Performing SCEP operational tasks using the SCCM console

When the term Operation Task is used in the context of an AV solution, it generally refers to something such as kicking off a non-scheduled quick or full scan, or perhaps forcing an out-of-band definition update. These are things you would likely be doing in response to malware detection or a malware outbreak.

Having a solid understanding of how these tasks can be accomplished within SCEP will help you to respond quickly to a developing situation.

This recipe has been written in accordance with a scenario in which an administrator is responding to a malware detection alert on a specific PC. For the purposes of this scenario, it is assumed that the administrator's corporate security policy dictates that any PC that has a malware detection alert has to receive an out-of-band definition update and must run a full scan.

Getting ready

To complete this recipe, you will need to be using an account that has at least the SCEP administrator role granted to it.

How to do it...

Follow these steps:

  1. Log into your SCCM CAS server and launch the SCCM 2012 management console.
  2. Type the name of the client system that you wish to target into the search bar and press Enter.
  3. The target system should now be the only one in the list, as shown in the following screenshot:
  4. To review this PC's individual malware history, first select the PC from the list, and then click on Malware Detail at the bottom of the interface, as shown in the following screenshot:
  5. To force an unscheduled definition update on this client, right-click on the PC name in the center of the interface. Select Endpoint Protection, and then left-click on Download Definition. Click on OK on the information pop-up window to complete this step, as shown in the following screenshot:
  6. It's usually a good idea to wait for about 10 minutes after sending the download definition command before proceeding to the next step. This gives the target client time to download the new definition file before you kick off a scan.
  7. To force a full scan, right-click again on the PC's name, select Endpoint Protection, and then left-click on Full Scan. Click on OK on the information pop-up window to complete the task.
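
The same sequence as steps 5 to 7, run locally on a single SCEP client, as an added example; this is not code from the recipe or from Microsoft, and it is useful when you are already on the affected box doing triage rather than at the console. It assumes that SCEP's MpCmdRun.exe lives under "Microsoft Security Client" in Program Files and that the current definition version is readable from the AVSignatureVersion value of the "Microsoft Antimalware\Signature Updates" registry key (both are assumptions to check on your build). Instead of the fixed 10 minute wait of step 6, it polls for the definition version to change, with a timeout.

```powershell
# Added example, not from the recipe: step 5 to 7 equivalents on one SCEP client.
# Assumptions (verify on your build): MpCmdRun.exe path and the registry
# value used to read the current definition version.
param(
    [int]$TimeoutMinutes = 10   # upper bound on the step 6 wait
)

$MpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'   # assumed path
$SigKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'      # assumed key

if (-not (Test-Path $MpCmdRun)) {
    throw "MpCmdRun.exe not found at $MpCmdRun (assumed SCEP install path)"
}

function Get-SignatureVersion {
    # Assumption: AVSignatureVersion holds the current AV definition version string
    (Get-ItemProperty -Path $SigKey -ErrorAction SilentlyContinue).AVSignatureVersion
}

$before = Get-SignatureVersion
Write-Host "Current definition version: $before"

# Step 5 equivalent: ask the client for an out-of-band definition update from
# whichever source its SCEP policy lists first (WSUS, Microsoft Update, ...)
& $MpCmdRun -SignatureUpdate | Out-Null

# Step 6 equivalent: poll until the version changes or the timeout elapses.
# Hitting the timeout usually means the configured source had nothing newer,
# which is the WSUS caveat described under "How it works...".
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $after = Get-SignatureVersion
} while ($after -eq $before -and (Get-Date) -lt $deadline)

if ($after -eq $before) {
    Write-Warning "No newer definition within $TimeoutMinutes minutes; scanning with $before"
} else {
    Write-Host "Definition updated: $before -> $after"
}

# Step 7 equivalent: full scan (ScanType 2 is a full scan, 1 is a quick scan)
& $MpCmdRun -Scan -ScanType 2
Write-Host "Full scan finished with exit code $LASTEXITCODE"
```

Run it from an elevated PowerShell prompt on the client; the exit code of the scan and the warning about an unchanged definition version are the two things worth recording in the incident notes, since the latter tells you the policy's definition source did not have anything newer to hand out.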

How it works...

As you can see from this recipe, SCEP's integration with the right-click menu in SCCM 2012 makes most operational tasks a snap to complete. Typically, the hardest part of the procedure is finding the target system in a list of potentially thousands of workstations and servers.

This is mitigated by the built-in search function of the SCCM console; by going to the All Systems collection and searching there, you are guaranteed to find any machine on your network that has an SCCM client. In a large corporate network with tens of thousands of systems, searching the All Systems collection can take a while to return results. If you are certain that the PC you are looking for is a member of a smaller sub-collection, it may be less time-consuming to search against that collection instead.

It's also worth mentioning that the definition source your clients will go to for a new definition is defined in their SCEP policy. For example, if your SCEP policy lists WSUS as the first definition source, then a client that receives the definition update command will go to WSUS for a new definition. This means that if WSUS does not have a newer SCEP definition than the client already has, nothing will happen. If you are dealing with an outbreak and want clients to have the absolute newest definitions, it is a good idea to perform a manual synchronization of your definition update sources beforehand.

Pushing tasks to multiple systems

But wait, what if you're getting malware hits from multiple PCs all at the same time and you want all of them to run a full scan with the latest definitions? Well, you're in luck (apart from the part where multiple machines on your network are detecting malware): you can select multiple machines in a collection at the same time using the Shift key, then right-click and push a SCEP task to all of them at once.

A word of caution, though: it's probably not a good idea to select a huge number of PCs at the same time to do this. Selecting every computer in the All Systems collection and telling them all to do a full scan would probably result in a Resume Generating Event (RGE), as it would likely bring your network to a screeching halt.

If you are dealing with a major virus outbreak and you want every computer on your network to do a full scan for peace of mind, it's probably a better idea to modify the existing SCEP policies to perform a full scan in the near future, rather than waiting for the normally scheduled scan time to come around. It takes a little while for policy changes to replicate, but the full scans will run in a smoother, staggered fashion.
