Reporting and Detection
After we'd created our policies, we were ready to deploy them via Active Directory. From the FCS console we assigned one of the policies we'd drafted to a Security Group or an Organizational Unit, which triggered the creation of a new Group Policy Object consisting of a number of specific registry changes, which Forefront then automatically linked to our targeted AD object. We could also assign the FCS policy directly to an existing GPO, or we could copy it to a file for manual distribution using FCS's command-line policy distribution tool.

The FCS console presents a dashboard with an executive-level view of the deployment, giving at-a-glance insight into the ratio of clients reporting issues versus those without problems and those that have not reported in recently. The dashboard also presents quick links to create a variety of summary reports that provide a top-level view of infection status with total systems affected, aggregate malware reports and enterprise-wide security state assessments. We particularly liked the Deployment Summary report, which breaks down the status of policy deployment, spyware and anti-virus signature distribution, and client engine deployment onto a single page, and even singles out some of the information on a per-security-policy basis. From these high-level reports, we could quickly drill down to more specific details and instances as needed by administrators tasked with resolving the problems, for instance identifying exactly which patches are missing and which unnecessary services are present on a specific machine on the network. The reports are initially presented as a Web page, but we could easily export them to XML, CSV, Excel or PDF formats. Using the included MOM reporting engine, we could access the same reports as above plus a few others, or design our own reports with the SQL Report Builder. We found we could use the MOM reporting engine to schedule periodic snapshot reports to provide regular insight into ongoing system behavior.
Detection
In our malware detection tests, we quickly noticed that FCS's real-time file system protection did not initially work in our tests using virtualized client instances. For instance, with all protections enabled, we were able to download our malware bundles to the virtualized client's hard drive from the Web, a file share or a thumb drive. Fortunately, the real-time protections worked as expected on a Windows XP-based laptop client, and we suspect that FCS does not interact in the expected fashion with VMware's virtualized disk drives. Although this circumstance is certainly not a deal breaker, it may hinder the FCS testing process in some organizations. During a disk sweep, FCS did detect 10 different malware strains infecting 14 of our sample files. The Windows Filter Manager, meanwhile, helped identify these plus four additional infected bundles during installation, before they could take root on our system. However, our malware test suite consisted of 29 different executables known to contain malware (a mix of viruses, adware, trojans and other malware), which added up to a lackluster 62 percent (18 of 29) detection rate. We verified this by individually submitting the samples to www.virustotal.com, which ran each of our samples through 31 different scanners and assessment solutions. But even this marginal success was tempered by some buggy behavior. When we found the malware with our manual scan, we noticed the icon in the system tray changed from its usual state (a green check mark) to a warning (a red X). When we closed the client interface without choosing a course of action to clean the found infections, we discovered that the next time we opened the interface, the system tray icon had reverted to a green check mark, and the history contained no mention of the previous scan's findings. Findings were correctly reported to the central console, however.
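The detection test above involves three protection layers (real-time file-system protection, the manual disk sweep, and the Filter Manager hook at install time), a multi-scanner reference check, and a client whose local history silently lost findings that the console still held. The following harness is an added example, not code from the eWEEK review or from Microsoft's FCS; it tallies per-layer and overall coverage over a constructed eight-sample set, ranks misses by reference-scanner consensus, and reconciles console-recorded findings against each client's local history to surface the kind of reset the review observed. The sample names and outcomes are constructed, and the 31-engine reference set size is assumed from the review's VirusTotal figure.

```python
"""Added example (not from the review or from Microsoft): tally layered
endpoint anti-malware test results and reconcile client history against
the central console. All sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SampleResult:
    name: str             # constructed sample identifier, not a real file name
    on_access: bool       # real-time file-system protection stopped the download/copy
    on_demand: bool       # manual or scheduled disk sweep found it
    install_filter: bool  # Filter Manager hook caught it during installation
    reference_hits: int   # engines in the multi-scanner reference set that flagged it


# Size of the reference scanner set (assumed; the review cites 31 engines).
REFERENCE_ENGINES = 31

# Constructed test set: eight "known bad" samples and their per-layer outcomes.
SAMPLES: List[SampleResult] = [
    SampleResult("sample-01", False, True, False, 29),
    SampleResult("sample-02", False, True, True, 30),
    SampleResult("sample-03", False, False, True, 27),
    SampleResult("sample-04", False, False, False, 31),  # missed by every layer
    SampleResult("sample-05", True, True, False, 25),
    SampleResult("sample-06", False, False, False, 4),   # missed, low consensus
    SampleResult("sample-07", False, True, False, 22),
    SampleResult("sample-08", False, False, True, 18),
]


def detected(r: SampleResult) -> bool:
    """A sample counts as detected if any protection layer caught it."""
    return r.on_access or r.on_demand or r.install_filter


def coverage(samples: List[SampleResult]) -> Dict[str, object]:
    """Per-layer and overall detection counts, plus misses split by consensus."""
    total = len(samples)
    caught = [s for s in samples if detected(s)]
    misses = sorted((s for s in samples if not detected(s)),
                    key=lambda s: s.reference_hits, reverse=True)
    threshold = REFERENCE_ENGINES // 2
    return {
        "total": total,
        "on_access": sum(s.on_access for s in samples),
        "on_demand": sum(s.on_demand for s in samples),
        "install_filter": sum(s.install_filter for s in samples),
        "detected": len(caught),
        "rate_percent": round(100.0 * len(caught) / total) if total else 0,
        # Misses that most reference engines flag are the ones worth escalating
        # to the vendor; low-consensus misses may be false positives in the set.
        "high_consensus_misses": [s.name for s in misses
                                  if s.reference_hits >= threshold],
        "low_consensus_misses": [s.name for s in misses
                                 if s.reference_hits < threshold],
    }


def history_gaps(console_events: Dict[str, List[str]],
                 client_history: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Findings the console holds for a host that the host's own scan history
    no longer lists. A non-empty result means the client UI lost state and an
    operator relying on the local history would miss unresolved infections."""
    gaps: Dict[str, List[str]] = {}
    for host, findings in console_events.items():
        local = set(client_history.get(host, []))
        missing = [f for f in findings if f not in local]
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    report = coverage(SAMPLES)
    print(f"detected {report['detected']}/{report['total']} "
          f"({report['rate_percent']}%)")
    print("escalate:", report["high_consensus_misses"])
    # Constructed console vs. client records for two hosts.
    console = {"hostA": ["sample-01", "sample-02"], "hostB": ["sample-07"]}
    client = {"hostA": ["sample-01"], "hostB": ["sample-07"]}
    print("history gaps:", history_gaps(console, client))
```

The consensus split matters when reading a low detection rate: a miss that 31 of 31 reference engines flag is a signature gap to raise with the vendor, while a miss that only a handful flag may say more about the test set than about the product. The history check is the console-side control for the tray-icon reset described above, since the console, not the client UI, turned out to be the reliable record.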
Hayden acknowledged that FCS has not yet coped with some minor threats (like toolbars) around his network as well, but he was quite happy with the software's performance nonetheless. FCS had already detected many malware instances around his network that Analog's previous solution had missed. But more importantly, Hayden said Microsoft's Premier Support Services were ready to assist when an outbreak hit the network. Microsoft's team even went so far as to accept a full disk image to help isolate an unknown infection, something his previous AV vendor was unwilling to do.

Senior Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.