Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Rootkit

Hi, I've just installed CSA agent on a host and right away CSA has detected the dsload.sys has modified the kernel and put the host into rootkit system state. I've searched the sites and found out dsload.sys is belong to Oracle however I am not able to find any information about this file. Will this file be a threat to the system? Have any one seen this before?

Kernel functionality has been modified by the module C:\WINNT\System32\drivers\dsload.sys. The module 'C:\WINNT\System32\drivers\dsload.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.

  • Other Security Subjects
1 REPLY
Blue

Re: Rootkit

It sounds like it is the Oracle driver if it is in the correct location.

You should be safe creating a trusted rootkit exception rule for @System\drivers\dsload.sys.

Tom

453
Views
0
Helpful
1
Replies
This widget could not be displayed.