So here goes…..
SEP 14.2, Windows installation. Within the firewall policy the checkbox for Enable anti-MAC spoofing is turned on. All is good to here.
We have 3 sites, A, B and C. All sites have the same client on them; they have not been updated since Feb and the SEPM hasn't been touched either.
In the last month we have seen several machines get the usual popup in the bottom right of the desktop with "Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window."
Now, we can see in the logs some activity, like one here and there across the two other sites `A` and `B`, but for site `C` we are seeing a lot more, like 60 a day.
We know the ARP requests are coming from two (2) wireless controllers, but not every client is alerting: of the 200 clients, only 3 have alerted so far.
Is there a limit which is hit for a client which triggers the popup message on the client?
So in trying to get to the bottom of the issue and reading every community MAC/ARP spoofing thread, I have not been able to get any closer.
If I look at the logs in SEPM under Monitor > Logs > Network and Host Exploit Mitigation > Attacks and choose a device, I have a question on the way it presents the log of a device when viewed in DETAIL view.
Log from the SEPM for the client:
When event occurred: LaptopHostname
Current: 10.2.xx4.136 (this is the actual laptop's IP)
When event occurred: 10.2.xx4.254 (this is the wireless controller/AP)
Local MAC: 1C4D7072Dxxx (this is the laptop's MAC address)
User Name: Username
Operating system: Windows 10 Enterprise Edition
Location Name: Default
Domain Name: exampledomain.com
Group Name: My CompanyexampledomainClient DevicesC (site `C`)
Server Name: xxx-SEPM-01
Site Name: Site:xxx_SEPM
Event Time: 18/07/2019 18:04:29
Begin Time: 18/07/2019 18:03:25
End Time: 18/07/2019 18:03:25
Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Event Type: MAC Spoofing
Hack Type: 0
Severity: Minor and above
Application Name: NA
Network Protocol: Other
Traffic Direction: Inbound
Remote IP: 10.2.xx4.136 (this is the laptop's IP address)
Remote MAC: B40C25E08010 (this is the wireless controller/AP MAC address)
Remote Host Name: N/A
Local Port: 0
Remote Port: 0
So I am confused with why the SEPM log has picked up the wireless IP address as its IP address (also the actual client IP address and MAC) under "When Event Occurred" (under the IP address section). This then in turn looks like it is analysing the Remote IP (which is the laptop's actual IP address) and the Remote MAC of the wireless device, so it is all confused and now alerting.
Am I reading the above log correctly?
Any help would be appreciated.
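As an added illustration (not part of the original post, and not Symantec's or the SEP client's own logic, which is not documented on this page), the following Python example models the generic "unsolicited ARP reply" heuristic a host-based anti-MAC-spoofing check uses: an ARP reply counts as solicited only if the host itself sent a request for the advertised IP that is still outstanding. It also includes a second check modelled on the shape of the posted log, a reply that advertises the host's own IP from a foreign MAC, which is how a "Remote IP = laptop's IP, Remote MAC = controller's MAC" pair can arise. The frames, IPs (RFC 5737 range) and locally-administered MACs are constructed for the example and are not the poster's addresses; `ArpReplyMonitor`, `build_arp` and `parse_arp` are names chosen here.

```python
"""Minimal host-side detector for unsolicited ARP replies (added example).

Assumptions (not from the original post): how SEP decides a reply is
"unsolicited" is not documented on the page, so the generic rule is used:
a reply is solicited only if this host has an unanswered request for the
advertised IP. All addresses below are constructed sample data.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s):
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (HTYPE 1, PTYPE IPv4, HLEN 6, PLEN 4).
    Requests are broadcast; replies are unicast to the target MAC."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = _mac(dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not
    IPv4-over-Ethernet ARP (wrong EtherType, header, or too short)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": _fmt_mac(frame[22:28]), "spa": ".".join(map(str, frame[28:32])),
            "tha": _fmt_mac(frame[32:38]), "tpa": ".".join(map(str, frame[38:42]))}


class ArpReplyMonitor:
    """One instance per local host. Reports replies that (a) no request of
    ours is waiting for, (b) advertise our own IP from another MAC, or
    (c) change an IP-to-MAC mapping we already learned. The alert carries
    the sender IP/MAC the reply advertises, i.e. the pair an alert's
    'Remote IP' / 'Remote MAC' fields would naturally show."""

    def __init__(self, my_ip, my_mac):
        self.my_ip, self.my_mac = my_ip, my_mac.lower()
        self.pending = set()   # IPs this host asked about and has not resolved
        self.cache = {}        # IP -> MAC learned from solicited replies
        self.alerts = []

    def process(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        if a["op"] == ARP_REQUEST:
            if a["sha"] == self.my_mac:      # remember what we asked for
                self.pending.add(a["tpa"])
            return None
        if a["op"] != ARP_REPLY:
            return None
        reasons = []
        if a["spa"] == self.my_ip and a["sha"] != self.my_mac:
            reasons.append("another MAC is advertising this host's own IP")
        elif a["spa"] in self.pending:
            self.pending.discard(a["spa"])
            if self.cache.get(a["spa"], a["sha"]) != a["sha"]:
                reasons.append("IP-to-MAC mapping changed since last resolution")
            self.cache[a["spa"]] = a["sha"]
        else:
            reasons.append("unsolicited reply (no outstanding request for this IP)")
        if not reasons:
            return None
        alert = {"remote_ip": a["spa"], "remote_mac": a["sha"], "reasons": reasons}
        self.alerts.append(alert)
        return alert


def demo():
    """Constructed traffic: one solicited exchange, one repeat reply with no
    request, and one reply advertising the laptop's own IP from the controller."""
    laptop_ip, laptop_mac = "192.0.2.136", "02:00:00:00:01:36"
    gw_ip, ctrl_mac = "192.0.2.254", "02:00:00:00:02:54"
    mon = ArpReplyMonitor(laptop_ip, laptop_mac)
    frames = [
        build_arp(ARP_REQUEST, laptop_mac, laptop_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, ctrl_mac, gw_ip, laptop_mac, laptop_ip),   # solicited
        build_arp(ARP_REPLY, ctrl_mac, gw_ip, laptop_mac, laptop_ip),   # unsolicited
        build_arp(ARP_REPLY, ctrl_mac, laptop_ip, laptop_mac, laptop_ip),  # our IP, foreign MAC
    ]
    return [mon.process(f) for f in frames]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running `demo()` gives no alert for the request/reply pair and two alerts for the last two frames; the last alert has `remote_ip` equal to the monitored host's own IP and `remote_mac` equal to the controller's MAC, the same pairing seen in the posted log. Whether the real controllers are sending such replies is something only a packet capture on a site `C` client can confirm.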