rootkit exception not working for some users.

Patrick Weir
Level 1

I have some users that keep reporting the following rootkit:

'\WINDOWS\system32\drivers\KProcDef.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted

I have created an exception, both manually and with the wizard, to allow this:

**\**\KProcDef.sys

I have even disabled rule 46 and reset the clients; even with the rule disabled, they still report this rootkit. It's almost like these users are not picking up the new rules. Anybody have any ideas on this?


joseph.hamilton
Level 1

Have you tried uninstalling the Agent on the host computer and deleting the host in the MC? Then you would re-install the Agent on the host. That will force the Agent to register with the MC, get all the new rules, and start fresh.

I get the feeling it's not responding because once those rules were downloaded to the Agent, it went into Lockdown mode (no traffic comes in or goes out), so that might include MC traffic.

Also, if you want to try enabling Rule 46 and re-enforcing the rootkit protection, I would put that Rule Module into Test Mode. That way you only see what it would do, and it won't actually lock down a host.
