1 Reply Latest reply on Jan 27, 2014 2:56 PM by shakira

    Is it possible to exclude a File Path within a Program class rule?

    shakira

      Is it possible to take this rule:

      Rule {
        tag "bad.exe opening"
        Class Program
        Id 4122
        level 3
        Executable { Include { -path "*\\bad.exe" }
        }
        directives program:open_with_wait program:open_with_any program:open_with_create_thread program:open_with_terminate program:run program:open_with_modify
      }

      and add something that whitelists a FILE PATH inside of it instead of making an exception rule for the rule? It's not possible in the GUI, but I was wondering if it would work as I hope it would in an expert rule.

      ex: When the program "bad.exe" opens the file "good.exe", I don't want an event to fire. The reason I'm using the file name is because the log calls "good.exe" target_file_name.

      Message was edited by: shakira on 1/27/14 8:43:19 AM CST
        • 1. Re: Is it possible to exclude a File Path within a Program class rule?
          shakira

          Here is an example. Will these "and" together or not?:

          Rule {
            Class "Buffer_Overflow"
            Id "xxxx"
            level x
            application {Include "*"}
            dependencies -d -c "432" "434"
            attributes -no_trusted_apps -not_auditable
            directives -c -d "bo:call_not_found"

          Can I add:

            file {Exclude "*good directory*" }
            directives -c -d "bo:call_not_found" "files:create"