Microsoft System Center 2012 Endpoint Protection Client

Version 1

    This template allows you to monitor the status of the System Center 2012 Endpoint Protection client installed on a Windows computer by using PowerShell and event monitors.


    Prerequisites: WinRM must be installed and properly configured on the target server, and the SAM server must have WMI access to the target server.

    Credentials: Windows Administrator on the target server.

    Monitored Components

    Note: Each event monitor returns the number of matching events, so the expected value is zero. A value other than zero means the condition occurred and may indicate an abnormality; if you believe one exists, examine the Windows System event log for the event details.

     

    Antimalware Health and Firewall Status

    This monitor returns the antimalware health and firewall status of the System Center 2012 Endpoint Protection client.

    Returned values:

          0 – Component is enabled.
          1 – Component is disabled.
          255 – Script cannot read the component status from WMI.

         This monitor returns the status of the following components:

         Antivirus Enabled – This component returns the status of the antivirus component.

         Antispyware Enabled – This component returns the status of the antispyware component.

         Protection Enabled – This component returns the status of the protection technology of System Center 2012 Endpoint Protection.

         Behavior Monitor Enabled – This component returns the status of the behavior monitor.

         NIS Enabled – This component returns the status of the Network Inspection System (NIS). 

     

    Antimalware Infection Status

    This monitor returns antimalware infection status of the System Center 2012 Endpoint Protection client.

    Returned values:

          0 – Action not required.
          1 – Action required.
          255 – Script cannot check the action status from WMI.

         This monitor returns the status of the following pending actions:

         Pending Full Scan – This component returns whether there is a need for a full scan due to a threat action.

         Pending Manual Steps – This component returns whether there is a need for manual steps due to a threat action.

         Pending Offline Scan – This component returns whether there is a need for an offline scan.

         Pending Reboot – This component returns whether there is a need for a reboot due to a threat action.
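    The two status monitors above read the client's state from WMI and map each flag to the 0 / 1 / 255 codes listed. The following PowerShell script is an added example written for this page, not the template's own monitor script. It runs on the monitored server (which is where the template executes its script over WinRM) and assumes the SCEP client's WMI namespace root\Microsoft\SecurityClient, the classes AntimalwareHealthStatus and AntimalwareInfectionStatus, and the Boolean property names in the two maps; confirm them on a client with Get-WmiObject -Namespace root\Microsoft\SecurityClient -List. The Statistic. output lines use the line format the SAM PowerShell monitor reads.

```powershell
# Added example for this page (not the template's own script). Run on the
# monitored server. ASSUMED: the namespace, class and property names below;
# verify with: Get-WmiObject -Namespace root\Microsoft\SecurityClient -List
$Namespace = 'root\Microsoft\SecurityClient'

# WMI property -> statistic name (statistic names kept free of spaces)
$HealthMap = @{
    'AntivirusEnabled'       = 'AntivirusEnabled'
    'AntispywareEnabled'     = 'AntispywareEnabled'
    'RtpEnabled'             = 'ProtectionEnabled'
    'BehaviorMonitorEnabled' = 'BehaviorMonitorEnabled'
    'NisEnabled'             = 'NisEnabled'
}
$InfectionMap = @{
    'PendingFullScan'    = 'PendingFullScan'
    'PendingManualSteps' = 'PendingManualSteps'
    'PendingOfflineScan' = 'PendingOfflineScan'
    'PendingReboot'      = 'PendingReboot'
}

function Get-StatusCodes {
    param(
        [string]$Class,
        [hashtable]$Map,
        # The Boolean that maps to code 0: $true for the health class
        # (component enabled), $false for the infection class (nothing pending)
        [bool]$GoodValue
    )
    $codes = @{}
    try {
        $obj = Get-WmiObject -Namespace $Namespace -Class $Class -ErrorAction Stop |
               Select-Object -First 1
        if ($obj -eq $null) { throw "no instance of $Class" }
    } catch {
        # 255: the status could not be read from WMI at all (namespace missing,
        # client not installed, WMI access denied, ...)
        foreach ($name in $Map.Values) { $codes[$name] = 255 }
        return $codes
    }
    foreach ($prop in $Map.Keys) {
        $value = $obj.$prop
        if ($value -eq $null) {
            $codes[$Map[$prop]] = 255          # property absent on this client build
        } elseif ([bool]$value -eq $GoodValue) {
            $codes[$Map[$prop]] = 0
        } else {
            $codes[$Map[$prop]] = 1
        }
    }
    return $codes
}

$health    = Get-StatusCodes -Class 'AntimalwareHealthStatus'    -Map $HealthMap    -GoodValue $true
$infection = Get-StatusCodes -Class 'AntimalwareInfectionStatus' -Map $InfectionMap -GoodValue $false

# One statistic per component; SAM reads "Statistic.<name>: <value>" lines
foreach ($name in $health.Keys)    { "Statistic.${name}: $($health[$name])" }
foreach ($name in $infection.Keys) { "Statistic.${name}: $($infection[$name])" }

# Thresholds on each statistic are set in the SAM component, so the script
# itself reports success; a quick count of non-zero codes is handy when run by hand
$bad = @(@($health.Values) + @($infection.Values) | Where-Object { $_ -ne 0 }).Count
"Message.Summary: $bad component(s) need attention"
exit 0
```

    Note that a missing property is reported as 255 rather than 1, so a client build that lacks (for example) the NIS flag does not show up as "NIS disabled".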

     

    Days Passed Since Last Definition Update

    This component monitor returns the number of days that have passed since the last definition update of the antivirus and antispyware modules. In the message field, this component returns the date of the last installed update.
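    The definition age comes from the same WMI health class; the dates there are CIM datetime strings that must be converted before any date arithmetic. The script below is an added example for this page, not the template's script. It assumes the AntimalwareHealthStatus class exposes AntivirusSignatureUpdateDateTime and AntispywareSignatureUpdateDateTime (CIM datetime strings such as 20140718093000.000000+000) together with AntivirusSignatureVersion and AntispywareSignatureVersion; it reports the older of the two update dates, since the client is only as current as its stalest definition set.

```powershell
# Added example for this page (not the template's own script).
# ASSUMED property names: AntivirusSignatureUpdateDateTime,
# AntispywareSignatureUpdateDateTime, AntivirusSignatureVersion,
# AntispywareSignatureVersion on root\Microsoft\SecurityClient:AntimalwareHealthStatus
function ConvertFrom-CimDateTime {
    param([string]$CimValue)
    if ([string]::IsNullOrEmpty($CimValue)) { return $null }
    # System.Management ships with PowerShell 2.0; result is local time
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($CimValue)
}

function Get-DefinitionAge {
    $obj = Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' `
                         -Class 'AntimalwareHealthStatus' -ErrorAction Stop |
           Select-Object -First 1
    $av = ConvertFrom-CimDateTime $obj.AntivirusSignatureUpdateDateTime
    $as = ConvertFrom-CimDateTime $obj.AntispywareSignatureUpdateDateTime

    # Report on the OLDER of the two dates (the @() wrappers keep single
    # results as arrays under PowerShell 2.0)
    $dates = @(@($av, $as) | Where-Object { $_ -ne $null })
    if ($dates.Count -eq 0) { return $null }       # never updated or property missing
    $oldest = @($dates | Sort-Object)[0]
    $days   = [int][math]::Floor(((Get-Date) - $oldest).TotalDays)
    return New-Object PSObject -Property @{
        Days               = $days
        LastUpdate         = $oldest
        AntivirusVersion   = $obj.AntivirusSignatureVersion
        AntispywareVersion = $obj.AntispywareSignatureVersion
    }
}

$age = Get-DefinitionAge
if ($age -eq $null) {
    # Same convention as the status monitors: 255 means "could not be read"
    "Statistic.DaysSinceUpdate: 255"
    "Message.DaysSinceUpdate: no definition update date available from WMI"
} else {
    "Statistic.DaysSinceUpdate: $($age.Days)"
    "Message.DaysSinceUpdate: last update $($age.LastUpdate.ToString('yyyy-MM-dd HH:mm')) (AV $($age.AntivirusVersion), AS $($age.AntispywareVersion))"
}
exit 0
```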

     

    Microsoft Antimalware Service

    This monitor returns the CPU and memory usage of the Microsoft Antimalware Service. This service helps protect users from malware and other potentially unwanted software.
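    Measuring a service's CPU and memory means finding the process that hosts it and sampling it over an interval, because a single reading of processor time says nothing about current load. The script below is an added example for this page, not the template's monitor. It assumes the Microsoft Antimalware Service is registered under the service name MsMpSvc (check with Get-Service | Where-Object { $_.DisplayName -like '*Antimalware*' }) and uses Win32_Service to obtain the PID, which Get-Service does not expose.

```powershell
# Added example for this page (not the template's own monitor).
# ASSUMED: service name 'MsMpSvc' for the Microsoft Antimalware Service.
function Get-ServiceUsage {
    param(
        [string]$ServiceName   = 'MsMpSvc',
        [int]   $SampleSeconds = 5
    )
    # Win32_Service carries the PID that hosts the service
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if ($svc -eq $null) { throw "service '$ServiceName' not found" }
    if ($svc.State -ne 'Running' -or $svc.ProcessId -eq 0) {
        return New-Object PSObject -Property @{
            State = $svc.State; ProcessId = 0; CpuPercent = $null; WorkingSetMB = $null
        }
    }

    # CPU% needs two samples: processor time consumed over a known interval,
    # normalised by the number of logical processors
    $t0 = (Get-Process -Id $svc.ProcessId).TotalProcessorTime
    Start-Sleep -Seconds $SampleSeconds
    $proc       = Get-Process -Id $svc.ProcessId
    $cpuSeconds = ($proc.TotalProcessorTime - $t0).TotalSeconds
    $cpuPercent = [math]::Round(100 * $cpuSeconds / ($SampleSeconds * [int]$env:NUMBER_OF_PROCESSORS), 1)

    return New-Object PSObject -Property @{
        State        = $svc.State
        ProcessId    = $svc.ProcessId
        CpuPercent   = $cpuPercent
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
    }
}

$u = Get-ServiceUsage
"Statistic.CpuPercent: $($u.CpuPercent)"
"Statistic.WorkingSetMB: $($u.WorkingSetMB)"
"Message.CpuPercent: service $($u.State), PID $($u.ProcessId)"
exit 0
```

    A stopped service is reported with empty statistics rather than zeros, so "no load" and "not running" stay distinguishable in SAM.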

     

    Event: Scan encountered error and stopped

    This monitor returns the number of events in which a System Center 2012 Endpoint Protection scan encountered an error and stopped.

         Event ID: 1005.

         This error record includes the scan ID, type of scan (antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error. Try to run the scan again. If it fails in the same way, look up the error code.

     

    Event: Malware or other potentially unwanted software detected

    This monitor returns the number of events in which System Center 2012 Endpoint Protection detected malware or other potentially unwanted software.

         Event ID: 1116.

         No user action is required. System Center 2012 Endpoint Protection can suspend and take routine action on this threat. To remove the threat manually, in the System Center 2012 Endpoint Protection interface, click Clean Computer.

     

    Events: Error when taking action on malware

    This monitor returns the number of events in which System Center 2012 Endpoint Protection encountered a non-critical error (event ID 1118) or a critical error (event ID 1119) when taking action on malware or other potentially unwanted software.

         Event ID: 1118, 1119.

         Perform a signature update and then verify that the quarantine succeeded and that the user has permission to access the necessary resources.

     

    Events: Error during signature or engine updating

    This monitor returns the number of events in which System Center 2012 Endpoint Protection encountered an error trying to update signatures (event ID 2001) or the engine (event ID 2003).

         Event ID: 2001, 2003.

         If you are having problems updating definitions, the following steps can help:

    1. Ensure your configuration for definition updates is correct.
    2. Check your WSUS configuration settings.
    3. Try to update the definitions manually by downloading the full definition files.

         If you are having problems updating the engine, the following steps can help:

    1. Restart the computer and try again.
    2. Check the configuration of definition updates.
    3. Manually download the latest definitions from the Microsoft Malware Protection Center.

     

    Event: Error during signature reverting

    This monitor returns the number of events in which System Center 2012 Endpoint Protection encountered an error trying to load signatures and attempted to revert to a known-good set of signatures.

         Event ID: 2004.

         This error can occur if System Center 2012 Endpoint Protection encountered an error while trying to load the definitions or if the definition file is corrupt. System Center 2012 Endpoint Protection will attempt to revert to a known-good set of definitions. You should restart the computer and check the configuration of definition updates.

     

    Event: Error using the Dynamic Signature Service

    This monitor returns the number of events in which System Center 2012 Endpoint Protection encountered an error trying to use the Dynamic Signature Service.

         Event ID: 2012.

         This error is likely caused by a network connectivity issue. Check your Internet connectivity settings.

     

    Event: Real-Time Protection feature error

    This monitor returns the number of events in which the System Center 2012 Endpoint Protection Real-Time Protection feature encountered an error and failed.

         Event ID: 3002.

         Try to restart the following two services: Antimalware engine and NIS engine.

     

    Event: Client engine terminated due to error

    This monitor returns the number of events in which the System Center 2012 Endpoint Protection engine was terminated due to an unexpected error.

         Event ID: 5008.

         Try to restart the following two services: Antimalware engine and NIS engine.
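    All of the event monitors above (IDs 1005, 1116, 1118, 1119, 2001, 2003, 2004, 2012, 3002 and 5008) are the same operation: count entries per event ID over a time window. The script below is an added example for this page, not the template's own monitor logic. It assumes the SCEP 2012 client writes these events to the System log under the provider name Microsoft Antimalware (verify with Get-WinEvent -ListProvider 'Microsoft Antimalware'), queries all IDs in one call, and attaches the first line of the newest event to each non-zero count so that, for example, a 1116 detection shows the threat name without a trip to the event viewer.

```powershell
# Added example for this page (not the template's own monitor).
# ASSUMED: log name 'System' and provider name 'Microsoft Antimalware'.
$Monitors = @{
    'ScanError'        = @(1005)
    'MalwareDetected'  = @(1116)
    'ActionError'      = @(1118, 1119)
    'UpdateError'      = @(2001, 2003)
    'SignatureRevert'  = @(2004)
    'DssError'         = @(2012)
    'RtpError'         = @(3002)
    'EngineTerminated' = @(5008)
}

function Get-ScepEventCounts {
    param([int]$Hours = 24)
    # One query for every ID, then bucket the results by monitor
    $allIds = @($Monitors.Values | ForEach-Object { $_ })
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft Antimalware'
        Id           = $allIds
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent reports "no events" as an error; that is a clean zero.
        # Anything else (access denied, log missing) must surface, not be
        # silently counted as zero.
        if ($_.Exception.Message -match 'No events were found') { $events = @() }
        else { throw }
    }

    $result = @{}
    foreach ($name in $Monitors.Keys) {
        $ids    = $Monitors[$name]
        $hits   = @($events | Where-Object { $ids -contains $_.Id })
        $latest = $null
        if ($hits.Count -gt 0) {
            # Get-WinEvent returns newest first; keep the first line of its message
            $latest = ($hits[0].Message -split "`r?`n")[0]
        }
        $result[$name] = New-Object PSObject -Property @{ Count = $hits.Count; Latest = $latest }
    }
    return $result
}

$counts = Get-ScepEventCounts -Hours 24
foreach ($name in $counts.Keys) {
    "Statistic.${name}: $($counts[$name].Count)"
    if ($counts[$name].Latest) { "Message.${name}: $($counts[$name].Latest)" }
}
exit 0
```

    The distinction in the catch block matters operationally: a script that cannot read the log at all must not report zero events, or a failed monitor looks identical to a healthy client.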

     

    Configuring Windows Remote Management (WinRM)

    1. If not already done, install PowerShell 2.0 and WinRM on the SAM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
    2. On the SAM server, open a command prompt as an administrator: go to the Start menu, right-click cmd.exe, and then select Run as Administrator.
    3. Enter the following in the command prompt:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="*"}
    4. On the target server, open a command prompt as an administrator and enter the following:
             winrm quickconfig
             winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}

    where IP_ADDRESS is the IP address of your SAM server.

    Note: TrustedHosts="*" makes the WinRM client on the SAM server willing to authenticate to any host, including one impersonating a monitored server, so prefer listing the monitored servers explicitly as a comma-separated list of names or addresses. TrustedHosts only applies to connections that cannot use Kerberos, such as connecting by IP address or to a non-domain computer; domain-joined servers addressed by name authenticate with Kerberos and need no entry.
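    The same configuration in PowerShell, with an explicit TrustedHosts list and an end-to-end check that the SCEP WMI class is readable through WinRM, is shown below. This is an added example for this page, not part of the original procedure; $SamServer and $Target are placeholder addresses, the script must run elevated, and the -Role parameter selects which side of the connection it configures.

```powershell
# Added example for this page (not part of the original procedure).
# Placeholders: $SamServer and $Target are assumed addresses. Run elevated.
param([ValidateSet('Target', 'SamServer')][string]$Role = 'Target')

$SamServer = '192.0.2.10'            # placeholder: SAM server
$Target    = 'srv01.example.local'   # placeholder: monitored server

function Set-WinRmTrustedHosts {
    # Enables the listener and replaces TrustedHosts with an explicit list
    # instead of "*"
    param([string[]]$Hosts)
    winrm quickconfig -q | Out-Null
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($Hosts -join ',') -Force
    "TrustedHosts is now: " + (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
}

function Test-ScepMonitoringPath {
    # Confirms (1) WS-Man answers and (2) the SCEP WMI class is readable
    # through a WinRM session, which is exactly what the template relies on
    param([string]$ComputerName)
    Test-WSMan -ComputerName $ComputerName -ErrorAction Stop | Out-Null
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-WmiObject -Namespace 'root\Microsoft\SecurityClient' -Class AntimalwareHealthStatus |
            Select-Object AntivirusEnabled, AntispywareEnabled, RtpEnabled, NisEnabled
    }
}

switch ($Role) {
    'Target'    { Set-WinRmTrustedHosts -Hosts @($SamServer) }      # trust only the SAM server
    'SamServer' {
        Set-WinRmTrustedHosts -Hosts @($Target)                     # trust only monitored servers
        Test-ScepMonitoringPath -ComputerName $Target
    }
}
```

    If Test-WSMan succeeds but Invoke-Command returns nothing, the WinRM path is fine and the problem is on the WMI side (client not installed, or the credential lacks access to the namespace), which is the distinction the 255 code in the status monitors reports.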

     

    Portions of this document are based on the following document: Microsoft Antimalware located at http://azure.microsoft.com/blog/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download/

    Last updated: 7/18/2014