McAfee HISCDE-AB-IA Product Guide - Page 103
Appendix A - Writing Custom Signatures and Exceptions

Rule structure

Section: Executable
Value: {Include/Exclude file name path, fingerprint, signer or description}
Description: Each executable is specified inside the brackets using -path, -hash, -sdn, -desc. There can be multiple brackets for each section, and inside the brackets you can have one or more options. The -path (file path name), -sdn (file signer), and -desc (file description) values are strings and must be TCL escaped if they contain spaces or other TCL reserved characters. The -hash (MD5 hash) value is a 32-character hexadecimal string.

Example:

    Executable {Include -path "C:\\Program Files\\McAfee\\VirusScan Enterprise\\Mcshield.exe" -sdn "CN=\"mcafee,inc.\", OU=iss, OU=digital id class 3 - microsoft software validation v2, O=\"mcafee, inc.\", L=santa clara, ST=california, C=us" -desc "On-Access Scanner service"}

If a rule applies to all executables, use *. On UNIX this section is case-sensitive.

Section: directives
Value: operation type
Description: The operation types are class dependent and are listed for each class in the later sections.

NOTE: You can create a signature with multiple rules by simply adding one rule after another. Keep in mind that each rule in the same signature must have the same value for its id and level sections.

Use of Include and Exclude

When you mark a section value as Include, the section acts on the value indicated; when you mark a section value as Exclude, the section acts on all values except the one indicated. When you use these keywords, they are enclosed in brackets { ... }.

NOTE: With the standard subrule, use a single backslash in file paths; with the expert subrule, use double backslashes in file paths. The standard subrule translates the single backslashes to the required double backslashes, while the expert subrule performs no translation.
For example, to monitor all the text files in C:\test\:

    files { Include C:\\test\\*.txt }

and to monitor all the files except the text files in C:\test\:

    files { Exclude C:\\test\\*.txt }

Combine the keywords to exclude values from a set of included values. To monitor all the text files in folder C:\test\ except file abc.txt:

    files { Include C:\\test\\*.txt }
    files { Exclude C:\\test\\abc.txt }

Each time you add the same section with the same keyword, you add an operation. To monitor any text file in folder C:\test\ whose name starts with the string "abc":

    files { Include C:\\test\\*.txt }
    files { Include C:\\test\\abc* }

NOTE: In precedence order, exclude wins over include. Here are three examples:

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 103
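The following is an added example written for this page; it is not McAfee code and does not reproduce the product's matcher. It models, in Python, the two things the page describes: building an Executable section with TCL-quoted -path/-sdn/-desc values and a 32-character MD5 -hash, and evaluating files { Include ... } / files { Exclude ... } sections against candidate paths with the precedence the guide states (exclude wins; several Include sections narrow the set, as in the "*.txt" plus "abc*" case). The rule fragments and paths are constructed for the example. Case-insensitive path comparison is an assumption for a Windows host; the guide says the Executable section is case-sensitive on UNIX. Whether "*" crosses subfolder boundaries is not specified on the page, so the sample paths stay in one folder.

```python
import fnmatch
import hashlib
import re

# Added example, not McAfee code. It models the matching the guide describes
# for a "files" section of an expert rule:
#   - an Exclude match always wins over an Include match;
#   - with several Include sections, a path must satisfy all of them
#     (the guide's "*.txt" plus "abc*" example);
#   - an Exclude with no Include monitors everything except the excluded values.
# Path comparison is case-insensitive here, which assumes a Windows host.

SECTION_RE = re.compile(r'(\w+)\s*\{\s*(Include|Exclude)\s+(.+?)\s*\}')


def to_expert_path(path):
    """Standard-subrule path (single backslashes) -> expert-rule text (doubled)."""
    return path.replace('\\', '\\\\')


def from_expert_path(text):
    """Undo the doubling: the literal path an expert rule actually matches."""
    return text.replace('\\\\', '\\')


def tcl_quote(value):
    """Quote a -path/-sdn/-desc value: double quotes around it, with embedded
    backslashes and double quotes escaped, as in the guide's Mcshield.exe example."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def fingerprint(image):
    """MD5 of an executable image as the 32-character hex string -hash takes."""
    return hashlib.md5(image).hexdigest()


def executable_section(path, signer=None, desc=None, image=None):
    """Build an Executable {Include ...} section in expert-rule syntax."""
    options = ['-path ' + tcl_quote(path)]
    if image is not None:
        options.append('-hash ' + fingerprint(image))
    if signer:
        options.append('-sdn ' + tcl_quote(signer))
    if desc:
        options.append('-desc ' + tcl_quote(desc))
    return 'Executable {Include ' + ' '.join(options) + '}'


def parse_sections(rule_text, section='files'):
    """Return [(keyword, literal_pattern), ...] for each `section { Include|Exclude value }`."""
    ops = []
    for name, keyword, value in SECTION_RE.findall(rule_text):
        if name == section:
            ops.append((keyword, from_expert_path(value.strip().strip('"'))))
    return ops


def is_monitored(path, ops):
    """Decide whether `path` falls under the files section described by `ops`."""
    includes = [p.lower() for k, p in ops if k == 'Include']
    excludes = [p.lower() for k, p in ops if k == 'Exclude']
    candidate = path.lower()
    if any(fnmatch.fnmatchcase(candidate, p) for p in excludes):
        return False                      # exclude wins over include
    if not includes:
        return True                       # Exclude-only section: everything else
    return all(fnmatch.fnmatchcase(candidate, p) for p in includes)


# Constructed rule fragments, written in expert syntax like the guide's examples.
RULE_TXT_ONLY = r'files { Include C:\\test\\*.txt }'
RULE_NOT_TXT = r'files { Exclude C:\\test\\*.txt }'
RULE_TXT_NO_ABC = r'files { Include C:\\test\\*.txt } files { Exclude C:\\test\\abc.txt }'
RULE_ABC_TXT = r'files { Include C:\\test\\*.txt } files { Include C:\\test\\abc* }'

if __name__ == '__main__':
    for rule in (RULE_TXT_ONLY, RULE_NOT_TXT, RULE_TXT_NO_ABC, RULE_ABC_TXT):
        ops = parse_sections(rule)
        for candidate in (r'C:\test\abc.txt', r'C:\test\abcdef.txt',
                          r'C:\test\def.txt', r'C:\test\abc.log'):
            print(rule, '|', candidate, '->', is_monitored(candidate, ops))
    # Constructed image bytes stand in for the real file contents.
    print(executable_section(r'C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe',
                             desc='On-Access Scanner service',
                             image=b'MZ constructed sample'))
```

Running a draft rule through a matcher like this before deploying it catches the common mistakes the page warns about: forgetting to double the backslashes in an expert rule (the pattern then never matches), and expecting an Include to override an Exclude. Note also that -hash pins a single build of the executable: any patch to Mcshield.exe changes the MD5, so a hash-based Include silently stops matching after an update unless the signature is revised.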