Endpoint Protection


Unmanaged Detectors in User Mode

  • 1.  Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 07:00 AM

    We currently have approximately 200 desktop machines running SEP in Computer Mode that we are in the process of switching to User Mode.

    We're doing this mainly to satisfy the issues with device control.  Permissions will travel with a user and it will stop those without permission from logging into machines with USB access open!

    We've always used the Unmanaged Detectors to let us know if SEP is not installed on one of the desktop machines. It's quite rare, but sometimes helpdesk staff can forget to install it when building PCs, so having an extra level of checks is never a bad thing.

    I know that User Mode clients cannot run as Unmanaged Detectors.

    Is there any way that we can be automatically notified if one of our desktop machines doesn't have SEP installed when the whole subnet is running in User Mode?

     



  • 2.  RE: Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 07:03 AM

    Good Question. 

    User Mode clients or clients without the firewall component (NTP) cannot act as unmanaged detectors.

    http://www.symantec.com/business/support/index?page=content&id=TECH105722



  • 3.  RE: Unmanaged Detectors in User Mode

    Trusted Advisor
    Posted Aug 21, 2013 08:39 AM

    Hello,

    In order to act as an unmanaged detector, SEP clients must have Network Threat Protection (NTP) enabled and be in Computer Mode. User Mode clients or clients without the firewall component (NTP) cannot act as unmanaged detectors.

    Check this Article:

    What does it mean to set a client as an Unmanaged Detector?

    http://www.symantec.com/docs/TECH183746

    Hope that helps!!



  • 4.  RE: Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 09:10 AM

    Unfortunately the article only tells me what I already know - I cannot have Unmanaged Detectors that are in User Mode.

    I'm looking for an alternative to Unmanaged Detectors that can be utilised in User Mode.



  • 5.  RE: Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 09:11 AM

    Unfortunately the article only tells me what I already know - I cannot have Unmanaged Detectors that are in User Mode.

    I'm looking for an alternative to allow me to keep an eye on what machines don't have SEP installed.



  • 6.  RE: Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 09:34 AM

    Only an unmanaged detector can give you that info.

    Earlier we used to have NST.exe; it's no more, and they removed the link to the KB as well.

     



  • 7.  RE: Unmanaged Detectors in User Mode

    Posted Aug 21, 2013 09:39 AM

    No, it's not possible. To know the unmanaged clients (i.e., endpoints being unmanaged or without SEP), SEPM needs the information from Unmanaged Detectors to trigger a notification.

    In SEP 12.1, you can misuse the Client Deployment Wizard to gather all the PCs without SEP, but of course this does not trigger a notification (and does not differentiate between unmanaged and managed clients).



  • 8.  RE: Unmanaged Detectors in User Mode

    Trusted Advisor
    Posted Aug 21, 2013 10:19 AM

    Hello,

    Currently, there is no alternative for Unmanaged Detector in SEP 12.1.

    Listening for ARP requests is the canonical way to do this. Independent of DHCP or not, any connected computer that wishes to communicate with the outside world will have to make an ARP request for the address of the default router. This request will go out as a broadcast, and contain the source interface's MAC and IP addresses.

    If the other computer uses DHCP, it will make an ARP request for its own address as part of duplicate address detection, which is also a broadcast you can snoop on.

    (This works more or less the same way for IPv6, except you need to look for neighbor discovery or router solicitation packets instead.)

    Like the answer alluded to, if you have a switch to which you can telnet or use SNMP on, you can extract the MAC table. That will give you a list of MAC addresses on each port in the switch. If you want the IP addresses, however, you still need to listen for ARPs.

    On the other hand, if you have access to the default gateway on the network, you can also look at the ARP table there. That will give you MAC and IP addresses for anyone that has recently (for different values of recently...) communicated with it.

    Hope that helps!!
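
The passive ARP approach described in post 8, as an added example that is not part of the original thread and is not Symantec code: it parses raw Ethernet frames for broadcast ARP requests, handles the duplicate-address probe a DHCP client sends (sender IP 0.0.0.0), and reports senders missing from a managed-host inventory while skipping subnets that should be ignored. The function names, the sample frames and the `MANAGED` MAC list are constructed assumptions; capturing the frames and exporting the inventory are left to your own tooling.

```python
import ipaddress
import struct

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:  # EtherType must be ARP
        return None
    # hardware=Ethernet, protocol=IPv4, 6-byte MAC, 4-byte IP, opcode 1 (request)
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

def unmanaged_hosts(frames, managed_macs, ignore_nets=()):
    """Map MAC -> IP for ARP senders missing from the managed inventory."""
    ignored = [ipaddress.ip_network(n) for n in ignore_nets]
    managed = {m.lower() for m in managed_macs}
    found = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, spa, tpa = parsed
        # A duplicate-address probe has sender IP 0.0.0.0 and asks for the
        # address the host is about to use, so take the target IP instead.
        ip = ipaddress.ip_address(tpa if spa == "0.0.0.0" else spa)
        if mac not in managed and not any(ip in net for net in ignored):
            found[mac] = str(ip)
    return found

def _request(mac, spa, tpa):
    """Build a constructed broadcast ARP request for the sample data."""
    m = bytes.fromhex(mac.replace(":", ""))
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + m + ipaddress.IPv4Address(spa).packed
    body += b"\x00" * 6 + ipaddress.IPv4Address(tpa).packed
    return b"\xff" * 6 + m + struct.pack("!H", 0x0806) + body

# Constructed sample data (documentation address ranges, locally administered MACs).
SAMPLE_FRAMES = [
    _request("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),       # managed desktop
    _request("02:00:00:00:00:0b", "192.0.2.11", "192.0.2.1"),       # desktop without the agent
    _request("02:00:00:00:00:0c", "0.0.0.0", "192.0.2.12"),         # DHCP client probing its lease
    _request("02:00:00:00:00:0d", "198.51.100.5", "198.51.100.1"),  # phone on the voice subnet
    b"\x00" * 20,                                                   # truncated frame, skipped
]
MANAGED = {"02:00:00:00:00:0A"}  # hypothetical inventory export, any letter case

print(unmanaged_hosts(SAMPLE_FRAMES, MANAGED, ignore_nets=["198.51.100.0/24"]))
```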



  • 9.  RE: Unmanaged Detectors in User Mode

    Posted Aug 23, 2013 07:09 AM

    All this sounds like a very roundabout way of doing things.

    I think I've sort of fixed the issue by running one PC on the subnet in Client Mode and using that as an Unmanaged Detector!

    Voila!

    Will let you know if it works.



  • 10.  RE: Unmanaged Detectors in User Mode

    Posted Aug 28, 2013 07:50 AM

    So the solution worked and I am getting a notification of the unmanaged computers - excellent!

    However, the report contains two subnets.  One of which is our VOIP phone system that is connected to the same switch.

    How can I tell the Unmanaged detector not to look at this subnet, or the notification to not tell me about it?



  • 11.  RE: Unmanaged Detectors in User Mode

    Posted Aug 28, 2013 08:04 AM

    Thanks for the update. I learnt something from you today.

    Here is how you exclude the IP:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80763