How Detected Systems Are Matched And Merged; Working With Detected Systems - McAfee EPOCDE-AA-BA - ePolicy Orchestrator - PC Product Manual

Product guide

21 Detecting Rogue Systems

How detected systems are matched and merged

DHCP servers
If you use DHCP servers in your network, you can install sensors on them. Sensors installed on DHCP
servers report on all connected subnets by listening for DHCP responses. Using sensors on DHCP
servers reduces the number of sensors you need to install and manage on your network to ensure
coverage, but it does not eliminate the need to install sensors on network segments that use static IP
addresses.
Installing sensors on DHCP servers can improve coverage of your
network. However, it is still necessary to install sensors in broadcast
segments that use static IP addresses, or that have a mixed environment.
A sensor installed on a DHCP server does not report on systems covered
by that server if the system uses a static IP address.
How detected systems are matched and merged
When a system connects to your network, Rogue System Detection automatically checks the McAfee
ePO database to determine whether the incoming system is new or corresponds to a previously
detected system. If the system has been previously detected, Rogue System Detection automatically
matches it to the existing record in the McAfee ePO database. When a detected system is not matched
automatically, you can manually merge the system with an existing detected system.
Matching detected systems
Automatic matching of detected systems is necessary to prevent previously detected systems from
being identified as new systems on your network. By default, systems are first matched against an
agent's unique ID. If this unique ID does not exist, the McAfee ePO database uses attributes specified
in the Rogue System Matching server settings. You can specify which attributes the database uses for
matching, based on which attributes are unique in your environment.
If a system on your network has multiple NICs, each system interface can result in separate
detections. Use the Detected System Matching Server Setting to match multiple interfaces to an
existing detected system in order to eliminate duplicate systems.
Merging detected systems
When the McAfee ePO server cannot automatically match detected systems, you can merge them
manually using Merge systems. For example, the McAfee ePO server might not be able to match a
detected system interface that was generated by a system with multiple NICs, based on the matching
attributes you have specified.
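
The following is an added illustration, not code from McAfee or from this product guide. It models the matching order described above (agent unique ID first, then the configured attributes) and shows how the choice of matching attribute decides whether a multi-NIC system without an agent ends up as a duplicate that needs a manual merge. The field names (agent_id, mac, hostname), the sample detections, and the rule that a detection carrying an agent ID is matched on that ID alone are assumptions made for the example.

```python
# Illustrative model only: field names and data are constructed, not the product's schema.
DETECTIONS = [
    {"agent_id": "A1", "mac": "00:00:5e:00:53:01", "hostname": "ws-01"},
    {"agent_id": "A1", "mac": "00:00:5e:00:53:02", "hostname": "ws-01"},      # 2nd NIC, agent present
    {"agent_id": None, "mac": "00:00:5e:00:53:10", "hostname": "printer-7"},
    {"agent_id": None, "mac": "00:00:5e:00:53:11", "hostname": "printer-7"},  # 2nd NIC, no agent
    {"agent_id": None, "mac": "00:00:5e:00:53:10", "hostname": "printer-7"},  # seen again later
]

def find_match(records, det, match_attrs):
    """Return the existing record this detection corresponds to, or None."""
    # Step 1: the agent's unique ID is tried first when the detection has one.
    if det.get("agent_id"):
        return next((r for r in records if r["agent_id"] == det["agent_id"]), None)
    # Step 2: no unique ID, so fall back to the configured matching attributes.
    for rec in records:
        for seen in rec["detections"]:
            if match_attrs and all(det.get(a) and det.get(a) == seen.get(a)
                                   for a in match_attrs):
                return rec
    return None

def ingest(detections, match_attrs):
    """Build the detected-systems list, creating a record only when nothing matches."""
    records = []
    for det in detections:
        rec = find_match(records, det, match_attrs)
        if rec is None:
            rec = {"agent_id": det.get("agent_id"), "detections": []}
            records.append(rec)
        rec["detections"].append(det)
    return records

def merge(records, keep, absorb):
    """Manual merge: fold the record at index `absorb` into the one at `keep`."""
    records[keep]["detections"].extend(records[absorb]["detections"])
    del records[absorb]
    return records

if __name__ == "__main__":
    for attrs in (["mac"], ["hostname"]):
        print(attrs, "->", len(ingest(DETECTIONS, attrs)), "detected systems")
```

Matching on the MAC address alone leaves the agentless two-NIC device as two detected systems until they are merged by hand; matching on an attribute shared by both interfaces collapses them automatically.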

Working with detected systems

Use these tasks to manage detected systems in Rogue System Detection.
274 McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
