I have some users that keep reporting the following rootkit
\WINDOWS\system32\drivers\KProcDef.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted
I have created an exception, both manually and with the wizard, to allow this.
I have even disabled rule 46 and reset the clients; even with the rule disabled, they still report this rootkit. It's almost like these users are not picking up the new rules. Anybody have any ideas on this?
Have you tried uninstalling the Agent on the host computer and deleting the host in the MC? Then you would re-install the Agent on the host. That will force the Agent to register with the MC, get all the new rules, and start fresh.
I get the feeling it's not responding because once those rules were downloaded to the Agent, it went into Lockdown mode (no traffic comes in or goes out), so that might include MC traffic.
Also, if you want to try enabling Rule 46 and re-enforcing the rootkit protection, I would put that Rule Module into Test Mode. That way you only see what it would do, and it won't actually lock down a host.