06-06-2007 12:52 AM - edited 03-09-2019 06:07 PM
I am getting a strange event during a CSA 5.2 pilot: CSA detects a rootkit, but the details do not tell me what process it is, only this memory address as Pstring: unknown@0x858aa898
Anybody know what this is, and how I could find out what process is doing this? pslist doesn't show any unknown processes that would indicate some sort of malware.
06-12-2007 06:06 AM
You may be hitting the bugs CSCsd04310 and CSCse54577.
06-12-2007 11:05 AM
Requesting guidance... I'm having a very hard time finding CSA professionals who can manage multiple implementations of CSA. I thought the best thing to do was to go to the source and ask for suggestions as to how I can find these "hard to find" gems.
Your assistance is greatly appreciated.
EA
06-12-2007 01:27 PM
Hi Eileen
Are you looking for implementation guidance or someone to manage the implementations?
Tom
06-12-2007 01:53 PM
Eileen, can you put a contact email address in your profile?
Thanks,
Tom
06-13-2007 06:20 AM
Tom,
I checked the box off in my profile so that you can view my e-mail address. I also sent you an e-mail message.
Looking forward to receiving a message from you.
Thanks,
Eileen
06-12-2007 01:43 PM
Hi Jan
Is this only happening on one hardware platform?
Rootkit positives are usually hardware drivers like keyboard filters or monitors and touchpad drivers.
Uphclean also reports as a rootkit.
You might be able to make an exception using the memory address string if it rarely changes.
You could also try running Process Explorer from Sysinternals http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and logging the processes for a while then examining the logs.
The tricky part is that it may only show up at logon or logoff.
Tom
06-12-2007 11:07 PM
Hi Tom
Thanks for the reply. I am well aware of the problems with detecting rootkits properly. I am just worried that this is an actual rootkit and not a false positive. I have run pslist and RootkitRevealer from Sysinternals with no luck, but maybe I should try to monitor a little closer during boot, and my next step is to go to the site where the PC is located and check it myself.