Solved

Cisco CSA (v5.1) Rootkit Detected module triggers and locks down systems; Now what?

Posted on 2007-03-21
1,455 Views
Last Modified: 2013-12-04
Hello;

We are currently deploying Cisco CSA v5.1 on a Windows 2K3 AD multi-domain environment. The target platforms are mostly Dell PowerEdge, OptiPlex, and Latitude clients. We have initially cloned the supplied "Desktops-All" and "Desktops-Remote" groups to deploy. Included is a "Rootkit Detected" module and rule that is now apparently triggering on several machines with new builds. Once a host is designated with a System State of "Rootkit Detected", the CSA agent on that machine locks down most network traffic (ports 80, 53, 135, 137, 139, etc.). Some of these machines are new builds on totally different network segments. We have run two separate rootkit detection utilities (McAfee, Symantec) on these machines with clean results. How do I determine which specific application is triggering the Rootkit detection module, and if that application is a legitimate utility (which we suspect), how do I create the correct exemption in the Cisco Management Center so that the offending utility no longer triggers the Rootkit Detection module and these machines are no longer locked down? I hope to be able to resolve this before my users saunter into work tomorrow with their latte. Any help would be greatly appreciated. Thanks.

Jeff
Question by:jbainc
9 Comments
LVL 27

Expert Comment

by:Tolomir
ID: 18770048
no logs on the client available?

Author Comment

by:jbainc
ID: 18772104
Unfortunately, the clients are geographically distant. I do have the logs from the MC. The MC does tell me that a rootkit has been detected on a client, but not what file(s) has triggered the alarm. I cannot seem to figure out how to pull that specific information from the MC. I would have thought this should have had some sort of large, flashing red balloon. As a client powers on, they can initially access http addresses. Very shortly (less than 5 minutes), the client machine can no longer access http. I was wondering whether the CSA Network Shim could be the root cause of this. Thanks for your time on this. Please let me know if I can supply more detail.

Jeff
LVL 11

Expert Comment

by:billwharton
ID: 18804332
1) You can find out which applications are triggering the rootkit module by following these steps:
a) find out which rules are contained in the rootkit module. I believe there's only one
b) click on that rule and choose 'find related events'. That'll show you all events that the rule triggered
c) within the log entry you see, you'll see which application triggered it. Quite often, it's a symantec file itself called symevent.sys which is possible since you're running this. If it's this file, you can safely create an exception

2) The rootkit module by default is experimental and isn't supposed to block all in & out network access. The module and only the RM should be configured for 'test mode'. This would prevent it from taking any actions though it'll continue detecting root kits and you'll see the relevant logs in the MC. I don't know how many Cisco SEs themselves trust the rootkit module and in my experience, I have learned not to. It can prove very dangerous and can block all your workstations from accessing the network one fine day. Risky proposition to keep it turned on.

CSA is a monster and unlike network devices, undoing configurations isn't easy and can be time-consuming. You're better off knowing the product very well before implementing it in a network. Any installation that isn't perfect can cause problems in the future. Not to scare you but I'm talking through years of CSA experience.

I'm heading out but will have my Blackberry with me; you can email me at <// email removed - see member profile //Tolomir EE ZA > if you like

Good luck with your users tomorrow ;)

Author Comment

by:jbainc
ID: 18804762
Bill;

Thanks very much for your help.  We had been running fine under v4.5, but moved away from CSA as CiscoWorks (with its Win 2000 host) became too cumbersome.  CSA v5.1 was a much needed upgrade, but brought with it this new Rootkit feature (which apparently installed active, by default).

I've discovered that the CSA v5.1 agent RootKit module was being triggered by three separate files:  apoint.exe (Dell driver for laptop mouse-like devices); quickset.exe (another Dell driver); and vsdatant.sys (a Cisco VPN Client driver, I believe...go figure).   This log entry was:  
Kernel functionality has been modified by the module C:\WINDOWS\system32\vsdatant.sys. The module 'C:\WINDOWS\system32\vsdatant.sys' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted. Rule 46
 
One other entry was tripping the Rootkit trigger:
Kernel functionality has been modified by the module <unknown>. Code referenced by a system call table entry has been modified. The specified action was taken to set detected rootkit as Untrusted. Rule 46
 
I am also seeing this entry:
An unauthorized Network Component, 'BogusDriver' was detected registering with the system. The operation was allowed.  Rule 53
 
Since most of these alerts are over legitimate files, I would like to restrict the Rootkit module to Monitor and Report, but not initially trigger and lock down a system.  What is the best way to approach this?  
Thanks again for the invaluable help.

Jeff

Do you recommend any other CSA user forums?
LVL 11

Accepted Solution

by:billwharton (earned 500 total points)
ID: 18804787
To go backwards, there are a limited number of CSA forums out there and I was surprised to see a CSA-related question here. You'll have to create exceptions for every file you find legitimate but make sure you're sure about its legitimacy - trusted vendor, etc. As for the module <unknown>, you'll have to create a rule using the wizard for that. Next time it reoccurs, you can simply look at the event for the PSTRING1, PSTRING2 values and add these to the original rule you created. You shouldn't create more than 1-2 rootkit exception events. I've seen engineers create an exception for every event they see and this becomes a big mess very soon.

To only use it for monitor and report, I stated the procedure in my previous post. Simply find the rootkit module and configure it as 'test mode'. Test mode is available for hosts as a whole as well as particular rule modules.

I hang out here sometimes but not very often so next time you're unable to get expert help here, feel free to email me
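Triaging the MC event text Jeff pasted above and consolidating it the way Bill recommends (one or two exception rules, not one per event) is a small parsing job. The script below is an added example, not part of the original thread and not Cisco's code: it recognises the three event shapes quoted in the thread (Rule 46 kernel modification by a named module, Rule 46 modification by an <unknown> module, Rule 53 network component registration), groups events by module and host, and separates named modules, which still need a trusted-vendor check before any exemption, from the <unknown> events that have to go through the wizard with the PSTRING1/PSTRING2 values from the MC. The host names, timestamps and the apoint.exe path in the sample events are constructed; the message wording is copied from the posts.

```python
"""Group CSA 'Rootkit Detected' events into a short exception candidate list."""
import re
from collections import defaultdict

# Constructed sample events (timestamps, host names and the apoint.exe path are
# made up); the message bodies follow the three shapes quoted in the thread.
SAMPLE_EVENTS = [
    ("2007-03-21 08:01:12", "LAT-0412",
     "Kernel functionality has been modified by the module C:\\WINDOWS\\system32\\vsdatant.sys. "
     "The module 'C:\\WINDOWS\\system32\\vsdatant.sys' is used by entries in the System syscall table. "
     "The specified action was taken to set detected rootkit as Untrusted. Rule 46"),
    ("2007-03-21 08:02:40", "LAT-0412",
     "Kernel functionality has been modified by the module C:\\WINDOWS\\system32\\apoint.exe. "
     "The module 'C:\\WINDOWS\\system32\\apoint.exe' is used by entries in the System syscall table. "
     "The specified action was taken to set detected rootkit as Untrusted. Rule 46"),
    ("2007-03-21 08:03:05", "OPT-0077",
     "Kernel functionality has been modified by the module <unknown>. "
     "Code referenced by a system call table entry has been modified. "
     "The specified action was taken to set detected rootkit as Untrusted. Rule 46"),
    ("2007-03-21 08:03:09", "OPT-0077",
     "An unauthorized Network Component, 'BogusDriver' was detected registering with the system. "
     "The operation was allowed.  Rule 53"),
    ("2007-03-21 08:10:51", "LAT-0199",
     "Kernel functionality has been modified by the module C:\\WINDOWS\\system32\\vsdatant.sys. "
     "The module 'C:\\WINDOWS\\system32\\vsdatant.sys' is used by entries in the System syscall table. "
     "The specified action was taken to set detected rootkit as Untrusted. Rule 46"),
]

RULE_RE = re.compile(r"\bRule (\d+)\s*$")
# Module path ends at the first '.' that is followed by whitespace or end of text,
# so 'vsdatant.sys.' yields 'vsdatant.sys' and '<unknown>.' yields '<unknown>'.
KERNEL_RE = re.compile(r"modified by the module (\S+?)\.(?:\s|$)")
NETCOMP_RE = re.compile(r"Network Component, '([^']+)' was detected")
ACTION_RE = re.compile(r"(?:The specified action was taken to (.+?)|The operation was (\w+))\.")


def parse_event(message):
    """Return rule number, event kind, module and action, or None if the text
    is not one of the rootkit event shapes this script understands."""
    rule = RULE_RE.search(message)
    if not rule:
        return None
    m = KERNEL_RE.search(message)
    if m:
        kind, module = "kernel_modification", m.group(1)
    else:
        m = NETCOMP_RE.search(message)
        if not m:
            return None
        kind, module = "network_component", m.group(1)
    a = ACTION_RE.search(message)
    action = (a.group(1) or a.group(2)) if a else "unknown"
    return {"rule": int(rule.group(1)), "kind": kind, "module": module, "action": action}


def summarize(events):
    """Group (timestamp, host, message) tuples by module. Windows paths are
    case-insensitive, so kernel module paths are lower-cased before grouping."""
    summary = defaultdict(lambda: {"rules": set(), "hosts": set(), "count": 0, "kind": None})
    for _ts, host, message in events:
        ev = parse_event(message)
        if ev is None:
            continue
        key = ev["module"].lower() if ev["kind"] == "kernel_modification" else ev["module"]
        entry = summary[key]
        entry["rules"].add(ev["rule"])
        entry["hosts"].add(host)
        entry["count"] += 1
        entry["kind"] = ev["kind"]
    return dict(summary)


def exception_plan(summary):
    """One consolidated candidate list per event kind. Named modules still need
    a vendor check before exemption; <unknown> cannot be matched by path and is
    routed to the wizard, where the MC's PSTRING values identify it."""
    plan = {"kernel_candidates": [], "network_candidates": [], "wizard_required": []}
    for module, info in sorted(summary.items()):
        if module == "<unknown>":
            plan["wizard_required"].append(module)
        elif info["kind"] == "kernel_modification":
            plan["kernel_candidates"].append(module)
        else:
            plan["network_candidates"].append(module)
    return plan


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for module, info in sorted(summary.items()):
        print(f"{module}: {info['count']} event(s), rules {sorted(info['rules'])}, "
              f"hosts {sorted(info['hosts'])}")
    print(exception_plan(summary))
```

Feed the script the event text exported from the MC's "find related events" view (one tuple per event) and the plan gives the two short lists that become the one or two exception rules Bill describes; anything in `wizard_required` has to be handled from the live event in the MC, since the module path is not in the message.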
LVL 27

Expert Comment

by:Tolomir
ID: 18806096
@billwharton: Regarding your email address, instead of posting it here, you should just refer to your member profile, where you posted it already. That is not crawled by search engines.

My previous post of course still applies.

Tolomir
LVL 11

Expert Comment

by:billwharton
ID: 18807138
got it
thx
Author Comment

by:jbainc
ID: 18807781
Bill;
Your advice was right on target. We've been able to isolate the offending (and mostly legitimate) files that were tripping the 'Rootkit Detected' module. We have also placed the 'Rootkit Module' in 'Test' mode for the indeterminate future. Thanks very much for your help. I'm sure we'll have more posts here since CSA is such a beast at times.

Thanks, again.

Jeff