9 Replies Latest reply on Feb 22, 2010 1:29 AM by Attila Polinger

    EPO/RSD think all my machines are rogue

      Was running EPO 4.0 with RSD and all was working well.


      Recently upgraded to 4.5 and am now having an issue where EPO thinks all my desktops and servers are rogue.


      The machines are all reporting correctly to EPO, updates working fine, policies being enforced correctly etc. How come EPO thinks the machines are all rogue?


      I've tried to uninstall all of the RSD's and just reinstalled one - same issue. Also installed SP1 - made no difference.


      About to open a call with McAfee but is there anything I'm overlooking?


      I've got an automated task which tries to deploy the agent when a rogue machine is detected. I've had to disable the task, otherwise EPO kills the network trying to deploy the agent to all machines.



      Message was edited by: gmc_za on 1/26/10 1:55:15 AM CST
        • 1. Re: EPO/RSD think all my machines are rogue
          Attila Polinger



          What is the version of the McAfee Agent that these clients run? Is it v4.x or earlier? Is it v4.5?


          How many clients are there in ePO (estimate)? Several tens, hundreds or more?


          What is the exact rogue state of these rogue clients? No Agent or Alien Agent? Which is more?



          • 2. Re: EPO/RSD think all my machines are rogue

            All are on - we're still busy testing MA4.5 so only have 10 machines or so on v4.5


            We have about 5000 clients in EPO.


            It's weird - the machines are being detected as rogue but they are not appearing under detected systems as rogue.


            I get an email from the system saying it's reported a rogue machine and it tries to deploy the agent. Apart from that I can't see anywhere where it says it's rogue.


            If I look under Detected Systems/Managed the machine appears there.

            • 3. Re: EPO/RSD think all my machines are rogue
              Attila Polinger

              Well, I suppose first you need to verify your RSD configuration, too, to exclude detections that are not managed systems (such as printers, and devices that generate network traffic).


              Check all RSD detection responses and, apart from the primary action (like you are supposedly now trying to push MA to such a client), as a secondary action immediately delete the detected system from the Detected Systems table (there is an action like this), so it does not increase the statistics until next time. This could be a primary action for non-Windows detections.


              A computer can be a rogue, furthermore, when the GUID of the MA on the client matches another managed node in the ePO. This could happen mostly due to using incorrectly prepared imaging on the clients. This is called the duplicate GUID issue.

              With MA version 4.5, there is a functionality to regenerate this GUID when the ePO server instructs the agent. Earlier MA versions (like you have) do not have this functionality.

              To check if there are really clients with duplicate GUIDs, look in the \Program Files\McAfee\ePolicy Orchestrator\DB\Logs\server.log on the ePO server and look for messages like this:


              20100126104828 E #2812 EPOServer Rejecting agent due to an invalid or duplicate sequence number
              20100126104828 E #2812 mod_epo Failed to process agent request


              This will confirm the duplicate GUID issue.

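The server.log check described in the reply above can be scripted when the log is large. This is an added example, not part of the original post or McAfee tooling; the field layout (timestamp, level, thread id, module, message) and the YYYYMMDDhhmmss timestamp reading are assumptions inferred from the two quoted lines, and the sample log is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two messages quoted in the post plus filler lines.
SAMPLE_LOG = """\
20100126104828 E #2812 EPOServer Rejecting agent due to an invalid or duplicate sequence number
20100126104828 E #2812 mod_epo Failed to process agent request
20100126104901 I #3004 EPOServer constructed informational filler line
20100126110215 E #2812 EPOServer Rejecting agent due to an invalid or duplicate sequence number
20100126110215 E #2812 mod_epo Failed to process agent request
20100126113040 E #1544 EPOServer Rejecting agent due to an invalid or duplicate sequence number
this line is truncated
"""

# Assumed layout: <timestamp> <level> #<thread> <module> <message>
LINE_RE = re.compile(r"^(\d{14})\s+([A-Z])\s+#(\d+)\s+(\S+)\s+(.*)$")
REJECT = "Rejecting agent due to an invalid or duplicate sequence number"
FAILED = "Failed to process agent request"

def summarize(text, pair_window_s=2):
    """Count rejection events, bucket them per hour, and count those followed
    by the mod_epo failure on the same thread within pair_window_s seconds."""
    per_hour, pending = Counter(), {}
    rejections = confirmed = unparsed = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # truncated or differently formatted line
            continue
        stamp, level, thread, module, msg = m.groups()
        try:
            ts = datetime.strptime(stamp, "%Y%m%d%H%M%S")
        except ValueError:
            unparsed += 1          # 14 digits that are not a valid date
            continue
        if level != "E":
            continue
        if module == "EPOServer" and msg == REJECT:
            rejections += 1
            per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
            pending[thread] = ts   # wait for the matching mod_epo line
        elif module == "mod_epo" and msg == FAILED and thread in pending:
            if (ts - pending.pop(thread)).total_seconds() <= pair_window_s:
                confirmed += 1
    return {"rejections": rejections, "confirmed": confirmed,
            "per_hour": dict(per_hour), "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The quoted lines do not name the rejected agent, so this measures how often and when rejections occur rather than which hosts cause them.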
              • 4. Re: EPO/RSD think all my machines are rogue

                Thanks - I think you're onto something there.


                Just checked the server log and there are tons of entries for:


                Rejecting agent due to an invalid or duplicate sequence number


                I'll have a look into speeding up the rollout of MA4.5 to fix up the GUID problem.

                • 5. Re: EPO/RSD think all my machines are rogue
                  Attila Polinger

                  Until then, here is a quick fix to the problem. You might want to include this in the login script of the domain for a short period, or convert it into DOS script commands and deploy with SMS, etc. for a single execution:


                  1. Stop McAfee Framework Service on the client

                  2. Delete the AgentGUID entry entirely under HKLM\Software\Network Associates\ePolicy Orchestrator\Agent

                  3. Start the McAfee Framework service on the client.


                  The AgentGUID entry reappears with a different value.



                  • 6. Re: EPO/RSD think all my machines are rogue

                    I've checked out the duplicate GUIDs - it's not the cause of the problem. I've found a handful of machines with duplicate GUIDs which I fixed up.


                    I've also removed all the rogue sensors and reinstalled one of them. As soon as I activate it, it again starts deploying to all machines (which are already in EPO).


                    I've also upgraded another EPO server to 4.5 in another region and it's giving the same problem.


                    I spoke to a local McAfee guy and he says the policy I've got set up is incorrect.


                    I've got an automatic policy to trigger on rogue event/rogue machine detected. On the filter I've got if domain = ABC then push the agent using ABC/administrator.


                    The guy says because I've got domain = ABC it will always trigger for every machine in the domain? Surely this can't be right - I've set up the policy for only rogue machine detected? This is how I set it up on EPO4 and it worked 100%.


                    Before I log a call with McAfee I just want to double check this.

                    • 7. Re: EPO/RSD think all my machines are rogue
                      Attila Polinger

                      The rogue sensor basically informs the rogue detection server (installed on the ePO server) of any host that it finds, irrespective of whether the host found is or is not in the ePO database. The rogue sensor policy only controls the timeout that should elapse until an already detected host should be noticed again if detected multiple times after the first detection.


                      So I think the rogue detection server might not be able to query the database for the host and therefore assumes it is missing from there.


                      The filter for domain=ABC itself should not be a problem, you are right, because it applies to rogue detection server on the assumption that it did not find the host.


                      Is the RSD version extension, etc. compatible with ePO 4.5 that you are using? (We're not running ePO 4.5 here so I am not sure if it uses RSD 2.0 or later) Some KB article says RSD 2.0 is compatible, but RSD 4.5 is recommended.


                      So I would check out these two things next (DB access and versions)

                      • 8. Re: EPO/RSD think all my machines are rogue

                        Looks like it's a common problem with something going wrong during the upgrade.




                        Just opened a case - will feedback the results.

                        • 9. Re: EPO/RSD think all my machines are rogue
                          Attila Polinger


                          May be a bit of an outdated question, but have you managed to solve this issue of yours?

                          I am in the same situation as you were, with a hint of why this is happening...