In a previous article I illustrated how to deploy and configure the Endpoint Protection Server role to protect the network from unwanted malware and spyware.
As shown in that article, the Endpoint Protection role takes advantage of the existing SCCM framework to download definitions automatically and deploy them to the clients through the standard Software Update mechanism.
In this article we are going to see how a malware outbreak is contained and managed. For this purpose I will assume you have a ConfigMgr server with the Endpoint Protection role installed and a client with either Forefront Client Protection or Windows Defender installed and managed by SCCM.
SCCM Endpoint Protection Manage an Outbreak
ConfigMgr allows us to monitor the protection status of the clients directly from the admin console. Navigate to [Monitoring] / [Endpoint Protection Status] / [System Center Endpoint Protection Status].
As you can see in the picture, no client is at risk and no malware incidents have been recorded. Scrolling down on the same page you can see the Operational State of the Endpoint Protection component.
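The console's Operational State view is built from what each client reports about its own antimalware engine. The same conditions can be checked locally on a client with the Windows Defender PowerShell module. The following is an added example, not code from the original article or from ConfigMgr: it uses Get-MpComputerStatus (Windows 8.1 / Server 2012 R2 and later) and flags the client as at risk when the service or real-time protection is off or when definitions are older than a threshold. The three-day threshold is an assumed value, not a ConfigMgr default.

```powershell
# Added example (not from the original article): client-side health check that
# mirrors the "Operational State" view of the ConfigMgr console, using the
# Windows Defender PowerShell module (Get-MpComputerStatus).
# The MaxSignatureAgeDays threshold is an assumed policy value.

function Get-EndpointProtectionHealth {
    [CmdletBinding()]
    param(
        # Maximum acceptable definition age in days (assumed threshold)
        [int]$MaxSignatureAgeDays = 3
    )

    $status  = Get-MpComputerStatus
    $reasons = @()

    if (-not $status.AMServiceEnabled)          { $reasons += 'Antimalware service is not running' }
    if (-not $status.AntivirusEnabled)          { $reasons += 'Antivirus engine is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $reasons += 'Real-time protection is disabled' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $reasons += ('Antivirus definitions are {0} days old (last updated {1})' -f
            $status.AntivirusSignatureAge, $status.AntivirusSignatureLastUpdated)
    }
    if ($status.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
        $reasons += ('Antispyware definitions are {0} days old' -f $status.AntispywareSignatureAge)
    }

    # One object per client; "AtRisk" lists every reason so it can be acted on
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        State            = if ($reasons.Count -eq 0) { 'Healthy' } else { 'AtRisk' }
        Reasons          = $reasons
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        LastQuickScan    = $status.QuickScanEndTime
    }
}

Get-EndpointProtectionHealth | Format-List
```

Run it on a client that the console shows as green and it should report Healthy; stop the real-time protection or let definitions age and the Reasons list explains exactly why the console would flag the client.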
Again, even the operational status of the client is green, with no outbreak or malware. Let's change this. Introducing real malware into the lab, even if technically possible, is not the best approach, but luckily you can download a sample file from the Eicar website that antimalware products are designed to detect as malware.
As you can see there are four files you can download. While they are the same file with different extensions, I suggest trying to download each of them from both the HTTP and HTTPS links.
As soon as the download link is clicked the malware will be recognized and the Endpoint Protection component will display an alert similar to the following.
As you can see Windows Defender detected the virus and blocked it immediately. Opening Windows Defender, under the History tab you can find all quarantined items.
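What the History tab shows can also be pulled programmatically from the same client, which is handy when you need to confirm that a test detection was actually quarantined before looking for it in the console. The following is an added example, not code from the original article or from ConfigMgr: it joins the detection records returned by Get-MpThreatDetection with the threat catalogue from Get-MpThreat so every row carries a readable threat name. The ThreatStatusID mapping is taken from the MSFT_MpThreatDetection class documentation, and the EICAR filter assumes Defender's usual naming for the test file (Virus:DOS/EICAR_Test_File).

```powershell
# Added example (not from the original article): list what Windows Defender has
# detected and quarantined on this client, joining MSFT_MpThreatDetection records
# (Get-MpThreatDetection) with the threat catalogue (Get-MpThreat).
# ThreatStatusID values are as documented for the MSFT_MpThreatDetection class.

$ThreatStatus = @{
    0 = 'Unknown'; 1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined'
    4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked'; 102 = 'QuarantineFailed'
    103 = 'RemoveFailed'; 104 = 'CleanFailed'; 105 = 'AllowFailed'
    106 = 'Abandoned'; 107 = 'BlockFailed'
}

function Get-DefenderDetectionHistory {
    [CmdletBinding()]
    param(
        # Only return detections newer than this (default: last 24 hours)
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Optional wildcard filter on the threat name, e.g. '*EICAR*'
        [string]$ThreatNameLike = '*'
    )

    # Map ThreatID -> catalogue entry so each detection gets a readable name
    $catalog = @{}
    foreach ($t in Get-MpThreat) { $catalog[[int64]$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        ForEach-Object {
            $entry = $catalog[[int64]$_.ThreatID]
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = if ($entry) { $entry.ThreatName } else { "ThreatID $($_.ThreatID)" }
                Severity   = if ($entry) { $entry.SeverityID } else { $null }
                Resources  = ($_.Resources -join '; ')   # files / URLs involved in the detection
                Process    = $_.ProcessName
                User       = $_.DomainUser
                Status     = $ThreatStatus[[int]$_.ThreatStatusID]
                ActionOK   = $_.ActionSuccess
            }
        } |
        Where-Object { $_.ThreatName -like $ThreatNameLike } |
        Sort-Object Detected -Descending
}

# Everything quarantined in the last day, then only the EICAR test detections
Get-DefenderDetectionHistory | Where-Object Status -eq 'Quarantined' | Format-Table -AutoSize
Get-DefenderDetectionHistory -ThreatNameLike '*EICAR*' | Format-Table -AutoSize
```

After downloading the Eicar files you should see one row per attempt with Status set to Quarantined (or Blocked, depending on how the download was intercepted) and ActionOK equal to True; a row with a failed status is the first sign that remediation on that client needs attention.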
The Endpoint Protection client (or Windows Defender in this case) continually sends information about any detected malware to the Endpoint Protection Server role, where it can be monitored.
Back in the ConfigMgr console, navigate again to [Monitoring] / [Endpoint Protection Status] / [System Center Endpoint Protection Status], where the number of detected malware has changed.
If you have deployed the Reporting Point in your hierarchy, there are out-of-the-box reports you can use to gain insight into your clients' health.
Here's a partial screenshot of the Antimalware Activity report, showing the overall activity of Endpoint Protection.