rbecker
Level 9
Message 1 of 6

Rogue Detection alerting to traffic from Google and Apple

We have several odd rogue devices showing up that appear inconsistent in terms of reporting and accuracy.  The rogues in question show up in ePO as you can see in the attachment "rogue issue 1".  Running netstat -a on my workstation (seen in the attachment "netstat") you can see the top entry is the same canonical name as what shows up in the ePO dashboard.

These rogues were NOT detected by my workstation although it would appear that my workstation and the workstation that was detecting the rogue were both connected to this particular device while on different subnets.

Other rogues that came up with identical issues were with IPs attributed to Apple and Akamai (Microsoft).

Please advise, as these appear as false positives but something looks to be incorrect with how rogue devices are being detected. Thanks!

5 Replies
cdinet
McAfee Employee
Message 2 of 6

Re: Rogue Detection alerting to traffic from Google and Apple

A sensor will detect all traffic that it sees, regardless of where it is from.  You can limit what the sensor scans and exclude subnets in server settings.  Under server settings, rogue system sensor, you can exclude external subnets.  Otherwise ensure the sensor is not installed on systems that will go external at times out of your network, such as a laptop.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

rbecker
Level 9
Message 3 of 6

Re: Rogue Detection alerting to traffic from Google and Apple

This is a rogue sensor/ePO system that has been in place some time before I came on and managed it.  Are you saying that rogue sensors should only be deployed to workstations that never touch the external internet to be a true rogue device sensor?  For example, they ONLY have visibility to internally routed IP addresses and subnets?  Will I have to manually now go and add these IP blocks as they come up as rogues to our "ignored" section in detected subnets?

Thanks.

cdinet
McAfee Employee
Message 4 of 6

Re: Rogue Detection alerting to traffic from Google and Apple

No, a sensor does not have to be installed on a system that never goes out to the Internet.  What I meant was one that physically connects to other networks outside of the internal network, such as a laptop that connects to a home network, etc.  That will pick up all kinds of unwanted traffic.  This is the way ignored subnets are supposed to work.  That is from the 5.0.3 RSD product guide, but should not have changed any in later versions.  If you are finding it is not ignoring the subnets as it should, then I would suggest opening a ticket with McAfee or testing using the latest version/extension.

Ignore subnets

You can ignore subnets that you don't want to receive information about from Rogue System Detection.

Ignoring a subnet deletes all detected interfaces associated with that subnet. All further detections on that subnet are also ignored. To view the list of ignored subnets, click the Ignored link in the Subnet Status monitor. This link appears only when there are subnets being ignored.

McAfee recommends that you do not choose to ignore subnets. If you ignore subnets, you have decided that a subnet can have rogue systems connected.

For option definitions, click ? in the interface.

Task

1. To open the Detected Subnets page, click Menu | Systems Section | Detected Systems, then click any category in the Subnet Status monitor.
   To ignore subnets from the Detected Subnets Details page:
   • Click Menu | Systems Section | Detected Systems, any category in the Subnet Status monitor, then any subnet.
   • Click Menu | Systems Section | Detected Systems
2. Select the subnets that you want to ignore, click Actions, then select Detected Systems | Ignore.
3. In the Ignore dialog box, click OK.
4. When ignoring a subnet on the Detected Systems page in the Top 25 Subnets list, a dialog box opens. Click OK.

The software ignores the selected subnets and does not provide information about rogue systems on them.


rbecker
Level 9
Message 5 of 6

Re: Rogue Detection alerting to traffic from Google and Apple

Thanks for the reply.  Unfortunately, with the current situation that we are being affected by globally, we have many employees working from home and connecting to home networks as part of the VPN connectivity process.  These particular rogues in question occurred at a location of ours that is a multi-tenant building, but we have plenty of employees working at home right now whose workstations could (and would) become rogue sensors during the rotation period.

cdinet
McAfee Employee
Message 6 of 6

Re: Rogue Detection alerting to traffic from Google and Apple

Yea, with systems connected to external networks, unfortunately, you would almost have to ignore all networks except your internal ones, or keep ignoring the ones that show up in ignored subnets.  If you see behavior not expected on an ignored subnet, please open a ticket so we can check with dev.  You might also want to consider instead installing the sensor on a DHCP server for your environment.

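As an added example, not from the thread or from McAfee, a small Python triage of constructed RSD-style detections that follows the advice above: only the address space the organization owns is treated as internal, every other detection is grouped into a /24 candidate for the ignored-subnets list, and the reporting sensor host is kept so that sensors on roaming laptops stand out. The internal ranges, IP addresses and hostnames are assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Address space the organization actually owns; only detections inside it can be
# real rogues. Assumed ranges for this example, not taken from the thread.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample of RSD-style detections: (detected IP, reporting sensor host).
# Made-up values, not the thread's attachments.
DETECTIONS = [
    ("142.250.74.14", "WS-FINANCE-07"),   # public endpoint the sensor host itself talked to
    ("142.250.74.99", "WS-FINANCE-07"),
    ("17.253.144.10", "WS-HR-02"),        # another public endpoint
    ("10.20.5.77", "WS-HR-02"),           # internal and unmanaged: a real candidate
    ("169.254.10.3", "WS-HR-02"),         # link-local chatter
    ("192.168.1.1", "LAPTOP-REMOTE-11"),  # home router seen by a sensor on a VPN laptop
]


def classify(ip_str):
    """Return 'noise', 'internal' or 'external' for one detected address."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "noise"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"  # public, or a private range we do not own (e.g. a home LAN)


def triage(detections, prefix=24):
    """Split detections into rogues worth reviewing and subnets to add to the ignore list.

    External addresses are grouped into /prefix blocks so one ignore entry covers a
    whole CDN or home-LAN range instead of one address at a time.
    """
    review = []
    ignore = defaultdict(set)  # subnet -> sensors that reported something in it
    for ip, sensor in detections:
        kind = classify(ip)
        if kind == "internal":
            review.append((ip, sensor))
        elif kind == "external":
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            ignore[str(net)].add(sensor)
    return {"review": review, "ignore_subnets": dict(sorted(ignore.items()))}


if __name__ == "__main__":
    result = triage(DETECTIONS)
    print("review:", result["review"])
    for net, sensors in result["ignore_subnets"].items():
        print(f"ignore {net:18} seen by {', '.join(sorted(sensors))}")
```

A sensor host that keeps appearing in the "seen by" column for non-corporate private ranges is the roaming laptop the reply warns about, and is a candidate for having the sensor removed rather than for more ignore entries.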
