Endpoint Protection

I'm aware of the use of the unmanaged detector.

What I'd like to know is "how" it works (logic, data written in the DB and so on).

I mean, I think something like this:

• the machine enabled as unamanged detector collect the MAC addresses in its own subnet and this list is sent to the SEPM;
• SEPM compares this list with the list of MAC address already managed;
• if there are MACs detected but not managed, then these MACs are written in the DB (with probably time of detection).

Something similar?

Thanks!

Hi,

Check this thread

https://www-secure.symantec.com/connect/forums/scheduled-report-question-about-pcs-network-without-sep#comment-6631751

https://www-secure.symantec.com/connect/forums/unmanaged-detector-works

Thanks but... my questions are still open 

What does it mean "look ARP traffic in the subnet in order to understand if SEP is installed?"

And, moreover, I relly need to know exactly the logic, the steps performed.

Hi,

Check Chetan Comments on below thread

https://www-secure.symantec.com/connect/forums/it-possible-sepm-discover-machines-without-sep-network#comment-8140321

Unmanaged Detector, where it listens for an ARP broadcast when a device joins the subnet that the Unmanaged Detector is on.  The Unmanaged Detector then queries the "new" machine and sees if it gets a response from a SEP agent.  If it does not get a response, it will send this info to the SEPM, which you can configure to send you an alert as being unmanged.

Uhm...

"The Unmanaged Detector then queries the "new" machine and sees if it gets a response from a SEP agent."

This is different from 

"A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the SEPM. This management server searches the ARP packet for the device's MAC and IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new."

What of the two behaviours is the real one?

First one :)

coz if I have a client  package exported with SEP package and  installed (offline). when it connects to the network, this will be the first time it will talk to the manager. if second one was the case then it would flag the machine as unmanged coz there wont be any data of the client in the DB. In this case you will have to approve the client if thats secure. AFAIK the unmanged detector will check if there is any sep client installed on it. 

I'd personally suggest that an unmanaged detector is passive in its collection of data rather than active as Rafeeq suggests.

My reasoning is that for a SEP client to perform an active query against a machine for a SEP client, then the SEP client software would have to be capable of listening for such request and responding to it (which it isn't).  If the active querying happens outside of SEP, then the unmanaged detector would need something to talk to.  If Windows then it'd need a way of authenticating against windows, in which case what creds would it use?  Finally, if it were an active query, then we wouldn't need to add exceptions for printers/routers/switches/etc.

My understanding (similar to the OP's interpretation) has always been that an unmanaged detector:

• listens for ARP traffic
• pings the MAC/IP info to the SEPM
• SEPM decides if the endpoint is known or not

@diabolicus23 This is how unmanaged Detector works

""When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the management server. The management server searches the ARP packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.""

This is the way I think it works.

Simple collector of MAC/IP in its own subnet. Nothing more. The real work is performed by SEPM.

But, in this way, the SEPM should indicate as "unprotected" also a client that has SEP but referred to another SEPM architecture.

Thanks Vikram.

So if a pc is protected by SEP but it's connected to another SEPM architecture (let me say, a consultant with its own SEP of its own company), this pc is detected as unmanaged.

Is this correct?

SEPM compares MAC/IP with MAC/IP that are managed by itself.

Correct..Simply going by its name..Unmanaged (not managed by the SEPM doing the search)

From

Paul Murgatroyd

SYMANTEC EMPLOYEEPARTNERACCRED

the unmanaged detector works on a local network and looks at ARP traffic on that subnet to determine whether or not a client is running SEP. If its not running SEP, we report it back to the SEPM and it will appear in the security report (you can also configure notifications for this). Two things to bear in mind:

1. This works on a per subnet basis - you need a detector in each subnet your company has to guarantee coverage
2. This won't detect clients that have SEP installed but are not managed by your SEPM (either "unmanaged" SEP clients or other companies SEP clients because we look to see if SEP is *installed* There are things we can potentially do in the future, depending on how the feature evolves and what customers request.

This is simlillar to what everone shared about unmanged detector.

 my comment on ""The Unmanaged Detector then queries the "new" machine and sees if it gets a response from a SEP agent.""
 

->>this is when we search for clients with no sep installed using a subnet range under Find Unmanged computers tab ( in migration and deployment wizard)

if it does not get a response It will list that computer so that we can push the package.

Ah ok, mistery solved

I was talking about 12.1 version, so I don't have Find Unmanaged.

Thanks all!

Yes, its now Client deployment wizard. Lets all vote to get it back :) 

It says Impliemted

https://www-secure.symantec.com/connect/ideas/sepm12-bring-back-find-unmanaged-computers-sepm11

Even for Unmanaged detector it dint used to detect unmanaged or SEP managed from different SEPM in older version of SEP 11.

But now it does detect the ones which are managed by other SEPMs.

I think this leads us back to the OP's initial question then.  Can anyone provide us a comprehensive description of how the unmanaged detector works?

If it is checking each endpoint for SEP, then how does it do it?  Is it monitoring for SEP heartbeats coming out of the endpoint?  If so, does this require the endpoints to be attached to a hub rather than a switch?

If it's doing an active query, then how does it do it?  It's not like SEP is listening for requests to make itself known.  If it's asking Windows if SEP is installed, then what creds are used to authenticate to it?

Just to confuse things further, my own initial tests here indicate unmanaged SEP clients and SEP clients managed by another SEPM are logged by the unmanaged detector (or at the very least, a SEP12.1RU1MP1 unmanaged detector is unable to detect the presence of SEP11RU6MP2 on another endpoint and says it's unmanaged).

This behaviour is consistent with how I believe the unmanaged detector works, but conflicts with what the Symantec guys have posted.  As such, a conprehensive writeup would be much appreciated.

Hi

How Unmanaged detector/Lan Sensor works:

When a client is configured as unmanaged detector it listens to the gratuitous ARP requests from all the devices and nodes in a particular broadcast domain/VLAN/subnet and sends that raw data to SEPM. SEPM then compares it with the clients that are already registered with it, if any IPs/MACs is not registered, SEPM triggers a notification for that IP or MAC as an unknown/unmanaged device. Please note that this may include an IP of a router/switch/printer or any other device in the network. That’s the reason it is important to configure exclusions as highlighted by Sameer. The unmanaged detector works completely on ARP traffic that it gets and doesn’t creates anything on its own. Normally within a network the ARP broadcast is limited within a broadcast domain/subnet/VLAN so you may want to configure an unmanaged detector for each broadcast domain. In case you see one unmanaged detector is detecting IPs from another subnet then you need to take care of it from network level as it is just passing on the traffic that it got. Please note that in order for a client to serve as an unmanaged detector, NTP has to be installed.

Please find the procedure to configure unmanaged detector
1 In the console, click Clients.
2 Under View Clients, select the group that contains the client that you want
to enable as an unmanaged detector.
3 On the Clients tab, right-click the client that you want to enable as an
unmanaged detector, and then click Enable as Unmanaged Detector.
4 To specify one or more devices to exclude from detection by the unmanaged
detector, click Configure Unmanaged Detector.
5 In the Unmanaged Detector Exceptions for client name dialog box, click Add.
6 In the Add Unmanaged Detector Exception dialog box, click one of the following options:
■ Exclude detection of an IP address range, and then enter the IP address range for several devices.
■ Exclude detection of a MAC address, and then enter the device's MAC address.
7 Click OK.
To display the list of unauthorized devices that the client detects
1 In the console, click Home.
2 On the Home page, in the Security Status section, click More Details.
3 In the Security Status Details dialog box, scroll to the Unknown Device Failures table.
4 Close the dialog box.
Also you can schedule a notification for unmanaged clients by following the below steps
Goto Monitors => Notifications => Add Notification and Select Unmanaged Computers
Give name to notification and set the time period in the damper tab
Configure the email id to whom which the report should be send

Regards

To summarise then diabolicus, yours and my own intepretation of how the Unmanaged Detector works is correct.  It works passively to collect and forward ARP data to the SEPM for analysis.

As my tests confirmed, it is unable to detect if an unmanaged version of SEP is installed on a machine not known to the SEPM.

Hi

Diabolicus23 have found any suitable answers to your questions

Regards

To keep it simple..Unamanged Detector will detect any machine/device that broadcasts ARP during boot.

Doesn't matter what is installed on the machine it will collect the ARP of everyone it finds in its subnet send it to SEPM.

SEPM will check from its own databse and whoever is not in the DB it will report it as Unmanaged.

Remember Unmanaged Detector works without any authentication so it has no way of getting into the system to check what is installed.