Jump to content

"Potential computer cloning or hardware change detected" false positives


Recommended Posts

I keep getting false positives regarding "Potential computer cloning or hardware change detected" from certain I.T. staff computers (7.2). I'm assuming it's because the calculated hardware fingerprint is changing but without knowing how that's calculated I don't know what's causing it.

Is it a safe assumption that all (excluding perhaps Displays and IP addresses?) information on the Details > Hardware section is used to calculate the hardware fingerprint?

It should go without saying that the hardware on affected systems isn't changing nor are any systems cloned.

Edited by Staj
Link to post
Share on other sites
  • ESET Staff

Unfortunately detail as detected changes is not communicated as it is hard to analyze it, even for developers. So called hardware fingerprint in this case compromises of multiple HW details. As oppose to legacy algorithm used years ago, new mechanisms avoids use of properties that are often changing (IP addresses, MAC addresses) and prefers various serial numbers of device identifiers. Also mechanisms involves weighted evaluation of changes, i.e. single change should not trigger change of HW, therefore I am surprised it happens so often. Value is calculated on client device, by AGENT, so it is not possible to see differences in console.

Could you please specify deployment method used? For example is so called remote deployment task used? Asking as it might result in "cloned" installation of AGENT.

Any chance disk drivers are often exchanged between those devices? Or are those even physical devices or virtual machines? Or maybe hardware of other "employees" is used by this IT devices, and thus confusing fingerprint changes detection?

Also are those problematic devices somehow specific in terms of used hardware? For example are those some special devices, or standard desktop PCs or notebooks? Asking as we have detected devices in history which had all the same "dummy" serial numbers on all HW components, which results in similar state.

Link to post
Share on other sites

These specific machines are for I.T. staff and are manually installed via Windows installation media (except for laptops, they are deployed by SCCM Task Sequence). Given they are for I.T. staff they have many things on there which could be causing issues (Eg: VMware Workstation, WinPCap, USBPCap etc.).

That said, one of the workstations is a manual build but isn't being used at the moment and, despite this, has the alert pop-up twice in two days. One laptop affected is just a Dell Latitude.

Edited by Staj
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...