CSA 6.0 Problem with \??\ preceding a file.

Unanswered Question
Aug 12th, 2009

We have a message in the Event Log about a Kernel functionality being modified by the module:


\\??\Windows\system32\drivers\mkbd.sys


\\??\Windows\system32\drivers\mkbd.sys is monitoring the keyboard.


Any idea what the "??" mean? We can't use the wizard to tune it.


Thanks in advance.

jan.nielsen Fri, 08/14/2009 - 14:36

Could be VMware Workstation virtual keyboard driver. You should be able to whitelist as an option in the wizard.

pmccubbin Sun, 08/16/2009 - 08:52


Hi Jan,

Thanks for the reply.


When we try to whitelist via the Wizard the CSAMC throws an error and doesn't allow this operation to proceed.


I am opening a TAC case and will post results.



jan.nielsen Mon, 08/17/2009 - 04:31

What is the error that it throws?

pmccubbin Wed, 08/26/2009 - 09:26

Just wanted to offer an update. We have a TAC case open and the Business Unit is looking into the case.


Attached is the error message.


As a bit of background, we are running the CSAMC on a VMware machine.


When I hear more I will post it. Thanks.



deshaw Fri, 08/28/2009 - 01:34

We have also faced similar issues with CSA 6.0 and this known issue is fixed in 6.0.0.220 and later versions.


daneilhudson Fri, 09/11/2009 - 04:13

You could manually write a rule using **\Windows\system32\drivers\mkbd.sys as a definition for the application. I suspect that @system would work as well. Just create an application class and add that as an exception to the triggering rule.
