
New Member

CSA 5.2 - Rootkit

Does anyone know exactly what this process is doing?

Kernel functionality has been modified by the module C:\WINDOWS\system32\Drivers\uphcleanhlp.sys. The module 'C:\WINDOWS\system32\Drivers\uphcleanhlp.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.

It has triggered other rules that appear to fall into the Rootkit policy, and I'm not sure why this looks like a rootkit when it's part of the profile cleanup.

Thanks!

10 REPLIES

Re: CSA 5.2 - Rootkit

Well, basically any piece of software that is put in the syscall table in Windows will be caught by the rootkit rule. You just need to do an exception for it. I must admit that I haven't seen this before; is it Windows XP machines this is happening on?

New Member

Re: CSA 5.2 - Rootkit

Yes, it is a Windows XP SP2 machine. I thought that it was weird too, but I don't have much experience with the rootkit protection module either.

Thanks,

New Member

Re: CSA 5.2 - Rootkit

I have seen this quite often and it seems legit. Here are the details on the service.

http://www.microsoft.com/downloads/details.aspx?FamilyId=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Just add it to your Kernel Protection Set-Rootkit-Trusted rule with the hash **\*\uphcleanhlp.sys at the simplest level.
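Before adding a TRUSTED exception for a driver that the rootkit rule flagged, it is worth confirming that the file on the host really is the signed Microsoft driver and not something else carrying the same name. The following PowerShell script is an added example, not part of this thread or of CSA itself; it assumes the driver path reported in the event above, a PowerShell 4 or later host (Get-FileHash is not available on the XP machines discussed here, so copy the file to an admin workstation if needed), and that the expected signer is Microsoft.

```powershell
# Added example (not from the thread or from Cisco): verify a kernel driver
# before referencing it in a CSA "Kernel Protection - SET ROOTKIT TRUSTED" rule.
# Assumptions: $DriverPath is the path from the CSA event; PowerShell 4+ host;
# the expected publisher is Microsoft.
param(
    [string]$DriverPath = 'C:\WINDOWS\system32\Drivers\uphcleanhlp.sys'
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found: $DriverPath"
}

# 1. Authenticode signature: a legitimate Microsoft driver is signed and chains
#    to a trusted root. A file with the right name but no valid signature should
#    not be whitelisted; the original event should then be treated as real.
$sig    = Get-AuthenticodeSignature -LiteralPath $DriverPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

# 2. File hashes, recorded for the change ticket and for comparison against the
#    copy on any other host that raises the same event.
$md5  = (Get-FileHash -LiteralPath $DriverPath -Algorithm MD5).Hash
$sha1 = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA1).Hash

# 3. Version metadata, for cross-checking against the Microsoft download page.
$ver = (Get-Item -LiteralPath $DriverPath).VersionInfo

[pscustomobject]@{
    Path            = $DriverPath
    SignatureStatus = $sig.Status   # expect 'Valid'
    Signer          = $signer       # expect a Microsoft subject
    MD5             = $md5
    SHA1            = $sha1
    ProductName     = $ver.ProductName
    FileVersion     = $ver.FileVersion
} | Format-List

# Fail closed: only a validly signed Microsoft binary should get an exception.
if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
    Write-Warning "Signature check failed for $DriverPath; do not add a TRUSTED exception for it."
    exit 1
}
Write-Host 'Driver verified; it is reasonable to add the exception and log the rule as described in this thread.'
```

Run it on each host that raised the event, and keep the printed hashes with the exception rule so that a later event for a differently hashed file of the same name stands out instead of being silently covered by the path pattern.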

New Member

Re: CSA 5.2 - Rootkit

What is the best way to add this to the Kernel Protection Set Root-Kit-Trusted rule?

I do not like to modify the rules that cisco provides because it makes upgrading challenging.

I originally created a new Rule Module for this rootkit exception, but it does not show up for me to use. I can only use previous rule modules or the default one "Operating System - Base Protection - Windows V 5.2.r203".

New Member

Re: CSA 5.2 - Rootkit

You should just be able to add a new kernel protection rule to the module you have then.

It is just a kernel protection rule you need to add. Options are SET, ROOTKIT, TRUSTED, and in the "Modules modify Kernel Functionality" section add the hash to the "Included module hashes:" section.

Do this manually and do not use the wizard.

New Member

Re: CSA 5.2 - Rootkit

Within the kernel protection rule I do not see the options SET, ROOTKIT or TRUSTED, but I do see Kernel Functionality and such.

Any additional help would be appreciated.

Thanks

New Member

Re: CSA 5.2 - Rootkit

It's the drop down for Take Action.

New Member

Re: CSA 5.2 - Rootkit

Bradley thanks for the screen shot. I will monitor this rule and see where it gets me but I appreciate your efforts.

New Member

Re: CSA 5.2 - Rootkit

When I click on the "system state" caption under the rule in my event logs I get the message pop-up below. What does this mean and how do I fix it?

The rule that generated this event only triggers under the system state "rootkit=untrusted".

New Member

Re: CSA 5.2 - Rootkit

It is just saying that you need to look at the system states as that rule is only enforced for a certain system state. With the rootkit module a system is placed in that state after it fires the rootkit rule. By using the rule I put up previously it will not be tagged as a rootkit untrusted and therefore the rule module for rootkit detected will not be enforced.

After you put the rule in you will want to reset the agent on the system that had the rootkit. And you can log the new rule to make sure it is working correctly.

185 Views | 20 Helpful | 10 Replies