McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 110

Product guide for use with epolicy orchestrator 4.5
Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
files { Include "*\\abc.txt" }
If the section dest_file is used, an absolute path cannot be used: the path must begin with a
wildcard that stands in for the drive letter. For example, the following are valid path
representations:
dest_file { Include "*\\test\\abc.txt" }
dest_file { Include "*\\abc.txt" }
Note 2
The directive files:rename has a different meaning depending on whether it is combined with the
section files or with the section dest_file.
Combined with section files, it means that renaming of the file named in section files to any
other name is monitored. For example, the following rule monitors renaming of the file
C:\test\abc.txt to any other name:
Rule {
    tag "Sample1"
    Class Files
    Id 4001
    level 4
    files { Include "C:\\test\\abc.txt" }
    Executable { Include "*" }
    user_name { Include "*" }
    directives files:rename
}
Combined with section dest_file, it means that renaming of any file to the file named in section
dest_file is monitored. For example, the following rule monitors renaming of any file to
C:\test\abc.txt (note the wildcard in place of the drive, as required in section dest_file):
Rule {
    tag "Sample2"
    Class Files
    Id 4001
    level 4
    dest_file { Include "*\\test\\abc.txt" }
    Executable { Include "*" }
    user_name { Include "*" }
    directives files:rename
}
The section files is not mandatory when the section dest_file is used. If both sections are
present, the rule matches only when the source file matches section files and the new name
matches section dest_file.
Note 3
To distinguish remote file access from local file access for any directive, set the executable
path name to "SystemRemoteClient":
Executable { Include -path "SystemRemoteClient" }
The rule then applies only when the file is accessed by a remote client; access by an executable
running locally does not match.
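As an added example, not taken from the McAfee guide, the following Python script parses rule blocks written in the syntax shown above and lints them against the three constraints this page states: a dest_file path must start with a wildcard rather than a drive letter, files:rename means "rename from" with section files and "rename to" with section dest_file, and an Executable of "SystemRemoteClient" scopes the rule to remote clients. The parser, the function names and the sample rules (Sample1 and Sample2 from the page, plus two constructed variants) are assumptions made for illustration; the HIPS agent itself does not expose such a checker.

```python
"""Hypothetical parser and lint for HIPS custom-signature Rule blocks.

Not a McAfee tool: it checks only the constraints the manual page states and
reports what a files:rename directive monitors for a given rule.
"""
import re

# A section looks like:  name { Include -flag "value" Exclude "value" }
SECTION_RE = re.compile(r'(\w+)\s*\{([^{}]*)\}', re.S)
ENTRY_RE = re.compile(r'(Include|Exclude)\s+((?:-\w+\s+)*)"([^"]*)"')
# Scalar keywords that sit directly in the Rule body, one per line.
SCALAR_RE = re.compile(r'^\s*(tag|Class|Id|level|directives)\s+(.+?)\s*$', re.M)


def parse_rule(text):
    """Split one 'Rule { ... }' block into (scalars, sections).

    sections maps a section name to a list of (kind, flags, value) tuples,
    e.g. {'Executable': [('Include', ['-path'], 'SystemRemoteClient')]}.
    """
    m = re.search(r'Rule\s*\{(.*)\}\s*$', text, re.S)
    if not m:
        raise ValueError('not a Rule { ... } block')
    body = m.group(1)
    sections = {}
    for name, inner in SECTION_RE.findall(body):
        sections[name] = [(kind, flags.split(), value)
                          for kind, flags, value in ENTRY_RE.findall(inner)]
    scalars = {}
    # Strip the brace sections first so only scalar lines remain.
    for key, value in SCALAR_RE.findall(SECTION_RE.sub('', body)):
        scalars[key] = value.strip('"')
    return scalars, sections


def lint_rule(text):
    """Return a list of problems; an empty list means the rule passes."""
    scalars, sections = parse_rule(text)
    problems = []
    if scalars.get('Class') != 'Files':
        problems.append('Class must be Files for a file signature')
    for _kind, _flags, path in sections.get('dest_file', []):
        # Absolute paths are not allowed here; the drive must be a wildcard.
        if not path.startswith('*'):
            problems.append('dest_file path must start with a wildcard: ' + path)
    if 'files:rename' in scalars.get('directives', '').split():
        if 'files' not in sections and 'dest_file' not in sections:
            problems.append('files:rename needs a files or dest_file section')
    return problems


def rename_semantics(text):
    """Describe what files:rename monitors for this rule (Note 2)."""
    scalars, sections = parse_rule(text)
    if 'files:rename' not in scalars.get('directives', '').split():
        return 'none'
    has_src, has_dst = 'files' in sections, 'dest_file' in sections
    if has_src and has_dst:
        return 'rename from files to dest_file'  # both sections must match
    if has_dst:
        return 'rename of any file to dest_file'
    return 'rename of files to any name'


def remote_only(text):
    """True when the rule matches only access by a remote client (Note 3)."""
    _scalars, sections = parse_rule(text)
    return any(value == 'SystemRemoteClient'
               for _k, _f, value in sections.get('Executable', []))


# Constructed samples: the two rules from the page, one with the absolute
# dest_file path the page forbids, and one scoped to remote clients.
SAMPLE1 = r'''Rule {
  tag "Sample1"
  Class Files
  Id 4001
  level 4
  files { Include "C:\\test\\abc.txt" }
  Executable { Include "*" }
  user_name { Include "*" }
  directives files:rename
}'''
SAMPLE2 = SAMPLE1.replace('Sample1', 'Sample2').replace(
    r'files { Include "C:\\test\\abc.txt" }',
    r'dest_file { Include "*\\test\\abc.txt" }')
BAD_DEST = SAMPLE2.replace(r'"*\\test\\abc.txt"', r'"C:\\test\\abc.txt"')
REMOTE = SAMPLE1.replace('Include "*" }', 'Include -path "SystemRemoteClient" }', 1)

if __name__ == '__main__':
    for name, rule in [('Sample1', SAMPLE1), ('Sample2', SAMPLE2),
                       ('BadDest', BAD_DEST), ('Remote', REMOTE)]:
        print(name, lint_rule(rule), rename_semantics(rule), remote_only(rule))
```

Run the script as-is to see each sample classified; feeding it a rule with `dest_file { Include "C:\\test\\abc.txt" }` reports the wildcard problem before the signature is ever pushed to clients.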
McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5