NIC2012 - System Center Endpoint Protection 2012

May 26, 2015


System Center Endpoint Protection 2012 slides from presentation at NIC2012 13-14.Jan 2012 in Oslo
Transcript
Page 1: NIC2012 - System Center Endpoint Protection 2012

Nicolai Henriksen Chief Infrastructure Architect EDB ErgoGroup MVP Configuration Manager

Blog: systemcenterforefront.blogspot.com Twitter: @nicolaitwitt

Page 2: NIC2012 - System Center Endpoint Protection 2012

What's new in Endpoint Protection 2012

• Integrated in System Center Configuration Manager 2012

• Improved real-time alerts and reports

• Role-based management

• User-centric reports (post beta)

• Easy migration from FEP 2010/ConfigMgr 2007

• Support for FEP 2010 client agents

• Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine, such as behavior monitoring, the Network Inspection System and heuristics. With cloud-based updates through the SpyNet service, endpoints get updated protection against new threats in real time.

Benefits of enabling Dynamic Signature Service in FEP

Page 3: NIC2012 - System Center Endpoint Protection 2012

Do we need antivirus?

Page 4: NIC2012 - System Center Endpoint Protection 2012

Important

No exceptions

Page 5: NIC2012 - System Center Endpoint Protection 2012

Are we ready for the market

NIC 2012

Page 6: NIC2012 - System Center Endpoint Protection 2012

History: it’s not a newbie


Page 7: NIC2012 - System Center Endpoint Protection 2012

Forefront Client Security in 2006


Page 8: NIC2012 - System Center Endpoint Protection 2012

Security Essentials beta 2008

January 16, 2012 NIC 2012

Release of beta in November, 2008. They’d had some previous offerings (Windows Defender), but Security Essentials was the first to offer a complete anti-virus and anti-spyware solution that was free (Windows Live OneCare was a short-lived subscription-based precursor to Security Essentials)

Page 9: NIC2012 - System Center Endpoint Protection 2012


Security Essentials was not meant to compete with other “for-pay” anti-virus software, but is instead aimed at the 50-60% of PC users who don’t have (or won’t pay for) anti-virus and anti-malware protection

It’s clear that Microsoft was doing something right; in February 2010, a rogue anti-virus package calling itself Security Essentials 2010

Microsoft has built on the success of Security Essentials in the enterprise with the new Forefront Endpoint Protection 2010 package.

Page 10: NIC2012 - System Center Endpoint Protection 2012

Forefront Endpoint Protection 2010 released Dec 2010


Page 11: NIC2012 - System Center Endpoint Protection 2012


‘Hey, if I can have free anti-virus on my home PC, why are we paying so much for it for our enterprise desktops?’

Page 12: NIC2012 - System Center Endpoint Protection 2012

System Center Endpoint Protection 2012 – RTM coming soon


Page 13: NIC2012 - System Center Endpoint Protection 2012

If I were to make an antivirus software...

I would have wanted it to be...

• Very good at detecting and removing malware!

• As fast as possible

• Use as little resources as possible

• Easy to deploy

• Easy to manage and good reporting

Page 14: NIC2012 - System Center Endpoint Protection 2012

Is it any good?

Page 16: NIC2012 - System Center Endpoint Protection 2012

http://www.virusbtn.com/vb100/archive/compare?tab=onDemand&id=23&id2=2&id3=3&id4=52&id5=&id6=

Page 17: NIC2012 - System Center Endpoint Protection 2012
Page 18: NIC2012 - System Center Endpoint Protection 2012
Page 19: NIC2012 - System Center Endpoint Protection 2012

Facts

System Center Endpoint Protection 2012 is the next-generation security and antimalware solution integrated into System Center Configuration Manager 2012. It delivers security and antimalware management for desktops, portable computers, and servers at a lower total cost of ownership, enabling the desktop administrators in your organization to add security management to their day-to-day operations.

Page 20: NIC2012 - System Center Endpoint Protection 2012

Endpoint Protection 2012: one infrastructure for desktop management and protection

• Built on top of Microsoft® System Center Configuration Manager

• Supports all System Center Configuration Manager topologies and scale

• Facilitates easy migration

• Deploys across Windows® client and server operating systems

• Protection against all types of malware

• Proactive security against zero-day threats

• Productivity-oriented default configuration

• Integrated management of host firewall

• Backed by Microsoft Malware Protection Center

• Unified management interface for desktop administrators

• Effective alerts

• Simple, operation-oriented policy administration

• Historical reporting for security administrators

Themes: Ease of Deployment, Enhanced Protection, Simplified Desktop Management

Page 21: NIC2012 - System Center Endpoint Protection 2012

Antimalware Realities

• Malware threats used to be relatively simple…

Page 22: NIC2012 - System Center Endpoint Protection 2012

Antimalware Realities

• With advances in the Web come increasingly complex threats

Page 23: NIC2012 - System Center Endpoint Protection 2012

Malware has grown into a thriving global business

1) “Malware author” grows a botnet and makes it available to “buyers”

2) Access is purchased via a “marketplace”

3) Botnet use is granted

4) Botnet attacks are seen at multiple entry points

5) The botnet also serves to “recruit” additional bots

Page 24: NIC2012 - System Center Endpoint Protection 2012

Antimalware Realities

• The volume of malware is exploding

Chart: malicious files by year (2006, 2008, 2010), y-axis from 0 to 40,000,000

Page 25: NIC2012 - System Center Endpoint Protection 2012

Antimalware Engineering Releases

• Platform: once a year

• Engine: monthly

• Signatures: 3x a day

• Dynamic Signatures (DSS): real time

Page 26: NIC2012 - System Center Endpoint Protection 2012

Some features

• Zip file detection/remediation

• Diagnostic scan

• Process/registry/network RTP watchers

• Directional scanning

• Persisted file cache

• Wildcard support for exclusions

• Scheduled scan randomization

• CPU throttling

• Command line scanner

• Signature update package chaining

• UNC signature distribution

• Signature source ordering fallback

• Dynamic translation

• Kernel inspection

• Dynamic signature service

• WLSP integration

• Network vulnerability shielding (NIS)

• Kernel Support Library (KSL) driver

• Reboot tracking (remediation)

• Directed scanning improvements

• Offline scan integration

• Service hardening/anti-tampering

• State management

• Kernel-mode boot-time removal

• Live system behavior monitoring

Page 27: NIC2012 - System Center Endpoint Protection 2012

Dynamic Signature Service (DSS)

• Delivers protection for new threats that are not in the signature set on the endpoint.

– Low fidelity: a new class of generics looks for suspicious characteristics as behavior is emulated with Dynamic Translation

– Queries the SpyNet telemetry service about ‘interesting’ files

• Back-end classifiers use machine learning to identify new malware

• If the file is known bad, a new signature is delivered in real time to the client requesting it

• Balances signature distribution time/cost with the need for real-time updates

• Admins must opt in to at least ‘Basic’ SpyNet to use this feature; opting in means the endpoint sends telemetry about suspicious files to Microsoft (the TELEMETRY → SpyNet path in the architecture diagram on page 36)

Diagram: protection layers: Firewall & Configuration Management; Malware Response (MMPC); Generics and Heuristics; Antimalware; Behavior Monitoring; Dynamic Signature Service; Anti-Rootkit; Vulnerability Shielding

Page 28: NIC2012 - System Center Endpoint Protection 2012

Anti-Rootkit

• Advanced rootkit scanning and remediation defends against sophisticated threats.

• New remediation features:

– Reboot tracking: provides awareness that the system is in the process of rebooting, which lets the engine take aggressive remediation actions that would be too risky otherwise (e.g. swapping out registry hives)

– Directed scanning improvements

– Offline scan integration

– Diagnostic scan


Microsoft Anti-Rootkit Test Results (detection rate; source: AV-Test.org)

Year | Detect inactive | Detect active | Remove active
2007 | 83% | 57% | 33%
2009 | 100% | 72% | 60%
2010 | 100% | 100% | 86%

Page 29: NIC2012 - System Center Endpoint Protection 2012

Logs (log name, computer with the log file, description)

• EndpointProtectionAgent.log (client): Records details about the installation of the Endpoint Protection client and the application of antimalware policy to that client.

• EPCtrlMgr.log (site system server): Records details about the synchronization of malware threat information from the Endpoint Protection role server into the Configuration Manager database.

• EPMgr.log (site system server): Monitors the status of the Endpoint Protection site system role.

• EPSetup.log (site system server): Provides information about the installation of the Endpoint Protection site system role.
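The logs above are written in the CMTrace format that all ConfigMgr components use, so they can be read offline with a small parser. The following is an added example, not code from the presentation or from Microsoft: it parses a copied EndpointProtectionAgent.log, extracts timestamp, component and severity from each entry, and pulls out the warnings and errors you would look at after a failed policy push. The sample log text, the messages and the source file names inside it are constructed for the example and do not come from a real client.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# CMTrace severity codes carried in the type="" attribute.
SEVERITY = {"1": "Info", "2": "Warning", "3": "Error"}

# One CMTrace entry:
#   <![LOG[message]LOG]!><time="HH:MM:SS.mmm+bias" date="MM-DD-YYYY"
#     component="..." context="" type="N" thread="N" file="source.cpp:line">
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"'
    r'\s+component="(?P<component>[^"]*)"\s+context="[^"]*"'
    r'\s+type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"'
    r'\s+file="(?P<file>[^"]*)"\s*>',
    re.DOTALL,  # messages may span lines
)

# Constructed sample (not a real log): three EndpointProtectionAgent.log entries,
# the last one an error. Messages and file:line references are made up.
SAMPLE_LOG = (
    '<![LOG[Endpoint Protection client installation completed.]LOG]!>'
    '<time="10:15:02.123+000" date="01-16-2012" component="EndpointProtectionAgent" '
    'context="" type="1" thread="2604" file="epagentutil.cpp:125">\n'
    '<![LOG[Applying antimalware policy to the client.]LOG]!>'
    '<time="10:15:03.456+000" date="01-16-2012" component="EndpointProtectionAgent" '
    'context="" type="1" thread="2604" file="epagentutil.cpp:302">\n'
    '<![LOG[Failed to apply antimalware policy.]LOG]!>'
    '<time="10:15:04.789+000" date="01-16-2012" component="EndpointProtectionAgent" '
    'context="" type="3" thread="2604" file="epagentutil.cpp:310">\n'
)


@dataclass
class LogEntry:
    timestamp: datetime
    component: str
    severity: str
    thread: int
    source: str
    message: str


def _parse_timestamp(time_field: str, date_field: str) -> datetime:
    """Combine the CMTrace time ("10:15:02.123+000") and date ("01-16-2012") fields.

    The trailing +/-NNN is the UTC bias in minutes; it is dropped here, so the
    result is the local clock time at which the client wrote the line.
    """
    clock = re.split(r"[+-]", time_field, maxsplit=1)[0]
    return datetime.strptime(f"{date_field} {clock}", "%m-%d-%Y %H:%M:%S.%f")


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Parse every CMTrace entry in text, in file order."""
    return [
        LogEntry(
            timestamp=_parse_timestamp(m["time"], m["date"]),
            component=m["component"],
            severity=SEVERITY.get(m["type"], "Unknown"),
            thread=int(m["thread"]),
            source=m["file"],
            message=m["msg"].strip(),
        )
        for m in ENTRY_RE.finditer(text)
    ]


def problems(entries: List[LogEntry]) -> List[LogEntry]:
    """Warnings and errors only: what to read first after a failed policy push."""
    return [e for e in entries if e.severity in ("Warning", "Error")]


def severity_counts(entries: List[LogEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.severity] = counts.get(e.severity, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python cmtrace_parse.py < EndpointProtectionAgent.log (copied from the client);
    # with no input on stdin the constructed sample is used.
    import sys
    data = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for e in problems(parse_cmtrace(data)):
        print(f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.severity:<7} {e.component}: "
              f"{e.message} ({e.source})")
```

The same parser reads EPCtrlMgr.log, EPMgr.log and EPSetup.log on the site system server, since they share the format; only the component names differ.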

Page 30: NIC2012 - System Center Endpoint Protection 2012

Simplified Deployment & Migration

Diagram: Central Administration Site with Primary Sites beneath it

Page 31: NIC2012 - System Center Endpoint Protection 2012

FEP Policy: CfgMgr or Group Policy?

You should consider managing policy with CfgMgr if…

• You want unified management (recommended)

• You have CfgMgr deployed on all the computers you will manage

• You have non domain-joined machines

• You do not want to have to understand and manage many low-level settings

• You don’t need more than one policy per computer, even on servers

You should consider managing policy with Group Policy if…

• Some of the computers you want to manage don’t have CfgMgr

• You prefer to manage policy with Group Policy

• You want extremely granular control over settings

• You prefer to “layer” policies, that is, to apply more than one policy per computer

Page 32: NIC2012 - System Center Endpoint Protection 2012

Policy Templates - Client (Standard / High Security / Perf. Optimized)

• Enable NIS

• Scheduled scans: Standard = Weekly Quick; High Security = Daily Quick + Weekly Full; Perf. Optimized = Weekly Quick

• Scan only when idle

• Force if 2 scans missed (on reboot)

• Throttle CPU: Standard = 50%; High Security = -; Perf. Optimized = 30%

• Force definition update after: Standard = 1 day; High Security = 1 day; Perf. Optimized = -

• Firewall: Standard = Block incoming in all profiles; High Security = Block incoming in all profiles; Perf. Optimized = Not Configured

Page 33: NIC2012 - System Center Endpoint Protection 2012

Available Server Workload Policies (server role or server application)

1 SQL 2005 Ent/Std (with clustering)

2 SQL 2008 Ent/Std (with clustering)

3 SCOM 2007 R2 (with clustering) in FEP-S Configuration

4 SCCM 2007 (with clustering) in FEP Configuration

5 Exchange2007 (HubTransport, ClientAccess, Mailbox)

6 Exchange2010 (HubTransport, ClientAccess, Mailbox)

7 SharePoint

8 File Services

9 Internet Information Services 6

10 Internet Information Services 7

11 DNS Server

12 Active Directory Domain Services (including SYSVOL/FRS/DFS/DFS-R)

13 DHCP Server

14 Terminal Services

15 Hyper-V

16 Forefront Protection for Exchange

Page 34: NIC2012 - System Center Endpoint Protection 2012

Default Policies

• FEP provides 2 default policies:

– Default Desktop Policy

• Weekly quick scan, RTP on, default exclusions, firewall enabled

• Assigned to the Deployment Succeeded\Deployed Desktops collection

– Default Server Policy

• No scheduled scan, RTP on, default exclusions, firewall not enabled

• Assigned to the Deployment Succeeded\Deployed Servers collection

– Can be modified but not deleted

Page 35: NIC2012 - System Center Endpoint Protection 2012

Policy Precedence

• Computers can belong to multiple collections, so they may be candidates for multiple policies

• Only one policy can be applied via ConfigMgr at a time: ConfigMgr-delivered policy does not support “layering”

• Precedence is used to determine the effective policy
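The difference between the two delivery paths on pages 31 and 35 is easy to get wrong in practice: with Group Policy, several policies layer and a computer ends up with the union of their settings; with ConfigMgr, one policy wins by precedence and every setting the losing policies carried is simply not applied. The following is an added example, not code from the presentation or from Microsoft, that models both behaviours for a SQL server sitting in three collections, using values from the template and default-policy slides. The policy schema, the precedence numbers (lower number = higher priority is an assumption), the collection names and the SQL exclusion patterns are all hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Policy:
    """Hypothetical flat policy model; not ConfigMgr's real schema."""
    name: str
    precedence: int           # assumption: lower number = higher priority
    settings: Dict[str, object]


# Constructed policies. Values come from the slides where available; the
# SQL exclusion patterns are illustrative, not the real template contents.
DEFAULT_SERVER = Policy("Default Server Policy", 10000, {
    "scheduled_scan": "None", "rtp": True, "exclusions": "default",
    "firewall": "Not enabled",
})
HIGH_SECURITY = Policy("High Security client template", 20, {
    "scheduled_scan": "Daily Quick + Weekly Full", "rtp": True,
    "force_definition_update_days": 1,
    "firewall": "Block incoming in all profiles",
})
SQL_WORKLOAD = Policy("SQL 2008 server workload", 10, {
    "scheduled_scan": "None", "rtp": True, "cpu_throttle_percent": 50,
    "exclusions": ("*.mdf", "*.ldf"),
})

# Hypothetical collection -> policy assignments for the example site.
ASSIGNMENTS = {
    "Deployment Succeeded\\Deployed Servers": DEFAULT_SERVER,
    "High Security Hosts": HIGH_SECURITY,
    "SQL Servers": SQL_WORKLOAD,
}


def candidates_for(memberships: List[str], assignments: Dict[str, Policy]) -> List[Policy]:
    """Every policy assigned to a collection the computer is a member of."""
    return [assignments[c] for c in memberships if c in assignments]


def effective_configmgr(cands: List[Policy]) -> Policy:
    """ConfigMgr delivery: exactly one policy applies, the best precedence wins."""
    if not cands:
        raise ValueError("computer is in no collection with a policy assigned")
    ranked = sorted(cands, key=lambda p: p.precedence)
    if len(ranked) > 1 and ranked[0].precedence == ranked[1].precedence:
        raise ValueError(f"ambiguous precedence {ranked[0].precedence}: "
                         f"{ranked[0].name!r} vs {ranked[1].name!r}")
    return ranked[0]


def effective_layered(cands: List[Policy]) -> Dict[str, object]:
    """Group Policy style layering: lowest priority applied first, each layer
    overriding the previous one setting by setting."""
    merged: Dict[str, object] = {}
    for p in sorted(cands, key=lambda p: p.precedence, reverse=True):
        merged.update(p.settings)
    return merged


def dropped_by_precedence(cands: List[Policy]) -> Dict[str, Tuple[str, object]]:
    """Settings that a losing policy defines but the winning policy does not
    define at all. Under ConfigMgr these are never applied, which is the check
    to run before assuming a server got its firewall setting from a second policy."""
    winner = effective_configmgr(cands)
    lost: Dict[str, Tuple[str, object]] = {}
    for p in sorted(cands, key=lambda p: p.precedence):
        if p is winner:
            continue
        for key, value in p.settings.items():
            if key not in winner.settings and key not in lost:
                lost[key] = (p.name, value)
    return lost


if __name__ == "__main__":
    sql_host = candidates_for(list(ASSIGNMENTS), ASSIGNMENTS)
    print("ConfigMgr effective policy:", effective_configmgr(sql_host).name)
    print("Settings never applied:", dropped_by_precedence(sql_host))
    print("Group Policy style result:", effective_layered(sql_host))
```

For the SQL host the workload policy wins, so the firewall setting and the forced definition update from the High Security template are not applied at all; under layering they would have been. The practical consequence is that a ConfigMgr-managed server needs every required setting inside the single policy that will win for it, and dropped_by_precedence is the kind of check worth running when collections overlap.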

Page 36: NIC2012 - System Center Endpoint Protection 2012

FEP Architecture (diagram)

• ConfigMgr site server & DB, with SQL Reporting Services (or a file share) for configuration/dashboard reports

• ConfigMgr Software Distribution and Desired Configuration Management deliver policy to clients and collect their data and events

• Desktops, laptops and servers running the ConfigMgr client & EP 2012 report DATA and EVENTS to the site server

• Endpoints send TELEMETRY to SpyNet

Page 37: NIC2012 - System Center Endpoint Protection 2012

EP Capacity Planning

Criteria | Recommended resource availability based on CM HW recommendation | EP 2012 300K topology internal test results
SQL server CPU impact by EP (delta) | 20% | <5%
SCCM server CPU impact by EP (delta) | 10% | <2%
Memory footprint | 500MB | <100MB
Expected disk capacity after 1 year | 500GB | <400GB

* Actual capacity planning depends on organization load profile, retention policy and specific hardware deployment: http://blogs.technet.com/b/clientsecurity/archive/2011/01/19/fep-capacity-planning-worksheet.aspx

Page 38: NIC2012 - System Center Endpoint Protection 2012

Supported platforms

• Windows 7 (x86 or x64), or Windows 7 XP Mode

• Windows Vista (x86 or x64) or later versions

• Windows XP Service Pack 2 (x86 or x64) or later versions

• Windows Server 2008 R2 (x64) or later versions

• Windows Server 2008 R2 Server Core (x64)

• Windows Server 2008 (x86 or x64) or later versions

• Windows Server 2003 Service Pack 2 (x86 or x64) or later versions

• Windows Server 2003 R2 (x86 or x64) or later versions

Page 39: NIC2012 - System Center Endpoint Protection 2012

Migration to Endpoint Protection made simple • Automatic removal of existing AV products:

– Symantec Endpoint Protection version 11

– Symantec Endpoint Protection Small Business Edition version 12

– Symantec Corporate Edition version 10

– McAfee VirusScan Enterprise version 8.5 and version 8.7

– TrendMicro OfficeScan version 8.0 and version 10.0

– Forefront Client Security v1

If the previously installed antimalware client has a tamper protection feature enabled, for example, if the software is password protected, you need to disable that tamper protection before you can install FEP. Otherwise, the FEP installation program will not be able to uninstall the existing antimalware client.

Page 40: NIC2012 - System Center Endpoint Protection 2012

Demo

Page 41: NIC2012 - System Center Endpoint Protection 2012

Nicolai Henriksen Chief Infrastructure Architect EDB ErgoGroup MVP Configuration Manager

Blog: systemcenterforefront.blogspot.com Twitter: @nicolaitwitt

Thank you!