Endpoint Protection


How do I find a machine that's set as "Unmanaged Detector"

  • 1.  How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 11:32 AM
    Hi,

    I am getting notifications of "unmanaged devices" on a particular subnet in my network.    I would like to disable the unmanaged detector and kill these notifications because they are being seen in the Security Status report of the Home tab by administrators outside of the subnet in question.

    I have gone into the Clients view and checked machine by machine for unmanaged detectors, and I cannot find any.

    So my question is: How can I determine what machine is causing these alerts, and turn off unmanaged detector if it doesn't show up in the clients view?

    Doug


  • 2.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 11:50 AM
    The machine icon to the far left when in client view in the console, looking at the list of clients. Normally it will have the green ball or light; the detector will have an icon that is like a PC screen with a couple of smaller screens to the left and above that one.
    The icon will be different. AND if you right click on that machine in the console client view, "configure unmanaged detector" will be in the menu.

    They can only detect on the same subnet so whatever subnet is being reported about is the subnet that machine is on in case you have several dozen subnets like we do here.........
    If the report is about machines on 10.01.10.xx then the machine that is the unmanaged detector is on 10.01.10.xx as well.


  • 3.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 12:03 PM
    Hi,

           Unmanaged Detector Basics

    Upon booting, a computer sends out Address Resolution Protocol (ARP) traffic to identify itself on a network. Once enabled, the Unmanaged Detector listens for gratuitous ARP traffic and collects Internet Protocol (IP) and Machine Address (MAC) data from traffic passing it on the local network.  This data is then forwarded to the Unmanaged Detector’s SEPM which compares the IP address and MAC address of detected systems against its known list of managed endpoint clients and reports on the unmanaged endpoint clients.

    An unmanaged detector is configured by right-clicking a managed SEP client in the Clients page of the SEPM console, and selecting "Make unmanaged detector".

    Use Unmanaged Detector when you want to:
    Be proactively notified (by setting a notification for "unmanaged computers".  Also under the Security Status details from Home page in Symantec Endpoint Protection Manager).
    Coverage over time and not a "snapshot" of systems currently connected to the network.

    This is the icon for Unmanaged Detector.

    Unmanaged Detector.JPG
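
The detection logic described in post 3, as an added example that is not part of the original thread and is not Symantec's code: it parses Ethernet/ARP frames, keeps only gratuitous announcements (sender IP equal to target IP) and reports the IP/MAC pairs missing from a managed-client list. The function names, the pair-wise comparison and all addresses are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_ETHERTYPE = 0x0806

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

def find_unmanaged(frames, managed):
    """Count gratuitous ARP announcements whose (ip, mac) pair is not in `managed`."""
    hits = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # truncated or non-ARP traffic
        mac, sender_ip, target_ip = parsed
        if sender_ip != target_ip:
            continue                      # ordinary who-has request, not gratuitous
        if (sender_ip, mac) not in managed:
            hits[(sender_ip, mac)] = hits.get((sender_ip, mac), 0) + 1
    return hits

def build_arp(mac, sender_ip, target_ip, oper=1):
    """Build a constructed broadcast ARP frame for the sample data below."""
    sha = bytes.fromhex(mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sha + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed

# Constructed sample data (not taken from the thread).
MANAGED = {("10.1.10.20", "02:00:00:00:00:20")}
SAMPLE_FRAMES = [
    build_arp("02:00:00:00:00:20", "10.1.10.20", "10.1.10.20"),  # managed client
    build_arp("02:00:00:00:00:77", "10.1.10.77", "10.1.10.77"),  # unknown device
    build_arp("02:00:00:00:00:77", "10.1.10.77", "10.1.10.77"),  # same device again
    build_arp("02:00:00:00:00:88", "10.1.10.88", "10.1.10.1"),   # normal request
    b"\x00" * 12 + b"\x08\x00" + b"\x00" * 28,                   # IPv4, not ARP
    b"\xff" * 20,                                                # truncated frame
]

if __name__ == "__main__":
    for (ip, mac), count in find_unmanaged(SAMPLE_FRAMES, MANAGED).items():
        print(f"unmanaged device {ip} ({mac}) announced {count} time(s)")
```

Because ARP is not routed, a listener like this only sees announcements on its own broadcast domain, which is why the detector has to sit on the subnet named in the report.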


  • 4.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 12:17 PM
    You can search for a LOT of attributes to find a computer in SEP/SEM, but you can't search for unmanaged detector.


  • 5.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 12:28 PM

    If disabling the client as an unmanaged detector does not remove the detections, you can delete the client from your manager and any detections made by the client should be deleted.



  • 6.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Sep 28, 2009 03:28 PM
    Hi All,

    Thanks - but I do already understand what the Unmanaged Detector does, how it does it, and how it should look in the console. My problem is, I am not seeing any of the devices with the proper Unmanaged Detector icon.

    That is why I was hoping there was some other way to determine which machine is creating the notifications.

    The subnet it's reporting on is a registered IP range, so I do know exactly which site/location it's coming from... I just can't find the machine.

    Doug


  • 7.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Jan 08, 2010 06:26 AM
    Doug

    I had a similar problem. I've taken to putting a description on each computer as I enable unmanaged detector. To hopefully answer your question: on the home page, click more details in the security status section. The unknown device failures section of this report shows the name of the machine that did the detecting. The list is truncated by a setting in preferences. But assuming you've only got one or two detectors and are trying to disable them, it should help.

    By the way, the icon under clients can vary. If it's connected to the local management server, it's the one shown above. If it's on a remote server, then it's a clock.

    John



  • 8.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Jan 08, 2010 07:56 AM
    Did you have an unmanaged detector in that subnet?
    If yes, then this may be the problem:
    Symantec Endpoint Protection Manager Home Page "Security Status . Attention Needed" lists old data in details
    Fix ID: 1745613
    Symptom: Symantec Endpoint Protection Manager Home Page "Security Status . Attention Needed" lists old data in details.
    Solution: The algorithm to create the hardware key was changed such that the hardware key should not change with minor hardware changes, such as disabling of NICs.
    This problem was fixed in RU5, so I recommend you upgrade to RU5.

    Also try creating a notification as follows:
    In SEPM - Monitors - Notifications - Add - Notification Type - Unmanaged Computers -
    fill in the name, email add. etc.


  • 9.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Jan 08, 2010 09:47 AM
    If nothing is working out, you can probably pull the info directly from the database... The information about unmanaged detectors can be found in two tables... LAN_DEVICE_DETECTED and LAN_DEVICE_EXCLUDED... I guess you will be able to pull info with the table names given... :)


  • 10.  RE: How do I find a machine that's set as "Unmanaged Detector"

    Posted Jan 11, 2010 11:30 AM

    Hello all,

    Excellent suggestions in this thread. There's also been a corresponding Idea (enhancement request) submitted which is applicable. If you wish for your opinion to be counted, please vote for or against the recommendation that "it should be possible to search in the SEPM for unmanaged detectors."

    Search for Unmanaged Detectors

    Thanks and best regards,

    Mick