CSA detects rootkit, but no process is shown in event

Unanswered Question
Jun 6th, 2007

I am getting a strange event during a csa 5.2 pilot, csa detects a rootkit but it does not in the details tell me what process it is, but only this memory address as Pstring : [email protected]

Anybody know what this is, and how i could find out what process is doing this ? pslist doesn't show any unknown processes that would indicate some sort of malware.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
228822549 Tue, 06/12/2007 - 11:05

Requesting guidance... I'm having a very hard time finding CSA professionals who can manage multiple implementation on CSA. I thought the best thing to do was to go to the source and ask for suggestions as to how I can find these "hard to find" gems.

Your assistance is greatly appreciated.

EA

tsteger1 Tue, 06/12/2007 - 13:27

Hi Eileen

Are you looking for implementation guidance or someone to manage the implementations?

Tom

tsteger1 Tue, 06/12/2007 - 13:53

Eileen, can you put a contact email address in your profile?

Thanks,

Tom

228822549 Wed, 06/13/2007 - 06:20

Tom,

I checked the box off in my profile so that you can view my e-mail address. I also sent you an e-mail message.

Looking forward to receiving a message from you.

Thanks,

Eileen

tsteger1 Tue, 06/12/2007 - 13:43

Hi Jan

Is this only happening on one hardware platform?

Rootkit positives are usually hardware drivers like keyboard filters or monitors and touchpad drivers.

Uphclean also reports as a rootkit.

You might be able to make an exception using the memory address string if it rarely changes.

You could also try running Process Explorer from Sysinternals http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and logging the processes for a while then examining the logs.

The tricky part is that it may only show up at logon or logoff.

Tom

jan.nielsen Tue, 06/12/2007 - 23:07

Hi Tom

Thanks for the reply, i am well aware of the problems with detecting rootkits properly. I am just worried that this is an actual rootkit and not a false positive. I have run pslist and rootkit revealer from sysinternals with no luck, but maybe i should try to monitor a little closer during boot, and my next step is to go to the site where the pc is located and check it myself.

Actions

This Discussion