Endpoint Protection

  • 1.  unmanaged detector usage take 2

    Posted Feb 08, 2011 03:45 PM

    I disagree with, or have trouble believing the explanation on the "technical" side of how the unmanaged detector works.

    (see this thread: https://www-secure.symantec.com/connect/forums/unmanaged-detector-usage)

    This is part of what was stated:
    When a device starts up, its operating system sends ARP traffic to the network to let other computers know of the device's presence. A client that is enabled as an unmanaged detector collects and sends the ARP packet information to the management server. The management server searches the ARP packet for the device's MAC address and the IP address. The server compares these addresses to the list of existing MAC and IP addresses in the server's database. If the server cannot find an address match, the server records the device as new. You can then decide whether the device is secure. Because the client only transmits information, it does not use additional resources.

    First, the alerts I get are NOT from machines just starting up.  So the bit about catching the arp packets from a machine starting up can't be 100% correct. Some of the machines have been on for a week, yet are detected time after time.

    Second - arp packets for IP and MAC - maybe, but I wonder - because it's giving us information that's bogus. I get a full page email that shows 4 IP addresses associated with 1 MAC, or 4 MAC addresses associated with 1 IP. Further, some of the devices have not been here for over 2 weeks.

    So my question is - and so far, support (yeah, I opened a ticket!) can't deal with my questions - and point me here to info that's old and not complete or correct.
    WHY am I getting emails for machines not even in our building or on our subnets?
    WHY does this email include devices that have not been on the network for weeks?
    WHY does the report/email show anywhere from 1 to 4 MAC addresses associated with a single IP address?
    WHY does my own computer show up on the list 2 times? Once at the top, then again later down after a few other address ranges?
    WHY does it not start fresh each time and send an email with CURRENT information?????? It's annoying when the email keeps growing as it won't "forget" things detected weeks ago, but which aren't even on our network any more? Where is this info kept and why does it keep sending the same old tired information?
    Should it not keep detecting, then when it sends me the report, send ONLY what new info it gathered in the last hour (or whatever time-frame I request)?
    How does one purge this old info - keeping in mind it took hours to set this up and configure every one of 30 some detectors with all the exclusions.....

    I opened a ticket and requested very technical info, and instead I get info from the forum that's just guess-work or not even correct. Sorry, this isn't what I expected out of support. I'd like an engineer to answer, otherwise I'd have posted here to begin with!!! When I open a ticket, it means I've done all the searching here and elsewhere - all online resources and came up empty. So I open a ticket, hoping for a tech who can then forward the request as needed.

    Sorry, still waiting for a technically correct reply, hopefully from an engineer who can explain the above. Yeah, I've been tasked with this and my very technical team lead would like to know what all the bad info in the report is, and why it keeps reporting the same stuff - even stuff that's been gone for weeks.

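The quoted mechanism above (collect ARP sightings, compare MAC/IP against the known-client list, record what is new) is the part of the thread that can be shown concretely. The following is an added illustration, not Symantec's code or anything posted in this thread: it keys sightings by MAC so a host that changed DHCP address is one row instead of several, ages out sightings not seen within a retention period, ignores foreign subnets, and reports only hosts first seen inside the requested window. The sightings, subnets and time values are constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample input: ARP sightings as a detector might forward them,
# as (timestamp, IP, MAC). Assumed layout, not the product's actual format.
OBSERVATIONS = [
    ("2011-02-08 09:05", "10.1.1.20", "aa:aa:aa:aa:aa:01"),  # managed client
    ("2011-02-08 09:07", "10.1.1.21", "bb:bb:bb:bb:bb:02"),  # unknown, seen hours ago
    ("2011-02-08 14:50", "10.1.1.21", "cc:cc:cc:cc:cc:03"),  # DHCP reused .21
    ("2011-02-08 15:10", "10.1.1.22", "cc:cc:cc:cc:cc:03"),  # same host, new lease
    ("2011-01-20 11:00", "10.1.1.40", "dd:dd:dd:dd:dd:04"),  # gone for weeks
    ("2011-02-08 15:20", "10.9.9.5",  "ee:ee:ee:ee:ee:05"),  # not one of our subnets
]
MANAGED_MACS = {"aa:aa:aa:aa:aa:01"}            # MACs already known to the server
OUR_SUBNETS = [ipaddress.ip_network("10.1.1.0/24")]
FMT = "%Y-%m-%d %H:%M"

def build_inventory(observations):
    """Aggregate sightings by MAC, so a host that changed IP is one entry
    with several IPs rather than several rows (or several MACs per IP)."""
    inv = {}
    for ts, ip, mac in observations:
        t = datetime.strptime(ts, FMT)
        e = inv.setdefault(mac, {"first": t, "last": t, "ips": set()})
        e["first"], e["last"] = min(e["first"], t), max(e["last"], t)
        e["ips"].add(ip)
    return inv

def new_unmanaged(observations, managed, subnets, now, window_hours, max_age_days):
    """Report unknown MACs on our subnets that were first seen within the
    window and seen at all within max_age; older sightings age out."""
    now = datetime.strptime(now, FMT)
    report = []
    for mac, e in build_inventory(observations).items():
        if mac in managed or now - e["last"] > timedelta(days=max_age_days):
            continue                                  # known, or stale: purge
        if now - e["first"] > timedelta(hours=window_hours):
            continue                                  # already reported earlier
        ips = sorted(ip for ip in e["ips"]
                     if any(ipaddress.ip_address(ip) in n for n in subnets))
        if ips:                                       # ignore foreign subnets
            report.append((mac, ips, e["first"].strftime(FMT), e["last"].strftime(FMT)))
    return sorted(report)

def sample_report():
    """Hourly report at 15:30 with 7-day retention: one row for the one new host."""
    return new_unmanaged(OBSERVATIONS, MANAGED_MACS, OUR_SUBNETS,
                         "2011-02-08 15:30", window_hours=1, max_age_days=7)
```

Widening the window to 24 hours adds the host seen at 09:07, while the host last seen in January and the host on the foreign subnet never appear.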


  • 2.  RE: unmanaged detector usage take 2

    Posted Aug 06, 2011 10:06 PM

    Have you gotten an answer on this? I have the same questions...



  • 3.  RE: unmanaged detector usage take 2

    Posted Aug 08, 2011 08:34 AM

    No - in fact, I've finally had to stop using this as it's pretty much worthless. After a few weeks, you get emails loaded with hundreds of computers listed, IP and MAC address duplication, stuff from weeks if not months ago, yet a check from the console shows NO unmanaged clients!!!

    Don't bother with a support ticket - the tech will simply link you back to this forum with answers that are wrong, incorrect, or that don't actually answer the question.

    Bad timing for me - we're evaluating all the endpoint protection products and coming up with criteria - support will be one of them and I've got to say that of the 3 things I've asked or created support tickets for in the past few months - only 1 really got a good reply. I do a bit better on the forums, but this is among multiple unanswered questions for me, so I will have to be honest - great product, but their support doesn't really know much about it.

    LOL - my ADHD digression here - in short, no - no answer, support couldn't even answer me, so I had to stop using it and mark it in my manual here at work as pretty much "ignore, it doesn't really work well".



  • 4.  RE: unmanaged detector usage take 2

    Posted Aug 08, 2011 08:46 AM

    Do you have an SE?

    I'm just curious because the one we have is very helpful. I was always told to open a ticket so it is in the system and can be tracked and from there they can get it escalated all the way to the back line engineers. From which point, I get my problems resolved. I don't open many support cases but when I do they get solved pretty quickly.

    I've always questioned the first level of support but when it gets escalated, I usually get a great amount of help.



  • 5.  RE: unmanaged detector usage take 2

    Posted Aug 08, 2011 09:02 AM

    Wish I had that sort of luck. Mine was closed with no further ado.

    Maybe I need to start all over again (I get sick to death of restating the facts 10 times to as many different folks instead of them noting and sharing the info, so I often give up. I don't have time or patience to be typing it all that many times over and over until I feel like I'm talking to myself as no one else is listening).

    I wanted to state to them "what part of BAD ANSWER don't they get" but gave up instead. If they can't answer it to my satisfaction, it should automatically be kicked up. I shouldn't have to work so hard on it.

    It takes less time to run the scans for computers MANUALLY than to deal with support for many hours. Problem is, then things might get missed.

    We are government - support is minimal, no platinum, etc. I have no idea any more who the SEs or engineers, etc. are, as I've had no contact from anyone in what may be a year or more. When the boss does, he keeps it to himself.

    Last time I tried to ask a question, I got a "I'll have to check with xxxx" and it was never brought up again.

    Our things to do and hats to wear mean I can't follow-up on every issue unless it totally breaks or blows up, so a lot of stuff we just live with.



  • 6.  RE: unmanaged detector usage take 2

    Posted Sep 07, 2011 02:49 AM

    Hi shadow

    Is your issue resolved?

    I faced the same issue for a long, long time and suffered the same pain as you!!

    I suspect it may be because of the ghosting / imaging technique used along with Symantec Endpoint installed.

    Are your network systems ghosted / imaged?