Cisco CSA (v5.1) Rootkit Detected module triggers and locks down systems; Now what?
Posted on 2007-03-21
We are currently deploying Cisco CSA v5.1 in a Windows 2K3 AD multi-domain environment. The target platforms are mostly Dell PowerEdge, OptiPlex, and Latitude clients. We have initially cloned the supplied "Desktops-All" and "Desktops-Remote" groups to deploy. Included is a "Rootkit Detected" module and rule that is now apparently triggering on several machines with new builds. Once a host is designated with a System State of "Rootkit Detected", the CSA agent on that machine locks down most network traffic (ports 80, 53, 135, 137, 139, etc.). Some of these machines are new builds on totally different network segments. We have run two separate rootkit detection utilities (McAfee, Symantec) on these machines with clean results. How do I determine which specific application is triggering the Rootkit Detected module, and if that application is a legitimate utility (which we suspect), how do I create the correct exemption in the Cisco Management Center so that the offending utility no longer triggers the rootkit detection module and these machines are no longer locked down? I hope to be able to resolve this before my users saunter into work tomorrow with their lattes. Any help would be greatly appreciated. Thanks.