What is the syntax for an IPS registry rule that blocks all subkeys and values for a given key?
IPS version 7.0
Have tried rule for registry key using "REGISTRY\KEYNAME\*"
and registry value using "REGISTRY\VALUENAME\*"
Where may I find the full description of syntax?
We are pretty sure we used that "\*" syntax and it did not protect values and keys below the designated key.
We will retest and make sure. But it looks like a bug.
Same results here using HIPS 7 patch 8.
Rule type: Registry
Operations: Create, Modify, Delete, Change Permissions
Include registry key: \REGISTRY\MACHINE\Software\Microsoft\WINDOWS NT\CURRENTVERSION\WINLOGON\*
or registry value: \REGISTRY\MACHINE\Software\Microsoft\WINDOWS NT\CURRENTVERSION\WINLOGON\*
No events are generated (and yes, the IPS is on block mode, custom sig. is medium, policy logs on medium.)
Tried all kinds of permutations of this syntax.
Still no joy, I'm afraid.
Message was edited by: ron.sokol (I realized that the advanced preview showing double-whacks was normal per the product documentation, Host Intrusion Prevention 7.0 - Writing Custom Signatures) on 11/18/10 8:19:27 AM CST