
Still found Unmanaged detector - false positive in SEP 12 RU1 MP1

Created: 24 Sep 2012 • Updated: 24 Sep 2012 | 12 comments
Revenge's picture

I have several unmanaged detectors in my network (one per subnet). I have one unmanaged detector (WIN 2003, 12.MR1 MP1) giving me 5 IP addresses, and I know SEP is already installed on those 5 machines (XP SP2) with all features enabled and with green dots on the SEPM with the latest policies. Both computers also have the latest definitions and are in computer mode and managed by a SEPM in the same subnet.

Also, all these systems are showing in the SEPM console, so why do I get logs in the SEPM Unmanaged Detector?

We found the same issue in all versions of 11 and still find it in version 12! What exactly is the unmanaged detector looking for?

Also, I found a different MAC address for the same IP compared to the SEPM database.

Please find the snapshot below.


Ashish-Sharma's picture

Hi,

Are you using Image OS?

SEP 12.1: How to prepare a Symantec Endpoint Protection 12.1 client for cloning (image)

http://www.symantec.com/business/support/index?page=content&id=HOWTO54706
  

Configuring Symantec Endpoint Protection client for deployment as part of a drive image (SEP 11)
http://www.symantec.com/business/support/index?page=content&id=TECH102815

Check your thread

http://www.symantec.com/connect/forums/symantec-unknown-device-failures-list

Thanks In Advance

Ashish Sharma

Revenge's picture

Thanks for the reply.

We are not using image OS.

Ashish-Sharma's picture

Configure SEPM to remove clients which have not connected within a specific number of days.

  1. Open SEPM and select the Admin panel.
  2. Click on Servers
  3. Right click on the Site where your management servers are located and choose Edit Properties
  4. Check "Delete Clients that have not connected for __ Days"
  5. Enter a value for Days.
  6. Click OK.

NOTE: In version 12.1 of the SEPM, the location for adjusting the setting to delete clients which have not connected for X number of days has moved:

  1. In the SEPM, go to the Admin page.
  2. Select Domains.
  3. Under Tasks, select Edit Domain Properties
  4. In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."

Configuring a low value for this setting would clear up the duplicates more quickly. 

It is important to consider clients that are offline over the weekend. Setting this value to 1 or 2 will likely cause all your clients to be removed after a weekend.
A recommended value for large enterprise environments would be 7 to 14 days.
 
Check this article

Thanks In Advance

Ashish Sharma

Revenge's picture

Already set to 7 days. It's removed automatically.

Any solution for why the MAC shows differently in the SEPM logs and UD logs?

Ashish-Sharma's picture

Hi,

Are both clients online and updated with the latest definitions?

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Hi,

Try to remove the hardware ID on both systems and check,

How to repair duplicate IDs on cloned Symantec Endpoint Protection 12.1 clients

http://www.symantec.com/business/support/index?page=content&id=TECH163349

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Hi,

What happens if you delete one host name in the SEPM console?

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Hi,

Are both machines' host names different?

Have you configured the IP address manually?

I think the same IP address is available on two different machines.

Thanks In Advance

Ashish Sharma

Mithun Sanghavi's picture

Hello,

I would suggest you follow the steps below:

1. Disable Unmanaged detector on the machine sending the wrong report.
2. If the firewall is not installed on the machine configured as an unmanaged detector
    a) Install firewall component on the client.
    b) Reboot the machine after installation.
3. If the firewall is installed on the machine configured as an unmanaged detector
    a) Repair the client.
    b) Reboot the machine
4. Verify if the firewall (teefer) driver is running.
    To verify if the driver is running
      a) Start > Run
      b) Open cmd.
      c) Type in sc query teefer2.
5. Once the driver has been verified as running, re-enable the client as an unmanaged detector.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
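
The driver check from step 4 of the post above, as an added example that is not part of the thread or Symantec's own tooling: it classifies `sc query teefer2` output and names the step that applies. The sample outputs are constructed, and the mapping from driver state to steps 2, 3 and 5 is an assumption drawn from reading the post.

```python
import re
import subprocess

DRIVER = "teefer2"  # driver name from step 4 of the post above

# Constructed sample outputs in the usual `sc query` layout (not captured from a real host).
SAMPLE_RUNNING = """SERVICE_NAME: teefer2
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_STOPPED = SAMPLE_RUNNING.replace("4  RUNNING", "1  STOPPED")
SAMPLE_MISSING = """[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

# Assumed mapping from driver state to the steps in the post above.
NEXT_STEP = {
    "not_installed": "step 2: install the firewall component, then reboot",
    "not_running": "step 3: repair the client, then reboot",
    "running": "step 5: re-enable the client as an unmanaged detector",
}

def classify_sc_output(text):
    """Return 'running', 'not_running' or 'not_installed' for `sc query` output."""
    # Error 1060 (ERROR_SERVICE_DOES_NOT_EXIST): the driver is not installed.
    if re.search(r"FAILED\s+1060\b", text):
        return "not_installed"
    # The numeric state code is used rather than the state name; 4 is SERVICE_RUNNING.
    match = re.search(r"^\s*STATE\s*:\s*(\d+)", text, re.MULTILINE)
    if match is None:
        raise ValueError("unrecognised sc query output")
    return "running" if match.group(1) == "4" else "not_running"

def query_driver(name=DRIVER):
    """Run `sc query <name>` on the local Windows machine and classify the result."""
    proc = subprocess.run(["sc", "query", name], capture_output=True, text=True)
    return classify_sc_output(proc.stdout + proc.stderr)

if __name__ == "__main__":
    for sample in (SAMPLE_RUNNING, SAMPLE_STOPPED, SAMPLE_MISSING):
        state = classify_sc_output(sample)
        print(f"{state}: {NEXT_STEP[state]}")
```

On the detector machine itself, call `query_driver()` instead of feeding in the samples.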