Antimalware Protection Tag
Most ILM/FIM implementations require some custom code extensions, and debugging these extensions is an important part of the development process. When developing code extensions for ILM and FIM, one of the configurable options is to run your code in a separate process. This is an option for ECMA, MA and …
The FEP dashboard located on the SCCM console has a wealth of information. It provides FEP admins with a snapshot of the overall health of your FEP deployment and various statistics including recent malware activity, definition status, and even when FEP has been disabled on an endpoint.
The dashboard information is based on a series of FEP collections automatically created when you deploy the FEP server roles. The collections are named based on the purposes they serve. For example, the FEP collection, “Recent Malware Activity,” will display all of the clients that have FEP installed and have reported malware activity in the last 24 hours. The collection membership rules for FEP are complex and since the FEP dashboard relies on this information, the collections are locked and the membership rules cannot be modified. You cannot even view the query from the SCCM console. However, where there is a will, there is a way.
In addition to the three definition update mechanisms defined in the FEP policy (WSUS, UNC and Windows Update), there is a little-known fourth update mechanism built into the client. This fourth definition update channel is designed to provide a fallback if all of the other methods fail and the client falls more than 14 days out of date.
When deploying Forefront Endpoint Protection, making a few simple changes to your existing Antivirus Software before installing FEP can increase the success of your deployment. Below is a list of tasks:
1.) Disable any passwords for your AV software – Symantec, Trend, etc. all have an option for password protecting the AV client. Common password protection configurations include removing the ability to view the console and to uninstall the AV product. Though this feature helps lock down the client, it can also hinder your AV removal routine.
Did you miss our FEP Webinar series? A recording is now available in our Media Library
If you should ever need to administer a local FEP client through the CLI, you’re going to need to make use of MpCmdRun.exe. This program can be found in the “C:\Program Files\Microsoft Security Client\Antimalware” directory. MpCmdRun has several important functions; in this post we’ll be discussing some of the more useful options.
First there is the “-Scan” option, which could be useful if you’re troubleshooting a system that is not allowing you access to the FEP client GUI. You’ll also need to enter a parameter for which type of scan you would like the client to perform:
Out of the box, FEP provides several channels for delivering definition updates to clients. The three basic options are updates through WSUS/SUP, UNC file shares, and connecting to Microsoft Update. The procedure in this video presents a fourth option, which further leverages the capabilities and resources of SCCM. Essentially, the procedure uses a VBS script running in Task Scheduler to pull delta definitions from the Microsoft Malware Protection Center; SCCM then bundles them into a package which is pushed out to your Distribution Points and advertised to your FEP clients on a recurring schedule.
While FEP has great reporting features available in the SCCM console and through SQL Reporting Services, it’s entirely possible that you might find yourself attempting to troubleshoot a malware issue without access to either resource. Fortunately, Microsoft has added a set of detailed client-side logs for you to make use of.
The log we will be focusing on today is the MPlog, which you can locate in the “C:\ProgramData\Microsoft\Microsoft Antimalware\Support” directory. (Note: this directory is hidden by default.) Below are some examples of how the MPlog can be useful to you.