McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 118

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
| Section | Values | Notes |
| --- | --- | --- |
| Class | Registry | |
| Id | See Common sections. | |
| level | | |
| time | | |
| user_name | | |
| Executable | | |
| keys | Registry key operation | One of the required parameters. Use with key operations (create, delete, rename, enumerate, monitor, restore, read, replace, load). See Note 1. |
| dest_keys | Registry key operation | Optional. Only for registry:rename when a key is renamed. The target is the name of the key. |
| values | Registry key value operation | One of the required parameters. Use with registry value operations (delete, read, modify, create). |
| new_data | Registry key value operation. New data of the value. | Optional. Only for registry:modify or registry:create. See Note 2. |
| directives | registry:delete | Deletes a registry key or value. |
| | registry:modify | Modifies the content of a registry value or the info of a registry key. |
| | registry:create | Allows a registry key to be created. |
| | registry:permissions | Modifies the permissions of a registry key. |
| | registry:read | Obtains registry key information (number of subkeys, etc.), or gets the content of a registry value. |
| | registry:enumerate | Enumerates a registry key, that is, gets the list of all the key's subkeys and values. |
| | registry:monitor | Requests to monitor a registry key. |
| | registry:restore | Restores a hive from file, like the regedit32 restore function. |
| | registry:replace | Restores a registry setting but only after a restart. |
| | registry:load | Loads registry keys or values from a file. |
| | registry:open_existing_key | Opens an existing registry key. |
| | registry:rename | Renames a registry key. |

Note 1
HKEY_LOCAL_MACHINE in a registry path is replaced by \REGISTRY\MACHINE\ and CurrentControlSet is replaced by ControlSet. For example, the registry value "abc" under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa is represented as \REGISTRY\MACHINE\SYSTEM\\ControlSet\\Control\\Lsa\\abc.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5
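The parameter constraints in the table and the path rewrite in Note 1 can be checked mechanically before a custom signature is deployed. The following is an added example, not code from the product guide or from McAfee; the dict layout, the function names `normalize_path` and `lint_signature`, and the sample draft are assumptions made for illustration.

```python
# Added example: lints a draft Registry-class signature against the table above.
# The dict layout is an assumption of this example, not the product's rule syntax.
# Paths use single backslashes; no rule-file escaping is applied.
DIRECTIVES = {"delete", "modify", "create", "permissions", "read", "enumerate",
              "monitor", "restore", "replace", "load", "open_existing_key",
              "rename"}

# Constructed sample draft (not taken from the product guide).
DRAFT = {
    "directives": ["registry:read"],
    "values": ["HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\abc"],
    "new_data": ["1"],
}


def normalize_path(path):
    """Apply Note 1: rewrite the hive prefix and CurrentControlSet."""
    parts = path.lstrip("\\").split("\\")
    if parts[0].upper() == "HKEY_LOCAL_MACHINE":
        parts[0:1] = ["REGISTRY", "MACHINE"]
    parts = ["ControlSet" if p.lower() == "currentcontrolset" else p for p in parts]
    return "\\" + "\\".join(parts)


def lint_signature(sig):
    """Return a list of findings; an empty list means no conflict was found."""
    findings, ops = [], set()
    for d in sig.get("directives", []):
        prefix, _, op = d.partition(":")
        if prefix == "registry" and op in DIRECTIVES:
            ops.add(op)
        else:
            findings.append(f"unknown directive: {d}")
    keys, values = sig.get("keys", []), sig.get("values", [])
    if not keys and not values:
        findings.append("one of keys or values is required")
    if sig.get("dest_keys") and "rename" not in ops:
        findings.append("dest_keys applies only to registry:rename")
    if sig.get("new_data") and not ops & {"modify", "create"}:
        findings.append("new_data applies only to registry:modify or registry:create")
    for p in keys + values + sig.get("dest_keys", []):
        if normalize_path(p) != p:
            findings.append(f"rewrite per Note 1: {p} -> {normalize_path(p)}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_signature(DRAFT)))
```

The sample draft produces two findings: `new_data` is set without a modify or create directive, and the path still uses the HKEY_LOCAL_MACHINE and CurrentControlSet forms.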
