Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
754
Views
14
Helpful
3
Replies

CSA Starting Point

Go to solution
dvergau
Level 1
Level 1

‎02-19-2007 02:17 PM - edited ‎03-10-2019 03:28 AM

We are in the process of deploying CSA ver5.0 in our company. I have read through the 2 Cisco Press books but wanted to get a feel for what real companies are using as their groups. We have the All Windows, Desktops All Types, Desktops Remote or Mobile and CTA. Anyone think this is overkill or under protection for a starting point?

The only problem we have run into so far is the IBM laptop touchpad driver is being detected as a un-trusted root kit. If anyone else has encountered this I would like to hear about your solution. TAC is still working with us on this to create an exception that works.

Thanks

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
chickman
Level 1
Level 1

‎02-20-2007 05:48 AM

Dvergau,

I think that may be over-kill for a pilot group. Which is where I hope you plan to start. You will want to import a few, you decide what a few is, then slowly adjust and add. What I mean is that you should adjust those rules that are blocking operation. Then add a few more policies and such.

Several people have several ways of doing things. Some will suggest to just use the wizard for everything, many will tell you to clone all the groups and modify those only. Cloning is a pretty smart way to keep a reference point. Again, I'm suggesting that you start off small and build up to the baseline.

Regarding the rootkit, that is a hard one. The only way to allow rootkits are to use the wizard. The wizard will pull the hashes and application and make the exception. I have found a similar issue with Symantec. Leaving me the only option to disable the notification, or to add hashes on the fly.

Hope this helps, if you need any info and rule/policy creation just ask. I will help as best I can.

Regards,

Christopher

View solution in original post

Go to solution
tsteger1
Level 8
Level 8

‎02-20-2007 11:53 AM

I was able to add several drivers including the Synaptics Touchpad driver as a trusted rootkits by creating a Kernel Protection rule that sets them as trusted.

You should be able to do the same with the IBM driver. You can use the wizard to create the initial rule and then modify it to set the drivers as trusted.

I removed the hashes and added a relative path wildcard in front of the drivers and left the code pattern alone.

It takes a while for the "Untrusted Rootkit Detected" status to go away, but it does.

Tom

View solution in original post

3 Replies 3

Go to solution
chickman
Level 1
Level 1

‎02-20-2007 05:48 AM

Dvergau,

I think that may be over-kill for a pilot group. Which is where I hope you plan to start. You will want to import a few, you decide what a few is, then slowly adjust and add. What I mean is that you should adjust those rules that are blocking operation. Then add a few more policies and such.

Several people have several ways of doing things. Some will suggest to just use the wizard for everything, many will tell you to clone all the groups and modify those only. Cloning is a pretty smart way to keep a reference point. Again, I'm suggesting that you start off small and build up to the baseline.

Regarding the rootkit, that is a hard one. The only way to allow rootkits are to use the wizard. The wizard will pull the hashes and application and make the exception. I have found a similar issue with Symantec. Leaving me the only option to disable the notification, or to add hashes on the fly.

Hope this helps, if you need any info and rule/policy creation just ask. I will help as best I can.

Regards,

Christopher

Go to solution
tsteger1
Level 8
Level 8

‎02-20-2007 11:53 AM

I was able to add several drivers including the Synaptics Touchpad driver as a trusted rootkits by creating a Kernel Protection rule that sets them as trusted.

You should be able to do the same with the IBM driver. You can use the wizard to create the initial rule and then modify it to set the drivers as trusted.

I removed the hashes and added a relative path wildcard in front of the drivers and left the code pattern alone.

It takes a while for the "Untrusted Rootkit Detected" status to go away, but it does.

Tom

Go to solution
chickman
Level 1
Level 1
In response to tsteger1

‎02-20-2007 12:31 PM

Great fix to a common problem!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card