Exception Rule wizard

integrixSS · ‎07-10-2007

Events in CSA MC for agents shows system state along with details,rule & wizard. Why does system state mean?

When i follow the wizard to create an exception rule,when i click finish it gives an error "see csamclog.txt for details".I checked the log file it shows

"[PID=3800] [webadmin]: {Invalid network interface specification Broadcom NetXtreme Gigabit Ethernet.<br> Expected components for wireless interfaces (separated by backslash characters): type, mode, encryption, SSID.<br> Expected components for PPP interfaces (separated by backslash characters): interface type, device type, device, remote computer.<br> Expected components for other interfaces: type, name.} {Invalid network interface specification VMware Virtual Ethernet Adapter for VMnet1.<br> Expected components"

tsteger1 · ‎07-10-2007

System state is used to apply additional rules to a host and is usually set when a "set" rule is triggered.

An example is "Untrusted Rootkit Detected".

If the Kernel Protection rule detects a driver loading dynamically that it doesn't recognize as trusted, it applies the "Untrusted Rootkit Detected" system state to the host.

It then activates the "Rootkit lockdown module" dynamically which prevents the host from communicating as a client or server.

The system state must be reset from the MC and should be done after you've made an exception (for a false positive) or disinfected the machine.

Not sure why the wizard was giving you errors unless it didn't recognize the network interfaces discovered.

You should be able to view all your network interface variables under:

Configuration > Variables > Network Interface Sets

Tom

TradeSecrets · ‎07-11-2007

Hi there,

Also be careful.

CSA Shims don't install on the VMware server when installing on one of the hosts, I ran into a small problem with this.