I have some users that keep reporting the following rootkit:
'\WINDOWS\system32\drivers\KProcDef.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted
I have created an exception, both manually and with the wizard, to allow this.
I have even disabled rule 46 and reset the clients; even with the rule disabled they still report this rootkit. It's almost like these users are not picking up the new rules. Anybody have any ideas on this?
Have you tried uninstalling the Agent on the host computer and deleting the host in the MC? Then you would re-install the Agent on the host. That will force the Agent to register with the MC, get all the new rules, and start fresh.
I get the feeling it's not responding because, once those rules were downloaded to the Agent, it went into Lockdown mode (no traffic comes in or goes out), so that might include MC traffic.
Also, if you want to try enabling Rule 46 and re-enforcing the rootkit protection, I would put that Rule Module into Test Mode. That way you only see what it would do and it won't actually lock down a host.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...