McAfee® Host Intrusion Prevention 6.1 Product Guide: Writing Custom Signatures
Windows Custom Signatures
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class Services. The values of these parameters can help you understand why a signature is triggered.

| GUI Name | Explanation | Possible Values |
|---|---|---|
| display names | Name of the Windows service as it is displayed in the Services Manager control panel. | |
| services | System name of the Windows service (shown in HKLM\CurrentControlSet\Services\); this may be different from the name displayed in the Services Manager control panel. | |
| params | Only applicable for starting a service: parameters passed to the service upon activation. | |
| old startup | Only applicable for creating or changing the startup mode of a service: indicates the startup mode before it was changed or attempted to be changed. | Boot, System, Automatic, Manual, Disabled |
| new startup | Only applicable for changing the startup mode of a service: indicates the startup mode that a service has after it was changed, or that it would have if the change went through. | Boot, System, Automatic, Manual, Disabled |
| logon | Only applicable for changes in the logon mode of a service: logon information (system or user account) used by the service. | |

The following rule would prevent deactivation of the Alerter service.

    Rule {
        Class Services
        Id 4001
        level 4
        Service { Include "Alerter" }
        time { Include "*" }
        application { Include "*" }
        user_name { Include "*" }
        directives -c -d service:stop
    }

The various sections of this rule have the following meaning:

Class Services: indicates that this rule relates to the Services class.

Id 4001: assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
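An added example, not part of the product guide and not McAfee code: a small Python check for rule text laid out like the Alerter rule on this page. It parses each Rule block and flags rules in one signature that do not share an Id. Treating typographic quotes picked up from a typeset PDF as something to retype as straight quotes is an assumption, and both sample inputs are constructed from the page's rule.

```python
import re
CURLY_TO_STRAIGHT = str.maketrans({"\u201c": '"', "\u201d": '"'})
SECTION = re.compile(r'^(\w+)\s*\{\s*(\w+)\s+"([^"]*)"\s*\}$')

def parse_signature(text):
    """Parse 'Rule { ... }' blocks written one statement per line."""
    rules, current = [], None
    for line in filter(None, map(str.strip, text.translate(CURLY_TO_STRAIGHT).splitlines())):
        if re.fullmatch(r"Rule\s*\{", line) and current is None:
            current = {"sections": {}}
        elif current is None or line.startswith("Rule"):
            raise ValueError(f"misplaced statement: {line!r}")
        elif line == "}":
            rules.append(current)
            current = None
        elif (m := SECTION.match(line)):
            # Service { Include "Alerter" } -> sections["service"] = ("Include", "Alerter")
            current["sections"][m.group(1).lower()] = (m.group(2), m.group(3))
        else:
            # "Id 4001" -> rule["id"] = "4001"; keys are lower-cased only for lookup here
            key, _, value = line.partition(" ")
            current[key.lower()] = value.strip()
    if current is not None:
        raise ValueError("unterminated Rule block")
    return rules

def lint_signature(text):
    """Return (rules, problems) for the text of one custom signature."""
    problems = []
    if text != text.translate(CURLY_TO_STRAIGHT):
        problems.append("typographic quotes found; retype them as straight quotes")
    rules = parse_signature(text)
    ids = sorted({r.get("id", "<missing>") for r in rules})
    if len(ids) > 1:
        problems.append(f"rules in one signature must share an Id, found {ids}")
    return rules, problems

# Constructed: the page's rule as it looks when pasted from a typeset PDF.
PAGE_RULE = """Rule {
Class Services
Id 4001
level 4
Service { Include \u201cAlerter\u201d }
time { Include \u201c*\u201d }
application { Include \u201c*\u201d}
user_name { Include \u201c*\u201d }
directives -c -d service:stop
}"""
# Constructed: the same rule twice in one signature, the second copy given Id 4002.
MISMATCHED = "\n".join(PAGE_RULE.translate(CURLY_TO_STRAIGHT).replace("4001", i) for i in ("4001", "4002"))
```

Calling `lint_signature(PAGE_RULE)` reports only the quote problem, while `lint_signature(MISMATCHED)` reports the two differing Ids.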