5 Replies Latest reply on Nov 21, 2012 8:18 AM by pierce

    Rogue Host Detection

    trevorw2000

      Hello All,

       

      I'm sure this is a matter of me just not knowing how the system works, but hopefully you can help me understand what's going on a bit better.  The issue we're having with our Rogue System Sensors has been narrowed down to two things:  First, the automatic response for sending out an e-mail when a rogue host is detected is not functioning normally.  We haven't received rogue host notifications in just over a month despite the rogue system count changing nearly every day.  However, other automatic responses are working properly.  This seems to align almost perfectly with the upgrade to 4.6.4, although that could be just a coincidence.

       

      The second issue is that it seems items are not being removed from the Detected Systems list, even though the agent has finally communicated in and been updated.  So when I find the system in our system tree, it's functioning normally.  Yet it's still listed in detected systems and it'll have a last detected time of a day ago or in some cases longer.  I have one system in the Detected Systems list that has a last detected time showing 9/28, but last ASCI was less than five minutes ago according to system details.  MAC Address, Host Name & IP Address haven't changed.

       

      Any suggestions on these two issues?

       

      Thanks!

       

      Trevor

        • 1. Re: Rogue Host Detection
          pierce

          Having the same issue as you: https://kc.mcafee.com/corporate/index?page=content&id=KB73602 known issue with upgrading, apparently have to start again with our automatic responses!

          • 2. Re: Rogue Host Detection
            trevorw2000

            I saw that issue, but I'm slightly skeptical that it's the source of the problem... This seemed to have happened going to 4.6.4, and that KB article mentions that the problem was resolved in 4.6.3.  I also have other automatic responses that are working.  Did you have this problem with all of your automatic responses or was it just Rogue System Detection?

            • 3. Re: Rogue Host Detection
              pierce

              Just the Rogue system responses, have some others working fine.

               

              I am upgrading to rogue system 4.7 now to see if that resolves my issues, as the rogue system detection modules stayed at 4.6.1 and didn't upgrade to 4.6.4 (which I believe was a note in the release notes for the ePO upgrade), and if it doesn't, at least I have upgraded another thing.

              • 4. Re: Rogue Host Detection
                trevorw2000

                Thanks for the update.  Let me know if upgrading helped and/or if you decided to delete and rebuild all of your automatic responses.  We're already running the RSD 4.7 and I deleted the automatic response specifically for RSD and recreated it, but I didn't delete all of them as it suggested since some of ours are working fine.

                • 5. Re: Rogue Host Detection
                  pierce

                  Ok so upgraded to 4.7 which seemed to give me more issues around the policy vanishing but the responses did start up again.

                  Then I removed the extension (while working with support) and re-checked in and everything works once more without having to delete any of my automatic responses... BUT I did lose all my rogue sensor policy and settings, so the exception groups and what devices were in an exception.

                  A lot of this was done manually so a bit of a pain but still in my mind better than having to mess around with the automatic responses.

                   

                  If you do upgrade to 4.7, make sure you take backups of the policy + any exception list/subnet naming you have done.