SCCM Endpoint Protection Management

Malware

I have illustrated in a previous article how we can deploy and configure the Endpoint Protection Server role to protect the network from unwanted malware and spyware.

As illustrated in that article, the Endpoint Protection role takes advantage of the existing SCCM framework to automatically download definitions and deploy them to the clients via the standard Software Update mechanism.

In this article we are going to see how a malware outbreak is contained and managed. For this purpose I will assume you have a ConfigMgr server with the Endpoint Protection role installed and a client with either Forefront Client Protection or Windows Defender installed and managed by SCCM.

SCCM Endpoint Protection Manage an Outbreak

ConfigMgr allows us to monitor the protection status of the clients directly from the admin console. Navigate to [Monitoring] / [Endpoint Protection Status] / [System Center Endpoint Protection Status]

SCCM Endpoint Protection Management Client Status

As you can see in the picture, no client is at risk and no malware incidents have been recorded. Scrolling down on the same page you can see the Operational State of the Endpoint Protection component.

SCCM Endpoint Protection Management Client Operational Status

Again, the operational status of the clients is green, with no outbreak or malware. Let's change this. Of course, introducing real malware into the lab, even if technically possible, is not the best approach, but luckily you can download a sample malware file (the EICAR test file) from the EICAR website.

SCCM Endpoint Protection Management Eicar Sample Malware

As you can see there are 4 files that you can download, and while they are the same file with different extensions, I suggest trying to download each of them from both the HTTP and HTTPS links.

As soon as the download link is clicked the malware will be recognized and the Endpoint Protection component will display an alert similar to the following.

SCCM Endpoint Protection Management Malware Detected

SCCM Endpoint Protection Management Malware Cleanup

As you can see, Windows Defender detected the virus and blocked it immediately. Opening Windows Defender, under the History tab you can find all quarantined items.

SCCM Endpoint Protection Management Malware Quarantine

The Endpoint Protection client (or Windows Defender in this case) continually sends information about any detected malware to the Endpoint Protection Server role, where it can be monitored.

Back in the ConfigMgr console, navigate again to [Monitoring] / [Endpoint Protection Status] / [System Center Endpoint Protection Status], where the number of detected malware has changed.

SCCM Endpoint Protection Management Client Status Report

If you have deployed the Reporting Point in your hierarchy there are out-of-the-box reports you can use to gain insight into your clients' health.

SCCM Endpoint Protection Management Reports

Here's a partial screenshot of the antimalware activity report, showing us the overall activity of the Endpoint Protection clients.

SCCM Endpoint Protection Management Infection History
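The console dashboard and the reports above roll up data the client itself already holds. The following script is an added example (not part of the original article or of ConfigMgr) that checks the same facts directly on a managed client: whether real-time protection is on, whether definitions are stale, and which detections (such as the EICAR test file) were recorded and whether they were remediated. It assumes the Windows Defender PowerShell module ("Defender", available on Windows 10 / Server 2016 and later) and an elevated session; the 3-day signature age threshold is an assumption.

```powershell
# Added example, not from the original article: client-side triage of the
# Endpoint Protection state that the SCCM console and reports summarise.
# Assumes the "Defender" PowerShell module on the client; run elevated.

function Get-EpClientHealth {
    param([int]$MaxSignatureAgeDays = 3)   # threshold is an assumption, tune per policy

    $status  = Get-MpComputerStatus
    $threats = @(Get-MpThreatDetection -ErrorAction SilentlyContinue)

    $findings = @()
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }

    # Stale definitions are what the console shows as "clients at risk"
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings += ('Definitions {0} are {1:N1} days old' -f
            $status.AntivirusSignatureVersion, $sigAge.TotalDays)
    }

    # Map ThreatID -> ThreatName so the detection list is readable
    $names = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    $detections = $threats | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            Threat     = $names[$_.ThreatID]
            Resource   = ($_.Resources -join '; ')
            Process    = $_.ProcessName
            Remediated = [bool]$_.ActionSuccess   # $false means the clean/quarantine action failed
        }
    }
    $failed = @($detections | Where-Object { -not $_.Remediated })
    if ($failed.Count -gt 0) { $findings += ('{0} detection(s) not remediated' -f $failed.Count) }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        AtRisk     = ($findings.Count -gt 0)
        Findings   = $findings
        Detections = $detections
    }
}

$health = Get-EpClientHealth
$health | Select-Object Computer, AtRisk, Findings | Format-List
# After the EICAR download above, the detection appears here as Virus:DOS/EICAR_Test_File
$health.Detections | Format-Table -AutoSize
```

Running it on the lab client right after the EICAR download should show AtRisk as False (the file was quarantined, so the action succeeded) while the detection itself is listed, which matches what the console dashboard reports.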
