18129 Views 15 Replies Latest reply: Jan 21, 2010 4:07 AM by ghislaine.balifi
ghislaine.balifi Newcomer 33 posts since
Jan 7, 2010

Jan 8, 2010 10:57 AM

Issue with Rogue System Detection Sensor which scan some critical port of our servers

Hello,

 

We installed Rogue System Detection on our ePO 4.0 server with one sensor in our network. We noticed that the sensor scanned some ports (8000, 8001) which are used for specific services on our Unix servers. The consequence was that during this scan we were getting errors on these services.

 

We cannot easily put all our Unix servers in the exception list of Rogue System Detection, since we do not reserve a specific range of IP addresses for our Unix servers. All our servers (Unix or Windows) can have any IP address in our network range.

 

Is this behaviour of the Rogue System sensor (scanning all ports) normal? Can we restrict the ports scanned by the sensor?

Do you know exactly how the sensor works regarding network connections to systems? I mean, which ports on the systems does the sensor contact to scan them?

Which services does the sensor use to get information from systems?

 

Any help or suggestions would be welcome.

 

Thanks

Ghislaine

  • McAfee SME 38 posts since
    Nov 3, 2009

    ghislaine.balifi

     

    My suggestion would be to locate the RSD sensor policies in the ePO dashboard and change the settings for  Detect system OS details. This feature does the OS fingerprinting which can cause problems on some machines and print servers.

     

    In the dashboard go to the Systems icon at the top. Next, in the horizontal menu bar choose Policy Catalog, then use the drop-down menu to select the Rogue System Detection policy. You can edit the default unless you have already created a custom one. Click on Edit. Now choose the fourth tab, labelled Detection. On this screen, look for Device details detection: uncheck Scan detected system for OS details.

     

    The OS fingerprinting option scans all the ports in hopes of determining the operating system. This is normal behavior if this feature is enabled. In answer to your question about what ports are scanned, here is a list.

     

    Host discovery - UDP ports: 53 67 69 123 137 161 500 1434

    Host discovery - TCP ports: 21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000

    Service discovery - UDP ports: 53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 1812-1813 2049 31337 43981

    Service discovery - TCP ports: 7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 49152-49157

     

    I hope this helps.

    William


    "If everyone is thinking alike, someone isn't thinking."   George Patton
  • jstanley McAfee SME 366 posts since
    Nov 6, 2009

    That is correct: the ports listed are the ports the RSD sensor scans when "Detect system OS details" is selected. This is essentially doing an OS fingerprint, whereby it determines the OS based on the response it gets from those ports. You cannot disable any of the ports, because doing so would make the fingerprint invalid, so it's all or nothing.

     

    In ePO 4.0 if this causes a problem your only real solution is to either disable the aforementioned option or set the RSD sensor to ignore whatever subnet the problematic servers reside on.

     

    In ePO 4.5 you can specify a list of MAC addresses on the Menu | Configuration | Server Settings | RSD Sensor page that the RSD sensor should never scan.

     

     

    Message was edited by: Jeremy Stanley on 1/8/10 6:13:57 PM CST
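The two replies above give the sensor's port lists and explain that the fingerprint is all or nothing. The following is an added example, not code from the thread or from McAfee: it expands those port lists (copied verbatim from William's post, ranges included), reports which of a server's listening ports the fingerprint scan would touch, and flags the scan's signature (one source hitting many service-discovery ports on one host) in flow records. The ss(8) output, the IP addresses and the flow records are constructed sample input, and the 20-port threshold is an assumption to tune per site.

```python
"""Added example (not from the thread or McAfee): expand the RSD sensor port
lists quoted in the thread, check which listening ports the OS-fingerprint
scan would touch, and flag the scan's signature in flow records."""
import re
from collections import defaultdict

# Port lists exactly as posted in the thread (host discovery, then service discovery).
RSD_PORT_SPECS = {
    "host-discovery/udp": "53 67 69 123 137 161 500 1434",
    "host-discovery/tcp": "21 22 23 25 79 80 110 113 139 264 265 443 1025 1433 1723 5000",
    "service-discovery/udp": (
        "53 68-69 123 135 137-138 161 260 445 500 514 520 1434 1645-1646 "
        "1812-1813 2049 31337 43981"),
    "service-discovery/tcp": (
        "7 9 11 13 15 19 21-23 25 43 49 53 66-68 79-81 88-89 98 109-111 113 118-119 "
        "135 139 143 150 156 256-259 264 389 396 427 443 445 465 512-515 524 563 593 "
        "636 799 900-901 1024-1040 1080 1214 1243 1313 1352 1433 1494 1498 1521 "
        "1524-1525 1541-1542 1720 1723 1745 1755 1813 2000-2001 2003 2049 2080 2140 "
        "2301 2447 2766 2998 3128 3268 3300 3306 3372 3389 4045 4321 4665 4899 5222 "
        "5556 5631-5632 5800-5802 5900 6000 6112 6346 6666-6667 7000-7001 7070 7777 "
        "7947 8000-8001 8010 8080-8081 8100 8888 10000 12345 20034 30821 32768-32790 "
        "49152-49157"),
}


def parse_ports(spec):
    """Expand a whitespace-separated list of ports and a-b ranges into a set of ints."""
    ports = set()
    for token in spec.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError("bad port token: %r" % token)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 < lo <= hi <= 65535):
            raise ValueError("port range out of bounds: %r" % token)
        ports.update(range(lo, hi + 1))
    return ports


RSD_PORTS = {name: parse_ports(spec) for name, spec in RSD_PORT_SPECS.items()}


def ports_hit(listening):
    """Map each (proto, port) a server listens on to the RSD phases that probe it."""
    hits = {}
    for proto, port in listening:
        phases = [name for name, ports in RSD_PORTS.items()
                  if name.endswith("/" + proto) and port in ports]
        if phases:
            hits[(proto, port)] = phases
    return hits


def parse_ss(output, proto):
    """Extract listening ports from `ss -ltn` (proto="tcp") or `ss -lun` (proto="udp")."""
    state = "LISTEN" if proto == "tcp" else "UNCONN"
    # Local address may be IPv4, "*" or a bracketed IPv6 address; the port follows the last colon.
    pat = re.compile(r"^%s\s+\d+\s+\d+\s+\S+:(\d+)(?:\s|$)" % state, re.M)
    return sorted({(proto, int(p)) for p in pat.findall(output)})


# Constructed sample of `ss -ltn` output for a Unix server running the two services from the question.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:8000               *:*
LISTEN  0       128     [::]:8001            [::]:*
"""


def flag_fingerprint_scans(flows, min_ports=20):
    """Count distinct service-discovery ports each (src, dst) pair touched and return
    the pairs at or above min_ports: one sensor fingerprinting one host. The
    threshold is an assumption; tune it per site."""
    seen = defaultdict(set)
    for src, dst, proto, port in flows:
        if port in RSD_PORTS["service-discovery/" + proto]:
            seen[(src, dst)].add((proto, port))
    return {pair: len(p) for pair, p in seen.items() if len(p) >= min_ports}


# Constructed flow records (src, dst, proto, dst_port): a sensor probing one server, plus a normal client.
SENSOR, SERVER, CLIENT = "10.0.0.5", "10.0.1.20", "10.0.2.7"
SAMPLE_FLOWS = (
    [(SENSOR, SERVER, "tcp", p) for p in sorted(RSD_PORTS["service-discovery/tcp"])[:25]]
    + [(SENSOR, SERVER, "udp", 53)]
    + [(CLIENT, SERVER, "tcp", 8000), (CLIENT, SERVER, "tcp", 8000)]
)

if __name__ == "__main__":
    for (proto, port), phases in sorted(ports_hit(parse_ss(SAMPLE_SS, "tcp")).items()):
        print("%s/%d probed by: %s" % (proto, port, ", ".join(phases)))
    print("fingerprint scans:", flag_fingerprint_scans(SAMPLE_FLOWS))
```

Run against real `ss -ltn` output to get the collision list for a given server; ports 8000 and 8001 show up under service discovery only, which is why disabling "Detect system OS details" (or excluding the hosts) is the fix rather than trimming the list.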
  • jstanley McAfee SME 366 posts since
    Nov 6, 2009

    The RSD 4.5 sensor is compatible with MA 4.0.0.1421; however, I would recommend upgrading to MA 4.0.0.1494 at a minimum (that's MA 4.0 patch 3).

     

    You can manually install the sensor by grabbing a copy of the sensor install package from your ePO master repository. By default that is here:

    <ePO install directory>\DB\Software\Current\SNOWCAP_2000\Install\0409\

     

    Copy the entire 0409 folder to the client and you should be able to install the sensor by launching setup.exe.

     

    You may want to review the sensor install log. It's called RSDSEN450-Install-MSI.log and by default it should be located in %windir%\temp\McAfeeLogs.

  • JoeBidgood McAfee SME 2,868 posts since
    Sep 11, 2009

    Check the RSSensor_out.log on the sensor machine - there should be more information there.

     

    HTH -

     

    Joe




    (Please post questions to the forum, as I am unable to respond to private messages. Thanks!)



  • jstanley McAfee SME 366 posts since
    Nov 6, 2009

    If you have an RSensor.exe process running then you should have an RSDSensor_out.log. Without this log we have no way of knowing why the sensor is not communicating. If using ePO 4.5 with RSD 4.5, this log should be located here by default:

    C:\Program Files\McAfee\RSD Sensor\RSDSensor_out.log

     

    I can give you some generic suggestions:

    • Make sure tomcat5.exe is listening on port 8444 on your ePO server
    • Make sure you can telnet into port 8444 from the client: telnet <IP address of ePO server> 8444

     

     

    Message was edited by: Jeremy Stanley on 1/18/10 9:17:28 AM CST

     

     

    Message was edited by: Jeremy Stanley on 1/18/10 9:18:03 AM CST
