Has anyone gotten this working properly?
I have been using RSD for a long time now and am trying to deploy HIPS on all the workstations. The RSD sensor is caught as an intrusion detection unless I manually add the IP to the trusted networks list. Doing that is a real pain. I have just over 20 RSD sensors on my networks and every time one of them gets a new IP address via DHCP I start getting calls about Intrusion detection warnings. So I have to run a query for RSD sensors and check it against the current exceptions. This process is very time consuming and inefficient.
If I understand the question correctly the problem is that when the RSD sensor does a port scan on a client HIPS is triggering a NIPS port scan attack signature (SignatureID 3700 or 3701). If that is true then the solution is to add the IP address of all of your RSD Sensors to the HIPS Trusted Networks policy. You have to add the IP address for each sensor individually because in my experience it doesn't seem to work when you add a range (only this particular thing does not seem to work).
This is the only solution really because you cannot add exclusions for NIPS signatures. You could turn off the port scan NIPS signatures completely I suppose but that would be less secure.
I think you understood my question correctly. I am already adding the RSD sensors to the HIPS Trusted Networks policy. However, the process of adding them to the policy every time the RSD sensor gets a new DHCP address is a pain.
I would like to automate the process somehow. I have a query setup that finds all of the RSD sensors IP address and I would like to create a server task that adds the RSD sensors to the HIPS Trusted Networks policy automagically.
I don't know if this is even possible, but I can't be the only one having this issue.
I would hate to be one of the admins on here with > 1000 nodes. I don't think it would even be possible to manage that many.
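The reconciliation the original poster describes doing by hand (run the RSD sensor query, compare it against the current Trusted Networks exceptions) can at least be scripted. The following is an added example, not McAfee's code and not an ePO API; it assumes the sensor query was exported as CSV with "System Name" and "IP Address" columns and that the current Trusted Networks entries were copied out one per line, and it reports range entries separately because the thread notes that ranges do not suppress the port-scan signature.

```python
"""Reconcile an RSD sensor query export against the HIPS Trusted Networks list."""
import csv
import io
import ipaddress

# Constructed sample export of the RSD sensor query (column names are an assumption).
SENSOR_CSV = """System Name,IP Address
rsd-sensor-01,10.10.1.25
rsd-sensor-02,10.10.2.40
rsd-sensor-03,10.10.3.17
"""

# Constructed snapshot of the Trusted Networks entries as currently configured.
TRUSTED_NOW = ["10.10.1.25", "10.10.2.12", "10.10.3.0/24", "10.10.9.99"]


def parse_sensor_ips(csv_text):
    """Return {hostname: ip} from the query export, skipping malformed rows."""
    sensors = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = ipaddress.ip_address(row["IP Address"].strip())
        except (KeyError, ValueError):
            continue  # blank or unparsable address (e.g. sensor currently offline)
        sensors[row["System Name"]] = str(ip)
    return sensors


def reconcile(sensor_ips, trusted_entries):
    """Compute the changes needed so Trusted Networks matches the live sensors.

    Range/CIDR entries are not treated as covering hosts, since per the thread they
    do not work for this signature; they are listed for review instead.
    Entries you trust for other reasons (e.g. a DHCP server) should be removed
    from trusted_entries before acting on the 'stale' list.
    """
    ranges = [e for e in trusted_entries if "/" in e or "-" in e]
    hosts = set(trusted_entries) - set(ranges)
    wanted = set(sensor_ips.values())
    return {
        "add": sorted(wanted - hosts),        # sensors with a new DHCP lease
        "stale": sorted(hosts - wanted),      # old leases / reimaged sensors
        "ranges_to_review": ranges,           # entries that will not suppress the signature
    }


if __name__ == "__main__":
    print(reconcile(parse_sensor_ips(SENSOR_CSV), TRUSTED_NOW))
```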
I just ran into this issue and had to turn off 'Device details detections' totally. That stopped all the detections by HIPS of the RSD agent trying to fingerprint the OS. I still detect Rogue systems...just not fingerprinting which was just a best guess anyway (seems like the same methods used in NMAP).
Sadly McAfee didn't think to share with HIPS via ePO what systems in a subnet are RSD agents and not blindly react to RSD actions as threats.
You can add an RSD sensor to your DHCP server and then add the DHCP Server to your 'trusted network'. Depending on your environment you will have to identify the impacts of the RSD agent reaching out from one Server to all your distributed nodes, i.e. WAN traffic etc. This will also not be as effective as a sensor per subnet listening to local traffic for Rogue Systems because some activity might be filtered out at the various network switches etc.
I have over 400 subnets spread across a large geographic area (thousands of km apart). I wanted a primary and backup RSD agent per subnet and adding 800+ systems to the 'trusted network' was not feasible. Since I am also using workstations as my sensors there was the issue of disappearing RSD agent systems (turned off, reimaged etc).
If you have Agent Handlers behind a firewall RSD won't work on those systems. The RSD sensors still try to connect to the ePO DB and the ePO Server directly and don't even try the Agent Handler. This is confirmed in ePO 4.5 all patch levels I have tried.