McAfee HISCDE-AB-IA Product Guide - Page 109

Appendix A - Writing Custom Signatures and Exceptions Windows custom signatures Section Values Notes time user_name Executable (Use this parameter to distinguish between remote and local file access. See Note 3.) files File or folder involved in the One of the required parameters. See Note 1 and operation Note 2. dest_file Destination files if the operation One of the required parameters. Used only with involves source and destination files:rename and files:hardlink. See Note 1 and files Note 2. drive_type • Network - Network file access Allows creation of files class rules specific to drive types. • Floppy - Floppy drive access • CD - CD or DVD access • OtherRemovable - USB or other removable drive access • OtherFixed - Local hard disk or other fixed hard disk access directives files:create files:read files:write files:execute files:delete files:rename files:attribute Creates a file in a directory, or moves file into another directory. Opens the file with read only access. Opens the file with read-write access. Executes the file (executing a directory means that this directory will become the current directory). Deletes the file from a directory, or moves it to another directory. Renames a file in the same directory. See Note 2. Changes the file attributes. Monitored attributes include: • read-only • hidden • archive • system files:hardlink Creates a hard link. Note 1 If the section files is used, the path to a monitored folder or file can either be the full path or a wildcard. For example, the following are valid path representations: files { Include "C:\\test\\abc.txt" } files { Include "*\\test\\abc.txt" } McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 109