Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
409
Views
0
Helpful
2
Replies

Untrusted rootkit detected

teperjesi
Level 1
Level 1

‎07-21-2006 01:45 AM - edited ‎03-10-2019 03:06 AM

Hi,

What does it exatly mean "Untrusted rootkit detected".

Is there any documentation for that?

How can I know, what was the reason for that kind of detection?

Thanks

Tamas

Labels:
0 Helpful
2 Replies 2

tsteger1
Level 8
Level 8

‎07-21-2006 01:11 PM

If you are talking about CSA, it means that the agent saw something loading at boot or modifying the kernel after boot and it classified it as untrusted according to the rule.

This is default and by design. It allows CSA to identify items and alerts you when new ones are found.

0 Helpful

joseph.hamilton
Level 1
Level 1
In response to tsteger1

‎07-31-2006 10:33 AM

We had several problems with this in our CSA deployment...We actually had to open a case with Cisco to get it taken care of.

The only things I can reccomend if you have it is to look over details of the event where it sets the rootkit to Untrusted. See if you can locate any patterns in the details. Also, you can look into using an Exception rule if you know your system is safe already.

In our case, we had done a fresh install and the computer had never connected to the network, so we knew it was. However, the event in question was , so we had to locate a pattern in one of the String fields, which we put into the "Included code patterns" field of a Kernel protection rule.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card