Rootkit

joe.ho
Level 1

Hi, I've just installed the CSA agent on a host, and right away CSA detected that dsload.sys has modified the kernel and put the host into the rootkit system state. I've searched the sites and found out that dsload.sys belongs to Oracle; however, I am not able to find any information about this file. Will this file be a threat to the system? Has anyone seen this before?

Kernel functionality has been modified by the module C:\WINNT\System32\drivers\dsload.sys. The module 'C:\WINNT\System32\drivers\dsload.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.


tsteger1
Level 8

It sounds like it is the Oracle driver if it is in the correct location.

You should be safe creating a trusted rootkit exception rule for @System\drivers\dsload.sys.

Tom
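Before creating the exception Tom describes, an administrator would want to confirm that the flagged file really is the expected driver in the expected location, and to record what exactly is being trusted. The PowerShell below is an added example, not code from this thread, from Cisco or from Oracle; the expected path is taken from the posted CSA event, and the expected signer name "Oracle" and the driver service lookup are assumptions.

```powershell
# Added example (not from the thread): verify a driver flagged by CSA before trusting it.
# Assumptions: the path is the one CSA reported; 'Oracle' is the signer we expect to see.
function Test-FlaggedDriver {
    param(
        [string]$Path           = 'C:\WINNT\System32\drivers\dsload.sys',  # from the CSA event
        [string]$ExpectedPath   = 'C:\WINNT\System32\drivers\dsload.sys',  # location Tom refers to
        [string]$ExpectedSigner = 'Oracle'                                   # assumed publisher
    )
    # 1. Location check: Tom's condition was "if it is in the correct location".
    if ($Path -ne $ExpectedPath) {
        return [pscustomobject]@{ Verdict = 'Do not trust'; Reason = "Unexpected path: $Path" }
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Verdict = 'Investigate'; Reason = "File not found: $Path" }
    }
    # 2. Hash the file so the exception rule is tied to this exact binary (Get-FileHash needs PS 4+).
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # 3. Authenticode signature: an unsigned or untrusted driver needs manual follow-up.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    # 4. Which driver service loads this file (assumed lookup; confirms it is a registered driver).
    $svc = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*$([IO.Path]::GetFileName($Path))" }
    $verdict = if ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSigner*") { 'Safe to except' }
               else { 'Investigate' }
    [pscustomobject]@{
        Verdict   = $verdict
        Reason    = "Signature=$($sig.Status); Signer=$signer"
        SHA256    = $hash
        Service   = ($svc | ForEach-Object { $_.Name }) -join ','
        CSARule   = '@System\drivers\dsload.sys'   # exception path from Tom's reply
    }
}

Test-FlaggedDriver | Format-List
```

Keep the SHA256 with the exception rule so a later change to the file (same name, same path) can be spotted rather than silently inheriting the trust.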