shakira
Level 10

Is it possible to exclude a File Path within a Program class rule?

Is it possible to take this rule:

Rule {
    tag "bad.exe opening"
    Class Program
    Id 4122
    level 3
    Executable { Include { -path "*\\bad.exe" } }
    directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
}

and add something that whitelists a FILE PATH inside of it instead of making an exception rule for the rule? It's not possible in the GUI, but I was wondering if it would work as I would hope in an expert rule.

Example: when the program "bad.exe" opens the file "good.exe" I don't want an event to fire. The reason I'm using the file name is because the log calls "good.exe" target_file_name.

Message was edited by: shakira on 1/27/14 8:43:19 AM CST
0 Kudos
1 Reply
shakira
Level 10

Re: Is it possible to exclude a File Path within a Program class rule?

Here is an example. Will these "and" together or not?

Rule {
    Class "Buffer_Overflow"
    Id "xxxx"
    level x
    application { Include "*" }
    dependencies -d -c "432" "434"
    attributes -no_trusted_apps -not_auditable
    directives -c -d "bo:call_not_found"

Can I add:

    file { Exclude "*good directory*" }
    directives -c -d "bo:call_not_found" "files:create"

0 Kudos
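Both posts ask the same thing: whether the sections of one expert rule (Executable include, file exclude, directives) AND together, so that a whitelist can live inside the rule instead of in a separate exception. The thread does not settle how HIPS itself evaluates that. The following added example (my own code, not McAfee's rule engine and not from the poster) models the semantics being hoped for, every section must match and Exclude subtracts from Include, and runs the single-rule form and the base-rule-plus-exception form over the same constructed events so the two can be compared. The `file` section name, the field names `process`, `target_file_name` and `directive`, and the event values are all assumptions chosen to mirror the post.

```python
"""Toy model of a Program-class rule with an in-rule file whitelist.

Added example: this is not McAfee HIPS's rule engine and it does not settle
whether HIPS ANDs the sections of an expert rule. It models the semantics the
poster hopes for (every section must match; Exclude subtracts from Include)
so the single-rule form can be compared with a separate exception rule.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set


def _glob_any(value: str, patterns: List[str]) -> bool:
    # Windows paths are case-insensitive, so compare lower-cased on both sides.
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


@dataclass
class Section:
    """One `{ Include ... Exclude ... }` block: a value matches if it hits an
    Include pattern and no Exclude pattern."""
    include: List[str] = field(default_factory=lambda: ["*"])
    exclude: List[str] = field(default_factory=list)

    def matches(self, value: str) -> bool:
        return _glob_any(value, self.include) and not _glob_any(value, self.exclude)


@dataclass
class Rule:
    tag: str
    executable: Section      # acting process (the Executable section)
    target_file: Section     # file being opened (hypothetical 'file' section)
    directives: Set[str]

    def matches(self, event: Dict[str, str]) -> bool:
        # All sections AND together; a single miss keeps the rule silent.
        return (event["directive"] in self.directives
                and self.executable.matches(event["process"])
                and self.target_file.matches(event["target_file_name"]))


# Rule mirroring the first post, with the whitelist folded into the rule.
SINGLE_RULE = Rule(
    tag="bad.exe opening",
    executable=Section(include=["*\\bad.exe"]),
    target_file=Section(exclude=["*\\good.exe"]),
    directives={"program:open_with_any", "program:run"},
)

# The same detection split the way the GUI forces it: a base rule plus an
# exception rule whose matches are suppressed.
BASE_RULE = Rule(
    tag="bad.exe opening",
    executable=Section(include=["*\\bad.exe"]),
    target_file=Section(),
    directives={"program:open_with_any", "program:run"},
)
EXCEPTION_RULE = Rule(
    tag="exception: bad.exe -> good.exe",
    executable=Section(include=["*\\bad.exe"]),
    target_file=Section(include=["*\\good.exe"]),
    directives={"program:open_with_any", "program:run"},
)

# Constructed events shaped like the log fields the post mentions.
EVENTS = [
    {"process": "C:\\Temp\\bad.exe", "target_file_name": "C:\\Windows\\good.exe",
     "directive": "program:open_with_any"},
    {"process": "C:\\Temp\\bad.exe", "target_file_name": "C:\\Windows\\other.exe",
     "directive": "program:open_with_any"},
    {"process": "C:\\Windows\\explorer.exe", "target_file_name": "C:\\Windows\\good.exe",
     "directive": "program:open_with_any"},
]


def fired_single(events=EVENTS) -> List[str]:
    """Target files that raise an event under the one-rule form."""
    return [e["target_file_name"] for e in events if SINGLE_RULE.matches(e)]


def fired_with_exception(events=EVENTS) -> List[str]:
    """Target files that raise an event under base rule plus exception rule."""
    return [e["target_file_name"] for e in events
            if BASE_RULE.matches(e) and not EXCEPTION_RULE.matches(e)]


if __name__ == "__main__":
    print("single rule   :", fired_single())
    print("with exception:", fired_with_exception())
```

Under this model both forms are silent for bad.exe opening good.exe, fire for bad.exe opening other.exe, and ignore explorer.exe; if the real engine does not AND the sections, the single-rule form would instead behave like BASE_RULE alone, which is the difference to test for before relying on an in-rule whitelist.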