Solved

Why is System Center Endpoint Protection 2012 SP1 inconsistent in applying antimalware policies?

Posted on 2013-06-14
Last Modified: 2013-07-13
Folks -

I've recently created a new Client Settings Profile and Antimalware Policy within SCCM 2012 SP1.  I've created a collection with test machines (including some XP clients and some Windows 7 clients).  I deployed the Client Settings and Antimalware Policy to that collection.  My old antivirus software (Forefront Client Security) was removed and SCEP 2012 SP1 was laid down in its place.

The installation went fine on all my test machines, however, I'm noticing significant inconsistencies in the application of the antimalware policy.

Here are some bullet points of inconsistency:
- SCEP on Windows 7 machines does not receive the file extension or file path exclusion lists.

- The "Disable the client user interface" setting does not dynamically apply.  Only the setting that existed upon the client's first install takes effect.  If you change this later in the antimalware policy, the client UI will not reappear/disappear.

- If real-time protection is turned off by an administrator on the client (by unchecking it and providing a credential through the UAC prompt), it will never get re-enabled even though it is required by the Antimalware Policy.

Has anyone else seen this?  Am I looking at an extremely buggy client?  Or am I missing something?  There's more to the list but these are some examples I found within only 30 minutes of testing.

The latest April 2013 update for the client (KB 2831316) has been distributed via our WSUS infrastructure and makes no difference to these items.
Question by:amendala

Expert Comment

by:TechOps07
I came across this as well during my lab testing of SCCM 2012 with Endpoint Protection. I realized that the policy will take effect within 24 hrs unless you force a policy update via the Configuration Manager option in Control Panel on the target machine.

If you think about it, that would be normal: as you make the changes on the server for the said policy, it will take a while for all the clients to report to SCCM for any changes in policies.

Author Comment

by:amendala
Unfortunately, that isn't my experience.  The SCEP clients I've deployed have been active for over a week.

I know policy is updating as some features work, but the fact that some work and some don't bothers me.  I'm very close to opening a Premier case with Microsoft.

It just doesn't make sense that some policy attributes work, some don't, and of all things, some don't work on Windows 7 but they work on XP.  Wow.  :)

Expert Comment

by:TechOps07
That is very odd, needless to say. I wish I had an answer for you in this case, but the only thing I can think of is conflicting policies; however, they are labeled by priority, so that cannot be the case.

If you find a solution please post back on here because I am very curious on why and how this occurred.

Author Comment

by:amendala
I'll post back when I know something.  These machines had FCS on them before, which obtains its settings via GPO.  I'm wondering if tattooed GPO settings from the prior AV client, which obviously carries the same executable name (msmpeng.exe), implying significant similarity, are part of the problem.

I denied application of the FCS GPO to my workstation and allowed numerous SCCM policy refresh cycles to pass with no difference in behavior.

Expert Comment

by:LeeTutor
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Author Comment

by:amendala
I have determined the cause of this problem.

SCEP relies on Local Group Policy Processing in order to apply its policy settings.  In organizations that have deployed a domain-global GPO to disable Local Group Policy Processing, such as my own, SCEP policy settings cannot be properly compiled and applied.

Upon removing this global GPO setting from all computers in my domain, SCEP began accurately and consistently applying policy.
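A client-side check for the root cause described above, and for the three settings the question lists as inconsistent, as an added PowerShell example that is not part of the original thread. It assumes that "disable Local Group Policy Processing" refers to the GPO setting "Turn off Local Group Policy Objects processing", which writes the registry value DisableLGPOProcessing under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and that SCEP 2012 lands its antimalware policy under HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware (the value and subkey names below follow the Microsoft Antimalware ADMX layout and are assumptions, not something the thread states). It also wraps the manual policy refresh TechOps07 suggested; the 60-second wait is an arbitrary choice.

```powershell
# Added example (not from the thread): run in an elevated PowerShell prompt on a
# SCEP 2012 client that is not picking up its antimalware policy.
#
# Assumptions (not stated in the thread):
#  - The domain GPO in question is "Turn off Local Group Policy Objects processing",
#    stored as DisableLGPOProcessing = 1 under the Windows\System policy key.
#  - SCEP 2012 applies antimalware policy into the "Microsoft Antimalware" policy key,
#    using the subkey/value names from the Microsoft Antimalware ADMX templates.

$lgpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$scepKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'

function Test-LgpoProcessingDisabled {
    # $true when a domain GPO has switched off local GPO processing, which the
    # accepted answer identifies as the reason SCEP policy never applies.
    $item = Get-ItemProperty -Path $lgpoKey -Name DisableLGPOProcessing -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableLGPOProcessing -eq 1)
}

function Get-ScepEffectivePolicy {
    # Reads the three settings the question reports as inconsistent:
    # exclusions, UI lockdown ("Disable the client user interface"), and real-time protection.
    $rtp   = Get-ItemProperty -Path "$scepKey\Real-Time Protection" -ErrorAction SilentlyContinue
    $ux    = Get-ItemProperty -Path "$scepKey\UX Configuration"     -ErrorAction SilentlyContinue
    $exts  = Get-Item -Path "$scepKey\Exclusions\Extensions" -ErrorAction SilentlyContinue
    $paths = Get-Item -Path "$scepKey\Exclusions\Paths"      -ErrorAction SilentlyContinue

    # Exclusion entries are stored as value names (data 0) under the two keys.
    [pscustomobject]@{
        PolicyKeyPresent           = Test-Path $scepKey
        RealtimeMonitoringDisabled = ($null -ne $rtp -and $rtp.DisableRealtimeMonitoring -eq 1)
        UILockdown                 = ($null -ne $ux  -and $ux.UILockdown -eq 1)
        ExcludedExtensions         = if ($exts)  { $exts.GetValueNames() }  else { @() }
        ExcludedPaths              = if ($paths) { $paths.GetValueNames() } else { @() }
    }
}

function Invoke-CcmMachinePolicyRefresh {
    # Same action as "Machine Policy Retrieval & Evaluation Cycle" on the Actions tab
    # of the Configuration Manager control panel applet (schedule ID ...021).
    Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000021}' | Out-Null
}

if (Test-LgpoProcessingDisabled) {
    Write-Warning ("DisableLGPOProcessing=1: a domain GPO has turned off local GPO processing. " +
                   "SCEP antimalware policy cannot apply on this client until that setting is removed.")
} else {
    Write-Host 'Local GPO processing is enabled on this client.'
}

# Force a policy refresh, then show what actually landed in the policy key.
Invoke-CcmMachinePolicyRefresh
Start-Sleep -Seconds 60   # arbitrary: give the client time to download and evaluate policy
Get-ScepEffectivePolicy | Format-List
```

If the warning fires, `gpresult /h report.html` on the client shows which domain GPO is delivering "Turn off Local Group Policy Objects processing" so it can be unlinked or filtered; an empty or absent policy key after the refresh, with the exclusions and lockdown values missing, is the client-side symptom that matches the behaviour described in the question.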
 

Accepted Solution

by:
amendala earned 0 total points
(Same text as the author's comment above.)
 

Author Closing Comment

by:amendala
I determined the problem and fixed it.