Cisco Support Community
New Member

CSA Starting Point

We are in the process of deploying CSA ver5.0 in our company. I have read through the 2 Cisco Press books but wanted to get a feel for what real companies are using as their groups. We have the All Windows, Desktops All Types, Desktops Remote or Mobile and CTA. Anyone think this is overkill or under protection for a starting point?

The only problem we have run into so far is the IBM laptop touchpad driver is being detected as an untrusted rootkit. If anyone else has encountered this I would like to hear about your solution. TAC is still working with us on this to create an exception that works.

Thanks

2 Accepted Solutions

New Member

Re: CSA Starting Point

Dvergau,

I think that may be overkill for a pilot group, which is where I hope you plan to start. You will want to import a few (you decide what a few is), then slowly adjust and add. What I mean is that you should adjust those rules that are blocking operation. Then add a few more policies and such.

Several people have several ways of doing things. Some will suggest to just use the wizard for everything, many will tell you to clone all the groups and modify those only. Cloning is a pretty smart way to keep a reference point. Again, I'm suggesting that you start off small and build up to the baseline.

Regarding the rootkit, that is a hard one. The only way to allow rootkits is to use the wizard. The wizard will pull the hashes and application and make the exception. I have found a similar issue with Symantec, leaving me the only option to disable the notification or to add hashes on the fly.

Hope this helps; if you need any info on rule/policy creation, just ask. I will help as best I can.

Regards,

Christopher

Blue

Re: CSA Starting Point

I was able to add several drivers, including the Synaptics Touchpad driver, as trusted rootkits by creating a Kernel Protection rule that sets them as trusted.

You should be able to do the same with the IBM driver. You can use the wizard to create the initial rule and then modify it to set the drivers as trusted.

I removed the hashes and added a relative path wildcard in front of the drivers and left the code pattern alone.

It takes a while for the "Untrusted Rootkit Detected" status to go away, but it does.

Tom

3 REPLIES
New Member

Re: CSA Starting Point

Great fix to a common problem!
