We installed Rogue System Detection on our ePO 4.0 server with one sensor in our network. We noticed that the sensor scanned some ports (8000, 8001) which are used for specific services on our Unix servers. The consequence was that during this scan we were getting errors on these services.
We cannot easily put all our Unix servers in the exception list of Rogue System Detection since we do not reserve a specific range of IP addresses for our Unix servers. All our servers (Unix or Windows) can have any IP address in our network range.
Is this behaviour of the Rogue System sensor (scanning all ports) normal? Can we restrict the ports scanned by the sensor?
Do you know how exactly the sensor works regarding network connections to systems? I mean, which ports on systems does the sensor contact to scan them?
Which services does the sensor use to get information from systems?
Any help or suggestion will be good for me.
My suggestion would be to locate the RSD sensor policies in the ePO dashboard and change the settings for Detect system OS details. This feature does the OS fingerprinting, which can cause problems on some machines and print servers.
In the dashboard go to the Systems icon at the top. Next, in the horizontal menu bar choose Policy Catalog, then use the drop-down menu to select the Rogue System Detection policy. You can edit the default unless you have already created a custom one. Click on Edit. Now choose the fourth tab over, labeled Detection. On this screen, look for Device details detection: uncheck "Scan detected system for OS details".
The OS fingerprinting option scans all the ports in hopes of determining the operating system. This is normal behavior if this feature is enabled. In answer to your question about what ports are scanned, here is the list:
53 67 69 123 137 161 500 1434
21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000
53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981
7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 49152-49157
I hope this helps.
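To work out in advance which of your own service ports the OS-fingerprint pass will touch, the range notation in the lists above ("21-23", "8000-8001") has to be expanded first. The following is an added example, not McAfee code or anything from the thread; it embeds the four port lists quoted in the answer above and checks them against the service ports the original poster mentioned (8000, 8001), plus a constructed port that is not in the lists.

```python
# Added example: expand the RSD OS-fingerprint port lists quoted above and
# report which local service ports they overlap. Not part of the product.
from typing import Iterable, Set

# The four space-separated lists from the answer above, ranges written "a-b".
RSD_OS_FINGERPRINT_PORT_LISTS = [
    "53 67 69 123 137 161 500 1434",
    "21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000",
    "53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 "
    "1812-1813 2049 31337 43981",
    "7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 "
    "118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 "
    "524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 "
    "1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 "
    "2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 "
    "4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 "
    "6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 "
    "10000 12345 20034 30821 32768-32790 49152-49157",
]


def parse_port_spec(spec: str) -> Set[int]:
    """Expand a space-separated port spec such as "21-23 25" into a set."""
    ports: Set[int] = set()
    for token in spec.split():
        lo, sep, hi = token.partition("-")
        start = int(lo)
        end = int(hi) if sep else start
        if not 0 < start <= end <= 65535:
            raise ValueError(f"bad port token: {token!r}")
        ports.update(range(start, end + 1))
    return ports


def probed_ports(specs: Iterable[str] = RSD_OS_FINGERPRINT_PORT_LISTS) -> Set[int]:
    """Union of every port the fingerprint pass would contact."""
    result: Set[int] = set()
    for spec in specs:
        result |= parse_port_spec(spec)
    return result


def affected_services(service_ports: Iterable[int]) -> Set[int]:
    """Subset of service_ports that the sensor's OS scan will hit."""
    return set(service_ports) & probed_ports()


if __name__ == "__main__":
    # Constructed input: the poster's two ports plus 8443, which is not listed.
    print(sorted(affected_services([8000, 8001, 8443])))
```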
Thanks, William, for your suggestion. I will test it and will let you know.
Just to confirm something: the list of ports scanned that you gave me below is for when the option "Detect system OS details" is checked. Is that right?
That is correct: the ports listed are the ports the RSD sensor scans when "Detect system OS details" is selected. This is essentially doing an OS fingerprint, whereby it determines the OS based on the response it gets from those ports. You cannot disable any of the ports because doing so would make the fingerprint invalid, so it's all or nothing.
In ePO 4.0 if this causes a problem your only real solution is to either disable the aforementioned option or set the RSD sensor to ignore whatever subnet the problematic servers reside on.
In ePO 4.5 you can specify a list of MAC addresses on the Menu | Configuration | Server Settings | RSD Sensor page that the RSD sensor should never scan.
Message was edited by: Jeremy Stanley on 1/8/10 6:13:57 PM CST
Hello William, Jeremy,
To test your suggestion, I need to install an RSD sensor on my computer, for example; but when I tried to deploy RSD sensor 4.5 from my ePO 4.5 server, I got an error about the SNOWCAP_2000 installation on my computer. I have McAfee Agent version 184.108.40.2061 installed on my computer.
Can I install RSD sensor 4.5 with my McAfee Agent 220.127.116.111? If it is not possible, how can I install the RSD sensor manually on my computer (Windows XP SP2) to do the test?
Thanks for your help.
The RSD 4.5 sensor is compatible with MA 18.104.22.1681; however, I would recommend upgrading to MA 22.214.171.1244 at a minimum (that's MA 4.0 patch 3).
You can manually install the sensor by grabbing a copy of the sensor install package from your ePO master repository. By default that is here:
<ePO install directory>\DB\Software\Current\SNOWCAP_2000\Install\0409\
Copy the entire 0409 folder to the client and you should be able to install the sensor by launching setup.exe.
You may want to review the sensor install log. It's called RSDSEN450-Install-MSI.log and by default it should be located in %windir%\temp\McAfeeLogs.
I have installed RSD sensor 4.5 manually on my computer as indicated by Jeremy (thanks).
You can find attached the configuration of my RSD sensor on my ePO server.
I don't understand why my RSD sensor does not communicate with my ePO server on port 8444. Could you help me?
Check the RSSensor_out.log on the sensor machine - there should be more information there.
The last information in my RSDSensor_out.log file was from 12/01/2010, when I tried to install the RSD sensor from the ePO server. It failed and I installed the RSD sensor manually on my computer.
I don't have any information about what my sensor is doing now and why it does not connect to my ePO server. I have a process called RSSensor.exe.
Is my configuration (sent in my last message) correct ?
If you have an RSensor.exe process running then you should have an RSDSensor_out.log. Without this log we have no way of knowing why the sensor is not communicating. If using ePO 4.5 with RSD 4.5, this log should be located here by default:
C:\Program Files\McAfee\RSD Sensor\RSDSensor_out.log
I can give you some generic suggestions:
Message was edited by: Jeremy Stanley on 1/18/10 9:17:28 AM CST
Message was edited by: Jeremy Stanley on 1/18/10 9:18:03 AM CST