Endpoint Protection


Strange email notification from SEPM

  • 1.  Strange email notification from SEPM

    Posted Mar 03, 2011 02:26 PM

    Hi All,

    The other night, we received the following event notification from the SEPM server:

    =========

    Message from:
            Server name: qcavmgr
            Server IP: 192.168.1.197

    At least one security risk found:

    Risk name: Tracking Cookies
    File path: .m.webtrends.com
    Event time: 2011-03-03 00:58:58 GMT
    Database insert time: 2011-03-03 01:00:08 GMT
    User: 216-01
    Computer: 814-1C
    IP Address: 10.5.65.101
    Domain: Default
    Server: qcavmgr
    Client Group: My Company\Store Wkstns
    Action taken on risk: Deleted

    =========

    Here's the problem.  The UserID, Computer Name, and IP address are all related for these accounts:  For instance, for our "Store 216," the user ID would be 216-01, the computer name would be 216-1C, and the IP address would be 10.2.16.101.  For the "store accounts," here is what we would expect:

    Store #      User ID    Computer    IP Address
    Store 216    216-01     216-1C      10.2.16.101
    Store 814    814-01     814-1C      10.8.14.101
    Store 565    565-01     565-1C      10.5.65.101

    The problem is that none of these User IDs, Computer Names, or IP Addresses seem to be in the database.  I tried doing searches with "Computer Name Like" and "IP Address Like" searches under the client section in the SEPM console, as well as exporting a list of all clients.

    I think that I may need to "clean up" the database, but don't really know what I need to do.  Any help or pointers would be very much appreciated.

    Thanks in advance!

    Mark



  • 2.  RE: Strange email notification from SEPM

    Posted Mar 03, 2011 03:29 PM

    Tracking Cookies are downloaded from websites and can be ignored. Do you have NAT in your network? Try pinging 192.168.1.197 to see if that IP is there in your network.



  • 3.  RE: Strange email notification from SEPM

    Posted Mar 03, 2011 03:40 PM

    I guess I don't really understand your reply.

    The IP address 192.168.1.197 IS the SEPM server, qcavmgr.

    The problem is with all the other reported data, specifically this information reported:

    User: 216-01
    Computer: 814-1C
    IP Address: 10.5.65.101

    None of this is consistent.  As I mentioned, user 216-01 should be logged on to computer 216-1C, with an IP address of 10.2.16.101.

    But we do use nat, and more importantly, we do use a caching proxy (Barracuda Web Filter) for access to the Internet.

    Mark



  • 4.  RE: Strange email notification from SEPM

    Posted Mar 03, 2011 03:49 PM

    Now I get the issue. It's reporting the user of one machine, the IP of another, and the name of some other machine, all in one report. That does look strange.



  • 5.  RE: Strange email notification from SEPM

    Posted Mar 03, 2011 04:28 PM

    Are you importing Active Directory Organizational Units?

    Are the clients installed as User Mode or Computer Mode?

    Try performing a search in the SEPM for the user names you are seeing. You may discover that they are inadvertently running in user mode, which could be causing some discrepancies.

    If you're importing AD OU's, make sure in AD that you don't have any users' accounts in computer OU's and that there are not any users' accounts in computer OU's. This can and will cause issues.

    If this doesn't seem like the issue, I would recommend calling into support; that would be the quickest way to get this addressed, as there could be several different causes for what you are seeing.



  • 6.  RE: Strange email notification from SEPM

    Posted Mar 04, 2011 10:53 AM

    Our SEP system is not integrated with AD, so we're not importing anything.  Basically we've got a simple managed system, so when a client is installed on a computer, it defaults to a managed client.  And all of the SEP clients are installed in computer mode.

    Our "Hardware" department is responsible for the SEP client roll-out to the stores, and they're going to check the status of the SEP client, making sure that they're all up to date and managed, since they don't appear to be in the SEPM database.

    We do have a support contract, so I'll be opening a case once I get a bit more information from Hardware.

    Thanks!

    Mark



  • 7.  RE: Strange email notification from SEPM

    Posted Mar 04, 2011 11:52 AM

    When they are deploying are they imaging machines with SEP already installed?

    Are they using SysPrep to roll out the images, or some other utility, to guarantee that they have unique IDs?

    It is possible that multiple IDs are having an "identity crisis"...



  • 8.  RE: Strange email notification from SEPM

    Posted Mar 04, 2011 12:18 PM

    That's something that I'm having them do.  These are all Windows 7 Pro workstations, so they're using the built-in Sysprep before imaging them.  I was wondering if they might have forgotten to clean up the SEP client after imaging (they decided to install it BEFORE imaging), and they know that they're supposed to delete the hardware key xml file and registry key, but they might have forgotten.  Just in case, I'm having them clear the HWID, just to ensure that isn't the problem.  They tell me that they'll be getting back to me.

    That might explain why the client isn't in the database, but it might not explain the fact that SEPM reported the 3 different IDs, unless (possibly) all 3 share a HWID...

    Mark



  • 9.  RE: Strange email notification from SEPM

    Trusted Advisor
    Posted Mar 04, 2011 12:34 PM

    Hello,

    What version of SEPM and SEP are you carrying?

    What type of database are you carrying?



  • 10.  RE: Strange email notification from SEPM

    Posted Mar 07, 2011 11:54 AM

    I suspect that all 3 + at least 1 more are sharing a HWID. 

    Thus, when one is reporting in, the other 3 (or more) are being overwritten in the DB.

    Fingers crossed, as this would be a relatively easy fix, as you stated above: delete keys, remove files... Reboot.
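The "identity crisis" described in posts 7 through 10 (several imaged clients sharing one hardware ID, so each check-in overwrites the others' record and the other computer names never appear in a console search) can be reproduced and detected with a small model. The following is an added example, not code from the thread or from Symantec: it builds a constructed check-in log with an assumed `hwid` field and assumed record layout (SEP's real schema and the location of its hardware key file are not given on the page and are not referenced), shows the last-writer-wins effect on a manager database keyed by hardware ID, and flags any hardware ID claimed by more than one computer name, which is the check an administrator would want to run over an exported client list before re-imaging.

```python
from collections import defaultdict

# Constructed check-in log: each entry is one client reporting to the manager.
# The field names and HWID values are assumptions for illustration, not SEP's
# real schema. Stores 216, 814 and 565 were imaged from the same master and
# kept the same hardware ID; store 310 got a fresh, unique one.
CHECKINS = [
    {"hwid": "HWID-AAAA", "user": "216-01", "computer": "216-1C", "ip": "10.2.16.101", "t": 1},
    {"hwid": "HWID-AAAA", "user": "814-01", "computer": "814-1C", "ip": "10.8.14.101", "t": 2},
    {"hwid": "HWID-AAAA", "user": "565-01", "computer": "565-1C", "ip": "10.5.65.101", "t": 3},
    {"hwid": "HWID-BBBB", "user": "310-01", "computer": "310-1C", "ip": "10.3.10.101", "t": 4},
    {"hwid": "HWID-AAAA", "user": "216-01", "computer": "216-1C", "ip": "10.2.16.101", "t": 5},
]


def apply_checkins(checkins):
    """Model a manager database keyed on hardware ID with last-writer-wins
    semantics: every check-in replaces whatever record that HWID held before.
    Returns the final {hwid: record} view."""
    db = {}
    for rec in sorted(checkins, key=lambda r: r["t"]):
        db[rec["hwid"]] = rec
    return db


def search_computer(db, name):
    """Equivalent of a 'Computer Name Like' search in the console: only the
    record currently held for each HWID is visible."""
    return [r for r in db.values() if r["computer"] == name]


def find_hwid_collisions(checkins):
    """Return {hwid: sorted distinct computer names} for every hardware ID
    that more than one computer name has reported under. A healthy fleet
    returns an empty dict."""
    names_by_hwid = defaultdict(set)
    for rec in checkins:
        names_by_hwid[rec["hwid"]].add(rec["computer"])
    return {h: sorted(n) for h, n in names_by_hwid.items() if len(n) > 1}


def expected_ip(store):
    """Reconstruct the site convention from post 1: store NNN maps to
    10.N.NN.101 (e.g. 216 -> 10.2.16.101)."""
    s = f"{int(store):03d}"
    return f"10.{int(s[0])}.{int(s[1:])}.101"


def inconsistent_records(checkins):
    """Flag check-ins whose user, computer and IP do not all belong to the
    same store, the symptom visible in the original notification."""
    bad = []
    for rec in checkins:
        store = rec["computer"].split("-")[0]
        if not rec["user"].startswith(store + "-") or rec["ip"] != expected_ip(store):
            bad.append(rec)
    return bad


if __name__ == "__main__":
    db = apply_checkins(CHECKINS)
    print(f"{len(db)} record(s) in the manager DB for {len(CHECKINS)} check-ins")
    for name in ("216-1C", "814-1C", "565-1C"):
        print(f"search {name}: {'found' if search_computer(db, name) else 'not found'}")
    for hwid, names in find_hwid_collisions(CHECKINS).items():
        print(f"HWID {hwid} is claimed by {len(names)} computers: {', '.join(names)}")
    print("store-convention violations:", inconsistent_records(CHECKINS))
```

With the constructed log, only one record survives for `HWID-AAAA` (the last writer, store 216), so searches for 814-1C and 565-1C come back empty exactly as the original poster observed, while `find_hwid_collisions` names all three stores under the one hardware ID. The same collision check can be run over a real client export by mapping its hardware-ID and computer-name columns onto the two fields this example uses.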