3.0 Configure and Install SCEP Antimalware Policies

To be performed by SCCM Administrators and security team


SCEP Client policies define where the client can obtain the defintion updates, when does it perform scans, and what files are scanned.
In order to create a new policy, right click on Assets and Compliance and click on Create Antimalware Policy. As a best practice, a new policy should be created and deployed to a limited number of computers using a collection.

 The SCCM Antimalware Policy allows us to set the following options:

• Scheduled Scans
• Scan Settings
• Default Actions
• Real-Time Protection
• Exclusion Settings
• Advanced Settings
• Threat Overrides
• Microsoft Active Protection Service
• Definition updates

The section below provides the best practice settings for the Antimalware Policy settings. The details of each scan setting are available at the following link:
http://www.microsoft.com/sqlserver/en/us/get-sql-server/try-it.aspx



Scheduled Scans
The schedules scans settings enable to specify the behavior of the scan details for a client.

Setting Description	Setting	Default
Scan time	4:00pm	2:00am
Check for the latest definitions updates before running a scan	True	False
Randomize the scheduled scan start time (within 30 minutes)	True	False

Scan Settings

The scans settings specify the content that should be scanned on a client.

Setting Description	Setting	Default
Scan email and email attachments	True	False
Scan archived files	True	False
Randomize the scheduled scan start time (within 30 minutes)	True	False

Default Actions
The default actions allow SCEP to respond to certain threats in a specified manner.

Real-Time Protection
The real-time protection settings allow SCEP to ascertain whether to scan real time files such as program activity, scripts, and system files etc.

Exclusion Settings
The exclusion settings allows SCEP to exclude certain files and file types from Antivirus scans

The following files are excluded from any antivirus scans.

Advanced Settings

Advances settings allow SCEP to configure additional settings such as user interaction with the agent and other antivirus settings.

Threat Overrides

Threat Override settings allow SCEP to define remediation actions that can be taken for a specified threat name when detected during a scheduled scan.

All the threats are enlisted in SCEP and an appropriate action can be ascertained.

Microsoft Active Protection Service
The Microsoft Active Protection Service enables MS to collect and send information about and detected Malware.

Definition updates


The defintion updates setting allows SCEP to determine the methodology to deploy definitions.

Setting Description	Setting	Default
Check for EndPoint	6 hours	8 hours
Check for end point protection definitions daily at	12 PM	3 PM
Set sources and Order for Endpoint Protection definition updates	3 Updates from SCCM Updates from UNC Share Updates from Malware Protection Center	1

Antivirus definitions will also be downloaded manually to a UNC path on the Primary Site Server such that the definitions are available to all clients even if the SCCM CAS server goes down and is not able to dync the latest definitions from Microsoft.

Other guides:

1. Setup End Point Protection Server
3. Configure and Install SCEP Antimalware Policies
4. Configure and Install Antivirus Definition
5. Validate SCEP Settings on Client
6. Configure Alerts in SCEP
Configure and Install SCEP Client Agent