
ERA 6 rogue detector - false +ve mark as safe?


Solved by MartinK


Is it possible to mark MAC addresses as "safe" if they show up in the rogue detector? It seems network switches and hardware routers are identified as "rogue" as they have MAC and IP addresses on the network, but of course for AV purposes they are safe.

 

regards

 

Roger

 

 


  • ESET Staff


The configuration of the Rogue Detection Sensor contains black/white lists; therefore you may modify it using a configuration policy and they will be ignored.



 

 

How about telling me where I can do this?


  • ESET Staff

You have to go to "Policies", create a new policy for "ESET Rogue Detection Sensor", configure the details (check the tooltips for the correct option) and then assign it to the computer where the RD Sensor is running.


I found the correct section, but I'm not sure about the tooltip. Usually a "whitelist" is for hosts that are OK, but given the tooltip I'm not sure if I should put the false positives into the whitelist or the blacklist.

 

Is it me or does the tooltip (attached) read almost opposite to how you would expect it to work?

 

No doubt next time I'm at the server I'll see if my whitelisting is helpful.

 

 

[Attachment: screenshot of the tooltip]


  • ESET Staff

You are right, using include/exclude instead of whitelist/blacklist would be better as it is not so dependent on context. Regardless of this, the description seems to be correct. If you want to NOT detect a specific list of computers, use the blacklist.


OK, I have moved the IP address I want excluded to the "blacklist"; however, 12 hours later the dashboard still shows my Cisco firewall etc. as a rogue computer.

 

I have stopped the service, renamed the "dectectedmachines.log" and restarted. I have forced a refresh on the console and I still have the false +ve "rogue" hosts showing.

 

What do I do now?


  • ESET Staff
  • Solution

Have you tried to execute the (client) task Rogue Detection Sensor Database Reset on this machine? Also, I can see you tried to manually reset the detected machines, but you removed only the trace log instead of the database of detected machines, which is stored in a file called rds.db if I recall correctly.


Yes, finally got there. This is really not the most friendly piece of software. It would be so much easier if we could select the addresses from the RD report and mark them as safe.

Edited by roga