Appendix A — Writing Custom Signatures and Exceptions
Non-Windows custom signatures
| Section | Values | Notes |
|---|---|---|
| | unixfile:link | Creates a hard link. See Note 3. |
| | unixfile:mkdir | Creates a directory. |
| | unixfile:read | Opens a file in read only mode. |
| | unixfile:rename | Renames a file. See Note 4. |
| | unixfile:rmdir | Removes a directory. |
| | unixfile:symlink | Creates a symbolic link. |
| | unixfile:unlink | Deletes a file from a directory or deletes a directory. |
| | unixfile:write | Opens a file in read/write mode. |
| | unixfile:setattr | Linux only. Changes the permissions and ownership of the directory or file. |
| | unixfile:mknod | Creates a node. |
| | unixfile:access | Changes the file attributes. Monitored attributes are "Read-only", "Hidden", "Archive" and "System". |
| | unixfile:foolaccess | Solaris Only. File name has 512 consecutive '/'. |
| | unixfile:priocntl | Solaris Only. Displays or sets scheduling parameters. |

Note 1
Relevant directives per section:
Table columns: Directive, File, Source, File Permission, New Permission
Directives: chdir, chmod, chown, create, link, mkdir, read, rename, rmdir, setattr, symlink, unlink, write

Note 2
The value of the sections file permissions and new permissions corresponds to the Access Control List (acl). These can have values of "SUID" or "SGID" only.

McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5