McAfee Rogue System Detection 2.0 - HIPS 7.0 Port Scan Alerts
I installed Rogue System Detection 2.0 for ePolicy Orchestrator 4.0 yesterday. Setup completed without a hitch, and I didn't even need to install it separately as an extension like most of their products.
It's not much different than the 1.0 version. The sensor deployment seems a bit more reliable, and the new web frontend is definitely slick. I spent the better part of the day methodically identifying and excluding networking devices and the like, and I'm pleased to say that there are a negligible number of malfunctioning McAfee agents in our environment. Deploying an agent package cleared most of the issues up, and I'm addressing the few that remain individually.
The one thing I've noticed is that HIPS is flagging a Port Scan threat from the RSD sensor as it interrogates the client. I've tried writing an exception for HIPS to disregard alerts for Port Scans against the IPs in question, but it doesn't seem to work. Even excluding the signature altogether doesn't seem to do it. Actually, it doesn't appear that the exclusions work all that well in HIPS 7, period... 6.x worked far more reliably, and I would say it was definitely easier to manage.
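As an added illustration (not code from the original post, and not anything shipped by McAfee), one way to keep the noise in check outside HIPS while the exceptions misbehave: export the Port Scan events from ePO and split them by source address, so that only events whose source is a known RSD sensor IP get treated as sensor noise, and any other source scanning several agents still gets reviewed. The CSV layout, sensor IPs and hostnames below are constructed assumptions; a real HIPS event export will look different and needs its own column mapping.

```python
"""Triage HIPS 'Port Scan' alerts by source address.

Added example for illustration only; not code from the original post or
from McAfee. The alert format is a constructed, simplified CSV
(time, agent hostname, signature, source IP). Real HIPS/ePO exports differ.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed: addresses of the RSD sensor hosts, one per broadcast domain.
RSD_SENSORS = {"10.1.0.5", "10.2.0.5"}

# Constructed sample of HIPS alerts as they might be exported from ePO.
SAMPLE_ALERTS = """\
time,agent,signature,source_ip
2008-05-12T09:01:10,ws-0412,Port Scan,10.1.0.5
2008-05-12T09:01:12,ws-0417,Port Scan,10.1.0.5
2008-05-12T09:03:40,ws-0212,Port Scan,10.2.0.5
2008-05-12T09:05:02,ws-0418,Port Scan,192.168.77.9
2008-05-12T09:05:03,ws-0419,Port Scan,192.168.77.9
2008-05-12T09:05:04,ws-0420,Port Scan,192.168.77.9
2008-05-12T09:07:15,ws-0412,Buffer Overflow,10.1.0.5
"""


def parse_alerts(text):
    """Yield alert rows from the CSV text; rows with an unparsable IP are skipped."""
    for row in csv.DictReader(io.StringIO(text)):
        try:
            # Normalise the address so "010.1.0.5"-style variants can't dodge the match.
            row["source_ip"] = str(ipaddress.ip_address(row["source_ip"].strip()))
        except ValueError:
            continue  # malformed source: never silently allowlist it
        yield row


def triage_port_scans(text, sensors=RSD_SENSORS):
    """Split Port Scan alerts into sensor-originated noise and everything else.

    Returns (noise, review): noise maps each known sensor IP to the set of
    agents it touched; review maps every other source IP to the agents it
    touched. Only the Port Scan signature is considered, so an unrelated
    signature fired by a sensor address is never suppressed by accident.
    """
    noise = defaultdict(set)
    review = defaultdict(set)
    for alert in parse_alerts(text):
        if alert["signature"] != "Port Scan":
            continue
        bucket = noise if alert["source_ip"] in sensors else review
        bucket[alert["source_ip"]].add(alert["agent"])
    return dict(noise), dict(review)


if __name__ == "__main__":
    noise, review = triage_port_scans(SAMPLE_ALERTS)
    for ip, agents in sorted(noise.items()):
        print(f"sensor {ip}: Port Scan on {len(agents)} agents, expected RSD noise")
    for ip, agents in sorted(review.items()):
        print(f"REVIEW {ip}: Port Scan on {len(agents)} agents, not a known sensor")
```

The point of keying on both the signature and the source is the caveat that matters here: disabling the Port Scan signature outright, or excluding it everywhere, would also hide a real scan from a host that is not the sensor, which is exactly the case the third source address above is meant to surface.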
I am curious whether disabling "Device details detection" in the Rogue System Detection policy would resolve this, or whether it just does an aggressive nmap-style scan on detected systems altogether... in which case changing this would likely accomplish nothing. Either way, I don't think it's the preferred method to take, as I'll have a lot less data available for identifying IPs that don't report hostnames, etc.
I suppose I'll wait another day to see if client policy catches up and the HIPS clients stop sending me these darn alerts. More to follow.