
Duplicate PC names in enterprise console

I've noticed after upgrading the Enterprise Console to version 4.5 and AV to 9.5 that duplicate PC names have started appearing. This normally happens after a PC's AV has either not upgraded properly or has stopped updating, so I've uninstalled it and then redeployed it down. One of the PC names will say it's connected & managed (although not properly, as the 'up to date' column is blank and you can't deploy any policies down) whilst the other will be greyed out.

I've tried deleting both entries in the Enterprise Console in an attempt for the AD sync to sort it but they both re-appear again. Is this a known issue with the 4.5 upgrade?

:4224


This thread was automatically locked due to age.
  • Hello LoXodonte,

    dunno if it fails to do its work but PurgeDB starts and displays its usage info on 64bit systems.

    It's late Friday, so ... anyway
    3) you should be able to figure this out from the article
    As for the other two you'd likely have to work directly with the database, details are scattered in various threads on these boards. I'll search for relevant posts on Monday but meanwhile you could search in the "Products" section using "SQL, ComputersAndDeletedComputers, DELETE" and perhaps "GroupID".

    Christian
    :57433
  • Sounds good, I'll poke around. Thanks and have a good weekend!

    :57434
  • Hello LoXodonte,

    just in case, some relevant posts/threads:

    Duplicate computers in enterprise console

    Duplicate PC names in enterprise console

    PC Listed Twice: Unassigned Group & Correct GPO

    To make sure - [Sophos] do[es] not recommend that any direct SQL commands that write to the Sophos database are used, and if using PurgeDB.exe, the "delete" action should only be used when specifically asked to do so by Sophos Technical Support. Back up the database - before ;-)

    Be aware that information (alerts,events, ...) associated with the computers you delete from the database will be lost.

    Christian

    :57440
  • So I ended up running the command PurgeDB.exe -action=purge -category=computers -HistoryLengthInDays=90

    Result: 1941 rows affected. It seems, though, that some duplicates were cleaned out by this.

    I tried to track down commonality factors today and it seems that 75% of the machines with duplicates are laptops, which tells me that IP address changes and network adapter changes are being translated incorrectly by the console, resulting in duplicate entries. Our laptops have wireless capability, ethernet capability, and VPN capability...each of which has an associated physical or virtual adapter.

    About 25% of the duplicates are desktops, but all of the duplicate desktops I saw had different computer descriptions. This tells me that the desktops were rebuilds...yet again, the console is confused.

    Is there any chance for some sort of feature implementation, either in PurgeDB or the console itself, that would allow for specifically finding duplicate entries, comparing them, and throwing out whatever duplicate has been offline the longest (perhaps based on a threshold like history in days)? If this were an option I would set up a scheduled task and hopefully rid myself of this duplicate issue!

    :57664
  • Hello LoXodonte,

    as said, the logic in SEC tries "to do it right" while not imposing (too m)any restrictions. From an administrator's POV a duplicate is simply an unwanted entry in the database. At the same time you want that all your endpoints have their individual and easily recognizable entries (see changing the description of virtual machines and Computers in Enterprise Console appear to update the same record). 

    From the former article it's clear that using arbitrary descriptions when rebuilding will result in duplicates (indeed having the same name, description, OS version and domain/workgroup the endpoint should be matched to the existing entry) whereas the latter shows that cloning a computer which already has an identity in terms of SEC might result in "overlapping".

    "ip address changes and network adapter changes" shouldn't cause duplicates, otherwise the same record problem wouldn't exist. Furthermore, using DHCP without reservation would cause chaos. If this really were the cause I should already have more than a few duplicates.

    The question is: are there new duplicates (apart from the unwanted but per application correct entries), or does more than one entry of a set appear to be active (i.e. the Last Message Time changes)?

    Note BTW that -action=purge affects only entries with no associated alerts, events or errors.

    Christian

    :57681
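
The duplicate check asked for in the thread (find entries that share a name, keep the one that reported most recently, flag the others once they have been silent longer than a history threshold), as an added example that is not code from any poster or from Sophos. It only reports and never touches the database; the CSV export and its column names (Name, Description, LastMessageTime) are assumptions, not the console's schema, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not the console's schema.
SAMPLE_EXPORT = """Name,Description,LastMessageTime
LAPTOP-017,Sales laptop,2013-05-02 09:14
LAPTOP-017,Sales laptop,2012-11-20 16:40
DESK-204,Front desk,2013-05-01 08:00
DESK-204,Front desk rebuild,2013-04-28 17:30
DESK-310,Lab PC,2013-04-30 12:00
"""


def find_stale_duplicates(export_text, now, history_days=90):
    """Return (stale, review) lists of (name, description, last_seen) tuples.

    stale:  older duplicates silent for more than history_days.
    review: older duplicates that still reported inside the window, which
            may be a clone or rebuild sharing a name and needs a human.
    """
    by_name = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        row["seen"] = datetime.strptime(row["LastMessageTime"], "%Y-%m-%d %H:%M")
        by_name[row["Name"].strip().upper()].append(row)

    cutoff = now - timedelta(days=history_days)
    stale, review = [], []
    for name, rows in by_name.items():
        if len(rows) < 2:
            continue  # unique name, nothing to compare
        rows.sort(key=lambda r: r["seen"], reverse=True)
        # rows[0] reported most recently and is never flagged.
        for older in rows[1:]:
            bucket = stale if older["seen"] < cutoff else review
            bucket.append((name, older["Description"], older["seen"]))
    return stale, review


if __name__ == "__main__":
    stale, review = find_stale_duplicates(SAMPLE_EXPORT, datetime(2013, 5, 3))
    for label, items in (("stale", stale), ("review", review)):
        for name, desc, seen in items:
            print(f"{label}: {name} ({desc}) last message {seen:%Y-%m-%d %H:%M}")
```

Entries in the review list match the case raised in the last reply, where more than one entry of a set keeps updating its Last Message Time, so they are reported separately rather than treated as candidates for cleanup.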