Archive

Archive for the ‘FEP’ Category

Shields up on potentially unwanted applications in your enterprise

November 26th, 2015

Has your enterprise environment been bogged down by a sneaky browser-modifier which tricked you into installing adware from a seemingly harmless software bundle? Then you might have already experienced what a potentially unwanted application (PUA) can do.

The good news is, the new opt-in feature for enterprise users in Windows can spot and stop PUA in its tracks. If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.  If enabled, PUA will be blocked at download and install time.

 

What is PUA and why bother?

Potentially Unwanted Application (PUA) refers to unwanted application bundlers or the applications they bundle.

These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time cleaning up the applications.

Since the stakes are higher in an enterprise environment, the potential disaster that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field.

Typical examples of behavior that we consider PUA include ad-injection, many types of software bundling, and persistent solicitation for payment for services based on fraudulent claims.

 

PUA protection for enterprise

The Potentially Unwanted Application protection feature is available only for enterprise customers.  If you are already one of Microsoft's existing enterprise customers, you need to opt-in to enable and use PUA protection.

PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting into PUA protection.

 

Deploying PUA protection

Systems administrators can deploy the PUA protection feature as a Group Policy setting, using the registry-based policy setting below that matches your product version:

System Center Endpoint Protection, Forefront Endpoint Protection

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine

Value Name:      MpEnablePus

 

Note: The following configuration is available for machines that are managed by System Center Endpoint Protection.

Windows Defender

Key Path:            HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine

Value Name:      MpEnablePus

 

The group policy value for MpEnablePus can be configured as a DWORD type as follows:

Value (DWORD)    Description
0 (default)      Potentially Unwanted Application protection is disabled.
1                Potentially Unwanted Application protection is enabled. Applications with unwanted behavior are blocked at download and install time.

 

After enabling this feature, PUA blocking takes effect on endpoint clients after the next signature update or computer restart. Signature updates take place daily under typical circumstances.

The user experience can vary according to the policy settings that are configured in your enterprise. However, when enabled, the default behavior is that PUA will be blocked and automatically quarantined.
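As an added example that is not part of the original post, the PowerShell below reads and writes the MpEnablePus DWORD under the two policy keys listed above so that a pilot machine can be audited and switched on before the Group Policy roll-out; the function names are the example's own, and in production the value is delivered by the Group Policy setting, which overwrites anything written directly to the policy key on the next policy refresh.

```powershell
# Added example (not from the original post): audit and set the MpEnablePus policy value
# for SCEP/FEP and Windows Defender. Run in an elevated session on a test machine.

# Policy key paths from the post; "Microsoft Antimalware" covers SCEP/FEP,
# "Windows Defender" covers Windows 10 endpoints.
$PuaPolicyKeys = @{
    'SCEP/FEP'         = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\MpEngine'
    'Windows Defender' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
}
$ValueName = 'MpEnablePus'

function Get-PuaProtectionState {
    # Reports the effective MpEnablePus value per product. A missing key or value means
    # the default (0, disabled) applies.
    foreach ($product in $PuaPolicyKeys.Keys) {
        $key   = $PuaPolicyKeys[$product]
        $value = 0
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.$ValueName }
        }
        $state = if ($value -eq 1) { 'Enabled' } else { 'Disabled (default)' }
        [pscustomobject]@{
            Product = $product
            KeyPath = $key
            Value   = $value
            State   = $state
        }
    }
}

function Set-PuaProtection {
    param(
        [Parameter(Mandatory)] [ValidateSet('SCEP/FEP', 'Windows Defender')] [string] $Product,
        [ValidateSet(0, 1)] [int] $Value = 1
    )
    $key = $PuaPolicyKeys[$Product]
    # Policy keys do not exist until a policy has written them; create the key if needed.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # DWORD as in the post's table: 0 = disabled (default), 1 = block at download/install time.
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    # Read the value back so a failed write is not mistaken for a successful opt-in.
    $actual = (Get-ItemProperty -Path $key -Name $ValueName).$ValueName
    if ($actual -ne $Value) {
        throw "Failed to set $ValueName under $key (read back $actual, expected $Value)"
    }
    Write-Host "$ValueName=$actual written under $key for $Product."
    Write-Host "Blocking takes effect after the next signature update or a restart."
}

# Audit before and after on the pilot machine.
Get-PuaProtectionState | Format-Table -AutoSize
Set-PuaProtection -Product 'Windows Defender' -Value 1
Get-PuaProtectionState | Format-Table -AutoSize
```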

 

PUA threat file-naming convention

When enabled, we will start identifying unwanted software with threat names that start with “PUA:”, such as PUA:Win32/Creprote.

Specific researcher-driven signatures identify the following:

  • Software bundling technologies
  • PUA applications
  • PUA frameworks

 

What does PUA protection look like?

By default, PUA protection quarantines the file so that it cannot run. PUA will be blocked only at download or install time. A file will be included for blocking if it meets one of the following conditions:

  • The file is being scanned from the browser
  • The file has Mark of the Web set
  • The file is in the %downloads% folder
  • The file is in the %temp% folder
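The following PowerShell is an added example, not code from the original post: for a given file it checks the on-disk conditions from the list above, namely whether the file carries a Mark of the Web (the Zone.Identifier alternate data stream) and whether it sits under the user's Downloads or %TEMP% folder, which helps when triaging why a file was or was not blocked. It assumes %downloads% means the Downloads folder under the user profile, treats the browser-scan condition as not observable from the file afterwards, and writes a constructed sample file to %TEMP% for the demonstration.

```powershell
# Added example (not from the original post). Reports which of the post's on-disk PUA
# blocking conditions apply to a file: Mark of the Web, Downloads folder, %TEMP% folder.

function Get-MarkOfTheWeb {
    # Returns the ZoneId from the Zone.Identifier alternate data stream (the Mark of the
    # Web), or $null when the file carries no such stream. ZoneId 3 = Internet zone.
    param([Parameter(Mandatory)][string] $Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-PuaBlockingScope {
    # Evaluates the location and Mark-of-the-Web conditions for one file and explains
    # the result; the browser-scan condition is a runtime property and is not checked.
    param([Parameter(Mandatory)][string] $Path)
    $file   = Get-Item -LiteralPath $Path
    $zoneId = Get-MarkOfTheWeb -Path $file.FullName
    # Assumption: %downloads% in the post means the Downloads folder under the profile.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    $temp      = $env:TEMP
    $reasons   = @()
    if ($null -ne $zoneId) { $reasons += "Mark of the Web set (ZoneId=$zoneId)" }
    if ($file.DirectoryName -like "$downloads*") { $reasons += "located under $downloads" }
    if ($file.DirectoryName -like "$temp*")      { $reasons += "located under $temp" }
    $summary = if ($reasons.Count -gt 0) { $reasons -join '; ' } else { 'no on-disk condition applies (browser-scan condition not observable here)' }
    [pscustomobject]@{
        File    = $file.FullName
        ZoneId  = $zoneId
        InScope = ($reasons.Count -gt 0)
        Reasons = $summary
    }
}

# Demonstration with a constructed sample file in %TEMP% (removed again at the end).
$sample = Join-Path $env:TEMP 'pua-scope-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample, not a real download'
Test-PuaBlockingScope -Path $sample   # in scope: %TEMP% folder only
# Mark the sample the way a browser download would be marked (Internet zone).
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Test-PuaBlockingScope -Path $sample   # in scope: Mark of the Web and %TEMP% folder
Remove-Item -LiteralPath $sample
```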

 

The user experience of the blocking depends on the product you have installed.

With System Center Endpoint Protection deployed, the following dialog box will be shown upon detection:

SCEP dialog box indicating the detection status

The user can view the blocked software in the History tab.

List of blocked applications shown in the History tab

On managed Windows 10 endpoints running Windows Defender, the following dialog box will be shown:

Detection message in Windows Defender

PUA protection roll-out scenario

Like all good processes, it is best to plan your PUA protection deployment to get the most out of it. Here are some best practices to plan your PUA protection roll-out.

As blocking PUA in your enterprise is an explicit choice, it is best practice to do the necessary due diligence such as having a corporate policy or guidance that defines that potentially unwanted applications are not to be installed or downloaded in your corporate environment.

With a corporate policy or guidance in place, it's recommended to also sufficiently inform your end-users and your IT Helpdesk about the updated policy or guidance so that they are aware that potentially unwanted applications are not allowed in your corporate environment. This will preemptively inform your end-users as to why SCEP or FEP is blocking their download. By informing your helpdesk about your new policy or guidance, they can resolve end-user questions.

Finally, if you expect many end-users in your environment to be downloading or installing PUA, it is recommended that machines be enrolled into PUA protection gradually. In other words, deploy the PUA opt-in policy to a subset of machines, observe the number of detections, determine whether you want to allow any of them in your enterprise, add exclusions for those (all exclusion mechanisms are supported: file name, folder, extension, process), and then gradually roll out the opt-in policy to a larger set of machines.

 

Handling false positives

If you think that an application has been wrongfully identified as PUA, submit the file here, and add ‘PUA’ along with the detection name in the comments section.

 

We look forward to providing you with a great protection experience.

Geoff McDonald, Deepak Manohar, and Dulce Montemayor

MMPC


MAPS in the cloud: How can it help your enterprise?

January 21st, 2015

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on logic derived from ecosystem data and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all of Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

    Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references it with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allow fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:


Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real-time (for detection), or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service which includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period


If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

 

Prerequisites

Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:


Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

 

MMPC


WSUS administration best practices recommended to ease Forefront Endpoint Protection (and Client Security) deployment (en-US)

April 4th, 2012

Here’s a cool article I found while going through what was new over on our community-driven TechNet Wiki. This one discusses some best practices for WSUS that should ease Microsoft Forefront Endpoint Protection and Client Security deployments. And as with all of the Wiki articles, if you have some tips of your own please feel free to add them in.

Forefront Client Security and Endpoint Protection both use the WSUS infrastructure, in different ways, unless your Forefront update policy uses a network share to deploy the updates. The goal of this article is not to explain the relationship between Forefront and WSUS in detail, but to provide best practices regarding WSUS management and administration that will surely ease FCS/FEP deployment, and even avoid certain issues (e.g. update failures).

The key point to remember is that FCS and FEP may rely a lot on the health and performance of the WUA (Windows Update Agent) on the client computers. Below are a few role-based points, for clients and for servers (mostly WSUS), that are known to ease Forefront deployment and updating…

You can continue reading the rest of the article here:

J.C. Hornbeck | System Center & Security Knowledge Engineer


How to move the FEP Databases and the CM Site Database

by Jeramy Skidmore

You can move the Configuration Manager site database and associated Forefront Endpoint Protection (FEP) databases after setup has completed to a different SQL Server computer system by:

  1. Backing up the FEP data warehouse (FEPDW_<sitecode>)
  2. Backing up the Configuration Manager Site Database (SMS_<sitecode>)
  3. Uninstalling the FEP reporting component
  4. Restoring the site database and FEP data warehouse to their new locations
  5. Relocating the site database via Configuration Manager setup
  6. And then reinstalling the FEP Reporting component

Detailed steps follow.

Note

Configuration Manager 2007 does support moving the site database from a remote SQL Server to the local site server computer if the site server computer is running a supported version of Microsoft SQL Server. For a list of supported SQL Server versions, see Configuration Manager Supported Configurations.

Note

FEP hosts two databases, the FEP database (FEPDB_sitecode) and the FEP data warehouse (FEPDW_sitecode). The FEP database serves as a proxy database for extracting data from the Configuration Manager site database. It does not need to be backed up or moved, and will be recreated when the FEP Reporting component is reinstalled.

To move the databases

Important: You will require access to the FEP 2010 installation media in order to successfully complete these steps.

  1. Back up the site database on the current site database server and restore it on the new site database server computer using the SQL Server Management Studio. For more information, see How to Move the Site Database.
  2. Back up the FEP data warehouse (FEPDW_sitecode) on the current FEP Reporting SQL Server and restore it to the new Reporting SQL Server. (If you have a remote reporting database and are not moving the FEP reporting database, you can skip this step.)

    Note

    Ensure that the database access permissions are the same on the new databases as they are on the original databases.

  3. On the site server, in Add/Remove programs, uninstall Microsoft Forefront Endpoint Protection 2010 Reporting.
  4. Ensure the primary site server computer account has administrative privileges over the new site database server computer.
  5. Close any open Configuration Manager console connections to the site server.
  6. On the primary site server computer, use the hierarchy maintenance tool (Preinst.exe) to stop all site services by using the following command: Preinst /stopsite.
  7. On the primary site server computer, click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and click ConfigMgr Setup, or navigate to the .\bin\i386 directory of the Configuration Manager 2007 installation media and double-click Setup.exe.
  8. Click Next on the Configuration Manager Setup Wizard Welcome page.
  9. Click Perform site maintenance or reset this site on the Configuration Manager Setup Wizard Setup Options page.
  10. Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page.
  11. Enter the appropriate SQL Server name and instance (if applicable) for the new site database server as well as the site database name on the Configuration Manager Setup Wizard SQL Server Configuration page.
    Configuration Manager Setup performs the SQL Server configuration process.
  12. Restart the primary site server computer, and verify the site is functioning normally.
  13. On the site server, run serversetup.exe from the FEP installation media.
  14. On the Installation Options step, choose Advanced Topology.
  15. On the Advanced Topology step, ensure that FEP 2010 Reporting and Alerts is selected.
  16. On the Reporting Configuration step, provide the proper computer, instance, and database name for your SQL implementation. Ensure the Reuse existing database check box is selected.
  17. Proceed through setup. This process will recreate the FEP database alongside the relocated site database, and recreate the SQL jobs necessary to move information from the site database into the FEP databases. The FEPDB will be repopulated according to the information stored in the site database.
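To make steps 1, 2 and 4 of the procedure concrete, here is an added T-SQL example; it is not from the original post and is not part of FEP or Configuration Manager. It assumes site code XXX, a backup share \\backupsrv\sql, target directories D:\SQLData and E:\SQLLogs, and the logical file names used in the MOVE clauses; all of these are constructed, and RESTORE FILELISTONLY prints the real logical names to substitute.

```sql
-- Added example, not from the original post. Site code XXX, the share
-- \\backupsrv\sql, the target directories and the logical file names in the
-- MOVE clauses are assumptions; run RESTORE FILELISTONLY to get the real names.

-- === On the CURRENT (old) SQL Server instance: steps 1 and 2 ===
BACKUP DATABASE [SMS_XXX]
    TO DISK = N'\\backupsrv\sql\SMS_XXX.bak'
    WITH INIT, CHECKSUM, STATS = 10;   -- CHECKSUM catches a corrupt backup before you rely on it

BACKUP DATABASE [FEPDW_XXX]
    TO DISK = N'\\backupsrv\sql\FEPDW_XXX.bak'
    WITH INIT, CHECKSUM, STATS = 10;

-- === On the NEW SQL Server instance: step 4 ===
-- Read the logical file names out of each backup set first.
RESTORE FILELISTONLY FROM DISK = N'\\backupsrv\sql\SMS_XXX.bak';
RESTORE FILELISTONLY FROM DISK = N'\\backupsrv\sql\FEPDW_XXX.bak';

RESTORE DATABASE [SMS_XXX]
    FROM DISK = N'\\backupsrv\sql\SMS_XXX.bak'
    WITH MOVE N'SMS_XXX'     TO N'D:\SQLData\SMS_XXX.mdf',
         MOVE N'SMS_XXX_log' TO N'E:\SQLLogs\SMS_XXX_log.ldf',
         CHECKSUM, RECOVERY, STATS = 10;

RESTORE DATABASE [FEPDW_XXX]
    FROM DISK = N'\\backupsrv\sql\FEPDW_XXX.bak'
    WITH MOVE N'FEPDW_XXX'     TO N'D:\SQLData\FEPDW_XXX.mdf',
         MOVE N'FEPDW_XXX_log' TO N'E:\SQLLogs\FEPDW_XXX_log.ldf',
         CHECKSUM, RECOVERY, STATS = 10;

-- === Permissions check (the note under step 2) ===
-- Database users travel inside the backup, but server logins do not. Windows
-- logins re-map by SID as soon as they are created on the new instance; SQL
-- logins recreated on the new instance get a new SID and leave orphaned users.
USE [FEPDW_XXX];
EXEC sp_change_users_login 'Report';   -- lists orphaned SQL users, if any
USE [SMS_XXX];
EXEC sp_change_users_login 'Report';
```

Run the backup section before uninstalling FEP Reporting (step 3) and the restore section before the Configuration Manager site-maintenance run (steps 7 to 11); if the orphan report returns rows, recreate the matching logins on the new instance before reinstalling FEP Reporting.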

Definition updates: scan on update and update on startup

Hi folks,

There have been some questions about these two areas of definition updates, so I wanted to clarify this a bit.

Whenever FEP does a definition update, a silent rescan of all running processes and loaded modules is performed. If there is malware running that is now detected by the new definitions, that malware is detected within a few seconds of performing the update. There is no action needed on your part after new definitions are downloaded – this silent rescan happens automatically.

Additionally, the FEP client can be configured to check for definition updates automatically on service start. The behavior is the same as described in Checking for definition updates when starting (yes, that particular blog article deals with FCS, but the FEP behavior is the same). The registry key already exists in the FEP ADMX, which you can download as part of the FEP2010grouppolicytools-<locale>.exe here. For full documentation about all the values in the ADMX, see the FEP ADMX Reference.

Thanks!

Categories: ADMX, definition, FEP, Registry Settings, update Tags:

Forefront Endpoint Protection 2010 Update Rollup 1

By Adwait Joshi

Hello,

An Update Rollup for Forefront Endpoint Protection 2010 is now available here: http://go.microsoft.com/fwlink/?LinkId=223229

In addition to hotfixes, this Update also includes some important changes to note:

  1. Support for Windows Embedded 7 platforms:  With this update, the FEP client software is supported on certain Windows Embedded 7 platforms (including Windows Thin PC) and Windows Server 2008 Server Core.  For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
  2. Signature Update Automation Tool used with Configuration Manager Software Update:  This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates.  This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule.  The automation of the tool is done through the Windows task scheduler. To download the tool, see http://go.microsoft.com/fwlink/?LinkID=221205
  3. Two new preconfigured policy templates for the following server workloads:
    1. Microsoft Forefront Threat Management Gateway
    2. Microsoft Lync 2010

You can find more details in the “What’s New” document on the TechNet site. Please check out this KB article for a full list of fixes included in this Update Rollup.

Thanks,

Adwait Joshi

Sr. Technical Product Manager

Forefront Endpoint Protection

Forefront Endpoint Protection (FEP) 2010: FEP Reports may not display properly

From Angela Latimer, CSS

If you are using Forefront Endpoint Protection (FEP) 2010, you may have tried running one of the three default FEP reports and noticed that not all areas or sub-reports display properly. You may see an error in processing the reporting data or retrieving the data, similar to the error displayed below:

Error while trying to run the Antimalware Activity Report:


We found this error was due to the installed version of Microsoft SQL Server not being up to date with the latest Cumulative Update package. Cumulative Update packages contain hotfixes that address issues in the currently installed version of Microsoft SQL Server, which may be at Release to Manufacturing (RTM), Service Pack (SP), or Feature Release (R) level.

In digging into the details of the error related to FEP reports not displaying properly, we found the following errors in the System Center Configuration Manager Console and/or in the %drive%:\Program Files (x86)\Microsoft Configuration Manager\Logs\SRSRP.log file, reporting Error ID 7403 related to the health of SRS Reporting Point thread:

STATMSG: ID=7403 SEV=E LEV=M SOURCE=”SMS Server” COMP=”SMS_SRS_REPORTING_POINT” SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 17:57:26.302 2009 ISTR0=”HACM01″ ISTR1=”” ISTR2=”” ISTR3=”” ISTR4=”” ISTR5=”” ISTR6=”” ISTR7=”” ISTR8=”” ISTR9=”” NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)  
Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)

In the two environments we discovered this issue, Microsoft SQL Server 2008 and SQL Server 2008 R2 were running, but had NOT had the Cumulative Update package installed. As soon as this update was installed, the FEP reports began displaying properly.

At the time of this blog, these are the most current Cumulative Update Packages for Microsoft SQL Server 2008 and 2008 R2. However, you should do a Bing search to ensure you are always installing the latest version.
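As an added check that is not part of the original post, the following T-SQL reports the installed SQL Server build so it can be compared with the build published for the current Cumulative Update of that branch (2008 and 2008 R2 builds are not comparable with each other). @MinBuild is a placeholder, since the post does not list build numbers; set it from the KB article of the CU you are checking against.

```sql
-- Added example, not from the original post. @MinBuild is a PLACEHOLDER:
-- set it to the build number published for the Cumulative Update you need,
-- for the same branch (2008 or 2008 R2) as the installed instance.
DECLARE @Version  nvarchar(128) = CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));
DECLARE @MinBuild int = 0;

-- ProductVersion looks like 10.0.xxxx.0 (2008) or 10.50.xxxx.x (2008 R2).
-- PARSENAME splits on dots from the right, so part 2 is the build number.
SELECT
    @Version                              AS ProductVersion,
    SERVERPROPERTY('ProductLevel')        AS ProductLevel,   -- RTM, SP1, SP2 ...
    SERVERPROPERTY('Edition')             AS Edition,
    CAST(PARSENAME(@Version, 4) AS int)   AS Major,
    CAST(PARSENAME(@Version, 3) AS int)   AS Minor,
    CAST(PARSENAME(@Version, 2) AS int)   AS Build;

IF CAST(PARSENAME(@Version, 2) AS int) < @MinBuild
    PRINT N'Build ' + @Version + N' is below the required CU build '
        + CAST(@MinBuild AS nvarchar(10)) + N'. Install the CU, then rerun the FEP reports.';
ELSE
    PRINT N'Build ' + @Version + N' is at or above the required CU build.';
```

Run it against the instance that hosts the FEP data warehouse and Reporting Services; if the build is below the CU build, apply the CU and then check that SRSRP.log no longer logs the 7403 health-check failure.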



Using the SMSMap tool to document FEP components in your ConfigMgr hierarchy

March 5th, 2011 Comments off

From Jeff Tondt

Visio is one of the most popular tools for creating diagrams that describe effective systems and processes. In every project in which I participate, when it comes to documenting what you did I always have to create a diagram where I defined architecture, server configuration, network, etc. A picture is worth a thousand words and Visio is the tool of choice in these documentation tasks.

With SMSMap you can read FEP components and ConfigMgr/SMS site roles through COM and automate Visio to draw a diagram of the hierarchy including the FEP SQL Reporting Server, FEP Data Warehouse SQL Server, and the FEP Reporting Component.

Developed by Jeff Tondt this free utility is available at http://www.tondtware.com and works on ConfigMgr SP2 / R3 and down to SMS 2003. Seeing the whole FEP/ConfigMgr hierarchy as a picture can help you quickly understand how your infrastructure is laid out. This handy tool automates creation of your infrastructure documentation and frees you up for other Forefront product installations.

Some screenshots of SMSMap (images not reproduced in this archive).

FEP, MSE and FCS – and Windows 7 SP1

March 4th, 2011 Comments off

Hello folks!

Did you know that Windows 7 SP1 is available for download? Windows 7 SP1 brings some great features to the platform, and everyone’s pretty excited about it.

We want to make absolutely clear that Windows 7 SP1 is supported by the following endpoint security products:

If in doubt about what you have installed, view your version number: on the Help menu, click About.

If your version is reported in the range of 2.0.1677 to 2.0.2530, then you should:

  • Uninstall the unsupported pre-release version of the client currently installed, and
  • Install one of the release antimalware packages listed above, according to your organizational needs.

Thanks!

Note:  The same statements apply for Windows Server 2008 R2 SP1 as well; you need the same update to allow FCS function. (Douglas Hill 3/23/2010)

 

Categories: FCS, FEP, MSE, Windows 7 SP1 Tags:

Microsoft SpyNet?

February 22nd, 2011 Comments off

So have you ever wondered what the Microsoft SpyNet opt in page is really all about?


Microsoft SpyNet is a cloud service that allows the FEP or MSE client on your computer to report information about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC) researchers. When this information is reported, definitions for previously unknown threats can be created and distributed, minimizing the time that a new threat is spreading in the wild before protection is available. (Note: older clients, like FCS and Windows Defender, also participate in SpyNet, but to get the full benefits of SpyNet, which includes Dynamic Signature Service, you should move to FEP or MSE.)

Additionally, when your FEP or MSE client reports new malware to the Microsoft SpyNet cloud service, the Dynamic Signature Service can recognize when a definition is available but not yet released, and deliver the definition for that specific threat in real time from the cloud. Upon delivery of the dynamic signature, the threat will be detected and can be removed from the system.

Hey – here’s a thought. Take 3 minutes and watch the video “Microsoft SpyNet and the Dynamic Signature Service in action” (embedded video not reproduced in this archive).

Categories: Dynamic Signature Service, FCS, FEP, SpyNet Tags:

Reporting Workbooks

February 4th, 2011 Comments off

Hello!

A while back we posted a reporting workbook for the Forefront Endpoint Protection Security Management Pack. This workbook allows you to connect to your FEP Security Management Pack database and create custom reports based on the data contained within the database.

We have a new addition to this – a workbook you can use to create custom FEP reports. This new workbook works in much the same way as the one previously released. You must first connect the workbook to your FEP database, and then you can use the worksheets to generate custom reports based on the data contained within the database.

In order to make it easier for you to find both workbooks, I’ve attached a zip file that contains both of them to this blog article (if you already downloaded the one for the FEP Security Management Pack, it has not changed). Each workbook has instructions on the first worksheet on how to connect it to your database.

Enjoy!

Using the MscSupport tool to collect data for troubleshooting

February 1st, 2011 Comments off

 

The MscSupport tool is designed to collect support data for troubleshooting Forefront Endpoint Protection. You can download the tool from the Forefront Endpoint Protection 2010 Tools download page (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=04f7d456-24a2-4061-a2ed-82fe93a03fd5).

When to use the MscSupport tool

It is a troubleshooting tool, so you only need to run it when you have a problem with Forefront Endpoint Protection.
On the other hand, you don’t need to run the tool on every occasion. Typically you need to collect the MscSupport data in the following scenarios:

  • Remote online troubleshooting is difficult
  • The cause of the problem is not clear
  • You have a Support case with Microsoft

What data does the tool collect

The data collected depends on the system you run the tool on. The tool collects additional information when it is run on the server hosting the FEP2010 server roles.

The Support files are files that contain FEP2010-specific information. This information can be gathered when you run the following command (located in C:\Program Files\Microsoft Security Client\Antimalware) in a Command Prompt:

Mpcmdrun -GetFiles

The following data is collected:

  • Any trace files from Microsoft Antimalware Service
  • The Windows Update history log
  • All Microsoft Antimalware Service events from the System event log
  • All relevant Microsoft Antimalware Service registry locations
  • The log file of this tool
  • The log file of the signature update helper tool

Microsoft is committed to protecting your privacy. Please read the Microsoft Privacy Statement (http://go.microsoft.com/fwlink/?LinkId=81184) for more information.

How to run the MscSupport tool

The tool must be executed with Administrator privileges on the system you want to collect the data from, otherwise the data collected by the tool may not be complete.

The data the tool collects will be placed in a cabinet file and is located in %SystemDrive%\MscSupportData

  1. Open Windows Explorer and navigate to the location where you stored the tool
  2. Right-click MscSupportTool.exe and click Run as administrator
  3. The tool will start to collect the support data


  4. When data gathering is complete, you can close or open the folder that contains the CAB file


Kurt Sarens, Senior Support Engineer

Categories: FEP, log files, mscsupport, Troubleshooting Tags:

Changing the FEP2010 Reporting Account

January 28th, 2011 Comments off

The FEP2010 Reporting account is defined during the FEP server setup, with the installation of the Reporting role to be exact.
The account is used by SQL Reporting Services (SRS) to access the FEP data source used by reporting. Incorrect credentials may result in an error as below or similar:


This post provides the steps needed to change the reporting account, should you need to do so.

Note: all below steps must be executed with an administrator account.

Access to the FEP database used by reporting

These steps must be executed on the SQL Server hosting the data warehouse database (FEPDW_XXX, where XXX is your Configuration Manager site code).

  1. Open SQL Management Studio and select Database engine from the Server type list. Enter or browse the SQL Server name hosting the reporting database.
  2. Under the Security container in SQL Management Studio, right-click Logins and then click New Login.
  3. Enter the login name (including domain) for your new reporting account.
  4. On the left-hand side in the Page selection area, select User Mappings.
  5. On the right-hand side, select the FEPDW_XXX database.
  6. In the Database role membership area below, check AN_ReaderRole and then click OK.
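The same grant, done in T-SQL rather than through the SQL Management Studio dialogs, as an added example that is not from the original post: it assumes site code XXX and a constructed account name CONTOSO\svc-fepreport; the role name AN_ReaderRole is the one the post names. It covers only this section; the Analysis Services role, the report server data source and the REPORTUSER registry value still need the steps that follow.

```sql
-- Added example, not from the original post. Site code XXX and the account
-- CONTOSO\svc-fepreport are constructed placeholders; AN_ReaderRole is the
-- database role named in the post.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\svc-fepreport')
    CREATE LOGIN [CONTOSO\svc-fepreport] FROM WINDOWS;   -- step 3: the server login

USE [FEPDW_XXX];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\svc-fepreport')
    CREATE USER [CONTOSO\svc-fepreport] FOR LOGIN [CONTOSO\svc-fepreport];  -- steps 4 and 5: the user mapping

EXEC sp_addrolemember N'AN_ReaderRole', N'CONTOSO\svc-fepreport';             -- step 6: read-only role

-- Verify: every member of AN_ReaderRole in the data warehouse.
SELECT dp.name AS DatabaseUser, r.name AS RoleName
FROM sys.database_role_members AS rm
JOIN sys.database_principals  AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals  AS dp ON dp.principal_id = rm.member_principal_id
WHERE r.name = N'AN_ReaderRole';

-- Once the report server and the REPORTUSER registry value point at the new
-- account, drop the old account's membership so it no longer reads the warehouse
-- (old account name is a placeholder):
-- EXEC sp_droprolemember N'AN_ReaderRole', N'CONTOSO\svc-fepreport-old';
```

Only AN_ReaderRole is granted; the reporting account needs read access to the warehouse and nothing more, so avoid adding it to db_owner or to the instance's sysadmin role as a shortcut.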

Access to the OLAP cube

These steps must be executed on the SQL server hosting the data warehouse database (FEPDW_XXX, where XXX is your Configuration Manager site code).

  1. In SQL Management Studio, select Connect Object Explorer from the File menu.
  2. In the Connect to Server window, select Analysis Services from the Server type list.
  3. Expand the FEPDW_XXX database and the Roles container.
  4. Right-click the ReportsUserReadRole and click Properties.
  5. Click the Membership page on the right-hand side.
  6. Add your new reporting account if it is not listed on the right-hand pane by clicking the Add button.
  7. Remove the old reporting account from the list.

Change the account on the Reporting server

These steps can be executed from any system. XXX is your Configuration Manager site code.

  1. Open http://<reportserver>/reports (replace <reportserver> with the name of the report server).
  2. Click the Forefront Endpoint Protection_XXX link.
  3. Click the Show Details button in the top right.
  4. Click the DataSources link.
  5. Click the DefaultDataSource link.
  6. Enter the credentials of the new reporting account and click Apply.

Update the reporting account in the registry

These steps must be executed on the server hosting the FEP2010 Reporting role.

  1. Open the registry editor on the reporting server.
  2. Navigate to HKLM\Software\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\Server
  3. Double-click REPORTUSER and enter the new reporting account (in the format domain\username).
  4. Close the registry editor.

Kurt Sarens, Senior Support Engineer

Limited FEP Administrators….

January 25th, 2011 Comments off

One of our support engineers, Jeramy Skidmore, has posted a fantastic article on how to provision a limited FEP Administrator in the Configuration Manager console.

He walks you through the process of provisioning the new FEP Administrator, installing the Configuration Manager console and then the FEP console extensions for Configuration Manager, and then creating the custom MMC for the newly provisioned FEP Admin.

Take a look: http://social.technet.microsoft.com/wiki/contents/articles/setting-up-a-new-fep-administrator.aspx

Thanks Jeramy!!

FEP data collection job fails periodically

January 24th, 2011 Comments off

We wanted to update you about an issue with FEP that you may have seen in your organization. This is a known issue, and we’ll keep you up to date with developments.

Symptoms:

Periodically, the FEP data collection job (FEP_GetNewData_FEPDW_xyz) fails. When the job fails, the FEP Health Management Pack for Operations Manager and the FEP BPA report an error with the FEP data warehouse job either failing or not running. The failure is in one of the following job steps:

  • Step 6: End raise error section on DW, raise errors that were thrown from DW DB
  • Step 7: ssisFEP_GetErrorsDuringUpload_FEPDW_xyz

Cause:

This happens because of the following scenario:

  1. The antimalware client is from time to time sending a malformed malware detection data item to the FEP server.
  2. The server tries to process this data item as part of the data collection job (FEP_GetNewData_FEPDW_xyz).
  3. During data item processing, the job sees that this data item is malformed and ignores it.
  4. After processing completes, the data collection job (FEP_GetNewData_FEPDW_xyz) looks to see if any data items were malformed, and if so, it fails the job.

Impact:

  • Malformed data items are lost (they don’t get processed); all properly-formed data items are processed.
  • You may experience a small performance impact during the data collection job (FEP_GetNewData_FEPDW_xyz) due to the handling of malformed data items.
  • The data collection job (FEP_GetNewData_FEPDW_xyz) appears as failed in the job history.
  • If the SQL Server Monitoring Management Pack is installed on your Operations Manager server, the data collection job (FEP_GetNewData_FEPDW_xyz) appears with an error.
  • If the Forefront Endpoint Protection Server Health Monitoring Management Pack is installed on your Operations Manager server, the FEP deployment appears as critical and an alert is issued.
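To tell this known failure apart from something that needs investigation, here is an added T-SQL query (not from the original post) against the SQL Server Agent history on the server running the data collection job. It uses the job name as given above with the placeholder site code xyz; msdb.dbo.sysjobs, sysjobhistory and agent_datetime are standard Agent objects.

```sql
-- Added example, not from the original post. Site code xyz is the placeholder
-- used in the post; msdb.dbo.sysjobs, sysjobhistory and agent_datetime are
-- standard SQL Server Agent objects.
USE [msdb];

-- Failed step rows for the FEP data collection job over the last 7 days,
-- classified by whether the failing step is one of the two named above.
SELECT
    j.name                                               AS JobName,
    h.step_id                                            AS StepId,
    h.step_name                                          AS StepName,
    msdb.dbo.agent_datetime(h.run_date, h.run_time)      AS RunTime,
    CASE WHEN h.step_id IN (6, 7)
         THEN 'known: malformed data item skipped, other items processed'
         ELSE 'investigate: not the known cause' END     AS Classification,
    h.message                                            AS Message
FROM msdb.dbo.sysjobs        AS j
JOIN msdb.dbo.sysjobhistory  AS h ON h.job_id = j.job_id
WHERE j.name = N'FEP_GetNewData_FEPDW_xyz'
  AND h.step_id > 0            -- step_id 0 is the whole-job outcome row
  AND h.run_status = 0         -- 0 = Failed, 1 = Succeeded, 2 = Retry, 3 = Canceled
  AND h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(day, -7, GETDATE()), 112))
ORDER BY RunTime DESC, h.step_id;

-- Summary: failures per step. Failures outside steps 6 and 7 are not explained
-- by the scenario above; a sharp rise at 6/7 means many data items are being
-- dropped and is worth a closer look at the clients that send them.
SELECT h.step_id, h.step_name, COUNT(*) AS Failures
FROM msdb.dbo.sysjobs        AS j
JOIN msdb.dbo.sysjobhistory  AS h ON h.job_id = j.job_id
WHERE j.name = N'FEP_GetNewData_FEPDW_xyz'
  AND h.step_id > 0 AND h.run_status = 0
GROUP BY h.step_id, h.step_name
ORDER BY h.step_id;
```

Because the Operations Manager management packs alert on the job outcome alone, a query like this is the quickest way to confirm that a red job is the documented step 6/7 case and that properly formed detection data is still reaching the warehouse.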

FEP Capacity Planning Worksheet

January 19th, 2011 Comments off

Greetings!

Attached to this blog post is the FEP Datawarehouse Space Capacity Planning worksheet. You can use this worksheet to help estimate the amount of disk space needed based on the following values:

  • Number of client computers in your FEP 2010 deployment
  • The number of days to retain data (the retention period)
  • The average number of Configuration Manager collections to which each client computer belongs
  • The average number of detections per client computer, per day

After you enter your values in the yellow area, the calculated results appear in the following rows. Each row gives the average record size, the number of records per computer per day, the total size of that record type in the database, and the percentage of total space used by that record type.

The final row in the spreadsheet, in green, gives you the total estimated size of the FEP Datawarehouse, given the values you supplied.

Enjoy!