McDuff
Level 10
Message 1 of 5

ePO 3.6.1 Rogue System Discovery Detecting Invalid Single IP Subnets

Our rogue system detection is detecting thousands of uncovered subnets, yet the majority of these subnets are not valid subnets - they are denoted as a single IP subnet, in the format 10.x.y.z /32, yet we have no subnets in the format of 10.x, 10.x.y, or 10.x.y.z.

Any ideas on why this is happening would be appreciated.
4 Replies
tonyb99
Level 13
Message 2 of 5

RE: ePO 3.6.1 Rogue System Discovery Detecting Invalid Single IP Subnets

We got this from dial-in users: every station that dialed in created its own subnet rule under RSS; we just had to delete the subnets again.
This could be something similar.
McDuff
Level 10
Message 3 of 5

RE: ePO 3.6.1 Rogue System Discovery Detecting Invalid Single IP Subnets



I think you're right - the workstations that are generating these messages appear to be the laptops. I notice there's a setting in the Rogue System Sensor configuration policy that says "Only listen on an adaptor if it is included on a network found during an installation" and we have that setting unchecked - perhaps this is what's causing this to happen?

I've been deleting the subnets, but what's bothersome is that you cannot delete multiple rogue subnets at a time. You have to do them one by one, which takes forever if you have thousands of subnets listed, as we do.

RE: ePO 3.6.1 Rogue System Discovery Detecting Invalid Single IP Subnets

Uncovered subnets are detected by the ePO server because an agent communicates with the server and reports its IP, so RSD policies won't affect this. The behaviour is by design, and it is one of the reasons why they decided to completely redesign the ePO RSD component for ePO 4.0.

RE: ePO 3.6.1 Rogue System Discovery Detecting Invalid Single IP Subnets



We have the same condition as a result of our remote access users. Personally, I couldn't be bothered to go in and delete the subnets anymore... they just get re-established so soon after that it's not worth the effort.