While my first instinct is to agree - today I have to DISagree because - well, the servers causing these MAC spoofing alerts here are the SEPM servers!
So I can't fully agree that there are not differences. There must be. Two of us with the exact same thing going on? Weird for sure.
Yes, servers here running SEP are stating that there are - on a daily basis (every night middle of the night) MAC spoofing.
And guess what the remote computer that is doing the spoofing or unsolicited ARP responses is -
it's our SEP manager server. Yes, servers are logging daily MAC spoofing and the remote host IP is always from our SEPM server(s).
Not another server, not even another computer. Not from Windows 7 but from a Windows 2008R2 SERVER that runs ONLY SEPM. There is nothing else on that server - ONLY SEPM.
So why do the other servers state that the SEPM server is sending unsolicited ARP responses?
Why the SEPM server? Why not our print servers, why not from our file server? Why do these ONLY come from the SEPM server here?
And why not all the time - why only evening or middle of the night? Why not at lunch time or mid-morning or early afternoon?
And if I may, respectfully, a complaint -
Why is it that whenever one of us has an issue with a feature that the response is not a fix or how to solve the problem, the response is "turn it off" or "disable it" or "don't use that feature"?
Hey, that's not a fix. Any fool can respond with "turn off/disable that feature and the issue will go away". (And get points for that??)
Sorry, but IMO that's not exactly helpful. Honestly, my wife could solve questions here with that - "Doc, it hurts when I do this" - she could respond to each post "then don't DO this!"
LOL - great solution.
SEP or SEPM has a little problem, we chop off that part which has the issue as our solution.
Pretty soon we have SEP installed but to work around all the issues, we have ended up disabling it.
So - what good is IPS or a firewall if we have to turn it off to get rid of problems?
How about since other people see this issue - we have a solution OTHER than "disable it/turn it off". I want the protection. We bought SEP instead of using the Microsoft product that's FREE (well, it comes with our huge MS support contract) because SEP has all of these neat abilities, is solid, it works, and it protects in ways other software can't. But it is only better than the Microsoft or other company's products IF we can use the features SEP has. When we have to disable half of SEP to get the product to behave, then is it any better than the others? But when there's a problem the less than helpful response is "turn that feature off, don't use it". I'm sorry but that's NOT a solution and it's certainly not helpful.
Does anyone here understand what reactions I'd get from management if my report back to them was "Symantec says just turn it off"? I'd be chased out and told not to return until I had a real solution - Come back when you have a real answer.
But it does seem as if Symantec just stuck this in here never intending for it to ever be used - perhaps so marketing could list it as a feature, but turn it off by default and if someone tries to use the fake feature, just tell them it wasn't intended to work, disable it. It's sort of like a picture of a window hung on the wall to give the appearance of another window. Just don't try to use it!