Considerations for installing Rogue System Detection

When planning your deployment of Rogue System Detection 5.x, it is important to consider how it affects existing McAfee products and how the policy works.

Deployment of Rogue System Detection 5.x sensors

Although the Rogue System Detection 5.x sensor technology continues to support deployment on DHCP servers, McAfee recommends that you deploy sensors on every subnet. This provides the best visibility of rogue systems, full coverage of the entire enterprise network, fastest detection time, and best accuracy for determining rogue device attributes, such as OS detection.

Ports used for active detection

Rogue System Detection 5.x uses sensor technology to detect rogue systems. The sensor uses a combination of passive and active detection techniques. For active detection, the Rogue System Sensor 5.x requires fewer ports than previous releases. It first attempts to use ports that are already known to be open or closed. Otherwise, it uses the following ports:

  • TCP — Ports 22, 80, 443, and 445.
  • UDP — Ports 65534, 65533, and 65532. The software selects the first unused port.

Interaction with other McAfee products

The Rogue System Sensor integrates with McAfee Agent on managed systems. The Rogue System Sensor 4.x integrates with the McAfee® Rogue Database Detection (RDD) sensor. The Rogue System Sensor 5.x does not support integration with RDD. If you use RDD, you can maintain existing 4.x sensors and deploy additional new Rogue System Detection 5.x sensors.

Use of WinPcap

You cannot deploy the Rogue System Sensor to a system that is running WinPcap or any software that uses WinPcap. If WinPcap is installed, the sensor installation stops and logs an error message.

If you install WinPcap on a system that already has a sensor installed, the sensor can stop functioning properly.

Microsoft KB2563894 security update required on systems running the sensor

Any system on which you install a sensor requires the Microsoft KB2563894 security update. If the update is not present, the sensor installation stops and logs an error message. This update fixes an issue that can cause the system to stop responding when it receives the types of network traffic used by the Rogue System Sensor.
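The three installation prerequisites described above (a free UDP port for active detection, no WinPcap on the host, and KB2563894 present) can be verified before the sensor is pushed to a system. The following readiness script is an added example, not McAfee code; the WinPcap indicators it uses (the npf driver service and wpcap.dll in System32) and the Windows 8 / Server 2012 or later cmdlets (Get-HotFix, Get-NetUDPEndpoint) are assumptions.

```powershell
# Readiness check for a prospective Rogue System Sensor 5.x host (added example, not McAfee code).
# Assumptions (not from the documentation): WinPcap is detected via its "npf" driver service or
# %SystemRoot%\System32\wpcap.dll; Get-HotFix and Get-NetUDPEndpoint are available
# (Windows 8 / Server 2012 or later). Run from an elevated PowerShell session.

function Test-RsdSensorHost {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. KB2563894 must be present, otherwise the sensor installer stops and logs an error.
    $hotfix = Get-HotFix -Id 'KB2563894' -ErrorAction SilentlyContinue
    if (-not $hotfix) {
        $findings.Add('KB2563894 is not installed; the sensor installation will stop with an error.')
    }

    # 2. WinPcap, or any software bundled with it, blocks the sensor installation.
    $npfService = Get-Service -Name 'npf' -ErrorAction SilentlyContinue
    $wpcapDll   = Test-Path (Join-Path $env:SystemRoot 'System32\wpcap.dll')
    if ($npfService -or $wpcapDll) {
        $findings.Add('WinPcap appears to be installed (npf driver or wpcap.dll found); remove it before deploying the sensor.')
    }

    # 3. Active detection binds the first unused port among UDP 65534, 65533 and 65532.
    #    The sensor also probes TCP 22, 80, 443 and 445 on the subnet, so host firewall rules
    #    should permit that outbound traffic; that part is not checked here.
    $udpCandidates = 65534, 65533, 65532
    $udpInUse = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
                Where-Object { $udpCandidates -contains $_.LocalPort } |
                Select-Object -ExpandProperty LocalPort -Unique
    $udpFree = $udpCandidates | Where-Object { $udpInUse -notcontains $_ }
    if (-not $udpFree) {
        $findings.Add('UDP 65534, 65533 and 65532 are all in use; the sensor has no free UDP port for active detection.')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        KB2563894    = [bool]$hotfix
        WinPcapFound = [bool]($npfService -or $wpcapDll)
        FreeUdpPort  = ($udpFree | Select-Object -First 1)
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-RsdSensorHost | Format-List
```

A host is only ready when Ready is True; the Findings list states which prerequisite from the sections above is missing.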

Rogue System Detection policies

Rogue System Detection can simultaneously manage Rogue System Sensor versions 4.x and 5.x. Rogue System Detection sends the same policy to all sensors. Some policy settings are relevant only for 4.x sensors, some for 5.x sensors, and some for all sensors. When a sensor receives a Rogue System Detection policy from McAfee ePO, it uses the policy settings that apply to its version.

A revision number was added to the policy and to the server settings. This number makes it easy to identify which policy and server settings versions are applied to a specific sensor.

Internal database

Rogue System Sensor 5.x maintains an encrypted record of all systems it has detected and profiled on the network. The encryption key is unique to each Rogue System Detection installation.

If you uninstall and then reinstall Rogue System Detection, the software generates a new encryption key. This means that all managed sensors drop their existing database, create a new database, and redetect the systems on the network. To prevent the extra load and network traffic, avoid uninstalling and reinstalling Rogue System Detection unless required or instructed by McAfee support.

Sensor components and log files

Rogue System Sensor 5.x is designed to detect rogue systems on its local subnet only. It runs two components on the system where it is installed:

  • RSDPP — A Windows service that is responsible for managing communications with Rogue System Detection through the McAfee Agent.
  • Balash — A Windows process that is responsible for discovering and profiling devices operating on the network.

Rogue System Sensor 5.x maintains two log files that can be used to troubleshoot issues:

  • rsdpp.log — The log file of the RSDPP service contains information about the sensor installation process and communications with ePolicy Orchestrator through the McAfee Agent.
  • balash.log — The log file of the Balash process contains information about the network detection performed by the sensor and the devices that were discovered and profiled.

The balash.log file can contain sensitive information, such as the media access control (MAC) addresses and IP addresses of systems on the network. By default, the file contains only messages tagged with Error and Critical priority. For troubleshooting, you can gather more detailed information by setting the Log File Settings option on the policy's General tab to Log all messages (recommended for troubleshooting and debugging). Reset this setting to the default level as soon as you finish troubleshooting, because the detailed log exposes network address information.