McAfee 6.1 Marine Radio User Manual


 
McAfee® Host Intrusion Prevention 6.1 Product Guide
Writing Custom Signatures
Windows Custom Signatures
Note 1
If the files section is used, the path to a monitored folder or file can be either the
full path or a wildcard pattern. For example, the following are valid path representations:
  files { Include "C:\\test\\abc.txt" }
  files { Include "*\\test\\abc.txt" }
  files { Include "*\\abc.txt" }
If the dest_file section is used, an absolute path cannot be used; the path must begin
with a wildcard that represents the drive. For example, the following are valid path
representations:
  dest_file { Include "*\\test\\abc.txt" }
  dest_file { Include "*\\abc.txt" }
Note 2
The directive files:rename has a different meaning depending on whether it is combined
with the files section or with the dest_file section.
When combined with the files section, it means that renaming of the file named in the
files section is monitored. For example, the following rule monitors renaming of the file
C:\test\abc.txt to any other name:
Rule {
  Class Files
  Id 4001
  level 1
  files { Include "C:\\test\\abc.txt" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d files:rename
}
When combined with the dest_file section, it means that no file can be renamed to the
file named in the dest_file section. For example, the following rule monitors renaming of
any file to C:\test\abc.txt:
Rule {
  Class Files
  Id 4001
  level 1
  dest_file { Include "*\\test\\abc.txt" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d files:rename
}
Note
The files section is not mandatory when the dest_file section is used. If the files
section is used, both the files and dest_file sections need to match.
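
A small linter for the two notes above, added here as an example and not part of the product guide or any McAfee tool: it checks dest_file paths against the Note 1 constraint and reports which meaning files:rename takes under Note 2. The function names and the trimmed sample rules are constructed for illustration.

```python
import re

# Section name plus body, e.g.  dest_file { Include "*\\abc.txt" }
SECTION_RE = re.compile(r'\b(files|dest_file)\s*\{([^}]*)\}')
# Include "<path>"; typographic quotes from PDF copies are accepted too.
INCLUDE_RE = re.compile(r'Include\s+["\u201c]([^"\u201d]*)["\u201d]')

def parse_sections(rule_text):
    """Map each files/dest_file section to the list of paths it includes."""
    return {n: INCLUDE_RE.findall(b) for n, b in SECTION_RE.findall(rule_text)}

def lint_rule(rule_text):
    """Return findings for dest_file paths that break the Note 1 constraint."""
    findings = []
    for path in parse_sections(rule_text).get("dest_file", []):
        if re.match(r'[A-Za-z]:', path):
            findings.append(f"dest_file: absolute path not allowed: {path}")
        elif not path.startswith("*"):
            findings.append(f"dest_file: path must begin with a wildcard: {path}")
    return findings

def rename_meaning(rule_text):
    """Describe what files:rename monitors in this rule (Note 2)."""
    if not re.search(r'directives[^\n}]*\bfiles:rename\b', rule_text):
        return "no files:rename directive"
    sections = parse_sections(rule_text)
    has_src, has_dst = "files" in sections, "dest_file" in sections
    if has_src and has_dst:
        return "rename of the files entry to the dest_file entry (both must match)"
    if has_dst:
        return "rename of any file to the dest_file entry"
    if has_src:
        return "rename of the files entry to any other name"
    return "files:rename without a files or dest_file section"

def sample(section):
    """Build a constructed rule; time/application/user_name omitted for brevity."""
    return ("Rule {\n  Class Files\n  Id 4001\n  level 1\n  " + section +
            "\n  directives -c -d files:rename\n}")

SRC_ONLY = sample(r'files { Include "C:\\test\\abc.txt" }')
DEST_OK = sample(r'dest_file { Include "*\\test\\abc.txt" }')
DEST_BAD = sample(r'dest_file { Include "C:\\test\\abc.txt" }')

if __name__ == "__main__":
    for name, rule in (("SRC_ONLY", SRC_ONLY), ("DEST_OK", DEST_OK), ("DEST_BAD", DEST_BAD)):
        print(name, "|", rename_meaning(rule), "|", lint_rule(rule) or "ok")
```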