roga, posted July 1, 2016

Is it possible to mark MAC addresses as "safe" if they show up in rogue detector? It seems network switches and hardware routers are identified as "rogue" as they have MAC and IP addresses on the network, but of course for AV purposes they are safe.

regards
Roger

MartinK (ESET Staff), posted July 1, 2016

> Is it possible to mark MAC addresses as "safe" if they show up in rogue detector? It seems network switches and hardware routers are identified as "rogue" as they have MAC and IP addresses on the network, but of course for AV purposes they are safe.
> regards
> Roger

Configuration of Rogue Detection sensor contains black/white lists -> therefore you may modify it using configuration policy and they will be ignored.

roga (Author), posted July 1, 2016

> Configuration of Rogue Detection sensor contains black/white lists -> therefore you may modify it using configuration policy and they will be ignored.

How about telling me where I can do this?

MichalJ (ESET Staff), posted July 1, 2016

You have to go to "Policies", create a new policy for "ESET Rogue Detection Sensor", configure the details (check tooltips for the correct option) and then assign it to the computer where RD sensor is running.

roga (Author), posted July 1, 2016

I found the correct section, but not sure about the tooltip. Usually a "whitelist" is for hosts that are OK, but given the tooltip I'm not sure if I should put the false positives into the whitelist or the blacklist. Is it me or does the tooltip (attached) read almost opposite to how you would expect it to work?

No doubt next time I'm at the server I'll see if my whitelisting is helpful.

MartinK (ESET Staff), posted July 1, 2016

You are right, using include/exclude instead of whitelist/blacklist would be better as it is not so dependent on context. Regardless of this, description seems to be correct. If you want to NOT detect specific list of computers: use blacklist.

roga (Author), posted July 4, 2016

OK, I have moved the IP address I want excluded to the "blacklist", however 12 hours later the dashboard still shows my Cisco firewall etc. as a rogue computer. I have stopped the service, renamed the "dectectedmachines.log" and restarted. I have forced a refresh on the console and I still have the false +ve "rogue" hosts showing.

What do I do now?

MartinK (ESET Staff, Solution), posted July 5, 2016

Have you tried to execute (client) task Rogue Detection Sensor Database Reset on this machine? Also I can see you tried to manually reset detected machines - but you removed only trace log instead of database of detected machines which is stored in file called rds.db if I recall correctly.

roga (Author), posted July 6, 2016 (edited)

Yes finally got there. This is really not the most friendly piece of software. Would be so much easier if we could select the addresses from the RD report and mark them as safe.