cancel
Showing results for 
Search instead for 
Did you mean: 
uzanatta
Level 10

HIPS Custom signature

Jump to solution

Hi,

do you have any idea why I try to add an exclude path on "Exclude" section I get an error on return?

The following is a subrule:

Executable {Include "*"}

Executable {Exclude "C:\\file.exe"}

and the following the error:

ERROR: Tag element not found in section Executable: C:\file.exe ERROR: Section <Executable> has no values

It seems that Executable only accepts "Exclude" with "*".

Rgds,

0 Kudos
1 Solution

Accepted Solutions
shakira
Level 10

Re: HIPS Custom signature

Jump to solution

I think you're looking for something like this:

Rule {

tag "a file being created, excluding hi.exe"

Class Files

Id -1

level 4

files { Include "*" }

Executable { Exclude { -path "*\\hi.exe" }

}

directives files:create

}

You can always double check syntax by using the GUI wizard instead of an expert rule. That's how I found this. You shouldn't need to specify the inclusion of any executable as well - Or rather, remove this: {Executable {Include "*"}

0 Kudos
2 Replies
shakira
Level 10

Re: HIPS Custom signature

Jump to solution

I think you're looking for something like this:

Rule {

tag "a file being created, excluding hi.exe"

Class Files

Id -1

level 4

files { Include "*" }

Executable { Exclude { -path "*\\hi.exe" }

}

directives files:create

}

You can always double check syntax by using the GUI wizard instead of an expert rule. That's how I found this. You shouldn't need to specify the inclusion of any executable as well - Or rather, remove this: {Executable {Include "*"}

0 Kudos
uzanatta
Level 10

Re: HIPS Custom signature

Jump to solution

Hi,

Thank you very much.

Rgds,

0 Kudos