Community Member

CSA-How to allow a keylogger/screen capture?

I need to allow a screen capture/keylogger component of some software we use to function.

The software records phone calls and matches them with key strokes and screen captures for customer service management.

This software uses \WINDOWS\System32\Drivers\PHW2KSYS.SYS.

CSA keeps setting the hosts to Rootkit Untrusted.

I have created a rule to reset the hosts to Trusted, but would rather address this at the source.

The Wizard allowed me to set the hosts to Trusted, but only uses the module hash.

Is there a way I can tell the MC that this file (and probably others to follow) should be allowed?

3 REPLIES
Blue

Re: CSA-How to allow a keylogger/screen capture?

Just modify the path to make it broader.

Try \**\PHW2KSYS.SYS

Tom

Community Member

Re: CSA-How to allow a keylogger/screen capture?

Thanks for the input, but the problem isn't the path.

The problem is that phw2ksys.sys is recognized as part of a keylogger, and is treated as such.

I need to either find the rule causing the host to be put into untrusted rootkit and modify it, or try to create a rule from scratch to do this.

I'm hoping that someone else has run into this and done the groundwork for me :)

Blue

Re: CSA-How to allow a keylogger/screen capture?

Sorry, maybe I didn't read or answer your first post correctly.

You need to create a "set as trusted" rootkit rule with *\**\phw2ksys.sys in the "Modules modify kernel functionality" field. (I had the syntax wrong before)

CSA will process the "set as trusted" rule first and then it won't keep resetting the system state to untrusted rootkit detected.

Tom
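To show what the two kinds of exception discussed in this thread actually cover (the Wizard's hash-only entry versus the path pattern in the "set as trusted" rootkit rule), here is an added Python example that is not from the original thread or from Cisco. It assumes CSA's `**` spans any number of directory levels and `*` matches within a single path component, with case-insensitive matching as on Windows, and runs over constructed module records rather than real CSA data.

```python
import re

# Constructed sample of kernel-module load records (made-up paths and hashes,
# not real CSA output) to evaluate trust rules against.
SAMPLE_MODULES = [
    {"path": r"C:\WINDOWS\System32\Drivers\PHW2KSYS.SYS", "sha1": "aa11"},
    {"path": r"D:\Apps\Recorder\drivers\phw2ksys.sys", "sha1": "aa11"},
    {"path": r"C:\Temp\phw2ksys.sys", "sha1": "ff99"},   # same name, different hash
    {"path": r"C:\WINDOWS\System32\Drivers\other.sys", "sha1": "bb22"},
]


def csa_pattern_to_regex(pattern):
    """Translate a CSA-style file pattern into a compiled regex.
    Assumed semantics: '**' matches zero or more directory components,
    '*' matches within one component, everything else is literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(r"(?:[^\\]*\\)*[^\\]*")  # any depth of directories
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")               # within one component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule, module):
    """A trust rule may pin a path pattern, a hash, or both; every pinned field must match."""
    if "path" in rule and not csa_pattern_to_regex(rule["path"]).match(module["path"]):
        return False
    if "sha1" in rule and rule["sha1"].lower() != module["sha1"].lower():
        return False
    return True


def trusted_paths(rule, modules=SAMPLE_MODULES):
    """Return the paths of all modules the given rule would set as trusted."""
    return [m["path"] for m in modules if rule_matches(rule, m)]


if __name__ == "__main__":
    # The path-only rule from the thread also trusts the unknown-hash copy in C:\Temp;
    # adding the hash from the Wizard entry narrows it to the known driver binary.
    print(trusted_paths({"path": r"*\**\phw2ksys.sys"}))
    print(trusted_paths({"path": r"*\**\phw2ksys.sys", "sha1": "aa11"}))
```

Checking a rule this way before deploying it shows whether a broad path pattern would also trust a copy of the driver that the hash-only Wizard entry would not.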
