I have a client MacBook Pro which shows up every single day under connected clients, and is listed under MX events as an IDS alert. This Mac was never connected through VPN, and has not been in the building for over a month. The IP address that it resolves to varies, but sometimes resolves to the firewall itself. I will be honest, I am a little worried, but the MX does always pick it up and block it. Almost 2 months ago I went over this Mac with a fine-tooth comb and did extensive malware/spyware/rootkit/virus scanning of the device, which ALL came out clean. Sometimes the IP address it resolves to is one of our VMware IPs. So in summary, the device is not in the building, nor is it connected through VPN. It shows up every day in MX events as an IDS alert, with the reported IP as either the MX itself, or one of the IPs associated with our VMware servers. Another tidbit: this Mac was never domain joined; that was before my time. I like a good puzzle, but I have tried to figure this one out by myself long enough. Nothing in DNS or DHCP. I thought scavenging maybe wasn't working, but it looks OK. Nothing listed in AD at all that references this, neither computer nor user. I don't know if this matters, but it says MacBook-Pro, Meraki Network OS in the IDS alert. Thank you in advance! I appreciate it.