We have several odd rogue devices showing up that appear inconsistent in terms of reporting and accuracy. The rogues in question show up in ePO as you can see in the attachment "rogue issue 1". Running netstat -a on my workstation (seen in the attachment "netstat"), you can see the top entry is the same canonical name as what shows up in the ePO dashboard.
These rogues were NOT detected by my workstation although it would appear that my workstation and the workstation that was detecting the rogue were both connected to this particular device while on different subnets.
Other rogues that came up with identical issues were with IPs attributed to Apple and Akamai (Microsoft).
Please advise, as these appear as false positives but something looks to be incorrect with how rogue devices are being detected. Thanks!
A sensor will detect all traffic that it sees, regardless of where it is from. You can limit what the sensor scans and exclude subnets in server settings. Under server settings, rogue system sensor, you can exclude external subnets. Otherwise ensure the sensor is not installed on systems that will go external at times out of your network, such as a laptop.
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
This is a rogue sensor/ePO system that has been in place some time before I came on and managed it. Are you saying that rogue sensors should only be deployed to workstations that never touch the external internet to be a true rogue device sensor? For example, they ONLY have visibility to internally routed IP addresses and subnets? Will I have to manually now go and add these IP blocks as they come up as rogues to our "ignored" section in detected subnets?
Thanks.
No, a sensor does not have to be installed on a system that never goes out to the Internet. What I meant was one that physically connects to other networks outside of the internal network, such as a laptop that connects to a home network, etc. That will pick up all kinds of unwanted traffic. This is the way ignored subnets are supposed to work. That is from the 5.0.3 RSD product guide, but it should not have changed any in later versions. If you are finding it is not ignoring the subnets as it should, then I would suggest opening a ticket with McAfee or testing using the latest version/extension.
Ignore subnets

You can ignore subnets that you don't want to receive information about from Rogue System Detection.

Ignoring a subnet deletes all detected interfaces associated with that subnet. All further detections on that subnet are also ignored. To view the list of ignored subnets, click the Ignored link in the Subnet Status monitor. This link appears only when there are subnets being ignored.

McAfee recommends that you do not choose to ignore subnets. If you ignore subnets, you have decided that a subnet can have rogue systems connected.

For option definitions, click ? in the interface.

Task
1 To open the Detected Subnets page, click Menu | Systems Section | Detected Systems, then click any category in the Subnet Status monitor.
To ignore subnets from the Detected Subnets Details page:
• Click Menu | Systems Section | Detected Systems, any category in the Subnet Status monitor, then any subnet.
• Click Menu | Systems Section | Detected Systems
2 Select the subnets that you want to ignore, click Actions, then select Detected Systems | Ignore.
3 In the Ignore dialog box, click OK.
4 When ignoring a subnet on the Detected Systems page in the Top 25 Subnets list, a dialog box opens. Click OK.
The software ignores the selected subnets and does not provide information about rogue systems on them.
Thanks for the reply. Unfortunately, with the current situation that is affecting us globally, we have many employees working from home and connecting to home networks as part of the VPN connectivity process. These particular rogues in question occurred at a location of ours that is a multi-tenant building, but we have plenty of employees working at home right now whose workstations could (and would) become rogue sensors during the rotation period.
Yeah, with systems connected to external networks, unfortunately, you would almost have to ignore all networks except your internal ones, or keep ignoring the ones that show up in ignored subnets. If you see behavior not expected on an ignored subnet, please open a ticket so we can check with dev. You might also want to consider instead installing the sensor on a DHCP server for your environment.
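The triage the thread arrives at (sensors on laptops see home and Internet addresses, and those subnets end up on the ignored list) can be done ahead of time by sorting detections into internal ones worth investigating and external ones that are ignore-list candidates. The script below is an added illustration, not McAfee's code or an ePO API; the internal subnets and the detection records are constructed samples, and ePO would be the real source of both.

```python
import ipaddress
from collections import defaultdict

# Constructed assumption: the subnets this organisation actually routes internally.
# Note that 192.168.1.0/24 (a typical home LAN) is deliberately NOT listed.
INTERNAL_SUBNETS = [ipaddress.ip_network(s)
                    for s in ("10.0.0.0/8", "172.16.0.0/12", "192.168.50.0/24")]

# Constructed sample detections: (sensor host, sensor's own IP, detected rogue IP).
DETECTIONS = [
    ("LAPTOP-01", "192.168.1.23", "192.168.1.1"),    # home router seen by a laptop on a home LAN
    ("WKS-HQ-07", "10.20.30.40", "10.20.30.77"),     # genuine detection on an internal subnet
    ("LAPTOP-02", "192.168.1.45", "17.253.144.10"),  # public address reached over the Internet
    ("LAPTOP-01", "192.168.1.23", "192.168.1.1"),    # same home router reported again
]

def is_internal(ip):
    """True if the address falls inside one of the organisation's own subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_SUBNETS)

def classify(detections):
    """Split detections into ones to investigate and candidate subnets to ignore.

    Returns (internal, external): internal is a list of (sensor, rogue_ip) pairs;
    external maps the /24 containing each external rogue to the set of sensors
    that reported it, which is what you would review before ignoring the subnet.
    """
    internal, external = [], defaultdict(set)
    for sensor, _sensor_ip, rogue_ip in detections:
        if is_internal(rogue_ip):
            internal.append((sensor, rogue_ip))
        else:
            net = ipaddress.ip_network(f"{rogue_ip}/24", strict=False)
            external[str(net)].add(sensor)
    return internal, dict(external)

def sensors_off_network(detections):
    """Sensors whose own address is outside the internal subnets: likely laptops at home."""
    return sorted({sensor for sensor, sensor_ip, _ in detections if not is_internal(sensor_ip)})
```

The sensors returned by sensors_off_network are the ones the reply above suggests keeping the sensor off, or replacing with a sensor on a DHCP server.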