Endpoint Protection


SEPM missing info causes false positives on unmanaged detection

  • 1.  SEPM missing info causes false positives on unmanaged detection

    Posted Aug 11, 2016 06:06 PM

    I'm biting the bullet and enabling the Unmanaged Detector feature on Symantec Endpoint Protection.  Aside from the pain of manually adding every device on the subnet that isn't a computer, I'm encountering an issue where it is reporting some false positives.

    So far in each case, the client being falsely accused has multiple network interfaces.  One was a laptop with a wired and wireless adapter.  The detector was reporting the wireless NIC as unmanaged.  The strange part is that I couldn't even ping the wireless address, and ipconfig showed that it was offline.  Perhaps it was temporarily on.  That computer has since cleared up and isn't alerting.  The other computer is a server with 5 adapters which I am able to ping.  Both clients were running version 12.1.6860.6400.

    When I checked the computer properties in SEP Manager, the MAC and IP pairs being reported were missing from SEPM's list of addresses which is why it thinks they're unmanaged.  These clients are configured for a 10-minute heartbeat.  The server has been on for weeks and the NIC configuration has not changed recently.

    I'm wondering if anyone has encountered this, and if they have any workarounds.  I realize that I can add the MAC address as an exception, but I'd like to avoid that if possible.

    Does anyone know if/how often this client information gets refreshed?  Why wouldn't some NICs be reported in the client properties?


    Thanks.



  • 2.  RE: SEPM missing info causes false positives on unmanaged detection
    Best Answer

    Posted Aug 12, 2016 05:12 AM

    It all depends on how your client is communicating with SEPM (which NIC). The Unmanaged Detector works based on replies from ARP traffic and compares them with the IPs and MACs present in SEPM's database, so if an IP/MAC isn't in the DB, the chances of it showing up in the Unmanaged Detector are high. Unfortunately the only available workaround is to add an exception.



  • 3.  RE: SEPM missing info causes false positives on unmanaged detection
    Best Answer

    Posted Aug 12, 2016 03:06 PM

    @PraveenAyappan:

    I would agree with that.  I did some digging and found out why all the adapters weren't listed.  The SEPM database tables are hard coded so that there is only enough room for four MAC/IP addresses per machine.  The server that it was flagging had five adapters.  Now that I know that, I can stop wondering if it is a bug and just use the workaround: adding MAC exclusions for the missing adapter.

    Column names from the SEM_COMPUTER table:

    [MAC_ADDR1] [IP_ADDR1] [GATEWAY1] [SUBNET_MASK1]
    [MAC_ADDR2] [IP_ADDR2] [GATEWAY2] [SUBNET_MASK2]
    [MAC_ADDR3] [IP_ADDR3] [GATEWAY3] [SUBNET_MASK3]
    [MAC_ADDR4] [IP_ADDR4] [GATEWAY4] [SUBNET_MASK4]


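The two replies above describe the mechanism (ARP replies matched against the MAC/IP pairs SEPM holds) and the limit (four MAC_ADDRn/IP_ADDRn slots per row in SEM_COMPUTER). The following is an added example, not code from this thread or from Symantec, that simulates that comparison so the failure mode is visible: a constructed five-NIC server loses its fifth adapter when written into a four-slot row, every ARP reply from that adapter is then flagged, and a MAC exclusion clears it. The exact matching rule the real detector uses (pair vs. MAC-only), the slot-filling order, and the COMPUTER_NAME column are assumptions; all hosts, MACs and IPs are made up.

```python
"""
Added example (not from the thread or from Symantec): model the Unmanaged
Detector's ARP-reply-vs-SEM_COMPUTER comparison with a four-slot row.
"""
from dataclasses import dataclass

SLOTS = 4  # SEM_COMPUTER carries MAC_ADDR1..4 / IP_ADDR1..4 and nothing beyond


@dataclass
class ManagedClient:
    name: str
    nics: list  # (mac, ip) pairs as the agent reports them (order is an assumption)

    def db_row(self):
        """Mimic the table: only the first four NICs survive the write."""
        row = {"COMPUTER_NAME": self.name}  # column name assumed for illustration
        for n in range(1, SLOTS + 1):
            mac, ip = self.nics[n - 1] if n <= len(self.nics) else ("", "")
            row[f"MAC_ADDR{n}"] = mac.lower()
            row[f"IP_ADDR{n}"] = ip
        return row


def known_pairs(rows):
    """Every (mac, ip) pair SEPM can see across all slots of all rows."""
    known = set()
    for row in rows:
        for n in range(1, SLOTS + 1):
            mac, ip = row[f"MAC_ADDR{n}"], row[f"IP_ADDR{n}"]
            if mac:
                known.add((mac, ip))
    return known


def detect_unmanaged(arp_replies, rows, mac_exclusions=()):
    """Assumed detector logic: a reply is 'unmanaged' when its (mac, ip) pair
    is absent from the database and its MAC is not on the exclusion list."""
    excluded = {m.lower() for m in mac_exclusions}
    known = known_pairs(rows)
    observed = ((mac.lower(), ip) for mac, ip in arp_replies)
    return sorted(pair for pair in observed
                  if pair not in known and pair[0] not in excluded)


def possibly_truncated(rows):
    """Practitioner check: a row whose last slot is filled may belong to a host
    with more NICs than the table can hold, i.e. a false-positive candidate."""
    return [r["COMPUTER_NAME"] for r in rows if r[f"MAC_ADDR{SLOTS}"]]


def sample_environment():
    """Constructed data: a 5-NIC HA server, a dual-NIC laptop, a printer without SEP."""
    server = ManagedClient("HA-SRV01", [
        ("00:11:22:33:44:01", "10.0.1.10"),  # LAN
        ("00:11:22:33:44:02", "10.0.2.10"),  # redundant LAN
        ("00:11:22:33:44:03", "10.0.3.10"),  # management
        ("00:11:22:33:44:04", "10.0.4.10"),  # iSCSI A
        ("00:11:22:33:44:05", "10.0.5.10"),  # iSCSI B: does not fit in the row
    ])
    laptop = ManagedClient("LT-0042", [
        ("aa:bb:cc:dd:ee:01", "10.0.1.55"),
        ("aa:bb:cc:dd:ee:02", "10.0.1.56"),
    ])
    clients = [server, laptop]
    # What the detector hears on the wire: every managed NIC plus one true stranger
    arp_replies = [(mac, ip) for c in clients for mac, ip in c.nics]
    arp_replies.append(("de:ad:be:ef:00:01", "10.0.1.200"))  # printer, no SEP agent
    return clients, arp_replies


if __name__ == "__main__":
    clients, arp = sample_environment()
    rows = [c.db_row() for c in clients]
    print("Flagged:", detect_unmanaged(arp, rows))
    print("After excluding the fifth NIC:", detect_unmanaged(arp, rows, ["00:11:22:33:44:05"]))
    print("Rows with all four slots full:", possibly_truncated(rows))
```

The `possibly_truncated` check is the part worth carrying over to a real SEPM database: a row with MAC_ADDR4 populated is the only DB-side hint that a client may have more adapters than SEPM recorded, so those hosts are where to look first when the detector reports a MAC you recognise.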


  • 4.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 12, 2016 03:11 PM

    Seems to be a limitation there. Rare for this instance I suppose with the box having five adapters, but perhaps a product enhancement request is needed.



  • 5.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 10:02 AM

    A product enhancement would be nice.  Judging by the way the database is set up, I wouldn't hold my breath.  They basically have the options of adding more columns for more NICs or splitting the interfaces off to a separate table (preferred).  This isn't an uncommon situation for high-availability servers which have multiple NICs (redundancy, management, iSCSI), but that is a definite minority of the overall number of systems we have.

    Meanwhile, I'm still waiting for the unmanaged detector to actually find all the unmanaged devices.  I've had it running for about a week and it's found some, and I get maybe a couple of new detections per day, but not nearly as many as I expected to get from enabling this feature.  With all the non-Windows devices we have that haven't been detected, I'm wondering if this feature even works.  I even tried to help it out by pinging all devices from the unmanaged detector.  It's running on a Hyper-V guest, so I'm wondering if there's some sort of filtering going on that I'm not aware of.  That's probably a separate thread, though.



  • 6.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 10:33 AM

    I echo your thoughts, Will.c; in today's demanding world, HA servers with multiple NICs are not out of the question. I suggest you make use of this link to submit the PER to Symantec.


    Submit a suggestion, idea, or enhancement request for Symantec products



  • 7.  RE: SEPM missing info causes false positives on unmanaged detection



  • 8.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 01:17 PM

    Just gave a thumbs up, let's hope the development team sees this suggestion sooner and starts to implement it.



  • 9.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 01:22 PM

    No chance - Ideas on here are seldom looked at and implemented.

    -Former "employee"



  • 10.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 02:06 PM

    I too am a former employee, and there are chances that some of the ideas are getting reviewed and implemented. But not always, given the nature of this suggestion. I believe this is something doable without having to redo the entire coding.



  • 11.  RE: SEPM missing info causes false positives on unmanaged detection

    Posted Aug 15, 2016 02:54 PM

    Yeah okay mate - it's a few additional lines of code.