Edu 0 Posted July 16, 2020

Hey team, I looked for this subject but didn't solve my issue... In ESMC, at the bottom we have the statistics for Rogue Computers, how can I delete them? Most of them are disabled on AD, others are printers, VMs...

Running:
ESET Security Management Center (Server), Version 7.2 (7.2.2233.0)
ESET Security Management Center (Web Console), Version 7.2 (7.2.221.0)

Nightowl 206 (Most Valued Members) Posted July 16, 2020

3 hours ago, Edu said:
> Hey team, I looked for this subject but didn't solve my issue... In ESMC, at the bottom we have the statistics for Rogue Computers, how can I delete them? Most of them are disabled on AD, others are printers, VMs...
> Running:
> ESET Security Management Center (Server), Version 7.2 (7.2.2233.0)
> ESET Security Management Center (Web Console), Version 7.2 (7.2.221.0)

A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed. It is fine even if it shows you the rogue devices, it's fine, there could be an option to hide/ignore these.

MartinK 384 (ESET Staff) Posted July 16, 2020

I would recommend using the filter available in Rogue Detection Sensor to filter out devices that are known and should not be reported: with more details mentioned in the description. There is also a client task, Rogue Detection Sensor Database Reset, available in ESMC that might help.

Edu 0 (Author) Posted July 19, 2020

On 7/16/2020 at 8:23 PM, Nightowl said:
> A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed. It is fine even if it shows you the rogue devices, it's fine, there could be an option to hide/ignore these.

Yes Nightowl, but there wasn't any option to hide or even delete these IP/MAC addresses.

On 7/17/2020 at 5:56 AM, MartinK said:
> I would recommend using the filter available in Rogue Detection Sensor to filter out devices that are known and should not be reported: with more details mentioned in the description. There is also a client task, Rogue Detection Sensor Database Reset, available in ESMC that might help.

Thanks for the suggestion MartinK. Is this policy supposed to run just on machines running ESET, right? Because I applied your suggestion for 2 printers, blacklisted the IPs, and they continued to show in the Rogue report. How to clean this number? Currently, I have 157 "ghost machines" there.

MartinK 384 (ESET Staff) Posted July 20, 2020

10 hours ago, Edu said:
> Yes Nightowl, but there wasn't any option to hide or even delete these IP/MAC addresses. Thanks for the suggestion MartinK. Is this policy supposed to run just on machines running ESET, right? Because I applied your suggestion for 2 printers, blacklisted the IPs, and they continued to show in the Rogue report. How to clean this number? Currently, I have 157 "ghost machines" there.

I think that the task I mentioned in my previous comment should perform the cleanup, as it is possible that the filter set in the policy will affect only newly detected devices, not those already detected. The policy should be applied at least to devices where Rogue Detection Sensor is installed.

ewong 8 (Most Valued Members) Posted July 21, 2020

Funny thing. I was just trying to figure this out. I have put all the Rogue IPs into a static group. The confusion that I'm having is how to set the filter. If I have a static group which contains rogue IPs (that aren't really rogue), how do I set the filter such that they are ignored and aren't displayed in the list of computers when I select "All Subgroups"? Do I need to actually copy all those IPs to the filter list of the Policy?

Thanks

ewong 8 (Most Valued Members) Posted July 24, 2020

I've played around with the filter list and I'm still not getting it. If someone with experience with this part of the console can clarify it.

I have added a bunch of IPs to the IPv4 list (via "Edit IPv4 list"). Since I don't want them to be detected, I select the blacklist radio button, since, as the description says: "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist." I apply the policy to the server that has the RDS installed. I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore.

Am I misunderstanding the function? My confusion stems from the description and what I want to do. I'd like the RDS to ignore rogue systems (not really rogue, since I know what they are). So with that in mind, I add all those IPs to the IPv4 list. Now since I don't want them detected, that list should be a blacklist. Am I correct in my setup?

Thanks
Edmund

Edu 0 (Author) Posted July 24, 2020

20 minutes ago, ewong said:
> I've played around with the filter list and I'm still not getting it. If someone with experience with this part of the console can clarify it.
> I have added a bunch of IPs to the IPv4 list (via "Edit IPv4 list"). Since I don't want them to be detected, I select the blacklist radio button, since, as the description says: "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist." I apply the policy to the server that has the RDS installed. I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore.
> Am I misunderstanding the function? My confusion stems from the description and what I want to do. I'd like the RDS to ignore rogue systems (not really rogue, since I know what they are). So with that in mind, I add all those IPs to the IPv4 list. Now since I don't want them detected, that list should be a blacklist. Am I correct in my setup?
> Thanks
> Edmund

I understand exactly. I've tried the filters suggested here, policies, reset the rogue, re-synced the server after each filter applied, and after that checked the Rogue report and... the IPs are still there. Thanks for sharing your experience with us, I'm still waiting for some update/solution from the ESET team. We need to have some options on rogue to delete or "hide" these IPs from printers, phones and other stuff.

LesRMed 26 Posted September 23, 2020

Did anybody ever have any luck with this?

Edu 0 (Author) Posted September 28, 2020

On 9/24/2020 at 9:06 AM, LesRMed said:
> Did anybody ever have any luck with this?

Not yet... Thanks for asking. I tried a lot of things and the number just increases, still waiting for some solution from ESET Staff.

Vast 0 Posted October 2, 2020

Hi,

It's not the best solution, but a quick workaround that I used is to create a sub-group for devices that are not computers. I have printers and IP phones. So once I established that a device is a printer I just added it to the printer subgroup. I didn't want to filter/whitelist IP addresses because everything is on DHCP at the moment and it sort of defeats the purpose of rogue detection, as I wanted to make sure the IP address linked to that device is visible in case another device/PC took its IP address.

It's still a work in progress, but I have reduced the number of rogue devices that I can verify by 80%. I'm still new at ESMC and haven't had time to fully look into the filters and white/black listing.

Hope this helps.

Nick2020 0 Posted November 12, 2020

On 10/2/2020 at 6:25 AM, Vast said:
> Hi,
> It's not the best solution, but a quick workaround that I used is to create a sub-group for devices that are not computers. I have printers and IP phones. So once I established that a device is a printer I just added it to the printer subgroup. I didn't want to filter/whitelist IP addresses because everything is on DHCP at the moment and it sort of defeats the purpose of rogue detection, as I wanted to make sure the IP address linked to that device is visible in case another device/PC took its IP address.
> It's still a work in progress, but I have reduced the number of rogue devices that I can verify by 80%. I'm still new at ESMC and haven't had time to fully look into the filters and white/black listing.
> Hope this helps.

Hello Vast,

In addition to your workaround, run the Rogue Reset Task as suggested in this post: https://forum.eset.com/topic/8420-how-to-reset-rogue-detection-sensor/?do=findComment&comment=44899

It'll clean up the remaining detections and sort of "reset to Zero". Any further Rogue Detections that come in can be closely monitored.
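
Added example, not part of any post above and not ESET code: a simplified Python model of the behaviour discussed in this thread, showing the whitelist/blacklist semantics from the quoted filter description, why a filter alone may leave old entries in the count until a database reset, and the DHCP caveat Vast raises. It assumes, as MartinK suggests is possible, that the filter is applied only to newly seen devices; the class, function names, addresses and MACs are all hypothetical.

```python
import ipaddress

class RogueSensorModel:
    def __init__(self):
        self.mode = None      # None, "whitelist" or "blacklist"
        self.nets = []        # IPv4 filter list
        self.detected = {}    # MAC -> IP, the sensor's database

    def set_filter(self, mode, entries):
        self.mode = mode
        self.nets = [ipaddress.ip_network(e) for e in entries]

    def passes_filter(self, ip):
        if self.mode is None:
            return True
        listed = any(ipaddress.ip_address(ip) in n for n in self.nets)
        return listed if self.mode == "whitelist" else not listed

    def observe(self, mac, ip):
        # ASSUMPTION: the filter is checked only when a device is seen;
        # entries already in the database are not re-evaluated.
        if self.passes_filter(ip):
            self.detected[mac] = ip
            return True
        return False

    def reset_database(self):
        self.detected.clear()

def run_scenario():
    # Constructed sample devices (documentation addresses and MACs).
    known = [("00:00:5e:00:53:01", "192.0.2.50"),   # printer
             ("00:00:5e:00:53:02", "192.0.2.51")]   # IP phone
    seen = known + [("00:00:5e:00:53:03", "192.0.2.77")]  # unmanaged laptop
    sensor = RogueSensorModel()

    def sweep():
        for mac, ip in seen:
            sensor.observe(mac, ip)
        return len(sensor.detected)

    before = sweep()
    sensor.set_filter("blacklist", [ip for _, ip in known])
    after_filter = sweep()        # stale printer/phone entries remain
    sensor.reset_database()
    after_reset = sweep()         # only the laptop is reported again
    # DHCP caveat from Vast's post: an unknown device that takes over the
    # printer's blacklisted address is never reported.
    newcomer_reported = sensor.observe("00:00:5e:00:53:99", "192.0.2.50")
    return before, after_filter, after_reset, newcomer_reported

if __name__ == "__main__":
    print(run_scenario())
```

In this model the count only drops once the reset runs after the filter is in place, and an IP-based blacklist hides whatever device later holds that address.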