How rogue systems are detected

To configure and manage Rogue System Detection, it is important to understand which components are used and how the rogue systems are detected.

McAfee Agent

The ideal ePolicy Orchestrator managed network has a McAfee Agent installed on every system. Through the McAfee Agent, those systems report their status to the McAfee ePO server at regular intervals. To keep rogue systems off the network, make sure that every system added to the ePolicy Orchestrator managed network receives the McAfee Agent in one of these ways:

  • As part of the image installed on the system before connection
  • Automatically when synchronized with Active Directory
  • As an automatic response associated with an ePolicy Orchestrator System Tree
  • Manually by the administrator from the System Tree

Rogue System Detection components

Rogue System Detection uses the following to discover and report rogue systems:

  • Rogue System Detection extension — Installed on the McAfee ePO server
  • Rogue System Detection server settings — Configured as part of the advanced server settings
  • Rogue System Sensors — Configured as policy and server settings
  • Automatic Responses — Deploy the McAfee Agent to a detected rogue system, or notify the administrator that a rogue system was found
Note: Optionally, you can create a Rogue System group in the System Tree. This group holds detected rogue systems until the McAfee Agent is deployed to them and each system can be moved to its appropriate group.

Rogue System Sensors

Rogue System Sensors detect rogue systems on the local subnets they are installed on.

Sensors can be installed on the subnet:

  • Using all systems in a subnet — Install the sensor on every system and configure the Rogue System Sensor election feature so that the sensors determine which of them are active and which are passive
  • Deploying to specific systems — Use a System Tree action or a client task to deploy the sensor to selected systems

Which system on a subnet is configured as the active Rogue System Detection sensor depends on factors such as:

  • Type of systems on the subnet — If the subnet is a server farm with mission-critical systems, you can install the sensor on a system with the least traffic and the least downtime.
    Note: Mission-critical systems can also be blacklisted to ensure that they are not used as active sensors.
  • Size of the managed network — If the managed network is small, you can configure the McAfee ePO server to determine which sensors are active.
  • Type of traffic on the subnet — If the subnet is a broadcast network served by a DHCP server that has an IP address on that subnet, the DHCP server is a good place to install the active sensor, because every system that requests an address contacts it.
    Note: If the DHCP server can't host the sensor, you can install sensors on all systems in the subnet and configure them to elect which system or systems are active during a specific period. You can also install the sensors on specific systems and let the McAfee ePO server determine which of them are active.
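As an added illustration of the two procedures described above (electing an active sensor per subnet, and a sensor comparing the hosts it sees on its own subnet with the systems that have a McAfee Agent), the following Python script is example code written for this page; it is not McAfee code and does not use the ePO API. The election skips blacklisted hosts and prefers the candidate with the least downtime, then the least traffic (that ordering is an assumption, chosen because a sensor that is down sees nothing). All hostnames, subnets, MAC addresses and IP addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SensorCandidate:
    host: str
    subnet: str            # CIDR of the subnet the sensor is installed on
    traffic_mbps: float    # average load on the host; lower is preferred
    downtime_hours: float  # downtime over the last 30 days; lower is preferred
    blacklisted: bool = False  # mission-critical host that must never be active


def elect_active_sensors(candidates):
    """Pick one active sensor per subnet; every other candidate stays passive.

    Blacklisted hosts are never elected. Among the rest, the host with the
    least downtime wins, least traffic breaks ties (assumed ordering).
    """
    active = {}
    for subnet in sorted({c.subnet for c in candidates}):
        eligible = [c for c in candidates if c.subnet == subnet and not c.blacklisted]
        if not eligible:
            continue  # only blacklisted hosts here: subnet has no active sensor
        best = min(eligible, key=lambda c: (c.downtime_hours, c.traffic_mbps))
        active[subnet] = best.host
    return active


def normalize_mac(mac):
    """'AA-BB-CC-DD-EE-FF' and 'aa:bb:cc:dd:ee:ff' must compare equal."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Observation:
    sensor_host: str    # the sensor that reported the host
    sensor_subnet: str  # CIDR of the sensor's own subnet
    mac: str
    ip: str


def classify_observations(observations, managed_macs):
    """Split hosts reported by sensors into managed and rogue.

    A host is managed when its MAC is in the ePO inventory of systems that
    have a McAfee Agent; any other host on the subnet is rogue. A sensor only
    detects hosts on its local subnet, so an observation whose IP lies outside
    the sensor's subnet is set aside as a misconfiguration, not reported.
    """
    managed = {normalize_mac(m) for m in managed_macs}
    result = {"managed": [], "rogue": [], "ignored": []}
    for obs in observations:
        if ip_address(obs.ip) not in ip_network(obs.sensor_subnet):
            result["ignored"].append(obs.ip)
            continue
        bucket = "managed" if normalize_mac(obs.mac) in managed else "rogue"
        result[bucket].append(obs.ip)
    return result


# Constructed sample data (hypothetical hosts, subnets and addresses).
CANDIDATES = [
    SensorCandidate("dhcp01",   "10.1.0.0/24", traffic_mbps=2.0,  downtime_hours=0.0),
    SensorCandidate("ws-101",   "10.1.0.0/24", traffic_mbps=0.5,  downtime_hours=40.0),
    SensorCandidate("db-prod",  "10.2.0.0/24", traffic_mbps=80.0, downtime_hours=0.0, blacklisted=True),
    SensorCandidate("app-02",   "10.2.0.0/24", traffic_mbps=30.0, downtime_hours=1.0),
    SensorCandidate("app-03",   "10.2.0.0/24", traffic_mbps=12.0, downtime_hours=1.0),
    SensorCandidate("erp-core", "10.3.0.0/24", traffic_mbps=50.0, downtime_hours=0.0, blacklisted=True),
]

# MACs of systems that have a McAfee Agent, in the mixed formats inventories use.
MANAGED_MACS = ["00:11:22:33:44:01", "00-11-22-33-44-02"]

OBSERVATIONS = [
    Observation("dhcp01", "10.1.0.0/24", "00:11:22:33:44:01", "10.1.0.10"),  # has agent
    Observation("dhcp01", "10.1.0.0/24", "00:11:22:33:44:02", "10.1.0.11"),  # has agent
    Observation("dhcp01", "10.1.0.0/24", "DE:AD:BE:EF:00:01", "10.1.0.77"),  # no agent: rogue
    Observation("app-03", "10.2.0.0/24", "DE:AD:BE:EF:00:02", "10.9.0.5"),   # not on app-03's subnet
]

if __name__ == "__main__":
    print(elect_active_sensors(CANDIDATES))
    print(classify_observations(OBSERVATIONS, MANAGED_MACS))
```

Running the script elects dhcp01 and app-03 and leaves 10.3.0.0/24 without an active sensor because its only candidate is blacklisted; that is the case an administrator must watch for, since a subnet with no eligible sensor is a subnet where rogue systems go unnoticed. The MAC normalization matters in practice because inventories and sensor reports often differ in separator and letter case, and a mismatch would make an agent-managed system look rogue.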