McAfee EPOLICY ORCHESTRATOR 4.5 Product Manual page 230

Detecting Rogue Systems

Rogue System Detection policy settings

The communication time for inactive sensors determines how often passive sensors check in
with the server.

The Reporting time for active sensors determines how often active sensors report to the ePO
server. Setting this value too low can have the same effect as setting the value for the sensor's
detected system cache lifetime.

The sensor's detected system cache lifetime is the amount of time a detected system remains
in the sensor's cache. This value controls how often the sensor reports that a system is newly
detected. The lower the value, the more often the sensor reports a system detection to the
server. Setting this value too low can overwhelm your server with system detections. Setting
this value too high prevents you from having current information on system detections.

TIP: McAfee recommends that you set the sensor's detected system cache lifetime and the
reporting time for active sensors settings to the same value.
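
The effect of the detected system cache lifetime on report volume, as an added example: this is a simplified model, not McAfee's sensor code and not part of the product guide. It assumes a cache entry expires the configured lifetime after it was cached; the traffic, MAC addresses and function names are constructed for illustration.

```python
"""Simplified model of a sensor-side detected-system cache (not McAfee code)."""

ROAMING = "00:00:5e:00:53:03"   # constructed MAC from the documentation range


def simulate_reports(observations, cache_lifetime):
    """Return the (timestamp, mac) detections the sensor would send to the server.

    observations   -- (timestamp_seconds, mac) sightings in time order
    cache_lifetime -- seconds a detected system remains in the sensor's cache
    Assumption: an entry expires cache_lifetime seconds after it was cached.
    """
    cache = {}    # mac -> timestamp at which the system was last reported
    reports = []
    for ts, mac in observations:
        cached_at = cache.get(mac)
        if cached_at is None or ts - cached_at >= cache_lifetime:
            cache[mac] = ts            # (re)cache and report as newly detected
            reports.append((ts, mac))
    return reports


def constructed_traffic():
    """Constructed sample: one hour of sightings, one per minute per system.

    Two systems stay connected for the whole hour. A third leaves after
    10 minutes and reconnects at minute 40.
    """
    observations = []
    for t in range(0, 3600, 60):
        observations.append((t, "00:00:5e:00:53:01"))
        observations.append((t, "00:00:5e:00:53:02"))
        if t < 600 or t >= 2400:
            observations.append((t, ROAMING))
    return observations


if __name__ == "__main__":
    traffic = constructed_traffic()
    for lifetime in (60, 600, 7200):
        reports = simulate_reports(traffic, lifetime)
        returned = [t for t, mac in reports if mac == ROAMING]
        print(f"lifetime={lifetime:>5}s reports={len(reports):>3} "
              f"roaming system reported at {returned}")
```

In this model the 60-second lifetime turns every sighting into a server report, while the 7200-second lifetime never reports the system that reconnects at minute 40.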

Detection settings

Detection settings determine whether:
• Device details detection is enabled.
• DHCP monitoring is enabled.
• Reporting on self-configured subnets is enabled.

If you use DHCP servers on your network, you can install sensors on them to monitor your
network. This allows you to use a single sensor to report on all subnets and systems that connect
to it. DHCP monitoring allows you to cover your network with fewer sensors to deploy and
manage, and reduces the potential for missed subnets and systems.

Device details detection allows you to specify the type of information the Rogue System Sensor
scans systems for.
• Operating System (OS) details — This option allows the sensor to determine detailed
information about a device's operating system. If you enable OS details scanning, you can
also choose to scan the systems you have marked as exceptions.
• You can also specify which systems and networks are scanned using OS detection by choosing
to scan all networks or only specific networks. You can limit OS detection to specific subnets
by including or excluding specific IP addresses.

The Rogue System Sensor uses NetBIOS calls and OS fingerprinting to provide more detailed
information about the devices on your network. You can enable active probing on your entire
network, or include or exclude specific subnets.

CAUTION: This Device details detection feature provides accurate matching of detected system
interfaces and should be disabled only if you have specific reasons to do so.

General settings

General settings determine:
• Sensor-to-server communication port.
• Server IP address or DNS name.
• Whether the Rogue System Sensor is enabled.

The server IP address default value is the address of the ePO server that you are using to install
sensors. Rogue System Detection reports system detections to the specified server. When this