
Computer Details show Events for users not using the device

Hi all,

Just wondering how the computer details of one device can have web events showing the user field as someone who doesn't use that device.

Example: we have a laptop that only one person has ever used, but in computer details it is showing Latest Web Events and Device Control events from users other than the person actually using that laptop.

Any help would be great.

:40049


  • Hello hfs,

    the only reason I know of is computers that have been cloned after Sophos has been installed and RMS hasn't been "reset" on them. Usually computers are renamed and you should see a different name at least in the Computer column of the event. Do you know which computer the "other" users use and are these in SEC?

    Christian 

    :40057
  • Thanks QC,

    What do you mean by RMS hasn't been "reset"?

    :40059
  • Hello hfs,

    the details are in Sophos Anti-Virus for Windows 2000+: incorporating current versions in a disk image, including for use with cloned virtual machines. When Sophos is installed and RMS is initialized a unique "identity" for the computer is generated. If you then clone the machine without following the instructions given in the article the clones will appear as one computer (which frequently changes its IP and possibly name) to SEC.

    Christian   

    :40061
  • Thanks QC,

    That makes perfect sense.

    How do I go about fixing the current clients we have deployed?

    Do I need to perform these tasks, delete the client from the console and start the services again? Will that make them unique?

    Would you recommend a DBPurge to clear any erroneous data?

    :40113
  • Hello hfs,

    Would you recommend a DBPurge to clear any erroneous data?

    hm, rather no unless you really know what you are doing - no offence meant! As you apparently didn't notice the "missing" endpoints your data is - apart from the merged clients - likely not absolutely correct anyway. The number and type of detections are correct, the number of clients (and clients with detections) as well as the events-user-computer association are not - so whatever you do, whether you keep them or purge them, the historical data are incorrect.

    Do I need to perform these tasks? ... Will that make them unique?

    Yes. I have done it (the cloning was outside my control) on running computers. Basically - using a script - I've stopped the relevant services (Message Router, Patch, Web Control), removed the registry keys and files and restarted the services. This should then cause the clients to obtain a unique ID and they will soon after appear as individual endpoints in SEC.

    Deleting the "merged" computer(s) from SEC has not much effect - likely one of the clients will be matched to the old entry (delete just "hides" the endpoint, all data is kept) and this one will retain all the accumulated data.

    Christian 

    :40117
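The stop / remove / restart sequence Christian describes, written out as an added PowerShell example. This is not Christian's script and not Sophos code: the service display names, registry keys and file paths are placeholders (the thread names the services only as Message Router, Patch and Web Control and does not list the keys or files; take the real values from the Sophos article he references). The script backs up every key and file before removing it, honours -WhatIf, and checks that each service actually comes back, so that a typo in the placeholders fails early instead of leaving an endpoint without its services.

```powershell
# Added example, not from the thread: re-initialise a cloned endpoint's RMS identity
# by stopping the relevant services, removing the identity keys/files, and restarting.
# Every name below marked <...> is a PLACEHOLDER to be replaced from the Sophos article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Display names of the services named in the thread (placeholders, assumed).
    [string[]]$ServiceDisplayNames = @('<Message Router service display name>',
                                       '<Patch service display name>',
                                       '<Web Control service display name>'),
    # Registry keys holding the machine identity (placeholder, from the article).
    [string[]]$RegistryKeys = @('HKLM:\SOFTWARE\<identity key from the Sophos article>'),
    # Files holding the machine identity (placeholder, from the article).
    [string[]]$FilePaths = @('C:\ProgramData\<identity file from the Sophos article>'),
    # Where backups of removed keys/files are written before deletion.
    [string]$BackupDir = "$env:TEMP\rms-identity-backup-$(Get-Date -Format yyyyMMddHHmmss)"
)

$ErrorActionPreference = 'Stop'

# Resolve display names to service objects up front; abort if any name is wrong.
$services = @(foreach ($name in $ServiceDisplayNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "No service with display name '$name'; fix the names before continuing." }
    $svc
})

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Stop the services so nothing rewrites the identity while it is being removed.
foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
        Stop-Service -Name $svc.Name -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# 2. Export each identity key with reg.exe, then remove it.
foreach ($key in $RegistryKeys) {
    if (Test-Path $key) {
        $exportFile = Join-Path $BackupDir (($key -replace '[:\\]', '_') + '.reg')
        $regPath = $key -replace ':', ''          # HKLM:\X -> HKLM\X, the form reg.exe expects
        & reg.exe export $regPath $exportFile /y | Out-Null
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path $key -Recurse -Force
        }
    }
}

# 3. Copy each identity file to the backup directory, then remove it.
foreach ($file in $FilePaths) {
    if (Test-Path $file) {
        Copy-Item -Path $file -Destination $BackupDir -Force
        if ($PSCmdlet.ShouldProcess($file, 'Remove file')) {
            Remove-Item -Path $file -Force
        }
    }
}

# 4. Restart in reverse order and confirm each service is running again.
[array]::Reverse($services)
foreach ($svc in $services) {
    if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Start service')) {
        Start-Service -Name $svc.Name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    }
}

Write-Host "Done. Backups are in $BackupDir; the endpoint should now register with a fresh identity."
```

Run it elevated, first with -WhatIf to see which services, keys and files it would touch, then for real; the backup directory lets you restore the old identity if the endpoint fails to re-register.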