Why would a process be labeled '<Unknown: nnnn>' by CSA?

moore_j58
Level 1

Recently, a few Windows XP clients have been experiencing a very annoying behavior. A whole raft of processes are showing up in the logs as '<Unknown: [pid]>' and user query responses about actions performed on or by these processes do not get associated with anything else done later on the box, even if the user is doing exactly the same thing.

What would cause a process to be labelled 'unknown'? Is this a misconfiguration in one of my rule modules or a bug?

4 Replies

tsteger1
Level 8

I would look for an autoupdate or other automatic process on the PCs in question.

We had some similar messages when AutoCAD tried to check for licenses and had to create a kernel only exception for it.

Tom

Tom,

Automatic updates aplenty. We run WSUS. In addition, Trend Micro, Firefox, Adobe Acrobat, and Sun's JRE all run scheduled automatic updates on our clients from time to time.

Help me out with the 'kernel only' exception. How do you build this?

Jim Moore

Hi Jim,

Our machines run all of those too (except Firefox) but they don't cause the alerts in CSA 5.2.

Below is a link to a Cisco Security Agent Kernel-only Protection Configuration Example.

It's for version 4.5 though so may be dated.

What version are you running?

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fproducts%2Fsw%2Fsecursw%2Fps5057%2Fproducts_configuration_example09186a00805f0c18.shtml&pos=1&strqueryid=3&websessionid=1M8DgQUS9khEB4UKt3vRylv

Tom

Tom,

We run CSA 5.2. The rule that gets triggered is 834 in the stock Base Application Permissions - Medium Security rule module. The rule queries the user about a process writing to memory owned by another process. The applications that trip this rule in our environment include Firefox, Word, Outlook, Explorer and cmd.exe, always against an unknown process. Known processes are typically logged with the path to the file holding the executable code being run by the process. So, does this mean that these applications generate dynamic code in system memory and execute it as a separate process? Or, does CSA give up when trying to identify the filesystem path of certain kinds of code?

I think I need an exception to rule 834, but I can't see how to define the target applications.
