614 Views, 0 Helpful, 7 Replies

CSA detects rootkit, but no process is shown in event

jan.nielsen
Level 7

I am getting a strange event during a CSA 5.2 pilot: CSA detects a rootkit, but the details do not tell me which process it is, only this memory address as Pstring: unknown@0x858aa898

Anybody know what this is, and how I could find out what process is doing this? pslist doesn't show any unknown processes that would indicate some sort of malware.

7 Replies

sbilgi
Level 5

You may be hitting bugs CSCsd04310 and CSCse54577.

228822549
Level 1

Requesting guidance... I'm having a very hard time finding CSA professionals who can manage multiple implementations of CSA. I thought the best thing to do was to go to the source and ask for suggestions as to how I can find these "hard to find" gems.

Your assistance is greatly appreciated.

EA

Hi Eileen

Are you looking for implementation guidance or someone to manage the implementations?

Tom

Eileen, can you put a contact email address in your profile?

Thanks,

Tom

Tom,

I checked the box off in my profile so that you can view my e-mail address. I also sent you an e-mail message.

Looking forward to receiving a message from you.

Thanks,

Eileen

tsteger1
Level 8

Hi Jan

Is this only happening on one hardware platform?

Rootkit positives are usually hardware drivers like keyboard filters or monitors and touchpad drivers.

Uphclean also reports as a rootkit.

You might be able to make an exception using the memory address string if it rarely changes.

You could also try running Process Explorer from Sysinternals http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and logging the processes for a while then examining the logs.

The tricky part is that it may only show up at logon or logoff.

Tom
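Since the Pstring above carries only a kernel-space address (0x858aa898 lies in the upper 2 GB of a 32-bit Windows kernel), one defensive first step before visiting the machine is to see which loaded driver image that address falls in. The helper below is an added example, not CSA or Sysinternals code; it assumes the psapi EnumDeviceDrivers/GetDeviceDriverBaseNameW APIs on Windows and a hypothetical 2 MiB span per driver, because psapi reports image bases but not sizes, so treat a hit as a lead to confirm in Process Explorer, not as proof.

```python
"""Map a CSA rootkit Pstring such as unknown@0x858aa898 to the loaded kernel
driver whose image base is nearest at or below that address (added example)."""
import ctypes
import sys
from typing import Dict, Optional, Tuple


def parse_pstring(pstring: str) -> int:
    """'unknown@0x858aa898' -> 0x858aa898: the hex address after the '@'."""
    _name, _, addr = pstring.rpartition("@")
    if not addr.lower().startswith("0x"):
        raise ValueError(f"no hex address in {pstring!r}")
    return int(addr, 16)


def nearest_driver(addr: int, drivers: Dict[int, str],
                   max_span: int = 0x200000) -> Optional[Tuple[str, int]]:
    """Return (driver name, offset) for the image base nearest at/below addr.
    EnumDeviceDrivers gives bases only, so max_span (assumed 2 MiB) bounds how
    far above a base we still attribute the address; pool memory between
    images can still produce a misleading nearest base."""
    below = [base for base in drivers if base <= addr]
    if not below:
        return None
    base = max(below)
    if addr - base > max_span:
        return None
    return drivers[base], addr - base


def loaded_drivers_windows() -> Dict[int, str]:
    """Enumerate loaded kernel driver image bases via psapi (Windows only)."""
    psapi = ctypes.WinDLL("psapi")
    needed = ctypes.c_ulong(0)
    psapi.EnumDeviceDrivers(None, 0, ctypes.byref(needed))  # size query
    count = needed.value // ctypes.sizeof(ctypes.c_void_p)
    bases = (ctypes.c_void_p * count)()
    if not psapi.EnumDeviceDrivers(bases, needed, ctypes.byref(needed)):
        raise ctypes.WinError()
    name = ctypes.create_unicode_buffer(260)
    found: Dict[int, str] = {}
    for base in bases:
        if base and psapi.GetDeviceDriverBaseNameW(ctypes.c_void_p(base), name, 260):
            found[base] = name.value
    return found


if __name__ == "__main__":
    pstring = sys.argv[1] if len(sys.argv) > 1 else "unknown@0x858aa898"
    if sys.platform != "win32":
        sys.exit("driver enumeration needs Windows; the lookup itself is portable")
    print(nearest_driver(parse_pstring(pstring), loaded_drivers_windows())
          or "no loaded driver image near that address")
```

Run it on the affected PC as an administrator (the address is only meaningful on the machine that raised the event); a keyboard, touchpad or filter driver coming back supports Tom's false-positive reading, while a base that no listed driver explains is worth the site visit.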

Hi Tom

Thanks for the reply. I am well aware of the problems with detecting rootkits properly. I am just worried that this is an actual rootkit and not a false positive. I have run pslist and RootkitRevealer from Sysinternals with no luck, but maybe I should try to monitor a little closer during boot, and my next step is to go to the site where the PC is located and check it myself.
