topic Re: CSA 5.2 & rootkit detection in Network Security

CSA 5.2 & rootkit detection

m.vuckovic — Sun, 10 Mar 2019 10:46:01 GMT

Hello !

On two of our PCs there is special SW installed (Winternals and VMWare. During boot CSA detects this SW as rootkits and puts the systems in untrusted state. What is disturbing is that both machines are then begining to work in TESTMODE. After I reset system state of both agents systems continue to work normal, meaning that CSA is not in test mode anymore.

Any clue, how can I avoid putting in test mode when systems start ?

Re: CSA 5.2 & rootkit detection

tsteger1 — Tue, 28 Aug 2007 05:24:39 GMT

Hello Marko, the Rootkit Lockdown Module is in testmode (by default) so anything triggered by the system state will also be in testmode.

I don't believe the systems are in testmode, just the alerts from this rule.

Tom

Re: CSA 5.2 & rootkit detection

m.vuckovic — Tue, 28 Aug 2007 12:20:45 GMT

Tom,

thank you very much. You're absolutely right. I trust those applications, so I will make an exclusion for them.

Best regards, Marko