Correct Syntax for OBJECT_SIZE Match Type Value

Hi all, I was wondering if anyone could confirm the correct syntax to use with OBJECT_SIZE; I've not been able to find it documented anywhere. If anyone knows where I can find this information please let me know :-). I'm hoping to write a rule that will apply to files of less than a certain size, and whilst I can get my rule to compile it is not working as I would expect. As a POC the rule below should stop me from reading a 4 byte file named 'test.txt' with notepad.

Rule {
    Process {
        Include OBJECT_NAME { -v NOTEPAD.EXE* }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\test.txt" }
            Include OBJECT_SIZE {-v " > 0 "}
            Include ACCESS_MASK {-v "READ"}
        }
    }
}

Thanks for any help!
Reply from McAfee Employee rCreecy

Re: Correct Syntax for OBJECT_SIZE Match Type Value

Hello!


OBJECT_SIZE for expert rule creation accepts only INT64 values and does not have the ability to call comparison methods from within the integer value declaration. In order to target a 4 byte file directly with the rule, the following syntax must be used.


Rule {
    Process {
        Include OBJECT_NAME { -v NOTEPAD.EXE* }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\test.txt" }
            Include OBJECT_SIZE {-v "4"}
            Include ACCESS_MASK {-v "READ"}
        }
    }
}


If after configuring the rule, you are still not observing the intended behavior, enable debug logging for the Threat Prevention module and reach out to support. Debug logging may show further insight into why the rule is crashing or failing to function properly.


https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-client-product-guide-windo...

Each Match_type value uses a specific data type for its possible values. The supported data types are:

  • INTx/UINTx — All match numeric values.
  • String — A text string.
  • Bitmask — A numeric value expressed in hexadecimal notation, which is logically evaluated.


Thank you!

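An added example, not from this thread and not McAfee code: a small Python lint that parses Expert Rule text of the shape shown above and checks each `-v` value against the data-type rule the reply quotes (INTx/UINTx numeric, String text, Bitmask hexadecimal). Run over the question's rule it flags the `OBJECT_SIZE {-v " > 0 "}` entry, because a comparison expression is not an INT64; run over the corrected rule it reports nothing. The match-type-to-kind table, the regular expressions and the two embedded sample rules are assumptions constructed for this example; only the fact that OBJECT_SIZE takes an INT64 value, and the three match types used, come from the page.

```python
import re
from typing import List, Optional

INT64_MIN, INT64_MAX = -(2 ** 63), 2 ** 63 - 1

# Expected value kind per Match_type. Only the match types that appear on this
# page are listed (assumption of this example, not a complete product table).
# OBJECT_SIZE is INT64 per the reply; OBJECT_NAME is a text pattern; ACCESS_MASK
# is treated as String here only because the page passes it the text "READ".
MATCH_TYPE_KIND = {
    "OBJECT_SIZE": "INT64",
    "OBJECT_NAME": "String",
    "ACCESS_MASK": "String",
}

# Matches `Include <MATCH_TYPE> { -v <value> }` (or Exclude) with a quoted or
# bare value, tolerating the missing space in `{-v` as written on the page.
INCLUDE_RE = re.compile(
    r'(?:Include|Exclude)\s+(?P<type>[A-Z_]+)\s*\{\s*-v\s*'
    r'(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s}]+))\s*\}'
)
COMPARISON_RE = re.compile(r"[<>=!]")
HEX_RE = re.compile(r"^0[xX][0-9A-Fa-f]+$")


def check_value(match_type: str, raw: str) -> Optional[str]:
    """Return an issue string if `raw` is not a valid value for `match_type`."""
    kind = MATCH_TYPE_KIND.get(match_type)
    if kind is None:
        return None  # unknown match type: nothing to check
    value = raw.strip()
    if kind == "INT64":
        if COMPARISON_RE.search(value):
            return (f"{match_type}: comparison operator in {raw!r}; "
                    "INT64 values must be an exact integer, not an expression")
        if not re.fullmatch(r"-?\d+", value):
            return f"{match_type}: {raw!r} is not an integer"
        if not INT64_MIN <= int(value) <= INT64_MAX:
            return f"{match_type}: {raw!r} is outside the INT64 range"
    elif kind == "Bitmask":
        if not HEX_RE.match(value):
            return f"{match_type}: {raw!r} is not a hexadecimal bitmask"
    elif kind == "String":
        if not value:
            return f"{match_type}: empty string value"
    return None


def lint_rule(text: str) -> List[str]:
    """Collect value-type issues (and brace imbalance) for one rule body."""
    issues = []
    if text.count("{") != text.count("}"):
        issues.append("unbalanced braces")
    for m in INCLUDE_RE.finditer(text):
        raw = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        issue = check_value(m.group("type"), raw)
        if issue:
            issues.append(issue)
    return issues


# Constructed samples: the rule from the question and the rule from the reply.
ORIGINAL_RULE = r'''
Rule {
    Process { Include OBJECT_NAME { -v NOTEPAD.EXE* } }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\test.txt" }
            Include OBJECT_SIZE {-v " > 0 "}
            Include ACCESS_MASK {-v "READ"}
        }
    }
}
'''

FIXED_RULE = ORIGINAL_RULE.replace('{-v " > 0 "}', '{-v "4"}')

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        print(name, "->", lint_rule(rule) or "no issues")
```

The lint is deliberately strict about INT64: a value that contains any of `< > = !` is rejected before the integer check, so the failure message names the actual mistake (an expression where an exact number belongs) rather than a generic parse error.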