Cylance - Duplicate Devices
Description
Table of Contents
- Reasons for Duplicate Devices
- Cylance’s Device Fingerprint
- VMware Image - Duplicate Devices
- Searching for Duplicate Devices
- Related Pages
Reasons for Duplicate Devices
- The most common reason for duplicate devices is non-persistent virtual environments.
- To prevent these duplicate devices it is important to review the VDI Best Practices.
- VDI Best Practices can be found here: Windows installation parameters
- Requirements and considerations for using CylancePROTECT on virtual machines can be found here: Considerations for CylancePROTECT on Virtual Machines
- To prevent these duplicate devices it is important to review the VDI Best Practices.
- Some additional reasons for duplicate devices are:
- Hardware changes
- Significant OS updates/changes (less common)
- Changes that would effect the WMI details queried for the Cylance Device Fingerprint.
Newly registered duplicate devices may be Unzoned and have the Default policy applied.
- It is recommended to periodically check your device list for any devices that have the Default policy.
-
- Tag the new device(s) with the appropriate zone and has the correct policy assigned.
- Remove any old/offline instances of the new device(s) via the ASSETS > Devices page in your Cylance tenant.
- The Cylance Report Cards, sent twice a month, will also indicate if there are unprotected devices that should be reviewed.
Cylance’s Device Fingerprint
CylancePROTECT uses a device fingerprint to uniquely identify devices on which the PROTECT agent is installed.
- When the agent service starts up, it interrogates the device to create a fingerprint.
- Various details are obtained by querying Windows Management Instrumentation (WMI) on the device:
- WMI - root\cimv2: Win32_OperatingSystem. Properties: SerialNumber
- WMI - root\cimv2: Win32_BIOS. Properties: SerialNumber, Manufacturer, IdentificationCode
- WMI - root\cimv2: Win32_Processor. Properties: ProcessorID, Manufacturer, UniqueID, Name, Revision, ProcessorType
- WMI - root\cimv2: Win32_DiskDrive. Properties: SerialNumber, Model, Signature, TotalHeads
- WMI - root\cimv2: Win32_BaseBoard. Properties: SerialNumber, Manufacturer, Model, Product, Version
Any changes to the above properties will cause a new fingerprint to be generated and a new instance created in the console. - If CylancePROTECT fails to generate a device fingerprint on a physical or virtual device, you will need to validate if WMI is working properly.
- The fingerprint algorithm has evolved over time to incorporate more reliable attributes in the fingerprint and bug-fixes. This means that the fingerprint calculated by different versions of the algorithm (for the same device) could be different.
VMware Image - Duplicate Devices
Problem:
- Duplicate devices show in the CylancePROTECT Console when creating and deleting virtual machines based on a VMware gold image (base image).
Cause:
- CylancePROTECT uses a device fingerprint to uniquely identify devices on which the PROTECT agent is installed.
- This feature lets you deploy the agent as part of a gold image or clone virtual machines without any pre-deployment tasks.
- When the agent service starts up, it interrogates the device to create a fingerprint.
- If the fingerprint is different from the one previously seen (for the same device), PROTECT creates a new device in the console.
This issue occurs in the following circumstances:
- A user creates a virtual machine based on a gold image, and deletes it when
they are done with it. - The user creates a new virtual machine with the same gold image.
- CylancePROTECT creates a new UUID, as the device fingerprint has changed. This creates a duplicate device in the console.
Solution:
- VMware View QuickPrep is used to build a machine off of a base image.
- Before using this machine, it is recommended to create a snapshot of the machine.
- After the machine has served its purpose, instead of deleting it, revert back to the snapshot.
- This will keep the virtual machine's UUID and not create duplicates.
Searching for Duplicate Devices
The Name column represents the Cylance friendly name. - The Cylance friendly name can be changed by the Cylance administrator in the console for convenience or better device representation.
- This does not change the device’s FQDN (Fully Qualified Domain Name).
- The Cylance friendly name can be changed by the Cylance administrator in the console for convenience or better device representation.
- The DNS Name column represents the FQDN name and cannot be changed in the Cylance console.
- Export a complete list of the devices from the ASSETS > Devices tab in your Cylance tenant.
- Keep only the following columns:
- DNS Name
- MAC Addresses
- State
- Offline Date
- Added
- Zones
- Sort all data alphabetically by DNS Name.
- Be sure to “Expand the selection” when given the option.
- Be sure to “Expand the selection” when given the option.
- Use Conditional Formatting to highlight duplicate values in the following columns.
- DNS Name
- MAC Addresses
- Any highlighted devices should be reviewed to determine if a duplicate will need to be removed.
- If there is a duplicate:
- The older/offline instance of a duplicate device should be removed from the Cylance tenant via the ASSETS > Devices page.
- Make sure the new/online instance is tagged with the appropriate zone and has the correct policy assigned. Devices with the same DNS Name but different MAC addresses could be the result of a device that has been decommissioned but never removed from the Cylance tenant.
Related Articles
not finding your answers?