282
Views
0
Helpful
2
Replies
teperjesi
Beginner

Untrusted rootkit detected

Hi,

What does "Untrusted rootkit detected" exactly mean?

Is there any documentation for that?

How can I know, what was the reason for that kind of detection?

Thanks

Tamas

2 REPLIES
tsteger1
Collaborator

If you are talking about CSA, it means that the agent saw something loading at boot or modifying the kernel after boot and it classified it as untrusted according to the rule.

This is default and by design. It allows CSA to identify items and alerts you when new ones are found.

We had several problems with this in our CSA deployment... We actually had to open a case with Cisco to get it taken care of.

The only thing I can recommend if you have it is to look over the details of the event where it sets the rootkit to Untrusted. See if you can locate any patterns in the details. Also, you can look into using an Exception rule if you know your system is safe already.

In our case, we had done a fresh install and the computer had never connected to the network, so we knew it was. However, the event in question was , so we had to locate a pattern in one of the String fields, which we put into the "Included code patterns" field of a Kernel protection rule.
