Unmanaged Detector in SEP 12.1

Created: 04 Feb 2012 • Updated: 08 Feb 2012 | 16 comments
pete_4u2002's picture
+10 10 Votes

To configure the client as an unmanaged detector, you must do the following actions:

  •  Enable Network Threat Protection.
  •  Switch the client to computer mode.
  •  Install the client on a computer that runs all the time.
  •  Enable only Symantec Endpoint Protection clients as unmanaged detectors.
  •  A Symantec Network Access Control client cannot be an unmanaged detector.

 

To configure a client to detect unauthorized devices

1 In the console, click Clients.

2 Under View Clients, select the group that contains the client that you want to enable as an unmanaged detector.

3 On the Clients tab, right-click the client that you want to enable as an unmanaged detector, and then click Enable as Unmanaged Detector.

4 To specify one or more devices to exclude from detection by the unmanaged detector, click Configure Unmanaged Detector.

5 In the Unmanaged Detector Exceptions for client name dialog box, click Add.

6 In the Add Unmanaged Detector Exception dialog box, click one of the following options:

  •  Exclude detection of an IP address range, and then enter the IP address range for several devices.

  •  Exclude detection of a MAC address, and then enter the device's MAC address.

7 Click OK.

8 Click OK.

 

To display the list of unauthorized devices that the client detects

1 In the console, click Home.

2 On the Home page, in the Security Status section, click More Details.

3 In the Security Status Details dialog box, scroll to the Unknown Device Failures table.

4 Close the dialog box.

16 Comments

Swapnil khare's picture

Nice one

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

 

+1
pete_4u2002's picture
0
Jakesty's picture

I have added exclusions, but they still show up in the list.  I'm using the IP address range to block monitoring things like network printers, etc.

What else is missing?

 

thanks, Jake

0
sadelphin's picture

Is there a way to add multiple MAC addresses to exclude? Like importing from a file.

0
pete_4u2002's picture

You can add multiple MAC addresses one by one. We cannot import a file to exclude.

0
sadelphin's picture

What if I have 400 MAC IDs to exclude?

0
pete_4u2002's picture

Maybe we can add it as an IDEA; going to add it in some time.

0
sadelphin's picture

Say I add some MAC addresses to the exclusion list. Where will they be saved? In SEPM or on the client? If it's saved in a file somewhere, can we edit that?

0
sadelphin's picture

Thanks pete for directing me in the right direction.

But it seems that in the database the IP address range is hashed somehow.

I've excluded some IP address ranges in the console via Configure Unmanaged Detector. When I query the database I don't see the actual IP address mentioned, only some random number is there... attached screenshot for your reference.

Exclude ip range.PNG
+1
Will C.'s picture

Does your network use the 172.x.x.x range?  It looks like these are just your IP addresses represented by a 4-byte integer.

For instance, if I plug the first entry "2887716761" into my decimal to hex calculator, I get AC 1F 0F 99.  Break this up into the components, and convert them back to decimal: AC=172, 1F=31, 0F=15, 99=153.  So it looks like this is 172.31.15.153.

There are various tools to do this on the Internet, as well as some code examples.

http://www.developmentnow.com/g/96_2005_8_0_0_580868/Convert-Decimal-to-IP.htm
http://www.geektools.com/geektools-cgi/ipconv.cgi

I'm tempted to insert some into our database as well.  This is a good feature, but is just about useless on mixed networks of any size without having a better user interface, especially when you have numerous printers and IP phones to contend with.

+1
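Added example (not part of the thread and not Symantec code): a short Python helper that decodes the 4-byte integers described in the comment above back into readable addresses, so exclusion ranges read from the database can be audited against what was entered in the console. It goes slightly beyond the single conversion in the thread by handling ranges. The `(start, end)` row layout, the signed-integer handling and every sample value except 2887716761 are assumptions made for illustration.

```python
import ipaddress

def int_to_ip(value):
    """Decode a 32-bit integer (network byte order) into an IPv4Address."""
    if -(1 << 31) <= value < 0:
        # Assumption: an export tool rendered the column as signed 32-bit.
        value &= 0xFFFFFFFF
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit IPv4 value: {value}")
    return ipaddress.IPv4Address(value)

def ip_to_int(text):
    """Encode a dotted-quad string as the unsigned integer form."""
    return int(ipaddress.IPv4Address(text))

def decode_ranges(rows):
    """Turn (start_int, end_int) pairs into sorted (first, last) addresses."""
    ranges = []
    for start, end in rows:
        first, last = int_to_ip(start), int_to_ip(end)
        if first > last:
            raise ValueError(f"range is reversed: {first} > {last}")
        ranges.append((first, last))
    return sorted(ranges)

def is_excluded(text, ranges):
    """True if the address falls inside any decoded exclusion range."""
    addr = ipaddress.IPv4Address(text)
    return any(first <= addr <= last for first, last in ranges)

def describe(ranges):
    """One readable line per range: bounds, size and covering CIDR blocks."""
    lines = []
    for first, last in ranges:
        cidrs = ", ".join(
            str(net) for net in ipaddress.summarize_address_range(first, last))
        size = int(last) - int(first) + 1
        lines.append(f"{first} - {last} ({size} addresses): {cidrs}")
    return lines

# Constructed sample rows. Only 2887716761 comes from the thread; the
# second range is made up to show a printer subnet exclusion.
SAMPLE_ROWS = [
    (ip_to_int("172.31.20.0"), ip_to_int("172.31.20.255")),
    (2887716761, 2887716761),
]

if __name__ == "__main__":
    for line in describe(decode_ranges(SAMPLE_ROWS)):
        print(line)
```

Listing the size and CIDR blocks of each range makes an over-broad exclusion, which would hide unmanaged devices from the detector, easy to spot.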
pete_4u2002's picture

Can you check this:

Under Monitors > Notification > View Notifications from Symantec Endpoint Protection Manager, you see IP addresses in the report that were excluded. Does that help?

 

 

0
sadelphin's picture

Instead of adding the MAC address/IP address one by one, I'm thinking of adding those directly to the database.

 

0
pete_4u2002's picture

It's not recommended to directly insert into the DB without DB schema information. However, if it is a must, you can take a backup of the DB and then insert the query.

0
John Santana's picture

cool, thanks man !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

0
AjinBabu's picture

Nice One Pete

0