Cruzmissile
Level 7

What is the syntax for an IPS registry rule that blocks all subkeys and values for a given key?

IPS version 7.0

Have tried rule for registry key using "REGISTRY\KEYNAME\*"

and registry value using "REGISTRY\VALUENAME\*"

Where may I find the full description of syntax?

0 Kudos
3 Replies
McAfee Employee

Re: What is the syntax for an IPS registry rule that blocks all subkeys and values for a given key?

Please see: KB69116

0 Kudos
Cruzmissile
Level 7

Re: What is the syntax for an IPS registry rule that blocks all subkeys and values for a given key?

Thanks.

We are pretty sure we used that "\*" syntax and it did not protect values and keys below the designated key.

We will retest and make sure. But it looks like a bug.

0 Kudos
ron.sokol
Level 10

Re: What is the syntax for an IPS registry rule that blocks all subkeys and values for a given key?

Same results here using HIPS 7 patch 8.

Syntax:

Rule type: Registry

Operations: Create, Modify, Delete, Change Permissions

Include registry key: \REGISTRY\MACHINE\Software\Microsoft\WINDOWS NT\CURRENTVERSION\WINLOGON\*

or registry value: \REGISTRY\MACHINE\Software\Microsoft\WINDOWS NT\CURRENTVERSION\WINLOGON\*

No events are generated (and yes, the IPS is on block mode, custom sig. is medium, policy logs on medium.)

Tried all kinds of permutations of this syntax.

Still no joy, I'm afraid.

Message was edited by: ron.sokol (I realized that the advanced preview showing double-whacks was normal per the product documentation Host Intrusion Prevention 7.0 - Writing Custom Signatures.) on 11/18/10 8:19:27 AM CST
0 Kudos