Configuring a client to detect unknown devices

Article:HOWTO27421  |  Created: 2010-01-08  |  Updated: 2010-01-20  |  Article URL
Article Type
How To



Configuring a client to detect unknown devices

Unauthorized devices can connect to the network in many ways, such as physical access in a conference room or rogue wireless access points. To enforce policies on every endpoint, you must be able to quickly detect the presence of new devices. Unknown devices are the devices that are unmanaged and that do not run the client software. You must determine whether the devices are secure. You can enable any client as an unmanaged detector to detect the unknown devices.

When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the management server. The management server searches the ARP packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.

You can configure the unmanaged detector to ignore certain devices, such as a printer. You can also set up email notifications to notify you when the unmanaged detector detects an unknown device.

To configure the client as an unmanaged detector, you must do the following actions:

  • Enable Network Threat Protection.

  • Switch the client to computer mode.

    See Switching a client between user mode and computer mode.

  • Install the client on a computer that runs all the time.

  • Enable only Symantec Endpoint Protection clients as unmanaged detectors.

    A Symantec Network Access Control client cannot be an unmanaged detector.

To configure a client to detect unauthorized devices

  1. In the console, click Clients.

  2. Under View Clients, select the group that contains the client that you want to enable as an unmanaged detector.

  3. On the Clients tab, right-click the client that you want to enable as an unmanaged detector, and then click Enable as Unmanaged Detector.

  4. To specify one or more devices to exclude from detection by the unmanaged detector, click Configure Unmanaged Detector.

  5. In the Unmanaged Detector Exceptions for client name dialog box, click Add.

  6. In the Add Unmanaged Detector Exception dialog box, click one of the following options:

    • Exclude detection of an IP address range, and then enter the IP address range for several devices.

    • Exclude detection of a MAC address, and then enter the device's MAC address.

  7. Click OK.

  8. Click OK.

To display the list of unauthorized devices that the client detects

  1. In the console, click Home.

  2. On the Home page, in the Security Status section, click More Details.

  3. In the Security Status Details dialog box, scroll to the Unknown Device Failures table.

  4. Close the dialog box.

    You can also display a list of unauthorized devices on the Unknown Computers tab of the Find Unmanaged Computers dialog box.

    For more information, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices