I disagree with, or have trouble believing, the explanation on the "technical" side of how the unmanaged detector works.
(see this thread: https://www-secure.symantec.com/connect/forums/unmanaged-detector-usage)
This is part of what was stated:
When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the management server. The management server searches the ARP packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.
First, the alerts I get are NOT from machines just starting up. So the bit about catching the ARP packets from a machine starting up can't be 100% correct. Some of the machines have been on for a week, yet are detected time after time.
Second, ARP packets for IP and MAC, maybe, but I wonder, because it's giving us information that's bogus. I get a full-page email that shows 4 IP addresses associated with 1 MAC, or 4 MAC addresses associated with 1 IP. Further, some of the devices have not been here for over 2 weeks.
So my questions are as follows. So far, support (yeah, I opened a ticket!) can't deal with my questions and points me here to info that's old and not complete or correct.
WHY am I getting emails for machines not even in our building or on our subnets?
WHY does this email include devices that have not been on the network for weeks?
WHY does the report/email show anywhere from 1 to 4 MAC addresses associated with a single IP address?
WHY does my own computer show up on the list 2 times? Once at the top, then again later down after a few other address ranges?
WHY does it not start fresh each time and send an email with CURRENT information? It's annoying when the email keeps growing because it won't "forget" things detected weeks ago that aren't even on our network any more. Where is this info kept, and why does it keep sending the same old tired information?
Should it not keep detecting, then when it sends me the report, send ONLY what new info it gathered in the last hour (or whatever time-frame I request)?
How does one purge this old info, keeping in mind it took hours to set this up and configure every one of 30-some detectors with all the exclusions?
I opened a ticket and requested very technical info, and instead I get info from the forum that's just guesswork or not even correct. Sorry, this isn't what I expected out of support. I'd like an engineer to answer; otherwise I'd have posted here to begin with! When I open a ticket, it means I've done all the searching here and elsewhere, all online resources, and came up empty. So I open a ticket, hoping for a tech who can then forward the request as needed.
Sorry, still waiting for a technically correct reply, hopefully from an engineer who can explain the above. Yeah, I've been tasked with this, and my very technical team lead would like to know what all the bad info in the report is, and why it keeps reporting the same stuff, even stuff that's been gone for weeks.