Monitoring Forefront Endpoint Protection 2010 – the FEP Dashboard

Forefront Endpoint Security 2010 (FEP) Release Candidate was just released. In this post, we will discuss ways for administrators to monitor FEP. There are several monitoring features provided with FEP2010 - this is the first in a series of posts about these monitoring features.

One of the key architecture changes from FCS is FEP’s alignment with System Center Configuration Manager. Configuration Manager provides the platform for client distribution and policy settings, as well as data collection to and from clients.

The FEP Dashboard is an extension to the Configuration Manager console. After deploying the FEP console extension to Configuration Manager (either on the server or on administrator’s laptop), a new node appears in the navigation tree called “Forefront Endpoint Protection” (see Figure 1).

Goals:

• Provide a single pane of information to an administrator who needs to know how FEP is doing, as well as a starting point for drill down into FEP features and troubleshooting.
• Serves as a Launchpad for the administrator to drill down to troubleshooting or other day to day tasks.

Figure 1 - FEP Dashboard

Capabilities of the FEP dashboard (see the labeled figure above):

 

1. 1. Computers targeted by FEP: Unlike other security suites, FEP does not require a new discovery mechanism for computers in the organization. Instead, it queries the Configuration Manager database for workstations, laptops and servers (dropping mobile devices). Once discovered, the administrator may decide to protect the clients by creating a software distribution advertisement for collections containing all the clients.
      • Tip: Administrators can open the FEP collections and drill down to the “Deployment\Not Targeted” collection to identify those computers that are going to be unprotected without manual intervention (e.g. creating an advertisement).
      • Tip: The only way to capture administrator’s intention is to have the FEP related advertisement to active (never expire). Make sure you have this checked when creating your own.
   2. Deployment status: Once an administrator starts to deploy FEP on clients, the clients are moved from the “not targeted” collection to one of the following deployment states:
      • Locally Removed - Computers where the FEP client was locally removed either by a user with local administrator permission or by another software (e.g. malware).
      • Failed - Computers for which the FEP client setup program reported a failure.
      • Pending – Computers for which an active Configuration Manager software distribution advertisement is trying to install the FEP client.
      • Out of date – Computers for which the reported FEP version is older than the one installed at the server.
      • Deployed – Computers with FEP client deployed.
   3. Health status: For those computers either in “deployed” or “out of date” state, the FEP dashboard provides additional health information:
      • Protection inactive – The FEP service is reported to be turned off.
      • Not responding – Computers which have not reported for the last 14 days.
      • Healthy – Neither of the above.
   4. Malware activity status: Shows computers with malware activity. FEP surfaces computers with the following infection states:
      • Infected – Computers where FEP could not fully mitigate a malware instance.
      • Restart\Full scan required – Computers where FEP mitigated a malware incident but requires additional action in order to complete the mitigation.
      • Recent activity – Computers where malware was detected and successfully mitigated (within the last 24 hours).
   5. Definition status: Enables administrators to drill down into computers which failed to update their FEP definitions.
   6. Policy distribution: Enables administrators to drill down into computers where Configuration Manager failed to distribute FEP policy.
   7. FEP baselines: Presents administrators with a quick compliance view into the FEP baselines.
      • Tip: Administrators may create their own DCM baselines and use FEP Configuration Items (CIs). In order to add (or remove) baselines to the FEP dashboard, a “FEP” category should be added (or removed) to the baseline.
      • Note: The FEP dashboard is built on top of Configuration Manager collections. Each of the hyperlinks in the FEP dashboard leads to a collection which holds the actual computers sharing the same symptom.

Ziv Rafalovich,
Senior Program Manager

Comments

• Anonymous
  January 01, 2003
  The dashboard data is a result of WSQL queries that run every hour. These queries essentially sort the machines into the different FEP Collections based on the FEP data uploaded by the ConfigMgr client. There is no setting to determine a timeframe because there isn’t a timeframe. It’s real-time in the sense that every hour the database is queried and machines are moved based on their relative data.

• Anonymous
  January 01, 2003
  Hi Folks, Thanks for the comments! A client computer ends up in the Locally Removed collection as a result of FEP being advertised to the client, the client reports success, but the Configuration Manager inventory process returns results that do not include FEP. You can verify the inventory result by right-clicking a computer, point to Start, and then click Resource Explorer. If the inventory data does indeed report no FEP installed on the client, you should investigate just how the FEP client software got uninstalled on each client computer. This could be an action of the user, you may have other antimalware software that is removing the FEP client software, or there could be malware doing the uninstall. If the problem continues, I suggest you open a support case by using one of the resources:support.microsoft.com/.../default.aspx . You can also ask further questions via the Forefront Endpoint Protection forum, where MVPs as well as Microsoft folks answer questions… (social.technet.microsoft.com/.../fcsnext)

• Anonymous
  January 06, 2011
  All of the computers that SCCM has deployed FEP to in my environment show up under the Locally Removed collection.  The only client that shows up as being installed is the one I did manually.

• Anonymous
  January 07, 2011
  Me too.  I had the eval version of FEP installed on sccm I've since uninstalled just the client from the sccm server and manually reinstalled the RTM client. When I deploy FEP to the clients they show up in the Locally Removed collection.

• Anonymous
  January 23, 2013
  Hello - Can anyone tell me how current is the dashboard data, is it real-time or span of over a few days, etc.?  Second question is (depending on the answer to the first question), where is the  setting to set the timeframe data on the dashboard? Thanks.