rootkit exception not working for some users.
09-01-2006 05:43 AM - edited 03-09-2019 04:05 PM
I have some users that keep reporting the following rootkit:
\WINDOWS\system32\drivers\KProcDef.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted
I have created an exception, both manually and with the wizard, to allow this:
**\**\KProcDef.sys
I have even disabled rule 46 and reset the clients; even with the rule disabled, they still report this rootkit. It's almost like these users are not picking up the new rules. Anybody have any ideas on this?
09-01-2006 05:56 AM
Have you tried uninstalling the Agent on the host computer and deleting the host in the MC? Then you would reinstall the Agent on the host. That will force the Agent to register with the MC, get all the new rules, and start fresh.
I get the feeling it's not responding because once those rules were downloaded to the Agent, it went into Lockdown mode (no traffic comes in or goes out), so that might include MC traffic.
Also, if you want to try enabling Rule 46 and re-enforcing the rootkit protection, I would put that Rule Module into Test Mode. That way you only see what it would do, and it won't actually lock down a host.
