Managed computers detected as Rogue


Hello,


I'm having an issue with my managed computers (from Active Directory) being detected by the ERDS because of a different interface / mac address. Is there a way I can cleanup Rogue list by ignoring already managed computers? Seems like only one interface is considered in ERA.


Example for my computer (Mac):

As I can see in the ERA Console:

NETWORK ADAPTERS
Name : en0
IPv4 : 192.168.10.208
MAC : FF-FF-FF-FF-FF-F5
Subnet : 192.168.10.0
Subnet Mask : 255.255.254.0

Name : en0
IPv6 : fe80::f65c:89ff:fe9e:5af5
MAC : FF-FF-FF-FF-FF-F5
Subnet : fe80::/64


And if I list the adapters on my computer:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether ff:ff:ff:ff:ff:f5
    inet6 fe80::f65c:89ff:fe9e:5af5%en0 prefixlen 64 scopeid 0x5
    inet 192.168.10.208 netmask 0xfffffe00 broadcast 192.168.11.255
    nd6 options=1<PERFORMNUD>
    media: autoselect
    status: active

en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether ff:ff:ff:ff:ff:70
    media: autoselect <full-duplex>
    status: inactive

en2: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    options=60<TSO4,TSO6>
    ether ff:ff:ff:ff:ff:71
    media: autoselect <full-duplex>
    status: inactive

en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=10b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV>
    ether ff:ff:ff:ff:ff:45
    nd6 options=1<PERFORMNUD>
    media: autoselect (none)
    status: inactive


  • ESET Staff

Your assumption is correct. It is caused by an incomplete list of detected network interfaces on this client - we are collecting data only for ethernet interfaces with an assigned IP address. As a temporary workaround you have two possibilities:

  • modify the report template of this report (filters section) so that the mentioned computer is excluded from the list.
  • create a new configuration policy for ESET Rogue Detection Sensor with the specific MAC addresses blacklisted. The policy has to be applied on the client(s) running the sensor.

We would also appreciate it if you could describe what type of network interfaces those missing from the client details are. Are they missing an IP address because they are currently not connected to the network, but were previously, and were thus detected by the Rogue Detection Sensor?

Edited by MartinK
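
An added example, not from this thread or from ESET: a small Python reconciliation script that parses the ifconfig listing posted above, shows which MACs ERA actually inventories (only interfaces holding an IP, as explained in this reply) versus every MAC the host owns, and uses the full set to separate sensor detections that belong to a managed host from genuinely unknown ones. The hostname `macbook-01`, the rogue detection list and the trimmed ifconfig sample are constructed.

```python
import re

# Constructed sample input: the macOS `ifconfig` output quoted in the thread,
# trimmed to the lines the parser needs (interface header, ether, inet/inet6).
IFCONFIG_SAMPLE = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether ff:ff:ff:ff:ff:f5
    inet6 fe80::f65c:89ff:fe9e:5af5%en0 prefixlen 64 scopeid 0x5
    inet 192.168.10.208 netmask 0xfffffe00 broadcast 192.168.11.255
en1: flags=963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX> mtu 1500
    ether ff:ff:ff:ff:ff:70
en6: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether ff:ff:ff:ff:ff:45
"""

def normalize_mac(mac):
    """Render a MAC the way the ERA console shows it: upper-case, dash-separated."""
    return mac.strip().upper().replace(":", "-")

def parse_ifconfig(text):
    """Map interface name -> {"mac": str or None, "ips": [addresses]}."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+):\s+flags=", line)
        if head:  # an unindented "enX: flags=..." line opens a new interface block
            current = head.group(1)
            adapters[current] = {"mac": None, "ips": []}
            continue
        parts = line.split()
        if current is None or len(parts) < 2:
            continue
        if parts[0] == "ether":
            adapters[current]["mac"] = normalize_mac(parts[1])
        elif parts[0] in ("inet", "inet6"):
            adapters[current]["ips"].append(parts[1].split("%")[0])  # drop %scope
    return adapters

def host_macs(adapters, only_with_ip=False):
    """MACs the host owns; only_with_ip=True keeps just those ERA inventories (has an IP)."""
    return {a["mac"] for a in adapters.values()
            if a["mac"] and (a["ips"] or not only_with_ip)}

def reconcile(rogue_macs, managed):
    """Split detections into those owned by a managed host (name -> MAC set) and unknown ones."""
    owner = {m: host for host, macs in managed.items() for m in macs}
    macs = [normalize_mac(m) for m in rogue_macs]
    known = {m: owner[m] for m in macs if m in owner}
    unknown = [m for m in macs if m not in owner]
    return known, unknown
```

The MACs in `known` are the false positives this thread describes: interfaces of a managed host that ERA never stored because they had no IP at inventory time.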

This happens very often in my company. We have clients that have notebooks. In one part of the company they are connected via LAN, but when they move to the conference hall they connect to WLAN. There are also clients that connect via VPN and get an IP in a different subnet.



Exactly what I wanted to describe. Most people here have MacBooks and a Thunderbolt display. When moving around the office, they use Wi-Fi. When connected to the monitor, they use the ethernet interface. When connecting from home, it's through a VPN tunnel.

 

On a Mac, I can choose which network adapters will update DNS by running this command: dsconfigad -restrictDDNS "en0, en1, en2", where en0, en1 are my interfaces. It prevents virtual network interfaces or VPN connections from being registered in my DNS, which would make the computer unreachable by hostname.

 

There is the same type of configuration in Windows to prevent a network connection from registering its IP with the DNS server. Could these settings be used so that ESET inventories all network interfaces that would normally register an IP with the DNS server?


  • ESET Staff


Thanks to both of you. It has been reported as a bug/improvement, as it may require more work.

 

We have one more question: how do you use the rogue computers list in ERA? From this report it seems you regularly monitor the list of new machines; is that correct? We expected it to be used primarily before the first deployment in a network, and that is why we missed this issue.



I myself only test v6 for possible production use. However, I don't plan to use the rogue detection feature, for two reasons. One, we don't have a deployment tool that could benefit from the list of computers; second, no unknown client is allowed in our production VLAN. The only possible reason I could see for using it is as an additional layer of protection, if someone really tries to connect a rogue client.

Our plan is to deploy agents manually and then push the endpoint product to clients once the agents connect to ERA.


I use Active Directory to list my computers. I use ERDS to monitor computers connecting to the network while not being part of the domain.
