McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 109

Product guide for use with epolicy orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
| Section | Values | Notes |
|---|---|---|
| time | | |
| user_name | | |
| Executable (Use this parameter to distinguish between remote and local file access. See Note 3.) | | |
| files | File or folder involved in the operation | One of the required parameters. See Note 1 and Note 2. |
| dest_file | Destination files if the operation involves source and destination files | One of the required parameters. Used only with files:rename and files:hardlink. See Note 1 and Note 2. |
| drive_type | Network — Network file access | Allows creation of files class rules specific to drive types. |
| | Floppy — Floppy drive access | |
| | CD — CD or DVD access | |
| | OtherRemovable — USB or other removable drive access | |
| | OtherFixed — Local hard disk or other fixed hard disk access | |
| directives | files:create | Creates a file in a directory, or moves file into another directory. |
| | files:read | Opens the file with read only access. |
| | files:write | Opens the file with read-write access. |
| | files:execute | Executes the file (executing a directory means that this directory will become the current directory). |
| | files:delete | Deletes the file from a directory, or moves it to another directory. |
| | files:rename | Renames a file in the same directory. See Note 2. |
| | files:attribute | Changes the file attributes. Monitored attributes include: read-only, hidden, archive, system. |
| | files:hardlink | Creates a hard link. |

Note 1
If the section files is used, the path to a monitored folder or file can either be the full path or a wildcard. For example, the following are valid path representations:
files { Include "C:\\test\\abc.txt" }
files { Include "*\\test\\abc.txt" }

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5