Cisco Support Community

CSA detects rootkit, but no process is shown in event

I am getting a strange event during a CSA 5.2 pilot: CSA detects a rootkit, but the details do not tell me what process it is, only this memory address as Pstring: unknown@0x858aa898

Anybody know what this is, and how I could find out what process is doing this? pslist doesn't show any unknown processes that would indicate some sort of malware.

7 REPLIES
Silver

Re: CSA detects rootkit, but no process is shown in event

You may be hitting the bugs CSCsd04310 and CSCse54577.

New Member

Re: CSA detects rootkit, but no process is shown in event

Requesting guidance... I'm having a very hard time finding CSA professionals who can manage multiple implementation on CSA. I thought the best thing to do was to go to the source and ask for suggestions as to how I can find these "hard to find" gems.

Your assistance is greatly appreciated.

EA

Blue

Re: CSA detects rootkit, but no process is shown in event

Hi Eileen

Are you looking for implementation guidance or someone to manage the implementations?

Tom

Blue

Re: CSA detects rootkit, but no process is shown in event

Eileen, can you put a contact email address in your profile?

Thanks,

Tom

New Member

Re: CSA detects rootkit, but no process is shown in event

Tom,

I checked the box off in my profile so that you can view my e-mail address. I also sent you an e-mail message.

Looking forward to receiving a message from you.

Thanks,

Eileen

Blue

Re: CSA detects rootkit, but no process is shown in event

Hi Jan

Is this only happening on one hardware platform?

Rootkit positives are usually hardware drivers like keyboard filters or monitors and touchpad drivers.

Uphclean also reports as a rootkit.

You might be able to make an exception using the memory address string if it rarely changes.

You could also try running Process Explorer from Sysinternals http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx and logging the processes for a while then examining the logs.

The tricky part is that it may only show up at logon or logoff.

Tom
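Tom's suggestion to log the running processes for a while and then examine the logs can be scripted so that the logon/logoff window is actually covered. The block below is an added example, not code from this thread, from Cisco or from Sysinternals: it polls the process list, writes a timestamped line for every process start and exit, and afterwards reports processes that appeared and vanished inside the observation window, which is what a logon-only or logoff-only process looks like. It assumes the live collector runs on Windows and uses the real `tasklist /FO CSV /NH` command; every function name is mine, and the snapshots used off Windows are constructed. Note that the Pstring address in the original event falls in the kernel half of a 32-bit Windows address space, so the thing CSA flagged is more likely a driver than a process, as Tom says; a process log still shows what is being loaded around logon.

```python
"""Periodic process-snapshot logger plus a transient-process diff.

Added example (not Cisco's, CSA's or Sysinternals' code) for the advice to log
running processes for a while and examine the logs for something that only
shows up briefly, e.g. around logon or logoff.

Assumptions: the live collector shells out to Windows `tasklist`; the parsing
and diff logic is platform-independent and is exercised with constructed
snapshots in the __main__ branch when not on Windows.
"""
import csv
import io
import subprocess
import sys
import time
from datetime import datetime


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV /NH` output into a set of (image name, pid)."""
    procs = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs.add((row[0], int(row[1])))
    return procs


def snapshot_windows():
    """One live snapshot via tasklist (assumption: running on Windows)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def diff_snapshots(prev, cur):
    """Return (started, exited): processes new in cur, and gone since prev."""
    return cur - prev, prev - cur


def transient_processes(snapshots):
    """Processes that appeared during the window but are absent from the last
    snapshot, mapped to the (first_index, last_index) at which they were seen."""
    first_seen, last_seen = {}, {}
    for i, snap in enumerate(snapshots):
        for proc in snap:
            first_seen.setdefault(proc, i)
            last_seen[proc] = i
    final = snapshots[-1] if snapshots else set()
    return {p: (first_seen[p], last_seen[p]) for p in first_seen if p not in final}


def log_changes(take_snapshot, interval_s, duration_s, sink):
    """Poll take_snapshot() every interval_s seconds for duration_s seconds and
    hand a timestamped line for every process start/exit to sink (a callable).
    Returns the list of snapshots so transient_processes() can be run on it."""
    snapshots = [take_snapshot()]
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        time.sleep(interval_s)
        cur = take_snapshot()
        started, exited = diff_snapshots(snapshots[-1], cur)
        stamp = datetime.now().isoformat(timespec="seconds")
        for image, pid in sorted(started):
            sink(f"{stamp} START {image} pid={pid}")
        for image, pid in sorted(exited):
            sink(f"{stamp} EXIT  {image} pid={pid}")
        snapshots.append(cur)
    return snapshots


if __name__ == "__main__":
    if sys.platform == "win32":
        # Live use: poll every 2 s for 10 minutes, e.g. launched from a logon
        # script so the logon window itself is inside the observation period.
        snaps = log_changes(snapshot_windows, 2.0, 600, print)
    else:
        # Constructed snapshots standing in for a short observation window.
        snaps = [
            {("System", 4), ("csrss.exe", 500)},
            {("System", 4), ("csrss.exe", 500), ("short-lived.exe", 1234)},
            {("System", 4), ("csrss.exe", 500)},
        ]
    for (image, pid), (first, last) in transient_processes(snaps).items():
        print(f"transient: {image} pid={pid} seen in snapshots {first}..{last}")
```

Run it from a logon script or a scheduled task that fires at logon so the first snapshot is taken before the shell finishes starting; redirect the START/EXIT lines to a file and compare the transient list against what Process Explorer shows once the desktop is stable.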

Re: CSA detects rootkit, but no process is shown in event

Hi Tom

Thanks for the reply, I am well aware of the problems with detecting rootkits properly. I am just worried that this is an actual rootkit and not a false positive. I have run pslist and RootkitRevealer from Sysinternals with no luck, but maybe I should try to monitor a little closer during boot, and my next step is to go to the site where the PC is located and check it myself.
