
Unmanaged Detectors in User Mode

Created: 21 Aug 2013 | 10 comments

We currently have approximately 200 desktop machines running SEP in Computer Mode that we are in the process of switching to User Mode.

We're doing this mainly to satisfy the issues with device control.  Permissions will travel with a user and it will stop those without permission from logging into machines with USB access open!

We've always used the Unmanaged Detectors to let us know if SEP is not installed on one of the desktop machines. It's quite rare but sometimes helpdesk staff can forget to install it when building PCs so having an extra level of checks is never a bad thing.

I know that User Mode clients cannot run as Unmanaged Detectors.

Is there any way that we can be automatically notified if one of our desktop machines doesn't have SEP installed when the whole subnet is running in User Mode?

 


Rafeeq's picture

Good Question.

User Mode clients or clients without the firewall component (NTP) cannot act as unmanaged detectors.

http://www.symantec.com/business/support/index?page=content&id=TECH105722

xGemmax's picture

Unfortunately the article only tells me what I already know - I cannot have Unmanaged Detectors that are in User Mode.

I'm looking for an alternative to Unmanaged Detectors that can be utilised in User Mode.

Mithun Sanghavi's picture

Hello,

In order to act as an unmanaged detector, SEP clients must have Network Threat Protection (NTP) enabled and be in Computer Mode. User Mode clients or clients without the firewall component (NTP) cannot act as unmanaged detectors.

Check this Article:

What does it mean to set a client as an Unmanaged Detector?

http://www.symantec.com/docs/TECH183746

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

xGemmax's picture

Unfortunately the article only tells me what I already know - I cannot have Unmanaged Detectors that are in User Mode.

I'm looking for an alternative to allow me to keep an eye on what machines don't have SEP installed.

Mithun Sanghavi's picture

Hello,

Currently, there is no alternative for UnManaged Detector in SEP 12.1.

Listening for ARP requests is the canonical way to do this. Independent of DHCP or not, any connected computer that wishes to communicate with the outside world will have to make an ARP request for the address of the default router. This request will go out as a broadcast, and contain the source interface's MAC and IP addresses.

If the other computer uses DHCP, it will make an ARP request for its own address as part of duplicate address detection, which is also a broadcast you can snoop on.

(This works more or less the same way for IPv6, except you need to look for neighbor discovery or router solicitation packets instead.)

Like the answer alluded to, if you have a switch to which you can telnet or use SNMP on, you can extract the MAC table. That will give you a list of MAC addresses on each port in the switch. If you want the IP addresses however, you still need to listen for ARPs.

On the other hand, if you have access to the default gateway on the network, you can also look at the ARP table there. That will give you MAC and IP addresses for anyone that has recently (for different values of recently...) communicated with it.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
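
The ARP-listening approach described in the comment above, as an added example that is not part of the original thread or any Symantec tooling: it parses broadcast ARP request frames, handles the DHCP duplicate-address probe (sender IP 0.0.0.0, per RFC 5227), and lists senders missing from a managed-client inventory. The function names, MAC addresses and the `MANAGED_MACS` set are hypothetical, the frames are constructed sample data, and feeding it live frames from a capture source is assumed to happen elsewhere.

```python
import ipaddress
import struct

def parse_arp_request(frame: bytes):
    """Return (mac, ip) announced by an Ethernet ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType ARP
        return None
    # Only Ethernet/IPv4 ARP with opcode 1 (request) is of interest here.
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    # A DHCP client's duplicate address probe has sender IP 0.0.0.0;
    # the address it is about to use is in the target field instead.
    ip = tpa if spa == b"\x00" * 4 else spa
    return ":".join(f"{b:02x}" for b in sha), str(ipaddress.IPv4Address(ip))

def hosts_missing_from_inventory(frames, managed_macs):
    """Map MAC -> last seen IP for ARP senders not in the managed set."""
    managed = {m.lower() for m in managed_macs}
    seen = {}
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed and parsed[0] not in managed:
            seen[parsed[0]] = parsed[1]
    return seen

def build_arp_request(mac, sender_ip, target_ip):
    """Construct a sample broadcast ARP request (test data only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sha + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

# Constructed traffic: a managed PC, an unknown PC, and an unknown PC's DHCP probe.
SAMPLE_FRAMES = [
    build_arp_request("00:11:22:33:44:55", "192.0.2.10", "192.0.2.1"),
    build_arp_request("00:11:22:33:44:66", "192.0.2.20", "192.0.2.1"),
    build_arp_request("00:11:22:33:44:77", "0.0.0.0", "192.0.2.30"),
]
MANAGED_MACS = {"00:11:22:33:44:55"}  # hypothetical export of SEP client MACs

if __name__ == "__main__":
    missing = hosts_missing_from_inventory(SAMPLE_FRAMES, MANAGED_MACS)
    for mac, ip in missing.items():
        print(f"{ip}\t{mac}\tnot in managed inventory")
```

VLAN-tagged frames (EtherType 0x8100) are not unwrapped here and would be skipped.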

Rafeeq's picture

Only an unmanaged detector can give you that info.

Earlier we used to have NST.exe; it's no more, and they removed the link to the KB as well.

 

greg12's picture

No, it's not possible. To know the unmanaged clients (i.e., endpoints being unmanaged or without SEP) SEPM needs the information of Unmanaged detectors to trigger a notification.

In SEP 12.1, you can misuse the Client Deployment Wizard to gather all the PCs without SEP, but of course this does not trigger a notification (and does not differentiate between unmanaged and managed clients).

xGemmax's picture

All this sounds like a very roundabout way of doing things.

I think I've sort of fixed the issue by running one PC on the subnet in Client Mode and using that as an Unmanaged Detector!

Voila!

Will let you know if it works.

xGemmax's picture

So the solution worked and I am getting a notification of the unmanaged computers - excellent!

However, the report contains two subnets.  One of which is our VOIP phone system that is connected to the same switch.

How can I tell the Unmanaged detector not to look at this subnet, or the notification to not tell me about it?