
Monitoring Forefront Endpoint Protection 2010 – Security alerts

November 15th, 2010

In previous posts, I've described the monitoring experience in Forefront Endpoint Protection 2010 (FEP) Release Candidate. Those descriptions include the FEP dashboard as well as the built-in reports. In real life, however, no one expects an administrator to stare at the dashboard and wait for something to happen. Instead, administrators expect to be notified when security incidents are detected.

FEP security alerts cover the incidents administrators want to be notified about. When designing FEP alerts, we used the following guidelines:

  1. Important – Administrators should be actively notified of FEP alerts (by email notification).
  2. Actionable – There should be a recommended action associated with each alert.
  3. Timely – Administrators should be notified of security incidents in a timely manner.
  4. Manageable – Enable administrators to control the number of alerts issued per day.
  5. Correct – Avoid false positives by providing threshold-based alerts.
The following alert types are provided with FEP 2010:

Each alert is described below by its scenario, the settings that control it (Configuration) and the recommended action.

Malware Detection

  Scenario: Malware was detected on a computer. This alert is triggered based on the result of FEP mitigation (whether FEP was able to remove or block the malware).

  Configuration:
  • Collection to monitor
  • Detection level (sensitivity), based on the result of FEP mitigation

  Recommended action: Navigate to the FEP computer details report to identify the malware detected on the computer.

Malware Outbreak

  Scenario: Malware is spreading across the organization. This alert is triggered based on the number of detections.

  Configuration:
  • Number of computers detected with the same malware within 24 hours

  Recommended action: Navigate to the FEP malware details report to learn more about the malware and see the list of infected computers.

Repeated Malware Detection

  Scenario: A computer is being repeatedly infected by the same malware. This alert is triggered based on the number of repeated detections.

  Configuration:
  • Collection to monitor
  • Number of repeated detections
  • Time interval for detection

  Recommended action: Navigate to the FEP computer details report to learn more about the computer as well as the malware.

Multiple Malware Detection

  Scenario: A computer is being infected with multiple malware types. This alert is triggered based on the number of different malware types detected on a single computer.

  Configuration:
  • Collection to monitor
  • Number of different malware types
  • Time interval for detection

  Recommended action: Navigate to the FEP computer details report to learn more about the computer as well as the malware types.
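To make the threshold logic concrete, the following Python is an added example (not code from FEP or from this post) that evaluates the four alert types above over a constructed set of detection records. The computer names, malware names, timestamps, the 24-hour windows and the `failed_only` flag that stands in for the detection-level (sensitivity) setting are all assumptions made for the illustration; FEP's real alert engine runs against the Configuration Manager database, not an in-memory list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample detection records (hypothetical hosts and malware names).
# Each record: (computer, malware, detected_at, mitigation_succeeded)
DETECTIONS = [
    ("PC-01", "Worm.A", datetime(2010, 11, 15, 8, 0), True),
    ("PC-02", "Worm.A", datetime(2010, 11, 15, 9, 30), True),
    ("PC-03", "Worm.A", datetime(2010, 11, 15, 11, 0), False),   # FEP could not clean it
    ("PC-04", "Worm.A", datetime(2010, 11, 15, 20, 0), True),
    ("PC-05", "Worm.A", datetime(2010, 11, 17, 6, 0), True),     # outside any 24h window
    ("PC-07", "Trojan.B", datetime(2010, 11, 15, 10, 0), True),
    ("PC-07", "Trojan.B", datetime(2010, 11, 15, 14, 0), True),  # same malware, same host
    ("PC-07", "Trojan.B", datetime(2010, 11, 15, 18, 0), True),
    ("PC-09", "Trojan.B", datetime(2010, 11, 15, 12, 0), True),
    ("PC-09", "Adware.C", datetime(2010, 11, 15, 12, 5), True),  # three families on one host
    ("PC-09", "Rootkit.D", datetime(2010, 11, 15, 12, 10), False),
]


def in_collection(detections, collection=None):
    """'Collection to monitor': keep only computers in the given collection.
    The collection is modelled as a plain set of names (assumption); None = all."""
    if collection is None:
        return list(detections)
    return [d for d in detections if d[0] in collection]


def max_distinct_in_window(events, window):
    """events: (timestamp, key) pairs. Return the largest number of distinct keys
    that fall inside any window of length `window` starting at one of the events.
    Sliding the window over every event start is what makes the check threshold-
    based rather than firing on the first hit."""
    events = sorted(events, key=lambda e: e[0])
    best = 0
    for i, (start, _) in enumerate(events):
        end = start + window
        keys = {key for ts, key in events[i:] if ts <= end}
        best = max(best, len(keys))
    return best


def malware_detection(detections, failed_only=True):
    """Per-detection alert. `failed_only` stands in for the sensitivity setting
    (assumption: the quietest level reports only detections FEP could not mitigate)."""
    return [(c, m) for c, m, _, ok in detections if not ok or not failed_only]


def malware_outbreak(detections, min_computers, window=timedelta(hours=24)):
    """Same malware seen on at least `min_computers` distinct computers within `window`."""
    by_malware = defaultdict(list)
    for computer, malware, ts, _ in detections:
        by_malware[malware].append((ts, computer))
    return sorted(m for m, ev in by_malware.items()
                  if max_distinct_in_window(ev, window) >= min_computers)


def repeated_malware_detection(detections, min_detections, window):
    """Same malware detected at least `min_detections` times on one computer within `window`."""
    by_pair = defaultdict(list)
    for i, (computer, malware, ts, _) in enumerate(detections):
        by_pair[(computer, malware)].append((ts, i))  # key = record index: every hit counts
    return sorted(pair for pair, ev in by_pair.items()
                  if max_distinct_in_window(ev, window) >= min_detections)


def multiple_malware_detection(detections, min_types, window):
    """At least `min_types` different malware names on one computer within `window`."""
    by_computer = defaultdict(list)
    for computer, malware, ts, _ in detections:
        by_computer[computer].append((ts, malware))
    return sorted(c for c, ev in by_computer.items()
                  if max_distinct_in_window(ev, window) >= min_types)


if __name__ == "__main__":
    day = timedelta(hours=24)
    print("Malware Detection (failed mitigation):", malware_detection(DETECTIONS))
    print("Malware Outbreak (4 hosts / 24h):", malware_outbreak(DETECTIONS, 4))
    print("Repeated Malware Detection (3 / 24h):", repeated_malware_detection(DETECTIONS, 3, day))
    print("Multiple Malware Detection (3 types / 24h):", multiple_malware_detection(DETECTIONS, 3, day))
```

Raising a threshold or shortening the window is the "Manageable" and "Correct" guideline in practice: with the sample data above, the Repeated Malware Detection alert fires for PC-07 at three hits in 24 hours but not at three hits in 6 hours, and the Malware Outbreak alert fires at four computers but not at five, because the fifth Worm.A detection lands two days later.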

Tip: In addition to email notifications, FEP alerts are written as event log entries on the FEP server and stored in the FEP database. The event log entries are useful when alerts must be forwarded to another system (e.g. Operations Manager or an SNMP trap receiver).


Ziv Rafalovich,
Senior Program Manager


Monitoring Forefront Endpoint Protection 2010 – FEP operational reports

November 11th, 2010

In an earlier post we mentioned the integration of FEP with Configuration Manager and described the FEP dashboard, which is an extension to the Configuration Manager console. Another aspect of this integration is the FEP troubleshooting reports, which make use of the Configuration Manager reporting framework.

To begin with, each operation going from the server to FEP clients (or vice versa) is performed by Configuration Manager. It is only natural that troubleshooting should use the information kept in the Configuration Manager database and surface it to administrators trying to troubleshoot FEP operations.

The two main tasks performed by administrators are client roll out (deployment) and policy distribution. Both use the Configuration Manager software distribution capabilities (a software package advertised to a collection).

FEP provides two troubleshooting scenarios, which can be found at the bottom of the FEP dashboard.

Figure 1 – Links to FEP troubleshooting reports

  • Deployment Overview: Identify deployment success ratio, which FEP client versions are found in the org, as well as errors reported while trying to roll out FEP to clients.
  • Policy Distribution Overview: Identify distribution success ratio, which policies are actually applied on clients, as well as errors reported while trying to apply policies.

The third link brings administrators to a single computer details report where all of the Configuration Manager related activity for one computer is presented (including network data). This is useful when an administrator is trying to work out a problem on a specific computer.

Deployment Overview report

After opening the deployment overview report, an administrator immediately sees the deployment status for each collection in the Configuration Manager deployment. This is extremely useful since the FEP dashboard is not filtered by collection.

Next, the administrator can select a collection and drill down to see more deployment details.

Note: Like any Configuration Manager report, an administrator may click the drill-down icon on the left of a row to see more detail.

Tip: To generate a report for the entire organization, simply select the "All Systems" collection.

Figure 2 – FEP Deployment overview

After the report has been filtered by collection, the administrator is presented with a breakdown of the FEP versions found, as well as deployment states and failures.

Having computers grouped by their deployment state (or failure) enables an administrator to troubleshoot a single computer and apply the fix to all computers facing the same symptom.

Figure 3 – FEP Deployment for a specific collection

Finally, the administrator can drill down to a specific computer and see FEP related data such as deployment activities, policy distribution and network related data.

Figure 4 – Computer details report

Policy Distribution Overview

Since policy distribution is similar to client roll out (both use the Configuration Manager software distribution capabilities), troubleshooting follows the same concepts and uses similar reports.

Figure 5 – FEP Policy Distribution Overview

Ziv Rafalovich,
Senior Program Manager