Rogue System Detection Policy Settings; Considerations For Policy Settings - McAfee EPOLICY ORCHESTRATOR 4.0.2 Product Manual

Detecting Rogue Systems

Rogue System Detection policy settings

Rogue System Detection policy settings
Rogue System Detection policy settings allow you to configure and manage the instances of
the Rogue System Sensor installed throughout your network. Settings can be applied to individual
systems, groups of systems, and subnets.
You can configure policy settings for all sensors deployed by the server. This is similar to
managing policies for any deployed product, such as VirusScan Enterprise. The Rogue System
Detection policy pages are installed on the ePO server at installation.
Configure the sensor policy settings in the Rogue System Detection policy pages the same way
you would for any managed security product. Policy settings you assign to higher levels of the
System Tree are inherited by lower-level groups or individual systems. For more information
about policies and how they work, see Managing Products with Policies and Client Tasks .
TIP: McAfee recommends that you configure policy settings before you deploy sensors to your
network. Doing so ensures that the sensors work according to your intended use. For example,
DHCP monitoring is disabled by default. As a result, if you deploy sensors to DHCP servers
without enabling DHCP monitoring during your initial configuration, those sensors report limited
information to the ePO server. If you deploy sensors before you configure your policies, you
can update them to change sensor functionality.

Considerations for policy settings

Policy settings configure the features and performance of the Rogue System Sensor. These
settings are separated into four groups:
• Communication settings
• Detection settings
• General settings
• Interface settings
Communication settings
Communication settings determine:
• The communication time for inactive sensors.
• The reporting time for active sensors.
• The sensor's detected system cache lifetime.
The sensor's detected system cache lifetime is the amount of time a detected system remains
in the sensor's cache. This value controls how often the sensor reports that a system is newly
detected. The lower the value, the more often the sensor reports a system detection to the
server. Setting this value too low can overwhelm your server with system detections. Setting
this value too high prevents you from having current information on system detections.
The communication time for inactive sensors determines how often passive sensors check in
with the server. If a sensor fails to check in during this time period, it is marked as missing.
The Reporting time for active sensors determines how often active sensors report to the ePO
server. Setting this value too high or low can have the same effect as setting the value for the
sensor's detected system cache lifetime.
TIP: McAfee recommends that you set the sensor's detected system cache lifetime and the
reporting time for active sensors settings to the same value.
196 McAfee ePolicy Orchestrator 4.0.2 Product Guide