Cisco Support Community
Community Member

rootkit exception not working for some users.

I have some users that keep reporting the following rootkit:

'\WINDOWS\system32\drivers\KProcDef.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted

I have created an exception, both manually and with the wizard, to allow this:

**\**\KProcDef.sys

I have even disabled rule 46 and reset the clients; even with the rule disabled they still report this rootkit. It's almost like these users are not picking up the new rules. Anybody have any ideas on this?

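Editor's note: a driver that CSA reports as "used by entries in the System syscall table" is one that hooks the kernel's system call table, which is exactly the behaviour a kernel-mode rootkit exhibits. Before allow-listing such a file with a wildcard exception, it is worth confirming what the file actually is on one of the affected hosts. The following PowerShell snippet is an added example, not part of the original thread and not a Cisco tool; it assumes the driver is at the path shown in the detection message under the current system root, and that it is run from an elevated prompt on the client.

```powershell
# Added example (not from the original thread): identify the driver that CSA flagged
# before deciding whether an exception is appropriate.
# Assumption: the file sits under %SystemRoot%\System32\drivers as in the detection text.
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\KProcDef.sys'

if (-not (Test-Path -Path $DriverPath)) {
    Write-Warning "$DriverPath not found on this host"
    return
}

# 1. File hash: compare it across the hosts that report the detection and against
#    whatever the software vendor publishes; differing hashes on identical builds are a red flag.
Get-FileHash -Path $DriverPath -Algorithm SHA256 | Format-List Path, Hash

# 2. Authenticode signature: an unsigned kernel driver, or one whose signature does not
#    validate, should not be excepted without further investigation.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
[PSCustomObject]@{
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    Issuer = $sig.SignerCertificate.Issuer
} | Format-List

# 3. Version resource: the publisher and product name embedded in the binary.
(Get-Item -Path $DriverPath).VersionInfo |
    Format-List CompanyName, ProductName, FileDescription, FileVersion

# 4. Which kernel service loads the driver, how it starts, and whether it is running now.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*KProcDef.sys' } |
    Format-List Name, DisplayName, State, StartMode, PathName
```

If the signer, product name and loading service all point to software the organisation deliberately installed, the exception in the post is the right fix and the remaining question is purely why some agents are not applying it. If they do not, the detection should be treated as a real finding rather than a false positive.
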
1 REPLY
Community Member

Re: rootkit exception not working for some users.

Have you tried un-installing the Agent on the host computer and deleting the host in the MC? Then, you would re-install the Agent on the host. That will force the Agent to register with the MC, get all the new rules, and start fresh.

I get the feeling it's not responding because once those rules were downloaded to the Agent, it went into Lockdown mode (no traffic comes in or goes out), so that might include MC traffic.

Also, if you want to try enabling Rule 46 and re-enforcing the rootkit protection, I would put that Rule Module into Test Mode. That way you only see what it would do and it won't actually lockdown a host.
