LocknetSSmith 6 Posted January 4, 2016

Just checking - is there any documentation out there describing more specifically how the rogue detection sensor works? The ERA user guide is pretty generic on the matter, and I was unable to find anything substantial on the Knowledge Base. We're asking simply so we can determine why it picks up certain devices that are "false positives," such as printers. Specifically, how does it look for rogues, or maybe the better question, what is it looking for and where? Thanks.
ESET Staff MartinK 384 Posted January 5, 2016 (edited)

Quoting LocknetSSmith: "Just checking - is there any documentation out there describing more specifically how the rogue detection sensor works? The ERA user guide is pretty generic on the matter, and I was unable to find anything substantial on the Knowledge Base. We're asking simply so we can determine why it picks up certain devices that are "false positives," such as printers. Specifically, how does it look for rogues, or maybe the better question, what is it looking for and where? Thanks."

Hello, technically it listens for network traffic on all available Ethernet-based network interfaces (passive detection), and once a network peer is detected, an attempt to detect its operating system is performed, using methods similar to those nmap's detection uses. What operating system does it detect for the mentioned false positives? Is it detected correctly? In case you are using the predefined report template Rogue computers, you may try to clone or modify it so that the filtering used excludes the false positives.

EDIT: just realized you can create a configuration policy for ESET Rogue Detection Sensor and configure exclusions in the Filters section. In case you have many devices from the same vendor, it would be quite easy using the MAC prefix.

Edited January 8, 2016 by MartinK
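The MAC-prefix exclusion MartinK suggests, worked through as an added example. This is not ESET code and not MartinK's; it does not use the Rogue Detection Sensor's real export or policy format, which the thread does not show. The host records, the OUI values (locally administered placeholders, not real vendor prefixes) and the excluded subnet are all constructed for illustration; an administrator would substitute the prefixes seen on their own printers. The `count_by_oui` helper shows how to spot the "many devices from the same vendor" case before writing an exclusion.

```python
# Added example (not ESET's or MartinK's code): exclude passively-observed
# hosts from a rogue list by MAC vendor prefix (OUI) and, optionally, by
# subnet. Record format, OUIs and subnets below are constructed placeholders.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class Host:
    mac: str
    ip: str
    detected_os: str  # whatever passive fingerprinting guessed; may be "Unknown"


def _hex_only(s: str) -> str:
    """Drop separators (':', '-', '.') and lowercase the hex digits."""
    return "".join(c for c in s.lower() if c in HEX)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon-separated MAC; rejects anything not 12 hex digits."""
    digits = _hex_only(mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_oui(prefix: str) -> str:
    """Canonical lowercase colon-separated 3-octet vendor prefix."""
    digits = _hex_only(prefix)
    if len(digits) != 6:
        raise ValueError(f"not a 3-octet OUI: {prefix!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) of a MAC address."""
    return normalize_mac(mac)[:8]


def count_by_oui(hosts: Iterable[Host]) -> Dict[str, int]:
    """How many observed hosts share each vendor prefix; large buckets are
    exclusion candidates if they turn out to be printers or similar."""
    return dict(Counter(oui(h.mac) for h in hosts))


def is_excluded(host: Host, excluded_ouis: Iterable[str],
                excluded_networks: Iterable[str] = ()) -> bool:
    """True if the host's vendor prefix or IP falls under an exclusion."""
    prefixes = {normalize_oui(p) for p in excluded_ouis}
    if oui(host.mac) in prefixes:
        return True
    addr = ip_address(host.ip)
    return any(addr in ip_network(n, strict=False) for n in excluded_networks)


def filter_rogues(hosts: Iterable[Host], excluded_ouis: Iterable[str],
                  excluded_networks: Iterable[str] = ()) -> List[Host]:
    """Return only the hosts that survive all exclusions (the real rogue candidates)."""
    return [h for h in hosts if not is_excluded(h, excluded_ouis, excluded_networks)]


# Constructed sample data. 02:xx:xx prefixes have the locally-administered bit
# set, so they stand in for vendor OUIs without naming a real vendor.
SAMPLE_HOSTS = [
    Host("02:1a:2b:00:00:01", "10.0.1.20", "Embedded"),    # placeholder printer vendor
    Host("02-1A-2B-00-00-02", "10.0.1.21", "Unknown"),     # same vendor, other MAC notation
    Host("02:33:44:00:00:03", "10.0.2.50", "Windows 10"),  # workstation, stays in the list
    Host("02:55:66:00:00:04", "10.0.9.9", "Linux"),        # lives in an excluded VLAN
]
EXCLUDED_OUIS = ["02:1a:2b"]          # placeholder, not a real vendor prefix
EXCLUDED_NETWORKS = ["10.0.9.0/24"]   # constructed management VLAN


if __name__ == "__main__":
    for prefix, n in sorted(count_by_oui(SAMPLE_HOSTS).items()):
        print(f"{prefix}: {n} host(s)")
    for h in filter_rogues(SAMPLE_HOSTS, EXCLUDED_OUIS, EXCLUDED_NETWORKS):
        print(f"rogue candidate: {h.ip} {h.mac} ({h.detected_os})")
```

The normalisation step matters in practice: sensor exports, switch MAC tables and vendor documentation rarely agree on separators or case, and an exclusion that compares raw strings will silently miss half the printers.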