Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSA 5.2 & rootkit detection

Hello !

On two of our PCs there is special SW installed (Winternals and VMWare. During boot CSA detects this SW as rootkits and puts the systems in untrusted state. What is disturbing is that both machines are then begining to work in TESTMODE. After I reset system state of both agents systems continue to work normal, meaning that CSA is not in test mode anymore.

Any clue, how can I avoid putting in test mode when systems start ?

1 ACCEPTED SOLUTION

Accepted Solutions
Blue

Re: CSA 5.2 & rootkit detection

Hello Marko, the Rootkit Lockdown Module is in testmode (by default) so anything triggered by the system state will also be in testmode.

I don't believe the systems are in testmode, just the alerts from this rule.

Tom

2 REPLIES
Blue

Re: CSA 5.2 & rootkit detection

Hello Marko, the Rootkit Lockdown Module is in testmode (by default) so anything triggered by the system state will also be in testmode.

I don't believe the systems are in testmode, just the alerts from this rule.

Tom

New Member

Re: CSA 5.2 & rootkit detection

Tom,

thank you very much. You're absolutely right. I trust those applications, so I will make an exclusion for them.

Best regards, Marko

109
Views
5
Helpful
2
Replies