CSA 5.2 & rootkit detection

Answered Question
Aug 26th, 2007

Hello !

On two of our PCs there is special SW installed (Winternals and VMWare. During boot CSA detects this SW as rootkits and puts the systems in untrusted state. What is disturbing is that both machines are then begining to work in TESTMODE. After I reset system state of both agents systems continue to work normal, meaning that CSA is not in test mode anymore.

Any clue, how can I avoid putting in test mode when systems start ?

I have this problem too.
0 votes
Correct Answer by tsteger1 about 9 years 4 months ago

Hello Marko, the Rootkit Lockdown Module is in testmode (by default) so anything triggered by the system state will also be in testmode.

I don't believe the systems are in testmode, just the alerts from this rule.

Tom

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
Correct Answer
tsteger1 Mon, 08/27/2007 - 22:24

Hello Marko, the Rootkit Lockdown Module is in testmode (by default) so anything triggered by the system state will also be in testmode.

I don't believe the systems are in testmode, just the alerts from this rule.

Tom

m.vuckovic Tue, 08/28/2007 - 05:20

Tom,

thank you very much. You're absolutely right. I trust those applications, so I will make an exclusion for them.

Best regards, Marko

Actions

This Discussion