McAfee HISCDE-AB-IA Product Guide - Page 116



The various sections of this rule have the following meaning:
• Class Isapi: Indicates that this rule relates to the Isapi operations class.
• Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
• level 4: Assigns the severity level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
• query { Include "*subject*" }: Indicates that the rule matches any (GET) request that contains the string "subject" in the query part of the HTTP request. If the rule were to cover multiple query parts, you would add them in this section on separate lines.
• method { Include "GET" }: Indicates that the rule can only match GET requests.
• Executable { Include "*" }: Indicates that this rule is valid for all processes. If you want to limit your rule to specific processes, spell them out here, complete with path name.
• user_name { Include "*" }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit your rule to specific user contexts, spell them out here in the form Local/user or Domain/user. See Common Sections for details.
• directives isapi:request: Indicates that this rule covers an HTTP request.
Windows class Program

The following table lists the possible sections and values for the Windows class Program:

Section: Class
  Values: Program

Section: Id, level, time, user_name, Executable
  Values: See Common sections.

Section: filename
  Values: Name of the process in the operation.
  Notes: One of the required parameters.

Section: path
  Values: Path name of the process.
  Notes: One of the required parameters.

Section: directives
  Values: program:run
  Notes: Select to prevent a target executable from running. (Run target executable, in the user interface.)

  Values: program:open_with_any
  Notes: The "program:open_with_x" directives handle process access rights created with OpenProcess(). Select to prevent these process-specific access rights:
    PROCESS_TERMINATE - Required to terminate a process.
    PROCESS_CREATE_THREAD - Required to create a thread.
    PROCESS_VM_WRITE - Required to write to memory.
    PROCESS_DUP_HANDLE - Required to duplicate a handle.
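As an added example (not code from the guide), a small Python parser and checker for the section syntax explained on this page: it reads rules written in the Class / Id / level / section { Include "..." } / directives form and checks the constraints the text states, namely that every rule of one signature shares the same Id and level, that a Program-class rule names a filename or path, and that each directive belongs to the rule's class. The enclosing Rule { } wrapper, the sample values, and the treatment of "program:open_with_x" as a family of names are assumptions.

```python
import re
# Constructed sample signature (two rules); the Rule { } wrapper is assumed, not from this page.
SAMPLE = r'''
Rule {
  Class Isapi
  Id 4001
  level 4
  query { Include "*subject*" }
  Executable { Include "*" }
  directives isapi:request
}
Rule {
  Class Program
  Id 4001
  level 4
  filename { Include "C:\\Program Files\\App\\ProcessA.exe" }
  directives program:run
}
'''
SECTION = re.compile(r'^(\w+)\s*\{\s*(Include|Exclude)\s+"([^"]*)"\s*\}$')
# Directives this page lists per class; "program:open_with_x" is treated as a family (assumed).
DIRECTIVES = {'Isapi': r'isapi:request', 'Program': r'program:(run|open_with_\w+)'}

def parse_signature(text):
    """Split text into Rule blocks; each becomes a dict of scalar keys plus its sections."""
    rules = []
    for block in re.findall(r'Rule\s*\{\n(.*?)\n\}', text, re.S):
        rule = {'sections': {}}
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if m := SECTION.match(line):      # e.g. query { Include "*subject*" }
                rule['sections'].setdefault(m[1], []).append((m[2], m[3]))
            else:                             # e.g. Class Isapi, Id 4001, directives ...
                key, _, val = line.partition(' ')
                rule[key] = val.strip()
        rules.append(rule)
    return rules

def validate_signature(rules):
    """Check the constraints this appendix states; an empty list means the signature is clean."""
    findings = []
    if len({(r.get('Id'), r.get('level')) for r in rules}) > 1:
        findings.append('all rules of one signature must share the same Id and level')
    for i, r in enumerate(rules):
        cls = r.get('Class')
        if cls == 'Program' and not ({'filename', 'path'} & set(r['sections'])):
            findings.append(f'rule {i}: Program class needs a filename or path section')
        for d in r.get('directives', '').split():
            if not re.fullmatch(DIRECTIVES.get(cls, '(?!)'), d):
                findings.append(f'rule {i}: directive {d} is not valid for class {cls}')
    return findings
```

Running validate_signature(parse_signature(SAMPLE)) returns an empty list; changing the second rule's level, removing its filename section, or giving it a directive from another class each produces a finding.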
Appendix A - Writing Custom Signatures and Exceptions: Windows custom signatures
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 116