Endpoint Protection

  • 1.  SEPv11 Unmanaged Detector works for SAV10 clients as well?

    Posted Mar 03, 2010 03:31 PM
    Has anyone tested the SEP unmanaged detector with SAV10 clients in the environment? I know it's only supposed to work with SEP but I was wondering if SAV10 would work as well.

    I know that the SEP client used as an unmanaged detector uses the IP and MAC to look for a managed client in the SEPM DB. If a SAV10 client came on to the network, the SEP client would detect it as unmanaged since the MAC and IP aren't found in the SEPM DB.

    Since we're sending SAV10.x logs to our SEPM DB, I'm wondering if we could place a SEP unmanaged detector client on a subnet and use it to report on systems not running SAV10 or SEP.

    Thoughts? I'm planning to test this over the next few days.


  • 2.  RE: SEPv11 Unmanaged Detector works for SAV10 clients as well?

    Posted Mar 03, 2010 03:38 PM
    Sometimes it actually does:
    http://service1.symantec.com/support/ent-security.nsf/docid/2009081719391348?Open&seg=ent

    For the same reason, at times we need to create exceptions for known machines with Managed Symantec Endpoint Protection (SEP) client not installed. This may be true for all the following scenarios:
    1. Non-Windows legitimate machines are installed in the same network
    2. Windows machines with third-party antivirus software installed
    3. Known machines which have Symantec Endpoint Protection (SEP) installed as self-managed
    4. Known machines which have legacy Symantec Antivirus installed
    5. Group of machines which already have an Unmanaged detector assigned


  • 3.  RE: SEPv11 Unmanaged Detector works for SAV10 clients as well?

    Posted Mar 03, 2010 03:54 PM
    I believe the information you provided discusses the use of unmanaged detector exceptions so clients running older Symantec products (i.e. SAV10) are not reported as unmanaged.

    What I was wondering is if the unmanaged detector could recognize a SAV10 client as managed since it shows up in the SEPM DB using the legacy log feature. If it could then I could assume that systems on my report were missing either SAV10 or SEP.


  • 4.  RE: SEPv11 Unmanaged Detector works for SAV10 clients as well?

    Posted Mar 03, 2010 04:01 PM
    In that case it won't show up as managed.
    Under the database schema the SAV clients are not entered in SEP_Computer field. I don't think SEPM would rip client names from logs and update this field to know that it's managed.