rdasso
Level 9
Message 1 of 7

Undocumented AAC Expert Rule Options


There's another post that found an undocumented MATCH_type... if you find other undocumented MATCH_types, please post them so everyone can benefit. 

EXP_USER_NAME - Matches the user name... doesn't seem to check the domain. Works for PROCESS Object_Type_Values. Example: Match PROCESS { Include EXP_USER_NAME { -v "admin" } }

Syntax for FILE_PROPERTIES does not require -v... it's simply Target { Match FILE { Include FILE_PROPERTIES 0x2 } }

6 Replies
McAfee Employee chealey
McAfee Employee
Message 2 of 7

Re: Undocumented AAC Expert Rule Options


Hi @rdasso

Just to add, some of the options including FILE_PROPERTIES are documented here:

https://kc.mcafee.com/corporate/index?page=content&id=PD27227 

- or in the latest product guide (Chapter 9): 

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27574/en_US/...

rdasso
Level 9
Message 3 of 7

Re: Undocumented AAC Expert Rule Options


Yes, the various Match_types are listed there... but there's no example on how to actually use them in a rule. The syntax for FILE_PROPERTIES is not the same as examples given for other Match_types (like OBJECT_NAME). This is a major problem with the documentation. 

McAfee Employee jess_arman
McAfee Employee
Message 4 of 7

Re: Undocumented AAC Expert Rule Options


@rdasso We do have internal teams working on an "Expert Rule Cookbook" so to speak, that will have more detailed examples for each Match_type, different complexity levels, and examples. However, this endeavor does take time to complete, and is targeted for sometime early next year.

Considering what you're asking for in this instance, here's an example that contains OBJECT_NAME and FILE_PROPERTIES Match_types. The rule will block CMD from creating files in a network path:

    Rule {
        Process {
            Include OBJECT_NAME { -v cmd.exe }
        }
        Target {
            Match FILE {
                Include OBJECT_NAME { -v ** }
                Include -file_properties "FILE_NETWORK"
                Include -access "CREATE"
            }
        }
    }

 


rdasso
Level 9
Message 5 of 7

Re: Undocumented AAC Expert Rule Options


That's good to hear! FWIW, I'm not asking for help with any particular rule in this thread... the goal is to note undocumented options.... to get them into one place. 

In the example, you gave us a good new undocumented option: Include -file_properties "FILE_NETWORK"

Do you have other file properties we can use with this? Is this different from the (half) documented FILE_PROPERTIES match type? (Include FILE_PROPERTIES 0x1) If not, what are the equivalent names (i.e.: NETWORK (0x1) = "FILE_NETWORK"... what does REMOVABLE (0x2) map to?)

Your example also uses the 'shortcut' syntax that is otherwise only noted for use with processor_mode, vtp_trust and access_types... do you know of any other Match_type shortcuts? For example, can we do this: Include -file_attributes "Archive"

 

 

rdasso
Level 9
Message 6 of 7

Re: Undocumented AAC Expert Rule Options


I found another undocumented feature...

Include/Exclude AggregateMatch { } appears to be a way to group multiple Include/Exclude's. 

As an example, you could exclude notepad.exe when it is running in user mode. 

    Exclude AggregateMatch {
        Include OBJECT_NAME { -v "notepad.exe" }
        Include -processor_mode user
    }

 

 

 

Re: Undocumented AAC Expert Rule Options


Valid file properties values are:

FILE_NETWORK

FILE_REMOVABLE

FILE_FLOPPY

FILE_CD

FILE_DFS

FILE_REDIRECTOR
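As an added example (not code from this thread or from McAfee), here is a small Python linter for Expert Rule snippets. It assumes only what the posts above show: blocks nest with braces, string values are double-quoted, and the valid -file_properties names are the six listed in the reply above. It flags unbalanced braces, an unterminated quote on a line (the kind of slip that is easy to make in an AggregateMatch block) and unknown file-property names, so a rule can be checked before it is pushed out.

```python
import re

# Valid -file_properties values, as listed in the final reply of this thread.
VALID_FILE_PROPERTIES = {"FILE_NETWORK", "FILE_REMOVABLE", "FILE_FLOPPY",
                         "FILE_CD", "FILE_DFS", "FILE_REDIRECTOR"}

def lint_expert_rule(rule_text):
    """Return the problems found in an Expert Rule snippet ([] if clean):
    unbalanced braces, an unterminated double quote on a line, or a
    -file_properties value outside the set listed in this thread."""
    problems = []
    depth = 0  # current brace nesting level
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        if line.count('"') % 2:  # an odd number of quotes never closes
            problems.append(f"line {lineno}: unterminated quote")
        depth += line.count("{") - line.count("}")
        if depth < 0:
            problems.append(f"line {lineno}: closing brace without an open")
            depth = 0
        m = re.search(r'-file_properties\s+"?(\w+)"?', line)
        if m and m.group(1) not in VALID_FILE_PROPERTIES:
            problems.append(f"line {lineno}: unknown file property {m.group(1)}")
    if depth:
        problems.append(f"end of rule: {depth} unclosed brace(s)")
    return problems

# The rule posted above (block cmd.exe creating files on a network path).
RULE_CMD_NETWORK = """Rule {
    Process {
        Include OBJECT_NAME { -v cmd.exe }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v ** }
            Include -file_properties "FILE_NETWORK"
            Include -access "CREATE"
        }
    }
}"""

# The AggregateMatch snippet from this thread with a constructed defect:
# the closing quote after notepad.exe is missing.
SNIPPET_AGGREGATE_BAD_QUOTE = """Exclude AggregateMatch {
    Include OBJECT_NAME { -v "notepad.exe }
    Include -processor_mode user
}"""

# Constructed variant: a property name that is not in the known list.
SNIPPET_UNKNOWN_PROPERTY = 'Include -file_properties "FILE_USB"'
```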
