cancel
Showing results for 
Search instead for 
Did you mean: 
rdasso
Level 9
Report Inappropriate Content
Message 1 of 11

Undocumented AAC Expert Rule Options

Jump to solution

There's another post that found an undocumented MATCH_type... if you find other undocumented MATCH_types, please post them so everyone can benefit. 

EXP_USER_NAME - Matches the user name... doesn't seem to check the domain. Works for PROCESS Object_Type_Values. Example: Match PROCESS { Include EXP_USER_NAME { -v "admin" } }

Syntax for FILE_PROPERTIES does not require -v... it's simply Target { Match FILE { Include FILE_PROPERTIES 0x2 } }

Tags (1)
1 Solution

Accepted Solutions
Highlighted
McAfee Employee jess_arman
McAfee Employee
Report Inappropriate Content
Message 4 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

@rdasso We do have internal teams working on an "Expert Rule Cookbook" so to speak, that will have more detailed examples for each Match_type, different complexity levels, and examples. However, this endeavor does take time to complete, and is targeted for sometime early next year.

Considering what you're asking for in this instance, here's an example that contains OBJECT_NAME and FILE_PROPERTIES Match_types. The rule will block CMD from creating files in a network path:

            Rule {

                Process {

                    Include OBJECT_NAME { -v cmd.exe }                }

                Target {

                    Match FILE {

                        Include OBJECT_NAME { -v ** }

                        Include -file_properties "FILE_NETWORK"

                        Include -access "CREATE"

                    }

               }

            }

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

10 Replies
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 2 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

Hi @rdasso

Just to add, some of the options including FILE_PROPERTIES are documented here:

https://kc.mcafee.com/corporate/index?page=content&id=PD27227 

- or in the latest product guide (Chapter 9): 

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27574/en_US/...

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
rdasso
Level 9
Report Inappropriate Content
Message 3 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

Yes, the various Match_types are listed there... but there's no example on how to actually use them in a rule. The syntax for FILE_PROPERTIES is not the same as examples given for other Match_types (like OBJECT_NAME). This is a major problem with the documentation. 

Highlighted
McAfee Employee jess_arman
McAfee Employee
Report Inappropriate Content
Message 4 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

@rdasso We do have internal teams working on an "Expert Rule Cookbook" so to speak, that will have more detailed examples for each Match_type, different complexity levels, and examples. However, this endeavor does take time to complete, and is targeted for sometime early next year.

Considering what you're asking for in this instance, here's an example that contains OBJECT_NAME and FILE_PROPERTIES Match_types. The rule will block CMD from creating files in a network path:

            Rule {

                Process {

                    Include OBJECT_NAME { -v cmd.exe }                }

                Target {

                    Match FILE {

                        Include OBJECT_NAME { -v ** }

                        Include -file_properties "FILE_NETWORK"

                        Include -access "CREATE"

                    }

               }

            }

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

rdasso
Level 9
Report Inappropriate Content
Message 5 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

That's good to hear! FWIW, I'm not asking for help with any particular rule in this thread... the goal is to note undocumented options.... to get them into one place. 

In the example, you gave us a good new undocumented option: Include -file_properties "FILE_NETWORK"

Do you have other file properties we can use with this? Is this different from the (half) documented FILE_PROPERTIES match type? (Include FILE_PROPERTIES 0x1) If not, what are the equivalent names (ie: NETWORK (0x1) = "FILE_NETWORK"... what does REMOVABLE (0x2) map to?)

Your example also uses the 'shortcut' syntax that is otherwise only noted for use with processor_mode, vtp_trust and access_types... do you know of any other Match_type shortcuts? For example, can we do this: Include -file_attributes "Archive"

 

 

rdasso
Level 9
Report Inappropriate Content
Message 6 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

I found another undocumented feature...

Include/Exclude AggregateMatch { } appears to be a way to group multiple Include/Exclude's. 

As an example, you could exclude notepad.exe when it is running in user mode. 

Exclude AggregateMatch {

   Include OBJECT_NAME { -v "notepad.exe }

   Include -processor_mode user

   }

 

 

 

bertels
Level 8
Report Inappropriate Content
Message 7 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

Valid file properties values are:

FILE_NETWORK

FILE_REMOVABLE

FILE_FLOPPY

FILE_CD

FILE_DFS

FILE_REDIRECTOR

cn
Level 7
Report Inappropriate Content
Message 8 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

Does EXP_USER_NAME still work?  I tried using it in an AAC Expert Process rule and it did not seem to work for me at all.  I tried it as the initiator and under the target, but whenever I use the account that should trigger it, nothing shows up.  I take it out and it works fine.  Did this get removed in 10.6 or am I simply not using it correctly?  The admin user is something like someadmin1, but when I launch any of the browser processes with the account and even never gets generated unless I remove EXP_USER_NAME from the rule.  Please help.  We are currently on 10.6.0.542 ENS and Threat Prevention 10.6.0.672.

Rule {
Process {
Include OBJECT_NAME { -v ** }
Include EXP_USER_NAME { -v "*admin*" }
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v iexplore.exe }
Include OBJECT_NAME { -v chrome.exe }
Include OBJECT_NAME { -v firefox.exe }
Include OBJECT_NAME { -v MicrosoftEdge.exe }
Include -access "CREATE"
}
}
}

OR 

 

Rule {
Process {
Include OBJECT_NAME { -v ** }
}
Target {
Match PROCESS {
Include OBJECT_NAME { -v iexplore.exe }
Include OBJECT_NAME { -v chrome.exe }
Include OBJECT_NAME { -v firefox.exe }
Include OBJECT_NAME { -v MicrosoftEdge.exe }
Include EXP_USER_NAME { -v "*admin*" }
Include -access "CREATE"
}
}
}
McAfee Employee jess_arman
McAfee Employee
Report Inappropriate Content
Message 9 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

@cn Try changing the variable syntax to just USER_NAME and see how it goes. 

Here's an excerpt from a previous syntax guide (PD27574) which shows the variable as that and not having the EXP_ part

Rule {
service { Include "Alerter" }
application { Include "*"}
user_name { Include "*" }
directives service:stop
}

 

user_name { Include
“*” }
Indicates that this rule is valid for all users (or more precisely, the security context in
which a process runs).
To limit the rule to specLfic user contexts, list them using the form Local/user or
Domain/user.

 

Also, when in the expert rule creation screen, if you have "use Expert Rule template" checked, and select "Illegal API use" as the type, you can see in the example template that the variable is just user_name {Include"*"}

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Reliable Contributor Daniel_S
Reliable Contributor
Report Inappropriate Content
Message 10 of 11

Re: Undocumented AAC Expert Rule Options

Jump to solution

Are there any news on the cookbook so far?

Best regards
Dan
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator