We are in the process of deploying CSA ver5.0 in our company. I have read through the 2 Cisco Press books but wanted to get a feel for what real companies are using as their groups. We have the All Windows, Desktops All Types, Desktops Remote or Mobile and CTA. Anyone think this is overkill or under protection for a starting point?
The only problem we have run into so far is the IBM laptop touchpad driver is being detected as an untrusted rootkit. If anyone else has encountered this, I would like to hear about your solution. TAC is still working with us on this to create an exception that works.
I was able to add several drivers, including the Synaptics Touchpad driver, as trusted rootkits by creating a Kernel Protection rule that sets them as trusted.
You should be able to do the same with the IBM driver. You can use the wizard to create the initial rule and then modify it to set the drivers as trusted.
I removed the hashes and added a relative path wildcard in front of the drivers and left the code pattern alone.
It takes a while for the "Untrusted Rootkit Detected" status to go away, but it does.
I think that may be overkill for a pilot group, which is where I hope you plan to start. You will want to import a few (you decide what a few is), then slowly adjust and add. What I mean is that you should adjust those rules that are blocking operation. Then add a few more policies and such.
Several people have several ways of doing things. Some will suggest just using the wizard for everything; many will tell you to clone all the groups and modify those only. Cloning is a pretty smart way to keep a reference point. Again, I'm suggesting that you start off small and build up to the baseline.
Regarding the rootkit, that is a hard one. The only way to allow rootkits is to use the wizard. The wizard will pull the hashes and application and make the exception. I have found a similar issue with Symantec, leaving me with the only option of disabling the notification or adding hashes on the fly.
Hope this helps. If you need any info on rule/policy creation, just ask. I will help as best I can.