How to clean/delete "Rogue Computers" ?



Hey team,

I looked for this subject but didn't solve my issue...

In ESMC, at the bottom we have the statistics for Rogue Computers; how can I delete them? Most of them are disabled in AD, others are printers, VMs...

Running:

ESET Security Management Center (Server), Version 7.2 (7.2.2233.0)
ESET Security Management Center (Web Console), Version 7.2 (7.2.221.0)

 


  • Most Valued Members

A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed.

It is fine even if it shows you the rogue devices; there could be an option to hide/ignore these.


  • ESET Staff

I would recommend using the filter available in Rogue Detection Sensor to filter out devices that are known and should not be reported:

[screenshot: image.png]

with more details mentioned in the description.

There is also a client task Rogue Detection Sensor Database Reset available in ESMC that might help.


On 7/16/2020 at 8:23 PM, Nightowl said:

A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed.

It is fine even if it shows you the rogue devices; there could be an option to hide/ignore these.

Yes Nightowl, but there wasn't any option to hide or even delete these IP/MAC addresses.

On 7/17/2020 at 5:56 AM, MartinK said:

I would recommend using the filter available in Rogue Detection Sensor to filter out devices that are known and should not be reported:

[screenshot: image.png]

with more details mentioned in the description.

There is also a client task Rogue Detection Sensor Database Reset available in ESMC that might help.

Thanks for the suggestion MartinK. This policy is supposed to run just on machines running ESET, right? Because I applied your suggestion for 2 printers, blacklisted the IPs, and they continue to show in the Rogue report.

How can I clean up this number? Currently, I have 157 "ghost machines" there.

[screenshot: 2020-07-16_16h49_34.png]


  • ESET Staff

I think the task I mentioned in my previous comment should perform the cleanup, as it is possible that the filter set in the policy will affect only newly detected devices, not those already detected.

The policy should be applied at least to the devices where Rogue Detection Sensor is installed.


  • Most Valued Members

Funny thing. I was just trying to figure this out. I have put all the Rogue IPs into a static group. The confusion that I'm having is how to set the filter.

If I have a static group which contains rogue IPs (that aren't really rogue), how do I set the filter so that they are ignored and aren't displayed in the list of computers when I select "All Subgroups"? Do I need to actually copy all those IPs to the filter list of the Policy?

Thanks

 


  • Most Valued Members

I've played around with the filter list and I'm still not getting it.

If someone with experience with this part of the console can clarify it.

I have added a bunch of IPs to the IPv4 list (via "Edit IPv4 list"). Since I don't want them to be detected, I select the blacklist radio button, since as the description says: "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist." I apply the policy to the server that has the RDS installed.

I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore. Am I misunderstanding the function?

My confusion stems from the description and what I want to do. I'd like the RDS to ignore rogue systems (not really rogue, since I know what they are). So with that in mind, I add all those IPs to the IPv4 list. Now since I don't want them detected, that list should be a blacklist.

Am I correct in my setup?

Thanks

 

Edmund

 

[screenshot: Clipboard01.jpg]

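The behaviour MartinK describes (the policy filter only influences devices that are detected after it is applied, while the Rogue Detection Sensor Database Reset task clears what has already been recorded) and the whitelist/blacklist description Edmund quotes from the policy are easy to confuse. The following is an added toy model written for this thread, not ESET code and not a description of how ESMC is implemented internally; it assumes that a sensor keeps a database of already-reported devices, consults the IPv4 filter only for new detections, and that the reset task empties that database. Under those assumptions it replays the sequence from the thread: detect four devices, blacklist the two printers, rescan, reset, rescan. The addresses are constructed RFC 5737 documentation addresses.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RogueSensor:
    """Toy model of a rogue-detection database plus its IPv4 filter.
    This is an assumption about the semantics, not ESET's implementation."""
    mode: str = "off"                                # "off", "whitelist" or "blacklist"
    filter_list: list = field(default_factory=list)  # IPv4 addresses or CIDR ranges
    reported: set = field(default_factory=set)       # devices already in the rogue database

    def in_filter(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(entry, strict=False) for entry in self.filter_list)

    def should_report(self, ip: str) -> bool:
        """Filter semantics as the policy description in the thread states them:
        whitelist -> only listed addresses are detected;
        blacklist -> only addresses that are NOT listed are detected."""
        if self.mode == "whitelist":
            return self.in_filter(ip)
        if self.mode == "blacklist":
            return not self.in_filter(ip)
        return True

    def scan(self, seen_ips) -> int:
        """One detection pass. Assumption: the filter is consulted only for
        devices not already in the database, which is why changing the policy
        alone does not shrink an existing rogue count."""
        for ip in seen_ips:
            if ip not in self.reported and self.should_report(ip):
                self.reported.add(ip)
        return len(self.reported)

    def database_reset(self) -> None:
        """Model of the 'Rogue Detection Sensor Database Reset' client task."""
        self.reported.clear()


# Constructed sample network (RFC 5737 documentation addresses, not real hosts).
PRINTERS = ["192.0.2.10", "192.0.2.11"]
UNMANAGED_PCS = ["192.0.2.20", "192.0.2.21"]
NETWORK = PRINTERS + UNMANAGED_PCS


def blacklist_walkthrough() -> tuple:
    """Replays the thread: detect, blacklist the printers, rescan, reset, rescan.
    Returns the rogue count after each of the three scans."""
    rds = RogueSensor()
    before = rds.scan(NETWORK)                  # no filter yet: all 4 reported
    rds.mode, rds.filter_list = "blacklist", list(PRINTERS)
    after_policy = rds.scan(NETWORK)            # still 4: existing entries are not re-evaluated
    rds.database_reset()
    after_reset = rds.scan(NETWORK)             # 2: only the unmanaged PCs come back
    return before, after_policy, after_reset


def whitelist_example() -> set:
    """Whitelist mode: only addresses inside the listed range are ever detected."""
    rds = RogueSensor(mode="whitelist", filter_list=["192.0.2.16/28"])
    rds.scan(NETWORK)
    return set(rds.reported)


if __name__ == "__main__":
    print("rogue count before / after policy / after reset:", blacklist_walkthrough())
    print("whitelist mode reports:", sorted(whitelist_example()))
```

In this model, Edmund's setup (blacklist mode, policy applied to the server running the sensor) is the right choice for "do not detect these"; the count he watches does not drop because the printers were already in the database before the filter existed. Running the reset task and letting the sensor rescan is what makes the filtered devices disappear, which is the combination MartinK and the later replies point to.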


I understand exactly. I've tried the filters suggested here, policies, resetting the rogue detection, and re-syncing the server after each filter was applied, and after that checked the Rogue report and... the IPs are still there.

Thanks for sharing your experience with us. I'm still waiting for some update/solution from the ESET team.

We need to have some options on rogue detection to delete or "hide" these IPs from printers, phones and other stuff.


  • 1 month later...
On 9/24/2020 at 9:06 AM, LesRMed said:

Did anybody ever have any luck with this?

Not yet...Thanks for asking.

I tried a lot of things and the number just increases; still waiting for some solution from ESET Staff.


Hi,

It's not the best solution, but a quick workaround that I used is to create a sub-group for devices that are not computers. I have printers and IP phones. So once I established that a device is a printer, I just added it to the printer subgroup. I didn't want to filter/whitelist IP addresses because everything is on DHCP at the moment, and that sort of defeats the purpose of rogue detection, as I wanted to make sure the IP address linked to that device is visible in case another device/PC took its IP address. It's still a work in progress, but I have reduced the number of rogue devices that I can verify by 80%.

I'm still new at ESMC and haven't had time to fully look into the filters and white/black listing. Hope this helps.


  • 1 month later...

Hello Vast,

In addition to your workaround, run the Rogue Reset Task as suggested in this post:

https://forum.eset.com/topic/8420-how-to-reset-rogue-detection-sensor/?do=findComment&comment=44899

It'll clean up the remaining detections and sort of "reset to Zero". Any further Rogue Detections that come in can be closely monitored.

