
Unmanaged Detector works

Created: 23 Feb 2011 | 8 comments

How Unmanaged detector works

If we configure one machine as an unmanaged detector, it will send ARP packets to detect unmanaged machines. Right?

Is it possible that when an ARP packet is sent by the unmanaged detector, it will get the details (IP and MAC address) of switches, routers, or any hardware device installed on the network, so they could be detected by the unmanaged detector?

Sometimes it is very tough to understand which is a desktop IP, which is a switch IP, and which are others. And one more thing: why do we require an unmanaged detector?

Am I right with the above statement? Correct me if I am wrong.

What are the positive features of the unmanaged detector?

What are the negative features of the unmanaged detector?


_Brian's picture

Yes, you will also receive responses from routers, switches, or other hardware. These can be added to the exclusion list.

Positive is you can find clients not running SEP or unmanaged SEP clients.

Negative is you get a ton of IPs showing from other devices as already mentioned above. Also, if you have multiple subnets, you need an unmanaged detector on each subnet unless you allow your VLANs to talk to one another.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

gagandeepgulati@hotmail.com's picture

Thanks Brian

One more thing: that means we get all internal IP details from the network team (switches, routers, and other H/D for exclusion), right?

Can you please explain the negative part of the unmanaged detector?

How does the unmanaged detector know which machines have the SEP client installed and which do not? If my unmanaged detector sends ARP packets to get the IP and MAC details, how does it know about the SEP agent details (whether it is installed or not)?

_Brian's picture

Yes, you will get all those IPs

The unmanaged detector will simply check to see if SEP is installed.

http://98.129.119.162/connect/ja/forums/what-unman...


gagandeepgulati@hotmail.com's picture

What is your opinion? Is the comment below OK if I show it in front of management?

If we create unmanaged detectors on a subnet basis, how many unmanaged detectors do we need to configure and manage? Otherwise communication should be open to each and every VLAN if we create 1 unmanaged detector.

We have to add switches, routers and all additional hardware IP details to the exclusion list to avoid the IP and MAC address information. (This will unnecessarily increase our load of communicating with teams to know the IP information.)

Please tell me more challenges when we implement the unmanaged detector.

_Brian's picture

Depends on the size of your network.

I manage 10k clients with hundreds of subnets with closed VLANs. I won't even bother to use the unmanaged detector. Trying to exclude unnecessary devices such as routers, switches, etc. took up more time than I had. Not to mention the exclusions didn't appear to work when entered.

Your best bet is to go with SNAC.

Unmanaged detector is a nice feature in theory but doesn't work for me on a large network.


pete_4u2002's picture

It will list all devices which are based on IP address. End users need to know which are the devices on which SEP can be installed.

greg12's picture

There are a lot of dissenting opinions on how unmanaged detectors work. As I understand, unmanaged detectors aren't sending ARP packets but just collect them from other devices and forward them to the SEPM. That's all.

SEP RU6 admin guide, p. 74:

"When a device starts up, its operating system sends ARP traffic to the network
to let other computers know of the device's presence. A client that is enabled as
an unmanaged detector collects and sends the ARP packet information to the
management server. The management server searches the ARP packet for the
device's MAC address and the IP address. The server compares these addresses
to the list of existing MAC and IP addresses in the server's database. If the server
cannot find an address match, the server records the device as new. You can then
decide whether the device is secure. Because the client only transmits information,
it does not use additional resources."
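The comparison the quoted admin guide passage describes, together with the exclusion list mentioned earlier in the thread, sketched as an added Python example (not Symantec code and not written by any poster here). The function names, the `KNOWN` and `EXCLUDED_IPS` sets, and every MAC and IP address are constructed for illustration, and matching on the (MAC, IP) pair is an assumption about how the server's lookup works.

```python
import ipaddress
import struct

def build_arp(mac, ip, ethertype=0x0806):
    """Build a constructed 42-byte broadcast ARP announcement for the sample data."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = ipaddress.IPv4Address(ip).packed
    eth = b"\xff" * 6 + sha + struct.pack("!H", ethertype)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + spa

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, str(ipaddress.IPv4Address(frame[28:32]))

def find_new_devices(frames, known, excluded_ips):
    """Mimic the server-side comparison: report senders with no match in `known`."""
    new = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP, or truncated capture
        mac, ip = parsed
        if ip == "0.0.0.0":               # ARP probe: sender has no address yet
            continue
        if ip in excluded_ips or (mac, ip) in known:
            continue                      # router/switch exclusion, or already managed
        new[mac] = ip
    return new

# Constructed sample data (documentation address range, made-up MACs).
KNOWN = {("00:11:22:33:44:55", "192.0.2.10")}   # assumed copy of the server's client list
EXCLUDED_IPS = {"192.0.2.1"}                     # assumed switch/router exclusion list
SAMPLE_FRAMES = [
    build_arp("00:11:22:33:44:55", "192.0.2.10"),          # managed desktop
    build_arp("00:aa:bb:cc:dd:01", "192.0.2.1"),           # switch, excluded
    build_arp("02:00:00:00:00:57", "192.0.2.57"),          # not in the database
    build_arp("02:00:00:00:00:99", "192.0.2.99", 0x0800),  # not ARP, ignored
    build_arp("02:00:00:00:00:57", "192.0.2.57")[:20],     # truncated, ignored
]

if __name__ == "__main__":
    print(find_new_devices(SAMPLE_FRAMES, KNOWN, EXCLUDED_IPS))
```

Because only ARP traffic is compared, the result says that an address is unknown to the server, not what kind of device it is, which is why the thread's exclusion list for routers and switches matters.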

Mithun Sanghavi's picture

Hello,

Yes, unmanaged detectors aren't sending ARP packets but just collect them from other devices and forward them to the SEPM.

What does it mean to set a client as an Unmanaged Detector?

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/8e056b2507538a29882574b10077d6db?OpenDocument

Your Question: Is it possible that when an ARP packet is sent by the unmanaged detector, it will get the details (IP and MAC address) of switches, routers, or any hardware device installed on the network, so they could be detected by the unmanaged detector?

Answer: Yes, you will also receive responses from routers, switches, or other hardware. These can be added to the exclusion list.

How do I configure exceptions for the "unmanaged detector" from Symantec Endpoint Protection Manager (SEPM)?

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/536612ff7d5ddabf49257615004db981?OpenDocument

Your Question: Sometimes it is very tough to understand which is a desktop IP, which is a switch IP, and which are others. And one more thing: why do we require an unmanaged detector?

Answer: The best way to understand whether they are desktop IPs or switch IPs is to run the wizard "Find Unmanaged Computers".

Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/237ca58329dbaf81c1257403004b2470?OpenDocument

Also, Greg above has provided the right information from the Admin guide.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.