Hi,
We have recently implemented RSD in our environment, and I have noticed that it is reporting a couple of false positives; for example, laptops that already have the McAfee Agent installed are being reported as rogue with no agent. Our Matching Detected Systems is set to the default MAC and Hostname/Domain (pair). Is there a way to find out or better understand why the laptop is being reported as rogue?
Many thanks.
Look closely at the domain name pairing and properties of the system that is being counted as rogue. Often there is something that isn't quite matching up in the criteria. The domain name would need to match exactly.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Thanks for your reply. I had a false positive this morning, and this time I noticed that the MAC address reported in the system information was different. The laptop reported as rogue was using the wireless card when it was reported. All our laptops have built-in wireless and NIC cards, and they would more often connect via LAN cables; however, they also switch to wireless when moving around the building or visiting other sites. Is there a way to prevent this type of false positive?
What version of RSD are you running for the client and extension versions?
RSD Agent 5.0.6.125
RSD Ext. 5.0.6.123
ePO 5.9.1
Hello Linuxxo,
Another feature we have is actually under the Automatic Response area of ePO. You can enable the Automatic Response called "RSD: Query New Rogue Detection".
This will actively ping newly detected rogue systems in an attempt to interrogate the installed agent.
If the agent replies, it will list it as a managed system. It does require some specific MA policy configuration so I would also ask that you review https://kc.mcafee.com/corporate/index?page=content&id=KB91544
Thanks
Brian Barnes
Thanks for your solution. I have enabled the automatic query as per your suggestion. However, the KB provided seems to apply to environments that have multiple ePO servers. In our case, we only have one ePO and one standalone Agent Handler on the DMZ.
That shouldn't matter. It is meant to query the agent for which server it belongs to. If it finds it belongs to your ePO server, it should still then list it as a managed agent instead of rogue.
So in this case, looking at the KB, I am assuming that I can skip step 1a and 1b since we do not have alternative ePO servers and we use the default 8081 port.
Step two is not very clear, but it seems to refer to the McAfee Agent policies, and in that case we do have all options enabled.
That is correct, you don't need to put in alternate port if none exists.