4 Replies Latest reply on Jul 19, 2010 3:25 AM by Attila Polinger

    duplicate non compliant computers detection & false positives

    mcdave

      Hello

       

      I've got a query to detect (non)compliant computers.

       

      Displays a boolean pie chart of managed systems in your environment which are compliant or non-compliant by version of VirusScan Enterprise (for Windows), McAfee Agent, and DAT files.
      Agent At Least 3.6
      VirusScanner At Least 8.5
      Dat Files Within last 33 Versions

       

      In the output of the query for non compliant clients I see many clients multiple times.

      example:

       

       

      System Name (Bold = deleted) | IP Address | Domain Name | OS Platform | Assignment Path | Product Version (Agent) | Engine Version (VirusScan Enterprise) | DAT Version (VirusScan Enterprise) | Last Communication | Last Agent Communication | Last Detected Time | First Detected Time | First Recorded Time | Last Detected Time | Last Recorded Time
      XPD339 | 10.11.30.50 | TAND | Professional | My Organization\TAND\Europe\Desktops\Workstations\ | (empty) | 5400.1158 | 6043.0000 | 7/15/10 5:47:05 PM | 7/15/10 5:47:05 PM | 6/18/10 6:00:57 PM | 10/22/09 2:27:50 PM | 10/22/09 2:27:50 PM | 6/18/10 6:00:57 PM | 6/18/10 6:00:57 PM
      XPD339 | 10.11.30.50 | TAND | Professional | My Organization\TAND\Europe\Desktops\Workstations\ | 4.5.0.1270 | (empty) | (empty) | 7/15/10 5:47:05 PM | 7/15/10 5:47:05 PM | 6/18/10 6:00:57 PM | 10/22/09 2:27:50 PM | 10/22/09 2:27:50 PM | 6/18/10 6:00:57 PM | 6/18/10 6:00:57 PM
      XPD339 | 10.11.30.50 | TAND | Professional | My Organization\TAND\Europe\Desktops\Workstations\ | (empty) | (empty) | (empty) | 7/15/10 5:47:05 PM | 7/15/10 5:47:05 PM | 6/18/10 6:00:57 PM | 10/22/09 2:27:50 PM | 10/22/09 2:27:50 PM | 6/18/10 6:00:57 PM | 6/18/10 6:00:57 PM

       

       

      Now I've got a few questions:

      Where do these duplicate lines come from when these clients don't have any duplicate objects in ePO?

      Also weird is that most of these clients are up to date (according to the query), as you can see in one of the output rows.
      Is this a bug?

       

      What exactly do the following fields mean (what are the differences)?

       

      • Last Communication (Time)
      • Last Agent Communication (Time)
      • Last Detected Time
      • Last Recorded Time

       

      As you can see, the example client still communicates but the detect & record times are far behind. What am I missing here? I don't get it.

       

      Regards
      Dave
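An added check (not from the thread and not ePO's own code) that shows how the per-row view above reports the same host three times as non-compliant while a per-system view does not: the rows are constructed from the table in the post, the agent and DAT thresholds are the ones in the query description, and the reference DAT number (6050) is an assumed value. The VSE product version is not in the table, so it is not checked here.

```python
from collections import OrderedDict

# Constructed rows modelled on the post's table: XPD339 appears three times with
# the version columns scattered across the copies. XPD340 is an added, genuinely
# out-of-date host so the check has something real to flag.
ROWS = [
    {"name": "XPD339", "agent": "",           "engine": "5400.1158", "dat": "6043.0000"},
    {"name": "XPD339", "agent": "4.5.0.1270", "engine": "",          "dat": ""},
    {"name": "XPD339", "agent": "",           "engine": "",          "dat": ""},
    {"name": "XPD340", "agent": "4.0.0.1345", "engine": "5300.2777", "dat": "5990.0000"},
]
MIN_AGENT = (3, 6)   # "Agent At Least 3.6" from the post
DAT_WINDOW = 33      # "Dat Files Within last 33 Versions" from the post

def version_tuple(v):
    """'4.5.0.1270' -> (4, 5, 0, 1270) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def is_compliant(rec, latest_dat):
    """Agent/DAT thresholds from the post; an empty field counts as non-compliant.
    latest_dat (assumed input) is the newest DAT number you treat as current."""
    if not rec["agent"] or not rec["dat"]:
        return False
    agent_ok = version_tuple(rec["agent"]) >= MIN_AGENT
    dat_ok = int(rec["dat"].split(".")[0]) >= latest_dat - DAT_WINDOW
    return agent_ok and dat_ok

def per_row_noncompliant(rows, latest_dat):
    """Naive evaluation: judge every row as it comes, duplicates included."""
    return [r["name"] for r in rows if not is_compliant(r, latest_dat)]

def merge_by_name(rows):
    """Collapse rows sharing a System Name; keep the first non-empty value per
    field and count how many source rows each system had."""
    merged = OrderedDict()
    for r in rows:
        m = merged.setdefault(r["name"], {"name": r["name"], "agent": "",
                                          "engine": "", "dat": "", "rows": 0})
        m["rows"] += 1
        for f in ("agent", "engine", "dat"):
            m[f] = m[f] or r[f]
    return list(merged.values())

def merged_noncompliant(rows, latest_dat):
    """Evaluate each system once, after merging its duplicate rows."""
    return [m["name"] for m in merge_by_name(rows) if not is_compliant(m, latest_dat)]

def duplicated_names(rows):
    """Systems that occupy more than one row: the ones to clean up by hand."""
    return [m["name"] for m in merge_by_name(rows) if m["rows"] > 1]
```

Running it on the constructed rows, the naive view flags XPD339 three times and XPD340 once; the merged view flags only XPD340, and XPD339 is listed as the duplicated record to clean up.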

        • 1. Re: duplicate non compliant computers detection & false positives
          Attila Polinger

          Hello Dave,

           

          are you using rogue system detection sensors? These sensors record systems the way you saw it, in a different table, and this is not cleaned up by the duplicate agent cleanup task, nor do they appear as duplicates in the relevant ePO duplicates report. However, this report you cited here might use the Detected Systems as the source, thus counting nodes from two origins, appearing as "duplicates".

          I think you can delete the "duplicates" safely leaving the node(s) that is(are) registered as communicating and up to date.

          (what is the epo system version and patch level, by the way?)

           

          Attila

          • 2. Re: duplicate non compliant computers detection & false positives
            mcdave

            Hi Attila,

             

            We don't use rogue sensors.

            But we do use Agent Handlers

             

            Is it normal that these (duplicates) are detected as 1 same system?
            (If I check one of the duplicates ALL of them are getting (un)marked.)

             

            We're using epo 4.5 + Patch 1

             

            grtz

            Dave

            • 3. Re: duplicate non compliant computers detection & false positives
              Attila Polinger

              Hi,

               

              would you check what source this report uses? Managed Systems or Detected Systems? You may want to recreate the same report from the Managed Systems source (personally I see no reason why such a report would use Detected Systems, which means "detected" and not "managed", so compliance should not be based on detection but rather on managedness).

              Also I recommend deleting the duplicates via the console (I mean those which do not have ASCI time recorded).

              I have learned from others that the ePO agent creates records in the Detected Systems table just like it would in the Managed Systems table, the delay for the latter is random within 10 minutes whereas the prior happens instantly. But Detected Systems record does have ASCI time filled with value so without value a record can be deleted if you do not use rogue system sensor (that would create records here, too with far less information).

               

              So although others here might answer you more reasonably, I suggest you simply delete the unwanted duplicates and only bother yourself if they get recreated again. Also use the query on Managed Systems which seems more reasonable.

               

              Attila

              • 4. Re: duplicate non compliant computers detection & false positives
                mcdave

                Hi,

                 

                The report uses managed systems as source.

                I'll delete the duplicates and keep an eye on them.

                 

                regards

                Dave