Detecting Rogue Systems - McAfee EPOLICY ORCHESTRATOR 4.5 Product Manual

Detecting Rogue Systems

Unprotected systems are often the weak spot of any security strategy, creating entry points
through which viruses and other potentially harmful programs can access your network. Even
in a managed network environment, some systems might not have an active McAfee Agent on
them. These can be systems that frequently log on and off the network, including test servers,
laptops, or wireless devices.
Rogue System Detection provides real-time discovery of rogue systems through the use of a
Rogue System Sensor installed throughout your network. The sensor listens to network broadcast
messages and DHCP responses to detect systems connected to the network.
When a sensor detects a system on the network, it sends a message to the ePolicy Orchestrator
server. The server then checks whether the system has an active agent installed and managed.
If the system is unknown to the ePO server, Rogue System Detection provides information to
ePolicy Orchestrator to allow you to take remediation steps, which include alerting network and
anti-virus administrators or automatically deploying an agent to the system.
In addition to Rogue System Detection, other McAfee products, like McAfee Network Access
Control, add detected systems control to ePolicy Orchestrator.
Contents
What are rogue systems
How the Rogue System Sensor works
How detected systems are matched and merged
Rogue System Detection states
Rogue Sensor Blacklist
Rogue System Detection policy settings
Rogue System Detection permission sets
Setting up Rogue System Detection
Configuring Rogue System Detection policy settings
Configuring server settings for Rogue System Detection
Working with detected systems
Working with sensors
Working with subnets
Rogue System Detection command-line options
Default Rogue System Detection queries
222 McAfee ePolicy Orchestrator 4.5 Product Guide