Endpoint Protection Antimalware Policy SQL 2008

We use SCCM 2012 to manage our antimalware solution (SCEP). We created policies for different servers, for example SQL Server 2008 R2. We created the Endpoint Protection Antimalware policy "SQL 2008":
To prevent performance issues, MS recommends excluding some processes from virus scanning:
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
%ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe
As you can see, we currently use MSSQLSERVER as the instance name.
Because we use many different SQL instances we need to restrict the number of policies to one and don't want to create separate policies for different SQL instances. Is it possible to use some kind of wildcard, like %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.*\MSSQL\Binn\SQLServr.exe, where the instance name is * ?
Is it also possible to monitor the scan status in real time? I would like to see which files are being scanned when starting a quick/full scan. From within the SCEP client it isn't possible.
Hope you can help me out.
Sacha

Hey,
Thanks for the post.
As I understand your request, I suggest you exclude the parent SQL folder:
%ProgramFiles%\Microsoft SQL Server
It will exclude all instances under the parent folder.
For a file/process exclusion you have to provide the full path name.
"to see which files are being scanned when starting a quick/full scan"
You have to create a report in SCCM for that:
http://technet.microsoft.com/en-us/library/gg712698.aspx
I'd be glad to answer any questions.
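Added example for this thread (it is not the poster's, the answerer's or Microsoft's code): before settling on a single broad folder exclusion, check on the SQL host which instances are actually installed and whether the exclusions SCEP holds in the registry cover each instance's sqlservr.exe. The script reads the standard SQL Server setup keys (Instance Names\SQL and each instance's Setup\SQLBinRoot) and the policy hive HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions, whose Paths, Processes and Extensions subkeys hold the exclusions as value names (the Extensions subkey is the one discussed further down this page). It assumes PowerShell 3.0 or later, local administrator rights, and a 64-bit SQL install (a 32-bit SQL on x64 keeps its keys under Wow6432Node, which this script does not read).

```powershell
# Added example: report how each local SQL Server instance's sqlservr.exe is
# covered by the SCEP exclusions delivered through policy. Not from the thread.
$SqlInstanceKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$SqlRootKey     = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$AmExclusionKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions'
$ProviderProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryValueName {
    # Registry values under a key, minus the provider bookkeeping properties.
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return }
    foreach ($p in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($ProviderProps -notcontains $p.Name) { $p }
    }
}

function Get-SqlInstanceBinary {
    # One object per instance: name, instance id (e.g. MSSQL10_50.MSSQLSERVER)
    # and the full path of sqlservr.exe taken from the instance's SQLBinRoot.
    foreach ($v in Get-RegistryValueName -Key $SqlInstanceKey) {
        $setup = Get-ItemProperty -Path (Join-Path $SqlRootKey "$($v.Value)\Setup") -ErrorAction SilentlyContinue
        if (-not $setup -or -not $setup.SQLBinRoot) { continue }
        [pscustomobject]@{
            Instance   = $v.Name
            InstanceId = $v.Value
            Binary     = Join-Path $setup.SQLBinRoot 'sqlservr.exe'
        }
    }
}

function Get-AmExclusion {
    # Exclusions are stored as value *names*; the DWORD data is always 0.
    # %VAR% references are expanded so they compare with real paths.
    foreach ($kind in 'Paths', 'Processes', 'Extensions') {
        foreach ($v in Get-RegistryValueName -Key (Join-Path $AmExclusionKey $kind)) {
            [pscustomobject]@{
                Kind  = $kind
                Value = [Environment]::ExpandEnvironmentVariables($v.Name)
            }
        }
    }
}

function Test-SqlExclusionCoverage {
    # For each instance: excluded explicitly as a process, excluded only because
    # a folder above it is excluded, or not excluded at all. A '*' in a stored
    # exclusion is treated as a wildcard for this comparison only.
    $ex    = @(Get-AmExclusion)
    $procs = @($ex | Where-Object { $_.Kind -eq 'Processes' } | ForEach-Object { $_.Value })
    $paths = @($ex | Where-Object { $_.Kind -eq 'Paths' }     | ForEach-Object { $_.Value })
    foreach ($inst in Get-SqlInstanceBinary) {
        $byProcess = @($procs | Where-Object { $inst.Binary -like $_ })
        $byFolder  = @($paths | Where-Object { $inst.Binary -like ($_.TrimEnd('\') + '\*') })
        if ($byProcess)    { $coverage = 'ProcessExclusion' }
        elseif ($byFolder) { $coverage = 'FolderExclusion' }
        else               { $coverage = 'NotExcluded' }
        [pscustomobject]@{
            Instance  = $inst.Instance
            Binary    = $inst.Binary
            Coverage  = $coverage
            MatchedBy = ($byProcess + $byFolder) -join '; '
        }
    }
}

Test-SqlExclusionCoverage | Format-Table -AutoSize
```

A result of FolderExclusion matched by %ProgramFiles%\Microsoft SQL Server means the reply's suggestion is in effect: every file anywhere under that tree is unscanned, including anything a compromised SQL service account or an xp_cmdshell call drops there. Microsoft's SQL Server antivirus guidance (KB 309422) is narrower, naming the engine process and the data, log and backup files, so prefer the per-instance process exclusions this script lists over the parent folder where the number of policies allows. Whether the SCEP policy itself accepts * in a process path is for the product documentation to confirm; the script only uses -like to show what such a pattern would cover.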

Similar Messages

  • System Center Endpoint Protection Antimalware client version - wont upgrade

    Hi
    Running SCCM 2012 SP1 CU4 on Server A. Endpoint Protection role on Server B. Both Servers 2008 R2. there is only one primary site server and no secondary sites in the hierarchy.
    All clients are Windows 7.
    The SCEP client is not upgrading on clients as I would have expected. After enabling the automatic client upgrade option in site hierarchy settings I found all the clients upgraded their SCCM agent. I was expecting the SCEP client to be upgraded also. Machines have been rebooted since the SCCM agent upgrade.
    How can I go about upgrading the SCEP agent on all computers?
    Many thanks

    Hi Daniel
    I can't find this file in %programfiles%\microsoft configuration manager\logs or %programfiles%\sms_ccm\logs. Can you tell me where this log file is?
    I think I've sorted the issue: some of the boundaries weren't in a boundary group. Now some of the SCEP agents are upgrading. There are still some issues, but I guess I'll do some reinstalls and see if I can resolve it that way.
    Common installation issues I'm seeing are 0x8004FF91 or 0x8000ffff, for example. These are found in c:\windows\ccm\logs\EndpointProtectionAgent.log on the clients.
    Thanks

  • How to Write Path to Exclude Specific Folder From Scanning in Endpoint Antimalware policy

    Dears,
    I have configured an Endpoint Protection antimalware policy to scan Windows servers, and I have some specific folders which I need excluded from scanning because they are critical folders. When I want to exclude a folder, how do I write the path in the excluded field? Is C:\MyFolder a correct path, or is there a special way of writing the path?
    Thanks.

    If that's the folder you want to exclude then you're doing fine. For more information see (List of Antimalware Policy Settings):
    http://technet.microsoft.com/en-us/library/hh508785.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SCCM 2012 - Endpoint Protection Reporting only using static end date

    I have created a subscription to the Endpoint Protection/Antimalware Activity Report built into SCCM2012/Endpoint Protection.
    My problem is that I am having trouble getting the dates to work correctly. I want to have the report automatically emailed out every Monday morning with the status from the last 7 days (i.e. since the last Monday report).
    However, the subscription seems to want a static end date. That is, every Monday when the report runs it gives me a status report from the exact same 7 days, not the most recent 7 days.
    How do I go about changing this so it is useful, so that every Monday it runs, the report it creates/sends is from the last 7 days?

    I hope this helps (I am still testing it) but I did this by:-
    "Editing" the default report such as "Antimalware activity report".
    To avoid corrupting this default report before you change anything select SaveAs and call it something like "Antimalware activity report
    for the last 7 days".
    Open Datasets, StartEndDates and replace the query with this for the last 7 days
    "select DATEADD(day,datediff(day,0,GetDate())- 7,0) as StartDate, DATEADD(day,datediff(day,0,GetDate()),0) as EndDate"
    Then open Parameters, StartDate and under General change it to "Hidden".
    Then open Parameters, EndDate and under General change it to "Hidden".
    Save and test
    I had to set the "default value" on each parameter, per Lillonel:
    StartDate : =DateAdd("d",-7,Globals!ExecutionTime)
    EndDate : =Globals!ExecutionTime
    It looks like it is using a 7 day window now.

  • Endpoint Protection Managed Workstations: Antimalware policy application failed

    Hello,
    When looking at the Endpoint statistics I have the line for systems failing to apply policy. An easy fix to this is to delete the registry.pol file. I would like to make a collection that automates this task for me. Basically if it reports back failure, it gets added to a collection, an advertisement runs on it to fix it and redeploy the policy.
    The only thing I need to know is the query behind the "Endpoint Protection Managed Workstations: Antimalware policy application failed" so I can make a collection for it. Does anyone happen to know it?
    Thanks

    Client logs:
    Client 1:
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:27:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:27:00 PM 2056 (0x0808)
    Failed to apply policy with error 0x80004005, retry number : 1 after 60 second. EndpointProtectionAgent 11/3/2014 12:27:00 PM 2056 (0x0808)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:28:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:28:00 PM 2056 (0x0808)
    Failed to apply policy with error 0x80004005, retry number : 2 after 60 second. EndpointProtectionAgent 11/3/2014 12:28:00 PM 2056 (0x0808)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:29:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:29:00 PM 2056 (0x0808)
    Failed to apply policy with error 0x80004005, retry number : 3 after 60 second. EndpointProtectionAgent 11/3/2014 12:29:00 PM 2056 (0x0808)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:30:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:30:00 PM 2056 (0x0808)
    Failed to apply policy with error 0x80004005, retry number : 4 after 60 second. EndpointProtectionAgent 11/3/2014 12:30:00 PM 2056 (0x0808)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:31:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:31:00 PM 2056 (0x0808)
    Failed to apply policy with error 0x80004005, retry number : 5 after 60 second. EndpointProtectionAgent 11/3/2014 12:31:00 PM 2056 (0x0808)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:32:00 PM 2056 (0x0808)
    Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:32:01 PM 2056 (0x0808)
    Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/3/2014 12:32:01 PM 2056 (0x0808)
    State 2 and ErrorCode -2147467259 and ErrorMsg Failed to open the local machine Group Policy and PolicyName Antimalware Policy and GroupResolveResultHash 23496E87C22E7CA5048254CC04CCF582A084C108 is NOT changed. EndpointProtectionAgent 11/3/2014 12:32:01 PM 2056 (0x0808)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/3/2014 12:32:01 PM 2056 (0x0808)
    Client 2:
    Apply AM Policy. EndpointProtectionAgent 11/4/2014 7:27:50 AM 2536 (0x09E8)
    Failed to generate AM policy XML with error code 0x8000ffff EndpointProtectionAgent 11/4/2014 7:27:50 AM 2536 (0x09E8)
    Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/4/2014 7:27:50 AM 2536 (0x09E8)
    start to send State Message with topic type = 2002, state id = 2, error code = 0x8000ffff, and message = <Instance><AppliedAmPolicies/></Instance>
    EndpointProtectionAgent 11/4/2014 7:27:50 AM 2536 (0x09E8)
    Start to send state message. EndpointProtectionAgent 11/4/2014 7:27:50 AM 2536 (0x09E8)
    Send state message successfully EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Firewall provider is installed. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Endpoint is triggered by WMI notification. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    File C:\Windows\ccmsetup\SCEPInstall.exe version is 4.3.215.0. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    EP version 4.3.215.0 is already installed. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Expected Version 4.3.215.0 is exactly same with installed version 4.3.215.0. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Handle EP AM policy. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Apply AM Policy. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Failed to generate AM policy XML with error code 0x8000ffff EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    State 2 and ErrorCode -2147418113 and ErrorMsg Failed to load WMI instances. and PolicyName Antimalware Policy and GroupResolveResultHash 2B22C160D3BC8DC4BECF08D4F632D4756D4C9622 is NOT changed. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
    Client 3:
    Apply AM Policy. EndpointProtectionAgent 11/3/2014 12:26:00 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:26:00 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:26:00 PM 1768 (0x06E8)
    Failed to apply policy with error 0x80004005, retry number : 1 after 60 second. EndpointProtectionAgent 11/3/2014 12:26:00 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:27:00 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:27:00 PM 1768 (0x06E8)
    Failed to apply policy with error 0x80004005, retry number : 2 after 60 second. EndpointProtectionAgent 11/3/2014 12:27:00 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:28:00 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:28:00 PM 1768 (0x06E8)
    Failed to apply policy with error 0x80004005, retry number : 3 after 60 second. EndpointProtectionAgent 11/3/2014 12:28:00 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:29:00 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:29:01 PM 1768 (0x06E8)
    Failed to apply policy with error 0x80004005, retry number : 4 after 60 second. EndpointProtectionAgent 11/3/2014 12:29:01 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:30:01 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:30:01 PM 1768 (0x06E8)
    Failed to apply policy with error 0x80004005, retry number : 5 after 60 second. EndpointProtectionAgent 11/3/2014 12:30:01 PM 1768 (0x06E8)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/3/2014 12:31:01 PM 1768 (0x06E8)
    Failed to apply the policy C:\Windows\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:31:01 PM 1768 (0x06E8)
    Save new policy state 2 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/3/2014 12:31:01 PM 1768 (0x06E8)
    State 2 and ErrorCode -2147467259 and ErrorMsg Failed to open the local machine Group Policy and PolicyName Antimalware Policy and GroupResolveResultHash 23496E87C22E7CA5048254CC04CCF582A084C108 is NOT changed. EndpointProtectionAgent 11/3/2014 12:31:01 PM 1768 (0x06E8)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/3/2014 12:31:01 PM 1768 (0x06E8)
    I have 12 systems total having issues with Policy right now.
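Added example (not part of the thread): the log excerpts above carry everything needed to triage a client without opening the console, namely the "State N and ErrorCode ..." line that the agent writes to SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState and the retry lines before it. The script below parses those lines, converts the signed decimal ErrorCode the agent logs (-2147467259) into the HRESULT the console shows (0x80004005), and tags the failing component from the ErrorMsg text. The sample lines are constructed in the format quoted in the post; on a real client feed it the lines of C:\Windows\CCM\Logs\EndpointProtectionAgent.log. The component labels (LocalGroupPolicyStore, WmiRepository) are this script's own names, not agent terminology.

```powershell
# Added example: summarise EP policy application results from
# EndpointProtectionAgent.log. Not from the thread; sample lines are constructed.

# Constructed sample in the agent's format (three clients' final lines).
$SampleLog = @'
Failed to apply the policy C:\WINDOWS\CCM\EPAMPolicy.xml with error (0x80004005). EndpointProtectionAgent 11/3/2014 12:27:00 PM 2056 (0x0808)
Failed to apply policy with error 0x80004005, retry number : 1 after 60 second. EndpointProtectionAgent 11/3/2014 12:27:00 PM 2056 (0x0808)
Failed to apply policy with error 0x80004005, retry number : 2 after 60 second. EndpointProtectionAgent 11/3/2014 12:28:00 PM 2056 (0x0808)
State 2 and ErrorCode -2147467259 and ErrorMsg Failed to open the local machine Group Policy and PolicyName Antimalware Policy and GroupResolveResultHash 23496E87C22E7CA5048254CC04CCF582A084C108 is NOT changed. EndpointProtectionAgent 11/3/2014 12:32:01 PM 2056 (0x0808)
Failed to generate AM policy XML with error code 0x8000ffff EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
State 2 and ErrorCode -2147418113 and ErrorMsg Failed to load WMI instances. and PolicyName Antimalware Policy and GroupResolveResultHash 2B22C160D3BC8DC4BECF08D4F632D4756D4C9622 is NOT changed. EndpointProtectionAgent 11/4/2014 7:27:51 AM 2536 (0x09E8)
State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash D277339FA77A9017801399D96266BAD42DE74F38 is NOT changed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
'@ -split "`r?`n"

# Final state line; ErrorMsg may be empty (success), timestamp may be 12h or 24h.
$StateLine = '^State (?<state>\d+) and ErrorCode (?<code>-?\d+) and ErrorMsg\s*(?<msg>.*?)\s*and PolicyName (?<policy>.*?) and GroupResolveResultHash (?<hash>[0-9A-Fa-f]+) is (?<changed>NOT changed|changed)\.\s+EndpointProtectionAgent (?<ts>\S+ \S+(?: [AP]M)?)'
$RetryLine = '^Failed to apply policy with error (?<hr>0x[0-9A-Fa-f]+), retry number : (?<n>\d+)'

# Standard COM HRESULT names for the codes seen on this page.
$HResultNames = @{ '0x00000000' = 'S_OK'; '0x80004005' = 'E_FAIL'; '0x8000FFFF' = 'E_UNEXPECTED' }

function ConvertTo-HResult {
    # The agent logs the HRESULT as a signed 32-bit decimal; reinterpret the
    # same bit pattern as unsigned hex, e.g. -2147467259 -> 0x80004005.
    param([int]$Code)
    '0x{0:X8}' -f ([int64]$Code -band 0xFFFFFFFF)
}

function Get-EpPolicyState {
    # Emit one object per "State ..." line, carrying the number of retries
    # the agent logged since the previous state line.
    param([string[]]$Lines)
    $retries = 0
    foreach ($line in $Lines) {
        if ($line -match $RetryLine) { $retries = [int]$Matches['n']; continue }
        if ($line -match $StateLine) {
            $hr = ConvertTo-HResult ([int]$Matches['code'])
            $component = switch -Wildcard ($Matches['msg']) {
                '*Group Policy*' { 'LocalGroupPolicyStore' }   # registry.pol case from the post
                '*WMI*'          { 'WmiRepository' }
                ''               { 'None' }
                default          { 'Unknown' }
            }
            [pscustomobject]@{
                Timestamp     = $Matches['ts']
                Policy        = $Matches['policy']
                State         = [int]$Matches['state']
                Applied       = ([int]$Matches['state'] -eq 1)
                HResult       = $hr
                Name          = $HResultNames[$hr]
                Component     = $component
                ErrorMsg      = $Matches['msg']
                RetriesBefore = $retries
            }
            $retries = 0
        }
    }
}

Get-EpPolicyState -Lines $SampleLog |
    Format-Table Timestamp, State, HResult, Name, Component, RetriesBefore -AutoSize
```

On the sample this yields three rows: state 2 / 0x80004005 / LocalGroupPolicyStore after two retries, state 2 / 0x8000FFFF / WmiRepository, and state 1 / 0x00000000 for the successful client. Only the first of these is the "Failed to open the local machine Group Policy" case that the registry.pol deletion in the post addresses; the WMI failure is a different cause and the post offers no fix for it, so keep the two apart when building the remediation collection.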

  • DPM 2012 R2 protecting a SQL 2008 Cluster/Vss Writer problems on SQL Server

    Hola,
    I am running DPM 2012 R2 Rollup 4. My server OS is 2012 Datacenter. I have a SQL 2008 Active/Passive cluster, and MS support has kicked this to the SQL team for review. OK, here we go. When I run vssadmin list writers I do see the SQL Writer. It also says no errors. When I run diskshadow /l c:a.txt from an admin command prompt the output does show the SQL Writer information, but under that it should display all the metadata for each connection to the database so DPM can expand the SQL database to be chosen for protection. I am already confused.
    I am going to include a snippet from the vssadmin and the diskshadow command:
    vssadmin list writers:
    Writer name: 'SqlServerWriter'
       Writer Id: {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
       Writer Instance Id: {8d773b6f-0196-4c34-9943-f258f99c2d9a}
       State: [1] Stable
       Last error: No error
    Diskshadow /l c:a.txt
     * WRITER "SqlServerWriter"
      - Writer ID   = {a65faa63-5ea8-4ebc-9dbd-a0c4db26912a}
      - Writer instance ID = {8d773b6f-0196-4c34-9943-f258f99c2d9a}
      - Supports restore events = TRUE
      - Writer restore conditions = VSS_WRE_ALWAYS
      - Restore method = VSS_RME_RESTORE_IF_CAN_REPLACE
      - Requires reboot after restore = FALSE
      - Excluded files:
     * WRITER "BITS Writer"
      - Writer ID   = {4969d978-be47-48b0-b100-f328f07ac1e0}
      - Writer instance ID = {5ad5c4f7-5f68-4c1d-a4fc-92d5ef898881}
      - Supports restore events = TRUE
      - Writer restore conditions = VSS_WRE_UNDEFINED
      - Restore method = VSS_RME_UNDEFINED
      - Requires reboot after restore = FALSE
      - Excluded files:
       - Exclude: Path = C:\Windows\System32, Filespec = bits.log
       - Exclude: Path = C:\Windows\System32, Filespec = bits.bak
       - Exclude: Path = C:\ProgramData\Microsoft\Net
    As you can see this did not return the expected results. I should see the metadata for each database. This is why DPM can't list the databases for backup in my 2008 production SQL cluster. Any thoughts? This has not been working for quite some time. I was hoping the update to Rollup 4 would have fixed the problem. I know this is a SQL problem, but has anyone had this experience?
    Thanks
    Steve J.

    Update:
    Uninstalled the SQL Server instance and downloaded the SQL Server 2012 SP1 image from the link in the error message. It takes you to the download page for the Express edition of SQL Server 2012. I downloaded the SQLEXPRADV_x64_ENU file and used it to re-install the SQL Server instance.
    Ultimately I had to use the ISO image to upgrade the instance to Standard because the SQL Server Agent will not run under the Express edition and caused the DPM install to fail.
    The DPM installation then completed successfully, and immediately afterwards Windows Update installed SQL Server 2012 SP2.
    Evidently you cannot start with SP2 until the installation is complete.

  • Forefront Endpoint Protection 2010 Antimalware Activity and Antimalware Protection Summary Reports aren't rendering properly.

    The Antimalware Activity and Antimalware Protection Summary reports aren't rendering properly. When I export them to PDF they look normal, but when I run either of these reports they don't display properly. In the Antimalware Protection Summary report, the Latest Antimalware Protection Summary title bar has been extended and the Status legend is covered by white space, and the Latest Antimalware Definitions Summary title bar has been extended and the Period legend is covered by white space. On the same page the Antimalware Protection History-Week has been flushed to the right to where it only displays "Antimalw", and the Antimalware Definitions History-Week has been flushed to the right to where it only displays "Antimalw". On the Antimalware Activity report the Actions legend has been flushed to the left.

    This is an old question, but you may try it using the latest version of Forefront Endpoint Protection or System Center Endpoint Protection and let us know if you are able to reproduce the problem. There are many improvements in the latest releases of SCEP and FEP.

  • Azure Antimalware (Endpoint Protection) says "your system administrator has restricted access to this app"

    I see many posts about using SCCM to configure policies, etc., etc. However, I can't find any information about my specific issue:
    I have installed the Antimalware extension on several Azure VMs. Only one VM allows access to "System Center Endpoint Protection". All the other ones say "your system administrator has restricted access to this app". Now, since I am the
    system administrator, I am at a loss how to be able to see / configure the other VMs using this program.
    I have not installed SCCM, since I didn't think I would need it. If, in fact, I must install SCCM, it pretty much defeats the purpose of an extension.
    Any ideas would be greatly appreciated.
    --- If I am in the wrong forum, please let me know where I should post my question, since there don't appear to be any forums discussing extensions for Azure.

    Although Azure endpoint protection is the same core technology as SCEP, it is not managed in the same way. Also, if the ConfigMgr agent is not installed on these VMs, then it's quite impossible for ConfigMgr to be the source of the issue here. You are better off posting to an Azure forum.
    However, did you elevate when launching the EP console?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • System Center 2012 Endpoint Protection - any user may reboot Windows Server

    Hello,
    I've got the System Center 2012 Endpoint Protection client installed on a Windows Server 2008 R2 Terminal Server. I've just noticed that if System Center Endpoint Protection detects some malware that requires a system restart in order to successfully clean it, the notification will be seen by all logged-on users on the Terminal Server, and if anyone presses "Restart" then the server will reboot even if the user doesn't have the required permission. I think this is totally unacceptable; Microsoft has to do something about it. In all situations only an Administrator should have the right to restart the server.
    Please fix this issue asap, thank you.

    While there is no setting that just controls "SCEP needs to reboot", there are other settings that might help.
    Have you tried setting "Disable the client user interface" to Yes on the antimalware policy? How about "Show notification messages..."? I don't have a way to reproduce the behavior you are seeing, but maybe you can give it a shot.
    I understand why Microsoft would want to give non-admin users a prompt to reboot a machine that needs it to remove malware. This is the typical scenario for most workstations. However, your exception with a terminal server is definitely something that needs a workaround.
    If you put in Connect feedback asking for a discrete setting to control this, please post a link to it.
    I hope that helps,
    Nash
    Nash Pherson, Senior Systems Consultant
    Now Micro

  • Upgraded SCCM 2012 SP1 to CU5 - Problem updating Endpoint Protection Client (to V4.5.216.0)

    We upgraded SCCM SP1 to CU5. We got one primary site, on which we had no problems with running the CU setup. After the upgrade we pushed the new administrator console and client.
    SP1 CU5 - console update -> Updated on all administrator users (50 computers)
    SP1 CU5- x64 and x86 client update -> Updated on pilot group (50 computers)
    No problems so far.
    We are having trouble updating the Endpoint Protection client version. This was V4.1.522.0 before the upgrade. When we enroll a new computer, it receives the new V4.5.216.0, which is the latest version.
    But we can't update our older clients. We try to deploy the software update (Update for Forefront Endpoint Protection 2010 Client - 4.5.216.0 (KB2952678)) but it doesn't install. After 20 minutes, if I look in the deployment logs, it says the installation was successful; but it isn't, it's still the old version.
    The strange thing is, we can upgrade to an in-between version (Update for Forefront Endpoint Protection 2010 Client - 4.3.215.0 (KB2864366)), which installs on a test client.
    If I look at the cache files of the new EP client update and run UpdateInstall.exe manually, the update does install. Then I see in the log file EndpointProtectionAgent.log that it still refers to version 4.1.522.0.
    EP 4.5.216.0 is installed, version is higher than expected installer version 4.1.522.0. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Re-apply EP AM policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Apply AM Policy. EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\Windows\CCM\EPAMPolicy.xml". EndpointProtectionAgent 13/01/2015 14:54:00 7808 (0x1E80)
    Applied the C:\Windows\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    State 1 and ErrorCode 0 and ErrorMsg and PolicyName Antimalware Policy and GroupResolveResultHash D277339FA77A9017801399D96266BAD42DE74F38 is NOT changed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Firewall provider is installed. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 13/01/2015 14:54:02 7808 (0x1E80)
    This is the WindowsUpdate.log when I try to push the new EP client.
    2015-01-14 11:24:13:651 7416 1c44 Handler :::::::::
    2015-01-14 11:24:13:651 7416 1c44 Handler : Updates to install = 1
    2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Command line install completed. Return code = 0x8004ff25, Result = Failed, Reboot required = false
    2015-01-14 11:24:21:716 7416 1c44 Handler : WARNING: Exit code = 0x8024200B
    2015-01-14 11:24:21:716 7416 1c44 Handler :::::::::
    2015-01-14 11:24:21:716 7416 1c44 Handler :: END :: Handler: Command Line Install
    2015-01-14 11:24:21:732 7416 1c44 Handler :::::::::::::
    2015-01-14 11:24:21:794 1096 c18 Agent *********
    2015-01-14 11:24:21:794 1096 edc AU Can not perform non-interactive scan if AU is interactive-only
    2015-01-14 11:24:21:794 1096 c18 Agent ** END ** Agent: Installing updates [CallerId = CcmExec]
    2015-01-14 11:24:21:794 1096 c18 Agent *************
    2015-01-14 11:24:21:794 2296 fac COMAPI >>-- RESUMED -- COMAPI: Install [ClientId = CcmExec]
    2015-01-14 11:24:21:794 2296 fac COMAPI - Install call complete (succeeded = 0, succeeded with errors = 0, failed = 1, unaccounted = 0)
    2015-01-14 11:24:21:794 2296 fac COMAPI - Reboot required = No
    2015-01-14 11:24:21:794 2296 fac COMAPI - WARNING: Exit code = 0x00000000; Call error code = 0x80240022
    2015-01-14 11:24:21:794 2296 fac COMAPI ---------
    2015-01-14 11:24:21:794 2296 fac COMAPI -- END -- COMAPI: Install [ClientId = CcmExec]
    2015-01-14 11:24:21:794 2296 fac COMAPI -------------
    2015-01-14 11:24:21:794 1096 1620 AU Can not perform non-interactive scan if AU is interactive-only
    2015-01-14 11:24:26:739 1096 1424 Report REPORT EVENT: {ED287668-4BEF-46FD-BB57-CA17680E5D3B} 2015-01-14 11:24:21:732+0100 1 182 101 {A90C3005-7B59-4268-8B11-12D9BE5C8EA0} 201 80070643 CcmExec Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Update for System Center Endpoint Protection 2012 Client - 4.5.216.0 (KB2952678).
    2015-01-14 11:24:27:207 1096 1424 Report CWERReporter::HandleEvents - WER report upload completed with status 0x8
    2015-01-14 11:24:27:207 1096 1424 Report WER Report sent: 7.5.7601.17514 0x80070643 A90C3005-7B59-4268-8B11-12D9BE5C8EA0 Install 101 Managed
    2015-01-14 11:24:27:207 1096 1424 Report CWERReporter finishing event handling. (00000000)
    Thanks in advance!

    Hello,
    According to KB2952678:
    "To apply this update, you must have one of the following installed:
    System Center 2012 R2 Configuration Manager Cumulative Update 4 for System Center 2012 Configuration Manager Service Pack
    Service Pack 2 for System Center Configuration Manager 2007 and Update Rollup 1 for Forefront Endpoint Protection 2010"
    Do you have Update Rollup 1 for Forefront Endpoint Protection 2010?

  • SCCM 2012 Endpoint Protection initial update not downloaded

    Hi,
    I'm new to SCCM 2012. I recently started deploying Endpoint Protection to all of our clients (Windows 7 and XP Pro).
    I've noticed that some clients have not been updating their initial definitions after the Endpoint Protection software is installed.
    Since they are not updating their definitions, the client remains unprotected, with the status icon in red.
    The odd thing is that some of our computers do the initial update just fine while others are affected.
    Also, if I click update manually then the update goes through with no issue, but with 100+ clients not updated it's not something I want to do manually.
    The clients are set to receive auto updates via an automatic deployment rule.
    Also the antimalware policy is set to do updates as well in this order: 
    Config Mgr
    WSUS
    Microsoft Malware Protection Center
    Microsoft Update
    Has anyone seen this before? 
    If I need to upload any specific logs just let me know. 
    Many Thanks

    Do you have software updates configured (and working) through ConfigMgr, or are you using a standalone WSUS?
    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

  • What purpose is the Data field in the registry on an individual file extension exclusion in Endpoint Protection?

    File extension exclusions for System Center Endpoint Protection are at
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions
    and consist of a REG_DWORD value, named as a file extension such as .mdf, and a corresponding Data element, which always appears to be 0x00000000
    Can this data value ever be anything else, and if so, what are the possible values and their meanings? If not, I'm curious why not just make it a REG_SZ and leave it blank, rather than a data type that requires a value.

    The data field is always 0x00000000. I think other values would be ignored. Only the Name field seems to be important.
    The funny thing is that the exclusion entry can be a REG_SZ and it will work just the same. In fact, if you use the tool that creates a GPO to deploy EP policy instead of using ConfigMgr, the entries are created as REG_SZ instead of DWORD.
    I'm not sure why both methods are used, but the antimalware engine seems to interpret them the same.

  • Locally check how Endpoint Protection client gets updates

    Hi,
    I'm in the middle of a large deployment of SCEP (ahem) System Center 2012 Endpoint Protection, and I've come across an interesting question. Is it possible to determine the method the local SCEP client used to obtain its most recent definition update?
    The background here is that our clients are set to obtain updates from the SCCM server, and only from the Internet as a last resort after 12 hours of failure. However, during one recent deployment, the local team reported a spike in their Internet traffic and believe several hundred SCEP clients updated via the Internet. Is it possible to verify this locally from log files on the computer or by some other method?
    This is an issue for some of our locations where Internet bandwidth is at a premium, but we have good internal WAN links.
    Kind regards,
    Matt

    Hi,
    We could configure Definition Update sources under Antimalware Policy.
    How to Configure Definition Updates for Endpoint Protection in Configuration Manager
    Best Regards,
    Joyce Li
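The reply points at the policy setting rather than at the local check the question asks for. The following is an added example (not from the thread, not a Microsoft tool) that answers the local question for the two channels that run through the Windows Update Agent: it reads the WUA history on the client and classifies each Endpoint Protection definition install by the service it was recorded under. Assumed, not from the thread: the service GUIDs for WSUS, Microsoft Update and Windows Update, and that ConfigMgr-driven installs carry the client application ID CcmExec; the title pattern follows the "Definition Update for Microsoft Endpoint Protection" naming seen in WSUS catalogues.

```powershell
# Added example, not part of the thread. Reports the channel the Windows Update
# Agent recorded for each recent Endpoint Protection definition install.
# Assumed: service GUIDs below and 'CcmExec' as the ConfigMgr client ID.
$serviceNames = @{
    '3da21691-e39d-4da6-8a4b-b43877bcb1b7' = 'WSUS / ConfigMgr software update point'
    '7971f918-a847-4430-9279-4a52d1efe18d' = 'Microsoft Update (Internet)'
    '9482f4b4-e343-43b6-b170-9a65bc822c77' = 'Windows Update (Internet)'
}

function Get-EpDefinitionUpdateSource {
    param([int]$Days = 7)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $since = (Get-Date).AddDays(-$Days)
    foreach ($entry in $searcher.QueryHistory(0, $total)) {
        if ($entry.Date -lt $since) { continue }
        if ($entry.Title -notlike '*Definition Update*Endpoint Protection*') { continue }
        $result = switch ($entry.ResultCode) {
            2 { 'Succeeded' } 3 { 'SucceededWithErrors' } 4 { 'Failed' } 5 { 'Aborted' } default { "Code $_" }
        }
        $id  = [string]$entry.ServiceID
        $svc = if ($serviceNames.ContainsKey($id)) { $serviceNames[$id] } else { $id }
        [pscustomobject]@{
            Date    = $entry.Date
            Title   = $entry.Title
            Result  = $result
            Client  = $entry.ClientApplicationID   # 'CcmExec' when the ConfigMgr client drove the install (assumed)
            Service = $svc
        }
    }
}

# Per-channel count is the number the WAN team actually wants.
Get-EpDefinitionUpdateSource -Days 14 | Group-Object Service, Client | Select-Object Count, Name
Get-EpDefinitionUpdateSource -Days 14 | Sort-Object Date | Format-Table Date, Result, Client, Service -AutoSize
```

One caveat: a definition pulled straight from the Microsoft Malware Protection Center (the other Internet source selectable in the antimalware policy) is fetched by the Endpoint Protection client itself, not by the Windows Update Agent, so it will not appear in this history; for that path the client's own MPLog is the only local record.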

  • Endpoint Protection Client not running scheduled scan

    Hi,
    We are running SCCM 2012 R2 CU1 on our site system and clients, having upgraded from SCCM 2012 sp1 12 months ago.
    A few of our clients will not run a scheduled scan, even though it displays the Scan date and time in the client properties. 
    Someone did create a new EP policy and pointed the clients at it, but that didn't fix this problem.
    The AV engine and AV definitions are up to date and the real-time monitor is running.
    In the SCCM console, Active Clients at Risk, the client has Endpoint Protection Enabled showing as Disabled, nothing in the Endpoint Protection Engine Version, nothing for Last Full Scan Start Time, Endpoint Protection Pending Full Scan - No.
    The MPLog-xxxx-xxx.log shows:
    Signature updated on 02-11-2015 05:57:13
    Product Version: 4.7.205.0
    Service Version: 4.7.205.0
    Engine Version: 1.1.11302.0
    AS Signature Version: 1.191.4588.0
    AV Signature Version: 1.191.4588.0
    2015-02-11T05:57:15.492Z IWscAVStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:15.492Z IWscASStatus::UpdateStatus() succceeded writing instance with state (1) and up-to-date state(1)
    2015-02-11T05:57:40.982Z Process scan (postsignatureupdatescan) started.
    2015-02-11T05:57:50.420Z Process scan (postsignatureupdatescan) completed.
    2015-02-11T06:06:47.173Z AutoPurgeWorker triggered with dwWork=0x3
    2015-02-11T06:06:47.173Z Product supports installmode: 0
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
    2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
    2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
    2015-02-11T06:06:47.844Z Detection State: Finished(0) Failed(0) CriticalFailed(0) Additional Actions(0)
    The EndpointProtectionAgent.log shows:
    Endpoint is triggered by message. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    File C:\WINDOWS\ccmsetup\SCEPInstall.exe version is 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP version 4.7.205.0 is already installed. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    EP 4.7.205.0 is installed, version is higher than expected installer version 4.5.216.0. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Re-apply EP AM policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Apply AM Policy. EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Create Process Command line: "c:\Program Files\Microsoft Security Client\\ConfigSecurityPolicy.exe" "C:\WINDOWS\CCM\EPAMPolicy.xml". EndpointProtectionAgent 11/02/2015 12:12:00 2692 (0x0A84)
    Applied the C:\WINDOWS\CCM\EPAMPolicy.xml with ConfigSecurityPolicy.exe successfully. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Save new policy state 1 to registry SOFTWARE\Microsoft\CCM\EPAgent\PolicyApplicationState EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    State 1 and ErrorCode 0 and ErrorMsg  and PolicyName Default Client Antimalware Policy
    SCEP Standard Desktop EP Policy and GroupResolveResultHash 5E75089B490B85DD66BBA85BC91E15A5EA853B9C is NOT changed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Skip sending state message due to same state message already exists. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Firewall provider is installed. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Installed firewall provider meet the requirements. EndpointProtectionAgent 11/02/2015 12:12:01 2692 (0x0A84)
    Could anyone provide any pointers on why the scheduled scan won't work?
    Jaz

    Hi,
    Please verify if any GPO applied and overwrite the setting, you can check registry key:
    http://blogs.technet.com/b/mspfe/archive/2013/11/13/system-center-configuration-manager-2012-scep-policy-behavior.aspx
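To act on the reply above you need two things side by side: what the engine actually scheduled after the policy apply, and whether a policy key is overriding the local scan settings. This added example (not from the thread) decodes the Task(...) lines from the MPLog excerpt into readable next-run times and periods, then dumps the scheduled-scan values from the policy key next to the local key. The three log lines are copied from the excerpt above; the MPLog path and the Scan value names (ScheduleDay, ScheduleTime, ScanParameters) are assumptions taken from the Windows Defender key layout, not from the thread.

```powershell
# Added example, not part of the thread. Decodes MPLog Task(...) scheduling
# lines and shows policy vs local scheduled-scan registry values.
# Assumed: MPLog location and Scan value names (from the Defender layout).
$sampleLog = @'
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges) is scheduled to run in 604800000(ms) from now with period 21957080(ms)
2015-02-11T06:06:47.173Z Task(SignatureUpdate -ScheduleJob -RestrictPrivileges) is scheduled to run in 28800000(ms) from now with period 28800000(ms)
2015-02-11T06:06:47.173Z Task(Scan -ScheduleJob -RestrictPrivileges -ScanType 2) is scheduled to run in 86400000(ms) from now with period 70114864(ms)
'@ -split "`r?`n"

function ConvertFrom-MpTaskLine {
    param([string[]]$Line)
    $re = '^(?<ts>\S+)\s+Task\((?<task>[^)]*)\) is scheduled to run in (?<delay>\d+)\(ms\) from now with period (?<period>\d+)\(ms\)'
    foreach ($l in $Line) {
        if ($l -notmatch $re) { continue }
        $loggedUtc = [datetimeoffset]::Parse($Matches.ts).UtcDateTime
        [pscustomobject]@{
            Task       = $Matches.task
            LoggedUtc  = $loggedUtc
            NextRunUtc = $loggedUtc.AddMilliseconds([double]$Matches.delay)
            Delay      = [timespan]::FromMilliseconds([double]$Matches.delay)
            Period     = [timespan]::FromMilliseconds([double]$Matches.period)
        }
    }
}

# Sample lines from the post; for a live client replace $sampleLog with
#   Get-Content "$env:ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-*.log"   (assumed path)
ConvertFrom-MpTaskLine $sampleLog | Format-Table Task, NextRunUtc, Delay, Period -AutoSize

# Policy key wins over the local key; if the two disagree, something (GPO or
# ConfigMgr) is setting the schedule from outside the client UI.
$scanKeys = [ordered]@{
    Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\Scan'
    Local  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Scan'
}
foreach ($src in $scanKeys.Keys) {
    $key = $scanKeys[$src]
    if (-not (Test-Path -LiteralPath $key)) { "{0}: key absent ({1})" -f $src, $key; continue }
    Get-ItemProperty -LiteralPath $key |
        Select-Object @{ n = 'Source'; e = { $src } }, ScheduleDay, ScheduleTime, ScanParameters |
        Format-List
}
```

Decoded, the excerpt shows the first Scan task queued 7 days out and the ScanType 2 task 1 day out from the policy apply, which is the kind of fact to line up against the time shown in the client properties before changing anything. ScheduleTime is minutes after midnight and ScheduleDay 0 means every day in the Defender layout this assumes; confirm against the Endpoint Protection documentation for your version.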

  • SCCM 2012 and SQL 2008 R2 Sync problems

    Hi
    I installed 2 servers for SCCM 2012:
    -1 with SCCM 2012, FEP, WSUS console admin
    -1 with SQL Server 2008 R2 complete install, WSUS complete install
    When I run the synchronization, or the system runs it, it shows this error in SMS_WSUS_SYNC_MANAGER:
    Error 6703: 
    WSUS Synchronization failed.
     Message: Failed to sync some of the updates.
     Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates.
    And in the wsyncmgr.log appears:
    sync: SMS synchronizing updates, processed 3336 out of 3368 items (99%), ETA in 00:00:06  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:14:11.663+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3360 out of 3392 items (99%), ETA in 00:00:06  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:15:11.669+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3383 out of 3415 items (99%), ETA in 00:00:07  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:16:13.206+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3412 out of 3444 items (99%), ETA in 00:00:07  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:17:14.152+300><thread=4640 (0x1220)>
    Synchronized update 3a572bd0-5976-4abc-b2d8-955008c5466f - Definition Update for Microsoft Security Essentials - KB972696 (Definition 1.131.558.0).  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:17:18.227+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3446 out of 3463 items (99%), ETA in 00:00:04  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:18:14.400+300><thread=4640 (0x1220)>
    Synchronized update 3eeb75c2-81aa-4cc0-9b7a-237a6a0bf737 - Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.131.574.0).  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:18:47.964+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3482 out of 3484 items (99%), ETA in 00:00:00  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:19:15.587+300><thread=4640 (0x1220)>
    Synchronized update 74e86346-9384-4304-9625-2c865738c552 - Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.131.574.0).  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.659+300><thread=4640 (0x1220)>
    sync: SMS synchronizing updates, processed 3508 out of 3508 items (100%)  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.662+300><thread=4640 (0x1220)>
    Sync failures summary:  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.664+300><thread=4640 (0x1220)>
    Failed to sync update 1ba2d28f-75fe-49d7-9cb4-cd39b8706f48. Error: Failed to get SQL connection. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.UpdatesManager.UpdatesManagerClass.RemoveUpdate  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.666+300><thread=4640 (0x1220)>
    Failed to sync update 8a042978-e6d7-4ae6-b3ab-687d8f9bcd9c. Error: Failed to get SQL connection. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.UpdatesManager.UpdatesManagerClass.RemoveUpdate  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.669+300><thread=4640 (0x1220)>
    Failed to sync update a3aff37b-ad3b-4dde-9464-767a516c76e5. Error: Failed to get SQL connection. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.UpdatesManager.UpdatesManagerClass.RemoveUpdate  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:05.671+300><thread=4640 (0x1220)>
    Sync failed: Failed to sync some of the updates. Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.421+300><thread=3536 (0xDD0)>
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=GDVSCCM1.gdar.local SITE=CRP PID=1908 TID=3536 GMTDATE=mar jul 24 14:20:06.423 2012 ISTR0="Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates"
    ISTR1="Failed to sync some of the updates" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.425+300><thread=3536 (0xDD0)>
    Sync failed. Will retry in 60 minutes  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.501+300><thread=3536 (0xDD0)>
    Setting sync alert to active state on site CRP  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.503+300><thread=3536 (0xDD0)>
    Updated 173 items in SMS database, new update source content version is 36  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.526+300><thread=3536 (0xDD0)>
    Set content version of update source {6A4B4446-1B80-4CF4-838D-405D3847A8E3} for site CRP to 36  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.572+300><thread=3536 (0xDD0)>
    Sync time: 0d00h19m46s  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 09:20:06.575+300><thread=3536 (0xDD0)>
    Wakeup by SCF change  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 10:00:06.651+300><thread=3536 (0xDD0)>
    Next scheduled sync is a retry sync at 24/07/2012 10:20:06 a.m.  $$<SMS_WSUS_SYNC_MANAGER><07-24-2012 10:00:11.940+300><thread=3536 (0xDD0)>
    Why does this happen?
    Thanks
    Doc MX

    Hi
    Today I think I discovered what the problem was:
    I used a domain user to deploy the SUP role, but I forgot to put that user in the SQL Admins group of the SQL Server.
    I did that and, after restarting the servers, the SQL sync error did not appear again, at least from this morning until now; before this change, error 6703 appeared every hour.
    Thanks to all for your comments.
    Doc MX
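The fix above worked by granting the SUP account broad rights on the SQL instance. Before doing the same, it is worth seeing what the account actually holds, which is what this added example does (not code from the thread or from ConfigMgr): from a machine with SQL access it checks that the SUP connection account has a login on the WSUS instance, whether that login is disabled or already sysadmin, and which database roles it is mapped to in the WSUS database. Assumed, not from the thread: the instance and account names are placeholders, the WSUS database uses its default name SUSDB, and the caller can read the catalog views. The account name is passed as a SQL parameter rather than spliced into the query text.

```powershell
# Added example, not part of the thread. Reports the SQL login and role
# membership of the Software Update Point connection account.
# Assumed: placeholder names below; WSUS database named SUSDB.
$SqlInstance = 'WSUSSQL01'          # placeholder: WSUS SQL host or host\instance
$SupAccount  = 'GDAR\svc-sccm-sup'  # placeholder: SUP connection account (DOMAIN\user)
$WsusDb      = 'SUSDB'

function Invoke-SqlQuery {
    # Parameterised helper: the account name never becomes part of the SQL text.
    param([string]$Instance, [string]$Database, [string]$Query, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=$Database;Integrated Security=SSPI")
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Query
    foreach ($k in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Parameters[$k]) }
    $table = New-Object System.Data.DataTable
    try { $conn.Open(); $table.Load($cmd.ExecuteReader()) } finally { $conn.Dispose() }
    return ,$table
}

function Test-SupSqlAccess {
    param([string]$Instance, [string]$Account, [string]$Database)
    # Server level: does a login exist, is it enabled, is it (over-)privileged?
    $login = Invoke-SqlQuery -Instance $Instance -Database 'master' -Parameters @{ Login = $Account } -Query @'
SELECT sp.name, sp.type_desc, sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = @Login
'@
    if ($login.Rows.Count -eq 0) {
        return [pscustomobject]@{ Account = $Account; Status = 'No SQL login on the instance'; Roles = @() }
    }
    if ($login.Rows[0].is_disabled) {
        return [pscustomobject]@{ Account = $Account; Status = 'Login exists but is disabled'; Roles = @() }
    }
    # Database level: map the login to its user in the WSUS database by SID and list roles.
    $roles = Invoke-SqlQuery -Instance $Instance -Database $Database -Parameters @{ Login = $Account } -Query @'
SELECT dp.name AS db_user, r.name AS db_role
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE sp.name = @Login
'@
    $status = if ($login.Rows[0].is_sysadmin -eq 1) { 'sysadmin on the instance' }
              elseif ($roles.Rows.Count -eq 0) { "Login exists but has no user in $Database" }
              else { "Mapped to a user in $Database" }
    [pscustomobject]@{
        Account = $Account
        Status  = $status
        Roles   = @($roles | ForEach-Object { $_.db_role } | Where-Object { $_ -isnot [DBNull] })
    }
}

Test-SupSqlAccess -Instance $SqlInstance -Account $SupAccount -Database $WsusDb | Format-List
```

"No SQL login on the instance" is the state that produces the "Failed to get SQL connection" lines in wsyncmgr.log above. Membership in sysadmin makes the error go away, but it also lets that service account read and alter every database on the instance; if the instance is shared, prefer a login mapped only into the WSUS database and add roles until the sync succeeds.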
