
Unmanaged detector not working

Created: 29 Mar 2013 | 13 comments

I have setup a single server as an unmanaged detector.  It is on the same subnet as a machine I have uninstalled SEP 12 from.  NTP is enabled on the server.  It is not detecting the client on the network without SEP installed on it, though.

The client originally had SEP 12 installed on it.  I uninstalled it and then ran CleanWipe on it just to make sure.  The client was turned off overnight as I read on another discussion that the machine needed to be off for a while.  When I came in this morning and powered it on it still did not get detected by the unmanaged detector.

The server acting as the unmanaged detector has NTP enabled on it.  It originally did not have NTP enabled, but I enabled it yesterday afternoon via a command I ran on it through SEPM.  When logging in on the server it shows that NTP is active and working. 

I did not reboot the server after I enabled NTP on it.  I have seen nothing stating that needs to happen though.  It is just not detecting the clients without SEP installed on them.  Any thoughts?


ᗺrian:

What is exact SEP version?

Has the client that you removed SEP from been removed from the SEPM? If it is still showing up in the SEPM, it won't be detected until it is purged from the SEPM DB.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

jeremyboger:

Current version of SEP that was on the client is 12.1.2015.2015.  Yes, I removed it from the SEPM as soon as I uninstalled SEP from the client.

ᗺrian:

And you configured the alert so you get an email when something is detected? What did you set the damper period to?


jeremyboger:

I did configure the alert.  The damper is set to auto.  I have also looked for unknown computers (Home->Security Status->View Details) and nothing has been listed there.

Of course, as soon as I type that, devices show up there.  I am getting detections from another server on another network, but not from the server on the network with the client I know doesn't have SEP on it.  The devices that are being reported, of course, are switches and printers I will have to exclude.

Mithun Sanghavi:

Hello,

When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the SEPM. This management server searches the ARP packet for the device's MAC and IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources. 

http://www.symantec.com/docs/TECH105722

http://www.symantec.com/docs/HOWTO27421

When you uninstall the managed SEP client from the machine, the MAC address and SEP client entry still remain in the database as well as on the SEPM.

I would suggest you try to delete the SEP client entry from the SEPM manually and perform this step:

  1. In the SEPM, go to the Admin page.
  2. Select Domains.
  3. Under Tasks, select Edit Domain Properties.
  4. In the Edit Domain Properties window, on the default General tab, note the option to "Delete clients that have not connected for specified time."

Setting this value to 1 or 2 will likely cause these clients to be removed over a period of 1 to 2 days.

Secondly, to configure the client as an unmanaged detector, you must do the following:

  • Enable Network Threat Protection.
  • Switch the client to computer mode.
  • Install the client on a computer that runs all the time.
  • Enable only Symantec Endpoint Protection clients as unmanaged detectors.
  • A Symantec Network Access Control client cannot be an unmanaged detector.

Reference: https://www-secure.symantec.com/connect/articles/unmanaged-detector-sep-121

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
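The comparison Mithun describes, as an added illustration that is not part of the thread or of Symantec's own code: constructed ARP observations are checked against a hypothetical managed-client table, with OUI-based exclusions for phones and switches, a broadcast-domain check (the detector only sees ARP on its own subnet), and a purge step standing in for "Delete clients that have not connected for specified time". All MACs, IPs and field names are made up for the example.

```python
import ipaddress

# Constructed sample data, not taken from the thread: the SEPM's managed-client table
# (MAC -> (IP, days since the client last checked in)) and the ARP observations an
# unmanaged detector forwards. Every value here is hypothetical.
MANAGED_DB = {
    "00:11:22:aa:bb:01": ("172.28.64.10", 0),   # healthy managed client
    "00:11:22:aa:bb:02": ("172.28.66.20", 3),   # SEP uninstalled; entry not yet purged
}
EXCLUDED_OUI = {"aa:bb:cc"}   # hypothetical phone/switch vendor prefixes to ignore
ARP_OBSERVED = [
    ("00:11:22:AA:BB:01", "172.28.64.10"),
    ("00:11:22:AA:BB:02", "172.28.66.20"),
    ("de:ad:be:ef:00:01", "172.28.66.21"),      # host with no SEP and no DB entry
    ("aa:bb:cc:00:00:07", "172.28.65.5"),       # IP phone, matched by OUI
    ("de:ad:be:ef:00:02", "10.9.8.7"),          # other broadcast domain; ARP never reaches us
]

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses sit in the same network under the given dotted mask."""
    network = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in network

def purge_stale(managed_db: dict, max_idle_days: int) -> dict:
    """Mimic the domain option 'Delete clients that have not connected for specified time'."""
    return {mac: rec for mac, rec in managed_db.items() if rec[1] <= max_idle_days}

def classify(detector_ip, mask, observed, managed_db, excluded_oui):
    """Return MAC -> status, following the MAC/IP comparison the SEPM performs."""
    known_ips = {rec[0] for rec in managed_db.values()}
    result = {}
    for mac, ip in observed:
        mac = mac.lower()
        if not same_subnet(detector_ip, ip, mask):
            result[mac] = "out_of_scope"   # detector would never have seen this ARP
        elif mac[:8] in excluded_oui:
            result[mac] = "excluded"
        elif mac in managed_db or ip in known_ips:
            result[mac] = "known"          # a stale DB entry still counts as known
        else:
            result[mac] = "new"
    return result

if __name__ == "__main__":
    args = ("172.28.64.1", "255.255.240.0", ARP_OBSERVED)
    before = classify(*args, MANAGED_DB, EXCLUDED_OUI)
    after = classify(*args, purge_stale(MANAGED_DB, 1), EXCLUDED_OUI)
    for mac in before:
        print(f"{mac}: {before[mac]} -> {after[mac]}")
```

Running it shows the uninstalled client flip from "known" to "new" only once its stale database entry is purged.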

jeremyboger:

Maybe I'm wrong and the unmanaged detector (server) and the client are not on the same network.  I'm not the best at networking, but I believe they should be.  The server is at 172.28.64.xxx and the client is at 172.28.66.xxx.  They are both on subnet 255.255.240.0.  The unmanaged detector and client should be on the same network should they not?

ᗺrian:

The subnet is 172.28.64.x or 172.28.66.x. So in this case the client should be on the same subnet as the unmanaged detector. It needs to be on the 172.28.64.x subnet.

255.255.240.0 is the subnet mask, which tells you the total address amount per subnet.


jeremyboger:

I've got another server that has the same setup and it is working fine now.  It is running at 172.27.48.XXX and subnet 255.255.240.0. It just found clients at 172.27.48.XXX, 172.27.49.XXX, and 172.27.50.XXX.  One of these it found was actually a computer without SEP installed, so that made me quite happy. Most of them were IP phones I had to exclude from the search. This server is set up the same as the one in question not detecting properly, so it appears I am on the same network as the clients.

ᗺrian:

And being that it's a /20, that is 4096 addresses, so yeah, I guess it should find it. You may want to call support for this one.


jeremyboger:

I don't know what this particular server's problem was, but it started working out of the blue this week.  After getting it working, I soon discovered what everyone else had discovered.  This is a horrible feature to try to manage.  It finds all routers as well as all IP phones we have.  The list is just going to be too large for me to handle on my own.  I only had 4 sites set up with unmanaged detectors and I was getting a ton of items every hour.

I finally gave up and disabled them for now.  Maybe in the future there will be an easier way to enter all of the MAC addresses you want to exclude perhaps with an import feature.  Manually entering them all just was not an option for me.  The unmanaged detector is a good thought, just needs some more tweaking to make it practical in large environments such as ours.

SameerU:

Hi

Have you faced the issue that the unmanaged detector is detecting the managed clients also?

Regards

hanl:

Unmanaged Client Detector detects devices other than computers.

We are in a VoIP environment (no voice VLAN created yet).

What is the best way to separate computers and non-computer devices, apart from entering hundreds of MAC addresses or IP addresses? What is Symantec's recommendation?

ᗺrian:

The only way is to add exceptions.
