This template allows you to monitor the status of the System Center 2012 Endpoint Protection client installed on a Windows computer by using PowerShell and event monitors.
Prerequisites: WinRM must be installed and properly configured on the target server, and the SAM server must have WMI access to the target server.
Credentials: Windows Administrator on the target server.
Monitored Components
Note: All event monitors should return values of zero. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, you should examine the Windows system log for details.
Antimalware Health and Firewall Status
This monitor returns the antimalware health and firewall status of the System Center 2012 Endpoint Protection client.
Returned values:
0 – Service is enabled.
1 – Service is disabled.
255 – Script cannot check the service status from WMI.
This monitor returns a separate value for each of the following components:
Antivirus Enabled – This component returns the status of the antivirus component.
Antispyware Enabled – This component returns the status of the antispyware component.
Protection Enabled – This component returns the status of System Center 2012 Endpoint Protection protection technology.
Behavior Monitor Enabled – This component returns the status of the behavior monitor.
NIS Enabled – This component returns the status of the Network Inspection System (NIS).
Antimalware Infection Status
This monitor returns antimalware infection status of the System Center 2012 Endpoint Protection client.
Returned values:
0 – Action not required.
1 – Action required.
255 – Script cannot check the action status from WMI.
This monitor returns a separate value for each of the following conditions:
Pending Full Scan – This component returns whether there is a need for a full scan due to a threat action.
Pending Manual Steps – This component returns whether there is a need for manual steps due to a threat action.
Pending Offline Scan – This component returns whether there is a need for an offline scan.
Pending Reboot – This component returns whether there is a need for a reboot due to a threat action.
Days passed from last definition update
This component monitor returns the number of days that have passed since the last definition update of the antivirus and antispyware modules. In the message field, it returns the date of the last installed update.
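The three WMI-backed monitors above (health and firewall status, infection status, and definition age) reduce to one query pattern. The PowerShell below is an added example, not code from the SAM template or from Microsoft. It assumes that the client exposes the AntimalwareHealthStatus and AntimalwareInfectionStatus classes in the root\Microsoft\SecurityClient namespace with properties named after the components listed above (RtpEnabled is assumed to be the "Protection Enabled" component), and it applies the template's 0/1/255 convention, returning 255 whenever a value cannot be read rather than letting a failed query look healthy.

```powershell
# Added example; not code from the SAM template or from Microsoft.
# Assumptions: the SCEP 2012 client exposes the AntimalwareHealthStatus and
# AntimalwareInfectionStatus classes in the root\Microsoft\SecurityClient WMI
# namespace, and the caller has WMI access with Windows Administrator rights.
function Get-ScepClientStatus {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )

    $wmi = @{
        ComputerName = $ComputerName
        Namespace    = 'root\Microsoft\SecurityClient'   # assumed namespace
        ErrorAction  = 'Stop'
    }
    # Get-WmiObject rejects -Credential for the local computer, so only pass it remotely.
    if ($Credential -and $ComputerName -ne $env:COMPUTERNAME) { $wmi.Credential = $Credential }

    # Template convention: 0 = enabled / no action required,
    # 1 = disabled / action required, 255 = value could not be read from WMI.
    function Enabled($value)  { if ($null -eq $value) { 255 } elseif ($value) { 0 } else { 1 } }
    function Required($value) { if ($null -eq $value) { 255 } elseif ($value) { 1 } else { 0 } }

    # If the query fails, $health stays $null and every property read below yields
    # $null, which the helpers turn into 255.
    try   { $health = Get-WmiObject @wmi -Class AntimalwareHealthStatus }
    catch { Write-Warning "AntimalwareHealthStatus query failed: $_"; $health = $null }

    # Zero or more instances (one per outstanding detection). No instances means
    # nothing is pending; a failed query means "unknown" and must not read as healthy.
    $infectionQueryOk = $true
    try   { $infections = @(Get-WmiObject @wmi -Class AntimalwareInfectionStatus) }
    catch { Write-Warning "AntimalwareInfectionStatus query failed: $_"; $infections = @(); $infectionQueryOk = $false }

    function Pending($property) {
        if (-not $infectionQueryOk) { return 255 }
        $hits = @($infections | Where-Object { $_.$property })
        Required ($hits.Count -gt 0)
    }

    # Definition age: WMI returns DMTF datetime strings (yyyymmddHHMMSS.ffffff+UTC);
    # report the older of the antivirus and antispyware update times.
    function ToDateTime($dmtf) {
        if (-not $dmtf) { return $null }
        try   { [System.Management.ManagementDateTimeConverter]::ToDateTime($dmtf) }
        catch { [datetime]$dmtf }
    }
    $lastUpdate = @(
        ToDateTime $health.AntivirusSignatureUpdateDateTime
        ToDateTime $health.AntispywareSignatureUpdateDateTime
    ) | Where-Object { $_ } | Sort-Object | Select-Object -First 1
    $ageDays = if ($lastUpdate) { [int][math]::Floor(((Get-Date) - $lastUpdate).TotalDays) } else { 255 }

    [pscustomobject]@{
        ComputerName           = $ComputerName
        AntivirusEnabled       = Enabled $health.AntivirusEnabled
        AntispywareEnabled     = Enabled $health.AntispywareEnabled
        ProtectionEnabled      = Enabled $health.RtpEnabled          # assumed: real-time protection
        BehaviorMonitorEnabled = Enabled $health.BehaviorMonitorEnabled
        NisEnabled             = Enabled $health.NisEnabled
        PendingFullScan        = Pending 'PendingFullScan'
        PendingManualSteps     = Pending 'PendingManualSteps'
        PendingOfflineScan     = Pending 'PendingOfflineScan'
        PendingReboot          = Pending 'PendingReboot'
        DefinitionAgeDays      = $ageDays
        LastDefinitionUpdate   = $lastUpdate
    }
}

# Usage (any value of 1 or 255 is worth an alert; 255 means the data could not be read):
# $status = Get-ScepClientStatus -ComputerName 'scep-client01' -Credential (Get-Credential)
# $status | Format-List
```

The two query failures are handled separately on purpose: a health query that succeeds while the infection query fails should still report the five component flags, but the four pending flags must come back as 255, not 0, because "no instances" and "could not ask" are different states.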
Microsoft Antimalware Service
This monitor returns the CPU and memory usage of the Microsoft Antimalware Service. This service helps protect users from malware and other potentially unwanted software.
Event: Scan encountered error and stopped
This monitor returns the number of events in which a System Center 2012 Endpoint Protection scan has encountered an error and stopped.
Event ID: 1005.
This error record includes the scan ID, the type of scan (antivirus, antispyware, antimalware), the scan parameters, the user who started the scan, the error code, and a description of the error. Try to run the scan again. If it fails in the same way, look up the error code.
Event: Malware or other potentially unwanted software detected
This monitor returns the number of events in which System Center 2012 Endpoint Protection has detected malware or other potentially unwanted software.
Event ID: 1116.
No user action is required: System Center 2012 Endpoint Protection can suspend the threat and take routine action on it. To remove the threat manually, click Clean Computer in the System Center 2012 Endpoint Protection interface.
Events: Error when taking action on malware
This monitor returns the number of events in which System Center 2012 Endpoint Protection has encountered a non-critical (1118) or critical (1119) error when taking action on malware or other potentially unwanted software.
Event ID: 1118, 1119.
Perform a signature update, and then verify that the quarantine succeeded and that the user has permission to access the necessary resources.
Events: Error during signature or engine updating
This monitor returns the number of events in which System Center 2012 Endpoint Protection has encountered an error while trying to update signatures or the engine.
Event ID: 2001, 2003.
If you are having problems updating definitions, the following steps can help:
- Ensure your configuration for definition updates is correct.
- Check your WSUS configuration settings.
- Try to update the definitions manually by downloading the full definitions files.
If you are having problems updating the engine, the following steps can help:
- Restart the computer and try again.
- Check the configuration of definition updates.
- Manually download the latest definitions from the Microsoft Malware Protection Center.
Event: Error during signature reverting
This monitor returns the number of events in which System Center 2012 Endpoint Protection has encountered an error while trying to load signatures and will attempt to revert to a known-good set of signatures.
Event ID: 2004.
This error can occur if System Center 2012 Endpoint Protection has encountered an error while trying to load the definitions or if the definition file is corrupt. System Center 2012 Endpoint Protection will attempt to revert to a known-good set of definitions. You should restart the computer and check the configuration of definition updates.
Event: Error using the Dynamic Signature Service
This monitor returns the number of events in which System Center 2012 Endpoint Protection has encountered an error while trying to use the Dynamic Signature Service.
Event ID: 2012.
This error is likely caused by a network connectivity issue. Check your Internet connectivity settings.
Event: Real-Time Protection feature error
This monitor returns the number of events when the System Center 2012 Endpoint Protection Real-Time Protection feature has encountered an error and failed.
Event ID: 3002.
Try restarting the following two services: the antimalware engine and the NIS engine.
Event: Client engine terminated due to error
This monitor returns the number of events when the System Center 2012 Endpoint Protection engine has been terminated due to an unexpected error.
Event ID: 5008.
Try restarting the following two services: the antimalware engine and the NIS engine.
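All of the event monitors above are the same operation: count events with a given ID over a window and treat anything other than zero as a signal. The PowerShell below is an added example, not code from the SAM template or from Microsoft; it assumes the System Center 2012 Endpoint Protection client writes its events to the System log under the provider name "Microsoft Antimalware", and it reports every monitor in one pass with the first line of the newest matching message so the scan ID, threat name or error code is visible without opening Event Viewer.

```powershell
# Added example; not code from the SAM template. Assumption: the SCEP 2012
# client logs to the System event log under the provider "Microsoft Antimalware".
function Get-ScepEventCounts {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential,
        [int]$Hours = 24
    )

    # The event IDs watched above, grouped the way the template groups them.
    $monitors = [ordered]@{
        'Scan encountered error and stopped'        = @(1005)
        'Malware or unwanted software detected'     = @(1116)
        'Error when taking action on malware'       = @(1118, 1119)
        'Error during signature or engine updating' = @(2001, 2003)
        'Error during signature reverting'          = @(2004)
        'Error using Dynamic Signature Service'     = @(2012)
        'Real-Time Protection feature error'        = @(3002)
        'Client engine terminated due to error'     = @(5008)
    }

    $filter = @{
        LogName      = 'System'                  # assumed log
        ProviderName = 'Microsoft Antimalware'   # assumed provider name
        Id           = [int[]]($monitors.Values | ForEach-Object { $_ })
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "No events were found" as an error; suppress it so an
    # empty result is a clean zero rather than an exception.
    $params = @{ FilterHashtable = $filter; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $params.ComputerName = $ComputerName
        if ($Credential) { $params.Credential = $Credential }
    }
    $events = @(Get-WinEvent @params)

    foreach ($name in $monitors.Keys) {
        $ids  = $monitors[$name]
        $hits = @($events | Where-Object { $ids -contains $_.Id } | Sort-Object TimeCreated -Descending)
        $latest = $null
        if ($hits.Count -gt 0) {
            # First line of the newest message: enough to see scan ID, threat name or error code.
            $latest = ($hits[0].Message -split "`r?`n")[0]
        }
        [pscustomobject]@{
            Monitor  = $name
            EventIds = ($ids -join ', ')
            Count    = $hits.Count     # template convention: 0 is healthy
            Latest   = $latest
        }
    }
}

# Usage:
# Get-ScepEventCounts -ComputerName 'scep-client01' -Hours 24 | Format-Table -AutoSize
```

One query is made for all IDs and the grouping is done locally, so the cost does not grow with the number of monitors; on a busy server, widen or narrow the window with -Hours rather than issuing one Get-WinEvent call per event ID.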
Configuring Windows Remote Management (WinRM)
- If you have not already done so, install PowerShell 2.0 and WinRM on the SAM and target servers. PowerShell 2.0 can be found here: http://support.microsoft.com/kb/968930.
- On the SAM server, open a command prompt as an administrator: go to the Start menu, right-click cmd.exe, and then select Run as Administrator.
- Enter the following in the command prompt:
winrm quickconfig
winrm set winrm/config/client @{TrustedHosts="*"}
- On the target server, open a command prompt as an Administrator and enter the following:
winrm quickconfig
winrm set winrm/config/client @{TrustedHosts="IP_ADDRESS"}
where IP_ADDRESS is the IP address of your SAM server.
Note: TrustedHosts is a WinRM client setting. It lists the remote hosts to which this computer will send credentials over non-Kerberos authentication (NTLM or Basic); it does not control who may connect inbound. Setting it to "*" on the SAM server means the SAM server will authenticate to any host it is pointed at, so on production systems list the monitored servers explicitly instead of using "*". Domain-joined servers reached by their host name authenticate with Kerberos and need no TrustedHosts entry at all; the entry is only required when connecting by IP address or to a workgroup machine.
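The same setup from an elevated PowerShell prompt, as an added example that is not part of the SAM template. It replaces the wildcard TrustedHosts with an explicit list on the SAM server, verifies each target with Test-WSMan, and on the target restricts the inbound WinRM firewall rule to the SAM server's address, which is what actually limits who can reach the listener. The host names, the 10.0.0.5 address and the function names are assumptions for illustration; Set-NetFirewallRule requires Windows Server 2012 or later.

```powershell
# Added example; not from the SAM template. Host names, the 10.0.0.5 address
# and the function names are assumptions for illustration.

# --- On the SAM server (elevated PowerShell prompt) ---
function Set-SamWinRmClient {
    param([string[]]$MonitoredServers)

    # Same effect as "winrm quickconfig": starts WinRM, creates the HTTP listener,
    # and opens the firewall for it. On PowerShell 3+ add -SkipNetworkProfileCheck
    # if a network adapter is categorized as Public.
    Enable-PSRemoting -Force

    # TrustedHosts is a client-side list of hosts this machine will send credentials
    # to over NTLM/Basic. "*" would trust anyone; list the monitored targets instead.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($MonitoredServers -join ',') -Force

    # Verify each target answers WS-Management before adding it to SAM.
    foreach ($target in $MonitoredServers) {
        try   { $r = Test-WSMan -ComputerName $target -ErrorAction Stop; "$target OK ($($r.ProductVersion))" }
        catch { "$target FAILED: $($_.Exception.Message)" }
    }
    Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value
}

# --- On each target server (elevated PowerShell, Windows Server 2012 or later) ---
function Set-TargetWinRmListener {
    param([string]$SamServerIp)

    Enable-PSRemoting -Force

    # Inbound access is governed by the firewall rule, not by TrustedHosts:
    # allow the WinRM listener to be reached only from the SAM server.
    Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -RemoteAddress $SamServerIp

    # Confirm the listener exists (Transport=HTTP, Address=*).
    Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
}

# Usage:
# Set-SamWinRmClient -MonitoredServers 'scep-client01.corp.example', '10.0.0.25'
# Set-TargetWinRmListener -SamServerIp '10.0.0.5'
```

Targets listed by host name in a domain are reached with Kerberos and would work without a TrustedHosts entry; the entry matters for the IP-address case, which is also the case where the credential is sent with NTLM and the explicit list, rather than "*", is what stops the SAM server from authenticating to an attacker-controlled address.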
Portions of this document are based on the following document: Microsoft Antimalware located at http://azure.microsoft.com/blog/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download/
Last updated: 7/18/2014