CSA-How to allow a keylogger/screen capture?

tim_graham
Level 1

I need to allow a screen capture/keylogger component of some software we use to function.

The software records phone calls and matches them with key strokes and screen captures for customer service management.

This software uses \WINDOWS\System32\Drivers\PHW2KSYS.SYS.

CSA keeps setting the hosts to Rootkit Untrusted.

I have created a rule to reset the hosts to Trusted, but would rather address this at the source.

The Wizard allowed me to set the hosts to Trusted, but only uses the module hash.

Is there a way I can tell the MC that this file (and probably others to follow) should be allowed?

3 Replies

tsteger1
Level 8

Just modify the path to make it broader.

Try \**\PHW2KSYS.SYS

Tom

Thanks for the input, but the problem isn't the path.

The problem is that phw2ksys.sys is recognized as part of a keylogger, and is treated as such.

I need to either find the rule causing the host to be put into untrusted rootkit and modify it, or try to create a rule from scratch to do this.

I'm hoping that someone else has run into this and done the groundwork for me :)

Sorry, maybe I didn't read or answer your first post correctly.

You need to create a "set as trusted" rootkit rule with *\**\phw2ksys.sys in the "Modules modify kernel functionality" field. (I had the syntax wrong before)

CSA will process the "set as trusted" rule first and then it won't keep resetting the system state to untrusted rootkit detected.

Tom
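As an added example (not code from this thread or from CSA itself), the snippet below shows how the two patterns proposed above behave against the driver path from the original post, and how a path rule can be tightened with a pinned module hash instead of trusting the path alone. The wildcard semantics are an assumption: `**` is taken to span any number of path components and `*` to match within a single component, case-insensitively; the function names and the sample driver bytes are constructed.

```python
import fnmatch
import hashlib
from dataclasses import dataclass


def _match(pat_parts, path_parts):
    """Recursive component matcher (assumed CSA-style semantics).
    '**' consumes zero or more components; any other token is a
    single-component glob, so '*' cannot cross a backslash."""
    if not pat_parts:
        return not path_parts
    head, rest = pat_parts[0], pat_parts[1:]
    if head == "**":
        return any(_match(rest, path_parts[i:]) for i in range(len(path_parts) + 1))
    if not path_parts:
        return False
    return (fnmatch.fnmatchcase(path_parts[0].lower(), head.lower())
            and _match(rest, path_parts[1:]))


def path_matches(pattern: str, path: str) -> bool:
    """Split a Windows path and a CSA-style pattern on '\\' and compare.
    A pattern that starts with '\\' yields an empty first component, which
    never matches a drive letter such as 'C:' (assumed to be why the
    leading '*' in '*\\**\\phw2ksys.sys' is needed)."""
    return _match(pattern.split("\\"), path.split("\\"))


@dataclass
class TrustRule:
    """A 'set as trusted' module rule: path pattern plus optional hash pin.
    An empty pin set trusts any file at a matching path, so anything
    dropped at that location would inherit trust; pinning SHA-256 values
    keeps the rule broad on location but narrow on content."""
    pattern: str
    pinned_sha256: frozenset = frozenset()

    def allows(self, path: str, module_bytes: bytes) -> bool:
        if not path_matches(self.pattern, path):
            return False
        if not self.pinned_sha256:
            return True
        return hashlib.sha256(module_bytes).hexdigest() in self.pinned_sha256


# Constructed sample: the driver path from the post and stand-in file contents.
DRIVER_PATH = r"C:\WINDOWS\System32\Drivers\PHW2KSYS.SYS"
DRIVER_BYTES = b"constructed stand-in for PHW2KSYS.SYS contents"
```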
