6 Replies Latest reply on Nov 18, 2009 8:00 AM by bjanjua

    Filtering Rogue Sensor Detections

      Hi Everybody,

       

So today I am trying to clean up the cluttered list of rogue machines on my EPO 4.0, and I was wondering:

       

1. Is it possible to detect only those machines which are workstations or servers, instead of detecting everything with a MAC address on the network, since it ends up reporting printers, routers, switches and some AIX machines which cannot have a McAfee agent on them?

2. Is there a way to have an automated task to push the agent to every rogue machine, i.e. if an admin can embed credentials in a task and have that task push the agent to all rogue machines, with an unsuccessful installation being reported as rogue?

3. If the first option is not possible, how can I filter these rogues on the basis of OS platform and then mark the rest of them as exceptions or delete them?

4. If I mark an IP address as an exception or delete it, and then the same IP gets assigned to a different machine, will this IP show up in the list of rogues again, especially if it's deleted?

5. I can't remember the last question; maybe the above four would do it!

       

      Cheers!

       

      BJ

        • 1. Re: Filtering Rogue Sensor Detections
          tonyb99

Yes, you can do those things, but first please advise what version of ePO you are using.

          • 2. Re: Filtering Rogue Sensor Detections

EPO 4.0 Patch 4 and Rogue Sensor 2.0 Patch 2

            • 3. Re: Filtering Rogue Sensor Detections
              tonyb99

OK, that's good...

               

1) Create a (basic) table query based on the Detected Systems data set and call it something like "Mark Exceptions".

In the filtering choose rogue = true, then add in all the non-Windows OS platforms as additional filters (with "or", not "and"),

e.g. where rogue is true and OS platform is router/printer/Mac etc.; they are all there in the drop-down box.

Once you have the report, make it public and then create a server task which runs the query as an action.

Now choose the Detected System action "Mark as Exception".

Now schedule this to run every hour.

               

2) Create automated responses in the Automation section where, if a rogue is detected and it's Windows and of a certain domain, then push the agent with specified credentials.

I have one for each domain covered.

               

3) The default rogue dashboard already references the default RSD OS queries; look at these.

               

4) In Server Settings, Rogue System Matching, I use MAC and name, and I also have NetBIOS calls for more info enabled. I don't have this issue as it's matching on MAC.

              • 4. Re: Filtering Rogue Sensor Detections

That's awesome, filtering non-Windows machines works like a charm. Thanks a lot!

                 

Now I am wondering, if a printer is removed from a subnet and its IP address gets assigned to a workstation, will that workstation also show up as a rogue?

                 

Secondly, when I try to run a query to differentiate Windows Server machines from workstations, it returns nothing.

                 

                BJ

                • 5. Re: Filtering Rogue Sensor Detections
                  tonyb99

1) They would have different MAC addresses, so it should be OK.

2) You can add the OS version field from the Detected Systems data source to your query and filter on this.
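As an added illustration (not from the thread, and not McAfee's own code), here is a small Python model of the clean-up described in replies 3 and 5: the "Mark Exceptions" filter (rogue is true and OS platform is non-Windows), and why keying exceptions on MAC rather than IP means a reused IP address does not hide a new unmanaged workstation. All MACs, addresses and host names below are constructed.

```python
"""Model of the rogue-detection clean-up discussed in the thread (illustrative only)."""
from dataclasses import dataclass

# Platforms the thread treats as "cannot carry an agent" and therefore excepted.
NON_WINDOWS_PLATFORMS = {"Router", "Printer", "Switch", "Mac", "AIX"}


@dataclass(frozen=True)
class Detection:
    mac: str
    ip: str
    name: str
    os_platform: str
    rogue: bool  # True = sensor found no managed agent on the host


# Constructed sample detections; none of these values are real.
DETECTED_SYSTEMS = [
    Detection("00:11:22:33:44:01", "10.0.0.10", "hp-lj4250", "Printer", True),
    Detection("00:11:22:33:44:02", "10.0.0.1", "core-rtr", "Router", True),
    Detection("00:11:22:33:44:03", "10.0.0.50", "aix-db01", "AIX", True),
    Detection("00:11:22:33:44:04", "10.0.0.51", "ws-fin-07", "Windows", True),
    Detection("00:11:22:33:44:05", "10.0.0.52", "ws-fin-08", "Windows", False),
]


def mark_exceptions(systems, key):
    """Equivalent of the 'Mark Exceptions' query: rogue is true AND platform is non-Windows.
    'key' is the attribute the exception is matched on ("mac" as in the thread, or "ip")."""
    return {getattr(d, key) for d in systems
            if d.rogue and d.os_platform in NON_WINDOWS_PLATFORMS}


def open_rogues(systems, exceptions, key):
    """Rogues that still need an agent push: rogue, not excepted, and a Windows platform."""
    return sorted(d.name for d in systems
                  if d.rogue and getattr(d, key) not in exceptions
                  and d.os_platform == "Windows")


def ip_reuse_scenario(key):
    """The printer at 10.0.0.10 is retired and a new, unmanaged workstation receives its IP.
    Returns the open rogue list after that change under the chosen matching key."""
    exceptions = mark_exceptions(DETECTED_SYSTEMS, key)
    after = [d for d in DETECTED_SYSTEMS if d.name != "hp-lj4250"]
    after.append(Detection("00:11:22:33:44:06", "10.0.0.10", "ws-new-01", "Windows", True))
    return open_rogues(after, exceptions, key)
```

With MAC matching the new workstation is reported as rogue; with IP matching it would inherit the printer's exception and silently stay unmanaged.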

                  • 6. Re: Filtering Rogue Sensor Detections

                    Great...you are the guru!