Endpoint Protection

Hi,

I have been searching for a specific issue regarding UNMANAGED DETECTOR on the forum but could not find anything on it and so posting this issue.

We have couple clients assigned role of unmanaged detectors One of the unmanaged detector shows clients having IP address 0.0.0.0. You can see that there are many such clients listed having different MAC addresses.

Below result is obtained from the Dashboard --> Security Status --> More Details. ABC is the unmanaged detector.We are also getting such type of results from some other unmanaged detectors.

What are the possible reasons for this? And how do we track these clients?

ABC	0.0.0.0	00-1e-3a-02-7b-5b
ABC	0.0.0.0	00-1e-c2-79-94-a0
ABC	0.0.0.0	00-1e-c2-83-d9-e4
ABC	0.0.0.0	00-23-12-bb-2e-78
ABC	0.0.0.0	00-23-32-35-d4-ba
ABC	0.0.0.0	00-23-76-47-8b-74
ABC	0.0.0.0	00-25-48-18-25-15
ABC	0.0.0.0	00-25-4b-31-03-09
ABC	0.0.0.0	00-26-37-19-84-51
ABC	0.0.0.0	00-26-b0-25-95-f5
ABC	0.0.0.0	00-26-b0-fb-64-28
ABC	0.0.0.0	00-26-cc-27-db-63
ABC	0.0.0.0	0c-dd-ef-59-15-cd
ABC	0.0.0.0	24-21-ab-db-17-54
ABC	0.0.0.0	3c-f7-2a-e6-48-76
ABC	0.0.0.0	40-61-86-5d-73-53
ABC	0.0.0.0	5c-57-c8-24-74-db
ABC	0.0.0.0	60-fb-42-e2-dc-88
ABC	0.0.0.0	7c-6d-62-e4-87-ee
ABC	0.0.0.0	90-e6-ba-69-59-a9
ABC	0.0.0.0	c0-38-f9-9e-cf-ae
ABC	0.0.0.0	d4-9a-20-c2-a3-ac
ABC	0.0.0.0	d8-d3-85-0b-f3-b2

 

whats the version of sep u r running?
check this bug here
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648

We have SEP RU5.

Also the link you have provided has lots of bugs specified. I am unable to locate the exact bug. Please let me know the exact description of the bug.

do a search with 0.0.0.
the report is not specifying the exact ip address of the client, i think that should be the bug.

Even after upgrading the SEP with latest RU6a it is still showing the 0.0.0.0 entries.Does anybody have any solution on this?

you may need to open a support case with Symantec. If you want there are tools which shows ip addresseses and MAC addresses in the network, so exporting that you may find those IP's.

It is detecting around 100's of MAC addresses as 0.0.0.0. We have confirmed with our network team. These MAC addresses doesn't exist in our network. It seems that these are some stale entries or entries generated itself are fake.

as I understand this is ARP request based on the clients are listed. It's weird that the clienst not in the network ( respond to ARP request)! and also that itself generates fakes entries.

Open the Support case with Symantec.

We are experiencing the exact same problem. Did you ever find a solution for this?

We had logged a support case with Symantec. We got reply from them that they wil be coming up with a fix by September 2010.