McAfee HISCDE-AB-IA Product Guide - Page 110
Appendix A - Writing Custom Signatures and Exceptions
Windows custom signatures

    files { Include "*\\abc.txt" }

If the section dest_file is used, an absolute path cannot be used and a wildcard must be present at the beginning of the path to represent the drive. For example, the following are valid path representations:

    dest_file { Include "*\\test\\abc.txt" }
    dest_file { Include "*\\abc.txt" }

Note 2

The directive files:rename has a different meaning when combined with section files and section dest_file.

When combined with section files, it means that renaming of the file in the section files is monitored. For example, the following rule monitors renaming of file C:\test\abc.txt to any other name:

    Rule {
        tag "Sample1"
        Class Files
        Id 4001
        level 4
        files { Include "C:\\test\\abc.txt" }
        Executable { Include "*" }
        user_name { Include "*" }
        directives files:rename
    }

Combined with section dest_file, it means that no file can be renamed to the file in the section dest_file. For example, the following rule monitors renaming of any file to C:\test\abc.txt:

    Rule {
        tag "Sample2"
        Class Files
        Id 4001
        level 4
        dest_file { Include "*\\test\\abc.txt" }
        Executable { Include "*" }
        user_name { Include "*" }
        directives files:rename
    }

The section files is not mandatory when the section dest_file is used. If section files is used, both sections files and dest_file need to match.

Note 3

To distinguish between remote file access and local file access for any directive, set the executable file path name to "SystemRemoteClient":

    Executable { Include -path "SystemRemoteClient" }

This prevents any directive from executing if the executable is not local.

110 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
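The dest_file path rule and the two meanings of files:rename from Note 2 can be checked mechanically before a custom signature is deployed. The following lint is an added example, not code from the McAfee guide or product; the function name, the mode labels and the regex-based parsing are assumptions for illustration, and it handles only the section syntax shown on this page.

```python
import re

# Section syntax as printed in the guide: name { Include "path" }
SECTION_RE = re.compile(
    r'\b(files|dest_file)\s*\{\s*Include\s+(?:-\w+\s+)?"([^"]*)"\s*\}')
DIRECTIVES_RE = re.compile(r'\bdirectives\s+([^}]+)')
DRIVE_RE = re.compile(r'^[A-Za-z]:')


def lint_rule(rule_text):
    """Return (findings, rename_mode) for one Rule { ... } block.

    rename_mode labels are made up for this example:
    "from" (files only), "to" (dest_file only), "from-to" (both sections,
    both must match), None (files:rename is not among the directives).
    """
    sections = {}
    for name, path in SECTION_RE.findall(rule_text):
        sections.setdefault(name, []).append(path)

    findings = []
    for path in sections.get("dest_file", []):
        if DRIVE_RE.match(path):
            findings.append(f"dest_file {path!r}: absolute path not allowed")
        elif not path.startswith("*"):
            findings.append(f"dest_file {path!r}: needs a leading wildcard")

    directives = []
    for group in DIRECTIVES_RE.findall(rule_text):
        directives.extend(group.split())

    mode = None
    if "files:rename" in directives:
        has_files, has_dest = "files" in sections, "dest_file" in sections
        if has_files and has_dest:
            mode = "from-to"
        elif has_dest:
            mode = "to"
        elif has_files:
            mode = "from"
    return findings, mode


# Constructed inputs: Sample2 from the text, and a variant whose dest_file
# path is absolute and therefore invalid.
SAMPLE2 = r'''Rule { tag "Sample2" Class Files Id 4001 level 4
  dest_file { Include "*\\test\\abc.txt" }
  Executable { Include "*" } user_name { Include "*" }
  directives files:rename }'''
BAD = SAMPLE2.replace(r'"*\\test', r'"C:\\test')
```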