McAfee HISCDE-AB-IA Product Guide - Page 111
Windows class Hook, Advanced Details
View all McAfee HISCDE-AB-IA manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 111 highlights
Appendix A - Writing Custom Signatures and Exceptions Windows custom signatures Advanced Details Some or all of the following parameters appear in the Advanced Details tab of security events for the class Files. The values of these parameters can help you understand why a signature is triggered. GUI name files dest_file Explanation Name of the file that was accessed Only applicable for renaming files. The new name that the file was changed to. The following rule would prevent anybody and any process from creating the file abc.txt in the folder C:\test\. Rule { tag "Sample3" Class Files Id 4001 level 4 files { Include "C:\\test\\abc.txt" } Executable { Include "*"} user_name { Include "*" } directives files:create } The various sections of this rule have the following meaning: • Class Files: indicates that this rule relates to file operations class. • id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID. • level 4: Assigns the severity level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level. • files { Include "C:\\test\\abc.txt" }: Indicates that the rule covers the specific file and path C:\test\abc.txt. If the rule were to cover multiple files, you would add them in this section in different lines. For example when monitoring for files C:\test\abc.txt and C:\test\xyz.txt the section changes to: files { Include "C:\\test\\abc.txt" "C:\\test\\xyz.txt" }. • Executable { Include "*"}: Indicates that this rule is valid for all processes. If you want to limit your rule to specific processes, spell them out here, complete with path name. • user_name { Include "*" }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit your rule to specific user contexts, spell them out here in the form Local/user or Domain/user. See Common Sections for details. • directives files:create: Indicates that this rule covers the creation of a file. Windows class Hook The following table lists the possible sections and values for the Windows class Hook: Section Class Values Hook Notes McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5 111