Endpoint Protection

  • 1.  SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 07, 2014 09:14 AM

    The title of this might be confusing so will explain some more!  We use unmanaged detectors on SEP 12, one on each subnet.  My query is once SEPM has received a report of an "unmanaged" device does it keep that info on the notifications even when the device is no longer connected to the network?

    Our problem is we receive a list of unmanaged devices and when it comes to pinging these, 50% don't respond anymore or are false positives, as the device that may have been on that IP has now changed. We use DHCP, so the MAC that SEPM reports as unmanaged is no longer assigned to that IP.  Is there a way of:

    a) Checking the timestamp that SEPM was made aware of these.

    b) Clearing out old information from the database (stuff that is no longer live)



  • 2.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 07, 2014 09:16 AM

    See here:

    https://www-secure.symantec.com/connect/forums/unmanaged-detectors-and-syslog

    Does not appear the log is created

    Great description on how the process works here:

    https://www-secure.symantec.com/connect/forums/how-unmanaged-detector-works#comment-8448451

    The SEPM gets the data from the client, the SEPM checks the IP address and MAC and if not present in the SEPM, it sends an alert.



  • 3.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 07, 2014 09:29 AM

    So the only way to purge the "useless" data is to manually disable the unmanaged detector and then re-enable it?



  • 4.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?
    Best Answer

    Posted Mar 07, 2014 09:29 AM

    It does not seem to purge them at regular intervals. Whenever there are false positives or IP addresses of systems which are not even in the network, we just delete the unmanaged detector.

    Once we make the unmanaged detector again, we never got those alerts.

     



  • 5.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 07, 2014 09:34 AM

    Yes, that worked for us all the time :)



  • 6.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 07, 2014 09:52 AM
    Correct


  • 7.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 11, 2014 10:33 AM

    Thanks guys, have just implemented that process and pleased to say we now have a reduction in the unmanaged devices - makes our job much easier!



  • 8.  RE: SEPM 12 Unmanaged Detector - Does it keep historical data?

    Posted Mar 11, 2014 12:32 PM

    Good to hear!! Have a wonderful day ahead.