Forefront Endpoint Protection 2010 (FEP) Release Candidate has just been released. In this post we discuss ways for administrators to monitor FEP. FEP 2010 provides several monitoring features; this is the first in a series of posts about them.
One of the key architecture changes from Forefront Client Security (FCS) is FEP's alignment with System Center Configuration Manager. Configuration Manager provides the platform for client distribution and policy settings, as well as data collection to and from clients.
The FEP Dashboard is an extension to the Configuration Manager console. After deploying the FEP console extension to Configuration Manager (either on the site server or on an administrator's workstation), a new node called "Forefront Endpoint Protection" appears in the navigation tree (see Figure 1). The dashboard serves two purposes:
- It provides a single pane of information for an administrator who needs to know how FEP is doing, as well as a starting point for drilling down into FEP features and troubleshooting.
- It serves as a launchpad for the administrator to drill down into troubleshooting and other day-to-day tasks.
Figure 1 - FEP Dashboard
Capabilities of the FEP dashboard (see the labeled figure above):
- Computers targeted by FEP: Unlike other security suites, FEP does not require a new discovery mechanism for computers in the organization. Instead, it queries the Configuration Manager database for workstations, laptops and servers (excluding mobile devices). Once the computers are discovered, the administrator can decide to protect them by creating a software distribution advertisement targeting the collections that contain them.
- Tip: Administrators can open the FEP collections and drill down to the "Deployment\Not Targeted" collection to identify the computers that will remain unprotected without manual intervention (e.g. creating an advertisement).
- Tip: The dashboard infers the administrator's intent from active advertisements, so the FEP-related advertisement must be kept active (set to never expire). Make sure this option is selected when creating your own advertisement.
- Deployment status: Once an administrator starts deploying FEP to clients, the clients move from the "Not Targeted" collection into one of the following deployment states:
- Locally Removed – Computers where the FEP client was removed locally, either by a user with local administrator rights or by other software (e.g. malware).
- Failed - Computers for which the FEP client setup program reported a failure.
- Pending – Computers for which an active Configuration Manager software distribution advertisement is trying to install the FEP client.
- Out of date – Computers for which the reported FEP version is older than the one installed on the server.
- Deployed – Computers with FEP client deployed.
- Health status: For computers in either the "Deployed" or "Out of date" state, the FEP dashboard provides additional health information:
- Protection inactive – The FEP service is reported as turned off.
- Not responding – Computers that have not reported in the last 14 days.
- Healthy – Neither of the above.
- Malware activity status: Shows computers with malware activity. FEP surfaces computers with the following infection states:
- Infected – Computers where FEP could not fully mitigate a malware instance.
- Restart\Full scan required – Computers where FEP mitigated a malware incident but additional action is required to complete the mitigation.
- Recent activity – Computers where malware was detected and successfully mitigated (within the last 24 hours).
- Definition status: Enables administrators to drill down into computers which failed to update their FEP definitions.
- Policy distribution: Enables administrators to drill down into computers where Configuration Manager failed to distribute FEP policy.
- FEP baselines: Presents administrators with a quick compliance view into the FEP baselines.
- Tip: Administrators may create their own Desired Configuration Management (DCM) baselines that use the FEP Configuration Items (CIs). To add a baseline to (or remove it from) the FEP dashboard, add (or remove) the "FEP" category on the baseline.
- Note: The FEP dashboard is built on top of Configuration Manager collections. Each hyperlink in the FEP dashboard leads to a collection that holds the computers sharing the same symptom.
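The tip above about keeping the FEP advertisement active (never expire) is easy to verify from the site server rather than by clicking through each advertisement. The following PowerShell script is an added example, not code from the original post or from the FEP product: it queries the ConfigMgr 2007 SMS Provider class SMS_Advertisement over WMI and flags any FEP advertisement that has an expiration time enabled. The site server name, the site code and the assumption that FEP advertisements carry "FEP" in their name are placeholders for your environment; the account running it needs read access to the SMS Provider.

```powershell
# Added example (not from the original post): list FEP advertisements and flag
# any that can expire, which would silently drop their collections from the
# dashboard's "targeted" population once the expiration time passes.
param(
    [string]$SiteServer = "cm07.contoso.local",   # assumption: ConfigMgr 2007 site server
    [string]$SiteCode   = "ABC"                   # assumption: three-letter site code
)

$ns = "root\SMS\site_$SiteCode"

# SMS_Advertisement is the SMS Provider class for software distribution
# advertisements. ExpirationTimeEnabled = $true means the advertisement stops
# being offered at ExpirationTime (a DMTF datetime string).
$adverts = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_Advertisement |
    Where-Object { $_.AdvertisementName -like "*FEP*" }   # assumption: FEP adverts have "FEP" in the name

if (-not $adverts) {
    Write-Warning "No advertisement matching '*FEP*' found in $ns on $SiteServer"
    return
}

foreach ($adv in $adverts) {
    if ($adv.ExpirationTimeEnabled) {
        $when  = [System.Management.ManagementDateTimeConverter]::ToDateTime($adv.ExpirationTime)
        $state = "EXPIRES $when  <-- fix: clear the expiration so the advertisement never expires"
    } else {
        $state = "never expires (OK)"
    }
    "{0} [{1}] -> collection {2}: {3}" -f $adv.AdvertisementName, $adv.AdvertisementID, $adv.CollectionID, $state
}
```

Run it from a console with the ConfigMgr administrator's credentials; any line marked EXPIRES points at an advertisement whose targeted computers will drift back into "Not Targeted" after the given date.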
Senior Program Manager