Why would a process be labeled '<Unknown: nnnn>' by CSA?

Unanswered Question
Oct 7th, 2008

Recently, a few Windows XP clients have been experiencing a very annoying behavior. A whole raft of processes are showing up in the logs as '<Unknown: [pid]>' and user query responses about actions performed on or by these processes do not get associated with anything else done later on the box, even if the user is doing exactly the same thing.

What would cause a process to be labelled 'unknown'? Is this a misconfiguration in one of my rule modules or a bug?

tsteger1 Tue, 10/07/2008 - 21:32

I would look for an autoupdate or other automatic process on the PCs in question.

We had some similar messages when AutoCAD tried to check for licenses and had to create a kernel only exception for it.


moore_j58 Thu, 10/09/2008 - 06:00


Automatic updates aplenty. We run WSUS. In addition, Trend Micro, Firefox, Adobe Acrobat, and Sun's JRE all run scheduled automatic updates on our clients from time to time.

Help me out with the 'kernel only' exception. How do you build this?

Jim Moore

tsteger1 Thu, 10/09/2008 - 13:35

Hi Jim,

Our machines run all of those too (except Firefox) but they don't cause the alerts in CSA 5.2.

Below is a link to a Cisco Security Agent Kernel-only Protection Configuration Example.

It's for version 4.5 though so may be dated.

What version are you running?



moore_j58 Fri, 10/10/2008 - 10:11


We run CSA 5.2. The rule that gets triggered is 834 in the stock Base Application Permissions - Medium Security rule module. The rule queries the user about a process writing to memory owned by another process. The applications that trip this rule in our environment include Firefox, Word, Outlook, Explorer and cmd.exe, always against an unknown process. Known processes are typically logged with the path to the file holding the executable code being run by the process. So, does this mean that these applications generate dynamic code in system memory and execute it as a separate process? Or does CSA give up when trying to identify the filesystem path of certain kinds of code?

I think I need an exception to rule 834, but I can't see how to define the target applications.

