Archive for the ‘SCEP’ Category

Shields up on potentially unwanted applications in your enterprise

November 26th, 2015

Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.  If enabled, PUA will be blocked at download and install time.

 

What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or the applications they bundle.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.

 

PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers. If you are already one of Microsoft's existing enterprise customers, you need to opt in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting into PUA protection.

 

Deploying PUA protection

Systems administrators can deploy the PUA protection feature as a Group Policy setting through the following registry policy value, choosing the key path that matches your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name:      MpEnablePus

Note: The following Windows Defender configuration is for machines whose Windows Defender is managed by System Center Endpoint Protection.

Windows Defender

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name:      MpEnablePus

The group policy value for MpEnablePus is a DWORD with the following meanings:

Value (DWORD)    Description
0 (default)      Potentially Unwanted Application protection is disabled.
1                Potentially Unwanted Application protection is enabled. Applications with unwanted behavior are blocked at download and install time.
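As an added example (not code from the MMPC post), the script below writes the MpEnablePus policy value described above for a lab or pilot machine and reads both key paths back for auditing. The two key paths and the 0/1 meanings are taken from the post; the function names, the product switch and the audit output shape are this example's own choices. Group Policy remains the intended distribution channel; this shows the equivalent registry write and a read-back check you can run elevated on a pilot host.

```powershell
# Added example, not code from the MMPC post: set the MpEnablePus policy value
# and audit it. Run in an elevated PowerShell session.

$PuaPolicyKeys = @{
    # Key paths as given in the post; HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE
    'SCEP'     = 'HKLM:\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Defender' = 'HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine'
}

function Set-PuaProtection {
    param(
        [Parameter(Mandatory)] [ValidateSet('SCEP', 'Defender')] [string] $Product,
        [ValidateSet(0, 1)] [int] $Value = 1   # 1 = enabled, 0 = disabled (the default), per the post's table
    )
    $key = $PuaPolicyKeys[$Product]
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null   # creates missing parent keys as well
    }
    # -Force overwrites an existing value; DWord is the type the post specifies
    New-ItemProperty -Path $key -Name 'MpEnablePus' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-PuaProtectionState {
    # One row per product key, so an audit shows "not configured" explicitly.
    # An absent value behaves like 0 (disabled) according to the post's table.
    foreach ($product in $PuaPolicyKeys.Keys) {
        $key   = $PuaPolicyKeys[$product]
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'MpEnablePus' -ErrorAction SilentlyContinue).MpEnablePus
        }
        if ($null -eq $value)  { $state = 'Not configured (behaves as disabled)' }
        elseif ($value -eq 1)  { $state = 'Enabled' }
        elseif ($value -eq 0)  { $state = 'Disabled' }
        else                   { $state = "Unexpected value $value" }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Product      = $product
            KeyPath      = $key
            MpEnablePus  = $value
            State        = $state
        }
    }
}

# Enable PUA blocking for a Windows Defender endpoint, then audit both key paths.
# As the post notes, blocking takes effect after the next signature update or a restart.
Set-PuaProtection -Product 'Defender' -Value 1
Get-PuaProtectionState | Format-Table -AutoSize
```

Because Get-PuaProtectionState reports a missing value as its own state rather than as 0, a fleet-wide run (for example through a remoting session) distinguishes machines the policy never reached from machines where it was deliberately disabled.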

 

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.

 

PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with "PUA:", such as PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

  • Software bundling technologies
  • PUA applications
  • PUA frameworks

 

What does PUA protection look like?

By default, PUA protection quarantines the file so it won't run. PUA will be blocked only at download or install time. A file is eligible for blocking if it meets one of the following conditions:

  • The file is being scanned from the browser
  • The file has Mark of the Web set
  • The file is in the %downloads% folder
  • The file is in the %temp% folder

 

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

Figure: SCEP dialog box indicating detection status.

The user can view the list of blocked applications in the History tab.

In Windows 10, where endpoints including Windows Defender are managed by System Center Endpoint Protection, the following dialog box will be shown:

Figure: Detection message in Windows Defender.

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it's recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect many end-users in your environment to be downloading or installing PUA, it is recommended that machines be gradually enrolled into PUA protection. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine whether you want to allow any of them in your enterprise, add exclusions for those (all exclusion mechanisms are supported: file name, folder, extension, process), and then gradually roll out the opt-in policy to a larger set of machines.
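The pilot step above (observe detections, decide what to allow, then widen the policy) and the "PUA:" naming convention from the earlier section are illustrated by this added example, which is not code from the MMPC post. It groups detection records from a pilot group by threat name so each PUA family gets an explicit allow-or-block decision before the roll-out continues. The record shape (Host, ThreatName, Path), the function names and the review threshold are this example's assumptions; the sample records are constructed, with PUA:Win32/Creprote taken from the post and the other family names invented for illustration.

```powershell
# Added example, not code from the MMPC post: summarise PUA detections from a
# pilot group before widening the MpEnablePus roll-out.

function Get-PuaPilotSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Detections,
        [int] $ReviewHostThreshold = 3   # assumption: a family seen on this many hosts needs an explicit decision
    )
    $Detections |
        Where-Object { $_.ThreatName -like 'PUA:*' } |      # the "PUA:" prefix from the post
        Group-Object -Property ThreatName |
        ForEach-Object {
            $hosts = @($_.Group | Select-Object -ExpandProperty Host -Unique)
            $paths = @($_.Group | Select-Object -ExpandProperty Path -Unique | Select-Object -First 3)
            [pscustomobject]@{
                ThreatName  = $_.Name
                Detections  = $_.Count
                Hosts       = $hosts.Count
                SamplePaths = ($paths -join '; ')
                NeedsReview = ($hosts.Count -ge $ReviewHostThreshold)
            }
        } |
        Sort-Object -Property Detections -Descending
}

# Constructed pilot-group records (not real telemetry). Only the first family name is from the post.
$pilotDetections = @(
    [pscustomobject]@{ Host = 'PILOT-01'; ThreatName = 'PUA:Win32/Creprote';       Path = 'C:\Users\u1\Downloads\bundle_setup.exe' }
    [pscustomobject]@{ Host = 'PILOT-02'; ThreatName = 'PUA:Win32/Creprote';       Path = 'C:\Users\u2\Downloads\bundle_setup.exe' }
    [pscustomobject]@{ Host = 'PILOT-03'; ThreatName = 'PUA:Win32/Creprote';       Path = 'C:\Users\u3\AppData\Local\Temp\inst.tmp' }
    [pscustomobject]@{ Host = 'PILOT-01'; ThreatName = 'PUA:Win32/ExampleAdware';  Path = 'C:\Users\u1\Downloads\free_tool.exe' }
    [pscustomobject]@{ Host = 'PILOT-04'; ThreatName = 'Trojan:Win32/ExampleOnly'; Path = 'C:\Users\u4\Downloads\x.exe' }  # not PUA; filtered out
)

# With the sample data: PUA:Win32/Creprote shows 3 detections on 3 hosts (NeedsReview True),
# PUA:Win32/ExampleAdware 1 detection on 1 host; the Trojan record is ignored.
Get-PuaPilotSummary -Detections $pilotDetections | Format-Table -AutoSize
```

Feed the function whatever your product's reporting exposes for the pilot machines, as long as each record carries a host name, the threat name and the file path. Rows flagged NeedsReview are the ones to take a decision on: either confirm the block or add an exclusion using one of the mechanisms the post lists (file name, folder, extension or process) before the next ring of machines receives the opt-in policy.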

 

Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.

 

We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor

MMPC


MAPS in the cloud: How can it help your enterprise?

January 21st, 2015

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there is an opportunity to get real-time results from suspicious malware triggers, where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on logic derived from ecosystem-wide data and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all of Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

    Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients and cross-references it with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allow fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:


Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry to the Microsoft Malware Protection Center's (MMPC) cloud service, either in real time (for detection) or periodically (for health checks). This telemetry includes:

  • Threat telemetry: to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior: to collect samples and determine what to monitor and remediate
  • Heartbeat: to check the system's pulse, that is, whether the antivirus application is still running and whether it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows


Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites

Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:


Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service
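The Settings check above is a per-machine, interactive step. As an added example (not code from the MMPC post), the script below reports the MAPS membership level of a Windows Defender endpoint so the same check can be run across a fleet. It reads the Defender PowerShell module's Get-MpPreference where available and falls back to the Group Policy registry value; the registry location and value name, and the mapping 0 = disabled, 1 = Basic, 2 = Advanced, are assumptions of this example rather than statements from the post, so verify them against your product's documentation before relying on the output.

```powershell
# Added example, not code from the MMPC post: report the MAPS membership level
# (Basic / Advanced / disabled) on a Windows Defender endpoint.

# Assumed level mapping (matches the Basic / Advanced memberships the post describes)
$MapsLevelNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
# Assumed Group Policy location for the MAPS setting
$MapsPolicyKey  = 'HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet'

function Get-MapsLevelName {
    param([AllowNull()] $Level)
    if ($null -eq $Level) { return 'Not configured' }
    $name = $MapsLevelNames[[int]$Level]
    if ($null -eq $name) { return "Unknown ($Level)" }
    return $name
}

function Get-MapsMembership {
    # Effective setting as the product sees it (Defender module; assumption that it is installed)
    $viaModule = $null
    if (Get-Command -Name Get-MpPreference -ErrorAction SilentlyContinue) {
        $viaModule = (Get-MpPreference).MAPSReporting
    }

    # Policy-delivered setting, if any (assumed key and value name)
    $viaPolicy = $null
    if (Test-Path -Path $MapsPolicyKey) {
        $viaPolicy = (Get-ItemProperty -Path $MapsPolicyKey -Name 'SpynetReporting' -ErrorAction SilentlyContinue).SpynetReporting
    }

    # Either membership level enables cloud protection, as the post's Prerequisites state
    if ($viaModule -ge 1) { $cloud = 'Yes' } else { $cloud = 'No or unknown' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        EffectiveLevel  = Get-MapsLevelName -Level $viaModule
        PolicyLevel     = Get-MapsLevelName -Level $viaPolicy
        CloudProtection = $cloud
    }
}

Get-MapsMembership | Format-List
```

A machine whose EffectiveLevel differs from its PolicyLevel is worth a closer look: the policy may not have been applied yet, or a local change may be overriding it. For SCEP-managed machines, the same membership setting is exposed through the Configuration Manager antimalware policy rather than this registry key.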

 

MMPC


Network Device Enrollment Service (NDES) now on the TechNet Wiki

April 19th, 2012

The Network Device Enrollment Service (NDES) whitepaper is now on the TechNet Wiki, and I have already made a few updates that were requested. The old download center location has been updated to reflect that we've posted the update to the TechNet Wiki.

Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)

Note: Previously the NDES service was called Microsoft Simple Certificate Enrollment Protocol (MS SCEP). You will notice that the Registry and the web interfaces still have that acronym MSCEP.

 

Categories: Microsoft SCEP, NDES, SCEP Tags:
