cancel
Showing results for 
Search instead for 
Did you mean: 
Jpatje
Level 7
Report Inappropriate Content
Message 1 of 4

No action taken on Rogue Systems

We have ePO 4.0 with patch 5. Every day, we see rogue systems, and some of them have no agent installed on them.
However, we set an automatic response on rogue systems, to deploy an agent to that system. Only, no action is taken. The system remains unmanaged and without antivirus.

A manual deploy of the agent works fine. But why no action is taken, puzzles me.
In the filter part of the automatic response rule, I copied the IP range of the DHCP.
I checked that the 'problem system' falls within that range.

Can anyone help in solving this mystery? Many thanks.
3 Replies
Jpatje
Level 7
Report Inappropriate Content
Message 2 of 4

RE: No action taken on Rogue Systems

In the logging I see action IS taken... time to investigate why some systems remain agent-less...!
Jpatje
Level 7
Report Inappropriate Content
Message 3 of 4

RE: No action taken on Rogue Systems

This must be in (major) bug in EPO... when I look at the detected system details it shows:

Source: Rogue System Sensor (Broadcast)
Exception: No
Rogue Action: Agent Deployment in Progress
Rogue State: No Agent

When reading this, everything looks fine. But nothing happens on that system. No agent is deployed. I've looked through the EPO logs but couldn't find anything.
Also the event log on the system shows nothing.

When I manually deploy an agent, using the same credentials, it is almost immediately deployed.
Time for patch 6?
Jpatje
Level 7
Report Inappropriate Content
Message 4 of 4

Re: RE: No action taken on Rogue Systems

Trying to bump this post to the top of the list

We still have an issue with PC's that have been re-installed (using the same name).

EPO still sees there is an agent on the system, although the agent cannot be contacted. In fact, since the system was reinstalled there is no agent and no VSE present.

The system does come up as rogue, but no action is taken.

The detected system properties are as follows.

Rogue Action:
Rogue State:Inactive Agent
Last Agent Communication:12/9/09 4:26:01 PM
Agent Version:4.0.0.1494


Nothing seems to happen and the only thing I can do is push the agent manually (which works perfectly).

There must be a way to automate this... any ideas?