Level 11
Message 1 of 10

RSD and false positives

Hi,

We have recently implemented RSD in our environment, and I have noticed that it is reporting a couple of false positives; for example, laptops that already have the McAfee Agent installed are being reported as rogue with no agent. Our Matching Detected Systems is set to the default MAC and Hostname/Domain (pair). Is there a way to find out or better understand why the laptop is being reported as rogue?

Many thanks.

9 Replies
McAfee Employee
Message 2 of 10

Re: RSD and false positives

Look closely at the domain name pairing and properties of the system that is being counted as rogue.  Often there is something that isn't quite matching up in the criteria.  The domain name would need to match exactly.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Level 11
Message 3 of 10

Re: RSD and false positives

Thanks for your reply. I had a false positive this morning, and this time I have noticed that the MAC address reported in the system information was different. The laptop reported as rogue was using the wireless card when it was reported. All our laptops have built-in wireless and NIC cards, and they would more often connect via LAN cables; however, they also switch to wireless when moving around the building or visiting other sites. Is there a way to prevent this type of false positive?
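
A triage sketch for the two causes raised in the posts above (a domain that does not match, and a second NIC whose MAC differs), as an added example that is not part of the original thread and does not reproduce RSD's own matching logic. It compares detections against an inventory that lists every NIC per managed system; the CSV columns, sample rows and category names are constructed assumptions.

```python
import csv, io, re

# Constructed sample exports; column names are assumptions, not an ePO/RSD format.
MANAGED = """hostname,domain,macs
LAPTOP-01,corp.example,00:11:22:33:44:55
LAPTOP-02,corp.example,00:11:22:33:44:66;00:11:22:33:44:67
"""
DETECTED = """hostname,domain,mac
laptop-01,corp.example,AA-BB-CC-00-00-01
LAPTOP-02,CORP,00:11:22:33:44:67
LAPTOP-02,corp.example,00-11-22-33-44-67
PRINTER-9,corp.example,AA:BB:CC:00:00:09
"""

def norm_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so separators and case are ignored."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def load_managed(text):
    """Index managed systems by every known NIC MAC and by (hostname, domain)."""
    by_mac, names = {}, set()
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["hostname"].lower(), row["domain"].lower())
        names.add(key)
        for mac in row["macs"].split(";"):
            by_mac[norm_mac(mac)] = key
    return by_mac, names

def classify(det, by_mac, names):
    """Explain why one detection does or does not line up with the inventory."""
    key = (det["hostname"].lower(), det["domain"].lower())
    mac = norm_mac(det["mac"])
    if by_mac.get(mac) == key:
        return "matches-inventory"
    if key in names:
        return "known-host-unknown-mac"   # e.g. a wireless NIC missing from inventory
    if mac in by_mac or key[0] in {h for h, _ in names}:
        return "domain-or-name-mismatch"  # MAC or hostname known, the pair is not
    return "unknown-device"

def triage(managed_text, detected_text):
    by_mac, names = load_managed(managed_text)
    return [(d["hostname"], d["mac"], classify(d, by_mac, names))
            for d in csv.DictReader(io.StringIO(detected_text))]

if __name__ == "__main__":
    for row in triage(MANAGED, DETECTED):
        print(*row, sep="\t")
```

Hostnames and domains are compared case-insensitively here, which is an assumption of this sketch; a short domain name against a fully qualified one still counts as a mismatch.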

McAfee Employee
Message 4 of 10

Re: RSD and false positives

What version of RSD are you running for the client and extension versions?

Level 11
Message 5 of 10

Re: RSD and false positives

RSD Agent 5.0.6.125
RSD Ext. 5.0.6.123
ePO 5.9.1

McAfee Employee
Message 6 of 10

Re: RSD and false positives

Hello Linuxxo, 

Another feature we have is actually under the Automatic Response area of ePO. You can enable the Automatic Response called "RSD: Query New Rogue Detection".

This will actively ping newly detected rogue systems in an attempt to interrogate the installed agent. 

If the agent replies, it will list it as a managed system. It does require some specific MA policy configuration so I would also ask that you review https://kc.mcafee.com/corporate/index?page=content&id=KB91544

 

Thanks

Brian Barnes

Level 11
Message 7 of 10

Re: RSD and false positives

Thanks for your solution. I have enabled the automatic query as per suggestion. However, the KB provided seems to apply to environments that have multiple ePO servers. In our case, we only have one ePO and one standalone Agent Handler on the DMZ.

McAfee Employee
Message 8 of 10

Re: RSD and false positives

That shouldn't matter.  It is meant to query the agent for which server it belongs to.  If it finds it belongs to your ePO server, it should still then list it as a managed agent instead of rogue.

Level 11
Message 9 of 10

Re: RSD and false positives

So in this case, looking at the KB, I am assuming that I can skip steps 1a and 1b since we do not have alternative ePO servers and we use the default 8081 port.

Whilst step two is not very clear, it seems to refer to the McAfee Agent policies, and in that case we do have all options enabled.

McAfee Employee
Message 10 of 10 (Accepted Solution)

Re: RSD and false positives

That is correct, you don't need to put in alternate port if none exists.
