
Finding unprotected computers on the network

Hello Gentlemen,

I have a client, a hospital with more than 300 computers; this client uses Sophos Endpoint Standard (EPS) with Enterprise Console.
Today we detected that one of its computers was trying to reach a botnet and the UTM IPS blocked it; the customer's technician picked up the computer and saw that it did not have the Sophos Endpoint agent installed.
On the Enterprise Console I see many computers that are apparently unprotected, but since Active Directory is still very dirty, with orphaned computer accounts that technicians have not removed, there is no way to be sure how many computers do not actually have Sophos Endpoint installed.

I ask: is there a GUI tool or script that can be run across the entire network in order to find the computers on which there really is no antivirus installed?



  • Hello IvanildoGalvão,

    managed software (AV, deployment, whatever) normally identifies its clients by means of an agent. Thus unprotected (or unmanaged, uncatalogued, whatever) is ALL minus identified. Obviously the challenge is to enumerate ALL. There are many tools to scan a network, but all depend on the target devices to return some information. A rogue device might go into almost complete stealth mode.
    SEC can scan the network - Discover has the option to scan an IP range. As said, whether you really detect ALL this way depends. Only the network (the UTM did notice it) knows which devices are connected, and only if they are directly connected. If you have other sources (like AD) that suggest non-existent devices, it's impossible to separate the wheat from the chaff.

    Christian

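As an added illustration of the "ALL minus identified" approach described in the reply above (example code written for this page, not from the original thread and not a Sophos tool), the script below reconciles three exports: hosts actually observed on the wire (DHCP leases, ARP tables or UTM logs), hosts the Enterprise Console reports as managed, and the computer accounts in Active Directory. The CSV column names and all host data are constructed assumptions; real exports from the console, the UTM or AD will need their own columns mapped onto these.

```python
"""Reconcile inventories to find likely unprotected hosts.

Sets:
  NETWORK - hosts actually observed on the wire (DHCP / ARP / UTM logs)
  MANAGED - hosts the endpoint console reports as having the agent
  AD      - computer accounts in Active Directory (may contain orphans)

Unprotected candidates = NETWORK - MANAGED.
AD accounts never seen on the network and idle for a long time are
cleanup candidates, not missing endpoints.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (hypothetical column names, not real data).
NETWORK_CSV = """ip,mac,hostname
10.10.1.20,00:11:22:33:44:01,RAD-WS01.hospital.local
10.10.1.21,00:11:22:33:44:02,rad-ws02.hospital.local
10.10.1.22,00:11:22:33:44:03,
10.10.2.5,00:11:22:33:44:04,LAB-PC07
10.10.2.6,00:11:22:33:44:05,icu-ws03.hospital.local
"""

MANAGED_CSV = """computer,last_message
RAD-WS01,2024-05-01
LAB-PC07,2024-05-02
ICU-WS03,2024-04-30
ER-WS11,2024-04-28
"""

AD_CSV = """name,last_logon
RAD-WS01,2024-05-01
RAD-WS02,2024-05-01
LAB-PC07,2024-05-02
ICU-WS03,2024-04-30
ER-WS11,2024-04-28
OLD-PC99,2022-03-10
"""


def normalize(hostname):
    """Lower-case and drop the DNS suffix so 'RAD-WS01.hospital.local' == 'rad-ws01'."""
    return hostname.strip().lower().split(".")[0]


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(network_csv, managed_csv, ad_csv, now, stale_days=90):
    network = load_rows(network_csv)
    managed = {normalize(r["computer"]) for r in load_rows(managed_csv)}
    ad = {normalize(r["name"]): datetime.strptime(r["last_logon"], "%Y-%m-%d")
          for r in load_rows(ad_csv)}
    seen = {normalize(r["hostname"]) for r in network if r["hostname"].strip()}

    # On the wire but unknown to the console: the real unprotected candidates.
    unmanaged = sorted(seen - managed)
    # Answered the scan but gave no name: cannot be matched, check by hand.
    nameless = sorted((r["ip"], r["mac"]) for r in network if not r["hostname"].strip())
    # AD accounts never seen and idle longer than stale_days: orphans to clean up.
    cutoff = now - timedelta(days=stale_days)
    stale_ad = sorted(n for n, t in ad.items() if n not in seen and t < cutoff)
    # AD accounts that logged on recently but were not seen: a scan coverage gap
    # (other VLAN, VPN, powered off), not necessarily an orphan.
    unscanned = sorted(n for n, t in ad.items() if n not in seen and t >= cutoff)
    return {"unmanaged_on_network": unmanaged, "nameless": nameless,
            "stale_ad": stale_ad, "not_seen_recent": unscanned}


if __name__ == "__main__":
    report = reconcile(NETWORK_CSV, MANAGED_CSV, AD_CSV, datetime(2024, 5, 3))
    for key, value in report.items():
        print(f"{key}: {value}")
```

With the constructed data, rad-ws02 is on the network but not managed, one device answered with no hostname, old-pc99 is a stale AD orphan, and er-ws11 is managed and recently logged on but was not in the scan, so it marks a gap in scan coverage rather than a missing agent. Matching is done on the short hostname; if the DHCP export also carries MAC addresses and the console export does not, a second pass keyed on MAC would be needed to match hosts whose names changed.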