Administration

This guide is intended for administrators who are responsible for managing Forefront/System Center Endpoint Protection clients. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Deploy Endpoint Protection.

Key Components


Specops Deploy GPMC snap-in: You can use the Specops Deploy GPMC snap-in to create new Specops Deploy Endpoint Protection GPOs. You can also add settings to an existing GPO, and use security filtering to gain more granular control over which computers should have which settings.

Specops Reporting: You can use Specops Reporting to view reports and monitor the status of your Endpoint Protection clients. Specops Reporting creates reports of the data contained in the Specops Deploy Endpoint Protection feedback database. Specops Reporting contains several predefined reports, but also allows you to create your own report definitions.

Managing policies


The Specops Deploy GPMC snap-in can be used to manage GPOs. You can access the Specops Deploy GPMC snap-in from the Group Policy Management Editor.

Create a new policy

The Specops Deploy GPMC snap-in works within the context of one GPO. The scope of the GPO should contain all the computers and users that you want to manage software for.

  1. In the GPMC, expand your domain node, and locate the GPO node.
  2. Right-click on the GPO node, and select New.
  3. Enter a name for the Group Policy Object, and click OK.
  4. Right-click on the new GPO node, and select Edit.
  5. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and select Specops Deploy Endpoint Protection.
  6. Click
  7. Configure the policy, and click OK.

Edit an existing policy

  1. In the GPMC, expand your domain node, and locate the GPO you want to edit.
  2. Right-click on the GPO node, and select Edit.
  3. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and select Specops Deploy Endpoint Protection.
  4. Click
  5. Configure the policy, and click OK.

GPO settings


The table below provides an overview of the available settings that you can use to determine the customization your organization will need. The hierarchical approach allows you to enable the specific settings you wish to modify at each level in Active Directory. Settings passed on from higher policies will be merged, and the resulting configuration will be applied to the Endpoint Protection client.

General settings

Setting: Description
Schedule Scan: This setting sets the time when a scan should be run on the computer.
> Scan type: This policy setting allows you to specify the scan type to use during a scheduled scan. The scan type options are:
  • Quick Scan
  • Full Scan
> When: This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
> Around: This policy setting allows you to specify the time of the day at which to perform a daily quick scan.
Note: The schedule is based on local time on the computer where the scan is executing.
> Daily quick scan time around: This policy setting allows you to specify the time of day at which to perform a daily quick scan.
> Check for the latest virus and spyware definitions before running a scheduled scan: This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
> Start the scheduled scan when my computer is on but not in use: This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
> Limit CPU usage during scan to: This policy setting allows you to configure the maximum percentage of CPU utilization permitted during a scan.
Default actions: This policy setting allows you to set a default action to take when System Center Endpoint Protection finds a potential or known threat, based on alert level. There are four threat levels:
  • Severe
  • High
  • Medium
  • Low
This setting also allows you to set whether SCEP will Remove, Quarantine, or Allow a threat at each level.
Real-time protection: This policy setting allows you to configure real-time protection. This setting controls all real-time protection components.
> Scan all downloads: This policy setting allows you to configure scanning for all downloaded files and attachments.
> Monitor file and program activity on your computer: This policy setting allows you to configure monitoring for file and program activity.
> Enable behaviour monitoring: This policy setting allows you to configure behavior monitoring.
> Enable Network Inspection System: This policy setting allows you to configure network protection against exploits of known vulnerabilities.
Exclude files and locations: This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified.
Exclude file types: This policy setting allows you to specify a list of the file types that should be excluded from scheduled, custom, and real-time scanning.
Exclude processes: This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes.
Advanced: N/A
> Scan archive files: This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB.
> Scan removable drives: This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
> Create a system restore point: This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
> Allow all users to view the full history results: This policy setting allows all the users of the computer to see the history results for that computer (not recommended).
> Remove quarantined files after: This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
MAPS: This setting allows you to control what information is sent to Microsoft about the current potentially unwanted software, malware, and viruses. The recommended setting is Basic membership, which is the default setting for managed client users.
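As an added example (not from the Specops guide or product), the following PowerShell reads the configuration that actually arrived on a client, so an administrator can confirm what the merged GPOs delivered and spot a disabled real-time protection, a never-running scan or an over-broad exclusion. The registry locations and value names are assumptions taken from the Microsoft Antimalware policy template, not from this page.

```powershell
# Added example, not part of the Specops guide or product: audit the effective
# Endpoint Protection settings that the merged GPOs delivered to one client.
# Assumptions (not documented on this page): GPO-delivered settings are stored under
# HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware, local settings under
# HKLM\SOFTWARE\Microsoft\Microsoft Antimalware; value names follow the policy template.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'
$LocalRoot  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware'

function Get-EffectiveValue {
    param([string]$SubKey, [string]$Name)
    # A value delivered by GPO wins over the locally configured value.
    foreach ($root in @($PolicyRoot, $LocalRoot)) {
        $item = Get-ItemProperty -Path (Join-Path $root $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $source = if ($root -eq $PolicyRoot) { 'GPO' } else { 'Local' }
            return [pscustomobject]@{ Value = $item.$Name; Source = $source }
        }
    }
    [pscustomobject]@{ Value = $null; Source = 'Not set' }
}

function Get-ExclusionList {
    param([string]$SubKey)
    # Exclusions are stored as value names (a path, extension or process) under the sub-key.
    $names = foreach ($root in @($PolicyRoot, $LocalRoot)) {
        $key = Join-Path $root $SubKey
        if (Test-Path $key) { (Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' } }
    }
    @($names | Sort-Object -Unique)
}

function Describe($Entry, $Map) {
    # Turn a raw registry value into the label shown in the GPO editor, plus its source.
    if ($null -eq $Entry.Value) { return 'Not set (product default)' }
    $label = if ($Map -and $Map.ContainsKey([int]$Entry.Value)) { $Map[[int]$Entry.Value] } else { $Entry.Value }
    "$label ($($Entry.Source))"
}

$DayNames  = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'; 4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday'; 8 = 'Never' }
$ScanTypes = @{ 1 = 'Quick Scan'; 2 = 'Full Scan' }
$MapsLevel = @{ 0 = 'Disabled'; 1 = 'Basic membership'; 2 = 'Advanced membership' }
$RtpState  = @{ 0 = 'Enabled'; 1 = 'Disabled' }

$rtp  = Get-EffectiveValue 'Real-Time Protection' 'DisableRealtimeMonitoring'
$day  = Get-EffectiveValue 'Scan' 'ScheduleDay'
$type = Get-EffectiveValue 'Scan' 'ScanParameters'
$time = Get-EffectiveValue 'Scan' 'ScheduleTime'      # minutes after midnight, local time
$cpu  = Get-EffectiveValue 'Scan' 'AvgCPULoadFactor'
$maps = Get-EffectiveValue 'SpyNet' 'SpyNetReporting'
$timeLabel = if ($null -ne $time.Value) { (Get-Date).Date.AddMinutes($time.Value).ToString('HH:mm') } else { 'Not set' }

[pscustomobject]@{
    RealTimeProtection = Describe $rtp $RtpState
    ScheduledScanDay   = Describe $day $DayNames
    ScheduledScanType  = Describe $type $ScanTypes
    ScheduledScanTime  = $timeLabel
    CpuLimitPercent    = Describe $cpu $null
    MapsMembership     = Describe $maps $MapsLevel
} | Format-List

# Exclusions widen what the scanner never sees, so list them and flag the broad ones.
$paths = Get-ExclusionList 'Exclusions\Paths'
$exts  = Get-ExclusionList 'Exclusions\Extensions'
$procs = Get-ExclusionList 'Exclusions\Processes'
Write-Output "Excluded paths ($($paths.Count)): $($paths -join '; ')"
Write-Output "Excluded file types ($($exts.Count)): $($exts -join '; ')"
Write-Output "Excluded processes ($($procs.Count)): $($procs -join '; ')"

$findings = @()
if ($rtp.Value -eq 1) { $findings += 'Real-time protection is disabled.' }
if ($day.Value -eq 8) { $findings += 'Scheduled scans are set to never run.' }
foreach ($p in $paths) {
    if ($p -match '^[A-Za-z]:\\?$' -or $p -match '\*') { $findings += "Broad path exclusion: $p" }
}
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on a managed client after a Group Policy refresh; the Source column tells you whether each value came from the GPO or was left to the local configuration.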

Advanced settings

Setting: Description
General Settings
> Allow anti-malware service to startup with normal priority: This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
> Turn on spyware definitions: This policy setting allows you to manage whether spyware definitions are used during a scan.
> Turn on virus definitions: This policy setting allows you to manage whether virus definitions are used during a scan.
> Configure local administrator merge behaviour for lists: This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and exclusions.
> Define addresses to bypass proxy server: This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.
> Define proxy server for connecting to the network: This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and SpyNet reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order):
  1. Internet Explorer proxy settings
  2. Autodetect
  3. None
> Randomized scheduled task times: This policy setting allows you to enable or disable randomization of the scheduled scan time and the scheduled definition update start time.
> Allow anti-malware service to remain running always: This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remains disabled.
Client interface
> Display notifications to clients when they need to perform actions: This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions:
  • Run a full scan
  • Download the latest virus and spyware definitions
  • Download Standalone System Sweeper
> Display additional text to clients when they need to perform an action: This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action.
Network Inspection System
> Turn on protocol recognition: This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
> Turn on definition retirement: This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities.
> Define the rate of detection events for logging: This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged.
> Specify additional definition sets for network traffic inspection: This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting.
> IP address range exclusions: This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses.
> Port number exclusions: This policy setting defines a list of TCP port numbers for which network traffic inspection will be disabled.
> Process exclusions for outbound traffic: This policy setting defines processes whose outbound network traffic will not be inspected.
> Threat ID exclusions: This policy setting defines threats which will be excluded from detection during network traffic inspection.
Quarantine
> Configure local setting override for the removal of items from Quarantine: This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed.
> Configure removal of items from Quarantine folder: This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
Real-time Protection
> Turn on Information Protection Control: This policy setting allows you to configure Information Protection Control.
> Turn on raw volume write notifications: This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
> Turn on process scanning whenever real-time protection is enabled: This policy setting allows you to configure process scanning when real-time protection is turned on.
> Define the maximum size of downloaded files and attachments to be scanned: This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.
> Configure local setting override for turn on behaviour monitoring: This policy setting configures a local override for the configuration of behavior monitoring.
> Configure local setting override for scanning all downloaded files and attachments: This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.
> Configure local setting override to turn off Intrusion Prevention System: This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities.
> Configure local setting override for monitoring file and program activity on your computer: This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.
> Configure local setting override to turn on real-time protection: This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.
> Configure local setting override for monitoring for incoming and outgoing file activity: This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity.
Remediation
> Configure local setting override for the time of day to run a scheduled full scan to complete remediation: This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation.
> Specify the day of the week to run a scheduled full scan to complete remediation: This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation.
> Specify the time of day to run a scheduled full scan to complete remediation: This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation.
Reporting
> Configure time out for detections requiring additional action: This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.
> Configure time out for detections in critically failed state: This policy setting configures the time in minutes before a detection in the "critically failed" state moves to either the "additional action" state or the "cleared" state.
> Configure Watson events: This policy setting allows you to configure whether or not Watson events are sent.
> Configure time out for detections in non-critical failed state: This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.
> Configure time out for detections in recently remediated state: This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
> Configure Windows software trace preprocessor components: This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
> Configure WPP tracing level: This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing).
Scan
> Allow users to pause scan: This policy setting allows you to manage whether or not end users can pause a scan in progress.
> Specify the maximum depth to scan archive files: This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
> Specify the maximum size of archive files to be scanned: This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned.
> Scan archive files: This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
> Turn on catch-up full scan: This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed.
> Turn on catch-up quick scan: This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed.
> Turn on e-mail scanning: This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files according to their specified format, in order to analyze the mail bodies and attachments.
> Turn on heuristics: This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client.
> Scan packed executables: This policy setting allows you to configure scanning for packed executables.
> Scan removable drives: This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
> Turn on reparse point scanning: This policy setting allows you to configure reparse point scanning.
> Create a system restore point: This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
> Run full scan on mapped network drives: This policy setting allows you to configure scanning of mapped network drives.
> Scan network files: This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
> Configure local setting override for maximum percentage of CPU utilization: This policy setting configures a local override for the maximum percentage of CPU utilization.
> Configure local setting override for the scan type to use for a scheduled scan: This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan.
> Configure local setting override for schedule scan day: This policy setting configures a local override for the configuration of the scheduled scan day. This setting can only be set by Group Policy.
> Configure local setting override for scheduled quick scan time: This policy setting configures a local override for the configuration of the scheduled quick scan time.
> Configure local setting override for scheduled scan time: This policy setting configures a local override for the configuration of the scheduled scan time.
> Turn on removal of items from scan history folder: This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed.
> Specify the interval to run quick scans per day: This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans.
Signature Updates
> Define the number of days before spyware definitions are considered out of date: This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date.
> Define the number of days before virus definitions are considered out of date: This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date.
> Define file shares for downloading definition updates: This policy setting allows you to configure UNC file share sources for downloading definition updates.
> Turn on scan after signature update: This policy setting allows you to configure the automatic scan which starts after a definition update has occurred.
> Allow definition updates when running on battery power: This policy setting allows you to configure definition updates when the computer is running on battery power.
> Initiate definition update on startup: This policy setting allows you to configure definition updates on startup when there is no anti-malware engine present.
> Define the order of sources for downloading definition updates: This policy setting allows you to define the order in which different definition update sources should be contacted.
> Allow definition updates from Microsoft Update: This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
> Allow real-time definition updates based on reports to Microsoft SpyNet: This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft SpyNet.
> Specify the day of the week to check for definition updates: This policy setting allows you to specify the day of the week on which to check for definition updates.
> Specify the time to check for definition updates: This policy setting allows you to specify the time of day at which to check for definition updates.
> Allow notifications to disable definition based reports to Microsoft SpyNet: This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft SpyNet.
> Define the number of days after which a catch-up definition update is required: This policy setting allows you to define the number of days after which a catch-up definition update will be required.
> Specify the interval to check for definition updates: This policy setting allows you to specify an interval at which to check for definition updates.
> Check for the latest virus and spyware definitions on startup: This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup.
SpyNet
> Configure local setting override for reporting to Microsoft SpyNet: This policy setting configures a local override for the configuration to join Microsoft SpyNet.
Threat Id Default Action: This policy setting customizes which remediation action will be taken for each listed Threat ID when it is detected during a scan.

Reporting


The Specops Reporting component is entirely web based and is accessed from your browser. The URL for Specops Reporting depends on where the component was installed. Endpoint Protection reports provide a good overview of the feedback gathered from your Endpoint Protection clients.

View predefined Reports

  1. Enter the URL for Specops Reporting.
  2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection.
  3. Select the report you want to view. The following is a list of the predefined reports you can view:
  • Incident reports: Allow you to monitor any reported issues with malware or viruses:
    • Antimalware/Virus for a computer
    • Antimalware/Virus information
    • Antispyware status per computer
    • Antivirus status per computer
  • Client status reports: Allow you to quickly find information on the client computer:
    • Client status per computer
    • Endpoint Protection Client Installation Status
    • Last full scan information per computer
    • Last quick scan information per computer
    • Missing Endpoint Protection Client
  • Threat reports: Allow you to monitor a summary of the current threat status:
    • Threat outbreak last 24 hours
    • Threat outbreak last 7 days

Create a new report

You can customize the view of the information gathered by creating a new report definition.

  1. Enter the URL for Specops Reporting.
  2. In the navigation pane, click create new report.
  3. Specify the following fields:
     Field: Step
     Report name: Enter a report name.
     Report category: Specify a report category.
     Report description: Enter a report description.
     Columns: Add columns to the report. You will be able to specify the column heading, field, and display name.
     Groupings: To group data in the report, select a column and drag and drop it in the group panel. This will remove the column from the visible columns and display a grouping rectangle for the column in the group panel.
     Filters: Add any filtering of data by clicking on the Filters tab and selecting the additional filter data field and values to filter by.
     Import report definition: You can import a report definition from the import web page or from a file.
     Export report definition: You can export a report definition from the export web page. The export page displays a complete list of all reports in the database grouped by report category.
  4. Click Save.

Edit an existing report

  1. Enter the URL for Specops Reporting.
  2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection.
  3. Click Edit next to the report you want to modify.
  4. Make the necessary changes, and click Save.

Export Report data

You can export report data in a PDF or a CSV format for further processing.

  1. Enter the URL for Specops Reporting.
  2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection.
  3. Select the Report you want to export.
  4. If required, select the client computer from the Computer drop box.
  5. Specify the page size in the Page size drop box.
  6. From the Export to drop box, select the report format.
  7. If you selected PDF, you will also need to specify the page layout from the drop box.
  8. Click the green button.

Delete a Report

  1. Enter the URL for Specops Reporting.
  2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection.
  3. Click Delete next to the report you want to delete.
  4. Click OK.