McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual page 119

Product guide for use with epolicy orchestrator 4.5
Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
Note 2
The data in the new data section must be in hexadecimal. For example, the data 'def' of the registry value "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\abc" must be represented as old_data { Include "%64%65%66"}.
Advanced details
Some or all of the following parameters appear in the Advanced Details tab of security events
for the class Registry. The values of these parameters can help you understand why a signature
is triggered.
GUI name          Explanation

Registry Key
  Name of the registry key affected, including the path name. Note the following:

  For this key            Use this syntax
  HKEY_LOCAL_MACHINE\     \REGISTRY\MACHINE\
  HKEY_CURRENT_USER\      \REGISTRY\CURRENT_USER\
  HKEY_CLASSES_ROOT\      \REGISTRY\MACHINE\SOFTWARE\CLASSES\
  HKEY_CURRENT_CONFIG\    REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001\
  HKEY_USERS\             \REGISTRY\USER\

Registry Values
  Name of the registry value concatenated with the full name of its key. Note the following:

  For values in this key       Use this syntax
  HKEY_LOCAL_MACHINE\Test      \REGISTRY\MACHINE\Test\*
  HKEY_CURRENT_USER\Test       \REGISTRY\CURRENT_USER\Test\*
  HKEY_CLASSES_ROOT\Test       \REGISTRY\MACHINE\SOFTWARE\CLASSES\Test\*
  HKEY_CURRENT_CONFIG\Test     REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001\Test\*
  HKEY_USERS\Test              \REGISTRY\USER\Test\*

old data
  Only applicable for registry value changes: the data that a registry value contained before it was changed, or before the change was attempted.

new data
  Only applicable for registry value changes: the data that a registry value contains after it was changed, or that it would contain if the change went through.

old data type
  Only applicable for registry value changes: the data type of a registry value before it was changed, or before the change was attempted.

new data type
  Only applicable for registry value changes: the data type that a registry value would contain after it was changed, or that it would contain if the change went through.

The following rule would prevent anybody and any process from deleting the registry value "abc" under the registry key "\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa":

Rule {
  tag "Sample8"
  Class Registry
  Id 4001

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5    119
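As an added example (my own code, not from the product guide or from McAfee), the following Python helpers apply the two conventions this page documents when authoring a Registry-class signature: the hive mapping from the two tables (HKEY_* names to the \REGISTRY\ native form, with the values form ending in \*) and the hexadecimal %XX encoding from Note 2, plus a decoder for reading old data / new data out of an event's Advanced Details. All function names are mine. Two assumptions are made: the HKEY_CURRENT_CONFIG row is given a leading backslash like the other rows (the guide prints it without one), and string data is encoded one byte per character, as in the guide's 'def' example.

```python
# Added example: helpers for writing McAfee Host IPS Registry-class custom
# signatures following this page's path-syntax tables and Note 2. The names
# here are mine, not product identifiers.

HIVE_MAP = {
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKEY_CURRENT_USER": r"\REGISTRY\CURRENT_USER",
    "HKEY_CLASSES_ROOT": r"\REGISTRY\MACHINE\SOFTWARE\CLASSES",
    # Assumption: the guide prints this row without the leading backslash;
    # one is added here so the row is consistent with the others.
    "HKEY_CURRENT_CONFIG": r"\REGISTRY\MACHINE\SYSTEM\ControlSet\HARDWARE PROFILES\0001",
    "HKEY_USERS": r"\REGISTRY\USER",
}


def to_signature_key(win32_path):
    """Translate an HKEY_* key path into the \\REGISTRY\\ form of the
    'Registry Key' table. A leading backslash (as in the guide's own
    examples) is tolerated, and a trailing backslash on a bare hive is
    kept, so 'HKEY_LOCAL_MACHINE\\' becomes '\\REGISTRY\\MACHINE\\'."""
    path = win32_path.lstrip("\\")
    hive, sep, rest = path.partition("\\")
    native = HIVE_MAP.get(hive.upper())
    if native is None:
        raise ValueError("unknown registry hive: %r" % hive)
    return native + sep + rest


def to_signature_values(win32_key):
    """'Registry Values' form: the values under a key are matched by the
    translated key path followed by '\\*', e.g. HKEY_LOCAL_MACHINE\\Test
    becomes \\REGISTRY\\MACHINE\\Test\\*."""
    return to_signature_key(win32_key).rstrip("\\") + "\\*"


def hex_encode(data):
    """Encode value data as Note 2 requires: one %XX escape per byte, so
    'def' becomes '%64%65%66'. Assumption: a str is taken one byte per
    character, as in the guide's example; pass bytes for anything else."""
    if isinstance(data, str):
        data = data.encode("latin-1")
    return "".join("%%%02x" % b for b in data)


def hex_decode(escaped):
    """Reverse of hex_encode: turn the old/new data shown in an event or a
    signature back into bytes, rejecting anything that is not %XX groups."""
    parts = escaped.split("%")
    if parts[0] != "" or any(len(p) != 2 for p in parts[1:]):
        raise ValueError("malformed hex-escaped data: %r" % escaped)
    return bytes(int(p, 16) for p in parts[1:])


def data_section(section, data):
    """Render an old_data / new_data section in the syntax Note 2 shows."""
    return '%s { Include "%s"}' % (section, hex_encode(data))


if __name__ == "__main__":
    key = r"\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    print(to_signature_key(key))
    print(to_signature_values(key))
    print(data_section("old_data", "def"))
    print(hex_decode("%64%65%66"))
```

Run as a script it prints the native key path, the matching values pattern, the old_data section from Note 2 (`old_data { Include "%64%65%66"}`) and the decoded bytes b'def'. Unknown hive names and malformed %XX strings raise ValueError rather than silently producing a pattern that would never match.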
