CSA Rule ID 46 module '<unknown@0x860d3008>'

smjaggers
Level 1

Hello,

I have been seeing this module kick off rule 46 at multiple clients (the 0x860d3008 memory address is varied). Has anyone successfully figured out a way to investigate what this is, and how to tune it? I know I could create a blanket rule, but I want to see what it is first. The problem is the logs get flooded with the 596 alert. Even though it does not block anything, I know that most customers who look at this will stop paying attention. That whole cry wolf thing.

Thanks

1 Reply 1

tsteger1
Level 8

Hi Shawn

What version of CSA and what specific rule type and module is this? I'm guessing either Trojan Detection (older) or Kernel Protection rule (newer).

Remember that your Rule 46 may not match someone else's because of different versions, multiple upgrades, etc.

As I recall, it was almost impossible to make an exception for this without knowing the application that triggered it.

Tom
