roga, posted July 1, 2016:

Is it possible to mark MAC addresses as "safe" if they show up in Rogue Detector? It seems network switches and hardware routers are identified as "rogue" as they have MAC and IP addresses on the network, but of course for AV purposes they are safe.

Regards, Roger
MartinK (ESET Staff), posted July 1, 2016:

> Is it possible to mark MAC addresses as "safe" if they show up in Rogue Detector? It seems network switches and hardware routers are identified as "rogue" as they have MAC and IP addresses on the network, but of course for AV purposes they are safe.

The configuration of the Rogue Detection Sensor contains black/white lists, so you can modify them using a configuration policy and those addresses will be ignored.
roga (Author), posted July 1, 2016:

> The configuration of the Rogue Detection Sensor contains black/white lists, so you can modify them using a configuration policy and those addresses will be ignored.

How about telling me where I can do this?
MichalJ (ESET Staff), posted July 1, 2016:

You have to go to "Policies", create a new policy for "ESET Rogue Detection Sensor", configure the details (check the tooltips for the correct option) and then assign it to the computer where the RD Sensor is running.
roga (Author), posted July 1, 2016:

I found the correct section, but I'm not sure about the tooltip. Usually a "whitelist" is for hosts that are OK, but given the tooltip I'm not sure whether I should put the false positives into the whitelist or the blacklist. Is it me, or does the tooltip (attached) read almost the opposite of how you would expect it to work? No doubt next time I'm at the server I'll see if my whitelisting is helpful.
MartinK (ESET Staff), posted July 1, 2016:

You are right, using include/exclude instead of whitelist/blacklist would be better as it is less dependent on context. Regardless of this, the description seems to be correct. If you want to NOT detect a specific list of computers: use the blacklist.
roga (Author), posted July 4, 2016:

OK, I have moved the IP address I want excluded to the "blacklist"; however, 12 hours later the dashboard still shows my Cisco firewall etc. as a rogue computer. I have stopped the service, renamed "detectedmachines.log" and restarted. I have forced a refresh on the console and I still have the false positive "rogue" hosts showing. What do I do now?
MartinK (ESET Staff), posted July 5, 2016 (marked as Solution):

Have you tried executing the (client) task Rogue Detection Sensor Database Reset on this machine? Also, I can see you tried to manually reset the detected machines, but you removed only the trace log instead of the database of detected machines, which is stored in a file called rds.db if I recall correctly.
roga (Author), posted July 6, 2016 (edited July 6, 2016 by roga):

Yes, finally got there. This is really not the most friendly piece of software. It would be so much easier if we could select the addresses from the RD report and mark them as safe.