CSA detects rootkit, but no process is shown in event

Unanswered Question
Jun 6th, 2007

I am getting a strange event during a CSA 5.2 pilot: CSA detects a rootkit, but the details do not tell me what process it is, only this memory address as Pstring: [email protected]


Anybody know what this is, and how I could find out what process is doing this? pslist doesn't show any unknown processes that would indicate some sort of malware.

228822549 Tue, 06/12/2007 - 11:05

Requesting guidance... I'm having a very hard time finding CSA professionals who can manage multiple implementations of CSA. I thought the best thing to do was to go to the source and ask for suggestions as to how I can find these "hard to find" gems.


Your assistance is greatly appreciated.

EA

tsteger1 Tue, 06/12/2007 - 13:27

Hi Eileen


Are you looking for implementation guidance or someone to manage the implementations?


Tom

tsteger1 Tue, 06/12/2007 - 13:53

Eileen, can you put a contact email address in your profile?


Thanks,

Tom

228822549 Wed, 06/13/2007 - 06:20

Tom,


I checked the box off in my profile so that you can view my e-mail address. I also sent you an e-mail message.


Looking forward to receiving a message from you.


Thanks,

Eileen

tsteger1 Tue, 06/12/2007 - 13:43

Hi Jan


Is this only happening on one hardware platform?


Rootkit positives are usually hardware drivers like keyboard filters or monitors and touchpad drivers.


UPHClean also reports as a rootkit.


You might be able to make an exception using the memory address string if it rarely changes.


You could also try running Process Explorer from Sysinternals http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and logging the processes for a while then examining the logs.


The tricky part is that it may only show up at logon or logoff.


Tom
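Tom's suggestion above is to log the process list repeatedly and then look for anything that only exists around logon or logoff. The analysis half of that is easy to automate. The following is an added example, not code from the original thread or from Cisco: it parses a log produced by a wrapper that appends a timestamp header and one "name pid" line per process (the shape of pslist or tasklist output) on every run, and reports the processes that are missing from at least one snapshot, i.e. the ones that started or exited during the capture window. The log contents are constructed sample data; the header format "### YYYY-MM-DD HH:MM:SS" is an assumption about how the wrapper writes it.

```python
"""Find transient processes in a series of process-list snapshots.

Added example for the thread above, not part of CSA or Sysinternals.
Assumes a log where every snapshot begins with a line "### <timestamp>"
followed by one "<image name> <pid>" line per running process, which is
what a loop around pslist/tasklist that appends to a file would produce.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three snapshots taken 20 s apart across a logon.
SAMPLE_LOG = """\
### 2007-06-12 07:59:50
System 4
smss.exe 368
csrss.exe 580
winlogon.exe 604
services.exe 648
### 2007-06-12 08:00:10
System 4
smss.exe 368
csrss.exe 580
winlogon.exe 604
services.exe 648
userinit.exe 1204
synaptics.exe 1240
### 2007-06-12 08:00:30
System 4
smss.exe 368
csrss.exe 580
winlogon.exe 604
services.exe 648
explorer.exe 1312
"""


def parse_snapshots(text):
    """Return a list of (timestamp, {(name, pid), ...}) tuples, one per snapshot."""
    snapshots = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("### "):
            current = (datetime.strptime(line[4:], "%Y-%m-%d %H:%M:%S"), set())
            snapshots.append(current)
        elif current is not None:
            # Image names can contain spaces, so split off only the trailing pid.
            name, pid = line.rsplit(None, 1)
            current[1].add((name.lower(), int(pid)))
    return snapshots


def transient_processes(snapshots):
    """Map (name, pid) -> (first_seen, last_seen, snapshots_present) for every
    process that is absent from at least one snapshot.  Keying on (name, pid)
    rather than name alone also catches a process that restarts under a new pid."""
    seen = defaultdict(list)
    for ts, procs in snapshots:
        for proc in procs:
            seen[proc].append(ts)
    total = len(snapshots)
    return {
        proc: (times[0], times[-1], len(times))
        for proc, times in seen.items()
        if len(times) < total
    }


def report(text):
    """Render the transient processes of a log as one line each, oldest first."""
    found = transient_processes(parse_snapshots(text))
    lines = []
    for (name, pid), (first, last, count) in sorted(found.items(), key=lambda kv: kv[1][0]):
        lines.append(f"{name} (pid {pid}): seen {count}x, {first:%H:%M:%S} .. {last:%H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run the capture loop at a short interval (a few seconds) spanning a full logoff and logon, then feed the file to `report()`; anything that shows up in only one or two snapshots is the candidate to check. Note that a process list will never show the kernel drivers Tom mentions as the usual cause of these positives; for those, `driverquery` lists the loaded drivers on Windows XP/2003 and can be captured in the same loop.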

jan.nielsen Tue, 06/12/2007 - 23:07

Hi Tom


Thanks for the reply. I am well aware of the problems with detecting rootkits properly. I am just worried that this is an actual rootkit and not a false positive. I have run pslist and RootkitRevealer from Sysinternals with no luck, but maybe I should try to monitor a little closer during boot, and my next step is to go to the site where the PC is located and check it myself.
