How to Monitor Endpoint Protection in Configuration Manager

Updated: May 14, 2015

Applies To: System Center 2012 R2 Endpoint Protection, System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 Endpoint Protection SP1, System Center 2012 Endpoint Protection, System Center 2012 R2 Configuration Manager SP1

You can monitor Endpoint Protection in your Microsoft System Center 2012 Configuration Manager hierarchy by using the System Center 2012 Endpoint Protection Status node in the Monitoring workspace, the Endpoint Protection node in the Assets and Compliance workspace, and by using reports.

How to Monitor Endpoint Protection by Using the System Center 2012 Endpoint Protection Status Node

  1. In the Configuration Manager console, click Monitoring.

  2. In the Monitoring workspace, click System Center 2012 Endpoint Protection Status.

  3. In the Collection list, select the collection for which you want to view status information.

    Important

    Collections are available for selection in the following cases:

    • When you select View this collection in the Endpoint Protection dashboard on the Alerts tab of the <collection name> Properties dialog box.

    • When you deploy an Endpoint Protection antimalware policy to the collection.

    • When you enable and deploy Endpoint Protection client settings to the collection.

  4. Review the information that is displayed in the Security State and Operational State sections. You can click any status link to create a temporary collection in the Devices node in the Assets and Compliance workspace. The temporary collection contains the computers with the selected status.

    Important

    Information that is displayed in the System Center 2012 Endpoint Protection Status node is based on the last data that was summarized from the Configuration Manager database and might not be current. If you want to retrieve the latest data, on the Home tab, click Run Summarization, or click Schedule Summarization to adjust the summarization interval.

How to Monitor Endpoint Protection in the Assets and Compliance Workspace

  1. In the Configuration Manager console, click Assets and Compliance.

  2. In the Assets and Compliance workspace, perform one of the following actions:

    • Click Devices. In the Devices list, select a computer, and then click the Malware Detail tab.

    • Click Device Collections. In the Device Collections list, select the collection that contains the computer you want to monitor and then, on the Home tab, in the Collection group, click Show Members.

  3. If you clicked Show Members, in the <collection name> list, select a computer, and then click the Malware Detail tab.

How to Monitor Endpoint Protection by Using Reports

Use the following reports to help you view information about Endpoint Protection in your hierarchy. You can also use these reports to help troubleshoot any Endpoint Protection problems. For more information about how to configure reporting in Configuration Manager, see Reporting in Configuration Manager. The Endpoint Protection reports are in the Endpoint Protection folder.

Report name                  Description

Antimalware Activity Report  Displays an overview of antimalware activity for a specified collection.

Infected Computers           Displays a list of computers on which a specified threat is detected.

Top Users By Threats         Displays a list of users with the highest number of detected threats.

User Threat List             Displays a list of threats that were found for a specified user account.

Malware Alert Levels

Use the following table to identify the different Endpoint Protection alert levels that might be displayed in reports, or in the Configuration Manager console.

Alert level    Description

Failed         Endpoint Protection failed to remediate the malware. Check your logs for details of the error.

               Note: For a list of Configuration Manager and Endpoint Protection log files, see the Endpoint Protection section in the Technical Reference for Log Files in Configuration Manager topic.

Removed        Endpoint Protection successfully removed the malware.

Quarantined    Endpoint Protection moved the malware to a secure location and prevented it from running until you remove it or allow it to run.

Cleaned        The malware was cleaned from the infected file.

Allowed        An administrative user chose to allow the software that contains the malware to run.

No Action      Endpoint Protection took no action on the malware. This might occur if the computer is restarted after malware is detected and the malware is no longer detected; for instance, if a mapped network drive on which malware is detected is not reconnected when the computer restarts.

Blocked        Endpoint Protection blocked the malware from running. This might occur if a process on the computer is found to contain malware.
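The reports and the alert levels above are the console's view of the detection data that the Endpoint Protection client reports into the site database. The following T-SQL query is an added example, not from this topic or from the Configuration Manager product, for the case the built-in reports do not cover directly: one list, per computer in a collection, of recent detections that the client did not report as successfully remediated (the detections most likely to carry a Failed or No Action alert level) so that they can be followed up from the Malware Detail tab and the client logs. It assumes the hardware-inventory view v_GS_Threats (one row per detection, column names suffixed with 0 as in other inventory views), the standard v_R_System and v_FullCollectionMembership views, and that SMS00001 is the All Systems collection; confirm the v_GS_Threats column names against your site database before relying on them.

```sql
-- Added example; not part of the Configuration Manager documentation or product.
-- Assumptions (verify with SELECT TOP 1 * FROM v_GS_Threats on your site database):
--   v_GS_Threats columns: ResourceID, ThreatName0, DetectionTime0, UserName0,
--                         Path0, ActionSuccess0 (1 = remediation succeeded)
--   v_R_System.Netbios_Name0 and v_FullCollectionMembership(ResourceID, CollectionID)
--   are the standard site-database views; SMS00001 is the All Systems collection.
DECLARE @Days         int         = 7;           -- look-back window in days
DECLARE @CollectionID nvarchar(8) = 'SMS00001';  -- narrow to the collection you monitor

-- Recent detections for members of the chosen collection.
WITH recent AS (
    SELECT
        t.ResourceID,
        t.ThreatName0,
        t.DetectionTime0,
        t.UserName0,
        t.Path0,
        t.ActionSuccess0
    FROM v_GS_Threats AS t
    JOIN v_FullCollectionMembership AS fcm
      ON fcm.ResourceID   = t.ResourceID
     AND fcm.CollectionID = @CollectionID
    -- DetectionTime0 is compared against server time; adjust if your
    -- inventory stores detection times in UTC (assumption).
    WHERE t.DetectionTime0 >= DATEADD(day, -@Days, GETDATE())
)
SELECT
    sys.Netbios_Name0                                          AS ComputerName,
    COUNT(*)                                                   AS Detections,
    -- Anything other than an explicit success counts as needing attention.
    SUM(CASE WHEN r.ActionSuccess0 = 1 THEN 0 ELSE 1 END)      AS Unremediated,
    MAX(r.DetectionTime0)                                      AS LastDetection,
    -- Most recent threat name, for a quick first look before opening Malware Detail.
    (SELECT TOP 1 r2.ThreatName0
       FROM recent AS r2
      WHERE r2.ResourceID = r.ResourceID
      ORDER BY r2.DetectionTime0 DESC)                         AS LastThreat
FROM recent AS r
JOIN v_R_System AS sys
  ON sys.ResourceID = r.ResourceID
GROUP BY sys.Netbios_Name0, r.ResourceID
HAVING SUM(CASE WHEN r.ActionSuccess0 = 1 THEN 0 ELSE 1 END) > 0
ORDER BY Unremediated DESC, LastDetection DESC;
```

Run it with a read-only account against the site database (for example from SQL Server Management Studio); the console and the Reporting Services reports do not need to be touched. Unlike the summarized Endpoint Protection Status node, this reads the inventory rows directly, so it reflects the last hardware inventory cycle of each client rather than the last summarization run. Computers that appear here with a high Unremediated count are the ones to open on the Malware Detail tab and, for Failed entries, to check in the Endpoint Protection log files referenced above.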