3 Replies Latest reply on Jun 23, 2017 5:17 AM by boschind

    ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored

    boschind

      hello , i'm trying to instruct RSD sensors to not probe a list of OUIs

       

      00000C,000048,00005E,000074,000085,000145,00016C,000187,0001E6,0001F0,000345,000 349,00034A,000364,000400,00051E,000533,00074D,000830,000896,

      00089B,0008A2,0008E3,0008EF,00090F,000A83,000A8A,000AB0,000AB8,000AF6,000BAB,000 BBE,000C85,000D29,000D5A,000DBC,000DED,000E4B,000E7F,000F24,

      000F90,000FB6,001018,001023,0010BE,0010F3,00113B,00115C,00115F,001185,001193,001 27F,001280,0012AA,0012D9,0012DA,001319,001321,001348,00137F,0013C3,00

      13FA,00146A,001570,001599,001708,001723,001759,00175A,001794,001795,001818,00187 3,001885,0018AE,0018B9,0018BA,0018FE,001906,00192F,001955,001956,

      001970,0019AA,001A2F,001AD4,001B2A,001B82,001C0E,001C57,001C58,001DA2,001E13,001 E37,001EBE,001EC0,001ECC,001F9E,00204A,00206B,0020BE,0020C2,

      002156,00215A,0021A0,0021A1,0021D8,00220D,0022F3,002324,002333,002368,002413,002 414,002477,002498,0024C4,002536,002546,0025B3,00260B,002652,

      002655,002673,002698,002699,0026CA,0026CB,0027F8,00351A,00402C,00409D,0040AF,004 0C1,0041D2,004268,005017,005027,005060,0050B6,0050C2,00562B,

      0057D2,005F86,006003,006016,0060E9,0060EF,0062EC,006CBC,007686,008067,008087,008 091,00809F,0080E5,008731,008CFA,008E73,00901E,0090C2,0090E8,

      00A034,00A058,00A0B8,00A0F8,00A2EE,00AF1F,00C0EE,00CDFE,00D02D,00D089,00D0D9,00E 04B,00E08A,00E0D8,00E16D,00EBD5,00FEC8,042AE2,044BED,

      046C9D,04FE7F,08000E,0821EF,085B0E,0894EF,08D09F,08ECA9,08EE8B,08FD0E,0C5101,0CD 746,1005CA,149A10,14B484,182666,18A6F7,18E3BC,18E728,18EF63,

      1C1AC0,1C6A7A,1CE85D,204C9E,206274,242642,24B657,24DBED,285261,286336,288023,28A 02B,2C3033,2C3F38,2C86D2,2CAE2B,300ED5,30E171,30F70D,34145F,

      381C1A,382056,38256B,38CADA,38F23E,3CCE73,406C8F,4083DE,408805,40B395,442A60,44D 3CA,481214,48137E,483C0C,484BAA,485073,48D705,4C11BF,4C4E35,

      4C6641,50C8E5,549F13,54A274,5835D9,586D8F,587F57,5897BD,58F39C,5C0E8B,5CA86A,5CB 901,60735C,649EF3,64A0E7,64BC0C,64E950,680571,684898,68B599,

      68BC0C,6C9CED,6CFA89,705A0F,70700D,708105,70CA9B,741BB2,7467F7,74A2E6,784F43,78A CC0,78D75F,78DA6E,78F882,7C1EB3,804E81,80717A,80EA96,80EE73,

      84248D,84B153,84B261,888322,88908D,88ADD2,88F031,8C1ABF,8C8EF2,901B0E,90A2DA,94E 96A,98DED0,98E7F4,9C4E20,9CAFCA,9CE6E7,A08CFD,A0D795,A408EA,

      A4BA76,A89FBA,A8B1D4,A8C83A,ACA016,B0C559,B0E892,B47443,B499BA,B4C799,B4E1C4,B85 7D8,B8621F,B8BEBF,BC5436,BC671C,BCC493,BCD1D3,BCF1F2,C01173,

      C0626B,C067AF,C4143C,C4B301,C80084,C8D3FF,CC167E,CC46D6,CCC3EA,CCD8C1,D0A637,D0C 282,D0D0FD,D40B1A,D81D72,D85B2A,D8CB8A,DC4A3E,DCD916,

      E0F847,E4C722,EC107B,EC1F72,EC8EB5,EC9BF3,ECB1D7,ECE1A9,F025B7,F05B7B,F40F1B,F41 FC2,F431C3,F84ABF,F84F57,FC0A81,FC15B4,FC3FDB,FCE998,

      FCF528

       

      in fact the sensors seems to ignore the list and still probe devices on subnets belonging to those OUIs

      any suggestion ?

      thanks

      regards

        • 1. Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored
          boschind

          hello is anyone successfully implementing RSD ?

          we have epo 5.3.2 agents 5.0.5 and rsd sensors 5.0.5 - but as outlined above we are in trouble in excluding a long list of OUIs that we identified as non-PC devices (printers , routers , bar code readers and other IoT devices)

           

          thanks in advance for cooperation

          • 2. Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored
            boschind

            hello - i opened a case to mcafee support on 16 jun.

            they requested as usual the MER reports from one system that is acting as RSD sensor - but unfortunately they say they are not able to understand where is the problem and are requesting more....

             

            "I checked the MER and I can only see one single line in balash.log (that's the RSD log):

            18-Jun-17 04:13:42.180 (2608 : 3 : Pcap Subsystem[#1]) Sniffer.Sink.PacketSink: [Error] No thread available

            Not enough information to continue troubleshooting i'm afraid..

            Can you please do the following to collect more information:

            1. Enable Log Level 8 on the ePO server:

            McAfee Corporate KB - How to enable Log Level 8 for ePolicy ...
            https://kc.mcafee.com/corporate/index?page=content&id=KB56207

            2. For RSD, enable Log All messages in the policy:
            Log File Settings policy configuration under the General tab > select Log all messages

            3. Remove from system tree the devices that should not have been detected (any of the excluded) and wait until the issue reproduces

            4. Collect MER from ePO and MER from the RSD sensor system.

            5. Send us a few example names of devices that were wrongly added

            We will continue the investigation once we have the complete data and get back to you with an update.
            "

             

            has anyone else in the community has this RSD setting working as designed ?

            thanks in advance for cooperation

            • 3. Re: ePO 5.3.2 - RSD 5.x - oui sensor scanning list ignored
              boschind

              hello

              by chance i think i fixed the problem by myself.

              i was reviewing RSD policy again, and checking the prod guide.


              as shown below , in the communication tab i changed from 5 to 10min the fist two fileds

              then i selected "use local sensor election" and "All sensor active" as somehow suggested in the guide.

              even if these changes seems not having anything in relation with the OUIs exclusion, the fact is that now the exclusion is working....

              not sure if you have an explanation for this, but anyway...


               

              thanks

              regards