Endpoint Protection

  • 1.  Trouble with Unmanaged Detector

    Posted Apr 20, 2012 10:41 AM

    I assigned an Unmanaged Detector for a Particular Subnet in our Environment.

    I ran a Find Unmanaged Computers query and got 34 computers belonging to the same subnet.

    But when I create a Notification,

    I get an email that lists computers from OTHER subnets, and it lists NONE from the subnet I want.

    And, when I go to SEPM > Home > More Details > Go to Unknown Device Failures, I get an entirely DIFFERENT list of IP Addresses than from the previous two lists:

    And when I search the Computer listed under "Unmanaged Detector", SEPM doesn't show it as an Unmanaged Detector.

    What is going on? At this point, I want to search for computers in a Subnet that (a) either don't have SEP 11 installed or (b) have UNMANAGED SEP 11.

    Help please!!!



  • 2.  RE: Trouble with Unmanaged Detector

    Posted Apr 22, 2012 03:27 PM

    First of all: Is NTP installed at the Unmanaged Detector?

    "Find Unmanaged Computers" and Unmanaged Detectors are different beasts. See here:

    Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

    http://www.symantec.com/docs/TECH104340

    The 34 computers you found are probably from the "Find Unmanaged Computers" search, not from the UD.

    If the Unmanaged Detector does not seem to find devices, it's probably because it takes some time to collect ARP traffic and send the IP and MAC addresses to the SEPM (check your heartbeat interval). And of course you cannot be sure that every single non-managed device is running or sending ARP broadcasts.

    If you activate a notification, you'll get a mail with a list of all clients found by UDs. If your newest UD does not yet discover an unmanaged computer, it won't be shown in the E-mail.

    >> And when I search the Computer listed under "Unmanaged Detector", SEPM doesn't show it as an Unmanaged Detector. <<

    Strange ... please double-check this. Normally, if you turn off a UD, the non-managed clients assigned to it will be deleted in the database.

    Are the list you got by E-mail and the last list totally different or is there some overlapping?

    >> What is going on? At this point, I want to search for computers in a Subnet that (a) either don't have SEP 11 installed or (b) have UNMANAGED SEP 11. <<

    If you want an instant report of unmanaged clients, use the "Find unmanaged Computers" feature. If you want to be alerted when an unmanaged device emerges, use UDs in combination with notifications.



  • 3.  RE: Trouble with Unmanaged Detector

    Posted Apr 23, 2012 09:48 AM

    You're right, they certainly are beasts ;-)

    Will try your suggestions.



  • 4.  RE: Trouble with Unmanaged Detector

    Posted Apr 23, 2012 04:50 PM

    Hi,

    If you are using the unmanaged notification on 11.x, there is a problem finding the correct data.

    I have also tested it with my email and I got a lot of mail in Junk. There, all the IP systems mentioned in it are not in our system range.

    So I use the unmanaged detector to find the data. It shows me the data in a different manner.

    If the antivirus is not installed or not managed by the server, it shows in the unmanaged data, and the others are reflected in unknown.



  • 5.  RE: Trouble with Unmanaged Detector

    Posted Apr 25, 2012 11:39 AM

    >>

    Strange ... please double-check this. Normally, if you turn off a UD, the non-managed clients assigned to it will be deleted in the database.<<

     

    I double-checked this and they are NOT unmanaged detectors.

     

    >>

    Are the list you got by E-mail and the last list totally different or is there some overlapping?<<

     

    They were totally different.



  • 6.  RE: Trouble with Unmanaged Detector

    Posted Apr 26, 2012 05:22 AM

    Perhaps it's interesting to check the database directly. I believe the list of detected devices can be retrieved from the table LAN_DEVICE_DETECTED or (more conveniently) from the view V_LAN_DEVICE_DETECTED.

    With a query like the following one, you should get a list of all detected unmanaged devices with their associated UDs. The DELETED column plays an important role: 1 means that the entry of the unmanaged device is deleted (e.g. because the UD was disabled), 0 means it is valid and should be shown.

    No warranty though; didn't find explicit stuff about it. The Schema reference isn't really helpful either.

    SELECT  CL.COMPUTER_NAME AS "Unmanaged Detector", DD.DELETED, 
      DD.IP_ADDRESS_TEXT
    FROM V_LAN_DEVICE_DETECTED AS DD
    INNER JOIN SEM_CLIENT AS CL ON DD.COMPUTER_ID = CL.COMPUTER_ID

    BTW, to refine this you could filter the result with the LAN_DEVICE_EXCLUDED table where the UD exclusions are stored.

    The query is tested on the embedded database. Should work with SQL Server as well.



  • 7.  RE: Trouble with Unmanaged Detector

    Posted Apr 27, 2012 12:35 AM

    If you are running SQL queries, John-Q posted here a query to list all machines that are configured as 'Unmanaged Detectors'.

    SELECT COMPUTER_NAME
    FROM SEM_CLIENT
    WHERE EXTRA_FEATURE=1 AND DELETED=0
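    Putting the two queries from posts 6 and 7 together for the original question (valid detections in one subnet, reported only by clients that really are Unmanaged Detectors), as an added example rather than a query from this thread. It assumes IP_ADDRESS_TEXT holds dotted-quad strings and uses '10.20.30.' as a placeholder prefix for the subnet of interest.

```sql
-- Added example, not from the thread. Placeholder prefix '10.20.30.' stands in
-- for the subnet you assigned the UD to; assumes IP_ADDRESS_TEXT is a dotted quad.
SELECT CL.COMPUTER_NAME   AS "Unmanaged Detector",
       DD.IP_ADDRESS_TEXT AS "Detected IP"
FROM   V_LAN_DEVICE_DETECTED AS DD
       INNER JOIN SEM_CLIENT AS CL ON DD.COMPUTER_ID = CL.COMPUTER_ID
WHERE  DD.DELETED = 0                 -- 1 = detection removed (e.g. UD was disabled)
  AND  CL.EXTRA_FEATURE = 1           -- client is actually configured as a UD
  AND  CL.DELETED = 0                 -- the UD client itself still exists
  AND  DD.IP_ADDRESS_TEXT LIKE '10.20.30.%'
ORDER BY CL.COMPUTER_NAME, DD.IP_ADDRESS_TEXT;

-- Sanity check for the symptom in post 1: how many valid detections each UD
-- has reported so far. A UD with zero rows has not yet collected ARP traffic.
SELECT CL.COMPUTER_NAME AS "Unmanaged Detector",
       COUNT(DD.IP_ADDRESS_TEXT) AS "Valid detections"
FROM   SEM_CLIENT AS CL
       LEFT JOIN V_LAN_DEVICE_DETECTED AS DD
              ON DD.COMPUTER_ID = CL.COMPUTER_ID AND DD.DELETED = 0
WHERE  CL.EXTRA_FEATURE = 1 AND CL.DELETED = 0
GROUP BY CL.COMPUTER_NAME;
```

    The LIKE prefix only works for a /24 boundary; for other subnet sizes compare the address numerically or filter the result in a script. As post 6 notes, the DELETED column is undocumented, so confirm its meaning on your own SEPM before relying on it.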



  • 8.  RE: Trouble with Unmanaged Detector

    Posted May 01, 2012 09:30 AM

    Wow, I will try this at the earliest