlink/?LinkId=207567) in the Configuration Manager documentation.
FepServiceTrace.etl | FEP service tracing log file. This file, stored in %ProgramData%\Microsoft Forefront\Support\, contains binary information typically only useful to product support personnel.

FEP Client Software Installation Log Files

The FEP client software creates log files both during installation and during day-to-day operations. The following table lists Setup log files and the components with which they are associated.

Log file name | Description
EppSetup.log | Master Setup log file.
MSSecurityClient_Setup_epp_install.log | User interface and management extension Setup log file.
MSSecurityClient_Setup_FEP_install.log | Configuration Manager management extensions Setup log file.
MSSecurityClient_Setup_mp_ambits_install.log | Antimalware service Setup log file.
MSSecurityClient_Setup_epploc_x86_Install or MSSecurityClient_Setup_epploc_x64_Install | Localized resources installation log file (specific to the architecture on the client computer).
MSSecurityClient_Setup_amloc-%locale%_install | Log file for installation of localized resources for the antimalware service. %locale% represents the locale for which the install was performed.
MSSecurityClient_Setup_KB981889_Install.evtx | The log file for Windows patch installation KB981889. Only present on Windows 7 or Windows Server 2008 R2.
MSSecurityClient_Setup_dw20shared_Install.log | Log file for installation of Dr. Watson (only installed on computers running Windows XP, and only if not already present).

You can find FEP client installation log files in the following locations:

%allusersprofile%\Microsoft\Microsoft Antimalware\Support: log files specific to the antimalware service
%allusersprofile%\Microsoft\Microsoft Security Client\Support: log files specific to the FEP client software
%windir%\WindowsUpdate.log: Windows Update log files, which include information about definition updates
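When a server installation is repeated, the Support\Server folder accumulates one LogFileName_Date_Time.log file per setup component and per run, and the file to open is the newest one for the component that failed. The following added example (not part of the original documentation) parses the naming format described above and returns the newest log per component. Its assumptions: the date field is DDMMYYYY (the reference prints "DDMMYYY") and the time field is HHMMSS; the file names in the sample are constructed and do not come from a real installation; the function names are this example's own. The [pscustomobject] syntax requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the FEP documentation. Parses Setup log file names
# of the form Component_DDMMYYYY_HHMMSS.log (date layout assumed) and picks the
# newest file per component.

function Get-FepSetupLogInfo {
    param([Parameter(Mandatory = $true)][string[]]$FileName)   # bare file names

    foreach ($f in $FileName) {
        # Files that do not follow the Setup naming pattern (for example the
        # operational FepServiceTrace.etl) are skipped
        if ($f -match '^(?<component>[A-Za-z]+)_(?<date>\d{8})_(?<time>\d{6})\.log$') {
            $stamp = [datetime]::ParseExact($Matches['date'] + $Matches['time'],
                                            'ddMMyyyyHHmmss',
                                            [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Component = $Matches['component']
                Created   = $stamp
                FileName  = $f
            }
        }
    }
}

function Get-NewestFepSetupLog {
    param([Parameter(Mandatory = $true)][string[]]$FileName)

    Get-FepSetupLogInfo -FileName $FileName |
        Group-Object Component |
        ForEach-Object { $_.Group | Sort-Object Created -Descending | Select-Object -First 1 }
}

# Constructed sample: two setup runs, the second ServerSetup run being the newest,
# plus one file that is not a Setup log at all
$sampleNames = @(
    'FEPExt_14022011_093015.log',
    'FepReport_14022011_093240.log',
    'FEPUX_14022011_093301.log',
    'ServerSetup_14022011_092958.log',
    'ServerSetup_15022011_171122.log',
    'FepServiceTrace.etl'
)

Get-NewestFepSetupLog -FileName $sampleNames | Sort-Object Component | Format-Table -AutoSize

# Against a real server (Windows Server 2008 location from the reference):
# $names = Get-ChildItem "$env:ProgramData\Microsoft Forefront\Support\Server" -Filter *.log |
#              Select-Object -ExpandProperty Name
# Get-NewestFepSetupLog -FileName $names
```

Parsing the timestamp out of the name rather than using the file system's LastWriteTime means the result still makes sense after the folder has been copied to another machine for analysis, which resets the file times.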

Troubleshooting the FEP Security Management Pack and Operations Manager


The FEP Security Management Pack is built on Operations Manager, and implemented as an Operations Manager management pack. Troubleshooting the FEP Security Management Pack involves working with the Operations Manager Operations console and the management pack features. You can view information about Managing Management Packs (http://go.microsoft.com/fwlink/?LinkId=206769) in the Operations Manager documentation.

13. Technical Reference

This technical reference provides additional information about Forefront Endpoint Protection.

FEP 2010 Policy - Default Settings


The following tables show the policy settings for the Default Server Policy, the Default Desktop Policy, and the default settings when running the New Policy Wizard for Forefront Endpoint Protection installed on Configuration Manager. The tables match the tabs of the properties of a Forefront Endpoint Protection policy. In each table, the five values of a row are listed in the following column order:

Default Desktop Policy | Default Server Policy | Standard Desktop Policy | Performance-optimized policy | High-security policy

Antimalware Settings

Scheduled scan
Scheduled scan: Enabled | Not enabled | Enabled | Enabled | Enabled
Schedule type and time of scan, scan type: Weekly quick scan | Not applicable | Weekly quick scan | Weekly quick scan | Daily quick scan and weekly full scan
Daily scan time: Not applicable | Not applicable | Not applicable | Not applicable | 2:00 AM
Weekly scan day: Sunday | Not applicable | Saturday | Saturday | Saturday
Weekly scan time: 3:00 AM | Not applicable | 3:00 AM | 3:00 AM | 3:00 AM
Check for definition updates before starting scan: Enabled | Not applicable | Enabled | Enabled | Enabled
Scan only when the computer is not in use: Enabled | Not applicable | Enabled | Enabled | Not enabled
Randomize scheduled scan start times (within 30 minutes from scheduled time): Enabled | Not applicable | Enabled | Enabled | Enabled
Force a scan upon restart when two or more scheduled scans are missed: Not enabled | Not applicable | Not enabled | Enabled | Enabled
Limit processor usage during scans to the following percentage: Enabled | Enabled | Enabled | Enabled | Not enabled
Percentage: 50% | 30% | 50% | 30% | Not applicable
Allow users on endpoint computers to configure processor usage limits for scans: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
User's control on scheduled scans: No control | No control | No control | No control | No control

Default actions
Severe: Recommended action | Recommended action | Recommended action | Recommended action | Recommended action
High: Recommended action | Recommended action | Recommended action | Recommended action | Recommended action
Medium: Quarantine | Quarantine | Quarantine | Quarantine | Quarantine
Low: Allow | Allow | Allow | Allow | Allow

Real-time protection
Enable real-time protection: Enabled | Enabled | Enabled | Enabled | Enabled
Scan system files: Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files | Scan incoming and outgoing files
Scan all downloaded files and attachments: Enabled | Not enabled | Enabled | Enabled | Enabled
Use behavior monitoring: Enabled | Enabled | Enabled | Enabled | Enabled
Note (Default Server Policy): On servers with a large number of short network connections, such as file servers, there may be a performance impact when the Behavior Monitoring policy setting is enabled.
Enable protection against network-based exploits: Enabled | Not enabled | Enabled | Not enabled | Enabled
Note (Default Server Policy): It is recommended that you do not enable this setting on servers.
Allow users on endpoint computers to configure real-time protection settings: Not enabled | Enabled | Not enabled | Not enabled | Not enabled

Excluded files and locations
Files and locations (the same list in all five policies):
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\logs\Res*.log
%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%windir%\Security\Database\*.edb
%windir%\Security\Database\*.sdb
%windir%\Security\Database\*.log
%windir%\Security\Database\*.chk
%windir%\Security\Database\*.jrs
%allusersprofile%\NTuser.pol
%SystemRoot%\System32\GroupPolicy\registry.pol

Excluded file types
File types: (empty) | (empty) | (empty) | (empty) | (empty)

Excluded processes
Processes: (empty) | (empty) | (empty) | (empty) | (empty)

Advanced
Scan archived files: Enabled | Enabled | Enabled | Enabled | Enabled
Scan network drives when running a full scan: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Scan removable storage devices, such as USB flash drives: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Create a system restore point before cleaning computers: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Show notification messages to users on endpoint computers when they need to perform the following actions: Run a full scan, Download the latest virus and spyware definitions, Download Microsoft Standalone System Sweeper: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Delete quarantined files after (number of days): Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Allow user on endpoint computers to configure quarantined delete period: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Allow user on endpoint computers to exclude files and locations, file types, and processes: Not enabled | Enabled | Not enabled | Not enabled | Not enabled

Overrides
Select the override action you want to apply when Forefront Endpoint Protection detects a threat with the following name: (empty) | (empty) | (empty) | (empty) | (empty)

Microsoft SpyNet
Join Microsoft SpyNet: Based on the setting selected during FEP server setup (all five policies)
Allow users on endpoint computers to change SpyNet settings: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled

Updates Settings

Check for definition updates using the following interval: Enabled | Enabled | Enabled | Enabled | Enabled
Every (hours): 8 | 8 | 8 | 8 | 8
Daily at: Not enabled | Not enabled | Not enabled | Not enabled | Not enabled
Daily at, time: Not applicable | Not applicable | Not applicable | Not applicable | Not applicable
Force a definition update when definition updates have failed for (days): 1 | Not enabled | 1 | Not enabled | 1
Clients will pull updates from the selected sources in the order specified below (from top to bottom), in all five policies:
1. Updates distributed from Configuration Manager or WSUS
2. Updates from Microsoft Update

Windows Firewall Settings

Enable Host Firewall protection: Enabled | Not enabled | Enabled | Not enabled | Enabled

Domain Networks
Firewall state: On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
Incoming connections: Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
Display notification: Yes | Not applicable | Yes | Not applicable | Yes

Private Networks
Firewall state: On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
Incoming connections: Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
Display notification: Yes | Not applicable | Yes | Not applicable | Yes

Public Networks
Firewall state: On (recommended) | Not applicable | On (recommended) | Not applicable | On (recommended)
Incoming connections: Block (default) | Not applicable | Block (default) | Not applicable | Block (default)
Display notification: Yes | Not applicable | Yes | Not applicable | Yes

Security Management Pack Monitors


Forefront Endpoint Protection 2010 Security Management Pack Monitors

The following table shows the available monitors in the Forefront Endpoint Protection 2010 Security Management Pack. For more information about FEP Security Management Pack monitors, see About Monitors.

Monitor name | Monitor description | Generates alerts | Disabled by default
Real-time Protection | This monitor tracks the state of antimalware real-time protection. | Yes | No
Windows Firewall | This monitor detects the Windows Firewall state. | Yes | Yes
Antimalware Engine | This monitor tracks the health of the antimalware client and service. | Yes | No
Antimalware Definitions | This monitor detects whether there is a valid definitions file. If the definitions file is missing or corrupt, the monitor will enter a Critical state. | Yes | No
Antimalware Definitions Age | This monitor detects whether the definition file is out of date. If the definition file is older than three days, the monitor will enter a Warning state. If the definition is older than five days, the monitor will enter a Critical state. | Yes | No
Additional Actions Pending | This monitor tracks whether additional actions must be performed after malware has been blocked and removed from a computer. | Yes | No
Vulnerability Protection | This monitor detects computers that have real-time protection turned off and, additionally, have not performed a scan in the past three days. | No | No
Malware Outbreak | This monitor detects a malware outbreak of both cleaned and active infections when they occur on more than 5% (by default) of the total number of computers in a time period of one hour (by default). | Yes | No
Deployment Failure | This monitor tracks Forefront Endpoint Protection client installation failures and detects computers that require a restart in order to complete the installation. | Yes | No
Active Malware | This monitor tracks failed malware cleanup operations. | Yes | No
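Two of the monitors above are defined by numeric thresholds: Antimalware Definitions Age (Warning after three days, Critical after five) and Malware Outbreak (more than 5% of the total number of computers within one hour, cleaned and active infections both counting). The following added example (not part of the original documentation, and not the management pack's internal implementation) expresses those two rules as PowerShell functions and runs them over constructed sample data, which is useful when the same health logic is wanted outside Operations Manager, for example in a scheduled report. Function and parameter names and the sample detections are this example's own. The [pscustomobject] syntax requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not code from the FEP documentation. Implements the threshold
# rules of the Antimalware Definitions Age and Malware Outbreak monitors as
# stated in the monitor table.

function Get-DefinitionAgeState {
    param(
        [Parameter(Mandatory = $true)][datetime]$DefinitionDate,
        [datetime]$Now = (Get-Date)
    )
    $ageDays = ($Now - $DefinitionDate).TotalDays
    if ($ageDays -gt 5)     { return 'Critical' }   # older than five days
    elseif ($ageDays -gt 3) { return 'Warning' }    # older than three days
    else                    { return 'Healthy' }
}

function Test-MalwareOutbreak {
    param(
        # Detection records: objects with ComputerName, DetectedAt and Cleaned
        [Parameter(Mandatory = $true)][object[]]$Detections,
        [Parameter(Mandatory = $true)][int]$TotalComputers,
        [double]$ThresholdPercent = 5,                    # default of the monitor
        [timespan]$Window = [timespan]::FromHours(1),     # default of the monitor
        [datetime]$Now = (Get-Date)
    )
    $windowStart = $Now - $Window
    # Cleaned and active infections both count, and a computer with several
    # detections inside the window is counted once
    $affected = @($Detections |
        Where-Object { $_.DetectedAt -ge $windowStart -and $_.DetectedAt -le $Now } |
        Select-Object -ExpandProperty ComputerName -Unique)
    $percent = if ($TotalComputers -gt 0) { 100.0 * $affected.Count / $TotalComputers } else { 0 }
    [pscustomobject]@{
        AffectedComputers = $affected.Count
        PercentAffected   = [math]::Round($percent, 2)
        Outbreak          = ($percent -gt $ThresholdPercent)
    }
}

# Constructed sample: 200 managed computers; twelve distinct computers report a
# detection inside the last hour (one of them twice), and one older detection
# lies outside the window and must not be counted
$now = Get-Date '2011-02-15 10:00:00'
$detections = @()
foreach ($i in 1..12) {
    $detections += [pscustomobject]@{
        ComputerName = 'WKS{0:D3}' -f $i
        DetectedAt   = $now.AddMinutes(-4 * $i)
        Cleaned      = ($i % 2 -eq 0)
    }
}
$detections += [pscustomobject]@{ ComputerName = 'WKS001'; DetectedAt = $now.AddMinutes(-30); Cleaned = $false }
$detections += [pscustomobject]@{ ComputerName = 'WKS090'; DetectedAt = $now.AddHours(-3);    Cleaned = $true }

Test-MalwareOutbreak -Detections $detections -TotalComputers 200 -Now $now

Get-DefinitionAgeState -DefinitionDate $now.AddDays(-4) -Now $now
Get-DefinitionAgeState -DefinitionDate $now.AddDays(-6) -Now $now
```

Counting distinct computers rather than detection events matters for the outbreak rule: a single noisy machine that logs the same detection every few minutes would otherwise cross the percentage threshold on its own.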

Security Management Pack Tasks


Forefront Endpoint Protection 2010 Security Management Pack Tasks

The following table shows the available tasks in the Forefront Endpoint Protection 2010 Security Management Pack. For more information about FEP tasks, see About Tasks.

Task name | Task description | Recovery task
Full Scan | This task will start a full scan on the selected endpoints. | No
Quick Scan | This task will start a quick scan on the selected endpoints. | No
Update Antimalware Definitions | This task will force a definition update on the selected endpoints. | Yes
Stop Scan | This task will stop scans that were started by a task or started manually on the client and are running on the selected endpoints. This task will not stop scheduled scans. | No
Enable Real-time Protection | This task will enable real-time protection on the selected endpoints. | No
Disable Real-time Protection | This task will disable real-time protection on the selected endpoints. | No
Enable NIS | This task will enable NIS on the selected endpoints. | No
Disable NIS | This task will disable NIS on the selected endpoints. | No
Turn Windows Firewall On | This task will turn on Windows Firewall at the profile level on the selected endpoints. | Yes
Turn Windows Firewall Off | This task will turn off Windows Firewall at the profile level on the selected endpoints. | No
Retrieve Endpoint Settings | This task will retrieve all effective settings from the selected endpoints. | No
Remote Desktop Connection | This task will initiate a remote desktop connection to the selected computer. | No
Restart Computer | This task will initiate a restart on the selected computer within one minute. | Recovery Task Only
Start Antimalware Service | This task will start the antimalware service on the selected endpoint. | Recovery Task Only

Important: When a Quick Scan or a Full Scan task is successfully initiated, the task will report a Success status. However, the success status indicates only that the scan was successfully initiated. It does not indicate that the scan successfully completed on the client.


FEP ADMX Reference


The table below shows the policy settings available after loading FEP ADMX files. For more information about FEP ADMX files, see Configuring and Viewing FEP Group Policy Settings. For information about configuring policies by using Configuration Manager, see FEP Policies.

Name | Setting Title | Description | Configurable via the Configuration Manager console
Forefront Endpoint Protection 2010 | Allow antimalware service to startup with normal priority | This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you disable this setting, the antimalware service will load as a low priority task. | No
Forefront Endpoint Protection 2010 | Turn on spyware definitions | This policy setting allows you to manage whether spyware definitions are used during a scan. If you enable or do not configure this setting, spyware definitions will be enabled by default and used during scans. If you disable this setting, spyware definitions will be disabled and will not be used during scans. | No
Forefront Endpoint Protection 2010 | Turn on virus definitions | This policy setting allows you to manage whether virus definitions are used during a scan. If you enable or do not configure this setting, virus definitions will be enabled and used during scans. If you disable this setting, virus definitions will be disabled and will not be used during scans. | No
Forefront Endpoint Protection 2010 | Configure local administrator merge behavior for lists | This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists, such as threats and exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group Policy settings will override preference settings. If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator. | No
Forefront Endpoint Protection 2010 | Turn on routine remediation | This policy setting allows you to configure routinely taking action on detected items. It is recommended that you enable this policy. If you enable this setting, routine remediation will be enabled. If you disable or do not configure this setting, routine remediation will be disabled. | No
Forefront Endpoint Protection 2010 | Define addresses to bypass proxy server | This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses. | Yes
Forefront Endpoint Protection 2010 | Define proxy server for connecting to the network | This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and SpyNet reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order): 1. Internet Explorer proxy settings, 2. Autodetect, 3. None. If you enable this setting, the proxy will be set to the specified URL. If you disable or do not configure this setting, the proxy will be set according to the order specified above. | No
Forefront Endpoint Protection 2010 | Randomize scheduled task times | This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time. If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time. If you disable this setting, scheduled tasks will begin at the specified start time. | Yes
Forefront Endpoint Protection 2010 | Allow antimalware service to remain running always | This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running, even if both antivirus and antispyware definitions are disabled. If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware definitions are disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware definitions are enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped. | No
Exclusions | Extension exclusions | This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. | Yes
Exclusions | Path exclusions | This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. | Yes
Exclusions | Process exclusions | This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. | Yes
Network Inspection System | Turn on protocol recognition | This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled. | No
Network Inspection System | Turn on definition retirement | This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all definitions for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance. If you enable or do not configure this setting, definition retirement will be enabled. If you disable this setting, definition retirement will be disabled. | No
Network Inspection System | Define the rate of detection events for logging | This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is defined in minutes. The default interval is 60 minutes. If you enable this setting, detection events will not be logged if there is more than one similar report (by definition GUID) in the specified number of minutes. If you disable or do not configure this setting, detection events will be logged at the default rate. | No
Network Inspection System Exclusions | IP address range exclusions | This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of an IP address range. As an example, a range might be defined as: 157.1.45.123-60.1.1.1. The value is not used and it is recommended that this be set to 0. | No
Network Inspection System Exclusions | Port number exclusions | This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a TCP port number. As an example, a range might be defined as: 8080. The value is not used and it is recommended that this be set to 0. | No
(not present in the extracted text) | (not present in the extracted text) | This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a process path and name. As an example, a process might be defined as: "C:\Windows\System32\App.exe". The value is not used and it is recommended that this be set to 0. | (not present in the extracted text)
(not present in the extracted text) | (not present in the extracted text) | This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a Threat ID. As an example, a Threat ID might be defined as: 2925110632. The value is not used and it is recommended that this be set to 0. | (not present in the extracted text)
(not present in the extracted text) | (not present in the extracted text) | This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. | (not present in the extracted text)

Network Inspection System Exclusions

Process exclusions for outbound traffic

No

Network Inspection System Exclusions

Threat ID exclusions

No

Quarantine

Configure local setting override for the removal of items from Quarantine

Yes

Technical Reference

Page number 205 folder This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Quarantine Configure This policy setting defines the number of removal of items days items should be kept in the Quarantine from Quarantine folder before being removed. folder If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed. Real-time Protection Turn on behavior monitoring This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Real-time Protection Turn on Information Protection Control This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Real-time Protection Turn on network protection This policy setting allows you to configure network protection against exploits of Yes No Yes Yes

Technical Reference

Page number 206 against exploits of known vulnerabilities known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection will be disabled. Real-time Protection Scan all downloaded files and attachments This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments will be disabled. Real-time Protection Monitor file and program activity on your computer This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled. Real-time Protection Turn on raw volume write notifications This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications be disabled. Real-time Protection Turn on realtime protection This policy setting allows you to configure Yes real-time protection. This setting controls all No Yes Yes

Technical Reference

Page number 207 real-time protection components. It is recommended that you turn on real-time protection. If you enable or do not configure this setting, real-time protection will be turned on. If you disable this setting, real-time protection will be turned off. Real-time Protection Turn on process scanning whenever realtime protection is enabled This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on. If you disable this setting, a process scan will not be initiated when real-time protection is turned on. Real-time Protection Define the maximum size of downloaded files and attachments to be scanned This policy setting defines the maximum size No (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default size will be applied. Real-time Protection Configure local setting override for turn on behavior monitoring This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. Yes Yes

Technical Reference

Page number 208 If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Protection Configure local setting override for monitoring file and program activity on your computer This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Protection Configure local setting override to turn off Intrusion Prevention System This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Protection Configure local setting override for scanning all downloaded files and attachments This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over Yes Yes Yes

Technical Reference

Page number 209 the local preference setting. Real-time Protection Configure local setting override to turn on realtime protection This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Protection Configure local setting override to turn on script scanning This policy setting configures a local override for the configuration of the script scanning browser helper object in Internet Explorer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Protection Configure local setting override for monitoring for incoming and outgoing file activity This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. Real-time Configure monitoring for This policy setting allows you to configure monitoring for incoming and outgoing files, Yes Yes Yes Yes

Technical Reference

Page number 210 Protection incoming and without having to turn off monitoring outgoing file and entirely. It is recommended for use on program activity servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes. The options for this setting are mutually exclusive: 1. 0 = Scan incoming and outgoing files (default) 2. 1 = Scan incoming files only 3. 2 = Scan outgoing files only Any other value, or if the value does not exist, resolves to the default (0). If you enable this setting, the specified type of monitoring will be enabled. If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled. Remediation Configure local setting override for the time of day to run a scheduled full scan to complete remediation This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over Yes

Technical Reference

Page number 211 the local preference setting. Remediation Specify the day of the week to run a scheduled full scan to complete remediation This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values:

Yes

(0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never

If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified. If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency. Remediation Specify the time of day to run a scheduled full scan to complete remediation This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is Yes

Technical Reference

Page number 212 executing. If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified. If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time. Reporting Configure time out for detections requiring additional action Configure time out for detections in critically failed state Configure Watson events This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. No

Reporting

This policy setting configures the time in minutes before a detection in the critically failed state to moves to either the additional action state or the cleared state. This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent.

No

Reporting

No

Reporting

Configure time out for detections in non-critical failed state Configure time out for detections in recently remediated

This policy setting configures the time in minutes before a detection in the "noncritically failed" state moves to the "cleared" state.

No

Reporting

This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.

No

Technical Reference

Page number 213 state Reporting Configure Windows software trace preprocessor components Configure WPP tracing level This policy configures Windows software trace preprocessor (WPP Software Tracing) components No

Reporting

This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as:

No

1 - Error 2 - Warning 3 - Info 4 - Debug No
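The exclusion settings above (Exclusions and Network Inspection System Exclusions) all use the same name/value convention, and an over-broad entry silently removes files or traffic from inspection. The following is an added example, not code from the reference or from Forefront Endpoint Protection: it checks a set of exclusion entries against the formats the reference describes and flags entries that are risky, using this example's own assumed heuristics (drive roots, executable extensions, user-writable directories) before the entries go into a policy.

```python
"""Format checks and risk review for antimalware exclusion entries.

Added example, not part of the original reference. Entries are modelled as the
name/value pairs the reference describes (name = exclusion, value = 0). The
RISKY_EXTENSIONS and USER_WRITABLE heuristics are this example's own assumptions,
not rules from the reference.
"""
import ipaddress
import re

# Assumption: excluding these extensions defeats the point of real-time scanning.
RISKY_EXTENSIONS = {"exe", "dll", "sys", "scr", "com", "bat", "cmd", "ps1", "js", "vbs"}
# Assumption: directory prefixes where unprivileged users can write.
USER_WRITABLE = (r"c:\users", r"c:\windows\temp", r"c:\temp", r"c:\programdata")
EXECUTABLE_EXT = re.compile(r"\.(exe|com|scr)$", re.IGNORECASE)
# "start-end" IPv4 range, the form shown in the reference (e.g. 157.1.45.123-60.1.1.1).
IPV4_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def check_pair(name, value, findings):
    """Every category shares one convention: the value is unused and should be 0."""
    if value != 0:
        findings.append(f"{name}: value should be 0 (got {value!r})")


def lint_extensions(entries, findings):
    for name, value in entries.items():
        check_pair(name, value, findings)
        if name.startswith("."):
            findings.append(f"{name}: extension should be given without the leading dot (e.g. 'obj')")
        if name.lower().lstrip(".") in RISKY_EXTENSIONS:
            findings.append(f"{name}: excluding executable content from scanning is high risk")


def lint_paths(entries, findings):
    for name, value in entries.items():
        check_pair(name, value, findings)
        low = name.lower().rstrip("\\")
        if re.fullmatch(r"[a-z]:", low):
            findings.append(f"{name}: excludes an entire drive")
        if any(low == p or low.startswith(p + "\\") for p in USER_WRITABLE):
            findings.append(f"{name}: excludes a user-writable location")


def lint_processes(entries, findings):
    # The reference: only executables can be excluded, and the process image
    # itself is not excluded by a process exclusion (use a path exclusion for that).
    for name, value in entries.items():
        check_pair(name, value, findings)
        if not EXECUTABLE_EXT.search(name):
            findings.append(f"{name}: only executables can be excluded as processes")


def lint_ip_ranges(entries, findings):
    for name, value in entries.items():
        check_pair(name, value, findings)
        m = IPV4_RANGE.match(name)
        if not m:
            findings.append(f"{name}: expected a 'start-end' IPv4 range")
            continue
        try:
            ipaddress.IPv4Address(m.group(1))
            ipaddress.IPv4Address(m.group(2))
        except ValueError:
            findings.append(f"{name}: not a valid IPv4 range")


def lint_ports(entries, findings):
    for name, value in entries.items():
        check_pair(name, value, findings)
        if not (name.isdigit() and 0 < int(name) <= 65535):
            findings.append(f"{name}: expected a TCP port number 1-65535")


def lint_threat_ids(entries, findings):
    for name, value in entries.items():
        check_pair(name, value, findings)
        if not name.isdigit():
            findings.append(f"{name}: Threat ID must be numeric")


LINTERS = {"extensions": lint_extensions, "paths": lint_paths, "processes": lint_processes,
           "ip_ranges": lint_ip_ranges, "ports": lint_ports, "threat_ids": lint_threat_ids}


def lint_exclusions(policy):
    """policy maps category -> {name: value}; returns a list of finding strings."""
    findings = []
    for category, entries in policy.items():
        LINTERS[category](entries, findings)
    return findings


# Constructed sample policy mixing well-formed entries with mistakes.
SAMPLE_POLICY = {
    "extensions": {"obj": 0, "lib": 0, ".exe": 1},
    "paths": {r"c:\Windows": 0, r"C:\Windows\App.exe": 0, "D:\\": 0, r"C:\Users\Public": 0},
    "processes": {r"c:\windows\app.exe": 0, r"c:\tools\updater.dll": 0},
    "ip_ranges": {"157.1.45.123-60.1.1.1": 0, "10.0.0.300-10.0.0.1": 0},
    "ports": {"8080": 0, "70000": 0},
    "threat_ids": {"2925110632": 0, "not-a-number": 0},
}

if __name__ == "__main__":
    for finding in lint_exclusions(SAMPLE_POLICY):
        print(finding)
```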

Scan: Allow users to pause scan
This policy setting allows you to manage whether or not end users can pause a scan in progress.
If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
If you disable this setting, users will not be able to pause scans.

Scan: Specify the maximum depth to scan archive files
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
If you enable this setting, archive files will be scanned to the directory depth level specified.
If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.

Scan: Specify the maximum size of archive files to be scanned
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
If you enable this setting, archive files less than or equal to the size specified will be scanned.
If you disable or do not configure this setting, archive files will be scanned according to the default value.

Scan: Specify the maximum percentage of CPU utilization during a scan
This policy setting allows you to configure the maximum percentage of CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.
If you enable this setting, CPU utilization will not exceed the percentage specified.
If you disable or do not configure this setting, CPU utilization will not exceed the default value.

Scan: Check for the latest virus and spyware definitions before running a scheduled scan
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun SigUpdate", but it has no effect on scans initiated manually from the user interface.
If you enable this setting, a check for new definitions will occur before running a scan.
If you disable this setting or do not configure this setting, the scan will start using the existing definitions.

Scan: Scan archive files
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
If you enable or do not configure this setting, archive files will be scanned.
If you disable this setting, archive files will not be scanned.

Scan: Turn on catchup full scan
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.

Scan: Turn on catchup quick scan
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.

Scan: Turn on e-mail scanning
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Microsoft Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac).
If you enable this setting, e-mail scanning will be enabled.
If you disable or do not configure this setting, e-mail scanning will be disabled.

Scan: Turn on heuristics
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.
If you enable or do not configure this setting, heuristics will be enabled.
If you disable this setting, heuristics will be disabled.

Scan: Scan packed executables
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.
If you enable or do not configure this setting, packed executables will be scanned.
If you disable this setting, packed executables will not be scanned.

Scan: Scan removable drives
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
If you enable this setting, removable drives will be scanned during any type of scan.
If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.

Scan: Turn on reparse point scanning
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth, so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
If you enable this setting, reparse point scanning will be enabled.
If you disable or do not configure this setting, reparse point scanning will be disabled.

Scan: Create a system restore point
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
If you enable this setting, a system restore point will be created.
If you disable or do not configure this setting, a system restore point will not be created.

Scan: Run full scan on mapped network drives
This policy setting allows you to configure scanning of mapped network drives.
If you enable this setting, mapped network drives will be scanned.
If you disable or do not configure this setting, mapped network drives will not be scanned.

Scan: Scan network files
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
If you enable this setting, network files will be scanned.
If you disable or do not configure this setting, network files will not be scanned.

Scan: Configure local setting override for maximum percentage of CPU utilization
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan: Configure local setting override for the scan type to use for a scheduled scan
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan: Configure local setting override for schedule scan day
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan: Configure local setting override for scheduled quick scan time
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.
If you enable this setting, the local preference setting will take priority over Group Policy.
If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Scan: Block unsigned obfuscated executables
This policy setting allows you to manage whether to detect and block binaries that are obfuscated or binaries that do not have a trusted digital signature. For the signature on a binary to be trusted, it must chain to a code signing certificate in the Windows Trusted Root Program.
If you enable this setting, unsigned obfuscated executables will be blocked.
If you disable or do not configure this setting, unsigned obfuscated executables will not be blocked.

Scan: Turn on removal of items from scan history folder
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
If you enable this setting, items will be removed from the scan history folder after the number of days specified.
If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.

Scan: Specify the interval to run quick scans per day
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
If you enable this setting, a quick scan will run at the interval specified.
If you disable or do not configure this setting, a quick scan will run at a default time.

Scan: Start the scheduled scan only when computer is on but not in use
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
If you disable this setting, scheduled scans will run at the scheduled time.

Scan: Specify the scan type to use for a scheduled scan
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:
1 = Quick Scan (default)
2 = Full Scan
If you enable this setting, the scan type will be set to the specified value.
If you disable or do not configure this setting, the default scan type will be used.

Scan: Specify the day of the week to run a scheduled scan
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values:
(0x0) Every Day (default)
(0x1) Sunday
(0x2) Monday
(0x3) Tuesday
(0x4) Wednesday
(0x5) Thursday
(0x6) Friday
(0x7) Saturday
(0x8) Never
If you enable this setting, a scheduled scan will run at the frequency specified.
If you disable or do not configure this setting, a scheduled scan will run at a default frequency.

Scan: Specify the time for a daily quick scan
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
If you enable this setting, a daily quick scan will run at the time of day specified.
If you disable or do not configure this setting, a daily quick scan will run at a default time.

Scan: Specify the time of day to run a scheduled scan
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
If you enable this setting, a scheduled scan will run at the time of day specified.
If you disable or do not configure this setting, a scheduled scan will run at a default time.
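Many of the Real-time Protection and Scan settings above come in pairs: a value set by Group Policy and a "Configure local setting override" switch that decides whether the local preference may replace it. The following is an added example, not code from the reference or the product: it resolves the effective value of a setting from that precedence rule and the defaults stated on this page, and lists the settings whose Group Policy value can be overridden locally; it assumes that when Group Policy does not configure a setting at all, the local preference applies.

```python
"""Resolve the effective value of antimalware settings from Group Policy,
local preference and the "Configure local setting override ..." switches.

Added example, not code from the reference or the product. It models two rules
the reference states: the override switches are Group Policy only (enabled ->
local preference wins, disabled or not configured -> Group Policy wins), and a
setting nobody configures falls back to its documented default.
Assumption: when Group Policy does not configure a setting at all, the local
preference applies even without an override.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Setting:
    default: Any                        # applies when nothing configures the setting
    valid: Callable[[Any], bool]        # range check taken from the reference
    override: Optional[str] = None      # matching "Configure local setting override" setting


def is_bool(v):
    return isinstance(v, bool)


def is_time(v):
    # minutes past midnight, e.g. 120 (0x78) = 02:00
    return isinstance(v, int) and 0 <= v < 24 * 60


# Defaults and ranges as given in the reference.
SETTINGS: Dict[str, Setting] = {
    "Turn on realtime protection": Setting(True, is_bool,
        "Configure local setting override to turn on realtime protection"),
    "Turn on behavior monitoring": Setting(True, is_bool,
        "Configure local setting override for turn on behavior monitoring"),
    "Scan all downloaded files and attachments": Setting(True, is_bool,
        "Configure local setting override for scanning all downloaded files and attachments"),
    "Specify the maximum percentage of CPU utilization during a scan": Setting(
        50, lambda v: v == 0 or 5 <= v <= 100,   # 0 = no throttling
        "Configure local setting override for maximum percentage of CPU utilization"),
    "Specify the scan type to use for a scheduled scan": Setting(
        1, lambda v: v in (1, 2),                # 1 = Quick Scan, 2 = Full Scan
        "Configure local setting override for the scan type to use for a scheduled scan"),
    "Specify the day of the week to run a scheduled scan": Setting(
        0, lambda v: 0 <= v <= 8,                # 0x0 = Every Day ... 0x8 = Never
        "Configure local setting override for schedule scan day"),
    "Specify the time for a daily quick scan": Setting(120, is_time,
        "Configure local setting override for scheduled quick scan time"),
    "Specify the interval to run quick scans per day": Setting(
        0, lambda v: 0 <= v <= 24),              # hours between quick scans, 0 = off; no override
}


def resolve(name: str, gpo: Dict[str, Any], local: Dict[str, Any]) -> Tuple[Any, str]:
    """Return (effective value, where it came from) for one setting.

    gpo and local map setting names to configured values; a missing key means
    "not configured". Override switches are read from gpo only.
    """
    s = SETTINGS[name]
    override_on = bool(s.override and gpo.get(s.override, False))
    if override_on and name in local:
        value, source = local[name], "local preference (override enabled)"
    elif name in gpo:
        value, source = gpo[name], "Group Policy"
    elif name in local:
        value, source = local[name], "local preference (no Group Policy value)"
    else:
        return s.default, "default"
    if not s.valid(value):
        raise ValueError(f"{name}: {value!r} is outside the documented range")
    return value, source


def effective_policy(gpo, local):
    return {name: resolve(name, gpo, local) for name in SETTINGS}


def overridable(gpo):
    """Settings Group Policy configures but whose override switch is enabled, so a
    local preference can silently replace the Group Policy value (an audit finding)."""
    return sorted(name for name, s in SETTINGS.items()
                  if name in gpo and s.override and gpo.get(s.override, False))


# Constructed sample: Group Policy hardens the client but leaves one override open.
SAMPLE_GPO = {
    "Turn on realtime protection": True,
    "Specify the maximum percentage of CPU utilization during a scan": 30,
    "Configure local setting override for maximum percentage of CPU utilization": True,
    "Specify the scan type to use for a scheduled scan": 2,
}
SAMPLE_LOCAL = {
    "Turn on realtime protection": False,                                  # ignored: no override
    "Specify the maximum percentage of CPU utilization during a scan": 0,  # wins: override enabled
    "Specify the time for a daily quick scan": 60,                         # wins: no GPO value
}

if __name__ == "__main__":
    for name, (value, source) in effective_policy(SAMPLE_GPO, SAMPLE_LOCAL).items():
        print(f"{name}: {value} [{source}]")
    print("overridable:", overridable(SAMPLE_GPO))
```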

Signature Updates: Define the number of days before spyware definitions are considered out of date
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
If you enable this setting, spyware definitions will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware definitions will be considered out of date after the default number of days have passed without an update.

Signature Updates: Define the number of days before virus definitions are considered out of date
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
If you enable this setting, virus definitions will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, virus definitions will be considered out of date after the default number of days have passed without an update.

Signature Updates: Define file shares for downloading definition updates
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.

Signature Updates: Turn on scan after signature update
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred.
If you enable or do not configure this setting, a scan will start following a definition update.
If you disable this setting, a scan will not start following a definition update.

Signature Updates: Allow definition updates when running on battery power
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present.
If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present.
If you disable this setting, definition updates will not be initiated on startup when there is no antimalware engine present.

Signature Updates: Define the order of sources for downloading definition updates
This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: InternalDefinitionUpdateServer, MicrosoftUpdateServer, MMPC, and FileShares. For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, definition update sources will be contacted in a default order.

Signature Updates: Allow definition updates from Microsoft Update
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
If you enable this setting, definition updates will be downloaded from Microsoft Update.
If you disable or do not configure this setting, definition updates will be downloaded from the configured download source.

Signature Updates: Allow real-time definition updates based on reports to Microsoft SpyNet
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft SpyNet. If the service reports a file as unknown and Microsoft SpyNet finds that the latest definition update has definitions for a threat involving that file, the service will receive all of the latest definitions for that threat immediately. You must have configured your computer to join Microsoft SpyNet for this functionality to work.
If you enable or do not configure this setting, real-time definition updates will be enabled.
If you disable this setting, real-time definition updates will be disabled.

Signature Updates: Specify the day of the week to check for definition updates
This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values:

Yes

(0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never

If you enable this setting, the check for definition updates will occur at the frequency specified. If you disable or do not configure this setting, the check for definition updates will occur at a default frequency.
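The Signature Updates settings in this table encode their values in a handful of formats: pipe-separated source lists with optional braces, UNC share lists, a day-of-week ordinal, a check time expressed as minutes past midnight, an hourly interval from 1 to 24, and a definition age in days. The following Python is an added example (not FEP code and not from this reference) that decodes and sanity-checks such values before they are pushed out through policy, so that a typo in the source order or a non-UNC share path is caught before clients silently fall back to a default. The dictionary keys and sample values are constructed for the example and are not real policy identifiers.

```python
"""Decode and check the value encodings used by the Signature Updates
policy settings in this table.  Added example for this page, not FEP code;
the policy keys and the sample values at the bottom are constructed."""
from datetime import time

# Source names accepted by "Define the order of sources for downloading
# definition updates", exactly as listed in the table.
VALID_SOURCES = ("InternalDefinitionUpdateServer", "MicrosoftUpdateServer",
                 "MMPC", "FileShares")

# Ordinals for "Specify the day of the week to check for definition updates".
SCHEDULE_DAYS = {0: "Every Day", 1: "Sunday", 2: "Monday", 3: "Tuesday",
                 4: "Wednesday", 5: "Thursday", 6: "Friday", 7: "Saturday",
                 8: "Never"}

DEFAULT_DEFINITION_AGE_DAYS = 14   # default of the two "out of date" settings


def parse_pipe_list(value):
    """Split a pipe-separated policy string such as "{ A | B }" into its
    elements, tolerating the optional braces and whitespace used in the
    table's examples.  Empty elements (e.g. a trailing "|") are dropped."""
    inner = value.strip()
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [item.strip() for item in inner.split("|") if item.strip()]


def parse_fallback_order(value):
    """Validate the source-order string: unknown or repeated names are errors."""
    sources = parse_pipe_list(value)
    unknown = [s for s in sources if s not in VALID_SOURCES]
    if unknown:
        raise ValueError("unknown definition update source(s): %s" % unknown)
    if len(set(sources)) != len(sources):
        raise ValueError("a source is listed more than once: %s" % sources)
    return sources


def parse_file_shares(value):
    """Validate the UNC share list: every entry must start with two backslashes."""
    shares = parse_pipe_list(value)
    not_unc = [s for s in shares if not s.startswith("\\\\")]
    if not_unc:
        raise ValueError("not a UNC path: %s" % not_unc)
    return shares


def schedule_day_name(ordinal):
    """Map the day-of-week ordinal (0-8) to the label shown in the table."""
    if ordinal not in SCHEDULE_DAYS:
        raise ValueError("schedule day must be 0-8, got %r" % ordinal)
    return SCHEDULE_DAYS[ordinal]


def schedule_time_to_clock(minutes_past_midnight):
    """Minutes past 00:00 -> local clock time, e.g. 120 (0x78) -> 02:00."""
    if not 0 <= minutes_past_midnight < 24 * 60:
        raise ValueError("minutes past midnight must be 0-1439")
    return time(minutes_past_midnight // 60, minutes_past_midnight % 60)


def validate_update_interval(hours):
    """'Specify the interval to check for definition updates': 1-24 hours."""
    if not 1 <= hours <= 24:
        raise ValueError("update interval must be 1-24 hours, got %r" % hours)
    return hours


def definitions_out_of_date(days_since_update, max_age_days=DEFAULT_DEFINITION_AGE_DAYS):
    """True once more than max_age_days have passed without an update; this is
    the state that triggers fallback to another source or the warning icon."""
    return days_since_update > max_age_days


def check_policy(policy):
    """Decode a dict of raw setting values (the keys are short names chosen
    for this example, not real policy identifiers) and report inconsistencies."""
    order = parse_fallback_order(policy["fallback_order"])
    shares = parse_file_shares(policy["file_shares"])
    warnings = []
    if "FileShares" in order and not shares:
        # The table says an empty share list means no share is contacted, so
        # listing FileShares in the order would be a silent no-op.
        warnings.append("FileShares is in the fallback order but no shares are defined")
    return {
        "fallback_order": order,
        "file_shares": shares,
        "check_day": schedule_day_name(policy["schedule_day"]),
        "check_time": schedule_time_to_clock(policy["schedule_time"]),
        "interval_hours": validate_update_interval(policy["interval_hours"]),
        "warnings": warnings,
    }


# Constructed sample values mirroring the examples given in the table.
SAMPLE_POLICY = {
    "fallback_order": "{ InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC | FileShares }",
    "file_shares": r"{\\unc1 | \\unc2 }",
    "schedule_day": 0,        # (0x0) Every Day
    "schedule_time": 0x78,    # 120 minutes past midnight = 02:00
    "interval_hours": 8,
}

if __name__ == "__main__":
    for key, val in check_policy(SAMPLE_POLICY).items():
        print(key, "->", val)
```

The checks deliberately reject anything the table does not list (an unknown source name, a repeated source, an interval of 0 or 25), because the client's documented behaviour for a misconfigured value is to fall back to its default rather than to fail loudly.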

Technical Reference

Page number 227 Signature Updates Specify the time to check for definition updates This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for definition updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. If you enable this setting, the check for definition updates will occur at the time of day specified. If you disable or do not configure this setting, the check for definition updates will occur at the default time. Signature Updates Allow notifications to disable definitions based reports to Microsoft SpyNet This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft SpyNet. Microsoft SpyNet uses these notifications to disable definitions that are causing false positive reports. You must have configured your computer to join Microsoft SpyNet for this functionality to work. If you enable this setting or do not configure, the antimalware service will receive notifications to disable definitions. If you disable this setting, the antimalware service will not receive notifications to disable definitions. Signature Updates Define the number of days after which a catch-up definition This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day. Yes No Yes

Technical Reference

Page number 228 update is required If you enable this setting, a catch-up definition update will occur after the specified number of days. If you disable or do not configure this setting, a catch-up definition update will be required after the default number of days. Signature Updates Specify the interval to check for definition updates This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you enable this setting, checks for definition updates will occur at the interval specified. If you disable or do not configure this setting, checks for definition updates will occur at the default interval. Signature Updates Check for the latest virus and spyware definitions on startup This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable this setting or do not configure this setting, a check for new definitions will not occur after service startup. SpyNet Configure local setting override for reporting to Microsoft SpyNet This policy setting configures a local override for the configuration to join Microsoft SpyNet. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Yes No Yes

Technical Reference

Page number 229 Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. SpyNet Join Microsoft SpyNet This policy setting allows you to join Microsoft SpyNet. Microsoft SpyNet is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you. Possible options are:

Yes

(0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership

Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful. Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software,

Technical Reference

Page number 230 spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer. If you enable this setting, you will join Microsoft SpyNet with the membership specified. If you disable or do not configure this setting, you will not join Microsoft SpyNet. Threats Specify threats upon which default action should not be taken when detected This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken. Valid remediation action values are:

Yes

2 = Quarantine 3 = Remove 6 = Ignore Yes

Threats: Specify threat alert levels at which default action should not be taken when detected (Yes)
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken. Valid threat alert levels are:

1 = Low
2 = Medium
4 = High
5 = Severe

Valid remediation action values are:

2 = Quarantine
3 = Remove
6 = Ignore
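Both Threats settings above take name/value pairs whose names are a Threat ID or an alert level and whose values are one of the three action IDs. The following Python is an added example (not FEP code and not from this reference) that validates such pairs the way an administrator would want them checked before they reach a policy, and then shows how a per-threat and a per-alert-level override combine for a set of detections. The precedence it applies (a per-threat entry beats a per-alert-level entry, which beats the default) is an assumption of the example; the table does not state it. The Threat IDs and detections are constructed placeholders.

```python
"""Parse and apply the name/value pairs used by the two Threats policy
settings.  Added example for this page, not FEP code; the Threat IDs and
detections below are constructed placeholders."""

# Action IDs accepted by both settings, as listed in the table.
ACTIONS = {2: "Quarantine", 3: "Remove", 6: "Ignore"}

# Alert levels accepted by "Specify threat alert levels at which default
# action should not be taken when detected".
ALERT_LEVELS = {1: "Low", 2: "Medium", 4: "High", 5: "Severe"}


def parse_name_value_pairs(entries, valid_names=None):
    """Each entry is a (name, value) pair as typed under Options.  Both arrive
    as strings; both must be integers, the name must be allowed when a set of
    valid names is given, and the value must be a known action ID."""
    mapping = {}
    for name, value in entries:
        try:
            key, action = int(name), int(value)
        except ValueError:
            raise ValueError("entry %r=%r is not an integer pair" % (name, value))
        if valid_names is not None and key not in valid_names:
            raise ValueError("%r is not a valid name (allowed: %s)"
                             % (key, sorted(valid_names)))
        if action not in ACTIONS:
            raise ValueError("action %r for %r is not one of %s"
                             % (action, key, sorted(ACTIONS)))
        if key in mapping:
            raise ValueError("duplicate entry for %r" % key)
        mapping[key] = action
    return mapping


def parse_threat_overrides(entries):
    """Threat ID -> action ID.  Any integer Threat ID is accepted here because
    the valid IDs come from the definition set, not from the policy."""
    return parse_name_value_pairs(entries)


def parse_alert_level_overrides(entries):
    """Alert level (1, 2, 4, 5) -> action ID."""
    return parse_name_value_pairs(entries, ALERT_LEVELS)


def resolve_action(threat_id, alert_level, threat_overrides, level_overrides,
                   default_action="Recommended action"):
    """Assumed precedence for this example: a per-threat entry wins over a
    per-alert-level entry, which wins over the default action."""
    if threat_id in threat_overrides:
        return ACTIONS[threat_overrides[threat_id]]
    if alert_level in level_overrides:
        return ACTIONS[level_overrides[alert_level]]
    return default_action


def plan_remediation(detections, threat_entries, level_entries):
    """Validate both settings once, then decide an action per detection.
    Returns a list of (threat_id, action name)."""
    threat_overrides = parse_threat_overrides(threat_entries)
    level_overrides = parse_alert_level_overrides(level_entries)
    return [(d["threat_id"],
             resolve_action(d["threat_id"], d["alert_level"],
                            threat_overrides, level_overrides))
            for d in detections]


# Constructed sample policy: one known false positive ignored by Threat ID,
# and blanket overrides for the Severe and High alert levels.
SAMPLE_THREAT_ENTRIES = [("123456", "6")]           # placeholder Threat ID
SAMPLE_LEVEL_ENTRIES = [("5", "3"), ("4", "2")]     # Severe=Remove, High=Quarantine

# Constructed detections: (placeholder Threat ID, alert level).
SAMPLE_DETECTIONS = [
    {"threat_id": 123456, "alert_level": 5},   # per-threat entry wins
    {"threat_id": 777, "alert_level": 4},      # alert-level entry applies
    {"threat_id": 888, "alert_level": 1},      # nothing matches: default
]

if __name__ == "__main__":
    for threat_id, action in plan_remediation(SAMPLE_DETECTIONS,
                                              SAMPLE_THREAT_ENTRIES,
                                              SAMPLE_LEVEL_ENTRIES):
        print(threat_id, "->", action)
```

A per-threat Ignore entry is the sharpest tool in this table: it silences detection of that Threat ID on every client that receives the policy, so the validation above is a good place to require that any Ignore entry be reviewed rather than waved through with the rest of the list.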

UX Configuration: Display notifications to clients when they need to perform actions (Yes)
This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions:

Run a full scan
Download the latest virus and spyware definitions
Download Standalone System Sweeper

If you enable or do not configure this setting, notifications will be displayed to clients when they need to perform the specified actions. If you disable this setting, notifications will not be displayed to clients when they need to perform the specified actions.

FEP2010 Client Help


This section of the Microsoft Forefront Endpoint Protection 2010 Technical Reference contains the help included with the Forefront Endpoint Protection client software.

Welcome to Microsoft Forefront Endpoint Protection
This version of Microsoft Forefront Endpoint Protection 2010 includes the following new features and enhancements to better help protect your computer from threats:

Windows Firewall integration. Forefront Endpoint Protection setup enables you to turn on or off Windows Firewall.
Network Inspection System. This feature enhances real-time protection by inspecting network traffic to help proactively block exploitation of known network-based vulnerabilities.
New and improved protection engine. The updated engine offers enhanced detection and cleanup capabilities with better performance.

These features are described in more detail in the following sections.

Windows Firewall integration
Windows Firewall can help prevent attackers or malicious software from gaining access to your computer through the Internet or a network. Now when you install Forefront Endpoint Protection, the installation wizard verifies that Windows Firewall is turned on. If you have intentionally turned off Windows Firewall, you can avoid turning it on by clearing a check box. You can change your Windows Firewall settings at any time via the System and Security settings in Control Panel.

Network Inspection System
Attackers are increasingly carrying out network-based attacks against exposed vulnerabilities before software vendors can develop and distribute security updates. Studies of vulnerabilities show that it can take a month or longer from the time of an initial attack report before a suitable security update is developed, tested, and released. This gap in protection leaves many computers vulnerable to attacks and exploitation for a substantial period of time. Network Inspection System works with real-time protection to better protect you against network-based attacks by greatly reducing the time span between vulnerability disclosures and update deployment from weeks to a few hours.

Award-winning protection engine
Under the hood of Forefront Endpoint Protection is its award-winning protection engine that is updated regularly. The engine is backed by a team of antimalware researchers from the Microsoft Malware Protection Center, providing responses to the latest malware threats 24 hours a day.

Why do I need antivirus and antispyware software?
It is critical to make sure that your computer is running software that protects against malicious software. Malicious software, which includes viruses, spyware, or other potentially unwanted software, can try to install itself on your computer any time you connect to the Internet. It can also infect your computer when you install a program using a CD, DVD, or other removable media. Malicious software can also be programmed to run at unexpected times, not just when it is installed. Microsoft Forefront Endpoint Protection 2010 offers three ways to help keep malicious software from infecting your computer:

Using real-time protection. Real-time protection enables Forefront Endpoint Protection to monitor your computer all the time and alert you when malicious software, including viruses, spyware, or other potentially unwanted software, attempts to install itself or run on your computer. Forefront Endpoint Protection then suspends the software and enables you to follow its recommendation on the software or take an alternative action.

Scanning options. You can use Forefront Endpoint Protection to scan for potential threats, such as viruses, spyware, and other malicious software that might put your computer at risk. You can also use it to schedule scans on a regular basis and to remove malicious software that is detected during a scan.

Microsoft SpyNet community. The online Microsoft SpyNet community helps you see how other people respond to software that has not yet been classified for risks. You can use this information to help you choose whether to allow this software on your computer. In turn, if you participate, your choices are added to the community ratings to help other people decide what to do.

How can I tell if my computer is infected with malicious software?
You might have some form of malicious software, including viruses, spyware, or other potentially unwanted software, on your computer if:

You notice new toolbars, links, or favorites that you did not intentionally add to your Web browser.
Your home page, mouse pointer, or search program changes unexpectedly.
You type the address for a specific site, such as a search engine, but you are taken to a different Web site without notice.
Files are automatically deleted from your computer.
Your computer is used to attack other computers.
You see pop-up ads, even if you're not on the Internet.
Your computer suddenly starts running more slowly than it usually does. Not all computer performance problems are caused by malicious software, but malicious software, especially spyware, can cause a noticeable change.

There might be malicious software on your computer even if you don't see any symptoms. This type of software can collect information about you and your computer without your knowledge or consent. To help protect your privacy and your computer, you should run Microsoft Forefront Endpoint Protection 2010 at all times.

What should I do if Forefront Endpoint Protection detects malicious software on my computer?
If Microsoft Forefront Endpoint Protection 2010 detects malicious software or potentially unwanted software on your computer (either when monitoring your computer using real-time protection or after running a scan), it notifies you about the detected item by displaying a notification message in the bottom right-hand corner of your screen. The notification message includes a Clean computer button and a Show details link that lets you view additional information about the detected item. Click the Show details link to open the Potential threat details window to get additional information about the detected item. You can now choose which action to apply to the item, or click Clean computer. If you need help determining which action to apply to the detected item, use the alert level that Forefront Endpoint Protection assigned to the item as your guide (for more information, see Understanding alert levels). Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted software. While Forefront Endpoint Protection will recommend that you remove all viruses and spyware, not all software that is flagged is malicious or unwanted. The following information can help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software on your computer. Depending on the alert level, you can choose one of the following actions to apply to the detected item:

Remove. This action permanently deletes the software from your computer.
Quarantine. This action quarantines the software so that it can't run. When Forefront Endpoint Protection quarantines software, it moves it to another location on your computer, and then prevents the software from running until you choose to restore it or remove it from your computer.
Allow. This action adds the software to the Forefront Endpoint Protection allowed list and allows it to run on your computer. Forefront Endpoint Protection will stop alerting you to risks that the software might pose to your privacy or to your computer.

Caution:
If you choose Allow for an item, such as software, Forefront Endpoint Protection will stop alerting you to risks that the software might pose to your privacy or to your computer. Therefore, add software to the allowed list only if you trust the software and the software publisher.

Using Forefront Endpoint Protection to remove potentially harmful software
To remove all unwanted or potentially harmful items that Microsoft Forefront Endpoint Protection 2010 detects quickly and easily, use the Clean computer option.
1. When you see the notification message that Forefront Endpoint Protection displays in the Notification area after it detects potential threats, click Clean computer.
2. Forefront Endpoint Protection removes the potential threat (or threats), and then notifies you when it's finished cleaning your computer.
3. To learn more about the detected threats, click the History tab, and then select All detected items.
4. If you don't see all the detected items, click View details. If you're prompted for an administrator password or confirmation, type the password or confirm the action. On systems running Windows XP, you may need to log on as an administrator on this computer.

Note: During computer cleanup, whenever possible, Forefront Endpoint Protection removes only the infected part of a file, not the entire file.

Frequently asked questions about malicious software
Here are answers to some common questions about malicious software.

What is a virus?
Computer viruses are software programs deliberately designed to interfere with computer operation, to record, corrupt, or delete data, or to infect other computers throughout the Internet. Viruses often slow things down and cause other problems in the process.

What is spyware?
Spyware is software that can install itself or run on your computer without getting your consent or providing you with adequate notice or control. Spyware might not display symptoms after it infects your computer, but many malicious or unwanted programs can affect how your computer runs. For example, spyware can monitor your online behavior or collect information about you (including information that can identify you or other sensitive information), change settings on your computer, or cause your computer to run slowly.

What's the difference between viruses, spyware, and other potentially harmful software?
Both viruses and spyware are installed on your computer without your knowledge and both have the potential to be intrusive and destructive. They also have the ability to capture information on your computer and damage or delete that information. They both can negatively affect your computer's performance. The main difference between viruses and spyware is how they behave on your computer. Viruses, like living organisms, want to infect a computer, replicate, and then spread to as many other computers as possible. Spyware, however, is more like a mole: it wants to "move into" your computer and stay there as long as possible, sending valuable information about your computer to an outside source while it is there.

Where do viruses, spyware, and other potentially unwanted software come from?
Unwanted software, such as viruses, can be installed by Web sites or by programs that you download or that you install using a CD, DVD, external hard disk, or a device. Spyware is most commonly installed through free software, such as file sharing, screen savers, or search toolbars.

Can I get malicious software without knowing it?
Yes, some malicious software can be installed from a Web site through an embedded script or program in a Web page. Some malicious software requires your help to install it. This software uses Web pop-ups or free software that requires you to accept a downloadable file. However, if you keep Microsoft Windows up to date and don't reduce your security settings, you can minimize the chances of an infection.

Why is it important to review license agreements before installing software?
When you visit Web sites, do not automatically agree to download anything the site offers. If you download free software, such as file sharing programs or screen savers, read the license agreement carefully. Look for clauses that say that you must accept advertising and pop-ups from the company, or that the software will send certain information back to the software publisher.

What's the difference between Microsoft Forefront Endpoint Protection 2010 and Windows Defender?
Forefront Endpoint Protection is antimalware software, which means that it's designed to detect and help protect your computer against a wide range of malicious software, including viruses, spyware, and other potentially unwanted software. Windows Defender, which is automatically installed with your Windows operating system, is software that detects and stops spyware. To learn more about Windows Defender, visit the Windows Defender Web site (http://go.microsoft.com/fwlink/?LinkId=155580).

Why doesn't Forefront Endpoint Protection detect cookies?
Cookies are small text files that Web sites put on your computer to store information about you and your preferences. Web sites use cookies to offer you a personalized experience and to gather information about Web site use. Forefront Endpoint Protection doesn't detect cookies, because it doesn't consider them a threat to your privacy or to the security of your computer. Most Internet browser programs allow you to block cookies. For information about blocking cookies in Windows Internet Explorer, see Block or allow cookies (http://go.microsoft.com/fwlink/?LinkId=155585).

How to help prevent malicious software infections
Two of the biggest concerns for computer users today are viruses and spyware. In both cases, while these can be a problem, you can defend yourself against them easily enough with just a little bit of planning:

Keep your computer's software current and remember to install all patches. Remember to update your operating system on a regular basis.
Make sure your antivirus and antispyware software, Microsoft Forefront Endpoint Protection 2010, is using the latest updates against potential threats (see Keeping virus and spyware definitions up-to-date). Also make sure you're always using the latest version of Forefront Endpoint Protection.
Only download updates from reputable sources. For Windows operating systems, always go to Microsoft Update (http://go.microsoft.com/fwlink/?LinkID=96304) and for other software always use the legitimate Web sites of the company or person who produces it.
If you receive an e-mail with an attachment and you're unsure of the source, then you should delete it immediately. Don't download any applications or executable files from unknown sources, and be careful when trading files with other users.
Install and use a firewall. It is recommended that you enable Windows Firewall.


Getting started
Now that you've been introduced to Microsoft Forefront Endpoint Protection 2010 and learned how it detects malicious software and helps you get rid of unwanted software, let's learn more about this program's capabilities, including scanning, real-time protection, updating, virus and spyware definitions, and about removing and restoring quarantined items.

Scanning for viruses, spyware, and other potentially unwanted software
What's real-time protection?
How do I keep virus and spyware definitions up to date?
How do I remove or restore items quarantined by Forefront Endpoint Protection?

Understanding alert levels
When Microsoft Forefront Endpoint Protection 2010 detects a potential threat, it uses the associated definition file to assign an alert level to the threat. It then applies the default action associated with that threat level. Alert levels help you choose how to respond to viruses, spyware, and other potentially unwanted software. While Forefront Endpoint Protection recommends that you remove all viruses and spyware, not all software that is flagged is malicious or unwanted. The information in this table can help you decide what to do if Forefront Endpoint Protection detects potentially unwanted software on your computer.

Alert level: Severe
What it means: These are widespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of your computer, and can damage your computer.
What to do: Remove this software immediately.

Alert level: High
What it means: These are programs that might collect your personal information and negatively affect your privacy or damage your computer. For example, the program collects information or changes settings, typically without your knowledge or consent.
What to do: Remove this software immediately.

Alert level: Medium
What it means: These are programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience. For example, the program collects personal information or changes settings.
What to do: Review the alert details to see why the software was detected. If you do not like what the software does or if you do not recognize and trust the publisher, consider blocking or removing the software.

Alert level: Low
What it means: This is potentially unwanted software that might collect information about you or your computer or might change how your computer works. However, the software is operating in agreement with licensing terms displayed when you installed the software.
What to do: This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you're not sure whether to allow it, review the alert details, or check to see if you recognize and trust the software publisher.

What are recommended actions?
Essentially, recommended action means that you want Microsoft Forefront Endpoint Protection 2010 to handle this alert level according to Microsoft's recommendation. When Forefront Endpoint Protection detects a threat or potential threat, it takes the action specified as the Default Action in Settings. Unless you change the Default Actions associated with each alert level, Forefront Endpoint Protection applies the recommended action. The recommended action is a specific action recommended by Microsoft for dealing with a specific threat or potential threat. It is associated with the definition specific to a particular threat. Usually, recommended actions are related to the detected item's severity level: severe, high, medium, or low (see Understanding alert levels). For example, in most cases, the recommended action associated with a high-severity alert is to remove the detected threat. However, even in the case of a high-severity alert, the recommended action might be to allow the detected threat.

Tip: Unless you have a deep understanding of malware and their definitions, you should use the recommended actions to help protect your computer from threats.

Applying default actions to detected items
You can decide how you want Microsoft Forefront Endpoint Protection 2010 to handle the potential threats it detects, by either applying recommended actions (recommended) or by specifying a default action for each alert level. By defining a custom default action for each alert level, you gain more control over how the program handles detected threats. For example, if you know that all medium level threats are something you feel comfortable simply quarantining, then you can specify Quarantine for the medium alert level.

To apply default actions
1. Click the Settings tab, and then click Default actions.
2. Select a default action (Recommended action, Quarantine, Remove, or Allow if available). The default setting (Recommended action) means that you want Forefront Endpoint Protection to handle this alert level according to Microsoft's recommendation.
3. Click Save changes. If you are prompted for an administrator password or confirmation, type the password or confirm the action.

To ensure that Forefront Endpoint Protection applies these actions after it detects potential threats, select the Apply recommended actions check box.

Scanning for viruses, spyware, and other potentially unwanted software


When you use Microsoft Forefront Endpoint Protection 2010, you can run either a quick scan of your computer or a full system scan. If malicious software has infected a specific area of your computer, you can customize a scan by selecting only the drives and folders that you want to check.

A quick scan checks the places, processes in the memory, and registry files on your computer's hard disk that malicious software is most likely to infect. A full scan checks all files on the hard disk and all currently running programs, but it could cause your computer to run slowly until the scan is completed. At any time, if you suspect that spyware has infected your computer, run a full scan. For information about scheduling scans to occur regularly, see Scheduling scans.

To scan the areas of your computer that malicious software is most likely to infect (Quick scan)
On the Forefront Endpoint Protection Home page, click the Quick scan option, and then click Scan now. The amount of time the scan takes depends on the number of files and folders being scanned.

To scan all areas of your computer (Full scan)
On the Home page, select the Full scan option, and then click Scan now. The scan may take a while, depending on the number of files and folders being scanned.

To scan specific areas of your computer only (Custom scan)
You can select specific locations on your computer to scan. However, if it detects viruses, spyware, or other potentially unwanted software, Endpoint Protection will then run an expanded scan to make sure it removes the detected software from other areas of your computer, if needed.

Running a custom scan
1. On the Home page, select the Custom scan option and then click Scan now.
2. In the Select the drives and folders you want to scan window, select the areas of your computer that you want to scan, and then click OK. The scan may take a while, depending on the number of files and folders being scanned.

To scan a specific file or folder (right-click scan)
If you suspect malicious software has infected a file or folder on your computer, or if you are concerned about something that you downloaded, you can select a specific file or folder on your computer for Endpoint Protection to scan.

Running a right-click scan
1. Right-click the file or folder on your computer, and then click Scan with Forefront Endpoint Protection.
2. Endpoint Protection begins scanning the selected file or folder.
3. As soon as it completes the scan, Endpoint Protection displays the scan results.

Note: Depending on the file size, this scan may take only a few seconds.

Scheduling scans
By default, Forefront Endpoint Protection runs a scheduled scan on your computer once a week. A weekly scan is sufficient for most computers, because Endpoint Protection monitors your computer continuously through the real-time protection feature. To learn more, see What's real-time protection?. A scheduled scan checks the areas of your computer that malicious software, including viruses, spyware, and other potentially unwanted software, are most likely to infect. If you want Endpoint Protection to check all files and programs on your computer, you can run or schedule a full scan.

To change the scheduled scan
1. Click Settings, and then click Scheduled scan.
2. If the Run a scheduled scan on my computer (recommended) check box is not selected, select it now.
3. Next to the When field, select the day that you want to run the scan. For example, you can run a scan daily or on a certain day of the week, such as Sunday.
4. Next to the Around field, select the time that you want the scheduled scan to run.
Note: Scans may begin within two hours of the scheduled time you select. Exact scan times are randomized to reduce strain on network traffic. Scans might also be delayed if something else is currently running on your computer, such as an update.
5. Next to the Scan type field, select the type of scan that you want to run, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

When is the best time to run a scan on my computer?

Because the scheduled scan can slow down your computer's performance, you should run the scheduled scan at a time when it will least affect your work. In other words, schedule the scan for a time when the computer is on but you aren't using it. By default, the time is set for around 2 A.M., but if you work at night, consider changing the time to sometime during the day.

To make sure the scan runs when your computer isn't being used
1. Click Settings, and then click Scheduled scan.
2. If the Start the scheduled scan only when my computer is on but not in use check box is not selected, select it now, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

Responding to potential threats after a scan

To gain more control over how Forefront Endpoint Protection handles detected threats, use the Default actions tab or the Threat handling tab, depending on your product version.
1. Click the Settings tab, and then select the Default actions tab.
2. Select the action that you want to apply to each alert level.
3. Select the Apply recommended actions check box, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.
To learn more about applying default actions, see Applying default actions to detected items.

How can I view a scan's progress?

Forefront Endpoint Protection notifies you whenever it's running a scheduled scan. Depending on the scan type, a scan may take some time and may affect your computer's performance. To learn more about scan types, see Scanning for viruses, spyware, and other potentially unwanted software.

To view the progress of a scheduled scan

If you're running Forefront Endpoint Protection on the Windows XP (with Service Pack 2 (SP2) or a later service pack) operating system or on the Windows Vista operating system, you'll see the Forefront Endpoint Protection icon in the notification area. Whenever a scan is in progress, the Forefront Endpoint Protection icon in the notification area will also display an animation to let you know that it's scanning your computer. Click the icon to see which type of Forefront Endpoint Protection scan is in progress, how long it's been running, and how many items have been scanned.

If a scan is in progress, Forefront Endpoint Protection displays the scan's progress until the scan is complete. When it completes the scan, Endpoint Protection then displays the scan results and the date and time when the scan was completed. If you're running Endpoint Protection on a Windows 7 operating system, you won't see the Forefront Endpoint Protection icon in the notification area (unless you manually added the icon to the notification area). However, when you click the arrow in the notification area, you can see additional icons, including the Forefront Endpoint Protection icon. Double-clicking the icon will display the scan's progress.

What are advanced scanning options?

When scanning your computer, you can choose from these additional options:

Scan archive files: Scanning these files might increase the time required to complete a scan, but malicious software, including viruses, spyware, and other potentially unwanted software, can install itself and attempt to "hide" in these files.

Scan removable drives: Use this option to scan the contents of removable drives, such as USB flash drives.

Create a system restore point before applying actions to detected items: System restore helps you restore your computer's system files to an earlier point in time. It's a way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos. These restore points contain information about registry settings and other system information that Windows uses. When you select this option, Forefront Endpoint Protection creates a system restore point on your computer on a daily basis before cleaning your computer. This option allows you to restore software that you didn't intend to remove.

To set advanced scanning options
1. Click Settings, and then click Advanced.
2. Select the check box next to each option that you want to use, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

Excluding items from a scan

To help speed up scans running on your computer, you can choose to exclude certain files, locations, file types, and processes from the scan.
Warning: Exclusions can help speed up the scan, but may leave your computer less protected. Only select them if you're sure that the excluded files, locations, or processes do not contain malicious software.
Important: Exclusions are applied to both on-demand scans and real-time protection.

To exclude certain files and locations
1. Click the Settings tab, and then click Excluded files & locations.
2. Click Add, and then select the files, folders, and locations (such as drives) that you want to exclude.
3. Click OK, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

To exclude certain file types
1. Click the Settings tab, and then click Excluded file types.
2. In the field at the top of the tab, enter the file type to exclude, and then click Add.
3. Repeat step 2 until you've added all the file types that you want to exclude.
4. Click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

To exclude processes running on your computer
1. Click the Settings tab, and then click Excluded processes.
2. Click Add, and then select the processes you want to exclude. Make sure that you add only files that use one of the extensions listed below.
3. Click OK, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

You can exclude the following process types:
Executable files (.exe)
Command files (.cmd)
Batch files (.bat)
Program information files (.pif)
Windows Explorer shell command files (.scf)
Windows screen saver files (.scr)

What's real-time protection?

Real-time protection enables Forefront Endpoint Protection to monitor your computer all the time and alert you when potential threats, such as viruses and spyware, are trying to install themselves or run on your computer. Because this feature is an important element of the way that Endpoint Protection helps protect your computer, you should make sure real-time protection is always turned on. If real-time protection gets turned off, Endpoint Protection notifies you, and changes your computer's status to At risk. Whenever real-time protection detects a threat or potential threat, Endpoint Protection displays a notification. You can then choose from the following options:

Click Clean computer to remove the detected item. Endpoint Protection will automatically remove the item from your computer.
Click the Show details link to display the Potential threat details window, and then choose which action to apply to the detected item. For more information, see What should I do if Forefront Endpoint Protection detects malicious software on my computer?.

Understanding real-time protection options

You can choose the software and settings that you want Forefront Endpoint Protection to monitor, but we recommend that you turn on real-time protection and enable all real-time protection options. The following table explains the available options.

Real-time protection option and its purpose:

Scan all downloads
This option monitors files and programs that are downloaded, including files that are automatically downloaded via Windows Internet Explorer and Microsoft Outlook Express, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Malicious software, including viruses, spyware, and other potentially unwanted software, can be included with these files and installed without your knowledge. Using the real-time protection option, Endpoint Protection monitors your computer all the time and checks for any malicious files or programs that you may have downloaded. This monitoring feature means that Endpoint Protection doesn't need to slow down your browsing or e-mail experience by requiring a check of any files or programs you may want to download.

Monitor file and program activity on your computer
This option monitors when files and programs start running on your computer, and then it alerts you about any actions they perform and actions taken on them. This is important, because malicious software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Forefront Endpoint Protection monitors your programs and alerts you if it detects suspicious activity.

Enable behavior monitoring
This option monitors collections of behavior for suspicious patterns that might not be detected by traditional antivirus detection methods.

Enable Network Inspection System
This option helps protect your computer against zero-day exploits of known vulnerabilities, decreasing the window of time between the moment a vulnerability is discovered and an update is applied.

Turning real-time protection on and off

To help prevent viruses, spyware, or other potentially unwanted software from running on your computer, you should make sure you've turned on real-time protection and selected both real-time protection options. Real-time protection alerts you when viruses, spyware, or other potentially unwanted software attempts to install or run on your computer. To help protect your privacy and your computer, we recommend that you select all real-time protection options. For more information about real-time protection, see What's real-time protection?. When you install Forefront Endpoint Protection on your computer, the real-time protection feature is turned on by default. Although it is not recommended, you can turn off real-time protection.

To turn off real-time protection
1. Click Settings, and then click Real-time protection.
2. Clear the real-time protection options you want to turn off, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.
You can also turn on or off specific features of real-time protection individually. To learn more, see Understanding real-time protection options.

How do I know that Forefront Endpoint Protection is running on my computer?

After you install Forefront Endpoint Protection on your computer, you can close the main window and let Endpoint Protection run quietly in the background. Endpoint Protection will continue running on your computer, monitor it, and help protect it against threats. Of course, you'll know that Endpoint Protection is running whenever it displays notification messages in the notification area. These notifications alert you to potential threats that Endpoint Protection has detected. You'll also receive other alert notifications, for example, if for some reason real-time protection has been turned off, if you haven't updated your virus and spyware definitions for a number of days, or when upgrades to the program become available. Endpoint Protection also briefly displays a notification to let you know that it's scanning your computer.

You can also refer to the Endpoint Protection icon that appears in the notification area:

Tip: If you don't see the Endpoint Protection icon in the notification area, click the arrow in the notification area to show hidden icons, including the Endpoint Protection icon.

The icon color depends on your computer's current status:
Green indicates that your computer's status is "protected."
Yellow indicates that your computer's status is "potentially unprotected."
Red indicates that your computer's status is "at risk."

How to set up Forefront Endpoint Protection alerts

When Microsoft Forefront Endpoint Protection 2010 is running on your computer, it automatically alerts you if it detects viruses, spyware, or other potentially unwanted software. You can also set Forefront Endpoint Protection to alert you if you run software that has not yet been analyzed, and you can choose to be alerted when software makes changes to your computer.

To set up Endpoint Protection alerts
1. Click Settings, and then click Real-time protection.
2. Make sure the Turn on real-time protection (recommended) check box is selected.
3. Select the check boxes next to the real-time protection options you want to run, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

What are virus and spyware definitions?

When you use Forefront Endpoint Protection, it is important to have up-to-date virus and spyware definitions. Definitions are files that act like an ever-growing encyclopedia of potential software threats. Endpoint Protection uses definitions to determine if software that it detects is a virus, spyware, or other potentially unwanted software, and then to alert you to potential risks. To help keep your definitions up to date, Endpoint Protection works with Microsoft Update to install new definitions automatically as they are released. You can also set Endpoint Protection to check online for updated definitions before scanning. For information about keeping your definitions up to date and how to download the latest definitions manually, see How do I keep virus and spyware definitions up to date?.

How do I keep virus and spyware definitions up to date?

Virus and spyware definitions are files that act like an encyclopedia of known malicious software, including viruses, spyware, and other potentially unwanted software. Because malicious software is continually being developed, Forefront Endpoint Protection relies on up-to-date definitions to determine if software that is trying to install, run, or change settings on your computer is a virus, spyware, or other potentially unwanted software.

To automatically check for new definitions before scheduled scans (recommended)
1. Click Settings, and then click Scheduled scan.
2. Make sure the Check for the latest virus and spyware definitions before running a scheduled scan check box is selected, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

To check for new definitions manually
1. Endpoint Protection updates the virus and spyware definitions on your computer automatically. If the definitions haven't been updated for over seven days (for example, if you didn't turn on your computer for a week), Endpoint Protection will notify you that the definitions are out of date.
2. To check for new definitions manually, click the Update tab, and then click Update.
Note: While updating definitions, if you're running Endpoint Protection on the Windows XP (with Service Pack 2 (SP2) or a later service pack) operating system or on the Windows Vista operating system, the program displays an "updating" icon in the notification area.

Running a scan using the latest updates

To maximize the scan's effectiveness, you should make sure the computer is scanned using the very latest virus and spyware definitions, which contain the latest updates on potential threats.

To make sure the scan is using the latest virus and spyware definitions
1. Click Settings, and then click Scheduled scan.
2. Make sure the Check for the latest virus and spyware definitions before running a scheduled scan check box is selected, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

How do I remove or restore items quarantined by Forefront Endpoint Protection?

When Forefront Endpoint Protection quarantines software, it moves the software to another location on your computer, and then it prevents the software from running until you choose to restore it or to remove it from your computer. For all the steps mentioned in this procedure, if you're prompted for an administrator password or confirmation, type the password or provide confirmation.

To remove or restore quarantined items
1. Click the History tab, and then select the Quarantined items option.
2. In Windows Vista or Windows 7, click View details to see all of the items.
3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the items.
4. Review each item, and then for each, click Remove or Restore. If you want to remove all of the quarantined items from your computer, click Remove All.
Warning: Do not restore software with severe or high alert ratings, because it can put your privacy and the security of your computer at risk.

How do I add or remove items from the Forefront Endpoint Protection allowed list?

If you trust software that Forefront Endpoint Protection has detected, you can stop Forefront Endpoint Protection from alerting you about risks that the software might pose to your privacy or your computer. To stop receiving alerts for this software, you must add the software to the Forefront Endpoint Protection allowed list. If you decide that you want to monitor the software again later, you can remove it from the Forefront Endpoint Protection allowed list at any time.

To add an item to the allowed list
1. The next time Endpoint Protection alerts you about the software, click the Show details link.
2. In the Potential threat details dialog box, click the down arrow in the Recommendation column, and then click Allow.

To remove an item from the allowed list and enable Endpoint Protection to monitor it
1. Click the History tab, and then select the Allowed items option.
2. In Windows Vista or Windows 7, click View details to see all of the items. If you're prompted for an administrator password or confirmation, type the password or confirm the action.
3. In Windows XP, you'll need to log on as an administrator on the computer to see all of the items.
4. Select the item that you want to monitor, and then click Remove. If you're prompted for an administrator password or confirmation, type the password or confirm the action.
Warning: Do not allow software with severe or high alert ratings to run on your computer, because it can put your privacy and the security of your computer at risk.

How do I view or clear the history in Forefront Endpoint Protection?

The history displays the actions you applied to viruses, spyware, and other potentially unwanted software that Forefront Endpoint Protection has detected on your computer.

To view or clear the history
1. Click the History tab.
2. In Windows Vista or Windows 7, click View details to see all of the items. If you are prompted for an administrator password or confirmation, type the password or confirm the action.
3. In Windows XP, you need to log on as an administrator on the computer to see all of the items.
4. To delete all of the items in the list, click Delete history. If you are prompted for an administrator password or confirmation, type the password or confirm the action.

What if I want to download or run a program that Forefront Endpoint Protection detects as potentially harmful?

When Forefront Endpoint Protection detects a potentially harmful program, it alerts you by displaying a notification. However, if you trust a program that Forefront Endpoint Protection has detected as potentially harmful, you can allow it to run on your computer.
Warning: If Endpoint Protection assigns a severe or high alert level to a program, it's a widespread or exceptionally malicious program, or it is a program that might collect your personal information without your knowledge. These programs can negatively affect your privacy and the security of your computer and can damage your computer. We strongly advise you not to run these programs on your computer.
1. Download the program that you want to run.
2. When Forefront Endpoint Protection displays the notification, click the Show details link.
3. In the Potential threat details dialog box, select the program, click the down arrow in the Recommendation column, and then click Allow.
4. Click Apply actions. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

Privacy settings for detected items

To help protect user privacy, Forefront Endpoint Protection enables the local computer administrator to limit viewing of the detected items for all of the users on the computer in the History tab.

To allow only the local computer administrator to view all detected items
1. Click Settings, and then click Advanced.
2. Clear the Allow all users to view the full History results check box, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

What is the Microsoft SpyNet Community?

Microsoft SpyNet is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions to better protect your computer. The information sent can include the location of detected items on your computer if a virus, spyware, or potentially harmful software has been removed. The information will be automatically collected and sent.

Reporting suspicious software to Microsoft SpyNet

If Forefront Endpoint Protection detects software on your computer that has not yet been classified for risks, you might be asked to send a sample of the software to Microsoft SpyNet for analysis. When you're prompted to send a sample, Endpoint Protection displays a list of files that can help analysts determine if the software is malicious. You can choose to send some or all of the files in the list. For information on Microsoft SpyNet, see Changing your Microsoft SpyNet community membership.

To send files to Microsoft SpyNet

If Endpoint Protection detects a file or program on your computer that might be malicious or harmful, you can send it to Microsoft.

To submit a malicious software sample
1. On the Help menu, click Submit malicious software sample.
2. The Microsoft Malware Protection Center site opens. Follow the instructions, and submit the sample.

To report software that might be incorrectly classified

If Endpoint Protection alerts you about software that you don't believe is malicious or unwanted, you can report the problem to Microsoft by completing the False Positive Report Form on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=155581).

Changing your Microsoft SpyNet community membership

When you installed Forefront Endpoint Protection, you agreed to join Microsoft SpyNet using a basic membership. You have the following membership options:

Basic membership: Endpoint Protection sends basic information to Microsoft about software that Endpoint Protection detects, including where the software came from, the actions that you apply or that Endpoint Protection applies automatically, and whether the actions were successful. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you.

Advanced membership: In addition to basic information, Endpoint Protection sends more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has affected your computer. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or to contact you.

To change your Microsoft SpyNet community membership
1. Click Settings, and then click Microsoft SpyNet.
2. Select the level of participation that you want by clicking Basic membership or Advanced membership, and then click Save changes. If you're prompted for an administrator password or confirmation, type the password or confirm the action.

To learn more about Microsoft SpyNet, see Reporting suspicious software to Microsoft SpyNet.

Where can I find the Forefront Endpoint Protection privacy statement?

The updated privacy statement is available through the Help menu or through the Forefront Endpoint Protection Web site.

To view the privacy statement
1. On the Help menu, click View privacy statement.

Where can I find the Forefront Endpoint Protection license agreement?

The license agreement is available through the Help menu or through the Microsoft Forefront Endpoint Protection 2010 Web site.

To view the license agreement
1. On the Help menu, click View license agreement.

Troubleshooting

If you encounter problems with Forefront Endpoint Protection, contact your security administrator for support.

Troubleshooting Update Issues

Microsoft Forefront Endpoint Protection 2010 works automatically with Microsoft Update to ensure that your virus and spyware definitions are kept up to date.

Symptoms

This article addresses common issues with automatic updates, including the following situations:
You see error messages indicating that updates have failed.
When you check for updates, you receive an error message that the virus and spyware definition updates cannot be checked, downloaded, or installed.
Even though you are connected to the Internet, the updates fail.
Updates are not automatically installing as scheduled.

Technical Reference

Page number 253 Cause The most common causes for update issues are problems with Internet connectivity. For help with Internet connectivity, see I can't connect to the Internet issue (General topic). However, if you know you are connected to the Internet because you can browse to other Web sites, the issue might be caused by conflicts with your settings in Windows Internet Explorer. Solution Important: You have to exit Internet Explorer to complete these steps. Therefore, print them, write them down, or copy them to another file, and then bookmark this topic for future access. Step 1: Reset your Internet Explorer settings 1. Exit all open programs, including Internet Explorer. Note: Resetting these settings in Internet Explorer deletes your temporary files, cookies, browsing history, and your online passwords. But, your favorites are not deleted. 2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter. 3. In the Internet Options dialog box, click the Advanced tab. 4. Under the Reset Internet Explorer settings, click Reset, and then click Reset again. 5. Wait until Internet Explorer finishes resetting the settings, and then click OK. 6. Open Internet Explorer. 7. Open Microsoft Security Essentials, click the Update tab, and then click Update. 8. If the issue persists, proceed to the next step. Step 2: Set Internet Explorer as the default browser 1. Exit all open programs, including Internet Explorer. 2. Click Start, and in the Start Search box, type inetcpl.cpl, and then press Enter. 3. In the Internet Options dialog box, click the Programs tab. 4. Under Default Web browser, click Make default. 5. Click OK.

Technical Reference

Page number 254 6. Open Microsoft Forefront Endpoint Protection 2010. Click the Update tab, and then click Update. 7. If the issue persists, proceed to the next step. Step 3: Ensure that the date and time are set correctly on your computer 1. Open Forefront Endpoint Protection. 2. If the error message that you received contains the code 0x80072f8f, the problem is most likely caused by an incorrect date or time setting on your computer. 3. To reset your computer's date or time setting, follow the steps in Fix broken desktop shortcuts and common system maintenance tasks (http://go.microsoft.com/fwlink/?LinkId=155579). Step 4: Rename the Software Distribution folder on your computer 1. Stop the Automatic Updates service a. Click Start, click Run, type services.msc, and then click OK. b. Right-click the Automatic Updates service, and then click Stop. c. Minimize the Services snap-in. 2. Rename the SoftwareDistribution directory as follows: a. Click Start, click Run, type cmd, and then click OK. b. Type cd %windir%, and then press Enter. c. Type ren SoftwareDistribution SDTemp, and then press Enter. d. Type exit, and then press Enter. 3. Start the Automatic Updates service as follows: a. Maximize the Services snap-in. b. Right-click Automatic Updates service, and then click Start. c. Close the Services snap-in window. Step 5: Reset the Microsoft antivirus update engine on your computer 1. Click Start, click All Programs, click Accessories, and then right-click Command Prompt, and then select Run as administrator. 2. In the Command Prompt window, type the following commands and press Enter after each command:

Technical Reference

Page number 255 Cd\ Cd program files\microsoft security essentials Mpcmdrun removedefinitions all Exit 3. Restart your computer. 4. Open Forefront Endpoint Protection, click the Update tab, and then click Update. 5. If the issue persists, proceed to the next step. Step 6: Manually install the virus and spyware definition updates

If you are running a 32-bit Windows operating system, download the latest updates manually at http://go.microsoft.com/fwlink/?LinkID=87342 (http://go.microsoft.com/fwlink/?LinkID=87342). If you are running a 64-bit Windows operating system, download the latest updates manually at http://go.microsoft.com/fwlink/?LinkID=87341 (http://go.microsoft.com/fwlink/?LinkID=87341). Click Run. The latest updates are manually installed on your computer.

Note: If you were able to manually install virus and spyware definitions, the problem is most likely caused by a download issue. To learn how to resolve download issues, see Resolving download issues during setup or upgrade.

Step 7: Contact Support

If the steps did not resolve the issue, contact support. For more information, see Customer Support (http://go.microsoft.com/fwlink/?LinkID=196174).
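Steps 4 and 5 above, scripted as an added example in PowerShell (this is not code from the Forefront documentation). It assumes an elevated prompt and that MpCmdRun.exe sits in the same folder as the Microsoft Antimalware Service executable, which is looked up from the service registration rather than hard-coded; both are assumptions, not statements from the page.

```powershell
# Added example, not part of the Forefront documentation: automates Steps 4 and 5
# of the definition-update procedure above. Run from an elevated PowerShell prompt.
# Assumption: MpCmdRun.exe lives in the same folder as the Microsoft Antimalware
# Service binary, so the folder is read from the service registration instead of
# being hard-coded.
$ErrorActionPreference = 'Stop'

# Step 4, 1a-1b: the update service is "Automatic Updates" on Windows XP and
# "Windows Update" on Windows Vista/7; match either display name.
$updateSvc = Get-Service | Where-Object {
    @('Automatic Updates', 'Windows Update') -contains $_.DisplayName
} | Select-Object -First 1
if (-not $updateSvc) { throw 'No Automatic Updates / Windows Update service found.' }

Write-Host "Stopping $($updateSvc.DisplayName) ..."
Stop-Service -Name $updateSvc.Name -Force
$updateSvc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))

# Step 4, 2a-2d: rename SoftwareDistribution to SDTemp, exactly as the procedure
# does. A leftover SDTemp from an earlier attempt is moved aside with a
# timestamp so this rename cannot fail because the name is already taken.
$sd     = Join-Path $env:windir 'SoftwareDistribution'
$sdTemp = Join-Path $env:windir 'SDTemp'
if (Test-Path $sdTemp) {
    Rename-Item -Path $sdTemp -NewName ('SDTemp.' + (Get-Date -Format 'yyyyMMddHHmmss'))
}
if (Test-Path $sd) { Rename-Item -Path $sd -NewName 'SDTemp' }

# Step 4, 3a-3c: start the update service again.
Start-Service -Name $updateSvc.Name

# Step 5: find MpCmdRun.exe next to the antimalware engine and clear the
# definitions so the next update downloads a fresh set.
$amSvc = Get-WmiObject Win32_Service -Filter "DisplayName='Microsoft Antimalware Service'"
if (-not $amSvc) { throw 'Microsoft Antimalware Service is not installed.' }
# PathName is the quoted path to the engine executable; strip the quotes.
$engineDir = Split-Path -Path $amSvc.PathName.Trim('"') -Parent
$mpCmdRun  = Join-Path $engineDir 'MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found in $engineDir" }

& $mpCmdRun -RemoveDefinitions -All
if ($LASTEXITCODE -ne 0) { Write-Warning "RemoveDefinitions exited with code $LASTEXITCODE" }

# Equivalent of clicking Update on the Update tab; the procedure still asks for
# a restart before judging the result.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { Write-Warning "SignatureUpdate exited with code $LASTEXITCODE" }
Write-Host 'Done. Restart the computer, then open the Update tab and click Update.'
```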

I can't start the Forefront Endpoint Protection service

Symptom
You receive a message notifying you that Microsoft Forefront Endpoint Protection 2010 isn't monitoring your computer because the program's service stopped. You should restart it now.

Solution
Step 1: Restart your computer

Close all applications and restart your computer.

Step 2: Make sure the Microsoft Forefront Endpoint Protection 2010 service is set to automatic and is started
1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.
or
In Windows Vista and Windows 7, click Start, click in the Start Search box, type services.msc, and then press Enter.
2. Search for Microsoft Antimalware Service. Right-click it and select Properties, or double-click it to open the service.
3. Check to make sure that the "Startup Type" is set to "Automatic".
4. Click the Start button to start the service. If the Start button is not available, click the Stop button, and then click the Start button to restart the service.
5. Make sure you note any errors that may appear during this process, submit a case online, and include the error information.

Step 3: Remove any existing Internet security programs
1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.
or
In Windows Vista or Windows 7, click Start, click in the Start Search box, type appwiz.cpl, and then press Enter.
2. In the list of installed programs, uninstall any third-party Internet security programs.
3. Restart your computer, and then try to install Microsoft Forefront Endpoint Protection 2010 again.
Note: Some Internet security applications do not uninstall completely. You may need to download and run a cleanup utility for your previous security application in order for it to be completely removed.
Caution: When you remove Internet security programs, your computer is unprotected. If you have problems installing Forefront Endpoint Protection after you remove existing Internet security programs, contact Forefront Endpoint Protection Support immediately by submitting a case

online (for more information, see How to submit a case online).

Step 4: Uninstall/reinstall Microsoft Forefront Endpoint Protection 2010
1. In Windows XP, click Start, click Run, type appwiz.cpl, and then press Enter.
-or-
In Windows Vista and Windows 7, click Start, and in the Start Search box, type appwiz.cpl, and then press Enter.
2. In the list of installed programs, click Microsoft Forefront Endpoint Protection 2010, and then uninstall it.
3. If prompted, restart your computer, and then try to install Microsoft Forefront Endpoint Protection 2010 again.

I can't install Forefront Endpoint Protection

This topic contains solutions for issues you may encounter while installing Microsoft Forefront Endpoint Protection 2010.

Symptoms
Installation fails for an unknown reason, or you receive an error message with an error code such as 0x80070643, 0X8007064A, 0x8004FF2E, 0x8004FF01, 0x8004FF07, 0x80070002, 0x8007064C, 0x8004FF00, 0x80070001, 0x80070656, 0x8004FF40, 0xC0000156, 0x8004FF41, 0x8004FF0B, 0x8004FF11, 0x80240022, 0x8004FF04, 0x80070660, 0x800106B5, 0x80070715, 0x80070005, 0x8004EE00, 0x8007003, 0x800B0100, 0x8007064E, or 0x8007007E.

If your computer is running Windows XP Service Pack 2 (SP2), you might see one or more of the following error messages:

Installation Wizard is missing a filter manager rollup package needed to complete the installation.
KB914882 Setup Error, Setup cannot update your Windows XP files because the language installed on your system is different from the update language.

Cause
Microsoft Forefront Endpoint Protection 2010 cannot be installed on a computer that is running other security programs. Sometimes, even if you remove other security programs, they do not completely uninstall. You must be running a genuine version of the Windows operating system to install Forefront Endpoint Protection. If your computer is running Windows XP SP2, you might be missing one or more of the following prerequisites for installing Forefront Endpoint Protection:

Windows Installer 3.1


Forefront Client Security Filter Manager QFE for Windows XP/SP2

Solution
Important: You will need to restart your computer while resolving this issue. Bookmark this page (mark it as a Favorite) to make it easier to find this topic again, or print it for easy reference.

Step 1: Remove any existing security programs
1. Completely uninstall any existing Internet security programs by following the steps in the topic: How do I uninstall existing antivirus or antispyware programs?
2. Restart your computer.
3. Install Microsoft Forefront Endpoint Protection 2010 again.
If this does not resolve the issue, continue to the next step.

Step 2: Ensure that the Windows Installer service is running
1. In Windows XP, click Start, click Run, type services.msc, and then press Enter.
or
In Windows Vista, click Start. In the Start Search box, type services.msc, and then press Enter.
or
In Windows 7, click Start. In the Search programs and files box, type services.msc, and then press Enter.
2. Right-click Windows Installer, and then click Start. If Start is unavailable and the Stop and Restart options are available, the service is already started.
3. On the Services page, on the File menu, click Exit.
4. In Windows XP, click Start, click Run, type cmd, and then press Enter.
or
In Windows Vista, click Start. In the Start Search box, type command prompt. Right-click Command Prompt, and then click Run as administrator.
or
In Windows 7, click Start. In the Search programs and files box, type command prompt. Right-click Command Prompt, and then click Run as administrator.
5. Type MSIEXEC /REGSERVER, and then press Enter.

Note: There is no indication that this command has succeeded or failed.
6. Install Microsoft Forefront Endpoint Protection 2010 again.
If this does not resolve the issue, continue to the next step.

Step 3: If your computer is running Windows XP SP2, verify that it has the required prerequisites
1. If you are running Windows XP and Windows Installer 3.1 is not installed on your computer, download and install it from Windows Installer 3.1 v2 (3.1.4000.2435) is available (http://go.microsoft.com/fwlink/?LinkId=110600).
2. Download and install the required hotfix for client computers running Windows XP SP2:
a. Go to Forefront Client Security Filter Manager QFE for Windows XP/SP2 (http://www.microsoft.com/downloads/details.aspx?FamilyID=B18A6BA9-AF43-4B0A-BABD-1E60A2D5E08A&displaylang=en).
b. On the Web page, click the link for the download package that is in the same language as the version of Windows XP running on the client computer.
c. Follow the instructions to download and install the hotfix package.
d. Restart your computer.
e. Install Microsoft Forefront Endpoint Protection 2010.
If this does not resolve the issue, continue to the next step.

Step 4: Start Windows in Selective Startup mode
1. In Windows XP, click Start, click Run, type msconfig, and then press Enter.
or
In Windows Vista, click Start. In the Start Search box, type msconfig, and then press Enter.
or
In Windows 7, click Start. In the Search programs and files box, type msconfig, and then press Enter.
2. On the General tab, click Selective Startup, and then clear the Load Startup Items check box.
3. On the Services tab, select the Hide All Microsoft Services check box, and then clear all the check boxes for the services that remain in the list.
4. Click OK, and then click Restart to restart the computer.
5. Try to install Microsoft Forefront Endpoint Protection 2010 again.


I can't connect to the Internet issue (General topic)

In order to make sure that your computer receives the latest updates from Windows Update, you must be connected to the Internet.

Symptom
You receive a notification that Microsoft Forefront Endpoint Protection 2010 is unable to install the latest updates because you are not connected to the Internet.

Cause
Internet issues might be due to connection problems between your computer and your router.

Solution
Note: Before you begin, print or write down these instructions. You will restart your computer during this procedure, so you'll need a copy of the steps to refer to. The steps may contain a link to another Web site, so you may want to bookmark this topic before you begin.

Step 1: Test your Internet connection by trying to visit several Web sites and checking other Internet-enabled applications

If you are able to access Web sites, continue to the next step.

Step 2: Verify that your computer is connected to the Internet
1. In Windows XP, click Start, click Run, type ncpa.cpl, and then press Enter.
or
In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press Enter.
or
In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then press Enter.
2. Right-click the connection name, and then click Status.
3. If your computer is connected, in Windows XP the connection status will appear as Connected, Enabled, or Authentication succeeded. In Windows Vista and Windows 7, the IPv4 status will appear as Internet.
4. If your computer doesn't appear to be connected, right-click the connection name, and then click Connect, Enable, Authenticate, or Repair.

Step 3: Restart your computer

Close any open programs and restart your computer.

Step 4: If you still can't connect to the Internet, check your connections
1. If you use a dial-up connection, make sure the telephone cord connections in the wall jack and in your modem are firmly seated.
2. If you use a cable modem, make sure the cable connection to the modem and the connection from the modem to your computer are firmly seated.
3. If you use a cable modem or DSL router, make sure the connections to the router and to the computer are firmly seated. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the modem first, wait one minute, then plug in the router, and restart your computer.

Step 5: Use the Windows Network Diagnostic tool
For computers running Windows Vista and Windows 7
1. In Windows Vista, click Start, click in the Start Search box, type ncpa.cpl, and then press Enter.
or
In Windows 7, click Start, click in the Search programs and files box, type ncpa.cpl, and then press Enter.
2. Right-click the network connection that the computer would use to connect to the Internet, click Diagnose, and then follow the on-screen instructions.
3. If you use a cable modem or DSL router, make sure the connections to the router and to the computer are firmly seated.
4. Try unplugging and turning off the router and modem. Wait a few minutes, plug in the modem first, wait one minute, then plug in the router, and restart your computer.
For computers running Windows XP
1. In Control Panel, click Network and Internet Connections, and then click Network Diagnostics.
2. If you do not see the Network and Internet Connections option in Control Panel, click Start, and then click Help and Support. On the Help and Support Center page, under Pick a Task, click Use Tools to view your computer information and diagnose problems. In the left-hand column of the tools page, click Network Diagnostics.
Step 6: If you still can't connect to the Internet, contact your Internet Service Provider (ISP) or the company that provides your access to the Internet

Error 0x8******* encountered during virus and spyware definition updates or product upgrades

Forefront Endpoint Protection uses the Microsoft Update (MU) service to deliver virus and spyware definition updates and product upgrades. Definition update failures that are caused by this service result in a 0x8******* error. If you encounter these errors, write down the exact error code and follow these steps.

Step 1: Restart the Microsoft Update (MU) service
In Windows XP
1. Click Start, click Run, type services.msc, and then press Enter.
2. Right-click Automatic Updates, and then click Start. If Start is unavailable, click Restart.
In Windows Vista and Windows 7
1. In Windows Vista, click Start, and in the Start Search box, type services.msc, and then press Enter.
-or-
In Windows 7, click Start, and in the Search programs and files box, type services.msc, and then press Enter.
2. Right-click Windows Update, and then click Start. If Start is unavailable, click Restart.

Step 2: Troubleshoot Microsoft Update (MU) errors
1. Visit Windows Vista Help & How-to (http://go.microsoft.com/fwlink/?LinkId=166390).
2. In the search box, enter the error code that you received.
3. Follow the steps provided and try again.
4. To update the virus and spyware definitions, click the Update tab, and then click Update.

Forefront Endpoint Protection detects a threat but can't remediate it

When Microsoft Forefront Endpoint Protection 2010 detects a potential threat that's hiding inside a compressed file with a .zip file name extension or within a network share, it tries to deal with the threat by quarantining or removing it.

Symptom
You might receive a notice that Forefront Endpoint Protection was not able to apply your actions.

Cause
In most cases, this problem occurs because Forefront Endpoint Protection doesn't have access to the location where the infection is located.

Solution
Remove or scan the file


If the detected threat was in a .zip file, browse to the .zip file, and then either remove the file or scan it by right-clicking the file and selecting Scan with Forefront Endpoint Protection. If Forefront Endpoint Protection detects additional threats in the file, it notifies you about these threats and enables you to choose an appropriate action.

If the detected threat was in a network share, browse to the network share and scan it by right-clicking the file and selecting Scan with Forefront Endpoint Protection. If Forefront Endpoint Protection detects additional threats in the network share, it notifies you about these threats and enables you to choose an appropriate action.

If you're not sure of the file's origin, one of the best solutions is to run a full scan on your computer. (For more information, see Scanning for viruses, spyware, and other potentially unwanted software.) A full scan may take some time to complete, but it makes it possible for Forefront Endpoint Protection to look for the source of the infection and clean it.
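The "scan the file or share" step above, done from the command line as an added example in PowerShell (not code from the Forefront documentation). It checks first that the path is reachable, since lack of access to the location is the cause the topic names; the function name, the lookup of MpCmdRun.exe beside the Microsoft Antimalware Service executable, the service-account remark and the sample paths are all assumptions of this example.

```powershell
# Added example, not part of the Forefront documentation: scans one file (for
# example a .zip) or a network share path with MpCmdRun after first checking
# that the path is reachable, since "doesn't have access to the location" is the
# usual cause of the failure described above. Assumes MpCmdRun.exe sits beside
# the Microsoft Antimalware Service executable.
function Invoke-FepCustomScan {
    param([Parameter(Mandatory = $true)][string]$Target)

    # Reachability check in the caller's context. The scan itself is carried
    # out by the antimalware service under its own account (assumed here to be
    # LocalSystem), which may hold no rights on a remote share even when the
    # logged-on user does; in that case grant that account read access or scan
    # the share from a host that can reach it.
    if (-not (Test-Path -LiteralPath $Target)) {
        throw "Cannot reach '$Target' from this account; fix the path or share permissions first."
    }
    if ($Target.StartsWith('\\')) {
        Write-Warning "'$Target' is a network share; the service account must be able to read it."
    }

    $amSvc = Get-WmiObject Win32_Service -Filter "DisplayName='Microsoft Antimalware Service'"
    if (-not $amSvc) { throw 'Microsoft Antimalware Service is not installed.' }
    $mpCmdRun = Join-Path (Split-Path -Path $amSvc.PathName.Trim('"') -Parent) 'MpCmdRun.exe'
    if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found next to $($amSvc.PathName)" }

    # -ScanType 3 is a custom scan limited to the given file or folder, the
    # command-line equivalent of "Scan with Forefront Endpoint Protection".
    $output = & $mpCmdRun -Scan -ScanType 3 -File $Target 2>&1
    New-Object PSObject -Property @{
        Target   = $Target
        ExitCode = $LASTEXITCODE
        Output   = ($output | Out-String)
    }
}

# Example invocations (constructed paths, not from the documentation):
# Invoke-FepCustomScan -Target 'C:\Users\Public\Downloads\attachment.zip'
# Invoke-FepCustomScan -Target '\\fileserver\share\suspect'
```

A non-zero ExitCode together with the captured Output tells you whether the scan itself failed (typically the access problem above) or completed with detections that you can then act on in the console.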
