I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or could they be false positives?
CSA reports that two of my hosts, both XP Pro, are in Untrusted Rootkit mode. The error messages look similar, but using 3rd-party tools shows no sign of a rootkit. How can I determine if this is a false positive?
Description: Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality
Module: System Hardening Module [W, V5.0 r176]
Event details:
Event Text: Kernel functionality has been modified by the module <unknown@0xe3370400>. The module '<unknown@0xe3370400>' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.
I see Cisco released BugID CSCsd04310, which basically lines up with what I'm seeing, at least that there is the potential for false positives. Is there a way I can be 100% sure? Would the 5.1 CSA help at all?
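The event above only tells you that an address (0xe3370400) hooked into the syscall table could not be attributed to a module CSA knows about. One triage step a defender can take is to resolve that address against the host's own loaded-driver inventory: if it lands inside the image range of a legitimately installed driver (an application's kernel component, for instance), the alert is a candidate false positive to review; if no loaded module owns the address, it deserves the suspicious treatment CSA gave it. The script below is an added example, not part of the original post or of CSA; the event text is modelled on the one quoted above, and the driver inventory is constructed sample data, not real base addresses from any host.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed event text, modelled on the CSA "Event Text" quoted in the question.
EVENT_TEXT = (
    "Kernel functionality has been modified by the module <unknown@0xe3370400>. "
    "The module '<unknown@0xe3370400>' is used by entries in the System syscall table. "
    "The specified action was taken to set detected rootkit as Untrusted."
)

# Matches CSA-style module references of the form <name@0xADDRESS>.
MODULE_RE = re.compile(r"<(?P<name>[^@<>]+)@0x(?P<addr>[0-9a-fA-F]+)>")


class LoadedModule(NamedTuple):
    """One entry of a loaded-driver inventory: image name, base address, image size."""
    name: str
    base: int
    size: int


# Constructed (hypothetical) driver inventory for the affected host. On a real host this
# would come from the kernel-module listing of whatever tool you trust.
SAMPLE_INVENTORY: List[LoadedModule] = [
    LoadedModule("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    LoadedModule("hal.dll", 0x806CF000, 0x20000),
    LoadedModule("vendor_filter.sys", 0xE3360000, 0x20000),  # hypothetical app driver
]


def parse_event(text: str) -> Optional[Tuple[str, int]]:
    """Return (module_name, address) for the first module reference in a CSA event text."""
    m = MODULE_RE.search(text)
    if m is None:
        return None
    return m.group("name"), int(m.group("addr"), 16)


def resolve_address(addr: int, inventory: List[LoadedModule]) -> Optional[LoadedModule]:
    """Return the loaded module whose image range [base, base+size) contains addr."""
    for mod in inventory:
        if mod.base <= addr < mod.base + mod.size:
            return mod
    return None


def triage(text: str, inventory: List[LoadedModule]) -> dict:
    """Classify one CSA event against the host's driver inventory.

    verdict values:
      'resolved'   - address lies inside a known loaded driver; review that driver
      'unresolved' - no loaded driver owns the address; treat as suspicious
      'no-module'  - the event text carried no <name@0x...> reference
    """
    parsed = parse_event(text)
    if parsed is None:
        return {"verdict": "no-module", "address": None, "module": None}
    name, addr = parsed
    owner = resolve_address(addr, inventory)
    if owner is None:
        return {"verdict": "unresolved", "address": addr, "module": name}
    return {"verdict": "resolved", "address": addr, "module": owner.name}


if __name__ == "__main__":
    print(triage(EVENT_TEXT, SAMPLE_INVENTORY))
    # Same event against an inventory with no driver covering the address.
    print(triage(EVENT_TEXT, SAMPLE_INVENTORY[:2]))
```

A "resolved" result is not proof of a false positive: it only tells you which driver to examine (publisher, signature, install date, whether it belongs to the application running on that host). An "unresolved" result means the hook comes from code that no trusted listing accounts for, which is the condition the CSA rule is designed to flag.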
5.1 probably won't make a difference. We have several ugly apps that give us similar messages.
AutoCAD and Powerbuilder 10 are the two ugliest I've seen with regards to unknown processes. I'm not sure how I'll deal with this one when we move to 5.X. I may need to create a DAC that ignores rootkits discovered after these apps fire off.