Microsoft Forefront Endpoint Protection 2010 (Server)

This template allows you to monitor the status of Microsoft Forefront Endpoint Protection (FEP) 2010 Server installed on a Windows machine by using PowerShell and Service monitors.

Prerequisites: WinRM must be installed and properly configured on the target server, and the SAM server must have WMI access to the target server.

Configuring Windows Remote Management (WinRM)

1. If not already done, install PowerShell 2.0 and WinRM on the APM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.

2. On the SAM server, open a command prompt as an administrator. To do this, perform the following step:

  • Go to the Start menu, right-click cmd.exe, and then select Run as Administrator.

3. Enter the following in the command prompt:

winrm quickconfig -q
winrm set winrm/config/client @{TrustedHosts="*"}

4. On the target server, open a command prompt as an Administrator and enter the following:

winrm quickconfig
winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

where IP_ADDRESS is the IP address of your APM server.
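The steps above set TrustedHosts to "*" on the SAM server, which lets the WinRM client authenticate by address (NTLM or Basic) to any host. The following is an added example, not part of the SolarWinds template or of Microsoft's documentation, showing the same configuration done from PowerShell with TrustedHosts limited to the peer that actually needs it, plus the checks a practitioner would run before assigning the template. The address 192.0.2.10 and the function names are constructed for the example.

```powershell
# Added example (not from the SolarWinds template). Run from an elevated
# PowerShell prompt on the target FEP server; the addresses are placeholders.

function Set-WinRmTrustedHost {
    param([Parameter(Mandatory = $true)][string]$SamServer)

    # Same effect as "winrm quickconfig -q": start the WinRM service, create
    # the default HTTP listener and add the firewall exception.
    winrm quickconfig -q

    # Quick-start setting, shown only for comparison: any host may use
    # address-based (NTLM/Basic) authentication against this client.
    #   winrm set winrm/config/client '@{TrustedHosts="*"}'

    # Tighter equivalent of step 4: trust only the SAM server. TrustedHosts is
    # consulted only for non-Kerberos connections, so domain members that
    # authenticate with Kerberos do not need the wildcard at all.
    # -Concatenate appends to entries other tooling already added.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $SamServer -Concatenate -Force
}

function Show-WinRmConfig {
    # Report what is actually configured after the change.
    (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
    # Listeners (address/transport) and whether they are enabled.
    Get-ChildItem -Path WSMan:\localhost\Listener | Format-Table Keys, Enabled -AutoSize
    # Authentication methods accepted on the service side; Basic should stay false.
    Get-ChildItem -Path WSMan:\localhost\Service\Auth | Format-Table Name, Value -AutoSize
}

# Run this one from the SAM server after the target is configured: it confirms
# the target answers WS-Man (TCP 5985 by default) before the template is assigned.
function Test-WinRmTarget {
    param([Parameter(Mandatory = $true)][string]$TargetServer)
    Test-WSMan -ComputerName $TargetServer -ErrorAction Stop
}

Set-WinRmTrustedHost -SamServer '192.0.2.10'   # constructed placeholder: your SAM server
Show-WinRmConfig
# On the SAM server:  Test-WinRmTarget -TargetServer '192.0.2.20'
```

Test-WSMan fails with a clear error when the listener or firewall exception is missing, which is easier to diagnose than a monitor that simply reports Undefined after the template is applied.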

Credentials: Administrator on the target server.

Each PowerShell monitor uses the same argument.

For Example:

S01

where S01 is the 3-character site code of the site where FEP is installed (the code you provide during installation of Microsoft System Center Configuration Manager (SCCM)).

Note: You must specify the correct arguments for each monitored component in the Script Arguments field. If you fail to do this, the monitor will return with a status error of "Undefined."

Component Monitors

Deployment Status

This monitor returns the deployment status of FEP. The returned values are as follows:

Deployment Succeeded - This component returns the number of computers with FEP clients deployed. The value returned should be as high as possible. You should set thresholds according to your requirements.

Out of Date - This component returns the number of computers for which the reported FEP version is older than the one installed at the server.

Deployment Failed - This component returns the current number of operations queued and waiting on a read lock. The returned value should be as low as possible.

Deployment Pending - This component returns the number of computers for which an active Configuration Manager software distribution advertisement is trying to install the FEP client.

Locally Removed - This component returns the number of computers where the FEP client was locally removed, either by a user with local administrator permission or by some other software (e.g. malware). The returned value should be as low as possible.

Not Targeted - This component returns the number of computers in your organization to which the client software was not targeted. The returned value should be as low as possible.

Policy Distribution Status

This monitor returns FEP policy distribution status. The returned values are as follows:

Distribution Failed - This component returns the number of computers to which a policy could not be deployed. The returned value should be as low as possible.

Distribution Pending - This component returns the number of computers to which a policy is in the process of being deployed.

Policy Distributed - This component returns the number of computers to which a policy was successfully deployed.

Definition Status

This monitor returns the definition status of FEP. The returned values are as follows:

Up to Date - This component returns the number of client computers with up-to-date definitions. The returned value should be as high as possible.

Up to 3 Days - This component returns the number of client computers with definitions that are up to three days old. The returned value should be as low as possible.

Up to 7 Days - This component returns the number of client computers with definitions that are up to seven days old. The returned value should be as low as possible.

Older Than 1 Week - This component returns the number of client computers with definitions more than one week old. The returned value should be as low as possible.

Malware Activity Status

This monitor returns the malware activity status of FEP. The returned values are as follows:

Infected - This component returns the number of computers on which the FEP client software has detected active malware. The returned value should be as low as possible.

Restart Required - This component returns the number of computers running the FEP client software that require a restart in order to complete malware cleaning.

Full Scan Required - This component returns the number of computers running the FEP client software that require a full scan.

Recent Malware Activity - This component returns the number of computers on which the FEP client software detected and cleaned malware within the last 24 hours.

Health Status

This monitor returns the health status of FEP. The returned values are as follows:

Protection Service Off - This component returns the number of computers on which the FEP antimalware service is turned off. The returned value should be as low as possible.

Not Reporting - This component returns the number of computers to which the FEP client has been deployed but which have not sent a status report back to the Configuration Manager server in the past 14 days. The returned value should be as low as possible.

Healthy - This component returns the number of computers running the FEP client software that have sent a status report back to the Configuration Manager server in the past 14 days.

Service: Forefront Endpoint Protection Monitoring

This monitor returns the CPU and memory usage of the Forefront Endpoint Protection Monitoring service. This service monitors security events from computers that are protected by Microsoft Forefront Endpoint Protection.
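The note earlier on the page says a monitor whose Script Arguments field does not carry the site code returns "Undefined", and this section describes a service whose CPU and memory usage is monitored. The script below is an added example, not the template's own monitor script, that ties the two together: it validates the site-code argument in the way the template requires, then reports the service's resource usage in the Statistic/Message output format that SAM PowerShell monitors use. It assumes SAM passes the Script Arguments field positionally as the first argument, that exit code 0 maps to Up, 1 to Down and other values to Unknown/Undefined, and that the service's display name is exactly "Forefront Endpoint Protection Monitoring"; all three are assumptions, not details taken from the page.

```powershell
# Added example (not the SolarWinds template's script). Assumptions: SAM passes
# the Script Arguments field as the first positional argument; exit 0 = Up,
# 1 = Down, other values = Unknown/Undefined; the display name below matches
# the installed FEP 2010 server service.
param([string]$SiteCode)

$ServiceDisplayName = 'Forefront Endpoint Protection Monitoring'  # assumed display name
$SampleSeconds = 5                                                # CPU sampling window

function Write-Undefined([string]$Reason) {
    # Report the reason in the monitor's message and leave the statistic at 0.
    Write-Output "Message.SiteCode: $Reason"
    Write-Output "Statistic.SiteCode: 0"
    exit 4
}

# The template requires a 3-character SCCM site code (for example S01);
# anything else makes the monitor report Undefined instead of a wrong number.
if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
    Write-Undefined "Script argument must be the 3-character SCCM site code (got '$SiteCode')"
}

# Locate the service by display name and find the process hosting it.
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { Write-Undefined "Service '$ServiceDisplayName' not found on this host" }

if ($svc.State -ne 'Running' -or $svc.ProcessId -eq 0) {
    Write-Output "Message.ServiceState: $ServiceDisplayName is $($svc.State)"
    Write-Output "Statistic.ServiceState: 0"
    exit 1   # Down: the service is installed but not running
}

# Sample cumulative CPU time twice to turn it into a percentage of all cores.
$before = (Get-Process -Id $svc.ProcessId).TotalProcessorTime
Start-Sleep -Seconds $SampleSeconds
$proc = Get-Process -Id $svc.ProcessId
$cpuSeconds = ($proc.TotalProcessorTime - $before).TotalSeconds
$cpuPercent = [math]::Round(100 * $cpuSeconds / ($SampleSeconds * [Environment]::ProcessorCount), 2)
$memoryMB = [math]::Round($proc.WorkingSet64 / 1MB, 2)

Write-Output "Message.CPU: $ServiceDisplayName CPU percent over ${SampleSeconds}s (site $SiteCode)"
Write-Output "Statistic.CPU: $cpuPercent"
Write-Output "Message.Memory: $ServiceDisplayName working set in MB"
Write-Output "Statistic.Memory: $memoryMB"
exit 0
```

Thresholds for the CPU and Memory statistics are set on the component in SAM, as with the count-based components above; the script only has to keep emitting the same statistic names so the thresholds keep applying.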

Portions of this document were originally created by and are excerpted from the following sources:

Microsoft Corporation, "MSDN Library," Copyright 2012 Microsoft Corporation. All rights reserved. Available at http://msdn.microsoft.com/en-us/library/ee694763.aspx