07-21-2006 01:45 AM - edited 03-10-2019 03:06 AM
Hi,
What does "Untrusted rootkit detected" exactly mean?
Is there any documentation for that?
How can I know, what was the reason for that kind of detection?
Thanks
Tamas
07-21-2006 01:11 PM
If you are talking about CSA, it means that the agent saw something loading at boot or modifying the kernel after boot and it classified it as untrusted according to the rule.
This is default and by design. It allows CSA to identify items and alerts you when new ones are found.
07-31-2006 10:33 AM
We had several problems with this in our CSA deployment... We actually had to open a case with Cisco to get it taken care of.
The only thing I can recommend if you have it is to look over the details of the event where it sets the rootkit to Untrusted. See if you can locate any patterns in the details. Also, you can look into using an Exception rule if you know your system is safe already.
In our case, we had done a fresh install and the computer had never connected to the network, so we knew it was. However, the event in question was