Exception Rule wizard

Unanswered Question
Jul 10th, 2007

Events in CSA MC for agents show system state along with details, rule & wizard. What does system state mean?

When I follow the wizard to create an exception rule, when I click Finish it gives an error "see csamclog.txt for details". I checked the log file and it shows

"[PID=3800] [webadmin]: {Invalid network interface specification Broadcom NetXtreme Gigabit Ethernet.<br> Expected components for wireless interfaces (separated by backslash characters): type, mode, encryption, SSID.<br> Expected components for PPP interfaces (separated by backslash characters): interface type, device type, device, remote computer.<br> Expected components for other interfaces: type, name.} {Invalid network interface specification VMware Virtual Ethernet Adapter for VMnet1.<br> Expected components"

tsteger1 Tue, 07/10/2007 - 13:51

System state is used to apply additional rules to a host and is usually set when a "set" rule is triggered.

An example is "Untrusted Rootkit Detected".

If the Kernel Protection rule detects a driver loading dynamically that it doesn't recognize as trusted, it applies the "Untrusted Rootkit Detected" system state to the host.

It then activates the "Rootkit lockdown module" dynamically which prevents the host from communicating as a client or server.

The system state must be reset from the MC and should be done after you've made an exception (for a false positive) or disinfected the machine.

Not sure why the wizard was giving you errors unless it didn't recognize the network interfaces discovered.

You should be able to view all your network interface variables under:

Configuration > Variables > Network Interface Sets


TradeSecrets Wed, 07/11/2007 - 06:02

Hi there,

Also be careful.

CSA Shims don't install on the VMware server when installing on one of the hosts. I ran into a small problem with this.

