Endpoint Protection

  • 1.  Unmanaged Detector works

    Posted Feb 23, 2011 04:07 PM

    How Unmanaged detector works

    If we configure one machine as an unmanaged detector, it will send ARP packets to detect unmanaged machines. Right?

    Is it possible that, when an ARP packet is sent by the unmanaged detector, it will get the details (IP and MAC address) of switches, routers, or any hardware device installed on the network, which could then be detected by the unmanaged detector?

    Sometimes it is very tough to understand which is a desktop IP, which is a switch IP, and so on. One more thing: why do we require an unmanaged detector?

    Am I right with the above statement? Correct me if I am wrong.

    What are the positive features of the unmanaged detector?

    What are the negative features of the unmanaged detector?



  • 2.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 04:11 PM

    Yes, you will also receive responses from routers, switches, or other hardware. These can be added to the exclusion list.

    Positive is you can find clients not running SEP or unmanaged SEP clients.

    Negative is you get a ton of IPs showing from other devices, as already mentioned above. Also, if you have multiple subnets, you need an unmanaged detector on each subnet unless you allow your VLANs to talk to one another.



  • 3.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 04:20 PM

    Thanks Brian

    One more thing: that means we get all internal IP details from the network team (switches, routers, and other H/D, for exclusion), right?

    Can you please explain the negative part of the unmanaged detector?

    How does the unmanaged detector know which machines have the SEP client installed and which do not? If my unmanaged detector sends ARP packets to get the IP and MAC details, how does it know about the SEP agent details (whether it is installed or not)?

     



  • 4.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 04:25 PM

    Yes, you will get all those IPs

    The unmanaged detector will simply check to see if SEP is installed.

    http://98.129.119.162/connect/ja/forums/what-unmanaged-detector



  • 5.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 04:59 PM

    What is your opinion? Is the comment below OK if I show it in front of management?

    If we create unmanaged detectors on a per-subnet basis, how many unmanaged detectors will we need to configure and manage? Otherwise, communication must be open across each and every VLAN if we create 1 unmanaged detector.

    We have to add the IP details of switches, routers, and all additional hardware to the exclusion list to avoid their IP and MAC address information. (This will unnecessarily increase our load, as we must communicate with other teams to get the IP information.)

    Please tell me more of the challenges when we implement the unmanaged detector.



  • 6.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 05:55 PM

    There are a lot of dissenting opinions on how unmanaged detectors work. As I understand it, unmanaged detectors aren't sending ARP packets but just collect them from other devices and forward them to the SEPM. That's all.

    SEP RU6 admin guide, p. 74:

    "When a device starts up, its operating system sends ARP traffic to the network
    to let other computers know of the device's presence. A client that is enabled as
    an unmanaged detector collects and sends the ARP packet information to the
    management server. The management server searches the ARP packet for the
    device's MAC address and the IP address. The server compares these addresses
    to the list of existing MAC and IP addresses in the server's database. If the server
    cannot find an address match, the server records the device as new. You can then
    decide whether the device is secure. Because the client only transmits information,
    it does not use additional resources."



  • 7.  RE: Unmanaged Detector works

    Posted Feb 23, 2011 07:31 PM

    Depends on the size of your network.

    I manage 10k clients with hundreds of subnets with closed VLANs. I won't even bother to use the unmanaged detector. Trying to exclude unnecessary devices such as routers, switches, etc. took up more time than I had. Not to mention the exclusions didn't appear to work when entered.

    Your best bet is to go with SNAC.

    Unmanaged detector is a nice feature in theory but doesn't work for me on a large network.



  • 8.  RE: Unmanaged Detector works

    Broadcom Employee
    Posted Feb 24, 2011 01:40 AM

    It will list all devices which are based on IP address. End users need to know which are the devices on which SEP can be installed.



  • 9.  RE: Unmanaged Detector works

    Trusted Advisor
    Posted Feb 24, 2011 02:06 AM

    Hello,

    Yes, unmanaged detectors aren't sending ARP packets but just collect them from other devices and forward them to the SEPM.

    What does it mean to set a client as an Unmanaged Detector?

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/8e056b2507538a29882574b10077d6db?OpenDocument

     

    Your Question: Is it possible that, when an ARP packet is sent by the unmanaged detector, it will get the details (IP and MAC address) of switches, routers, or any hardware device installed on the network, which could then be detected by the unmanaged detector?

    Answer: Yes, you will also receive responses from routers, switches, or other hardware. These can be added to the exclusion list.

    How do I configure exceptions for the "unmanaged detector" from Symantec Endpoint Protection Manager (SEPM)?

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/536612ff7d5ddabf49257615004db981?OpenDocument

     

     

    Your Question: Sometimes it is very tough to understand which is a desktop IP, which is a switch IP, and so on. One more thing: why do we require an unmanaged detector?

    Answer: The best way to understand if they are desktop IPs or switch IPs is to run the "Find Unmanaged Computers" wizard.

     

    Best Practices: When to use the "Find Unmanaged Computers" or "Unmanaged Detector" features in Symantec Endpoint Protection 11.0

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/237ca58329dbaf81c1257403004b2470?OpenDocument

     

     

    Also, Greg above has provided the right information from the Admin guide.
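
Added example, not part of any post in this thread and not Symantec code: a small Python model of the flow quoted from the admin guide (a detector passively collects ARP frames, the server compares sender MAC/IP against its database) together with the exclusion list the replies mention. The function names, the sample frames and the choice to express exclusions as IP networks are assumptions made for illustration.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806

def build_arp(mac, ip):
    """Construct a sample Ethernet/ARP announcement frame (test data only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = ipaddress.IPv4Address(ip).packed
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    return eth + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, bytes(6), spa)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), str(ipaddress.IPv4Address(spa))

def find_new_devices(frames, known, exclusions):
    """Server-side step: report senders with no MAC/IP match that are not excluded."""
    known_macs = {mac.lower() for mac, _ in known}
    known_ips = {ip for _, ip in known}
    nets = [ipaddress.ip_network(e) for e in exclusions]
    new = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP, or truncated
        mac, ip = parsed
        if ip == "0.0.0.0":
            continue                      # ARP probe: sender has no address yet
        if mac in known_macs or ip in known_ips:
            continue                      # address match in the database
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue                      # router/switch on the exclusion list
        new[mac] = ip
    return new

# Constructed sample data (documentation address range, locally administered MACs).
KNOWN = [("02:00:00:00:00:10", "192.0.2.10")]          # client already in the database
EXCLUSIONS = ["192.0.2.1/32", "192.0.2.240/28"]         # gateway and switch management range
FRAMES = [
    build_arp("02:00:00:00:00:10", "192.0.2.10"),       # managed client
    build_arp("02:00:00:00:00:01", "192.0.2.1"),        # router, excluded
    build_arp("02:00:00:00:00:f1", "192.0.2.241"),      # switch, excluded
    build_arp("02:00:00:00:00:99", "192.0.2.77"),       # device the server has never seen
    b"\xff" * 12 + b"\x08\x00" + bytes(28),             # IPv4 frame, ignored
]

if __name__ == "__main__":
    print(find_new_devices(FRAMES, KNOWN, EXCLUSIONS))
```

Run with an empty exclusion list, the same capture also reports the router and the switch as new devices, which is the noise the replies describe.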