Endpoint Protection

 View Only
  • 1.  AV settings - Outlook Auto-Protect

    Posted Nov 05, 2010 04:13 PM

    In SEPM, editing the AV and Antispyware policy there is a MS Outlook Auto-Protect setting that allows me to uncheck the "Enable Microsoft Outlook Auto-Protect".

    How is unchecking this any different than in the Client Install Feature Set unchecking the box "Antivirus Email Protection"?

     

    Thanks!



  • 2.  RE: AV settings - Outlook Auto-Protect

    Posted Nov 05, 2010 04:32 PM

    Unchecking in the install will simply not add the feature to the client install package and hence not install on the client the package is distributed to.

    Consequently, if you have multiple groups, and multiple packages created and distributed to said groups, some clients might have this feature installed.

    If you had not unchecked during installation, as opposed to having to create a new package and deploy a second time, you can simply disable the feature. 

    Because groups have inheritience, you can theoretically remove this for all groups, or by removing inheritance remove from just a single group.

    Moreso, if for example, a machine were to change groups, where the original package installed this, but is no longer required for X reason in the new group, you can alternatively remove it's functionality, even though it is installed.



  • 3.  RE: AV settings - Outlook Auto-Protect

    Posted Nov 05, 2010 04:43 PM

    Nice response.

    I do have different groups and most are not inheriting policies from the parent "My Company" group. I would like to disable the Outlook Auto Protect from a group that has the AV policy shared. If I uncheck that box then wont all the groups be affected since I'm editing a shared policy? How can I make it where only that specific group is not enabled for MS Outlook Auto Protect?

    Also, for testing purposes I created a new group and edited the install feature for no AV email protection and I moved a computer that had email protection into that group and it uninstalled/installed its self with out problems. So it seems that if I uncheck the option for no email protection on the non test group there will hopefully be no issues. (restarts, etc)



  • 4.  RE: AV settings - Outlook Auto-Protect

    Posted Nov 05, 2010 05:29 PM

    To assign a new/different policy on a group you dont' have to edit the same policy or make it Non-Shared.

     

    Go to SEPM -Poilcies--AV

    Create/Add a new policy and then assign it to the group you want.

     

    Unchecking Email protection in Policy= Disabling Email Protection

    Unchecking Email Protection in Feature set= Not Installing Email Protection on your system.



  • 5.  RE: AV settings - Outlook Auto-Protect

    Posted Nov 09, 2010 10:12 AM

    You can also, remove the inherit from a group.  The policies that are in place will remain the same, as they had already been inherited from the parent group.

    From here, what you can do, is next to the rules you want to assign/change, you can click on tasks and edit.  A prompt will ask you, since the original was inherited, if you want to edit shared- meaning all policies, even though you are not sharing or edit non-shared.  By editing non-shared, only the policy you are modifying in your group will be changed. 

    If you choose to keep the existing name of the policy that you are modifying, I beleive the "new policy" will be created (in the policies tab on the left) and will be given the name of the group it was created for- by default.

    By going to policies tab on the left however, and making a copy of the existing policy and than giving it a name, you can choose to assign this policy to a group. Because of how SEP is designed, you cannot have 2 of the same Type of policy in a single group. 

    For example, if you have FW_Policy1 assigned to a parent and create FW_Policy2 and assign it to a child group; you would not be allowed inheritance of all the other policies to the child group.  Thus inheritance would need to be turned off to assign the policy. 

    There is no advantage etiher way, as it will create a policy in the same location as your other, already existing policies.

    The disadvantage, is the need to modify multiple policies in order to accomplish certain tasks or make "global changes" if you have many individual policies assigned to non-inheriting groups.

    Making changes through the policy tab however, will modify all the groups assigned that policy even if "inheritance" is not set.  Because the policy is assigned to multiple groups.

    Sorry for repetitiveness and redundancy in here.  Tried to read over, but definitely need of a coffee this morning.