4 Replies Latest reply on Mar 25, 2011 8:20 AM by UNVNettech

    Rogue exception constantly being detected?

      We have been running EPO 4.5 with our rack IP KVMs (about a dozen KVMs in total) classified as exceptions for over two years with no problems.

       

      Since last Thursday, I now have one KVM that is being detected as a rogue, multiple detection instances every day like they are separate devices.  Each detection displays the same IP address & Linux OS...but no other info like the MAC address.  I've reclassified it as an exception about 40 times now and it just keeps showing up.

       

      I've turned the KVM off and the rogue disappears & nothing else is occupying that IP address.  The KVM is operating as expected with no problems or issues. We've updated the firmware on the KVM to no avail.

       

       

      Suggestions?

        • 1. Re: Rogue exception constantly being detected?
          ottawa_tech_31

          Through informal conversations with our support vendor, I've been told this is a known issue within Mcafee, where the ePO server doesn't acknowledge it's OWN agents, nor exceptions, so anything that is detected as ALIEN AGENT, or INACTIVE agent is basically a false positive, and any automated tasks that are set to automatically install the agent on new discoveries will basically spend it's time re-installing the agent on existing (and known) boxes.

           

          What I was told was that an updated AGENT as well as a patch to ePO 4.5 would be needed (both together), to fix this behavior, and both are expected in January 2011.

          • 2. Re: Rogue exception constantly being detected?

            I'm not so sure that what you suspect applies in this situation.

             

            This KVM has been classified as an exception for at least 2.5 years with out an issue until last week.

             

            It is one of a three hundered exceptions (IP-KVMs, switches, routers, printers etc) and the only device that keeps showing up like this.  We have around 800 managed agents in the network and none of them are exhibiting this behavior either.

            • 3. Re: Rogue exception constantly being detected?

              I have opened up a support incident on this issue a few days ago.  I'm already several emails deep & have provided screen shots, the support rep is still not able to grasp the nature of the issue or understand what an IP KVM is....</facepalm>

               

              The KVM is still being detected several times a day as a rogue.  I current have 9 separate detections for the same device in my rogue detection display.

               

               

              10.10.199.128
              10.10.199.128
              1/4/11 10:58:49 AM

              10.10.199.128
              10.10.199.128
              1/4/11 11:23:22 AM

              10.10.199.128
              10.10.199.128
              1/4/11 1:23:23 PM

              10.10.199.128
              10.10.199.128
              1/4/11 3:23:24 PM

              10.10.199.128
              10.10.199.128
              1/5/11 6:46:55 AM

              10.10.199.128
              10.10.199.128
              1/5/11 7:23:35 AM

              10.10.199.128
              10.10.199.128
              1/5/11 9:23:25 AM

              10.10.199.128
              10.10.199.128
              1/5/11 10:58:48 AM

              10.10.199.128
              10.10.199.128
              1/5/11 11:23:23 AM

              • 4. Re: Rogue exception constantly being detected?

                So after numerous calls and finally getting past tier 1 support, the only resolution was to add the "static IP address" criteria as a matching attribute so it would exclude this as a rogue based on IP addres.   Not really a solution, per say, but it does prevent this device from being detected constantly.

                 

                on 3/25/11 8:20:29 AM CDT