Jump to content

How to clean/delete "Rogue Computers" ?


Edu
 Share

Recommended Posts

Hey team,

I looked for this subject but didn't solve my issue...

In ESMC, on the botton we have the statistcs for Rogue Computers, how can I delete them ? Most of them are disable on AD, others are printers, vms...

Running:

ESET Security Management Center (Server), Version 7.2 (7.2.2233.0)
ESET Security Management Center (Web Console), Version 7.2 (7.2.221.0)

 

Link to comment
Share on other sites

  • Most Valued Members
3 hours ago, Edu said:

Hey team,

I looked for this subject but didn't solve my issue...

In ESMC, on the botton we have the statistcs for Rogue Computers, how can I delete them ? Most of them are disable on AD, others are printers, vms...

Running:

ESET Security Management Center (Server), Version 7.2 (7.2.2233.0)
ESET Security Management Center (Web Console), Version 7.2 (7.2.221.0)

 

A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed.

It is fine even if it shows you the rogue devices , it's fine , there could be an option to hide/ignore these.

Link to comment
Share on other sites

  • ESET Staff

I would recommend to use filter as available in Rogue Detection Sensor to filter out devices that are known are should not be reported:

image.png

with more details mentioned in description.

There is also a client task Rogue Detection Sensor Database Reset available in ESMC that might help.

Link to comment
Share on other sites

On 7/16/2020 at 8:23 PM, Nightowl said:

A rogue computer is just a device that is connected to the network and doesn't have ESET Agent / Endpoint installed.

It is fine even if it shows you the rogue devices , it's fine , there could be an option to hide/ignore these.

Yes Nightowl, but there wasn't any option to hide or even delete these IP/MAC address.

On 7/17/2020 at 5:56 AM, MartinK said:

I would recommend to use filter as available in Rogue Detection Sensor to filter out devices that are known are should not be reported:

image.png

with more details mentioned in description.

There is also a client task Rogue Detection Sensor Database Reset available in ESMC that might help.

Thanks for the suggestion MartinK. Is this policy supposed to run just on machines running ESET right? Because, I applied your suggestion for 2 printers, blacklisted the IP's and they continues showed in the Rogue report.

How to clean this number? Currently, I have 157 "ghost machines" there.

2020-07-16_16h49_34.png

Link to comment
Share on other sites

  • ESET Staff
10 hours ago, Edu said:

Yes Nightowl, but there wasn't any option to hide or even delete these IP/MAC address.

Thanks for the suggestion MartinK. Is this policy supposed to run just on machines running ESET right? Because, I applied your suggestion for 2 printers, blacklisted the IP's and they continues showed in the Rogue report.

How to clean this number? Currently, I have 157 "ghost machines" there.

2020-07-16_16h49_34.png

I thinks that  task I mentioned in previous commend should perform cleanup, as it is possible that filter set in policy will affect only newly detected devices, not those already detected.

Policy should be applied at least to devices where Rogue Detection Sensor is installed.

Link to comment
Share on other sites

  • Most Valued Members

Funny thing.  I was just trying to figure this out.  I have put all the Rogue IPs into a static group.  The confusion that I'm  having is how to set the filter.  

If I have a static group which contains rogue ips ( that aren't really rogue), how do I set the filter such that the they are ignored and aren't displayed in the list of computers when I select "All Subgroups"?    Do I need to actually copy all those IPs to the filter list of the Policy?

Thanks

 

Link to comment
Share on other sites

  • Most Valued Members

I've played around with the filter list and I'm still not getting it.

If someone with experience with this part of the console can clarify it.

I have added a bunch of ips to the ipv4 list[via the "Edit IPv4 list"   Since I don't want them to be detected, I select the blacklist radio button [since as the description says:  "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist."   I apply the policy to the server that has the RDS installed.

I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore.   Am I misunderstanding the function?

My confusion stems from the description and what I want to do.   I'd like the RDS to ignore rogue systems(not really rogue, since I know what they are).  So with that in mind, I add all those ips to the IPv4 list.   Now since I don't want them detected, that list should be a blacklist.

Am I correct in my setup?

Thanks

 

Edmund

 

Clipboard01.jpg

Link to comment
Share on other sites

20 minutes ago, ewong said:

I've played around with the filter list and I'm still not getting it.

If someone with experience with this part of the console can clarify it.

I have added a bunch of ips to the ipv4 list[via the "Edit IPv4 list"   Since I don't want them to be detected, I select the blacklist radio button [since as the description says:  "By enabling filter, only computers whose IP addresses are part of the whitelist in the IPv4 filter list will be detected, or only those that are not part of the blacklist."   I apply the policy to the server that has the RDS installed.

I waited for about an hour and then I went to the Status Overview page, yet the number of Rogue computers detected still includes the list of supposed systems that it should ignore.   Am I misunderstanding the function?

My confusion stems from the description and what I want to do.   I'd like the RDS to ignore rogue systems(not really rogue, since I know what they are).  So with that in mind, I add all those ips to the IPv4 list.   Now since I don't want them detected, that list should be a blacklist.

Am I correct in my setup?

Thanks

 

Edmund

 

Clipboard01.jpg

I understand exactly, I've tried filters suggested here, policies, reset the rogue, re-sync the server after each filter applied and after that, checked the Rogue report and...The IPs still there.

Thanks for share your experience with us, I'm still waiting for some update/solution from ESET team.

Need to have some options on rogue to delete or "hide" these IPs from printers, phones and others stuff.

Link to comment
Share on other sites

  • 1 month later...
On 9/24/2020 at 9:06 AM, LesRMed said:

Did anybody ever have any luck with this?

Not yet...Thanks for asking.

I tried a lot of things and the number just increase, still waiting some solution from ESET Staff.

Link to comment
Share on other sites

Hi,

Its not the best solution but a quick workaround that I used is to create a sub-group for devices that are not computers. I have printers and IP phones. So once I established that a device is a printer I just added it to the printer subgroup. I didn't want to filter/whitelist IP address because everything is on DHCP at the moment and sort of defeats the purpose of rogue detection as I wanted to make sure the IP address linked to that device is visible incase another device/PC took its IP address.  Its still a work in progress, but I have reduced the number of rogue devices that I can verify by 80%.

I'm still new at ESMC and haven't had time to fully look into the filters and white/black listing. Hope this helps.

Link to comment
Share on other sites

  • 1 month later...
On 10/2/2020 at 6:25 AM, Vast said:

Hi,

Its not the best solution but a quick workaround that I used is to create a sub-group for devices that are not computers. I have printers and IP phones. So once I established that a device is a printer I just added it to the printer subgroup. I didn't want to filter/whitelist IP address because everything is on DHCP at the moment and sort of defeats the purpose of rogue detection as I wanted to make sure the IP address linked to that device is visible incase another device/PC took its IP address.  Its still a work in progress, but I have reduced the number of rogue devices that I can verify by 80%.

I'm still new at ESMC and haven't had time to fully look into the filters and white/black listing. Hope this helps.

Hello Vast,

In addition to your workaround, run the Rogue Reset Task as suggested in this post:

https://forum.eset.com/topic/8420-how-to-reset-rogue-detection-sensor/?do=findComment&comment=44899

It'll clean up the remaining detections and sort of "reset to Zero". Any further Rogue Detections that come in can be closely monitored.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...