I've been running a campaign for some time now and I've mostly given the matrix a very basic treatment.
What I want to do now is beef up my cyber security to give a bit more depth to the matrix.

My question is; how does an agent or IC know if a runner in one of their nodes with a user/security/admin isn't meant to be there?

I know you would get the agent or IC to do a Analyze Icon/Node simple action but if the runner had an account for the node why would the agent or IC do anything about it?

Thanks, and any help constructing matrix systems would also be appreciated.

Knowing basic hacking techniques, admin accounts could set an authorized list of users. If a new account appears without an existing admin either creating it or tagging it as okay, that might raise some alarms, if the hacker didn't technobabble to get around that when creating a new account. Perhaps the IC is coded with some signs to look for that appear on legitimate users that a hacker probably wouldn't know about (abstracted in game with the stealth program ), such as a certain icon style.

Though you have given yourself a certain level of access you don't necessarily have all the correct coding on your icon. So while the system will respond to commands from your persona its heuristic system is constantly checking to make sure that everything is legit (or at least not corrupt or broken). When a security agent/IC encounters a new persona it checks it against whatever safe list it has or tags the persona is supposed to have. It is likely the character is not on that list or has the correct coding. That is why most hackers/techno run in stealth mod. Keeps those pesky programs from even detecting you there. I have seen the matrix run at least a dozen different ways and the cheese answer is find a way that is most fun for your players and yourself. If getting admin access grants near immunity to analyze and IC in your campaign then that is fine. If you want to slog through every guys rating 2 commlink with tons of opposed tests that is also a way to go.

So putting in an IC with a beefy scan program to pick up illegitimate users in nodes where I want a bit of cyberspace action to occur would be a good way to go?

Indeed, but after the first few times you pull this, your players will wise up and grab the Disarm program from Unwired, start using it on the node they're on first thing to make Analyze literally unable to do any thing unpleasant to them.

Or they start with viral warefare, getting analyze infected with an "inertia" Virus and all running programs with "Swiss Cheese" Virus is very effective.

For really secure systems you can use some of the alternate methods of verification in Unwired, like the various passkeys (biometric, alchemical, etc). If the PC commlink doesn't have one of these plugged in, then they are pretty much guaranteed to be tagged as intruders. Nothing preventing them from stealing one from someone of course, or just using some poor shmuck's commlink with the right passcodes. But that puts them into social engineering or kidnapping and gets the whole group involved in the hack, which is a good thing.

Analyze, not Scan, but yes.