‘Microsoft Antimalware’ Tag
The FEP dashboard located in the SCCM console has a wealth of information. It provides FEP admins with a snapshot of the overall health of the FEP deployment and various statistics, including recent malware activity, definition status, and even when FEP has been disabled on an endpoint.
The dashboard information is based on a series of FEP collections automatically created when you deploy the FEP server roles. The collections are named for the purposes they serve. For example, the FEP collection “Recent Malware Activity” displays all of the clients that have FEP installed and have reported malware activity in the last 24 hours. The collection membership rules for FEP are complex, and since the FEP dashboard relies on this information, the collections are locked and the membership rules cannot be modified. You cannot even view the query from the SCCM console. However, where there is a will, there is a way.
If you should ever need to administer a local FEP client from the command line, you’re going to need to make use of MpCmdRun.exe. This program can be found in the “C:\Program Files\Microsoft Security Client\Antimalware” directory. MpCmdRun has several important functions; in this post we’ll be discussing some of the more useful options.
First there is the “-Scan” option, which can be useful if you’re troubleshooting a system that is not allowing you access to the FEP client GUI. You’ll also need to enter a parameter for which type of scan you would like the client to perform:
Out of the box, FEP provides several channels for delivering definition updates to clients. The three basic options are updates through WSUS/SUP, UNC file shares, and connecting to Microsoft Update. The procedure in this video presents a fourth option, which further leverages the capabilities and resources of SCCM. Essentially, the procedure uses a VBS script running in Task Scheduler to pull delta definitions from the Microsoft Malware Protection Center; SCCM then bundles them into a package, which is pushed out to your Distribution Points and advertised to your FEP clients on a recurring schedule.
While FEP has great reporting features available in the SCCM console and through SQL Reporting Services, it’s entirely possible that you might find yourself attempting to troubleshoot a malware issue without access to either resource. Fortunately, Microsoft has added a set of detailed client-side logs for you to make use of.
The log we will be focusing on today is the MPLog, which you can locate in the “C:\ProgramData\Microsoft\Microsoft Antimalware\Support” directory. (Note: this directory is hidden by default.) Below are some examples of how the MPLog can be useful to you.