McAfee® Host Intrusion Prevention 6.1 Product Guide: Writing Custom Signatures
Windows Custom Signatures
Class Registry
The following table lists the possible sections of the class Registry.
Note 1
HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and
CurrentControlSet is replaced by ControlSet. For example, the registry value “abc”
under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
is represented as \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\\Control\\Lsa\\abc.
Note 2
The data of the sections old data and new data must be in hexadecimal. For example,
the data ‘def’ of registry value
“\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc” must be
represented as old_data { Include "%64%65%66"}.
| Section | Values | Notes |
|---|---|---|
| Class | Registry | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| keys or values | registry key or value | See Note 1 |
| old data | Previous data of the value | This section is optional. It is only for <directive> Modify; see Note 2. |
| new data | New data of the value | This section is optional. It is only for <directive> Modify or Create; see Note 2. |
| directives -c -d | registry:delete | Deletion of a registry key/value |
| | registry:modify | Modification of the content of a registry value or the modification of the info of a registry key |
| | registry:permissions | Modification of the permissions of a registry key. |
| | registry:read | Obtaining registry key information (number of subkeys, etc), or, getting the content of a registry value. |
| | registry:enumerate | Enumeration of a registry key, that is, getting the list of all the key’s subkeys and values. |
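
Notes 1 and 2 applied in code, as an added example that is not part of the McAfee guide: the functions rewrite an HKEY_LOCAL_MACHINE path into the form Note 1 describes and encode or decode value data as Note 2 requires. The function names, the lowercase hex digits and the new_data spelling (by analogy with the guide's old_data) are assumptions.

```python
import re

def signature_path(key, value=None):
    """Note 1: rewrite an HKEY_LOCAL_MACHINE key (and optional value name)."""
    parts = [p for p in key.split("\\") if p]
    if not parts or parts[0].upper() != "HKEY_LOCAL_MACHINE":
        raise ValueError("Note 1 only covers HKEY_LOCAL_MACHINE paths")
    # HKEY_LOCAL_MACHINE -> \REGISTRY\MACHINE, CurrentControlSet -> ControlSet
    parts = ["REGISTRY", "MACHINE"] + [
        "ControlSet" if p.lower() == "currentcontrolset" else p for p in parts[1:]
    ]
    if value is not None:
        parts.append(value)
    sep = "\\\\"  # the guide's example writes each separator as two backslashes
    return sep + sep.join(parts)

def hex_data(data):
    """Note 2: encode value data as one %XX group per byte."""
    if isinstance(data, str):
        data = data.encode("ascii")  # assumption: ASCII text, as in the guide's 'def'
    return "".join("%{:02x}".format(b) for b in data)

def decode_hex_data(text):
    """Reverse of hex_data, for reading the data sections of existing signatures."""
    if not re.fullmatch(r"(?:%[0-9A-Fa-f]{2})*", text):
        raise ValueError("expected only %XX groups: {!r}".format(text))
    return bytes.fromhex(text.replace("%", ""))

def data_section(name, data):
    """Build the fragment shown in Note 2, e.g. old_data { Include "%64%65%66"}."""
    if name not in ("old_data", "new_data"):  # new_data spelling is an assumption
        raise ValueError("unknown section: " + name)
    return '{} {{ Include "{}"}}'.format(name, hex_data(data))

if __name__ == "__main__":
    # The guide's own example key, value name and data
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    print(signature_path(key, "abc"))
    print(data_section("old_data", "def"))
```

Passing bytes rather than a string to hex_data avoids the ASCII assumption when the value data is binary.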