jrioux Posted April 21, 2016

Hello,

I'm having an issue with my managed computers (from Active Directory) being detected by the ERDS because of a different interface / MAC address. Is there a way I can clean up the Rogue list by ignoring already managed computers? Seems like only one interface is considered in ERA.

Example for my computer (Mac):

As I can see in ERA Console:

NETWORK ADAPTERS
Name: en0
IPv4: 192.168.10.208
MAC: FF-FF-FF-FF-FF-F5
Subnet: 192.168.10.0
Subnet Mask: 255.255.254.0

Name: en0
IPv6: fe80::f65c:89ff:fe9e:5af5
MAC: FF-FF-FF-FF-FF-F5
Subnet: fe80::/64

And if I list the adapters on my computer:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether ff:ff:ff:ff:ff:f5
	inet6 fe80::f65c:89ff:fe9e:5af5%en0 prefixlen 64 scopeid 0x5
	inet 192.168.10.208 netmask 0xfffffe00 broadcast 192.168.11.255
	nd6 options=1<PERFORMNUD>
	media: autoselect
	status: active
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
	options=60<TSO4,TSO6>
	ether ff:ff:ff:ff:ff:70
	media: autoselect <full-duplex>
	status: inactive
en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
	options=60<TSO4,TSO6>
	ether ff:ff:ff:ff:ff:71
	media: autoselect <full-duplex>
	status: inactive
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
	ether ff:ff:ff:ff:ff:45
	nd6 options=1<PERFORMNUD>
	media: autoselect (none)
	status: inactive
ESET Staff MartinK Posted April 21, 2016 (edited)

Your assumption is correct. It is caused by an incomplete list of detected network interfaces on this client - we are collecting only data for ethernet interfaces with an assigned IP address.

As a temporary workaround you have two possibilities:

1. modify the report template of this report (filters section) so that the mentioned computer is excluded from the list.
2. create a new configuration policy for ESET Rogue Detection Sensor with the specific MAC addresses blacklisted. The policy has to be applied on the client(s) running the sensor.

We would also appreciate if you could describe what type of network interfaces those missing from the client details are. They are missing an IP address because they are currently not connected to the network, but were previously and thus were detected by the Rogue Detection Sensor?

Edited April 21, 2016 by MartinK
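An added example, not code from this thread or from ESET, that shows both halves of what the first post and MartinK's reply describe: given a managed Mac's full ifconfig output, which MACs ERA actually stores (only adapters currently holding an IP address), which ones the sensor will later report as rogue, and how to reconcile a rogue-list excerpt against the fleet's full MAC inventory so that only truly unknown devices remain. The ifconfig text is constructed from the adapter list in the first post, the rogue-list MACs are constructed, and the hostname "jrioux-mac" and all function names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Interface:
    name: str
    mac: Optional[str] = None
    ipv4: Optional[str] = None
    ipv6: List[str] = field(default_factory=list)

_HEADER = re.compile(r"^(\S+): flags=")

def normalize_mac(mac: str) -> str:
    """Lowercase, colon-separated, two hex digits per octet: accepts both ERA's
    'FF-FF-FF-FF-FF-F5' and ifconfig's 'ff:ff:ff:ff:ff:f5'."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)

def parse_ifconfig(text: str) -> List[Interface]:
    """Parse macOS ifconfig output; each 'name: flags=...' line starts an interface."""
    ifaces: List[Interface] = []
    cur: Optional[Interface] = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            cur = Interface(name=m.group(1))
            ifaces.append(cur)
            continue
        tok = line.split()
        if cur is None or not tok:
            continue
        if tok[0] == "ether":
            cur.mac = normalize_mac(tok[1])
        elif tok[0] == "inet":
            cur.ipv4 = tok[1]
        elif tok[0] == "inet6":
            cur.ipv6.append(tok[1].split("%", 1)[0])  # strip the %en0 zone suffix
    return ifaces

def all_macs(ifaces: List[Interface]) -> Set[str]:
    return {i.mac for i in ifaces if i.mac}

def era_inventoried_macs(ifaces: List[Interface]) -> Set[str]:
    """What ERA stores per MartinK's reply: only adapters that currently hold an IP."""
    return {i.mac for i in ifaces if i.mac and (i.ipv4 or i.ipv6)}

def uninventoried_macs(ifaces: List[Interface]) -> Set[str]:
    """MACs ERA never sees and the sensor will report as rogue once that adapter
    comes up: the candidates for the sensor's MAC blacklist policy."""
    return all_macs(ifaces) - era_inventoried_macs(ifaces)

def classify_rogues(rogue_macs: List[str], managed_hosts: Dict[str, str]) -> Tuple[Dict[str, str], Set[str]]:
    """Split a rogue-report MAC list into (known {mac: host}, unknown set), where
    managed_hosts maps hostname -> ifconfig output collected from that host."""
    owner: Dict[str, str] = {}
    for host, text in managed_hosts.items():
        for mac in all_macs(parse_ifconfig(text)):
            if mac in owner and owner[mac] != host:
                # One MAC on two managed hosts (cloned VM NIC or spoofing): refuse
                # rather than silently exempt it from rogue detection.
                raise ValueError(f"{mac} claimed by both {owner[mac]} and {host}")
            owner[mac] = host
    known: Dict[str, str] = {}
    unknown: Set[str] = set()
    for raw in rogue_macs:
        mac = normalize_mac(raw)
        if mac in owner:
            known[mac] = owner[mac]
        else:
            unknown.add(mac)
    return known, unknown

# Constructed sample: the adapter list from the first post, laid out the way
# ifconfig prints it (only the lines this parser reads are kept).
SAMPLE_IFCONFIG = (
    "en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tether ff:ff:ff:ff:ff:f5\n"
    "\tinet6 fe80::f65c:89ff:fe9e:5af5%en0 prefixlen 64 scopeid 0x5\n"
    "\tinet 192.168.10.208 netmask 0xfffffe00 broadcast 192.168.11.255\n"
    "en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500\n"
    "\tether ff:ff:ff:ff:ff:70\n"
    "en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500\n"
    "\tether ff:ff:ff:ff:ff:71\n"
    "en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tether ff:ff:ff:ff:ff:45\n"
)
# Constructed rogue-report excerpt in ERA's dashed MAC format: two adapters of
# the Mac above plus one MAC that belongs to no managed host.
SAMPLE_ROGUE_MACS = ["FF-FF-FF-FF-FF-70", "FF-FF-FF-FF-FF-45", "00-11-22-33-44-55"]

if __name__ == "__main__":
    ifaces = parse_ifconfig(SAMPLE_IFCONFIG)
    print("stored by ERA:    ", sorted(era_inventoried_macs(ifaces)))
    print("missed by ERA:    ", sorted(uninventoried_macs(ifaces)))
    known, unknown = classify_rogues(SAMPLE_ROGUE_MACS, {"jrioux-mac": SAMPLE_IFCONFIG})  # assumed hostname
    print("rogue but managed:", known)
    print("truly unknown:    ", sorted(unknown))
```

Feed `parse_ifconfig` the text that `ifconfig` prints on each managed Mac; the `uninventoried_macs` result is what goes into the sensor's MAC blacklist policy from MartinK's second workaround. Keep in mind that such a blacklist is an exemption keyed on a value any device can set freely: whoever spoofs the Wi-Fi MAC of a managed laptop inherits its exemption from rogue detection, so the list should stay small and be regenerated from the fleet rather than accumulated by hand, and `classify_rogues` refuses a MAC seen on two managed hosts for the same reason.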
bbahes Posted April 21, 2016

This happens very often in my company. We have clients that have notebooks. In one part of the company they are connected via LAN, but when they move to the conference hall they are connected to WLAN. There are also clients that connect via VPN and they get an IP in a different subnet.
jrioux (Author) Posted April 22, 2016

Exactly what I wanted to describe. Most people here have MacBooks and a Thunderbolt display. When moving around the office, they are using Wi-Fi. When connected to the monitor, it's using the ethernet interface. When connected from home, it's through a VPN tunnel.

On a Mac, I can choose which network adapters will update DNS by running this command:

dsconfigad -restrictDDNS "en0, en1, en2"

where en0, en1 are my interfaces. It prevents virtual network interfaces or VPN connections from being registered in my DNS, which would otherwise make the computer unreachable by hostname. There is the same type of configuration in Windows to prevent a network connection from registering its IP on the DNS server.

Could these settings be used so that ESET inventories all network interfaces that would normally register an IP with the DNS server?
ESET Staff MartinK Posted April 22, 2016

Thanks both of you.

It is reported as a bug/improvement as it may require more work. We have one more question: how do you use the rogue computers list in ERA? From this report it seems you regularly monitor the list of new machines, is it correct? We expected it to be used primarily before first deployment in the network and that is why we missed this issue.
bbahes Posted April 22, 2016

I myself only test v6 for possible production use. However I don't plan to use the rogue detection feature. Two reasons. One, we don't have a deployment tool that could benefit from the list of computers; second, no unknown client is allowed in our production VLAN. The only possible reason I could see it in use is for an additional layer of protection, if someone really tries to connect a rogue client. Our plan is to deploy agents manually and then push the endpoint product on clients once agents connect to ERA.
jrioux (Author) Posted April 22, 2016

I use Active Directory to list my computers. I use ERDS to monitor computers connecting to the network while not being part of the domain.