Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Transcription

1 . All right reserved. For more information about Specops Deploy and other Specops products, visit

2 Copyright and Trademarks Specops Deploy is a trademark owned by Specops Software. All other trademarks used in this document belong to their respective owners. 2

3 Contents Key components 6 Managing policies 7 Create a new policy 7 Edit an existing policy 8 GPO settings 9 General settings 9 Advanced settings 12 Reporting 21 View predefined Reports 21 Create a new report 22 Edit an existing report 23 Export Report data 24 Delete a Report 25 template customization 26 Specops Deploy / Endpoint Protection registry settings 27 3

4 About this guide This guide is intended for administrators who are responsible for managing Forefront/System Center Endpoint Protection clients. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Deploy / Endpoint Protection. You can find the Specops Deploy / Endpoint Protection Installation Guide at 4

5 About Specops Deploy / Endpoint Protection Specops Deploy / Endpoint Protection integrates Microsoft Forefront/System Center Endpoint Protection with Active Directory and Group Policy. Specops Deploy / Endpoint Protection will allow you to administer the Forefront/System Center Endpoint Protection client through Group Policy, without implementing the full System Center solution. Specops Deploy / Endpoint Protection is a component of the Specops Desktop Management suite. You can learn more about Specops Deploy and other Specops products at 5

6 Key components Specops Deploy GPMC-snap in: You can use the Specops Deploy GPMC-snap in to create new Specops Deploy / Endpoint Protection GPOs. You can also add settings to an existing GPO, and use security filtering to gain more granular control over which computers should have which settings. Specops Reporting: You can use Specops Reporting to view reports and monitor the status of your Endpoint Protection clients. Specops Reporting creates reports of the data contained in the Specops Deploy / Endpoint Protection feedback database. Specops Reporting contains several predefined reports, but also allows you to create your own report definitions. 6

7 Managing Policies The Specops Deploy GPMC snap-in can be used to manage GPOs. You can access the Specops Deploy GPMC snap-in from the Group Policy Management Editor. Create a new policy The Specops Deploy GPMC snap-in works within the context of one GPO. The scope of the GPO should contain all the computers and users that you want to manage software for. 1. In the GPMC, expand your domain node, and locate the GPO node. 2. Right-click on the GPO node, and select New. 3. Enter a name for the Group Policy Object, and click OK. 4. Right click on the new GPO node, and select Edit. 5. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and select Specops Deploy / Endpoint Protection. 6. Click Edit. 7. Configure the policy, and click OK. 7

8 Edit an existing policy 1. In the GPMC, expand your domain node, and locate the GPO you want to edit. 2. Right click on the new GPO node, and select Edit. 3. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and select Specops Deploy / Endpoint Protection. 4. Click Edit. 5. Configure the policy, and click OK. 8

9 GPO settings The table below provides an overview of available settings that you can use to determine the customization your organization will need. The hierarchal approach allows you to enable the specific settings you wish to modify at each level in Active Directory. Settings passed on from higher policies will be merged and the resulting configuration will be applied to the Endpoint Protection client. General settings Setting Schedule Scan Scan type When Around Daily quick scan time around Check for the latest virus and spyware definitions before running a scheduled scan Start the scheduled scan when my computer is on but not in use Limit CPU usage during scan to Default actions Description This settings sets the time when a scan should be ran on the computer. This policy setting allows you to specify the scan type to use during a scheduled scan. The scan type options are: Quick Scan Full Scan This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This policy setting allows you to specify the time of the day at which to perform a daily quick scan. Note: The schedule is based on local time on the computer where the scan is executing. This policy settings allows you to specify the time of day at which to perform a daily quick scan. This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. scheduled scans to start only when your computer is on but not in use. the maximum percentage CPU utilization permitted during a scan. This policy setting allows you to set a default action to take when System Center Endpoint 9

10 Real-time protection Scan all download Monitor file and program activity on your computer Enable behavior monitoring Enable Network Inspection System Exclude files and locations Exclude file types Exclude processes Advanced Scan archive files Scan removable drives Protection finds a potential or known threat based on alert level. There are four threat levels: Severe High Medium Low This setting will also allow you to set whether SCEP will Remove, Quarantine, or Allow a threat for the level. realtime protection. This setting controls all real-time protection components. This policy allows you to configure scanning for all downloaded files and attachments. monitoring for file and program activity. behavior monitoring. network protection against exploits of known vulnerabilities. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. This policy setting allows you to specify a list of the file types that should be excluded from scheduled, custom, and real-time scanning. This policy setting allows you to disable schedule and real-time scanning for any file opened by any of the specified processes. N/A scans for malicious software and unwanted software in archive files such as.zip or.cab This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable 10

11 MAPS Create a system restore point Allow all users to view the full History results Remove quarantined files after drives, such as USB flash drives, when running a full scan. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. This policy setting allows all the users of the computer to see the history results for that computer (Not recommended to set this). This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. This setting allows you to control what information is sent to Microsoft about the current potentially unwanted software, malware, and viruses. The recommended setting is Basic membership and is the default setting for Managed client users. 11

12 Advanced settings Setting General Settings Allow antimalware service to startup with normal priority Turn on spyware definitions Turn on virus definitions Configure local administrator merge behavior for lists Define addresses to bypass proxy server Define proxy server for connecting to the network Randomize scheduled task times Allow antimalware service to remain running always Description This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. This policy setting allows you to manage whether spyware definitions are used during a scan. This policy setting allows you to manage whether virus definitions are used during a scan. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and exclusions. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. the named proxy that should be used when the client attempts to connect to the network for definition updates and SpyNet reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order): 1. Internet Explorer proxy settings 2. Autodetect 3. None This policy setting allows you to enable or disable randomization of the scheduled scan time and the scheduled definition update start time. whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remains disabled. 12

13 Client Interface Display notifications to clients when they need to perform actions Display additional text to clients when they need to perform an actions Network Inspection System Turn on protocol recognition Turn on definition retirement Define the rate of detections events for logging Specify additional definition sets for network traffic inspection IP address range exclusions Port number exclusions Process exclusions for outbound traffic Threat ID exclusions Quarantine whether or not to display notifications to client when they need to perform the following actions: Run a full scan Download the latest virus and spyware definitions Download Standalone System Sweeper whether or not to display additional text to clients when they need to perform an action. protocol recognition for network protection against exploits of known vulnerabilities. definition retirement for network protection against exploits of known vulnerabilities. This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. This policy setting defines processes from which outbound network traffic will not be inspected. This policy setting defines threats which will be excluded from detection during network traffic inspection. 13

14 Configure local setting override for the removal of items from Quarantine folder Configure removal of items from Quarantine folder Real-time Protection Turn on Information Protection Control Remediation Turn on raw volume write notifications Turn on process scanning whenever real-time protection is enabled Define the maximum size of downloaded files and attachments to be scanned Configure local setting override for turn on behavior monitoring Configure local setting override for scanning all downloaded files and attachments Configure local setting override to turn off Intrusion Prevention System Configure local setting override for monitoring file and program activity on your computer Configure local setting override to turn on real-time protection Configure local setting override for monitoring for incoming and outgoing file activity This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. Information Protection Control. This policy setting controls whether raw volume write notifications are sent to behavior monitoring. process scanning when real-time protection is turned on. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. This policy setting configures a local override for the configuration of behavior monitoring. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. 14

15 Configure local setting override for the time of day to run a scheduled full scan to complete remediation Specify the day of the week to run a scheduled full scan to complete remediation Specify the time of day to run a scheduled full scan to complete remediation Reporting Configure time out for detections requiring additional action Scan Configure time out for detections in critically failed state Configure Watson events Configure time out for detections in non-critical failed state Configure time out for detections in recently remediated state Configure Windows software trace preprocessor components Configure WPP tracing level Allow users to pause scan Specify the maximum depth to scan archive files This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. This policy setting configures the time in minutes before a detection in the additional action state moves to the cleared state. This policy setting configures the time in minutes before a detection in the critically failed state moves to either the additional action state or the cleared state. whether or not Watson events are sent. This policy setting configures the time in minutes before a detection in the non-critically failed state moves to the cleared state. This policy setting configures the time in minutes before a detection in the completed state moves to the cleared state. This policy configures Windows software trace preprocessor (WPP Software Tracing) components. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). This policy setting allows you to manage whether or not end users can pause a scan in progress. the maximum directory depth level into which archive files such as.zip or.cab are unpacked during scanning. The default directory depth level is 0. 15

16 Specify the maximum size of archive files to be scanned Scan archive files Turn on catch-up full scan Turn on catch-up quick scan Turn on scanning Turn on heuristics Scan packed executables Scan removable drives Turn on reparse point scanning Create a system restore point Run full scan on mapped network drives the maximum size of archive files such as.zip or.cab that will be scanned. scans for malicious software and unwanted software in archive files such as.zip or.cab files. catchup scans for scheduled full scan. A catch-up scan is a scan that is initiates because a regularly scheduled scan was missed. catchup scans scheduled quick scans. A catch-up scan is a scan that is initiates because a regularly scheduled scan was missed. scanning. When scanning is enabled, the engine will parse the mailbox and mail files according to their specified format, in order to analyze the mail bodies and attachments. heuristics. Suspicious detections will be suppressed right before reporting to the engine client. scanning for packed executables. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. reparse point scanning. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. scanning mapped network drives. 16

17 Scan network files Configure local setting override for maximum percentage of CPU utilization Configure local setting override for the scan type to use for a scheduled scan Configure local setting override for schedule scan day Configure local setting override for scheduled quick scan time Configure local setting override for scheduled scan time Turn on removal of items from scan history folder Specify the interval to run quick scans per day Signature Updates Define the number of days before spyware definitions are considered out of date Define the number of days before virus definitions are considered out of date Define file shares for downloading definition updates Turn on scan after signature update scanning for network files. It is recommended that you do not enable this setting. This policy setting configures a local override for maximum percentage of CPU utilization. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. This policy setting configures a local override for the configuration of scheduled quick scan time. This policy setting configures a local override for the configuration of scheduled scan time. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. This policy setting allows you to define the number days that must pass before virus definitions are considered out of date. UNC file share sources for downloading definition updates. the automatic scan which starts after a definition update has occurred. 17

18 Allow definition updates when running on battery power Initiate definition update on startup Define the order of sources for downloading definition updates Allow definition updates from Microsoft Update Allow real-time definition updates based on reports to Microsoft SpyNet Specify the day of the week to check for definition updates Specify the time to check for definition updates Allow notifications to disable definition based reports to Microsoft SpyNet Define the number of days after which a catch-up definition update is required Specify the interval to check for definition updates Check for the latest virus and spyware definitions on startup SpyNet Configure local setting override for reporting to Microsoft SpyNet definition updates when the computer is running on battery power. definition updates on startup when there is no antimalware engine present. This policy setting allows you to define the order in which different definition update sources should be contacted. This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft SpyNet. This policy setting allows you to specify the day of the week on which to check for definition updates. This policy setting allows you to specify the time of day ay which to check for definition updates. antimalware service to receive notifications to disable individual definitions in reponse to reports it sends to Microsoft SpyNet. This policy setting allows you to define the number of days after which a catch-up definition update will be required. This policy setting allows you to specify an interval at which to check for definition updates. This policy setting allows you to manage whether a check for new virus and spyware definition will occur immediately after service startup. This policy setting configures a local override for the configuration to join Microsoft SpyNet. 18

19 Threat Id Default Action This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. 19

20 Removing settings Removing a setting will cause the Endpoint Protection client to revert to its default values, or use the settings applied to it from a GPO linked at a higher level. 1. In the GPMC, expand your domain node, and locate the GPO you want to remove settings from. 2. Right click on the new GPO node, and select Edit. 3. In the Group Policy Management Editor expand Computer Configuration, Policies, Software Settings, and select Specops Deploy / Endpoint Protection. 4. You can: Option Step Remove all the settings that apply to the GPO In the settings overview page, click Disable. Remove individual settings 1. Click Edit. 2. Navigate to the setting you want to remove. 3. Uncheck the Enabled button. 20

21 Reporting The Specops Reporting component is entirely web based and can be accessed from your browser. You can access Specops Reporting using your browser. The URL for Specops Reporting depends on where the component was installed. Endpoint Protection reports provide a good overview of the feedback gathered from your Endpoint Protection clients. View predefined Reports 1. Enter the URL for Specops Reporting. 2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection. 3. Select the report you want to view. The following is a list of the predefined reports you can view: Incident reports: Allow you to monitor any reported issues with malware or viruses: o Antimalware/Virus for a computer o Antimalware/Virus information o Antispyware status per computer o Antivirus status per computer Client status reports: Allow you to quickly find information of the client computer. o Client status per computer o Endpoint Protection Client Installation Status o Last full scan information per computer o Last quick scan information per computer o Missing Endpoint Protection Client Threat reports: Allow you to monitor a summary of the current threat status. o Threat outbreak last 24 hours o Threat outbreak last 7 days 21

22 Create a new report You can customize the view of the information gathered by creating a new report definition. 1. Enter the URL for Specops Reporting. 2. In the navigation pane, click create new report. 3. Specify the following fields: Field Report name Report category Report description Columns Groupings Filters Import report definition Export report definition Step Enter a report name Specify a report category Enter a report description Add Columns to the report. You will be able to specify the Column heading, Field, and Display name. To group data in the report, select a column and drag and drop it in the group panel. This will remove the column from the visible columns and display a grouping rectangle for the column in the group panel. Add any filtering of data by clicking on the Filters tab and selecting additional filter data field and values to filter by. You can import report definition from the import web page or from a file. You can export a report definition from the export web page. The export page displays a complete list of all reports in the database grouped by report categories. 4. Click Save. 22

23 Edit an existing report 1. Enter the URL for Specops Reporting. 2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection. 3. Click Edit next to the report you want to modify. 4. Make the necessary changes, and click Save. 23

24 Export Report data You can export report data in a PDF or a CSV format for further processing. 1. Enter the URL for Specops Reporting. 2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection. 3. Select the Report you want to export. 4. If required, select the client computer from the Computer drop box. 5. Specify the page size in the Page size drop box. 6. From the Export to drop box, select the report format. a. If you selected PDF, you will also need to specify the page layout from the drop box. 7. Click the green button. 24

25 Delete a Report 1. Enter the URL for Specops Reporting. 2. In the navigation pane, expand Specops Reporting, and click Specops Endpoint Protection. 3. Click Delete next to the report you want to delete. 4. Click OK. 25

26 template customization You can customize the template that is used to send s when new threats are detected. You can find the template file on the server hosting the Specops Deploy Server service at the following path: %ProgramFiles%\Specopssoft\Deploy\Server\SEP Template.xml To edit the template, open the file in an editor and modify the content of the following tags: <Subject> <Body> 26

27 Specops Deploy / Endpoint Protection registry settings Below you will find a list of the registry settings used by the components of Specops Deploy / Endpoint Protection. Registry key HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\Configuration\ClearLogFile HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\Configuration\Debug HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\Configuration\LogFilePath HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\Configuration\MaxMbFileSize HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\SnapIn\ClearLogFile HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\SnapIn\Debug HKLM\SOFTWARE\Specopssoft\Specops Deploy\Endpoint Protection\Mail HKEY_LOCAL_MACHINE\SOFTWARE\Micr osoft\windows NT\CurrentVersion\Winlogon\GPExtensions\ {A7A1D7A7-613D-4abf-8C6E- A427ADD2A200}\Debug Description Clears the log file when the server is initialized. Default value: 1 Enables or disables debug logging on the Specops Deploy Server Service. Default value: 0 Specifies the path where the debug log file will be stored. Default value: %LocalAppData%\Specopssoft\SEP.Configuration.log. Maximum size of a log file before a new log file is created. Note that only the two latest log files will be kept. Default value: 0x a (10) Indicates that the GPMC snap-in debug log file should be cleared when logging starts. Default value: 1 Enables or disables logging of the activity performed by the Specops Deploy / Endpoint Protection GPMC snap-in. Default value: 1 Holds the value for the mail configuration settings. Enables or disables debug logging of the activity performed by the Specops Deploy Client-Side Extension. Default value: 0x (0) 27

28 Support For helpful tips and solutions for troubleshooting the product, find the Specops Deploy / Endpoint Protection Troubleshooting Guide from If you are unable to resolve a product related issue, contact Specops Support for assistance. Online We recommend submitting your case directly on our website at: Telephone International Monday - Friday: 09:00-17:00 CET North America SPECOPS ( ) Monday - Friday: 09:00-17:00 EST 28