Windows Class Sql - McAfee HISCDE-AB-IA - Host Intrusion Prevention Product Manual

Product guide for use with ePolicy Orchestrator 4.5

Appendix A — Writing Custom Signatures and Exceptions
Windows custom signatures
The following rule would prevent deactivation of the Alerter service.
Rule {
    tag "Sample9"
    Class Services
    Id 4001
    level 4
    Service { Include "Alerter" }
    application { Include "*" }
    user_name { Include "*" }
    directives service:stop
}
The various sections of this rule have the following meaning:
• Class Services: Indicates that this rule relates to the Services class.
• Id 4001: Assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same ID.
• level 4: Assigns the severity level 'high' to this rule. If the custom signature had multiple rules, every one of these rules would need to use the same level.
• Service { Include "Alerter" }: Indicates that the rule covers the service named "Alerter". If the rule covers multiple services, add them in this section on separate lines.
• application { Include "*" }: Indicates that this rule is valid for all processes. If you want to limit your rule to specific processes, spell them out here, complete with path name.
• user_name { Include "*" }: Indicates that this rule is valid for all users (or more precisely, the security context in which a process runs). If you want to limit your rule to specific user contexts, spell them out here in the form Local/user or Domain/user. See Common Sections for details.
• directives service:stop: Indicates that this rule covers deactivation of a service.
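To make the rule grammar and the constraints above concrete, here is an added Python checker (not McAfee's code) that parses Rule blocks in the format shown and verifies what the list states: required sections are present, every rule in a signature shares the same Id and level, and user_name is either "*" or of the Local/user or Domain/user form. The second rule and the CORP/svc_backup user are constructed for the example.

```python
import re

# Constructed sample: the page's Alerter rule plus a second rule that
# extends the same signature to the Messenger service (hypothetical).
SAMPLE = '''
Rule {
    tag "Sample9"
    Class Services
    Id 4001
    level 4
    Service { Include "Alerter" }
    application { Include "*"}
    user_name { Include "*" }
    directives service:stop
}
Rule {
    tag "Sample9b"
    Class Services
    Id 4001
    level 4
    Service { Include "Messenger" }
    application { Include "*" }
    user_name { Include "CORP/svc_backup" }
    directives service:stop
}
'''

RULE_RE = re.compile(r'Rule\s*\{(.*?)\n\}', re.S)                  # one Rule { ... } block
BRACE_RE = re.compile(r'^(\w+)\s*\{\s*Include\s+"([^"]*)"\s*\}$')  # name { Include "value" }
PLAIN_RE = re.compile(r'^(\w+)\s+"?([^"]*)"?$')                     # name value  /  name "value"
REQUIRED = ("Class", "Id", "level", "directives")

def parse_rules(text):
    """Parse every Rule { ... } block into a dict of section -> value."""
    rules = []
    for body in RULE_RE.findall(text):
        rule = {}
        for line in body.strip().splitlines():
            line = line.strip()
            m = BRACE_RE.match(line) or PLAIN_RE.match(line)
            if not m:
                raise ValueError("unparsed line: %r" % line)
            rule[m.group(1)] = m.group(2)
        rules.append(rule)
    return rules

def check_signature(rules):
    """Return the consistency problems described in the text, [] if none."""
    problems = []
    for i, r in enumerate(rules):
        for key in REQUIRED:
            if key not in r:
                problems.append("rule %d: missing %s" % (i, key))
        user = r.get("user_name", "*")
        if user != "*" and "/" not in user:      # must be Local/user or Domain/user
            problems.append("rule %d: user_name %r is not Local/user or Domain/user" % (i, user))
    for key in ("Id", "level"):                  # all rules of one signature share these
        values = {r.get(key) for r in rules}
        if len(values) > 1:
            problems.append("%s differs across rules: %s" % (key, sorted(map(str, values))))
    return problems
```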

Windows class SQL

The following table lists the possible sections and values for the Windows class SQL:
Section               Values                                                          Notes
Class                 MSSQL
Id                    See Common sections.
level                 See Common sections.
time                  See Common sections.
user_name             See Common sections.
Executable            See Common sections.
authentication_mode   Boolean value that specifies whether Windows authentication
                      (set to 1) or SQL authentication (set to 0) was used.
client_agent          Name of the utility sending the request on the client system.   Example: OSQL-32, Internet Information Services

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5   122