Sunday, February 12, 2012

3.0 Configure and Install SCEP Antimalware Policies

To be performed by SCCM administrators and the security team

SCEP client policies define where the client obtains definition updates, when it performs scans, and which files are scanned.
To create a new policy, open the Assets and Compliance workspace, expand Endpoint Protection, right-click Antimalware Policies and click Create Antimalware Policy. As a best practice, a new policy should first be deployed to a limited number of computers through a pilot collection, and rolled out more widely only after it has been validated there; the default client settings policy is inherited by every client, so a mistake in a broadly deployed policy affects the whole estate.
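The procedure above scripted with the Configuration Manager PowerShell module, as an added example that is not part of the original post. Assumed values: site code P01, the console installed in its default path, a pre-created device collection named "SCEP Pilot", and the template file name under XmlStorage\EPTemplates; verify the cmdlet parameters against the module shipped with your console version.

```powershell
# Added example (not from the original post): create a pilot SCEP antimalware
# policy from a template and deploy it only to a small pilot collection.
# Run from an elevated PowerShell on a machine with the ConfigMgr console.

$SiteCode    = 'P01'                                                            # assumption
$ConsoleRoot = "${env:ProgramFiles(x86)}\Microsoft Configuration Manager\AdminConsole"  # assumption
$PolicyName  = 'SCEP Pilot - Workstations'                                      # assumption
$PilotColl   = 'SCEP Pilot'                                                     # assumption: collection exists
$Template    = Join-Path $ConsoleRoot 'XmlStorage\EPTemplates\FEP_Default_Workstation.xml'  # assumption: template name

# Load the module and switch to the site drive (a PS drive named after the site code).
Import-Module (Join-Path $ConsoleRoot 'bin\ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# Refuse to continue if the pilot collection is missing or unexpectedly large:
# deploying a new policy to 'All Systems' by mistake is the failure we want to avoid.
$coll = Get-CMDeviceCollection -Name $PilotColl
if (-not $coll) { throw "Pilot collection '$PilotColl' not found; create it first." }
if ($coll.MemberCount -gt 50) { throw "Pilot collection has $($coll.MemberCount) members; keep the pilot small." }

# Create the policy from a template, importing the setting groups listed in
# this guide. Groups not imported fall back to the default antimalware policy.
if (-not (Get-CMAntimalwarePolicy -Name $PolicyName)) {
    New-CMAntimalwarePolicy -Name $PolicyName -Path $Template `
        -Policy ScheduledScans, ScanSettings, DefaultActions, RealTimeProtection, `
                ExclusionSettings, Advanced, ThreatOverrides, `
                MicrosoftActiveProtectionService, DefinitionUpdates `
        -Description 'Pilot policy; review each setting group in the console before wider rollout' | Out-Null
}

# Deploy to the pilot collection only. Widen the deployment after the pilot
# clients report the expected settings (see the client validation guide).
Start-CMAntimalwarePolicyDeployment -AntimalwarePolicyName $PolicyName -CollectionName $PilotColl
```

After the pilot has run for a scan cycle, check the Endpoint Protection status reports for the pilot collection before deploying the same policy to production collections.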

 The SCCM Antimalware Policy allows us to set the following options:
  • Scheduled Scans
  • Scan Settings
  • Default Actions
  • Real-Time Protection
  • Exclusion Settings
  • Advanced Settings
  • Threat Overrides
  • Microsoft Active Protection Service
  • Definition updates
The sections below give the recommended values for each group of settings. The details of each setting are available at the following link:

Scheduled Scans
The scheduled scan settings specify when and how the scheduled scan runs on a client.

Setting                                                          Recommended    Default
Scan time                                                        4:00 PM        2:00 AM
Check for the latest definition updates before running a scan    True           False
Randomize the scheduled scan start time (within 30 minutes)      True           False

Checking for definitions before the scan ensures the scan runs with current signatures. Randomizing the start time prevents every client, in particular virtual machines sharing a host, from starting a full scan at the same moment.

Scan Settings

The scan settings specify the content that should be scanned on a client.

Setting                                      Recommended    Default
Scan email and email attachments             True           False
Scan archived files                          True           False

Default Actions
The default actions define how SCEP responds to a detected threat (remove, quarantine or allow) for each alert level (severe, high, medium and low).

Real-Time Protection
The real-time protection settings control whether SCEP monitors file and program activity, scripts and system files as they are accessed, rather than waiting for a scheduled scan.

Exclusion Settings
The exclusion settings allow SCEP to exclude specified files, folders, file types and processes from antivirus scans. Keep the exclusion list as short as possible and avoid broad paths such as whole drives or user-writable folders: anything dropped into an excluded location is never scanned, and exclusions are a common way for a hardened policy to be quietly weakened.

The following files are excluded from any antivirus scans.

Advanced Settings

Advanced settings allow SCEP to configure additional behaviour such as user interaction with the agent and other antivirus settings.

Threat Overrides

Threat override settings allow SCEP to define the remediation action to take for a specified threat name when it is detected during a scheduled scan.

Threats are identified by name, and a specific action can be assigned to each one, overriding the default action for its alert level.

Microsoft Active Protection Service
The Microsoft Active Protection Service setting controls whether the client sends Microsoft information about detected malware.

Definition updates

The definition update settings determine how often the client checks for definitions and from which sources, in which order, it obtains them.

Setting                                                                      Recommended    Default
Check for Endpoint Protection definitions at a specific interval (hours)     6 hours        8 hours
Check for Endpoint Protection definitions daily at                           12 PM          3 PM
Set sources and order for Endpoint Protection definition updates             3 sources, in this order:
  • Updates from SCCM
  • Updates from UNC share
  • Updates from Malware Protection Center
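A client-side check of the three definition update settings above, as an added example that is not part of the original post. It assumes SCEP stores the applied policy under the "Microsoft Antimalware" policy key with the value names used by the Microsoft antimalware engine (SignatureUpdateInterval, FallbackOrder, DefinitionUpdateFileSharesSources) and the current definition state under the corresponding non-policy key; the UNC path \\SITESERVER\Definitions is a placeholder. Confirm the key and value names on one client before relying on the script.

```powershell
# Added example (not from the original post): compare the definition-update
# settings applied to this SCEP client against the recommended values, and
# flag stale definitions. Registry locations and value names are assumptions.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates'  # assumption
$StatusKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'           # assumption
$ExpectedUnc      = '\\SITESERVER\Definitions'   # placeholder for the fallback share
$ExpectedInterval = 6                             # hours, per the table above

$p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if (-not $p) { throw "No SCEP definition-update policy found under $PolicyKey" }

$findings = @()

# Interval: the policy value is in hours; 0 would disable interval checks entirely.
if ([int]$p.SignatureUpdateInterval -ne $ExpectedInterval) {
    $findings += "Update interval is $($p.SignatureUpdateInterval)h, expected ${ExpectedInterval}h"
}

# Source order: the UNC share must be present as a fallback source.
if ($p.FallbackOrder -notmatch 'FileShares') {
    $findings += "UNC share fallback missing from source order: '$($p.FallbackOrder)'"
}

# Share list: pipe-separated UNC paths (assumption); the staged share must be listed.
$shares = @()
if ($p.DefinitionUpdateFileSharesSources) { $shares = $p.DefinitionUpdateFileSharesSources -split '\|' }
if ($shares -notcontains $ExpectedUnc) {
    $findings += "UNC source list '$($p.DefinitionUpdateFileSharesSources)' does not include $ExpectedUnc"
}

# Freshness: a correct policy with stale definitions still leaves the host
# exposed. SignaturesLastUpdated is a binary FILETIME (assumption).
$s = Get-ItemProperty -Path $StatusKey -ErrorAction SilentlyContinue
if ($s -and $s.SignaturesLastUpdated) {
    $last = [DateTime]::FromFileTime([BitConverter]::ToInt64($s.SignaturesLastUpdated, 0))
    if (((Get-Date) - $last) -gt [TimeSpan]::FromDays(1)) {
        $findings += "Definitions $($s.AVSignatureVersion) last updated $last (older than 1 day)"
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "Definition update settings on $env:COMPUTERNAME match the recommended values."
```

The non-zero exit code lets the script run as a configuration baseline or scheduled task whose failures surface in reporting rather than on the console of a single machine.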

Antivirus definitions will also be downloaded manually to a UNC path on the primary site server, so that definitions remain available to all clients even if the SCCM CAS (Central Administration Site) server goes down and cannot sync the latest definitions from Microsoft.
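One way to stage that fallback copy, as an added example that is not part of the original post. Beyond the download itself it performs the two checks that make a definition share safe to trust: the package carries a valid Microsoft Authenticode signature, and no broad group has write access to the share. The share path \\SITESERVER\Definitions is a placeholder; the download URL is Microsoft's public fwlink for the x64 definition package (mpam-fe.exe).

```powershell
# Added example (not from the original post): stage the current definition
# package on the fallback UNC share, verify its signature, and check the
# share's NTFS ACL. Run on the primary site server with rights to the share.

$Share   = '\\SITESERVER\Definitions'                               # placeholder
$Url     = 'http://go.microsoft.com/fwlink/?LinkID=121721&arch=x64'  # x64 mpam-fe.exe
$Staged  = Join-Path $Share 'x64\mpam-fe.exe'
$TempPkg = Join-Path $env:TEMP 'mpam-fe.exe'

# 1. Download to a temp location, never straight into the share, so clients
#    never pick up a half-written or unverified file.
(New-Object System.Net.WebClient).DownloadFile($Url, $TempPkg)

# 2. Verify the Authenticode signature. The package is an executable every
#    client will run; an unsigned or tampered file on a share all clients
#    trust is a code-execution path to the whole estate.
$sig = Get-AuthenticodeSignature -FilePath $TempPkg
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Remove-Item $TempPkg -Force
    throw "Definition package failed signature check: $($sig.Status) / $($sig.SignerCertificate.Subject)"
}

# 3. NTFS ACL check: clients need Read only. Any Allow ACE granting write,
#    modify, delete or full control to a broad group is a finding.
#    (Get-Acl on a UNC path returns the NTFS ACL of the folder; share-level
#    permissions must be reviewed separately.)
$broad     = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -Path $Share
$bad = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id = $ace.IdentityReference.Value
    $isBroad = $false
    foreach ($b in $broad) { if ($id -like "*$b") { $isBroad = $true } }
    if ($isBroad -and (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0)) { $ace }
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning "Writable by $($_.IdentityReference): $($_.FileSystemRights)" }
    throw "Share $Share is writable by non-administrators; fix the ACL before publishing definitions."
}

# 4. Publish: copy beside the target, then rename over it, so a client that
#    is mid-download never sees a truncated package.
New-Item -ItemType Directory -Path (Split-Path $Staged) -Force | Out-Null
Copy-Item $TempPkg "$Staged.tmp" -Force
Move-Item "$Staged.tmp" $Staged -Force
Remove-Item $TempPkg -Force
Write-Output "Staged $Staged (signed by $($sig.SignerCertificate.Subject))"
```

A client can be pointed at the share directly for a test with the SCEP command-line tool, for example `MpCmdRun.exe -SignatureUpdate -UNC \\SITESERVER\Definitions`; for a 32-bit package use the corresponding 32-bit fwlink and a separate x86 folder on the share.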

Other guides:
  1. Setup End Point Protection Server
  2. Configure and Install SCEP Antimalware Policies
  3. Configure and Install Antivirus Definition
  4. Validate SCEP Settings on Client
  5. Configure Alerts in SCEP
  6. Configure and Install SCEP Client Agent
