With the LDCBKillNics in place you can still talk to the vPro part of the computer, even if it is the web site. You can look at the inventory of the machine under the AMT Information; there is a Current Policy Name that would list what System Defence you have in place. You can also try and ping the IP address of the machine that you are working on.
This is great information. I have checked and on the machine Current Policy Name is LDCBKillNics. It now looks like communication has been killed. However, the device still isn't showing up in the System Defense Remediation.
Also, I've set the default Policy to be LDCBSYNFlood. I've checked other machines that have been provisioned and there are no entries for Current Policy Name. I set this yesterday from a remote console and checked to see if the core had held the settings and it did. I'm not sure why the other machines aren't seeing the policy.
Any suggestions on these problems?
The LDCBKillNics is not a system defense that can be remediated (it is on or off), so it would not move a machine into that. The items that can be remediated are items that have to be triggered by an event. The LDCBKillNics is a way that, as an admin, you can lock down a machine's NICs manually.
As far as setting the default, it should only apply to new machines that get provisioned after applying the change. The changes that get made here do not get pushed out to a machine that has already been provisioned. You can multi-select machines in the inventory, then right-click and apply a system defense policy to multiple machines at the same time.
I have set a default defense profile and in my lab it does not look to apply this on a newly provisioned machine like I think it should. Let me address engineering about this and I will get back to you on it.
Thank you for looking into this. I really appreciate your guys' efforts. In regards to the KillNic process I was using, I think I pulled that information from an Intel document that was for vPro using LANDesk. I will try to locate the article and confirm what it said. Also, I've sent a list of 7 items to Kevin. I'm not sure if he passed it on to you. The list is more of issues I've come across that I would like to see if you have answers to or have simply come across. Again, thank you for everything.
About the LDCBKillNics, I read that it is part of the four pre-defined SD policies. The article stated:
Once SD triggers an alert, the alert is displayed in the LSM log. LANDesk and Intel AMT limit network access by replacing the current client policy with the Kill All NICs policy when SD is triggered. The client machine is also placed in the Remediation queue, which can be found in Configure | Intel vPro Options | System Defense | Remediation.
is removed and the previous policy is re-applied. The administrator must manually perform the actual remediation of removing the virus or spyware, or fixing whatever caused the SD to be triggered.
I suppose because I thought this snippet was referring to all four of the pre-defined SD policies (UDP flood, SYN flood, FTP access, and Kill All NICs), no matter which one it was they would go to remediation.
What is the suggested method to remove the KillAllNic Policy? Simply to just send another policy such as UDP, SYN, or FTP to the machine?
Yes, the way to remove the KillNics is to put a different one on the machine, or the remove all.