McAfee HISCDE-AB-IA Product Guide - Page 119
Appendix A - Writing Custom Signatures and Exceptions
Windows custom signatures

Note 2
The data of the section new data must be in hexadecimal. For example, the data 'def' of registry value "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc" must be represented as old_data { Include "%64%65%66"}.

Advanced details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class Registry. The values of these parameters can help you understand why a signature is triggered.

GUI name: Registry Key
Explanation: Name of the registry key affected, including the path name. Note the following:

  For this key            Use this syntax
  HKEY_LOCAL_MACHINE\     \REGISTRY\MACHINE\
  HKEY_CURRENT_USER\      \REGISTRY\CURRENT_USER\
  HKEY_CLASSES_ROOT\      \REGISTRY\MACHINE\SOFTWARE\CLASSES\
  HKEY_CURRENT_CONFIG\    REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001\
  HKEY_USERS\             \REGISTRY\USER\

GUI name: Registry Values
Explanation: Name of the registry value concatenated with the full name of its key. Note the following:

  For values in this key     Use this syntax
  HKEY_LOCAL_MACHINE\Test    \REGISTRY\MACHINE\Test\*
  HKEY_CURRENT_USER\Test     \REGISTRY\CURRENT_USER\Test\*
  HKEY_CLASSES_ROOT\Test     \REGISTRY\MACHINE\SOFTWARE\CLASSES\Test\*
  HKEY_CURRENT_CONFIG\Test   REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001\Test\*
  HKEY_USERS\Test            \REGISTRY\USER\Test\*

GUI name: old data
Explanation: Only applicable for registry value changes: data that a registry value contained before it was changed or attempted to be changed.

GUI name: new data
Explanation: Only applicable for registry value changes: data that a registry value contains after it was changed or that it would contain if the change went through.

GUI name: old data type
Explanation: Only applicable for registry value changes: type of data that a registry value contained before it was changed or attempted to be changed.

GUI name: new data type
Explanation: Only applicable for registry value changes: type of data that a registry value contains after it was changed or that it would contain if the change went through.
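The following helper is an added example, not code from the McAfee product guide: it applies the key-prefix table above to turn HKEY_* paths and value names into the \REGISTRY\ syntax the Registry class parameters use, and it encodes value data one %XX per byte the way Note 2 requires. It assumes string data is ASCII (as in the guide's 'def' example); the function names are the example's own.

```python
"""Helpers for writing Windows Registry class custom signatures.

Added example; not from the McAfee Host IPS product guide. It follows the
guide's key-prefix table and its 'def' -> "%64%65%66" data example.
"""
from __future__ import annotations

# Key-name prefixes exactly as printed in the guide's table (the
# HKEY_CURRENT_CONFIG entry is copied as the guide shows it, without a
# leading backslash).
_HIVE_MAP = {
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKEY_CURRENT_USER": r"\REGISTRY\CURRENT_USER",
    "HKEY_CLASSES_ROOT": r"\REGISTRY\MACHINE\SOFTWARE\CLASSES",
    "HKEY_CURRENT_CONFIG": r"REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001",
    "HKEY_USERS": r"\REGISTRY\USER",
}


def to_hips_key(win_path: str) -> str:
    """Translate an HKEY_*-style key path into the REGISTRY-style path
    shown in the Registry Key row of the table (example helper)."""
    path = win_path.lstrip("\\")
    hive, _, rest = path.partition("\\")
    hive = hive.upper()
    if hive not in _HIVE_MAP:
        raise ValueError(f"unknown registry hive: {hive!r}")
    return _HIVE_MAP[hive] + ("\\" + rest if rest else "")


def to_hips_value(win_key: str, value_name: str) -> str:
    """Registry Values are the value name concatenated with the full key name."""
    return to_hips_key(win_key) + "\\" + value_name


def hex_encode_data(data: bytes | str) -> str:
    """Encode value data as Note 2 requires: one %XX per byte, so 'def'
    becomes "%64%65%66". Strings are treated as ASCII (assumption matching
    the guide's example); pass bytes for binary or DWORD data."""
    raw = data.encode("ascii") if isinstance(data, str) else data
    return "".join(f"%{b:02X}" for b in raw)


def data_section(section: str, data: bytes | str) -> str:
    """Render an old_data / new_data section of a Registry rule."""
    if section not in ("old_data", "new_data"):
        raise ValueError("section must be old_data or new_data")
    return f'{section} {{ Include "{hex_encode_data(data)}" }}'
```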
The following rule would prevent anybody and any process from deleting the registry value "abc" under registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa":

  Rule {
    tag "Sample8"
    Class Registry
    Id 4001

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5    119