uzanatta
Level 10

HIPS Custom Rule

Hi there,

I created the following custom rule:

Rule {
    tag "USB Rule"
    Class Files
    Id 4005
    level 4
    files {Include "*"}
    Executable {Include "*"}
    user_name {Include "*"}
    drive_type { Include "OtherRemovable" }
    directives files:read
}

This rule works very well when I try to read a file, but if I create a new file this rule works too (the file is blocked as well), because the new file is being created with the following "directives": read,write,attribute,create. The attribute "read" matches one of them so the file will be blocked.

Is there a way to enable this behavior only when the "read" attribute is matching?

Thank you.

Rgds,

0 Kudos