2 Replies Latest reply on Apr 14, 2014 5:43 PM by mvm_101

    Rogue system detection & managed systems

    mvm_101

      Hi,

      Our ePO 5.1 (RSD 4.7.1.120) generally works well, but it seems that the RSD agents keep "re-discovering" managed systems. This leads to HIPS triggering TCP port scan alerts and producing lots of events.

      Is there a way to stop RSD from port scanning managed systems?

      I don't want to stop RSD from port scanning in general as that certainly has its uses. I'd just like RSD to not port scan known managed systems.

      Message was edited by: mvm_101 on 3/18/14 2:23:17 PM CDT
        • 1. Re: Rogue system detection & managed systems
          andrep1

          You can only "except" systems marked as exceptions.

          If you don't have too many sensors, you can add the sensor IP in the trusted network policy for HIPS, or you can disable the port scanning rule in HIPS (rule 3700/3701). I'm not sure if it is still the case, but those rules couldn't be disabled, so if you want to do that and it is still the case that they can't be disabled, you can reduce the level of the rule to "informational" instead of "high" or "medium".

          1 of 1 people found this helpful
          • 2. Re: Rogue system detection & managed systems
            mvm_101

            I have filed a PER to either make RSD not port scan managed nodes, or make it such that RSD can automatically configure host IPS to not trigger alerts for the port scanning traffic RSD creates.