
Device Protection with Microsoft Endpoint Manager and Microsoft Defender for Endpoint

Module 05: CAMP and Security Intelligence Updates

Microsoft Services
V04.21-2010
Module Overview
• What is CAMP?
• How is EP updated?
• Lab 05: Endpoint Protection Updates
Module 05: CAMP and Security Intelligence Updates

What is CAMP?

Microsoft Confidential
What is CAMP?
Common Anti-malware Platform (CAMP)
• The common platform underlying all of Microsoft's antimalware clients.
• 660 million executions of the Malicious Software Removal Tool per month.
• All of these clients are served by Microsoft's protection and response services.

Figure: CAMP-based clients. Microsoft Intune / Microsoft Endpoint Manager; System Center Endpoint Protection; Forefront Endpoint Protection 2010; Microsoft Azure Endpoint Protection; Microsoft Security Essentials; Diagnostics and Recovery Toolkit; Malicious Software Removal Tool; Microsoft Defender; Microsoft Defender Offline.
What is CAMP?
Common Client
• Built on the proven success of Microsoft Security Essentials (MSE).
• One common client across Microsoft security products: MSE, FEP, Intune, SCEP and Microsoft Defender.
Module 05: CAMP and Security Intelligence Updates

How is EP Updated?

How is EP Updated?
Security Intelligence Updates (Definition Updates):
• Multiple methods and sources are available to update antimalware definitions.
• The Endpoint Protection/Defender client works through its configured source list in order and stops at the first source that delivers the update.
• The order can be changed to suit organizational need; the available sources are:
  • Configuration Manager
  • WSUS
  • Microsoft Update
  • Microsoft Malware Protection Center (MMPC)
  • Universal Naming Convention (UNC) file shares
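The source order above is set on the client (by antimalware policy, Group Policy or directly). The following is an added example, not part of the course material: it configures the order with the Defender PowerShell cmdlets, adds a UNC share as the last-resort source, forces an update, and checks that the signature version and age actually changed rather than trusting the cmdlet's exit code. The share \\FS01\Definitions is hypothetical; run elevated on a client with the Defender module.

```powershell
# Added example (not from the course material): configure the Microsoft Defender /
# Endpoint Protection client's definition-update source order, force an update and
# verify the result. Assumes an elevated session on a Windows client with the
# Defender PowerShell module; \\FS01\Definitions is a hypothetical UNC share.

# The slide's source list in Set-MpPreference vocabulary:
#   InternalDefinitionUpdateServer = WSUS / Configuration Manager software update point
#   MicrosoftUpdateServer          = Microsoft Update
#   MMPC                           = Microsoft Malware Protection Center (direct download)
#   FileShares                     = UNC file shares
$fallbackOrder = 'InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC|FileShares'
$fileShares    = '\\FS01\Definitions'   # hypothetical share

Set-MpPreference -SignatureFallbackOrder $fallbackOrder
Set-MpPreference -SignatureDefinitionUpdateFileSharesSources $fileShares

function Get-DefinitionState {
    # Snapshot of the versions the client reports; the same fields the lab asks you to check.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Engine        = $s.AMEngineVersion
        AVSignature   = $s.AntivirusSignatureVersion
        NISSignature  = $s.NISSignatureVersion
        AVLastUpdated = $s.AntivirusSignatureLastUpdated
        AVAgeDays     = $s.AntivirusSignatureAge
    }
}

$before = Get-DefinitionState

# Update-MpSignature walks the configured fallback order. Passing -UpdateSource pins
# a single source, which is how you test one link of the chain in isolation.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Warning "Update through the configured order failed: $($_.Exception.Message)"
    Write-Warning 'Retrying directly against Microsoft Update'
    Update-MpSignature -UpdateSource MicrosoftUpdateServer
}

$after = Get-DefinitionState
$before, $after | Format-Table -AutoSize

# A signature age above your threshold after a "successful" run means the client is
# reading a stale source (typically an unmaintained UNC share, or a SUP whose ADR
# stopped running); surface that rather than trusting the exit code.
if ($after.AVAgeDays -gt 1) {
    Write-Warning "Antivirus signatures are $($after.AVAgeDays) day(s) old; check the first source in '$fallbackOrder'."
}
```

Putting FileShares last keeps an internal share from masking a broken SUP or WSUS path: the share is only consulted when every managed source has failed, which is also the order you want in an audit trail.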
How is EP Updated?
Signature Update Distribution
• Easier distribution process:
  • Automatic deployment rules within ConfigMgr software updates.
• Minimizes WAN impact:
  • Uses distribution points and a reduced definition size.
  • Internet clients use Microsoft Update as a source.
• Ensures always up-to-date security regardless of the client location.

Figure: On the corporate network, updates are distributed through ConfigMgr, WSUS or a Windows file share; clients on the road fall back to online update from Microsoft Update (delta update size: 50-2048 KB; update frequency: 3 times/day).
How is EP Updated?
Using Software Updates Point
• Configuration Manager software update points (SUPs) can deliver definition updates to client computers:
  • This is done by configuring automatic deployment rules (ADRs).
  • Prerequisite: a Configuration Manager SUP must be configured before an ADR can be created.
• When Configuration Manager is the definition source, the EP client stops polling the other sources in its source order until its definitions are older than the number of hours specified in the antimalware policy.
• Optimized deployment of definition updates.
• Minimal impact on network connections.
• Built-in ADR templates.
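On the client side, an ADR-driven definition deployment arrives like any other software update. The following added example (not from the course material) shows how to see that path from a managed client: it triggers the software updates scan and deployment evaluation cycles, lists the definition updates the SUP has made available, installs them through the ConfigMgr client SDK, and then reads the resulting Defender state. It assumes an elevated session on a client with the Configuration Manager agent and the Defender PowerShell module; the 60-second wait is an arbitrary illustration value.

```powershell
# Added example (not from the course material): on a Configuration Manager client,
# trigger the software-updates scan and deployment evaluation, list definition
# updates made available by the SUP/ADR, and install them. Assumes an elevated
# session on a client with the ConfigMgr agent and the Defender PowerShell module.

$ccmNs = 'root\ccm'
$sdkNs = 'root\ccm\ClientSDK'

# Well-known ConfigMgr client schedule IDs:
#   ...0113 = Software Updates Scan Cycle
#   ...0108 = Software Updates Deployment Evaluation Cycle
$scanCycle = '{00000000-0000-0000-0000-000000000113}'
$evalCycle = '{00000000-0000-0000-0000-000000000108}'

foreach ($id in $scanCycle, $evalCycle) {
    Invoke-CimMethod -Namespace $ccmNs -ClassName SMS_Client -MethodName TriggerSchedule `
        -Arguments @{ sScheduleID = $id } | Out-Null
}

# Give the agent time to scan and evaluate before reading results (tune for your site).
Start-Sleep -Seconds 60

# CCM_SoftwareUpdate lists every update targeted to this client by a deployment,
# including ADR definition deployments. ComplianceState 0 = not compliant (missing).
# Definition updates are titled "Security Intelligence Update ..." (Defender) or
# "Definition Update ..." (SCEP/FEP) on Microsoft Update.
$defUpdates = Get-CimInstance -Namespace $sdkNs -ClassName CCM_SoftwareUpdate |
    Where-Object {
        $_.ComplianceState -eq 0 -and
        ($_.Name -like '*Security Intelligence*' -or $_.Name -like '*Definition Update*')
    }

if (-not $defUpdates) {
    Write-Host 'No pending definition updates from Configuration Manager.'
} else {
    $defUpdates | Select-Object Name, ArticleID, EvaluationState, PercentComplete | Format-Table -AutoSize

    # InstallUpdates expects an array of CCM_SoftwareUpdate instances.
    $result = Invoke-CimMethod -Namespace $sdkNs -ClassName CCM_SoftwareUpdatesManager `
        -MethodName InstallUpdates -Arguments @{ CCMUpdates = [ciminstance[]]$defUpdates }
    Write-Host "InstallUpdates returned $($result.ReturnValue)"
}

# The slide's point: once ConfigMgr is a source, the client only polls the other
# sources (Microsoft Update, MMPC, UNC) when its definitions are older than the
# policy threshold, so this is the version you expect the ADR to have delivered.
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AntivirusSignatureAge, AMEngineVersion
```

If the list stays empty after the scan, the usual causes are an ADR that is not yet enabled or has not run since the last SUP synchronization, or a client outside the ADR's target collection; neither is a client-side fault.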
How is EP Updated?
Endpoint Protection Updates
• Endpoint Protection/Defender clients rely on regular updates:
  • Antimalware and NIS engines: released monthly.
  • Antivirus and antispyware definitions: typically released every eight hours.
  • NIS definitions: released to coincide with the monthly security bulletin release (or as required).
• All content is released to MMPC and Microsoft Update:
  • Distributed for scale and availability.
  • Can be hosted in-house via WSUS or file shares.
• A distributed certification process scans each signature against an ever-growing collection (~25 TB) of known good files, which reduces false positives.
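Hosting the content in-house on a file share means you take over the trust checks that Microsoft Update and WSUS would otherwise do for you. The following added example (not from the course material, and separate from the client-side configuration) stages the packages on a UNC share: it downloads each one, refuses anything without a valid Authenticode signature from a Microsoft signer, never replaces a newer package with an older one, and publishes with a rename so clients never read a half-written file. The share \\FS01\Definitions, the download links and the use of the package's file version as its definition version are assumptions; take the current links from the Microsoft Security Intelligence download page.

```powershell
# Added example (not from the course material): stage Defender / Endpoint Protection
# definition packages on an internal UNC share for clients whose source order includes
# FileShares. Assumptions: \\FS01\Definitions is a hypothetical share; the fwlink URLs
# are placeholders to be replaced with the current published links; the package file
# version is taken to carry the definition version it installs.

$Share   = '\\FS01\Definitions'            # hypothetical share root; clients read the root
$Staging = Join-Path $env:TEMP 'defstage'
New-Item -ItemType Directory -Force -Path $Staging | Out-Null

# The client looks for exactly these file names in the share root.
$packages = @(
    @{ Name = 'mpam-fe.exe';  Url = 'https://go.microsoft.com/fwlink/?LinkID=121721&arch=x64' } # full AV/AS (assumed link)
    @{ Name = 'mpam-d.exe';   Url = 'https://go.microsoft.com/fwlink/?LinkID=211054&arch=x64' } # delta (assumed link)
    @{ Name = 'nis_full.exe'; Url = 'https://go.microsoft.com/fwlink/?LinkID=197094' }          # NIS (assumed link)
)

function Test-MicrosoftSigned {
    param([string]$Path)
    # Refuse anything that is not a valid Authenticode signature from a Microsoft signer.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Get-PackageVersion {
    param([string]$Path)
    # Assumption: the package file version is the definition version it installs.
    return [version](Get-Item $Path).VersionInfo.FileVersion
}

foreach ($p in $packages) {
    $tmp  = Join-Path $Staging $p.Name
    $dest = Join-Path $Share   $p.Name
    Invoke-WebRequest -Uri $p.Url -OutFile $tmp -UseBasicParsing

    if (-not (Test-MicrosoftSigned $tmp)) {
        Write-Warning "$($p.Name): signature check failed; not publishing"
        Remove-Item $tmp -Force
        continue
    }

    # Never roll the share backwards: an older package would silently age every client.
    if (Test-Path $dest) {
        $have = Get-PackageVersion $dest
        $new  = Get-PackageVersion $tmp
        if ($new -le $have) {
            Write-Host "$($p.Name): share already has $have (downloaded $new); skipping"
            Remove-Item $tmp -Force
            continue
        }
    }

    # Copy under a temporary name, then rename, so a client never reads a partial file.
    $partial = "$dest.partial"
    Copy-Item $tmp $partial -Force
    Move-Item $partial $dest -Force
    Write-Host "$($p.Name): published $(Get-PackageVersion $dest)"
}
```

Run this from a scheduled task on the file server at least three times a day, matching the release cadence in the slide; a share that is refreshed less often than the client's update interval will be detected by clients as stale and is the commonest reason a UNC source "works" but leaves definitions days old.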
How is EP Updated?
Definition Packages
• Full (<120 MB):
  • Offered to a new machine, or to one not updated in the last 31 days.
  • The full signature set (called the base) plus any signatures released since the last engine release (delta).
  • Includes the most recent engine.
• Delta (<10 MB):
  • Offered when the client has missed three days of deltas.
  • Contains the incremental signatures added since the last engine release (re-base).
• BDE (<0.5 MB):
  • Updated three times per day.
  • Binary diff of the previous base and engine against the current base and engine, plus the current incremental delta of signatures.
• BDD (~100 KB to ~1 MB):
  • Differs from a delta package in that it carries only the differential content since the previous release, so only new content is offered to the client.
How is SCEP Updated?
Definition Update Offering Logic (Client)
Figure: client state at each step and the package shown with it.
1. First install: signature version 1.41.2000.0, engine version 1.3000.0 (Full package)
2. Signature version 1.42.1500.0, engine version 1.4000.0 (BDE package)
3. Signature version 1.42.1700.0, engine version 1.4000.0 (Delta package)
4. Signature version 1.42.2000.0, engine version 1.4000.0 (BDD package)
Current definition updates available on MU.
How is SCEP Updated?
Updates Detection Logic
• Windows Update Agent (WUA) internal detection logic lets each client download the smallest package size available:
  • The more up to date the client is, the smaller the package it needs to download.
• SCEP definition updates use their own settings (from the antimalware policy) rather than the Software Updates client agent settings in client policy.
Knowledge Measure
• What are the five methods used to update definitions on a client machine?
• What is CAMP?
• What are the different types of definition package downloads?
Module Summary
• CAMP is the Common Anti-Malware Platform for all Microsoft anti-malware clients.
• Signatures can be delivered to clients via multiple methods.
• The more up to date a client is, the smaller its signature package will be.
• Delivering signatures via MECM offers additional flexibility and control.
Lab 05: Endpoint Protection Updates

Exercise 1: Definition Deployment
Exercise 2: Install Definition Updates from a UNC.
Exercise 3: Set up Configuration Manager Software Updates to Deliver Definition Updates to Client Computers.
Exercise 4: Install SCEP Signatures as Software Updates.
© 2015 Microsoft Corporation. All rights reserved.
