If you have local administrators they might uninstall Forefront Endpoint Protection 2010 from their system, to keep track of this and automatically remediating this. Then you have the option to advertise a FEP installation to the built-in collection for FEP called “Locally Removed”. So if a user uninstalls the client they will get it automatically again.
Don’t forget to set the advertisement to always rerun. Its also a good idea to keep track of the advertisement to make sure you don’t have clients that end up in a loop.
Note: I have seen some cases where there is an issue with clients ending up in this collection without having the client uninstalled. Usually triggering a Hardware Inventory resolves this.
As some of you might have noticed there is no Tamper protection with Forefront Endpoint Protection 2010. So how would you handle this in your environment ?
Usually the issue comes if you have your users as local administrators on their PCs they have full control over their PC.
So there are different ways to go around this. My first way to handle this is to configure a GPO that controls the Microsoft Antimalware Service. And set the Service to automatically start and only your real administrators to have the Start and Stop Rights.
My option 2 is to have a advertisement with a reoccurring script or startup script to set the service to start automatically and start the service it if its stopped. The target is the Built-in Collection
strComputer = "."
Set objWMIService = GetObject("winmgmts:\" & strComputer & "rootcimv2")
Set colServiceList = objWMIService.ExecQuery _
("Select * from Win32_Service where Name = ‘MsMpSvc’")
For Each objService in colServiceList
errReturnCode = objService.StartService()
Quite frequently the question where do I see what the latest release definition updates are from Microsoft. Sometime you want to compare and check so you have the latest definitions in your environent.
At the url posted below you will find the latest information about definitions and the ability to download them manually.
After the session I got some questions regarding the MOM Agent for the FCS Client when upgrading. Apparently my tongue slipped and I misstated the behavior of the MOM Agent uninstallation. My apologies for that.
The intended action is that the MOM Agent should get uninstalled although there has been some minor issues detected with this. But the normal behavior should be that the MOM Agent should get uninstalled! Although if the MOM agent is multihomed uninstallation will prompt for this. If you encounter the behavior where the client is not uninstalled please contact Microsoft Support.
Below you will find a link with the presentation as promised. At the end you will find the links discussed in the presentation. For those of you who have other question feel free to contact me.
I forgot to mention our Swedish based System Center User Group that is found @ www.scug.se
ALL CODE IS PROVIDED AS IS WITH NO WARRANTIES
Forefont can use Microsoft Update to get definitions and sometime you need to open proxy servers and firewalls for this. It is not a must to use this source but if you are using this method , I have posted a list below of known urls for Microsoft Update that you can exclude or allow in your proxy or firewall.
If you have viruses or malware that hasn’t been detected by Forefront Endpoint Protection, you can use this link below to submit samples for analysis.
The answer is it depends, this information is from a icrosoft presentation and the information may change without further notice.
Microsoft reset the definition updates through a process they call ‘re-base’ – currently once a month as part of the engine release
Today there are 4 types of packages which can be used to update FEP clients
- Full (~55MB)
The full signature set (called the base) + any signatures since the last engine release (delta)Most recent engine
- Delta (ranges from ~200KB to ~5MB)
Contains the incremental signatures added since the last engine release (rebase).
- Binary Delta Engine (BDE) (ranges from ~2MB to ~15MB)
Binary diff of the previous base and engine with current base and engine plus the current incremental delta of signatures
- Binary Delta Delta (BDD) (ranges from ~100KB to ~1MB)
BDD package is different than Delta package since it will offer differential content from the previous release. Hence only new content is offered to the user.
All three package types are available on MU
Only Full packages are available on the Download Center
Internal detection logic allows each client to download the smallest package size available
The more up-to-date the client, the smaller package that client needs to download.
- First install or really out-dated (>2 engine releases behind) => Full package
- Older signatures, old engine => BDE package
- signature > 36h, current engine => delta package
- signature < 36h, current engine => bdd package
If you want to track definitions and se how your client behaves have alook in this folder (Win7)
ProgramDataMicrosoftMicrosoft AntimalwareDefinition UpdatesBackup