Endpoint Protection


Unmanaged Detector - Why isn't this working?

  • 1.  Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 03:36 PM
    I have configured an Unmanaged detector computer in every subnet in our building.  I have also configured a notification to notify me when it finds Unmanaged computers and gone to the Security Status page on the Home SEPM page and clicked More details and it shows 0 unmanaged computers.   When I run the 'find unmanaged computers' option from the clients section it is finding a LOT of unmanaged computers.  I don't understand why the unmanaged detector is not working.  Have I done something wrong?  There really aren't any configuration options when you choose the unmanaged detectors.

    Help please?

    Thanks


  • 2.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 03:47 PM
    Are you sure you configured the notifications properly?

    See - http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008050813205048


  • 3.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 03:50 PM

    Title: 'Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0'
    Document ID: 2008030514404548
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008030514404548?Open&seg=ent


    Title: 'Setting notifications when using the "Unmanaged Detector" feature in the SEPM'
    Document ID: 2008050813205048
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008050813205048?Open&seg=ent


    Title: 'How do I configure exceptions for the "unmanaged detector" from Symantec Endpoint Protection Manager (SEPM)?'
    Document ID: 2009081719391348
    Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2009081719391348?Open&seg=ent


  • 4.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 04:14 PM
    Cycle - yes thank you - I used that same document when I configured my notifications

    Prachand - Thank you for the links, I have used all three of the links you posted and still no luck.

    I was just thinking about this.  Could this be a problem that I have my computers sorted into groups in SEPM?  Or does it matter?  I put the detectors like I said on the computer in each subnet but would it being in a group make a difference?  We sort our computers in SEPM into groups (by department).

    Any other help would be greatly appreciated!!

    Thanks


  • 5.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 04:22 PM
    Groups don't matter - it's subnets. We've got a number of groups and the detector doesn't care.
    Might check that manual method again as I've noted it alerts me to unmanaged computers, but when I check them out, they are REALLY managed. The unmanaged detectors do a better job for me here than the scan for unmanaged computers does. It gives me a lot of false alerts. The UmD option never has......... Please double check and see if the scan that gives you a lot of unmanaged computers-  see if they REALLY are unmanaged.

    Here, if the unmanaged detectors do miss, or even "false alert", I've found in each case it was a DNS and/or reverse lookup or WINS issue here, not with the detector.


  • 6.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 04:25 PM

    When a client is set as an Unmanaged Detector, it locates unmanaged clients on its own network and reports them to Symantec Endpoint Protection Manager. An Unmanaged Detector cannot detect unmanaged clients on networks other than its own.
    The Unmanaged Detector is independent of the group it is in; it is not dependent on that.



  • 7.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 02, 2009 04:29 PM

    We need to confirm whether the Unmanaged Detector is operational and sending details to Symantec Endpoint Protection Manager. For that we need the sylink log from the machine; will you please paste the logs here?

    http://service1.symantec.com/support/ent-security.nsf/docid/2008041812561948

    OR Run Sylink Toggle

    https://www-secure.symantec.com/connect/downloads/sylink-toggle

    How to get the sylink log



  • 8.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 11:25 AM
    Prachand....
    Sorry to ask but where should the sylink log file be?  I did a search on that machine and did not find one.

    Thank you!


  • 9.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 12:13 PM
    The sylink file will be on the root of C:    C:/Sylink.log

    The file will be created only once you run the Sylink Toggle.


  • 10.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 02:40 PM
    Prachand -
    Thank you.  I did not understand your previous post.  I thought you meant the file should be there or then run the utility.   What section of the log file should I look for?  I don't want to post the full log file here as it has server names, IP addresses and user names in it.  Let me know what to look for and I can post that section here.

    Thanks


  • 11.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 04:31 PM
    In the log, search for SMS and paste the 2-3 lines before and after that.


  • 12.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 05:11 PM
    10/06 14:35:05 [1636] ************CSN=44445
    10/06 14:35:05 [1636] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=A124F3270A4A4A3F00D78DF0A007C383&chk=393FAA960AFE86606AC6FC3F82C1FEF1&ck=984A946017C76B7C2345C24F348DE1E3&uchk=73C3C608853BBEFE15F127BDC919F052&uck=D6843600F0C92BFA2B7870A1B493D832&hid=BF607179266AE1ECEDE6E9B62BA63321&groupid=989BACD00A4A4A3F006407D891659BAF&mode=0&hbt=1200&as=44445&cn=[hex]4C3133324A42&lun=[hex]61616A626C61636B&udn=[hex]444F4D41494E
    10/06 14:35:05 [1636] <GetIndexFileRequest:>http://Symantec:8014/secars/secars.dll?h=D2AE66D99FE0E3B19B708EF7D7CCC5BBFC38EAC98B1E8317C4337FF0136731451BDF2315EA0ADF73DC2AB153E244246E5EC08EEFBDE73C2FC7EF8FCB362CB5DD5AD0EC077D106FA8944BBCDF0A3856463106AA13151D385DE2DD96E624C0CF9FE8FA5AC0461AC05118E0D8FD787540EB65D439BBA394A7B8D7F33311CFC53BF0B4C651A1C7DBE7EC3D9D1665DB4B85DCCF6AE4403378C844CD220D234DF53A573F05C95677D0C1EA3287421AA4A733E6749DF8D4C3255AD7C8CC80BED2445765D2273006A2A553EF0DF59E265C8D884E9EA3B4215E50497B709AE862E2B93978357FEC7191E8604CEB7D1ED14D5510D535C5D0433D0AA348C92A6409739EC7415CE9C99324A3CC28D243F8ED440244774A94C58617DC9C7C87A829C8C14F4C0CFE3485FC68308374FB56038AE3D39C18680BA48965EBEE0144F95651B62607EDB551C55B24A51444E432F04D25944BE6AA37EA68C84BD37701E4F633B815FDB1B796288DA42A39ECB0E586EFDBBA3BEE242586FA5DDEFE504E576141472B8166
    10/06 14:35:05 [1636] 14:35:5=>Send HTTP REQUEST
    10/06 14:35:05 [1636] 14:35:5=>HTTP REQUEST sent
    10/06 14:35:05 [1636] <GetIndexFileRequest:>SMS return=200
    10/06 14:35:05 [1636] <ParseHTTPStatusCode:>200=>200 OK
    10/06 14:35:05 [1636] <FindHeader>Sem-HashKey:=>393FAA960AFE86606AC6FC3F82C1FEF1
    10/06 14:35:05 [1636] <FindHeader>Sem-LANSensor:=>1
    10/06 14:35:05 [1636] <FindHeader>Sem-Signatue:=>87AC588D3206D3798A1DA74C7B1EFF121ADFD1648CF859C44F204B1391E987D50E9D1A459FDBF6FDA48BBDFF1AA71D3E6CCF470F02CE8A2EED8D5828DC5CD0F488C89CDADBE2E79505A24DB66F1643A8909BB04D1D7149BAF554B68A1A85C14B0F3827A8963F4707881E0BA2553454B6F0C5F6B4B355FCB07FB4DD0D7AD8FFCD
    10/06 14:35:05 [1636] <mfn_DoGetIndexFile200>Content Lenght => 1365

    *FYI I changed http server name to dummy server name
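
A way to prepare the excerpt requested in post 11 without exposing the details the poster was worried about, given as an added example that is not part of the original thread or any Symantec tool. The `cn`, `lun` and `udn` values tagged `[hex]` in the request line are hex-encoded text, so swapping out only the server name still leaves them readable to anyone who decodes them. The sample log is constructed in the format shown above, and the function names and redaction placeholders are assumptions.

```python
import re

# Constructed sample in the Sylink.log layout shown in the thread; all values are made up.
SAMPLE_LOG = """\
10/06 14:35:05 [1636] ************CSN=12345
10/06 14:35:05 [1636] <mfn_MakeGetIndexUrl:>Request is: action=12&hostid=0123456789ABCDEF0123456789ABCDEF&mode=0&cn=[hex]50433031&lun=[hex]616C696365&udn=[hex]434F5250
10/06 14:35:05 [1636] <GetIndexFileRequest:>http://sepm01.corp.example:8014/secars/secars.dll?h=00112233445566778899AABBCCDDEEFF0011
10/06 14:35:05 [1636] 14:35:5=>Send HTTP REQUEST
10/06 14:35:05 [1636] 14:35:5=>HTTP REQUEST sent
10/06 14:35:05 [1636] <GetIndexFileRequest:>SMS return=200
10/06 14:35:05 [1636] <ParseHTTPStatusCode:>200=>200 OK
10/06 14:35:05 [1636] <FindHeader>Sem-LANSensor:=>1
10/06 14:35:05 [1636] <mfn_DoGetIndexFile200>Content Lenght => 1365
"""

HEX_FIELD = re.compile(r"\b(cn|lun|udn)=\[hex\]([0-9A-Fa-f]+)")
URL_HOST = re.compile(r"(https?://)[^/:\s]+")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LONG_HEX = re.compile(r"\b[0-9A-Fa-f]{32,}\b")  # host/group ids, hashes, request blobs


def decode_hex_fields(line):
    """Show what a raw paste would reveal: decode the [hex]-tagged fields."""
    found = {}
    for name, value in HEX_FIELD.findall(line):
        even = value[: len(value) // 2 * 2]  # ignore a dangling half byte
        found[name] = bytes.fromhex(even).decode("ascii", "replace")
    return found


def redact(line):
    """Mask identity fields, server names, IP addresses and long hex identifiers."""
    line = HEX_FIELD.sub(lambda m: m.group(1) + "=[hex]<redacted>", line)
    line = URL_HOST.sub(r"\1<server>", line)
    line = IPV4.sub("<ip>", line)
    return LONG_HEX.sub("<hex-redacted>", line)


def sms_excerpt(log_text, context=3):
    """Return redacted lines within `context` lines of every 'SMS return=' entry."""
    lines = log_text.splitlines()
    keep = set()
    for i, line in enumerate(lines):
        if "SMS return=" in line:
            keep.update(range(max(0, i - context), min(len(lines), i + context + 1)))
    return [redact(lines[i]) for i in sorted(keep)]


if __name__ == "__main__":
    print("\n".join(sms_excerpt(SAMPLE_LOG, context=4)))
```

The HTTP status after `SMS return=` and the `Sem-LANSensor` header survive redaction, which is the part the responders asked to see.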


  • 13.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 06, 2009 05:17 PM
    Will it be possible for you to email me the logs? The logs don't provide the complete info.


  • 14.  RE: Unmanaged Detector - Why isn't this working?

    Posted Oct 07, 2009 04:07 PM
     
    The log has SMS return=200, which means the IIS is OK.

    This happens with SEP MR4 MP2 when the client and SEPM's default gateway are not the same.

    Solution: Change the subnet mask to bring the default gateway's IP into the system's local subnet.

    OR upgrade to RU5, as the issue is resolved in that version.