5 Replies Latest reply on Sep 9, 2009 5:42 AM by gerryrigney

    Rogue System Issue

      First, I am relatively new to administering EPO. Our environment has ~24,000 machines and we are running EPO agent 3.6.0 and VSE 8.5 and we utilize Rogue System Sensors. I did not configure the environment, so maybe there's a configuration issue somewhere that I don't know about. I appreciate any help or guidance you can give me.

      I have an apparent issue with the way Rogue Systems are detected or handled. I will try to make sense. :P

      We get a large number of rogue systems detected daily (300-500). The problem is twofold:

      1) The vast majority of these systems are not rogues. They have functioning agents on them. The agents communicate with the epo server and update their details without issue.

      2) These rogue systems are thrown into our Lost&Found/Rogue systems folder in the directory. My problem here is that a very large percentage of these rogue machines are reported simply as IP addresses. It is as if they're not being resolved in some way? But, not all machines are reported this way. REAL rogue systems without functioning agents are placed in this directory with a hostname as they should.

      At this point, it is an administrative nightmare to take care of this list. Where should I look to begin addressing this issue? I have attached a sample pic. This list accumulated over just a couple hours, and nearly all of these machines have valid agents and have valid entries in EPO when identified by its associated hostname.

      Thank you.

        • 1. RE: Rogue System Issue
          As I can see, you are using ePolicy Orchestrator 3.6.1... I advise you to upgrade to 4.0 or 4.5 because ePO 3.6.1 will be end of life on 31 December 2009...

          The Rogue System Detection is different in ePO 4.x, so you had better start with this version...
          • 2. RE: Rogue System Issue
            We are in process of making the upgrade to 4.0.

            Is this a known issue with 3.6 or was that just a generic "upgrade to the latest version and hope it goes away" response. :P

            edit: I didn't mean that to sound rude. Just looking for clarification.
            • 3. RE: Rogue System Issue
              The problem which you describe can have many reasons...

              Please check the following:
              - Is the DNS working properly (reverse dns lookup)?
              - Do these clients have more than one IP address assigned?

              My note was not just an "upgrade to latest version"...

              I have read that you are new to McAfee, and the Rogue System Detection in ePO 4.x has been redesigned... So it may be easier to learn...
              • 4. Could be cloned agents
                You could have a case of cloned agents. Check the machine GUID numbers and verify they are indeed unique.
                • 5. RE: Could be cloned agents
                  As previously mentioned, covered machines still show up as rogues if they have 2 IPs; a primary example would be a laptop that connected over wired and wireless. In my experience, though, they usually show up with the correct computer name.

                  Printers, routers and other network devices usually show up as IPs though, which might explain some of them?

                  EDIT: Sorry for dragging up an old post, thought it was this month not last month!
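
The checks suggested in replies 3 to 5 (reverse DNS, clients with more than one IP address, duplicate agent GUIDs) can be run over a rogue list in one pass. The sketch below is an added example, not code from the thread or from McAfee; the record layout, host names, GUIDs and addresses are constructed sample data and do not reflect an ePO export format.

```python
from collections import defaultdict

# Constructed sample data (assumed shapes, not an ePO export format).
MANAGED = [  # systems with a working agent: hostname, agent GUID, known IPs
    {"host": "LAPTOP-01", "guid": "guid-aaa", "ips": ["10.0.1.20", "10.0.9.20"]},
    {"host": "DESK-02", "guid": "guid-bbb", "ips": ["10.0.1.31"]},
    {"host": "DESK-03", "guid": "guid-bbb", "ips": ["10.0.1.32"]},  # cloned GUID
]
ROGUES = ["10.0.9.20", "10.0.1.31", "10.0.5.77", "10.0.7.10"]
# Constructed reverse-lookup table standing in for PTR queries.
PTR = {"10.0.1.31": "desk-02.corp.example", "10.0.7.10": "prn-4f.corp.example"}

def duplicate_guids(managed):
    """Return {guid: [hosts]} for GUIDs reported by more than one host."""
    hosts = defaultdict(list)
    for m in managed:
        hosts[m["guid"]].append(m["host"])
    return {g: h for g, h in hosts.items() if len(h) > 1}

def triage(rogues, managed, resolve):
    """Classify each rogue IP; resolve(ip) returns a PTR name or None."""
    by_ip = {ip: m for m in managed for ip in m["ips"]}
    by_name = {m["host"].lower(): m for m in managed}
    dupes = duplicate_guids(managed)
    out = {}
    for ip in rogues:
        name = resolve(ip)
        short = name.split(".")[0].lower() if name else None
        # Match on any known IP first (second NIC), then on the resolved name.
        m = by_ip.get(ip) or by_name.get(short)
        if m and m["guid"] in dupes:
            out[ip] = "managed, GUID shared with another host: " + m["host"]
        elif m and not name:
            out[ip] = "managed, no PTR record: " + m["host"]
        elif m:
            out[ip] = "managed: " + m["host"]
        elif name:
            out[ip] = "unmanaged, resolves to " + name
        else:
            out[ip] = "unmanaged, no PTR record"
    return out

if __name__ == "__main__":
    for ip, verdict in triage(ROGUES, MANAGED, PTR.get).items():
        print(ip, "->", verdict)
```

Against live DNS, `resolve` can be a small wrapper around `socket.gethostbyaddr` that returns `None` when the lookup raises `socket.herror`.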