15 Replies. Latest reply: Jan 21, 2010 4:07 AM by ghislaine.balifi

    Issue with Rogue System Detection Sensor which scan some critical port of our servers

      Hello,

      We installed Rogue System Detection on our ePO 4.0 server with one sensor in our network. We noticed that the sensor scanned some ports (8000, 8001) which are used for specific services on our Unix servers. The consequence was that during this scan we were getting errors on these services.

      We cannot easily put all our Unix servers in the exception list of Rogue System Detection, since we do not reserve a specific range of IP addresses for our Unix servers. All our servers (Unix or Windows) can have any IP address in our network range.

      Is this behaviour of the Rogue System sensor (scanning all ports) normal? Can we restrict the ports scanned by the sensor?

      Do you know how exactly the sensor works regarding network connections to systems? I mean, which ports on the systems does the sensor contact to scan them?

      Which services does the sensor use to get information from systems?

      Any help or suggestion will be good for me.

      Thanks

      Ghislaine

        • 1. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers

          ghislaine.balifi

           

          My suggestion would be to locate the RSD sensor policies in the ePO dashboard and change the settings for Detect system OS details. This feature does the OS fingerprinting, which can cause problems on some machines and print servers.

          In the dashboard go to the Systems icon at the top. Next, in the horizontal menu bar, choose Policy Catalog. Now use the drop-down menu to select the Rogue System Detection policy. You can edit the default unless you have already created a custom one. Click on Edit. Now choose the fourth tab over, labelled Detection. On this screen look for Device details detection: uncheck Scan detected system for OS details.

          The OS fingerprinting option scans all the ports in hopes of determining the operating system. This is normal behavior if this feature is enabled. In answer to your question about what ports are scanned, here is a list.

          Host discovery, UDP ports:
          53 67 69 123 137 161 500 1434

          Host discovery, TCP ports:
          21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000

          Service discovery, UDP ports:
          53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981

          Service discovery, TCP ports:
          7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 49152-49157

          I hope this helps.

          William
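As an added example (not McAfee's code and not from anyone in this thread), the Python below expands the port lists William posted and reports which of your own service ports the OS-details scan will touch, so you can judge in advance whether a server's services (such as the 8000/8001 ones in the original question) will be probed; the constant and function names are mine.

```python
import re
from typing import Dict, List, Set

# Port lists exactly as posted above for the "Detect system OS details" scan.
# The key names are my own labels, not McAfee terminology.
RSD_OS_DETAIL_PORTS: Dict[str, str] = {
    "host discovery/UDP": "53 67 69 123 137 161 500 1434",
    "host discovery/TCP": "21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000",
    "service discovery/UDP": "53 68-69 123 135 137-138 161 260 445 500 514 520 1434 "
                             "1645-1646 1812-1813 2049 31337 43981",
    "service discovery/TCP": "7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 "
                             "150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 "
                             "1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 "
                             "1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 "
                             "3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 "
                             "6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 "
                             "20034 30821 32768-32790 49152-49157",
}


def expand_ports(spec: str) -> Set[int]:
    """Expand the 'a b-c d' notation used in the posted lists into a set of port numbers."""
    ports: Set[int] = set()
    for token in spec.split():
        m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", token)
        if not m:
            raise ValueError(f"unrecognised port token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"port range out of order or out of bounds: {token!r}")
        ports.update(range(lo, hi + 1))
    return ports


def phases_probing(service_ports, proto: str) -> Dict[int, List[str]]:
    """Map each of our service ports to the scan phases that will touch it.

    proto is 'TCP' or 'UDP'; an empty list means the sensor leaves that port alone.
    """
    phases = {name: expand_ports(spec) for name, spec in RSD_OS_DETAIL_PORTS.items()
              if name.endswith("/" + proto)}
    return {p: [name for name, scanned in phases.items() if p in scanned]
            for p in service_ports}


if __name__ == "__main__":
    # The ports from the original question, plus one neighbour that is not in any list.
    for port, hit in phases_probing([8000, 8001, 8002], "TCP").items():
        print(port, "probed by " + ", ".join(hit) if hit else "not probed")
```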

          • 2. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers

            Thanks William for your suggestion. I will test it and will let you know.

            Just to confirm something: the list of ports scanned that you gave me below is for when the option "Detect system OS details" is checked. Is that right?

            Regards

            Ghislaine

            • 3. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers
              jstanley

              That is correct: the ports listed are the ports the RSD sensor scans when "Detect system OS details" is selected. This is essentially doing an OS fingerprint, whereby it determines the OS based on the response it gets from those ports. You cannot disable any of the ports because doing so would make the fingerprint invalid, so it's all or nothing.

              In ePO 4.0, if this causes a problem, your only real solution is to either disable the aforementioned option or set the RSD sensor to ignore whatever subnet the problematic servers reside on.

              In ePO 4.5 you can specify a list of MAC addresses on the Menu | Configuration | Server Settings | RSD Sensor page that the RSD sensor should never scan.

              Message was edited by: Jeremy Stanley on 1/8/10 6:13:57 PM CST
              • 4. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers

                Hello William, Jeremy,

                To test your suggestion, I need to install an RSD sensor on my computer, for example; but when I tried to deploy RSD sensor 4.5 from my ePO 4.5 server, I got an error about the SNOWCAP_2000 installation on my computer. I have McAfee Agent version 4.0.0.1421 installed on my computer.

                Can I install RSD sensor 4.5 with my McAfee Agent 4.0.0.1421? If it is not possible, how can I install the RSD sensor manually on my computer (Windows XP SP2) to do the test?

                Thanks for your help

                • 5. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers
                  jstanley

                  The RSD 4.5 sensor is compatible with MA 4.0.0.1421; however, I would recommend upgrading to MA 4.0.0.1494 at a minimum (that's MA 4.0 Patch 3).

                  You can manually install the sensor by grabbing a copy of the sensor install package from your ePO master repository. By default that is here:

                  <ePO install directory>\DB\Software\Current\SNOWCAP_2000\Install\0409\

                  Copy the entire 0409 folder to the client and you should be able to install the sensor by launching setup.exe.

                  You may want to review the sensor install log. It's called RSDSEN450-Install-MSI.log and by default it should be located in %windir%\temp\McAfeeLogs.

                  • 6. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers

                    Hello,

                    I have installed RSD sensor 4.5 manually on my computer as indicated by Jeremy (thanks).

                    You can find attached the configuration of my RSD sensor on my ePO server.

                    I don't understand why my RSD sensor does not communicate with my ePO server on port 8444. Could you help me?

                    Regards

                    Ghislaine

                    • 7. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers
                      JoeBidgood

                      Check the RSSensor_out.log on the sensor machine - there should be more information there.

                      HTH -

                      Joe

                      • 8. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers

                        The last information in my RSDSensor_out.log file was from 12/01/2010, when I tried to install the RSD sensor from the ePO server. It failed and I installed the RSD sensor manually on my computer.

                        I have no information about what my sensor is doing now and why it does not connect to my ePO server. I have a process called RSSensor.exe.

                        Is my configuration (sent in my last message) correct?

                        Regards

                        Ghislaine

                        • 9. Re: Issue with Rogue System Detection Sensor which scan some critical port of our servers
                          jstanley

                          If you have an RSensor.exe process running then you should have an RSDSensor_out.log. Without this log we have no way of knowing why the sensor is not communicating. If using ePO 4.5 with RSD 4.5, this log should be located here by default:

                          C:\Program Files\McAfee\RSD Sensor\RSDSensor_out.log

                          I can give you some generic suggestions:

                          • Make sure tomcat5.exe is listening on port 8444 on your ePO server
                          • Make sure you can telnet into port 8444 from the client: telnet <IP address of ePO server> 8444

                          Message was edited by: Jeremy Stanley on 1/18/10 9:17:28 AM CST

                          Message was edited by: Jeremy Stanley on 1/18/10 9:18:03 AM CST