Unmanaged detector - false positive
I have several unmanaged detectors in my network (one per subnet). I'm having one unmanaged detector w/ XP SP2 MR4 MP2 giving me two IP addresses that I know SEP is already installed on those two machines (XP SP2) with all features enabled and with green dots on the SEPM with the latest policies. Both computers also have the latest definitions and are in computer mode and managed by a SEPM in the same subnet. This subnet has about 70 computers, but only these two are reported as not having SEP installed. The MAC addresses for both computers are different from what the unmanaged detector sees versus what's in SEPM.
What exactly is the unmanaged detector looking for?
Also, once the unmanaged detector finds an IP, how long is that IP stored and reported on and what setting would help to purge the length of time that IP gets reported? For example, several IPs across different subnets have been reported for months now, but there is no physical device on those subnets matching the IP address (verified by physically looking at everything plugged into the main switches and verifying their IP address manually).
False Positive... May Not Be...
It works like this... Upon booting, a computer sends out Address Resolution Protocol (ARP) traffic to identify itself on a network. Once enabled, the Unmanaged Detector listens for gratuitous ARP traffic and collects Internet Protocol (IP) and Machine Address (MAC) data from traffic passing it on the local network. This data is then forwarded to the Unmanaged Detector’s SEPM which compares the IP address and MAC address of detected systems against its known list of managed endpoint clients and reports on the unmanaged endpoint clients.
Pls check this article...
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008030514404548
Regards,
Mac
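The comparison described in the reply above, as an added example that is not part of the original post and is not Symantec's code: it parses raw Ethernet/ARP frames, keeps only gratuitous ones (sender IP equals target IP), and checks each sender against a managed-client inventory, separating an IP known under a different MAC (the case raised in this thread) from a wholly unknown host. The inventory, the frames, the status names and the rule of matching on the IP/MAC pair are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

def build_arp(sender_mac, sender_ip, target_ip, oper=1):
    """Build a constructed broadcast Ethernet/ARP frame for the sample data."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return (eth + arp + sha + IPv4Address(sender_ip).packed
            + b"\x00" * 6 + IPv4Address(target_ip).packed)

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:  # EtherType for ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    return mac, str(IPv4Address(spa)), str(IPv4Address(tpa))

def classify(frames, managed):
    """Map each gratuitous-ARP sender IP to (status, MAC seen on the wire)."""
    result = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, spa, tpa = parsed
        if spa != tpa:  # ordinary request or reply, not gratuitous
            continue
        known = managed.get(spa)
        if known is None:
            status = "unmanaged"
        elif known.lower() == mac:
            status = "managed"
        else:
            status = "mac-mismatch"  # IP is in inventory, but under another MAC
        result[spa] = (status, mac)
    return result

# Constructed inventory and traffic (documentation addresses, made-up MACs).
MANAGED = {"192.0.2.10": "00:11:22:33:44:55", "192.0.2.11": "00:11:22:33:44:66"}
SAMPLE_FRAMES = [
    build_arp("00:11:22:33:44:55", "192.0.2.10", "192.0.2.10"),
    build_arp("00:aa:bb:cc:dd:ee", "192.0.2.11", "192.0.2.11"),
    build_arp("00:de:ad:be:ef:01", "192.0.2.50", "192.0.2.50"),
    build_arp("00:11:22:33:44:55", "192.0.2.10", "192.0.2.1"),  # not gratuitous
]
```

Keeping "mac-mismatch" as its own status makes it possible to review those hosts separately from machines that are absent from the inventory altogether.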
Thanks for your response. Can you explain why the unmanaged detector is giving me a different MAC address than what SEPM / Clients is showing? Both of these computers are turned on and are fully functional - no IP address conflicts reported by the computers.
Yes... why do they have different MACs...
I would also be checking ours if we have the same issue...
What about RickJDS's 2nd question: "once the unmanaged detector finds an IP, how long is that IP stored and reported on and what setting would help to purge the length of time that IP gets reported?"...
Hope we could get this issue straightened up..
thanks...
Nel Ramos