https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690710#M87381 <P>I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or could they be false positive?</P><P></P><P>CSA reports two of my hosts both XP Pro are in Untrusted Rootkit mode. error messages look similar, but using 3rd party tools show no sign of a rootkit. How can I determine if this is a false positive?</P><P></P><P> Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality </P><P> Module System Hardening Module [W, V5.0 r176] </P><P>? Event details: </P><P> Event Text Kernel functionality has been modified by the module &lt;unknown@0xe3370400&gt;. The module '&lt;unknown@0xe3370400&gt;' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted. </P><P> Event Time 3/2/2007 5:38:03 PM </P><P> Code MODULE_MODIFY_TAG </P><P> PInt 46 </P><P> PInt2 12 </P><P> PString detected rootkit as Untrusted </P><P> PString2 &lt;unknown@0xe3370400&gt; </P><P> PInt3 6 </P><P> args(4) 8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b542420525 0ff1183c424c220009090909090909090 </P><P> args(5) &lt;unknown&gt; </P><P> time 82.2 (seconds since boot) </P><P> type EVTU </P><P> EvSrcComp 9 </P><P> EvDst 1 </P><P> EvDstComp 7 </P><P> EvCode MODULE_USED_BY_SYS_TABLE </P><P> EvPInt 1 </P><P> EvPString &lt;unknown@0xe3370400&gt; </P><P> EvPInt2 31 </P><P> EvPString2 8b542420 528b5424 20a14cc9 14e3528b </P><P>5424208b 08528b54 2420528b 54242052 </P><P>8b542420 528b5424 20528b54 24205250 </P><P>ff1183c4 24c22000 90909090 90909090 </P><P> </P><P> EvPInt3 -482933760 </P><P> EvPString3 ConnectPort </P><P> FlattenedForm (t-1172875082 n-678166400 z--18000 sm-114 sc-13 dm-1 dc-7 cd-762 hp-2 p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-&lt;unknown@0xe3370400&gt; i-6 a- a-8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205 250ff1183c424c220009090909090909090 a-&lt;unknown&gt; r*(type-11 time-822 rev*(sc-9 dm-1 dc-7 cd-175 p*(i-1 a-&lt;unknown@0xe3370400&gt; i-31 d-lsfjGi1IurciHYuYumUulsfjGSicsTivKaIulsfjGi1IurcisTivKaIulsfjGifu*hXGetIWGaaKqcjKqcjKqc i--482933760 a-ConnectPort ) ) ) ) ) </P><P> </P> Sun, 10 Mar 2019 10:29:36 GMT jt3rry 2019-03-10T10:29:36Z https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690710#M87381 <P>I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or could they be false positive?</P><P></P><P>CSA reports two of my hosts both XP Pro are in Untrusted Rootkit mode. error messages look similar, but using 3rd party tools show no sign of a rootkit. How can I determine if this is a false positive?</P><P></P><P> Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality </P><P> Module System Hardening Module [W, V5.0 r176] </P><P>? Event details: </P><P> Event Text Kernel functionality has been modified by the module &lt;unknown@0xe3370400&gt;. The module '&lt;unknown@0xe3370400&gt;' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted. </P><P> Event Time 3/2/2007 5:38:03 PM </P><P> Code MODULE_MODIFY_TAG </P><P> PInt 46 </P><P> PInt2 12 </P><P> PString detected rootkit as Untrusted </P><P> PString2 &lt;unknown@0xe3370400&gt; </P><P> PInt3 6 </P><P> args(4) 8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b542420525 0ff1183c424c220009090909090909090 </P><P> args(5) &lt;unknown&gt; </P><P> time 82.2 (seconds since boot) </P><P> type EVTU </P><P> EvSrcComp 9 </P><P> EvDst 1 </P><P> EvDstComp 7 </P><P> EvCode MODULE_USED_BY_SYS_TABLE </P><P> EvPInt 1 </P><P> EvPString &lt;unknown@0xe3370400&gt; </P><P> EvPInt2 31 </P><P> EvPString2 8b542420 528b5424 20a14cc9 14e3528b </P><P>5424208b 08528b54 2420528b 54242052 </P><P>8b542420 528b5424 20528b54 24205250 </P><P>ff1183c4 24c22000 90909090 90909090 </P><P> </P><P> EvPInt3 -482933760 </P><P> EvPString3 ConnectPort </P><P> FlattenedForm (t-1172875082 n-678166400 z--18000 sm-114 sc-13 dm-1 dc-7 cd-762 hp-2 p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-&lt;unknown@0xe3370400&gt; i-6 a- a-8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205 250ff1183c424c220009090909090909090 a-&lt;unknown&gt; r*(type-11 time-822 rev*(sc-9 dm-1 dc-7 cd-175 p*(i-1 a-&lt;unknown@0xe3370400&gt; i-31 d-lsfjGi1IurciHYuYumUulsfjGSicsTivKaIulsfjGi1IurcisTivKaIulsfjGifu*hXGetIWGaaKqcjKqcjKqc i--482933760 a-ConnectPort ) ) ) ) ) </P><P> </P> Sun, 10 Mar 2019 10:29:36 GMT https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690710#M87381 jt3rry 2019-03-10T10:29:36Z https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690711#M87382 <HTML><HEAD></HEAD><BODY><P>I see Cisco released BugID CSCsd04310 which basically lines up with what I'm seeing, at least that there is the potential for false positives. Is there a way I can be 100% sure? would the 5.1 CSA help at all?</P><P></P><P></P></BODY></HTML> Sat, 03 Mar 2007 15:27:27 GMT https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690711#M87382 jt3rry 2007-03-03T15:27:27Z https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690712#M87383 <HTML><HEAD></HEAD><BODY><P>5.1 probably won't make a difference. We have several ugly apps that give us similar messages.</P><P></P><P>AutoCAD and Powerbuilder 10 are the two ugliest I've seen with regards to unknown processes. I'm not sure how I'll deal with this one when we move to 5.X. I may need to create a DAC that ignores rootkits discovered after these apps fire off.</P><P></P><P>A pain...</P><P></P><P>Tom</P></BODY></HTML> Wed, 07 Mar 2007 18:03:08 GMT https://community.cisco.com/t5/network-security/rootkit-detected-csa-5-0/m-p/690712#M87383 tsteger1 2007-03-07T18:03:08Z