Why would a process be labeled '<Unknown: nnnn>' by CSA?
Recently, a few Windows XP clients have been experiencing a very annoying behavior. A whole raft of processes are showing up in the logs as '<Unknown: [pid]>' and user query responses about actions performed on or by these processes do not get associated with anything else done later on the box, even if the user is doing exactly the same thing.
What would cause a process to be labelled 'unknown'? Is this a misconfiguration in one of my rule modules or a bug?
Re: Why would a process be labeled '<Unknown: nnnn>' by CSA?
We run CSA 5.2. The rule that gets triggered is 834 in the stock Base Application Permissions - Medium Security rule module. The rule queries the user about a process writing to memory owned by another process. The applications that trip this rule in our environment include Firefox, Word, Outlook, Explorer and cmd.exe, always against an unknown process. Known processes are typically logged with the path to the file holding the executable code being run by the process. So, does this mean that these applications generate dynamic code in system memory and execute it as a separate process? Or, does CSA give up when trying to identify the filesystem path of certain kinds of code?
I think I need an exception to rule 834, but I can't see how to define the target applications.
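One first check a practitioner can run on the affected XP box is to list which running processes a user-mode session cannot resolve an image path for, and compare their PIDs with the nnnn in the '<Unknown: nnnn>' entries. The script below is an added diagnostic, not CSA code and not from the original post; it assumes (an assumption, not something the thread confirms) that a process CSA labels unknown is one whose executable path it could not resolve. Run it in an elevated PowerShell session so that access-denied errors do not inflate the list.

```powershell
# Added diagnostic, not part of CSA. Lists processes whose executable path
# cannot be resolved from this session, using two independent sources:
# the process's main module (fails with access denied for protected or
# other-user processes) and WMI Win32_Process.ExecutablePath as a fallback.
# Assumption: PIDs in CSA's '<Unknown: nnnn>' entries should appear here.

# Build a PID -> ExecutablePath map from WMI as the second opinion.
$wmiPath = @{}
Get-WmiObject Win32_Process | ForEach-Object {
    $wmiPath[[int]$_.ProcessId] = $_.ExecutablePath
}

$report = Get-Process | ForEach-Object {
    $p = $_
    $path = $null
    try {
        # Throws for processes this token cannot open (System, Idle, services).
        $path = $p.MainModule.FileName
    } catch {
        $path = $null
    }
    if (-not $path) { $path = $wmiPath[$p.Id] }

    New-Object PSObject -Property @{
        PID      = $p.Id
        Name     = $p.ProcessName
        Path     = $path
        Resolved = [bool]$path
    }
}

# Unresolved processes are the candidates to match against '<Unknown: nnnn>'.
$report | Where-Object { -not $_.Resolved } |
    Sort-Object PID |
    Format-Table PID, Name, Path -AutoSize
```

If every PID that CSA reports as unknown shows up here with no path from either source, the problem is path resolution for that class of process rather than anything in your rule module; if the PIDs resolve cleanly here, the label is coming from CSA's own identification logic and is worth raising with TAC.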