I want to be sure I understand the Threat list as it is used with continuous scan in LANsurveyor.
Let’s say an open map is being continuously scanned for the addition of rogue devices. Then a device that has already been mapped is disconnected from the network, LS scans the network, then the device is reconnected to the network.
When a new device (a device that is not on the map and not part of the Threat List) is found through Continuous Scan, the item is added to the Threat List. A device that has been mapped will not go into the Threat List if the device is not found in a subsequent scan, even if it is found again in a later scan.
I was thinking that even if a device has ever been mapped one time, it could be on the threat list: for example, if that device changed switch port connection or switch address (and the options are correctly checked).
Something that I noticed: if I connect a new device which is detected in the threat list. I changed the IP address and switch port connection. Continuous scan updates the switch port connection but on the old IP address. So if I try to "find node", LS is unable to find my node with the new IP address. Is it normal?
About Continuous Scan, I also have one question: what is the difference between a threat with a green ticket and a red exclamation? Green ticket for authenticated nodes or nodes that have ever been mapped?
Some feedback about Continuous Scan: I think that a delete button or a button to change status to "Approved node" or "Authenticated node" would be great. The Delete button is not intuitive for all.
Hi Arcastor,
You are correct: an existing node on a map can be added to the Threat List. Your example is a good one: depending on how options are set in Continuous Scan, if a node changes its Layer 2 connectivity (changes switches or switch ports), it can be added to the Threat List.
Regarding the green check or red exclamation, I think you are referring to the icons at the far left of a Threat List entry (to the left of the Node Name). These icons indicate whether a node is authenticated or not. By default, the authentication methods are via the LANsurveyor Responder and SNMP. Click the Options button in the Continuous Scan window, then select the "IP Node Responses" tab to select additional authentication methods.
Finally, thanks for your feedback regarding the Delete/Approve button.