Optional Common Sections; Wildcards And Variables - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Rule structure
• If a single subrule includes a particular user marketing\jjohns and also excludes that same user
marketing\jjohns, the signature does not trigger even when marketing\jjohns performs an action
that would otherwise trigger it. Exclude always wins over Include.
• If a subrule includes all users but excludes the particular user marketing\jjohns, the signature
triggers only if the user is NOT marketing\jjohns.
• If a subrule includes marketing\* but excludes marketing\jjohns, the signature triggers for any
user in the marketing domain (marketing\anyone) unless that user is marketing\jjohns, in which
case it does not trigger.

Optional common sections

A rule's optional common sections and their values are listed below. For optional sections that
depend on the class section selected, see the class section under Windows and Non-Windows
custom signatures. The keywords Include and Exclude are used for both dependencies and
attributes. Include means that the section applies to the value indicated, and Exclude means
that the section applies to all values except the one indicated.
The two optional common sections are dependencies and attributes; their values and meanings are
tabulated at the end of this section.
Use of the dependencies section
Add the optional section dependencies to prevent a more general rule from triggering
alongside a more specific rule. For example, suppose there is one rule that monitors a single text
file in C:\test\
files { Include C:\\test\\abc.txt }
as well as a rule that monitors all the text files in C:\test\
files { Include C:\\test\\*.txt }
Add the dependencies section to the more specific rule, naming the id of the general rule. This tells
the system not to trigger the general rule when the specific rule is triggered.
files { Include C:\\test\\abc.txt }
dependencies "the general rule"
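
The Include/Exclude precedence from the bullets under Rule structure and the dependencies suppression just described, modelled in Python as an added example. This is not McAfee code and it does not parse the signature-file syntax: the rules are Python literals, the rule ids, user names and paths are the guide's own, and the wildcard matching (where * matches any characters and ? exactly one) is an assumption that only approximates the product's wildcard table, which follows on the next page of the guide.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Subrule:
    """Model of one Include/Exclude section of a HIPS custom signature (not the real syntax)."""
    rule_id: str
    include: List[str]
    exclude: List[str] = field(default_factory=list)
    # ids of more general rules that must not fire when this rule fires
    dependencies: List[str] = field(default_factory=list)


def value_matches(pattern: str, value: str) -> bool:
    """Assumption: '*' matches any run of characters and '?' one character, compared
    case-insensitively as Windows paths and account names are. The product's own
    wildcard table is more specific than this approximation."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def subrule_matches(rule: Subrule, value: str) -> bool:
    """Include/Exclude semantics as the guide describes them: the value must match at least
    one Include entry and no Exclude entry, so an Exclude always wins over an Include."""
    included = any(value_matches(p, value) for p in rule.include)
    excluded = any(value_matches(p, value) for p in rule.exclude)
    return included and not excluded


def triggered(rules: List[Subrule], value: str) -> List[str]:
    """Ids of the rules that fire for value after dependencies are applied: a rule named
    in the dependencies of another rule that also matched is suppressed."""
    matched = [r for r in rules if subrule_matches(r, value)]
    suppressed = {dep for r in matched for dep in r.dependencies}
    return [r.rule_id for r in matched if r.rule_id not in suppressed]


# --- constructed sample rules (Python literals, not the rule-file syntax) ---
# The guide writes the paths as C:\\test\\abc.txt inside the rule; raw strings hold the literal path here.
GENERAL_RULE = Subrule("the general rule", include=[r"C:\test\*.txt"])
SPECIFIC_RULE = Subrule("the specific rule", include=[r"C:\test\abc.txt"],
                        dependencies=["the general rule"])
FILE_RULES = [GENERAL_RULE, SPECIFIC_RULE]

# The three user cases from the "Rule structure" bullets.
SELF_CANCELLING = Subrule("include and exclude the same user",
                          include=[r"marketing\jjohns"], exclude=[r"marketing\jjohns"])
ALL_BUT_JJOHNS = Subrule("all users except jjohns",
                         include=["*"], exclude=[r"marketing\jjohns"])
MARKETING_BUT_JJOHNS = Subrule("marketing except jjohns",
                               include=[r"marketing\*"], exclude=[r"marketing\jjohns"])
USER_RULES = [SELF_CANCELLING, ALL_BUT_JJOHNS, MARKETING_BUT_JJOHNS]


if __name__ == "__main__":
    for path in (r"C:\test\abc.txt", r"C:\test\def.txt", r"C:\other\abc.txt"):
        print(f"{path:20} -> {triggered(FILE_RULES, path)}")
    for user in (r"marketing\jjohns", r"marketing\asmith", r"sales\bob"):
        print(f"{user:20} -> {[r.rule_id for r in USER_RULES if subrule_matches(r, user)]}")
```

Running it shows C:\test\abc.txt firing only the specific rule, C:\test\def.txt firing only the general rule, and marketing\jjohns matching none of the three user subrules, which is the behaviour the guide describes.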

Section         Value                              Description
dependencies    {Include/Exclude "id of a rule"}   Defines dependencies between rules and prevents the
                                                   triggering of dependent rules.
attributes      -no_log                            Events from the signature are not sent to the ePO
                                                   server.
                -not_auditable                     No exceptions are generated for the signature when
                                                   adaptive mode is applied.
                -no_trusted_apps                   The trusted application list does not apply to this
                                                   signature.
                -inactive                          The signature is disabled.

Wildcards and variables

Wildcards, meta-symbols, and predefined variables can be used as the value in the available
sections.

104 McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5