Forefront Endpoint | FEP 2010 | FCS News (Real time Updates from different places)
  • Fri, 10 Feb 2012 19:52:15 +0200

    Symptoms:

    When you use the Forefront Endpoint Protection (FEP) 2010 Group Policy Tool to import a policy file that was exported from System Center 2012 Endpoint Protection, the import fails with an error dialog (the original post shows a screenshot of the error).

    Cause:

    The policy file exported from System Center 2012 Endpoint Protection omits the XML namespace that the FEP 2010 Group Policy Tool expects, and the registry value type of two values changed between FEP 2010 and System Center 2012 Endpoint Protection. Either difference makes the import fail.

    Resolution:

    1. Perform the following changes manually
      • Add the attribute xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" to the "SecurityPolicy" root element of the policy file.
      • In the “AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates"” section, change the Type of the “FallbackOrder” value from “REG_DWORD” to “REG_SZ”.
      • In the same “AddKey” section, change the Type of the “DefinitionUpdateFileSharesSources” value from “REG_DWORD” to “REG_SZ”.
    2. Automate the changes by using the script in the Script section

      The script in the Script section makes the same changes to the policy file. It is JScript and runs under Windows Script Host: save it as FepGPFileCorrector.js and run it with a command such as the following:

      cscript.exe FepGPFileCorrector.js <originpolicyfile>.xml

      where originpolicyfile is the exported System Center 2012 Endpoint Protection policy file. Currently, the following forms are supported:

      • Full path of local xml file. For example, c:\test\output.xml
      • Full path of network share file. For example, \\atc-dist-01\test\output.xml
      • A file name only, for a file located in the folder that contains the script.

      The target/output policy file is named Converted-<originpolicyfile>.xml.
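    As an added check that is not part of the original post or its script: the following PowerShell function tests a policy file for the three conditions listed above (a SecurityPolicy root element, the FEP 2010 namespace on it, and REG_SZ types for FallbackOrder and DefinitionUpdateFileSharesSources), so you can confirm a file before importing it or after converting it. The function name and the sample file are assumptions of this example; the element and value names are the ones from the resolution above.

```powershell
# Added example, not part of the original post: checks a policy file for the
# three conditions the post names before (or after) running the conversion.
# Function name and the sample file are mine; element names are the page's.
$ExpectedNamespace = 'http://forefront.microsoft.com/FEP/2010/01/PolicyData'
$StringTypedValues = @('FallbackOrder', 'DefinitionUpdateFileSharesSources')

function Test-FepPolicyFile {
    param([Parameter(Mandatory=$true)][string]$Path)

    $doc = New-Object System.Xml.XmlDocument
    # XmlDocument resolves relative paths against .NET's working directory,
    # not PowerShell's current location, so resolve the path first.
    $doc.Load((Resolve-Path $Path).ProviderPath)
    $root = $doc.DocumentElement
    $problems = @()

    if ($root.LocalName -ne 'SecurityPolicy') {
        $problems += "root element is '$($root.LocalName)', expected 'SecurityPolicy'"
    }
    if ($root.NamespaceURI -ne $ExpectedNamespace) {
        $problems += "root element lacks the FEP 2010 namespace (found '$($root.NamespaceURI)')"
    }
    # local-name() matches AddValue whether or not the file carries the namespace
    foreach ($v in $doc.SelectNodes("//*[local-name()='AddValue']")) {
        $name = $v.GetAttribute('Name')
        $type = $v.GetAttribute('Type')
        if (($StringTypedValues -contains $name) -and ($type -ne 'REG_SZ')) {
            $problems += "value '$name' has Type '$type', expected 'REG_SZ'"
        }
    }

    New-Object PSObject -Property @{
        Path       = $Path
        Importable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample in the shape of an SCEP 2012 export (no namespace,
# REG_DWORD types); the value data is illustrative.
$samplePath = Join-Path $env:TEMP 'scep2012-sample.xml'
@'
<?xml version="1.0" encoding="utf-8"?>
<SecurityPolicy>
  <PolicySection>
    <LocalGroupPolicySettings>
      <AddKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Signature Updates">
        <AddValue Name="FallbackOrder" Type="REG_DWORD">MicrosoftUpdateServer|MMPC</AddValue>
        <AddValue Name="DefinitionUpdateFileSharesSources" Type="REG_DWORD"></AddValue>
      </AddKey>
    </LocalGroupPolicySettings>
  </PolicySection>
</SecurityPolicy>
'@ | Set-Content -Path $samplePath -Encoding UTF8

# Reports the missing namespace and both Type problems for the sample above
Test-FepPolicyFile -Path $samplePath | Format-List
```

    Run it against the exported file to see the problems listed, then again against Converted-<originpolicyfile>.xml after running FepGPFileCorrector.js; Importable should then be True and Problems empty.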

    References:

    The Forefront Endpoint Protection Group Policy Tool is used to convert policy settings contained in configured FEP policies to the format that is used by Group Policy. This tool can be obtained from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools download package.

    System Center 2012 Endpoint Protection ships several default policy template files in the AdminConsole\XmlStorage\EPTemplates subfolder of the site server installation directory. These policy template files can be imported with the FEP 2010 Group Policy Tool by default.

    Script:

    //******************************************************************************
    //
    // FepGPFileCorrector.js
    //
    // Converts a policy file exported from System Center 2012 Endpoint Protection
    // into the format expected by the FEP 2010 Group Policy Tool: every element is
    // recreated in the FEP 2010 XML namespace, and the registry value type of
    // FallbackOrder and DefinitionUpdateFileSharesSources is changed from
    // REG_DWORD to REG_SZ. The result is written next to the source file as
    // Converted-<originpolicyfile>.
    //
    // Usage: cscript.exe FepGPFileCorrector.js <originpolicyfile>.xml
    //
    //******************************************************************************

    //******************************************************************************
    //
    // Constants
    //
    //******************************************************************************
    var c_sSecurityPolicy = "SecurityPolicy";
    var c_sPolicySection = "PolicySection";
    var c_sLocalGroupPolicySettings = "LocalGroupPolicySettings";
    var c_sXmlns = "xmlns";
    var c_sNameSpace = "http://forefront.microsoft.com/FEP/2010/01/PolicyData";
    var c_sAddKey = "AddKey";
    var c_sAddValue = "AddValue";
    var c_sName = "Name";
    var c_sType = "Type";
    var c_sDisabled = "Disabled";
    var c_sFallbackOrder = "FallbackOrder";
    var c_sDefinitionUpdateFileShareSources = "DefinitionUpdateFileSharesSources";
    var c_sDWord = "REG_DWORD";
    var c_sSZ = "REG_SZ";
    var c_sHelp = "cscript.exe FepGPFileCorrector.js <originpolicyfile>\r\n"
                + "\r\n"
                + "originpolicyfile    Original exported SCEP 2012 policy file.\r\n";

    //******************************************************************************
    //
    // Globals
    //
    //******************************************************************************
    var g_fso = null;               // Scripting.FileSystemObject
    var g_xmlSource = null;         // Source XML document
    var g_xmlTarget = null;         // Target XML document
    var g_sScriptDir = null;        // Directory containing this script
    var g_sOriginPolicyFile = null; // Full path of the exported SCEP 2012 policy file
    var g_sOriginFileName = null;   // File name part of g_sOriginPolicyFile
    var g_sOriginPolicyPath = null; // Directory part of g_sOriginPolicyFile

    //******************************************************************************
    //
    // GetAttribute: returns the text of attribute sAttrib on oNode, or null when
    // the attribute is not present.
    //
    //******************************************************************************
    function GetAttribute(oNode, sAttrib)
    {
        var attrib = oNode.attributes.getNamedItem(sAttrib);
        return (attrib != null) ? attrib.text : null;
    }

    //******************************************************************************
    //
    // CopyAttributes: copies every attribute of oSrcNode to oTargetNode except an
    // xmlns declaration (the target namespace is set through createNode).
    //
    //******************************************************************************
    function CopyAttributes(oSrcNode, oTargetNode)
    {
        var oAttributes = oSrcNode.attributes;
        for (var index = 0; index < oAttributes.length; index++)
        {
            var oAttrib = oAttributes.item(index);
            if (oAttrib.name != c_sXmlns)
            {
                oTargetNode.setAttribute(oAttrib.name, oAttrib.nodeValue);
            }
        }
    }

    //******************************************************************************
    //
    // ConvertValueType: FallbackOrder and DefinitionUpdateFileSharesSources are
    // REG_SZ in FEP 2010 but exported as REG_DWORD by SCEP 2012; every other
    // type is passed through unchanged.
    //
    //******************************************************************************
    function ConvertValueType(sName, sType)
    {
        if ((sName == c_sFallbackOrder || sName == c_sDefinitionUpdateFileShareSources)
            && sType == c_sDWord)
        {
            return c_sSZ;
        }
        return sType;
    }

    // Validate script host version
    if (Number(WScript.Version) < 5.6)
    {
        WScript.Echo("This script requires Windows Script Host v5.6 or later. "
                   + "Go to http://www.microsoft.com/scripting for download");
        WScript.Quit(1);
    }

    if (WScript.FullName.toLowerCase().indexOf("cscript.exe") < 0)
    {
        WScript.Echo("This script can only be executed with Cscript.");
        WScript.Quit(1);
    }

    if ((WScript.Arguments.length < 1) || (WScript.Arguments(0) == "/?"))
    {
        WScript.Echo(c_sHelp);
        WScript.Quit(1);
    }

    // Initialize
    g_fso = new ActiveXObject("Scripting.FileSystemObject");
    g_sScriptDir = g_fso.GetParentFolderName(WScript.ScriptFullName);
    g_sOriginPolicyFile = String(WScript.Arguments(0));

    // Split the argument into directory and file name. A drive-letter path
    // (c:\test\output.xml) or a UNC path (\\server\share\output.xml) is used as
    // given; anything else is looked up in the script's own directory.
    if (((g_sOriginPolicyFile.indexOf(":") > 0) && (g_sOriginPolicyFile.charAt(0) != "."))
        || ((g_sOriginPolicyFile.charAt(0) == "\\") && (g_sOriginPolicyFile.charAt(1) == "\\")))
    {
        g_sOriginPolicyPath = g_fso.GetParentFolderName(g_sOriginPolicyFile);
        g_sOriginFileName = g_fso.GetFileName(g_sOriginPolicyFile);
    }
    else
    {
        g_sOriginPolicyPath = g_sScriptDir;
        g_sOriginFileName = g_sOriginPolicyFile;
        g_sOriginPolicyFile = g_fso.BuildPath(g_sOriginPolicyPath, g_sOriginFileName);
    }

    if (!g_fso.FileExists(g_sOriginPolicyFile))
    {
        WScript.Echo("XML file " + g_sOriginPolicyFile + " does not exist!");
        WScript.Quit(1);
    }

    // Load the original SCEP 2012 exported policy file synchronously
    g_xmlSource = new ActiveXObject("MSXML2.DOMDocument.6.0");
    g_xmlSource.async = false;
    if (!g_xmlSource.load(g_sOriginPolicyFile))
    {
        var pe = g_xmlSource.parseError;
        WScript.Echo("XML load failed:\n"
                   + " Location: " + pe.line + ", " + pe.linepos + "\n"
                   + " Source: " + pe.srcText + "\n"
                   + " Reason: " + pe.reason + "\n");
        WScript.Quit(1);
    }

    // Locate the "SecurityPolicy" root element. A file whose root already carries
    // an xmlns declaration is assumed to be in FEP 2010 format and is left alone.
    var oSrcSecurityPolicyNode = g_xmlSource.documentElement;
    if ((oSrcSecurityPolicyNode == null) || (oSrcSecurityPolicyNode.nodeName != c_sSecurityPolicy))
    {
        WScript.Echo("XML file " + g_sOriginPolicyFile + " has no SecurityPolicy root element, exit directly.");
        WScript.Quit(1);
    }
    if (oSrcSecurityPolicyNode.attributes.getNamedItem(c_sXmlns) != null)
    {
        WScript.Echo("XML file " + g_sOriginPolicyFile + " already declares a namespace and might not need to be processed, exit directly.");
        WScript.Quit(1);
    }

    // Remove a stale output file, clearing the read-only attribute (bit 1) first
    g_xmlTarget = new ActiveXObject("MSXML2.DOMDocument.6.0");
    var sTargetXmlFile = g_fso.BuildPath(g_sOriginPolicyPath, "Converted-" + g_sOriginFileName);
    if (g_fso.FileExists(sTargetXmlFile))
    {
        var oFile = g_fso.GetFile(sTargetXmlFile);
        oFile.Attributes = oFile.Attributes & (~1);
        g_fso.DeleteFile(sTargetXmlFile);
    }
    WScript.Echo("The target converted policy file: " + sTargetXmlFile);

    // Rebuild the document element by element in the FEP 2010 namespace
    // (createNode type 1 == NODE_ELEMENT).
    var oTargetSecurityPolicyNode = g_xmlTarget.createNode(1, c_sSecurityPolicy, c_sNameSpace);
    CopyAttributes(oSrcSecurityPolicyNode, oTargetSecurityPolicyNode);

    var oSrcPolicySectionNode = oSrcSecurityPolicyNode.selectSingleNode(c_sPolicySection);
    if (oSrcPolicySectionNode != null)
    {
        var oTargetPolicySectionNode = g_xmlTarget.createNode(1, c_sPolicySection, c_sNameSpace);
        CopyAttributes(oSrcPolicySectionNode, oTargetPolicySectionNode);

        var oSrcLocalGroupPolicySettingsNode = oSrcPolicySectionNode.selectSingleNode(c_sLocalGroupPolicySettings);
        if (oSrcLocalGroupPolicySettingsNode != null)
        {
            var oTargetLocalGroupPolicySettingsNode = g_xmlTarget.createNode(1, c_sLocalGroupPolicySettings, c_sNameSpace);
            var oSrcAddKeyNodes = oSrcLocalGroupPolicySettingsNode.selectNodes(c_sAddKey);
            for (var iKeyIndex = 0; iKeyIndex < oSrcAddKeyNodes.length; iKeyIndex++)
            {
                // One "AddKey" element per registry key
                var oSrcAddKeyNode = oSrcAddKeyNodes.item(iKeyIndex);
                var oTargetAddKeyNode = g_xmlTarget.createNode(1, c_sAddKey, c_sNameSpace);
                CopyAttributes(oSrcAddKeyNode, oTargetAddKeyNode);

                var oSrcAddValueNodes = oSrcAddKeyNode.selectNodes(c_sAddValue);
                for (var iValueIndex = 0; iValueIndex < oSrcAddValueNodes.length; iValueIndex++)
                {
                    // One "AddValue" element per registry value: Name, the
                    // (possibly corrected) Type, Disabled only when present,
                    // and the registry data as element text.
                    var oSrcAddValueNode = oSrcAddValueNodes.item(iValueIndex);
                    var oTargetAddValueNode = g_xmlTarget.createNode(1, c_sAddValue, c_sNameSpace);

                    var sNameAttribute = GetAttribute(oSrcAddValueNode, c_sName);
                    var sTypeAttribute = GetAttribute(oSrcAddValueNode, c_sType);
                    oTargetAddValueNode.setAttribute(c_sName, sNameAttribute);
                    oTargetAddValueNode.setAttribute(c_sType, ConvertValueType(sNameAttribute, sTypeAttribute));

                    var sDisabledAttribute = GetAttribute(oSrcAddValueNode, c_sDisabled);
                    if (sDisabledAttribute != null)
                    {
                        oTargetAddValueNode.setAttribute(c_sDisabled, sDisabledAttribute);
                    }

                    var oTargetNodeValue = g_xmlTarget.createTextNode(oSrcAddValueNode.text);
                    oTargetAddValueNode.appendChild(oTargetNodeValue);
                    oTargetAddKeyNode.appendChild(oTargetAddValueNode);
                }

                oTargetLocalGroupPolicySettingsNode.appendChild(oTargetAddKeyNode);
            }

            oTargetPolicySectionNode.appendChild(oTargetLocalGroupPolicySettingsNode);
        }

        oTargetSecurityPolicyNode.appendChild(oTargetPolicySectionNode);
    }

    g_xmlTarget.appendChild(oTargetSecurityPolicyNode);
    g_xmlTarget.save(sTargetXmlFile);
    

    --Weitao Wang

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Tue, 10 Jan 2012 17:50:17 +0200

    On the FEP Support team, we occasionally receive cases from customers who need to allow a “known threat” to run in their environment for various reasons. Most of them have tried (unsuccessfully) to make this work by using File, Folder, or Process exclusions. While it may be possible to achieve this goal using those methods, it is an unsupported use of exclusions and really “the wrong tool for the job.” The recommended and supported method for allowing known threats to run is the Threat Override policy.

    Before we get too far into this, you may be thinking, “Why would I ever allow malware to run on my computers?” There are several typical reasons:

    1. Your business requires a certain application, typically in the Remote Control Software, Monitoring Software, or Potentially Unwanted Software categories, that you have licensed and use for legitimate purposes. So even though Forefront Endpoint Protection classifies it as ‘malware’, in your environment it is legitimate, licensed software. Note: many of the threats in these categories are also used by attackers for nefarious purposes.

    2. You are in the IT Security department and are examining the behavior of malware in a controlled environment (lab).

    3. You are part of a company’s IT Security department and use some tools that are classified as malware as penetration testing tools.

    OK, back to the customer issues we see occasionally; here is one recent example:

    “Problem Description: FEP is currently flagging some 'malware' on a couple of our servers. It's not necessarily a false positive as it can be used for nefarious purposes. However, I would like to exclude it from the scans on a few of our servers. The problem I'm encountering is that I haven't been able to figure out how to exclude it using wildcards. I've searched for documentation, but examples and explanations are currently lacking. Here are some of the sites I've looked at:

    http://technet.microsoft.com/en-us/library/gg398037.aspx

    http://technet.microsoft.com/en-us/library/ff823837.aspx

    http://blogs.technet.com/b/clientsecurity/archive/2010/03/08/wildcards-in-path-exclusions.aspx

    If I put in the full path to the ISO file, it's no longer scanned. However the path to the ISO file can (and does) vary from server to server, including different drive letters. I would rather not have to enter 5-10 (or more) hard coded exclusion paths for the same exclusion, I would rather be able to use wildcards to exclude this ISO file regardless of its location on a given server.”

    Here was my response to the customer:

    Hi <customer>, what you’re trying to do (allow a known threat to run) is accomplished by using the ‘Threat Override’ feature of Forefront Endpoint Protection. The file/folder/process exclusions are provided primarily for performance and compatibility reasons, not for allowing known threats to run. So, for example, if you had a folder with a huge number of data files (e.g., millions) created by an application, and FEP was taking a long time to scan that folder, or a folder structure with many complex/nested zip files, you might need to exclude those files/folders. Or, for process exclusions, if you had an application that performed poorly with FEP enabled, then you would exclude that process from being scanned by FEP.

    The ‘Threat Override’ policy is the supported method for allowing known threats (executables which could potentially do ‘bad things’) to run.

    It’s very easy to create and deploy a threat override.

    Our documentation on creating policy and defining threat overrides is located here:

    Either you edit an existing policy or you create a new policy. A procedure to create a new policy can be found here: http://technet.microsoft.com/en-us/library/ff823835.aspx

    When you have your policy, you need to modify it to define a threat override. For guidance on how to edit a policy, see http://technet.microsoft.com/en-us/library/gg398037.aspx


    Here is an example:

    To enable a Threat Override, create a new policy and select a policy template (the original post shows screenshots of the New Policy dialog and the template selection). Then finish creating the policy, go to the Properties for the new policy, click the ‘Antimalware’ tab, and click ‘Overrides’ on the left-hand side. Type in ‘MonitoringTool:Win32/MSNSniffer’, ensure the ‘Override action’ is set to the default (Allow), and click ‘Add’.

    Note: If you aren’t sure of the exact threat name, go to the System event log on the client where the threat was detected; there should be an event with ‘Source: FCSAM’ and an Event ID of 3004. The Description field includes the link to the Microsoft Security Portal entry for that particular threat, including the Threat Name that you enter in the Overrides list.

    Then click ‘OK’, and assign that policy to computers where you want to allow this to run.

    Please let me know if you have questions about this.


    Here was the customer’s response, once he enabled the Threat Override:

    “Faron,

    Thank you for the additional information, it was very helpful. Once I added
    the Threat Override, it no longer flagged during the scans.

    Thanks for your help on this.”


    For reference, here are links to more information on creating & editing FCS/FEP policy:

    Creating a policy: http://technet.microsoft.com/en-us/library/ff823835.aspx

    Editing a policy: http://technet.microsoft.com/en-us/library/gg398037.aspx


    Hopefully this article is helpful in explaining the correct purpose and usage of Threat Overrides in Forefront Endpoint Protection.


    Faron Faulk

    Microsoft Platforms Security Technical Lead
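    As an added example that is not part of the post above: the note about FCSAM Event ID 3004 describes reading the threat name out of the event description by hand. The PowerShell below pulls the 3004 events from a client's System log and extracts every name that follows the Type:Platform/Family naming convention shown in the post (MonitoringTool:Win32/MSNSniffer), giving a list ready to paste into the Overrides list. The function names, the regular expression and the sample descriptions are assumptions of this example; the real event text layout is not reproduced on the page, and the extraction does not depend on it.

```powershell
# Added example, not from the original post: lists threat names from FCSAM
# event 3004 descriptions so they can be entered as Threat Overrides.
# The pattern matches Microsoft's Type:Platform/Family naming, as in the
# post's MonitoringTool:Win32/MSNSniffer; function names are mine.
$ThreatNamePattern = '\b[A-Za-z]+:[A-Za-z0-9]+/[A-Za-z0-9_.!\-]+'

function Get-FepThreatNameFromText {
    # Returns the unique threat names found in one or more description strings.
    # Drive letters (C:\...) and URLs (http://...) do not match because the
    # pattern requires letters/digits between the colon and the slash.
    param([string[]]$Message)
    $names = @()
    foreach ($m in $Message) {
        foreach ($match in [regex]::Matches($m, $ThreatNamePattern)) {
            $names += $match.Value
        }
    }
    $names | Sort-Object -Unique
}

function Get-FepDetectedThreats {
    # Reads the FCSAM 3004 detections from the System log of a client and
    # returns the threat names seen there.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'; ProviderName = 'FCSAM'; Id = 3004
    } -ErrorAction SilentlyContinue
    if ($events) {
        Get-FepThreatNameFromText -Message ($events | ForEach-Object { $_.Message })
    }
}

# Constructed sample descriptions (the wording is illustrative, not the real
# event text); used so the extraction can be seen without a detection.
$sampleMessages = @(
    'Malware or other potentially unwanted software was detected. Name: MonitoringTool:Win32/MSNSniffer Path: C:\Tools\sniffer.exe More information: http://www.microsoft.com/security/portal/',
    'Malware or other potentially unwanted software was detected. Name: RemoteAccess:Win32/RealVNC Path: D:\Apps\vnc\winvnc.exe'
)
Get-FepThreatNameFromText -Message $sampleMessages

# On a client that has logged a detection:
# Get-FepDetectedThreats -ComputerName 'client01'
```

    Review each returned name against the Microsoft Security Portal entry linked in the event before adding an override; an override allows every detection with that name, so apply the policy only to the computers that need it.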

  • Thu, 03 Nov 2011 13:32:00 +0200

    [Updated 12/16/2011]

    Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1.  This document provides steps for how to use this tool.

    Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.

    Tool Description

    With Forefront Endpoint Protection 2010 Update Rollup 1, you can now deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, which makes it time-consuming to manually download and deploy each definition update through the Configuration Manager console. The Definition Update Automation Tool automates the steps required to keep a deployment of Forefront Endpoint Protection definition updates up to date: it downloads the latest definition update and updates the specified software update deployment with it. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule keeps a deployment up to date without continuous and repetitive manual work.

    To learn more about managing software updates click here.

    Changes since the Last Release

    This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging. 

    Bug Fixes:

    • Removed the /RefreshDP switch and added a new switch, /DisableRefreshDP (refreshing the distribution points is now the default behaviour)
    • Improved the logic that skips updating the deployment package when no content change was detected
    • Corrected the default update filter string so it does not retrieve superseded updates, and so the tool works when custom updates published by System Center Updates Publisher are present

    Command line Usage


    Usage: SoftwareUpdateAutomation.exe parameters

    Parameters:

    /Help: Get program usage

    /SiteServer: Site server computer name

    /UpdateFilter: Filter for selecting software updates that are used for the destination packages

    /AssignmentName: Name of destination software updates assignment

    /PackageName: Name of destination software update package

    /DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points

    /Verbose: Enable additional logging.

    Example command line

    SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /PackageName FEP

    This example uses the local machine as the site server and the default UpdateFilter. It adds the latest Forefront Endpoint Protection definition update into the assignment “FEPDeployment” and the package “FEP”, and refreshes the distribution points if the deployment package changed.

    How to use this tool

    To run this tool, you must copy the binaries to the Admin UI bin folder:

    • <ConfigMgr Install Dir>\AdminUI\bin

    Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.

    Note: This tool will only download the latest Forefront Endpoint Protection definition update and add it to the existing deployment and package. It will not synchronize the definition update into Configuration Manager. It is still necessary to run software update synchronization to synchronize the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Please refer to How to Configure Software Updates Synchronization(http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization.  As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.

    How to Use Definition Update Automation Tool with Task Scheduler

    1. Start Task Scheduler, and in the Actions pane, click Create Task.
    2. In the Create Task dialog box, give the task a name, and then, under Security options, make sure that the user account specified has the appropriate Configuration Manager permissions to update the definition package and definition assignment specified on the command line. To make sure the program can create its log under %ProgramData%, check Run with highest privileges.
    3. On the Actions tab, click New, and in the New Actiondialog box, specify the following command line to run:
      • <ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe
    4. In the Add arguments text box, enter the following arguments and then click OK:

      /AssignmentName AssignmentName /PackageName PackageName

      Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.

    5. On the Triggers tab, click New.
    6. In the New Trigger dialog box, under Settings, select Daily.
    7. Under Advanced settings, select the check box for Repeat task every, in the list click 8 hour, and then next to for a duration of, click Indefinitely.
    8. In the New Trigger dialog box, click OK, and then in the Create Task dialog box, click OK.
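    As an added example that is not part of the original post: the eight Task Scheduler steps above can be repeated on every site server with a task definition XML registered through schtasks.exe, which is the same trigger (daily, repeating every 8 hours indefinitely), the same "Run with highest privileges" setting, and the same command line. The task name, the run-as account, the ConfigMgr installation path and the file name of the script are assumptions of this example; the tool's parameters are the ones documented above.

```powershell
# Added example, not from the original post: registers the scheduled task
# described in the eight steps above. Save as Register-FepDefinitionUpdateTask.ps1
# and run it on the site server. Account, task name and path are placeholders.
param(
    [string]$ConfigMgrDir   = 'C:\Program Files\Microsoft Configuration Manager',
    [string]$AssignmentName = 'FEPDeployment',
    [string]$PackageName    = 'FEP',
    # Must hold the ConfigMgr rights to update the package and assignment
    [string]$RunAsAccount   = 'CONTOSO\svc-fepupdate',
    [string]$TaskName       = 'FEP Definition Update'
)

$exe   = Join-Path $ConfigMgrDir 'AdminUI\bin\SoftwareUpdateAutomation.exe'
$start = (Get-Date).Date.ToString('s')   # today at 00:00 in sortable (ISO 8601) form

# Daily trigger repeating every 8 hours; omitting <Duration> under <Repetition>
# makes the repetition indefinite. RunLevel HighestAvailable is the
# "Run with highest privileges" checkbox, needed so the tool can write its log
# under %ProgramData%. LogonType Password corresponds to supplying the
# account's password, so the task runs whether or not the user is logged on.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT8H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>$start</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$RunAsAccount</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
    <ExecutionTimeLimit>PT2H</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$exe</Command>
      <Arguments>/AssignmentName "$AssignmentName" /PackageName "$PackageName"</Arguments>
      <WorkingDirectory>$(Split-Path $exe)</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
"@

# Task XML declares UTF-16, so write it with the matching encoding
$xmlPath = Join-Path $env:TEMP 'FepDefinitionUpdateTask.xml'
Set-Content -Path $xmlPath -Value $taskXml -Encoding Unicode

# /RP * prompts for the account's password instead of leaving it in a script;
# /F replaces an existing task of the same name.
schtasks.exe /Create /TN $TaskName /XML $xmlPath /RU $RunAsAccount /RP '*' /F
Remove-Item $xmlPath

# Confirm the trigger and run level were registered as intended
schtasks.exe /Query /TN $TaskName /V /FO LIST
```

    After registering, run the task once by hand (schtasks.exe /Run /TN "FEP Definition Update") and confirm SoftwareUpdateAutomation.log appears under %ProgramData% before relying on the schedule.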

    How to Use Definition Update Automation Tool with Status Filter Rule

    Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.

    1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Status Filter Rules.
    2. Right-click Status Filter Rules, click New, and then click New Status Filter Rule.
    3. On the General page of the New Status Filter Rule Wizard, specify a name for the new status filter rule and configure the following for the message-matching criteria:
      • Set Source: Configuration Manager Server
      • Component: SMS_WSUS_SYNC_MANAGER
      • Message ID: 6702
    4. On the Actions page of the New Status Filter Rule Wizard, specify the following action:
      • Run a program
      • Program: <ConfigMgr Install Dir>\AdminUI\bin\RunSoftwareUpdateAutomation.bat

    Sample RunSoftwareUpdateAutomation.bat:

    "<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe" /AssignmentName "AssignmentName" /PackageName "PackageName"

    Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (“).

    The Status Filter Rule runs the tool under the System account. To enable the tool to download, make sure the System account has the appropriate proxy settings. One option to configure the proxy settings for LocalSystem is the BITSAdmin tool (for more information on the BITSAdmin tool, click here).

    You can use the command bitsadmin /util /setieproxy localsystem <usage> [proxy list] [bypass list] to set the proxy settings for the System account, for example: bitsadmin /util /setieproxy localsystem MANUAL_PROXY myproxy "*.mydomain.com"

    More information about scheduling

    A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:

    1. Software update point synchronization to run every day.

      In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.

      Right-click Software Update Point Component, click Properties.

      Click Sync Schedule Tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.

    2. Configure the Definition Update Automation Tool to run every time software update point synchronization succeeds, as described above in “How to Use Definition Update Automation Tool with Status Filter Rule”.

    Additional considerations

    There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies: See http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.

    • Centralized policy control and centralized Forefront Endpoint Protection administration

    Run this tool on each central site.

    • Centralized policy control and decentralized Forefront Endpoint Protection administration

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    • Decentralized policy control and decentralized Forefront Endpoint Protection administration

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    • Decentralized policy control and Forefront Endpoint Protection administration with centralized Forefront Endpoint Protection reporting

    Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.

    Trouble-shooting

    SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.

    You can use the parameter /Verbose to enable verbose logging.

    When using Task Scheduler to run the tool, the task must be selected to run as highest privilege. Otherwise, no log file will be created.

    Common Errors and Potential Workarounds

    Error in SoftwareUpdateAutomation.log: Error Downloading SourceURL…… Result: 12007

    Possible reason and resolution: verify that the proxy is set correctly.

      • If you run the tool with a domain user account, check the proxy with the command: netsh winhttp show proxy
      • If you run the tool with the System account (for example, when a Status Filter Rule runs the tool), check the proxy with the command: bitsadmin /util /getieproxy localsystem

    Error: Cannot find the log

    Possible reason and resolution:

      • The log is under the %ProgramData% folder.
      • On Windows Server 2003 there is no %ProgramData% environment variable; use %ALLUSERSPROFILE% to reach the folder that contains the log file.
      • If you run the tool from a Task Scheduler task, ensure that the user account used to run the tool has permission to create the log under that folder (and that Run with highest privileges is selected).
      • Make sure the command line parameters are set correctly; otherwise no log will be created.
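    As an added troubleshooting helper that is not part of the original post: the PowerShell below locates SoftwareUpdateAutomation.log the way the post describes (falling back to %ALLUSERSPROFILE% where %ProgramData% does not exist), extracts the "Error Downloading SourceURL … Result: <code>" lines, and for result 12007 runs the proxy check that matches the account the tool runs as. The function names are assumptions of this example, and because the page documents only those two substrings of the log format, the parser relies on nothing else; the sample log lines are constructed.

```powershell
# Added example, not from the original post: reads SoftwareUpdateAutomation.log
# and points at the proxy check the post recommends for result 12007.
# Function names are mine; the sample lines below are constructed.

function Get-FepAutomationLogPath {
    # %ProgramData% is absent on Windows Server 2003; %ALLUSERSPROFILE% resolves
    # to the folder that holds the log on every supported version.
    $base = if ($env:ProgramData) { $env:ProgramData } else { $env:ALLUSERSPROFILE }
    Join-Path $base 'SoftwareUpdateAutomation.log'
}

function Find-FepDownloadErrors {
    # Returns one object per download error line, with the numeric result code.
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match 'Error Downloading SourceURL.*Result:\s*(?<code>\d+)') {
            New-Object PSObject -Property @{
                ResultCode = [int]$Matches['code']
                Line       = $line
            }
        }
    }
}

function Show-FepProxyForAccount {
    # A Status Filter Rule runs the tool as LocalSystem, whose proxy is set with
    # bitsadmin; a scheduled task under a domain account uses the WinHTTP proxy.
    param([switch]$RunsAsSystem)
    if ($RunsAsSystem) {
        bitsadmin.exe /util /getieproxy localsystem
    } else {
        netsh.exe winhttp show proxy
    }
}

function Test-FepAutomationLog {
    param(
        [string]$Path = (Get-FepAutomationLogPath),
        [switch]$RunsAsSystem
    )
    if (-not (Test-Path $Path)) {
        Write-Warning "No log at $Path. Check the command line parameters and, for a Task Scheduler task, 'Run with highest privileges'."
        return
    }
    $errors = @(Find-FepDownloadErrors -LogLines (Get-Content $Path))
    if ($errors.Count -eq 0) {
        Write-Host "No download errors found in $Path"
        return
    }
    $errors | Format-Table ResultCode, Line -AutoSize
    if ($errors | Where-Object { $_.ResultCode -eq 12007 }) {
        Write-Host 'Result 12007: verify the proxy for the account the tool runs as:'
        Show-FepProxyForAccount -RunsAsSystem:$RunsAsSystem
    }
}

# Constructed sample lines so the parser can be exercised without a site server
$sampleLines = @(
    'Info: Checking for the latest definition update',
    'Error:Error Downloading SourceURL http://download.example.invalid/definitionupdate.exe Result: 12007'
)
Find-FepDownloadErrors -LogLines $sampleLines | Format-Table ResultCode, Line -AutoSize

# On a site server where a Status Filter Rule runs the tool:
# Test-FepAutomationLog -RunsAsSystem
# Under a scheduled task running as a domain account:
# Test-FepAutomationLog
```

    Run the check as the same account the tool uses: bitsadmin /util /getieproxy localsystem needs administrative rights, and netsh winhttp show proxy reports the machine-wide WinHTTP setting, which is what a domain account without a per-user proxy falls back to.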


    How to Configure Configuration Manager for Forefront Endpoint Protection Update and Create Deployment Package and Assignment

    1. If needed, install Windows Server Update Services by using Server Manager. For more information, see How to Install Windows Server Update Services 3.0 in the Configuration Manager library on TechNet.
    2. If needed, add the software update point site system role to your Configuration Manager environment. For more information about how to add the software update point site system role, see How to Add the Software Update Point Site Role to a Site System in the Configuration Manager library on TechNet.
    3. Configure software updates to download the appropriate updates, and configure the synchronization schedule. For steps on configuring the software updates site system role, see How to Configure Software Updates Synchronization in the Configuration Manager library on TechNet.  When you configure software updates, ensure the following items are selected:
      • On the Classifications tab, select Definition Updates.
      • On the Products tab, select Microsoft Forefront Endpoint Protection 2010.
    4. Create Deployment Package and Assignment
      • In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Computer Management / Software Updates / Update Repository/Definition Updates/Microsoft/Microsoft Forefront Endpoint Protection 2010
      • In the details pane, click the most recent active Forefront Endpoint Protection 2010 definition update (represented by a green icon), and then click Download Software Updates.
      • Create the definition update deployment package by completing the Download Updates Wizard for the selected update. When completing the wizard, ensure the following:

            On the Deployment Package page, in the Package Source text box, specify a shared folder with permissions appropriate for software distribution in your organization.
            Make note of the name you give this software package; you need this name for the PackageName parameter for the definition update automation tool, which is configured in a later step.
      • When finished with the Download Updates Wizard, click Finish.
      • In the details pane, click the same Forefront Endpoint Protection 2010 definition update from step 2, and then click Deploy Software Updates.
      • Deploy the definition updates by completing the Deploy Software Updates Wizard. When completing the wizard, ensure the following:

            On the General page, specify a name for the software deployment. Make note of this name; you need this name for the AssignmentName parameter for the definition update automation tool, which is configured in a later step.
            On the Deployment Template page, select Create a new deployment definition.
            On the Collection page, click Browse and then select the target collection.
            On the Display/Time Settings page, set the Duration to 2 hours, and if you want users to not be notified that an update is available, select Suppress display notifications on clients.
            On the Create Template page, specify a name for the template.
            On the Schedule page, select As soon as possible. If you selected to suppress display notifications, verify that Set a deadline for software update installation is selected, and verify the deadline time.
            When finished with the Deploy Software Updates Wizard, click Finish.

    --Jason Lewis

    This posting is provided "AS IS" with no warranties and confers no rights.

  • Mon, 22 Aug 2011 12:37:00 +0300

    Users like you make all the difference in the quality of our products.  The Microsoft Assessment and Planning (MAP) Toolkit Team will soon start recruiting Beta participants for our next version’s Beta program.

    We’re currently recruiting users of Forefront Endpoint Protection 2010. We of course welcome anybody who is interested in the MAP product. Click here to find out more about what MAP has to offer. MAP helps customers and partners with a host of scenarios such as software usage tracking, software and hardware inventory, and assessments for migration, virtualization and the cloud.

    We really look forward to having you involved in our Beta program and hearing your thoughts on the features we’ve added.

    As a way of saying thank you there will be prizes.  We don’t have all the details yet but in the past we gave away prizes such as Xbox 360s, Kinect for Xbox, and Zune media Players to a randomly selected subset of participants.

    Sincerely,

    The Map Toolkit Team

    To proactively express your interest in MAP please

    • Go to http://connect.microsoft.com and click “Sign In” (in the upper right of the page)
    • If you are not already registered with Microsoft® Connect, it will guide you through a quick (and free) registration process
    • Make sure you say “yes” to being contacted about participating in new Microsoft Connect programs
    • Once you have completed the registration, sign in to Microsoft® Connect
    • Search for "Microsoft Assessment and Planning Toolkit"
    • Click join and you will be notified of beta programs and opportunities!

    This announcement is sponsored by the Microsoft Solution Accelerators Team.
    You can contact us at mapfdbk@microsoft.com

  • Mon, 18 Jul 2011 14:50:00 +0300

    by Michael Cureton

    We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.

    Definition Update Automation Tool fails to add new definition updates to the deployment package

     

    Symptoms

    The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:

    SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added.
      at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource)
      at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
      at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments)
      at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)

     

    Cause

    More than one FEP 2010 definition update is being detected as active by the tool.

    More Information

    The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:

    1. One or more FEP 2010 definition updates has been expired but not superseded, OR
    2. One or more FEP 2010 definition updates has been orphaned.

    To confirm whether you’re experiencing condition #1 or #2, run the WMI query below:

    SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0

    If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.

    Workarounds

    Condition #1

    If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.

    For example:

    SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter "ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0"

    Condition #2

    If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.

    For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.

    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.103.1405.0)
    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.105.2231.0)
    Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.107.713.0)

    After you have determined the orphaned update(s) title (and version), load the WSUS snap-in and drill down to the Updates node. On the action pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.

    Locate the created view in the WSUS console. Change the Approval value to "Any Except Declined" and the Status to "Any" and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.

    NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.

    Once the sync is complete, run the WMI query you used to determine the condition and confirm that only one row is now returned. You will also need to run the tool going forward with the condition #1 workaround, that is, with the /UpdateFilter flag.
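    An added PowerShell example, not part of the original post or the Definition Update Automation Tool, that ties the two diagnostic steps above together: it runs the tool's WMI query and the IsExpired=0 variant against the SMS provider, classifies the outcome as condition #1 or #2, and ranks the returned titles by the definition version embedded in LocalizedDisplayName so the orphaned updates stand out. The site server name SCCMSVR and site code TEST are taken from the setup log elsewhere on this page and stand in for your own; the function names are the example's assumptions. Run it from a console with rights to the site's WMI namespace.

```powershell
# Added example (not part of the original post or the FEP tool): reproduce the
# Definition Update Automation Tool's query against the ConfigMgr SMS provider,
# classify the result as condition #1 or #2, and rank the returned updates by
# the definition version embedded in LocalizedDisplayName.
param(
    # Assumed values: replace with your site server and three-letter site code.
    [string]$SiteServer = 'SCCMSVR',
    [string]$SiteCode   = 'TEST'
)

$Namespace = "root\sms\site_$SiteCode"
# Query used by the tool, and the same query with the IsExpired filter added.
$ToolQuery     = 'SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1'
$FilteredQuery = $ToolQuery + ' AND IsExpired=0'

function Get-DefinitionVersion {
    param([string]$Title)
    # Titles look like "... KB2461484 (Definition 1.107.713.0)"; the version is the
    # dotted number in parentheses. [version] compares numerically, not lexically,
    # so 1.107.713.0 correctly outranks 1.105.2231.0.
    if ($Title -match '\(Definition\s+(\d+(?:\.\d+){1,3})\)') { return [version]$Matches[1] }
    return $null
}

$active    = @(Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $ToolQuery)
$unexpired = @(Get-WmiObject -ComputerName $SiteServer -Namespace $Namespace -Query $FilteredQuery)

Write-Host ("Updates matching the tool's query: {0}; with IsExpired=0: {1}" -f $active.Count, $unexpired.Count)

if ($active.Count -le 1) {
    Write-Host 'At most one active update: the tool should run cleanly.'
} elseif ($unexpired.Count -eq 1) {
    Write-Host 'Condition #1: expired-but-not-superseded updates. Add /UpdateFilter with IsExpired=0.'
} else {
    Write-Host 'Condition #2: orphaned updates. Decline all but the highest version in WSUS.'
}

# Rank whatever came back so the orphaned (lower-version) titles are obvious.
$ranked = $unexpired |
    ForEach-Object {
        New-Object PSObject -Property @{
            CI_ID   = $_.CI_ID
            Version = Get-DefinitionVersion $_.LocalizedDisplayName
            Title   = $_.LocalizedDisplayName
        }
    } | Sort-Object Version -Descending

$ranked | Select-Object -First 1 | ForEach-Object { Write-Host "Active:   $($_.Title)" }
$ranked | Select-Object -Skip 1  | ForEach-Object { Write-Host "Orphaned: $($_.Title)" }
```

    The "Orphaned" lines are the titles to look up and decline in the WSUS view described above; the ranking mirrors the manual step of reading the definition version out of each LocalizedDisplayName.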

    Definition Update Automation Tool does not refresh distribution points

     

    Symptoms

    The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.

     

    Workarounds

    Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:

    SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP

  • Thu, 14 Jul 2011 17:35:54 +0300

    by Jeramy Skidmore

    You can move the Configuration Manager site database and associated Forefront Endpoint Protection (FEP) databases after setup has completed to a different SQL Server computer system by:

    1. Backing up the FEP data warehouse (FEPDW_<sitecode>)
    2. Backing up the Configuration Manager Site Database (SMS_<sitecode>)
    3. Uninstalling the FEP reporting component
    4. Restoring the site database and FEP data warehouse to their new locations
    5. Relocating the site database via Configuration Manager setup
    6. Reinstalling the FEP Reporting component

    Detailed steps follow.

    Note

    Configuration Manager 2007 does support moving the site database from a remote SQL Server to the local site server computer if the site server computer is running a supported version of Microsoft SQL Server. For a list of supported SQL Server versions, see Configuration Manager Supported Configurations.

    Note

    FEP hosts two databases, the FEP database (FEPDB_sitecode) and the FEP data warehouse (FEPDW_sitecode). The FEP database serves as a proxy database for extracting data from the Configuration Manager site database. It does not need to be backed up or moved, and will be recreated when the FEP Reporting component is reinstalled.

    To move the databases

    Important: You will require access to the FEP 2010 installation media in order to successfully complete these steps.

    1. Back up the site database on the current site database server and restore it on the new site database server computer using the SQL Server Management Studio. For more information, see How to Move the Site Database.
    2. Back up the FEP data warehouse (FEPDW_sitecode) on the current FEP Reporting SQL Server and restore it to the new Reporting SQL Server. (If you have a remote reporting database and are not moving the FEP reporting database, you can skip this step.)

      Note

      Ensure that the database access permissions are the same on the new databases as they are on the original databases.

    3. On the site server, in Add/Remove programs, uninstall Microsoft Forefront Endpoint Protection 2010 Reporting.
    4. Ensure the primary site server computer account has administrative privileges over the new site database server computer.
    5. Close any open Configuration Manager console connections to the site server.
    6. On the primary site server computer, use the hierarchy maintenance tool (Preinst.exe) to stop all site services by using the following command: Preinst /stopsite.
    7. On the primary site server computer, click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and click ConfigMgr Setup, or navigate to the .\bin\i386 directory of the Configuration Manager 2007 installation media and double-click Setup.exe.
    8. Click Next on the Configuration Manager Setup Wizard Welcome page.
    9. Click Perform site maintenance or reset this site on the Configuration Manager Setup Wizard Setup Options page.
    10. Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page.
    11. Enter the appropriate SQL Server name and instance (if applicable) for the new site database server as well as the site database name on the Configuration Manager Setup Wizard SQL Server Configuration page.
      Configuration Manager Setup performs the SQL Server configuration process.
    12. Restart the primary site server computer, and verify the site is functioning normally.
    13. On the site server, run serversetup.exe from the FEP installation media.
    14. On the Installation Options step, choose Advanced Topology.
    15. On the Advanced Topology step, ensure that FEP 2010 Reporting and Alerts is selected.
    16. On the Reporting Configuration step, provide the proper computer, instance, and database name for your SQL implementation. Ensure the Reuse existing database check box is selected.
    17. Proceed through setup. This process will recreate the FEP database alongside the relocated site database, and recreate the SQL jobs necessary to move information from the site database into the FEP databases. The FEPDB will be repopulated according to the information stored in the site database.
  • Wed, 13 Jul 2011 15:27:17 +0300

    Hi folks,

    There have been some questions about these two areas of definition updates, so I wanted to clarify this a bit.

    Whenever FEP does a definition update, a silent rescan of all running processes and loaded modules is performed. If there is malware running that is now detected by the new definitions, that malware is detected within a few seconds of performing the update. There is no action needed on your part after new definitions are downloaded – this silent rescan happens automatically.

    Additionally, the FEP client can be configured to check for definition updates automatically on service start. The behavior is the same as described in Checking for definition updates when starting (yes, that particular blog article deals with FCS, but the FEP behavior is the same). The registry key already exists in the FEP ADMX, which you can download as part of the FEP2010grouppolicytools-<locale>.exe here. For full documentation about all the values in the ADMX, see the FEP ADMX Reference.

    Thanks!

  • Tue, 28 Jun 2011 19:52:00 +0300

    By Adwait Joshi

    Hello,

    An Update Rollup for Forefront Endpoint Protection 2010 is now available here: http://go.microsoft.com/fwlink/?LinkId=223229.

    In addition to hotfixes, this Update also includes some important changes to note:

    1. Support for Windows Embedded 7 platforms:  With this update, the FEP client software is supported on certain Windows Embedded 7 platforms (including Windows Thin PC) and Windows Server 2008 Server Core.  For more information about the additional support, see Prerequisites for Deploying Forefront Endpoint Protection on a Client Computer.
    2. Signature Update Automation Tool used with Configuration Manager Software Update:  This tool automates downloading FEP definition updates using Configuration Manager 2007 Software Updates.  This is a command line tool that uses Configuration Manager APIs to get new definitions from Microsoft Update via the Configuration Manager software update feature, distribute the content to distribution points, and deploy the updates to Endpoint Protection clients on a recurring schedule.  The automation of the tool is done through the Windows task scheduler. To download the tool, see http://go.microsoft.com/fwlink/?LinkID=221205
    3. Two new preconfigured policy templates for the following server workloads:
      1. Microsoft Forefront Threat Management Gateway
      2. Microsoft Lync 2010

    You can find more details in the “What’s New” document on the TechNet site. Please check out this KB article for a full list of fixes included in this Update Rollup.

    Thanks,

    Adwait Joshi

    Sr. Technical Product Manager

    Forefront Endpoint Protection

  • Fri, 20 May 2011 23:10:26 +0300

    Hey folks!

    I wanted to let you know that we have guidance for migrating from FCS v1 to FEP 2010 here (http://technet.microsoft.com/en-us/library/gg477033.aspx).

    The process involves the following high level steps:

    1. Document the policy settings you want to preserve from FCS to FEP. There is no policy migration between the two versions.
    2. In WSUS, unapprove all the FCS v1 client installation packages.
      • If you forget to do this, you may end up with FCS v1 reinstalled.
    3. Install FEP on your Config Mgr installation, and proceed with the FEP client deployment.
      • The FCS v1 client software is automatically uninstalled and FEP is installed.
      • Also – the definitions already on the client computers are preserved, which shortens the time needed for clients to become up to date on definitions.

    Thanks!

    Kim Ditto-Ehlert
    Senior Technical Writer

  • Thu, 19 May 2011 12:03:00 +0300

    From Angela Latimer, CSS

    If you are using Forefront Endpoint Protection (FEP) 2010, you may have tried running one of the three default FEP reports and noticed that not all areas or sub-reports display properly. You may see an error in processing the reporting data or retrieving the data, similar to the error displayed below:

    Error while trying to run the Antimalware Activity Report:

    (screenshot of the report error)

    We found this error was due to the installed version of Microsoft SQL Server not being up-to-date with the latest Cumulative Update package. Cumulative Update packages contain hot fixes that address issues in the currently installed version of Microsoft SQL Server which may be versions ranging from Release to Manufacturing (RTM), Service Pack (SP), or Feature Release (R).

    In digging into the details of the error related to FEP reports not displaying properly, we found the following errors in the System Center Configuration Manager Console and/or in the %drive%:\Program Files (x86)\Microsoft Configuration Manager\Logs\SRSRP.log file, reporting Error ID 7403 related to the health of SRS Reporting Point thread:

    STATMSG: ID=7403 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_SRS_REPORTING_POINT" SYS= SITE= PID=2880 TID=5572 GMTDATE=Wed Oct 21 17:57:26.302 2009 ISTR0="HACM01" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)  
    Failures reported during periodic health check by the SRS Server . Will retry check in 57 minutes SMS_SRS_REPORTING_POINT 10/21/2009 10:57:26 AM 5572 (0x15C4)

    In the two environments we discovered this issue, Microsoft SQL Server 2008 and SQL Server 2008 R2 were running, but had NOT had the Cumulative Update package installed. As soon as this update was installed, the FEP reports began displaying properly.

    At the time of this blog, these are the most current Cumulative Update Packages for Microsoft SQL Server 2008 and 2008 R2. However, you should do a Bing search to ensure you are always installing the latest version.

    
  • Mon, 16 May 2011 05:30:00 +0300

    Forefront Endpoint Protection 2012 beta is here! We are extremely excited to announce the availability of Forefront Endpoint Protection 2012 Beta. Customers can download the Beta software immediately here. You can also download the prerequisite System Center Configuration Manager 2012 Beta 2 here.

    Forefront Endpoint Protection 2012 continues to deliver on the promise of Forefront Endpoint Protection 2010, simplifying and improving endpoint protection while also greatly reducing infrastructure costs. It builds on System Center Configuration Manager 2012, allowing customers to implement endpoint protection as part of a unified infrastructure for securing and managing physical, virtual, and mobile client environments. This shared infrastructure lowers ownership costs while providing improved visibility and control over endpoint management and security.   

    • What’s new in FEP 2012:
      • Support for System Center Configuration Manager 2012
      • Improved real time alerts and reports
      • Role-based management
      • User-centric reports (post beta)
      • Easy migration from FEP 2010/ConfigMgr 2007
      • Support for FEP 2010 client agents 

    Forefront Endpoint Protection 2012 continues to provide proactive protection against known and unknown threats using multiple technologies in the antimalware engine, such as behavior monitoring, the network inspection system and heuristics. With cloud-based updates through the SpyNet service, endpoints get updated protection against new threats in real time. See the benefits of enabling Dynamic Signature Service in FEP here.

    You can find more product details on our Website or TechCenter. And for more information about convergence of management and security, please visit our new Windows Optimized Desktop page.

    You can now evaluate Forefront Endpoint Protection 2012 beta and System Center Configuration Manager 2012 beta with a community of early adopters.  Join the Community Evaluation Program for System Center Configuration Manager and evaluate the products with guidance from the product team and by sharing of experiences and best practices among a community of peers.

    We hope you will evaluate the early version and give us your feedback!

    Forefront Endpoint Protection team

     

  • Fri, 13 May 2011 14:47:15 +0300

    From Shain Wray, CSS

    Using a CNAME (alias) DNS record for the server name when installing the Configuration Manager site database server components is supported by Configuration Manager setup. However, it is not allowed by FEP and causes errors during setup.

    A workaround for this issue is to avoid using the CNAME and change the site database server name in Configuration manager to the name of the site database server that is listed in Active Directory. Use the following steps to work around this issue.

    1. On the primary site server computer, use the hierarchy maintenance tool (Preinst.exe) to stop all site services with the following command: Preinst /stopsite.
    2. On the primary site server computer, click Start, click All Programs, click Microsoft System Center, click Configuration Manager 2007, and click ConfigMgr Setup, or navigate to the .\bin\i386 directory of the Configuration Manager 2007 installation media and double-click Setup.exe.
    3. Click Next on the Configuration Manager Setup Wizard Welcome page.
    4. Click Perform site maintenance or reset this site on the Configuration Manager Setup Wizard Setup Options page.
    5. Select Modify SQL Server configuration on the Configuration Manager Setup Wizard Site Maintenance page.
    6. Enter the appropriate SQL Server name and instance (if applicable) for the new site database server as well as the site database name on the Configuration Manager Setup Wizard SQL Server Configuration page.
    7. Configuration Manager Setup performs the SQL Server configuration process.
    8. Restart the primary site server computer, and verify the site is functioning normally.

     

    Symptom:

    When using a CNAME, you experience a FEP installation failure during the Reporting Services database installation. The FEP installation user interface displays a generic failure error. When reviewing the ServerSetup_<date_time>.log file, an error similar to the following is logged:

    [2/7/2011 3:02:38 PM][Verbose] Successfully retrieved site info: Site server: SCCMSVR. Site Name: CONTOSO Development Site. Site Code: TEST. Site DB server: DB1. DB Name: CONFIGMANAGER_TEST. DB Instance: MSSQLSERVER. SRS Computers: SCCMSVR.CONTOSO.COM
    [2/7/2011 3:02:38 PM][Verbose] Machine account resolver received machine name 'DB1'
    [2/7/2011 3:02:38 PM][Verbose] Successfully connected to Domain Controller. LDAP path: 'LDAP://contoso.com'
    [2/7/2011 3:02:38 PM][Verbose] Successfully constructed AD search filter. Filter: '(&(objectclass=computer)(objectCategory=computer)(cn=DB1))'
    [2/7/2011 3:02:38 PM][Verbose] Successfully constructed AD search filter. Filter: '(&(objectclass=computer)(objectCategory=computer)(dnsHostName=DB1))'
    [2/7/2011 3:02:38 PM][Verbose] AD query result is empty
    [2/7/2011 3:02:38 PM][Verbose] Unexpected exception while resolving machine account. Domain Controller: 'DB1'. Exception: Microsoft.Forefront.EndpointProtection.Configure.Utility.ActiveDirectoryUtilitiesException: Setup cannot resolve the fully qualified domain name for the following computer in Active Directory.
    [2/7/2011 3:02:38 PM][Verbose]> Verify the following: the computer name is correct, the local computer is connected to the domain, the specified computer is a member of the same domain as the local computer, the specified computer is connected to the domain. Computer name: DB1
    [2/7/2011 3:02:38 PM][Verbose]> at Microsoft.Forefront.EndpointProtection.Configure.Utility.ActiveDirectoryUtilities.GetMachineAccount(String comuterName)
    [2/7/2011 3:02:38 PM][Normal] The SQL Server computer cannot be found in Active Directory. Please verify that the provided computer name is valid, and that the computer is properly joined to the domain. If the specified computer is a SQL Server cluster, make sure that you have specified the cluster's SQL Network Name, and that the cluster is properly joined to the domain using 'Cluster Administrator'. SQL Server computer name: DB1. Error message: Failed to resolve machine account for DB1. Exception: Setup cannot resolve the fully qualified domain name for the following computer in Active Directory.
    [2/7/2011 3:02:38 PM][Normal]> Verify the following: the computer name is correct, the local computer is connected to the domain, the specified computer is a member of the same domain as the local computer, the specified computer is connected to the domain. Computer name: DB1
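    A pre-flight check for the condition described above, as an added PowerShell example that is not part of the original post or FEP setup: it asks DNS whether the stored site database server name is an alias, and searches Active Directory with the same computer-object filter the setup log shows. The default name DB1 is taken from the log above; the function names, and the use of Dns.GetHostEntry and DirectorySearcher in place of whatever FEP setup uses internally, are the example's assumptions. Run it on a domain-joined machine before starting ServerSetup.

```powershell
# Added example (not part of the original post or FEP setup): before running FEP
# ServerSetup, check whether the site database server name ConfigMgr holds is a
# DNS alias and whether Active Directory has a computer object with that name,
# which is what the setup log shows the installer searching for.
param(
    # Assumed value: the "Site DB server" name reported in ServerSetup_<date_time>.log.
    [string]$DbServerName = 'DB1'
)

function Test-DnsAlias {
    param([string]$Name)
    # GetHostEntry returns the canonical host name for the address the name maps to.
    # If that differs from the name we asked for (ignoring the domain suffix), the
    # name ConfigMgr holds is a CNAME. (Assumption: forward lookup is authoritative.)
    $entry = [System.Net.Dns]::GetHostEntry($Name)
    $canonical = $entry.HostName.Split('.')[0]
    New-Object PSObject -Property @{
        Queried   = $Name
        Canonical = $entry.HostName
        IsAlias   = ($canonical -ne $Name.Split('.')[0])
    }
}

function Find-AdComputer {
    param([string]$Name)
    # Same LDAP filter shape that FEP setup logs: a computer object whose cn is the name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectclass=computer)(objectCategory=computer)(cn=$Name))"
    $result = $searcher.FindOne()
    if ($result) { return $result.Properties['dnshostname'][0] }
    return $null
}

$dns    = Test-DnsAlias -Name $DbServerName
$adFqdn = Find-AdComputer -Name $DbServerName

Write-Host ("DNS: {0} -> {1} (alias: {2})" -f $dns.Queried, $dns.Canonical, $dns.IsAlias)
if ($adFqdn) {
    Write-Host "AD: computer object found, dNSHostName = $adFqdn"
} else {
    Write-Host "AD: no computer object named '$DbServerName'."
}

if ($dns.IsAlias -or -not $adFqdn) {
    Write-Warning ("FEP setup will not be able to resolve the machine account. Re-point the ConfigMgr " +
                   "site database to the AD computer name '{0}' before installing FEP." -f $dns.Canonical.Split('.')[0])
} else {
    Write-Host 'Name resolves to a domain-joined computer object; FEP setup should pass this check.'
}
```

    The warning path corresponds to the "AD query result is empty" line in the log above: an alias has no computer object, so the cn and dnsHostName searches both come back empty and setup stops.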

  • Thu, 31 Mar 2011 18:26:00 +0300

    We have been working hard on a solution for customers that encountered issues with our update in March. I wanted to let you know what we are planning to address this.

    We are authoring a package that is specifically designed to find systems that have a failed upgrade to our March update. To do this, we will be pushing a package from Microsoft Update that looks for several specific conditions:

    1. The SSA package from Forefront Client Security to be present.

    2. Several Antimalware registry keys are present, even though Antimalware software had been removed due to an upgrade.

    3. You are running Vista or higher OS (including Server OS like Windows Server 2008)

    If all of these items are true, then we will reinstall the update package and return the system to normal.

    If a system fails any one of these conditions, we aren’t going to install. The first case is a safe check because only FCSv1 customers have this particular package. The second one is equally important, because if an admin has actually intentionally removed FCSv1, the Antimalware keys we are looking for would no longer exist. The third obviously focuses the package on machines that it applies to.

    We are planning to release this package on 4/5. Our intention is to make this available and visible before the upcoming patch Tuesday window so administrators and users can choose to deploy it ahead of any other updates pending the following Tuesday. WSUS admins will be able to find this package by its KB number 2524280.

    Please note that this package is intended to fix only a very specific case of an upgrade failure. There are many technical reasons that a package may fail to upgrade that we cannot address in this manner. Examples include a damaged registry, Windows installer repository issues or binaries being held by external processes beyond our control. If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632 .

    Forefront Client Security Engineering team

  • Mon, 28 Mar 2011 16:27:21 +0300

    So I’ve been around here at Microsoft for a bit, and have been working with Microsoft products (and products related to Microsoft) for some time, but even now things slip under radar and get missed.

    Fortunately, folks like Stefan Schörling (links to his blog) are fantastic at finding tidbits that can make your job easier.

    I wanted to call out a blog post by Stefan about a Codeplex tool called Package This - that allows you to build a custom help file, using the TechNet Library as a source. Coolness in a major way. Wish I had this tool when I was out in the field….

    Enjoy!

  • Fri, 18 Mar 2011 14:17:55 +0200

    Hi Everyone,

    Microsoft Management Summit is just a few days away in Las Vegas. We hope to see you there. You will see a lot of Forefront Endpoint Protection (FEP) at MMS this year!

    Here’s the list of Forefront Endpoint Protection Sessions at MMS, please make sure to check them out. Please stop by at the FEP kiosk and share your feedback with the FEP extended team of engineers and consultants from around the world.

    • Wed 3/23, 10:15a - 11:30a: BI01 Advanced Malware Threat Detection and Removal with Forefront Endpoint Protection 2010
    • Wed 3/23, 4:00p - 5:15p: BI02 Forefront Endpoint Protection Overview: Managing desktop security and antimalware solution with System Center Configuration Manager
    • Thu 3/24, 4:00p - 5:15p: Integrating Management & Security at Microsoft: Forefront Endpoint Protection 2010 deployment case study at Microsoft
    • Wed 3/23, 11:45a - 1:00p; Thu 3/24, 4:00p - 5:15p: Forefront Endpoint Protection Overview - Instructor Led Lab
    • Wed 3/23, 5:30p - 6:30p: BOF: Forefront Endpoint Protection 2010 Setup and Configuration (Birds of a Feather - interactive session)

    Looking forward to meeting you in Las Vegas!

    AJ

    Adwait Joshi
    Sr. Technical Product Manager
    Management and Security Division

  • Tue, 08 Mar 2011 21:16:00 +0200

    Update 10 March 2011

    We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used.  We wanted to be clear on the issue and exactly what steps we are taking to rectify it.


    Symptom:

    A computer attempts to use the Install updates and shutdown Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment (SSA) and Microsoft Operations Manager components installed.

     

    The problem:

     This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March update; it is caused by a previously undetected problem in the October 2010 update. Please review the steps below for the options you should take.

     For the bug to occur, the system must either have the policy setting that changes the default shutdown behavior, or the user must click "Apply updates at Shutdown". If the update is deployed or manually installed in any other way, this bug does not occur.


    Key facts:

    1. If you have already successfully installed the March update, you do NOT need to roll it back.
    2. This bug does not apply to Microsoft Security Essentials or Forefront Endpoint Protection in any way.
    3. It can only occur if the "Install Updates and Shutdown" option is selected by the user or is set by policy.
    4. On unaffected computers, it in no way impacts the ability to receive definition updates and stay secure.

     
    What can I do to address this issue myself?

    There are a number of workarounds that can be used currently.

     

    Avoiding the issue

    • WSUS administrators can decline the update, or simply not approve it for installation.
    • Avoid installing KB2508823 with "Install updates and shut down". This may be accomplished by:
      • recommending to users that they do not use that option
      • enforcing it through Automatic Updates Group Policy: Computer Configuration/Administrative Templates/Windows Components/Windows Update - "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box"
      • installing KB2508823 through a WSUS deadline, which triggers an immediate installation


    Issue correction

    If you have computers that experienced this issue and are now unprotected, there are a number of options:

    • Download and install KB2508823 manually. Steps are in the Hotfix information section of the KB article: http://support.microsoft.com/kb/2508823
    • In WSUS, approve "Client Update for Microsoft Forefront Client Security (1.0.1728.0)" and decline both the March update (KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (KB2508824). This will redeploy the prior update.
    • Approve the "Client Update for Microsoft Forefront Client Security (1.0.1736.0)" slipstream update.
      NOTE: We have seen that in some cases this will fail with 0x666 ERROR_PRODUCT_VERSION.
      If you are seeing ERROR_PRODUCT_VERSION failures installing the slipstream, you can uninstall SSA, which should allow it to work. To do this, uninstall "Microsoft Forefront Client Security State Assessment Service" in Control Panel > Programs > Uninstall a program, or run the following command line: msiexec.exe /x {2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6} /quiet

     

    What is Microsoft doing to address this?

     We are doing the following:

    1. We have already throttled downloads of KB2508823 on Microsoft Update so that users connecting directly to Microsoft Update will not have the package proactively delivered.
    2. We are changing the logic on Microsoft Update to only allow the update to apply to Windows 2000, Windows XP, and Windows Server 2003 for now. That will prevent further incidents from occurring. We are testing this change now, and will update the blog on when you can expect to see this change.
    3. We are authoring a patch update that will address this issue on Microsoft Update. This patch will supersede the current patches for all platforms. We will provide more information soon on when you can expect to see that package.

    We take the support of our customers very seriously.   If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632 .

    Sincerely, the Microsoft Forefront Client Security Engineering team.

     


    Update 9 March 2011

    Hello all,

    Today (8 March 2011), we released an update to FCSv1. Changes include:

    • This update enables computers running Forefront Client Security to update definitions at the scheduled time while running on battery power.
    • This update contains changes to allow computers running the Forefront Client Security service to open files encrypted by Prim'X ZoneCentral that are located in a network shared folder.
    • This update corrects issues in the mpfilter.sys kernel component used by Client Security that cause real-time protection errors on computers running Windows 2000.

    For existing FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823).
    For new FCS client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (http://support.microsoft.com/kb/2508824).

    For more information about the update, Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823) has the detail.

     

    Thanks!

    We have received reports that in some cases the FCS update fails to install correctly. We are reviewing these reports now, and will update this blog when we have details we can share. If you are a WSUS administrator, you may want to hold off approving this update for the moment.

  • Sat, 05 Mar 2011 01:44:01 +0200

    From Jeff Tondt

    Visio is one of the most popular tools for creating diagrams that describe effective systems and processes. In every project in which I participate, when it comes to documenting what you did I always have to create a diagram where I defined architecture, server configuration, network, etc. A picture is worth a thousand words and Visio is the tool of choice in these documentation tasks.

    With SMSMap you can read FEP components and ConfigMgr/SMS site roles through COM and automate Visio to draw a diagram of the hierarchy including the FEP SQL Reporting Server, FEP Data Warehouse SQL Server, and the FEP Reporting Component.

    Developed by Jeff Tondt this free utility is available at http://www.tondtware.com and works on ConfigMgr SP2 / R3 and down to SMS 2003. Seeing the whole FEP/ConfigMgr hierarchy as a picture can help you quickly understand how your infrastructure is laid out. This handy tool automates creation of your infrastructure documentation and frees you up for other Forefront product installations.

    Some screenshots of SMSMap:

    clip_image002

    clip_image006

    clip_image004

  • Fri, 04 Mar 2011 00:39:00 +0200

    Hello folks!

    Did you know that Windows 7 SP1 is available for download? Windows 7 SP1 brings some great features to the platform, and everyone's pretty excited about it.

    We want to make absolutely clear that Windows 7 SP1 is supported by the following endpoint security products:

    If in doubt about what you have installed, view your version number: on the Help menu, click About.

    If your version is reported in the range of 2.0.1677 to 2.0.2530, then you should:

    • Uninstall the unsupported pre-release version of the client currently installed, and
    • Install one of the release antimalware packages listed above, according to your organizational needs.

    Thanks!

    Note: The same statements apply for Windows Server 2008 R2 SP1 as well; you need the same update to allow FCS to function. (Douglas Hill 3/23/2010)

     

  • Tue, 22 Feb 2011 23:31:00 +0200

    So have you ever wondered what the Microsoft SpyNet opt in page is really all about?

    image

    Microsoft SpyNet is a cloud service that allows the FEP or MSE client on your computer to report information about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC) researchers. When this information is reported, definitions for previously unknown threats can be created and distributed, minimizing the time that a new threat is spreading in the wild before protection is available. (Note: older clients, like FCS and Windows Defender, also participate in SpyNet, but to get the full benefits of SpyNet, which includes Dynamic Signature Service, you should move to FEP or MSE.)

    Additionally, when your FEP or MSE client reports new malware to the Microsoft SpyNet cloud service, the Dynamic Signature Service can recognize when a definition is available but not yet released, and deliver the definition for that specific threat in real time from the cloud. Upon delivery of the dynamic signature, the threat will be detected and can be removed from the system.

    Hey – here’s a thought. Take 3 minutes and watch this – Microsoft SpyNet and the Dynamic Signature Service in action:

    (Please visit the site to view this video)

  • Fri, 04 Feb 2011 22:25:00 +0200

    Hello!

    A while back we posted a reporting workbook for the Forefront Endpoint Protection Security Management Pack. This workbook allows you to connect to your FEP Security Management Pack database and create custom reports based on the data contained within the database.

    We have a new addition to this – a workbook you can use to create custom FEP reports. This new workbook works in much the same way as the one previously released. You must first connect the workbook to your FEP database, and then you can use the worksheets to generate custom reports based on the data contained within the database.

    In order to make it easier for you to find both workbooks, I’ve attached a zip file that contains both of them to this blog article (if you already downloaded the one for the FEP Security Management Pack, it has not changed). Each workbook has instructions on the first worksheet on how to connect it to your database.

    Enjoy!

  • Tue, 01 Feb 2011 20:39:00 +0200

     

    The MscSupport tool is a tool designed to collect support data to troubleshoot Forefront Endpoint Protection. You can download the tool from the Forefront Endpoint Protection 2010 Tools download page (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=04f7d456-24a2-4061-a2ed-82fe93a03fd5).

    When to use the MscSupport tool

    It is a troubleshooting tool, so you only need to run it when you have a problem with Forefront Endpoint Protection.
    On the other hand, you don't need to run the tool on every occasion. Typically you need to collect the MscSupport data in the following scenarios:

    • Remote online troubleshooting is difficult
    • The cause of the problem is not clear
    • You have a Support case with Microsoft

    What data does the tool collect

    The data collected depends on the system you run the tool on. The tool collects additional information when it is run on the server hosting the FEP2010 server roles.

    The Support files contain FEP2010-specific information. The same information can be gathered by running the following command (located in C:\Program Files\Microsoft Security Client\Antimalware) from a Command Prompt:

    Mpcmdrun -GetFiles

    The following data is collected:

    • Any trace files from Microsoft Antimalware Service
    • The Windows Update history log
    • All Microsoft Antimalware Service events from the System event log
    • All relevant Microsoft Antimalware Service registry locations
    • The log file of this tool
    • The log file of the signature update helper tool

    Microsoft is committed to protecting your privacy. Please read the Microsoft Privacy Statement (http://go.microsoft.com/fwlink/?LinkId=81184) for more information.

    How to run the MscSupport tool

    The tool must be executed with Administrator privileges on the system you want to collect the data from, otherwise the data collected by the tool may not be complete.

    The data the tool collects will be placed in a cabinet file and is located in %SystemDrive%\MscSupportData

    1. Open Windows Explorer and navigate to the location where you stored the tool
    2. Right-click MscSupportTool.exe and click Run as administrator
    3. The tool will start to collect the support data

      clip_image001
    4. When data gathering is complete, you can close or open the folder that contains the CAB file

      clip_image002

    Kurt Sarens, Senior Support Engineer

  • Fri, 28 Jan 2011 22:41:53 +0200

    The FEP2010 Reporting account is defined during the FEP server setup, with the installation of the Reporting role to be exact.
    The account is used by SQL Reporting Services (SRS) to access the FEP data source used by reporting. Incorrect credentials may result in an error as below or similar:

    image

    This post provides the steps needed to change the reporting account, should you need to do so.

    Note: all below steps must be executed with an administrator account.

    Access to the FEP database used by reporting

    These steps must be executed on the SQL Server hosting the data warehouse database (FEPDW_XXX, where XXX is your Configuration Manager site code).

    1. Open SQL Management Studio and select Database engine from the Server type list. Enter or browse the SQL Server name hosting the reporting database.
    2. Under the Security container in SQL Management Studio, right-click Logins and then click New Login.
    3. Enter the login name (including domain) for your new reporting account.
    4. On the left-hand side in the Page selection area, select User Mappings.
    5. On the right-hand side, select the FEPDW_XXX database.
    6. In the Database role membership area below, check AN_ReaderRole and then click OK.

    Access to the OLAP cube

    These steps must be executed on the SQL server hosting the data warehouse database (FEPDW_XXX, where XXX is your Configuration Manager site code).

    1. In SQL Management Studio, select Connect Object Explorer from the File menu.
    2. In the Connect to Server window, select Analysis Services from the Server type list.
    3. Expand the FEPDW_XXX database and the Roles container.
    4. Right-click the ReportsUserReadRole and click Properties.
    5. Click the Membership page on the right-hand side.
    6. Add your new reporting account if it is not listed on the right-hand pane by clicking the Add button.
    7. Remove the old reporting account from the list.

    Change the account on the Reporting server

    These steps can be executed from any system. XXX is your Configuration Manager site code.

    1. Open http://<reportserver>/reports (replace <reportserver> with the name of the report server).
    2. Click the Forefront Endpoint Protection_XXX link.
    3. Click the Show Details button in the top right.
    4. Click the DataSources link.
    5. Click the DefaultDataSource link
    6. Enter the credentials of the new reporting account and click Apply.

    Update the reporting account in the registry

    These steps must be executed on the server hosting the FEP2010 Reporting role.

    1. Open the registry editor on the reporting server.
    2. Navigate to HKLM\Software\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\Server
    3. Double-click REPORTUSER and enter the new reporting account (in the format domain\username).
    4. Close the registry editor.

    Kurt Sarens, Senior Support Engineer
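    The same account change, scripted as an added example. This is not the FEP product's own code and not a script from the post; it covers three of the post's four sections (the database engine login and role, the OLAP role, and the REPORTUSER registry value). The SRS data source credentials (http://<reportserver>/reports, then Forefront Endpoint Protection_XXX, DataSources, DefaultDataSource) are still set in the web UI as the post describes. The server name, site code and both account names are placeholders; AMO (Microsoft.AnalysisServices) is assumed to be present, which it is wherever the SQL Server management tools are installed. Run parts 1 and 2 as a sysadmin on the data warehouse instance and part 3 as an administrator on the server hosting the FEP Reporting role.

```powershell
# Added example, not the FEP product's code. Placeholders: $DwServer, $SiteCode, both accounts.
param(
    [string]$DwServer   = 'SQL01',                       # hypothetical: hosts FEPDW_XXX (engine + Analysis Services)
    [string]$SiteCode   = 'XXX',                         # Configuration Manager site code
    [string]$NewAccount = 'CONTOSO\svc-fep-report',      # hypothetical new reporting account
    [string]$OldAccount = 'CONTOSO\svc-fep-report-old'   # hypothetical account being replaced
)

if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') { throw "Site code must be three alphanumerics, got '$SiteCode'" }
foreach ($a in $NewAccount, $OldAccount) {
    if ($a -notmatch '^[A-Za-z0-9._-]+\\[A-Za-z0-9._$ -]+$') { throw "Expected DOMAIN\user, got '$a'" }
}
$db = "FEPDW_$SiteCode"

# 1. Database engine: login, user mapped into FEPDW_XXX, member of AN_ReaderRole only (the role the post names).
#    The account travels as a parameter and is wrapped in QUOTENAME where DDL needs it, never spliced raw into the T-SQL.
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @acct)
BEGIN
    DECLARE @mkLogin nvarchar(400) = N'CREATE LOGIN ' + QUOTENAME(@acct) + N' FROM WINDOWS';
    EXEC (@mkLogin);
END;
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @acct)
BEGIN
    DECLARE @mkUser nvarchar(400) = N'CREATE USER ' + QUOTENAME(@acct) + N' FOR LOGIN ' + QUOTENAME(@acct);
    EXEC (@mkUser);
END;
IF NOT EXISTS (SELECT 1 FROM sys.database_role_members rm
               JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
               JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
               WHERE r.name = N'AN_ReaderRole' AND u.name = @acct)
    EXEC sp_addrolemember N'AN_ReaderRole', @acct;
"@
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$DwServer;Database=master;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $tsql
    [void]$cmd.Parameters.AddWithValue('@acct', $NewAccount)
    [void]$cmd.ExecuteNonQuery()
} finally { $conn.Close() }

# 2. Analysis Services: swap the account in ReportsUserReadRole of the FEPDW_XXX cube database (assumes AMO is installed).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.AnalysisServices')
$ssas = New-Object Microsoft.AnalysisServices.Server
$ssas.Connect($DwServer)
try {
    $role = $ssas.Databases.GetByName($db).Roles.GetByName('ReportsUserReadRole')
    foreach ($m in @($role.Members | Where-Object { $_.Name -eq $OldAccount })) { $role.Members.Remove($m) }
    if (-not ($role.Members | Where-Object { $_.Name -eq $NewAccount })) {
        [void]$role.Members.Add((New-Object Microsoft.AnalysisServices.RoleMember($NewAccount)))
    }
    $role.Update()
} finally { $ssas.Disconnect() }

# 3. Registry on the FEP Reporting server: the REPORTUSER value named in the post.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Forefront Endpoint Protection 2010\Server'
if (Test-Path $regPath) {
    Set-ItemProperty -Path $regPath -Name REPORTUSER -Value $NewAccount
} else {
    Write-Warning "$regPath not found; run this part on the server hosting the FEP 2010 Reporting role."
}
```

    The engine part grants the new account membership in AN_ReaderRole and nothing else, which is all SRS needs to read the data source; resist the temptation to make the reporting account db_owner to "make the error go away". Because the old login is left in place on the engine, drop it separately once the reports are confirmed working.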

  • Wed, 26 Jan 2011 00:30:00 +0200

    An issue has been identified in Forefront Client Security (FCS) where, when viewing the computer details report from the Forefront Client Security management console, the antimalware client version on 64-bit clients is not reported accurately. This is because of an error in the way the Operations Manager 2005 Management Pack collects this information.

    During Forefront Client Security installation, the antimalware package creates several registry keys and creates files in several different directories. During the antimalware installation on 64-bit computers, the following key is created under [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Forefront\Client Security\1.0\AM]

    "InstallLocation=C:\\Program Files (x86)\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\"

    The antimalware version is not reported because the MOM agent is 32-bit and on 64-bit computers runs under the Windows-on-Windows (WOW64) subsystem. Because of this, the MOM agent's registry queries are redirected to the Wow6432Node of HKEY_LOCAL_MACHINE. When the MOM script queries for the installation path and gets a value of "C:\Program Files (x86)\Microsoft Forefront\Client Security\Client\Antimalware", it then attempts to discover the file version of MsMpEng.exe, which is not located in this directory. On 64-bit computers MsMpEng.exe is located in "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware". When this query fails, the AM version property is set to "N/A".

    If you are experiencing this issue, we suggest you open a support case using one of the methods documented here: http://support.microsoft.com/select/Default.aspx?target=assistance

    Thanks,

    Chris Norman, Senior Escalation Engineer
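    An added example, not code from Forefront Client Security, the MOM management pack or either post: it reproduces the lookup this post describes (InstallLocation under the Wow6432Node, then the file version of MsMpEng.exe) and then does what the 32-bit MOM script does not, namely trying the native Program Files path used by 64-bit FCS before reporting N/A. It also checks for the Security State Assessment (SSA) MSI, using the product code quoted in the March 2011 update note above, so the "SSA present but no antimalware agent" state that note describes can be spotted from a script. The only assumption beyond what the posts state is that the Windows Installer Uninstall key is where a product code shows up.

```powershell
# Added example; registry key, file name and SSA product code come from the posts above.
function Get-FcsAntimalwareVersion {
    $keyPaths = @(
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft Forefront\Client Security\1.0\AM',  # what a 32-bit agent sees on x64
        'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM'               # native view (32-bit Windows)
    )
    $candidates = @()
    foreach ($key in $keyPaths) {
        if (-not (Test-Path $key)) { continue }
        $loc = (Get-ItemProperty -Path $key -Name InstallLocation -ErrorAction SilentlyContinue).InstallLocation
        if (-not $loc) { continue }
        # The path exactly as the MOM script reads it
        $candidates += Join-Path $loc 'MsMpEng.exe'
        # 64-bit FCS: the registry value says "Program Files (x86)" but the engine lives under "Program Files"
        $candidates += Join-Path ($loc -replace '\\Program Files \(x86\)\\', '\Program Files\') 'MsMpEng.exe'
    }
    foreach ($exe in ($candidates | Select-Object -Unique)) {
        if (Test-Path $exe) {
            return New-Object PSObject -Property @{
                Path    = $exe
                Version = (Get-Item $exe).VersionInfo.FileVersion
            }
        }
    }
    return $null   # the case the management pack renders as "N/A"
}

function Test-FcsSsaInstalled {
    # SSA product code from the msiexec /x command in the March 2011 update note
    $productCode = '{2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6}'
    $uninstallKeys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$productCode",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$productCode"
    )
    foreach ($k in $uninstallKeys) { if (Test-Path $k) { return $true } }
    return $false
}

$am  = Get-FcsAntimalwareVersion
$ssa = Test-FcsSsaInstalled
if ($am) { "FCS antimalware version $($am.Version) ($($am.Path))" } else { 'FCS antimalware version: N/A (MsMpEng.exe not found)' }
"SSA installed: $ssa"
if ($ssa -and -not $am) {
    Write-Warning 'SSA is present but the antimalware agent is missing: this matches the "Install updates and shut down" failure described in the March 2011 update note. Reinstall KB2508823 manually or redeploy the prior client update through WSUS.'
}
```

    Run it on a 64-bit FCS client and the first candidate path (Program Files (x86)) fails exactly as described in the post, while the second one resolves and returns the real file version; on a 32-bit client both candidates collapse to the same path. A client where the script prints N/A and SSA installed: True is one to treat as unprotected.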

  • Tue, 25 Jan 2011 00:21:29 +0200

    One of our support engineers, Jeramy Skidmore, has posted a fantastic article on how to provision a limited FEP Administrator in the Configuration Manager console.

    He walks you through the process of provisioning the new FEP Administrator, installing the Configuration Manager console and then the FEP console extensions for Configuration Manager, and then creating the custom MMC for the newly provisioned FEP Admin.

    Take a look: http://social.technet.microsoft.com/wiki/contents/articles/setting-up-a-new-fep-administrator.aspx

    Thanks Jeramy!!

  • Mon, 24 Jan 2011 23:53:39 +0200

    We wanted to update you about an issue with FEP that you may have seen in your organization. This is a known issue, and we’ll keep you up to date with developments.

    Symptoms:

    Periodically, the FEP data collection job (FEP_GetNewData_FEPDW_xyz) fails. When the job fails, the FEP Health Management Pack for Operations Manager and the FEP BPA report an error with the FEP data warehouse job either failing or not running. The failure is in one of the following job steps:

    • Step 6: End raise error section on DW, raise errors that were thrown from DW DB
    • Step 7: ssisFEP_GetErrorsDuringUpload_FEPDW_xyz

    Cause:

    This happens because of the following scenario:

    1. The antimalware client occasionally sends a malformed malware detection data item to the FEP server.
    2. The server tries to process this data item as part of the data collection job (FEP_GetNewData_FEPDW_xyz).
    3. During data item processing, the job sees that this data item is malformed and ignores it.
    4. After processing completes, the data collection job (FEP_GetNewData_FEPDW_xyz) looks to see if any data items were malformed, and if so, it fails the job.
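    To tell this known failure apart from a genuinely broken collection job, here is an added example (not part of the original post and not FEP's own code) that reads the recent failures of the job from the SQL Agent history and reports whether every failure is in step 6 or 7, the pattern described above, or whether some other step is failing and needs a real look. The server name is a placeholder; the job name follows the post's FEP_GetNewData_FEPDW_<sitecode> pattern, and the msdb.dbo.sysjobhistory layout used is the standard one (run_status 0 = Failed, step_id 0 = the job outcome row, run_date as a yyyymmdd integer).

```powershell
# Added example; $DwServer is a placeholder, the job name pattern comes from the post.
function Get-FepJobFailures {
    param(
        [string]$DwServer = 'SQL01',   # hypothetical: instance running the FEP data warehouse jobs
        [string]$SiteCode = 'XXX',     # Configuration Manager site code
        [int]$Days = 7
    )
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') { throw "Site code must be three alphanumerics, got '$SiteCode'" }
    $jobName = "FEP_GetNewData_FEPDW_$SiteCode"

    # Step-level failure rows for the job within the window; parameters keep the job name out of the SQL text.
    $query = @"
SELECT h.run_date, h.run_time, h.step_id, h.step_name, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE j.name = @job
  AND h.step_id > 0                 -- step rows only; step 0 is the job outcome
  AND h.run_status = 0              -- 0 = Failed
  AND h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(day, -@days, GETDATE()), 112))
ORDER BY h.run_date DESC, h.run_time DESC;
"@
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$DwServer;Database=msdb;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        [void]$cmd.Parameters.AddWithValue('@job', $jobName)
        [void]$cmd.Parameters.AddWithValue('@days', $Days)
        $table = New-Object System.Data.DataTable
        (New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($table) | Out-Null
    } finally { $conn.Close() }

    $failures = @($table.Rows)
    $known = @($failures | Where-Object { 6, 7 -contains $_.step_id })        # the malformed-item pattern from the post
    $other = @($failures | Where-Object { -not (6, 7 -contains $_.step_id) })  # anything else deserves investigation

    New-Object PSObject -Property @{
        Job               = $jobName
        Failures          = $failures.Count
        Step6or7          = $known.Count
        OtherSteps        = $other.Count
        MatchesKnownIssue = ($failures.Count -gt 0 -and $other.Count -eq 0)
        Details           = $failures | Select-Object run_date, run_time, step_id, step_name, message
    }
}

# Usage: summarise the last week for site XXX, then list the individual failures
$result = Get-FepJobFailures -DwServer 'SQL01' -SiteCode 'XXX' -Days 7
$result | Select-Object Job, Failures, Step6or7, OtherSteps, MatchesKnownIssue
$result.Details | Format-Table -AutoSize
```

    MatchesKnownIssue being true means every failure in the window landed in step 6 or 7, consistent with the malformed data items described here; a non-zero OtherSteps count means the job is failing for a different reason and the step message column is where to start.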

    Impact:

    • Malformed data items are lost (they don’t get processed); all properly-formed data items are processed.
    • You may experience a small performance impact during the data collection job (FEP_GetNewData_FEPDW_xyz) due to the handling of malformed data items.
    • The data collection job (FEP_GetNewData_FEPDW_xyz) appears as failed in the job history.
    • If the SQL Server Monitoring Management Pack is installed on your Operations Manager server, the data collection job (FEP_GetNewData_FEPDW_xyz) appears with an error.
    • If the Forefront Endpoint Protection Server Health Monitoring Management Pack is installed on your Operations Manager server, the FEP deployment appears as critical and an alert is issued.