System Center 2012 Endpoint Protection and False Positives
Endpoint Protection has just identified a key business application as malware. What do you do?
Summary Points
Though Microsoft’s antimalware technologies have one of the lowest false-positive rates in the industry, you should always be ready to address Endpoint Protection false-positive situations if they occur in your environment. There are some basic steps you can take to mitigate and remediate the problem. The case study below presents a hypothetical example of how Kevin, the security administrator at Contoso, addressed a false-positive situation at his company. The summary points are below, followed by the full case study. Note: This document references System Center 2012 Endpoint Protection, but the steps are valid for Forefront Endpoint Protection 2010 as well.
- Opt-in to the Microsoft Active Protection Service (MAPS, formerly known as Spynet) . MAPS provides cloud-based analytics and rapid responses for providing the latest good, and revoking known-bad definitions. Opting into Basic membership at a minimum is highly recommended.
- Watch and listen for alarms. False positives are most likely to start occurring due to the distribution of a new definition that is misidentifying a good application as malware. A malware outbreak event is not common, so that might your first indicator that an unintended clean is occurring. Configure your Endpoint Protection outbreak alert with email notifications, and set the threshold to a relatively low percentage so you get alerted when a particular number of clients all start reporting the same malware. Look at the impacted path in reports, or in-console, and assure legitimately suspicious files are being cleaned.
- Set default actions to quarantine. In antimalware policy, setting the default actions for threats by alert level to quarantine assures that in the case of a false-positive, you are able to restore the quarantined files without redeploying the application.
- Fix the impacted clients. Use the process Kevin uses in this case-study to override the threat or exclude the path, and then restore the files if quarantined. In the case that the application is removed, not quarantined, be prepared to re-deploy the application rapidly after the definition causing the false-positive has been updated.
- Resume Endpoint Protection. After the issue has been resolved, and the definition issue has been fixed by Microsoft, resume normal operations and reset or revoke the mitigations you put into place for the issue. From the malware encyclopedia, you can find the entry for the malware that the application was detected as, which will have details on the false-positive event, and which signature version the issue has been resolved in.
Full Case Study
Sitting down for at his desk in the morning, Kevin’s phone rang. It was Melissa, incensed that the IT Department had removed her key business application, Widget Maker Pro. Kevin assured Melissa that IT had nothing to do with this, but that he’d look into it immediately. Getting off the phone with Melissa to take a look at the issue, Kevin got an email notification from Endpoint Protection indicating a virus outbreak was occurring. Then the helpdesk called, saying multiple users were calling to report Widget Maker Pro gone. Uh oh.
Kevin’s stomach twisted up—no breakfast that day—because it appeared as if malware was removing the company’s most critical line of business application! He opened up the Endpoint Protection reports, and found the malware that was generating the outbreak alert (this information is also available in-console). Looking at the malware details, Kevin saw that it was being effectively cleaned. Then he saw the path and executable name of the malware being quarantined: it was the primary executable for Widget Maker Pro. Endpoint Protection was removing Widget Maker Pro thinking that it was malware! Clicking on the link for this malware in reports, Kevin was able to research this malware through the online encyclopedia, but at this point, nothing had been posted yet.
Kevin knew that a new definition had been released and deployed that morning—as they were every morning at Contoso—and it seemed to be falsely identifying Widget Maker Pro as Virus Foo/32. Kevin had a couple of options at this point: he could temporarily override this threat completely, or he could exclude the path to Widget Maker Pro executable from Endpoint Protection. The override option is good in situations where the real malware can be tolerated if an infection is found before a fixed definition is released. The path-based approach is a good one to use when there are a small number of unique path references across all clients impacted, so variable path exclusions can easily be added to antimalware policy.
In Kevin’s case, a very specific path and file was being affected—“program fileswidgetmakerprowmpro.exe”—so he added an exclusion for that path and file to his antimalware policies. Also, he could have set an override of Virus_Foo/32 and set it to “allow” temporarily. In either remediation scenario, Kevin was able to get the details he needed from the Endpoint Protection reports (or console).
Now that Kevin had excluded the path from antimalware protection, he had to address the clients where Widget Maker Pro had been quarantined so he could restore it. Kevin had previously configured all of his antimalware policies to have a default action of quarantine, so he knew the files were available for restoration. He’d also prepared a “restore” package and program in advance in case this situation ever came up, so he got that process started.
The program put the quarantined files back into their working directory. The details of Kevin’s rollback and restore programs are:
The program to restore is: Mpcmdrun.exe –Restore -Name <Malware Name>
The startup folder for this binary is: %programfiles%Microsoft Security ClientAntimalware
Kevin simply updated the command line in the restore program to the threat name of Widget Maker Pro that was being returned (Virus_Foo/32), and deployed that program to the “All Forefront Desktops” collection.
Once the crisis was mitigated, he reported the issue to the Microsoft Malware Protection team, by submitting a sample of the .exe and indicating on the submission that this should not be identified as malware. They researched the issue, fixed the definition causing the problem, and published a fixed definition to Microsoft Update. As with all false-positive submissions, the Malware Protection Center added this file to its clean-file list to make sure no false-positives would occur again for this application.
After they informed Kevin that the issue with the definition had been addressed, he updated his definition source, which brought in the new, fixed definition. Kevin tested the new definition and confirmed it was no longer removing Widget Maker Pro, and then deployed it. Confirming that his clients were all updated with the latest definition through Endpoint Protection reports/console, Kevin removed the exception he’d set in the antimalware policies. A couple of days later, he removed the advertisement of the restore package and program.
One thing Kevin missed in his otherwise excellent response, however, was declining to opt-in to Basic membership for Microsoft Active Protection Service (MAPS) when he configured his Endpoint Protection policies. Opting into MAPS is a simple antimalware policy setting. Had Kevin also opted-in to MAPS, his clients would have received a Signature Disable Notification (SDN) as soon as the Microsoft analysts realized the error. The SDN is something MAPS-enabled clients can pull down when a known false-positive issue with a published signature has been identified by analysts. Opting into MAPS also provides a number of valuable services, including a layer of false-positive protection. If the Malware Protection Center had already seen this problem, and if Kevin had opted into MAPS, this would have been addressed for him automatically, before any false-positive downtime occurred.
There are multiple variations to this scenario, but the key lesson to address false-positives is to be prepared and to have a rollback contingency in place like Kevin did. Follow the summary steps at the beginning of this document, to assure that you are prepared. These are not frequent occurrences, but with the volume of malware that has to be analyzed, this can happen.
Jason Githens
Sr. Program Manager
System Center 2012 Configuration Manager & System Center 2012 Endpoint Protection