Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Executable { Include "*"}
user_name { Include "*" }
vulnerability_name {Include "Vulnerable ActiveX Control Loading ?"}
detailed_event_info { Include
"0002E533-0000-0000-C000-000000000046"\"0002E511-0000-0000-C000-000000000046"}
directives files:illegal_api_use:bad_parameter illegal_api_use:invalid_call
attributes -not_auditable
}
Windows class Illegal Use
The following table lists the possible sections and values for the Windows class Illegal Use:
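| Section    | Values                                                                 | Notes |
|------------|------------------------------------------------------------------------|-------|
| Class      | Illegal_Use                                                            |       |
| Id         | See Common sections.                                                   |       |
| level      | See Common sections.                                                   |       |
| time       | See Common sections.                                                   |       |
| user_name  | See Common sections.                                                   |       |
| Executable | See Common sections.                                                   |       |
| name       | One of three values: LsarLookupNames, LsarLookupSids, or ADMCOMConnect |       |
| directives | illegal:api                                                            |       |

Windows class Isapi (HTTP)
The following table lists the possible sections and values for the Windows class Isapi with IIS:

| Section    | Values               | Notes                                                                                                     |
|------------|----------------------|-----------------------------------------------------------------------------------------------------------|
| Class      | Isapi                |                                                                                                           |
| Id         | See Common sections. |                                                                                                           |
| level      | See Common sections. |                                                                                                           |
| time       | See Common sections. |                                                                                                           |
| user_name  | See Common sections. |                                                                                                           |
| Executable | See Common sections. |                                                                                                           |
| url        |                      | One of the required parameters. Matched against the URL part of an incoming request. See Notes 1-4.      |
| query      |                      | One of the required parameters. Matched against the query part of an incoming request. See Notes 1-4.    |

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5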