What is the version of the McAfee Agent that these clients run? Is it v4.x or earlier? Is it v4.5?
How many clients are there in ePO (estimate)? Several tens, hundreds or more?
What is the exact rogue state of these rogue clients? No Agent or Alien Agent? Which is more?
All are on 18.104.22.1684 - we're still busy testing MA4.5 so only have 10 machines or so on v4.5.
We have about 5000 clients in ePO.
It's weird - the machines are being detected as rogue but they are not appearing under Detected Systems as rogue.
I get an email from the system saying it's reported a rogue machine and it tries to deploy the agent. Apart from that I can't see anywhere where it says it's rogue.
If I look under Detected Systems/Managed the machine appears there.
Well, I suppose first you need to verify your RSD configuration, too, to exclude detections that are not managed systems (such as printers, and devices that generate network traffic).
Check all RSD detection responses and, apart from the primary action (like supposedly you are now trying to push MA to such a client), as a secondary action immediately delete the detected system from the Detected Systems table (there is an action like this), so it does not increase the statistics until next time. This could be a primary action for non-Windows detections.
A computer can be a rogue, furthermore, when the GUID of the MA on the client matches another managed node in the ePO. This could happen mostly due to using incorrectly prepared imaging on the clients. This is called the duplicate GUID issue.
With MA version 4.5, there is a functionality to regenerate this GUID when the ePO server instructs the agent. Earlier MA versions (like you have) do not have this functionality.
To check if there are really clients with duplicate GUIDs, look in the \Program Files\McAfee\ePolicy Orchestrator\DB\Logs\server.log on the ePO server and look for messages like this:
20100126104828 E #2812 EPOServer Rejecting agent due to an invalid or duplicate sequence number
20100126104828 E #2812 mod_epo Failed to process agent request
This will confirm the duplicate GUID issue.
Thanks - I think you're onto something there.
Just checked the server log and there are tons of entries for:
Rejecting agent due to an invalid or duplicate sequence number
I'll have a look into speeding up the rollout of MA4.5 to fix up the GUID problem.
Until then, here is a quick fix to the problem. You might want to include this in the login script of the domain for a short period, or convert into DOS script commands and deploy with SMS, etc for a single execution:
1. Stop McAfee Framework Service on the client
2. Delete the AgentGUID entry entirely under HKLM\Software\Network Associates\ePolicy Orchestrator\Agent
3. Start the McAfee Framework service on the client.
The AgentGUID entry reappears with a different value.
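The same three steps as a script for one-off deployment, added here as an example and not something from the original thread. It assumes the service name is McAfeeFramework (display name "McAfee Framework Service") and the registry path from the steps above, checking Wow6432Node as well for 32-bit agents on 64-bit Windows; it backs up the old value and confirms a different GUID actually appeared after the restart.

```powershell
# Added example (not from the thread). Assumptions: service name 'McAfeeFramework',
# key path as posted above (plus the Wow6432Node variant on 64-bit Windows).
$svc  = 'McAfeeFramework'
$keys = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent',
    'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
)
$key = $keys | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { Write-Error 'McAfee Agent registry key not found'; exit 1 }

# Keep the old value so the change can be audited and correlated with server.log later.
$old = (Get-ItemProperty -Path $key -Name AgentGUID -ErrorAction SilentlyContinue).AgentGUID
Add-Content -Path "$env:TEMP\agentguid-reset.log" -Value ("{0} {1} old={2}" -f (Get-Date -Format s), $env:COMPUTERNAME, $old)

# Step 1: stop the framework service and wait until it is really down.
Stop-Service -Name $svc -Force
(Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 2: remove the AgentGUID value entirely (not just blank it).
Remove-ItemProperty -Path $key -Name AgentGUID -ErrorAction SilentlyContinue

# Step 3: start the service again; the agent recreates the value on startup.
Start-Service -Name $svc
(Get-Service -Name $svc).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Poll for the regenerated value and verify it differs from the old one.
$new = $null
for ($i = 0; $i -lt 30 -and -not $new; $i++) {
    Start-Sleep -Seconds 2
    $new = (Get-ItemProperty -Path $key -Name AgentGUID -ErrorAction SilentlyContinue).AgentGUID
}
if ($new -and $new -ne $old) {
    Add-Content -Path "$env:TEMP\agentguid-reset.log" -Value ("{0} {1} new={2}" -f (Get-Date -Format s), $env:COMPUTERNAME, $new)
    Write-Host "AgentGUID regenerated: $old -> $new"
} else {
    Write-Warning 'AgentGUID was not regenerated; check the service state and the event log'
    exit 1
}
```

Run it once per client with administrative rights; the log file lets you confirm afterwards which machines changed GUID and when, which is useful when matching against the server.log rejections.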
I've checked out the duplicate GUIDs - it's not the cause of the problem. I've found a handful of machines with duplicate GUIDs which I fixed up.
I've also removed all the rogue sensors and reinstalled one of them. As soon as I activate it, it again starts deploying to all machines (which are already in ePO).
I've also upgraded another ePO server to 4.5 in another region and it's giving the same problem.
I spoke to a local McAfee guy and he says the policy I've got set up is incorrect.
I've got an automatic policy to trigger on rogue event/rogue machine detected. On the filter I've got: if domain = ABC then push the agent using ABC/administrator.
The guy says because I've got domain = ABC it will always trigger for every machine in the domain? Surely this can't be right - I've set up the policy for only rogue machine detected? This is how I set it up on ePO 4 and it worked 100%.
Before I log a call with McAfee I just want to double check this.
The rogue sensor basically informs the rogue detection server (installed on the ePO server) of any host that it finds, irrespective of whether the host found is or is not in the ePO database. The rogue sensor policy only controls the timeout that should elapse until an already detected host should be noticed again if detected multiple times after the first detection.
So I think the rogue detection server might not be able to query the database for the host and therefore assumes it is missing from there.
The filter for domain=ABC itself should not be a problem, you are right, because it applies to rogue detection server on the assumption that it did not find the host.
Is the RSD version extension, etc. compatible with ePO 4.5 that you are using? (We're not running ePO 4.5 here so I am not sure if it uses RSD 2.0 or later) Some KB article says RSD 2.0 is compatible, but RSD 4.5 is recommended.
So I would check out these two things next (DB access and versions).
Maybe a bit outdated question, but have you managed to solve this issue of yours?
I am in the same situation like you were, with a hint of why this is happening...