My organization makes use of a few different web portal technologies, both of which create compressed temp files on the disk. We have HIPS 7.0, and a signature for IIS6 Evelope - File Modification by IIS Process.
I know the process and the user account it's run as. I also know the location used for the temp files. The temp file names, however, change constantly. What I'd like to be able to do is create an exception to this particular signature for that location, rather than one that excludes a particular file name.
Is that possible, and if so, can anyone shed some light as to how?
The best way is to create an exception from the event itself. You can incorporate a wildcard if you need to but make sure you have other parameters to make the signature specific to that process and user account.
I can't get this to work either. Is it possible to exclude an entire folder from a signature?
I'm testing on the Adobe folder for signature 3905. I've gone bare-bones with my test case: no parameters defined aside from Executable, and within the Executable, only File Name defined. I've tried every iteration of wildcards. Right now, I have C:\**\ADOBE\**\*.EXE.
3905 is still being triggered by executables in Adobe folders though. What am I missing?
Is it possible to exclude an entire folder from a signature?
Yes, you can exclude entire directories, if you wish. The syntax would be similar to the previous suggestions.
C:\**\FOLDERNAME\ does appear to be working.
Interestingly, C:\**\FOLDERNAME\**\*.EXE also seemed to work.
But, why doesn't **\FOLDERNAME\ or just FOLDERNAME\ work?
I'm stuck. My folder exceptions aren't working 100% of the time. Some examples:
I'm trying to exclude C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE with C:\**\MICROSOFT*\ or C:\MICROSOFT LYNC\, but nothing is working.
Neither is C:\USERS\NAME\APPDATA\LOCAL\CITRIX\GOTOMEETIN\3211\G2MUPLOAD.EXE with C:\**\CITRIX\.
Any thoughts on why this isn't working?
I think there might be a problem if there's a space in the file path, as in PROGRAM FILES (X86). Does anyone know about this issue or how to get around it?
If you want to exclude the hips file: "C:\PROGRAM FILES (86)\MICROSOFT LYNC\UCMAPI.EXE" then you need to write the exclusion like this (following your way above):
But my suggestions are these since you know the directory
In your example without the stars at the end, you are telling it to literally look for and ignore a directory (C:\**\MICROSOFT*\). It doesn't know to keep looking deeper for any files in that directory. This seems to be your problem for the other example as well.
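The thread's disagreement (a bare `C:\**\FOLDERNAME\` reportedly working for one poster, but not matching files underneath for another) comes down to how the wildcards are interpreted. The script below is an added example, not McAfee's matcher or anything from the original posts: it models one plausible set of semantics (`**` spans directory separators, `*` stays within a single path component, matching is case-insensitive and must cover the whole path) so that a defender can dry-run candidate exclusions against the exact file paths seen in the events before touching the policy. The paths for UCMAPI.EXE and G2MUPLOAD.EXE are the ones quoted in the thread; the Adobe path is constructed for illustration. Whether the real product requires a drive prefix (the `**\FOLDERNAME\` question above) is not something this model answers.

```python
import re

# Assumed HIPS-style wildcard semantics (a model for testing, not McAfee's documented matcher):
#   **\  zero or more directory components (crosses backslashes)
#   **   any run of characters, including backslashes
#   *    any run of characters within one path component
#   ?    one character within one path component
# Matching is case-insensitive and anchored to the whole path.
def hips_pattern_to_regex(pattern: str) -> re.Pattern:
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**\\", i):      # "**\" : optional run of directories
            parts.append(r"(?:.*\\)?")
            i += 3
        elif pattern.startswith("**", i):      # bare "**" : anything, separators included
            parts.append(r".*")
            i += 2
        elif pattern[i] == "*":                # "*" : stays inside one component
            parts.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")
            i += 1
        else:                                  # literal text: spaces, parentheses, dots
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True if the exclusion pattern would cover this full file path under the assumed semantics."""
    return hips_pattern_to_regex(pattern).match(path) is not None


def check_exclusions(patterns, paths):
    """Map each event path to the list of candidate patterns that cover it.

    An empty list means the event would still fire with those exclusions in place.
    """
    return {p: [pat for pat in patterns if matches(pat, p)] for p in paths}


# Paths quoted in the thread (the "(86)" is reproduced as the poster wrote it).
LYNC = "C:\\PROGRAM FILES (86)\\MICROSOFT LYNC\\UCMAPI.EXE"
G2M = "C:\\USERS\\NAME\\APPDATA\\LOCAL\\CITRIX\\GOTOMEETIN\\3211\\G2MUPLOAD.EXE"
# Constructed sample path for the Adobe test case in the thread.
ADOBE = "C:\\PROGRAM FILES (X86)\\ADOBE\\READER\\SAMPLE.EXE"

CANDIDATES = [
    "C:\\**\\MICROSOFT*\\",            # directory only: matches no file beneath it
    "C:\\**\\MICROSOFT*\\**\\*.EXE",   # directory plus any .EXE at any depth below
    "C:\\**\\CITRIX\\",
    "C:\\**\\CITRIX\\**\\*.EXE",
    "C:\\**\\ADOBE\\**\\*.EXE",
]

if __name__ == "__main__":
    for path, hits in check_exclusions(CANDIDATES, [LYNC, G2M, ADOBE]).items():
        print(f"{path}\n    covered by: {hits or 'NOTHING'}")
```

Run it before editing the policy and only keep patterns that actually list the offending path under "covered by". The pattern that ends in a directory name never matches a file, which is the point the last reply makes; appending `**\*.EXE` (or a narrower file name) is what extends the match downward. Keep the process and user-account parameters on the exception as advised earlier in the thread, since a broad folder wildcard on its own excludes every executable under that tree.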