6 Replies Latest reply: Mar 21, 2014 10:44 AM by Kary Tankink RSS

    Exception Wildcards Traversing Dot Characters in File Paths

    damageinc

      Is there any possible way to account for files with multiple dots in their names or file paths with folders that contain dots when writing HIPS 8 exceptions?

      For example, let's say you have the following path in an event:

      C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe

      If you're using wildcards, you can't make an exception like this:

      ?:\WINDOWS\**\123.exe

      or this:

      ?:\WINDOWS\*\TEST\TEST\123.exe

      You would have to make the exception like this:

      ?:\WINDOWS\*.*.*\**\123.exe

      Is there some way to account for multiple dots in a path when doing HIPS 8 exceptions with wildcards?  Surely I must be missing something obvious.

        • 1. Re: Exception Wildcards Traversing Dot Characters in File Paths
          Kary Tankink

          If you're using wildcards, you can't make an exception like this:

          ?:\WINDOWS\**\123.exe

          You can't use a wildcard for the drive letter, but the rest works.

          C:\WINDOWS\**\123.exe

          **\WINDOWS\**\123.exe

          C:\WINDOWS\*\TEST\TEST\123.exe

          **\\WINDOWS\*\TEST\TEST\123.exe

          For C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe, these all should work:

          C:\WINDOWS\*.*.*\TEST\TEST\123.exe

          C:\WINDOWS\*.4.6\TEST\TEST\123.exe

          **\WINDOWS\EPO.*.*\TEST\TEST\123.exe

          **\WINDOWS\EPO.**\TEST\TEST\123.exe

          • 2. Re: Exception Wildcards Traversing Dot Characters in File Paths
            damageinc

            Are you sure you can't use "?" as a single character wildcard for a drive letter?  I have a lot of exceptions like this, and they do work.

            Also, what is the significance of the double stars and the double slashes at the beginning of some of your examples?

            Ultimately, the group of the four examples tells me that you can't use double or single asterisk wildcards to traverse a path that has period characters in it.  Why, however, is **\WINDOWS\EPO.**\TEST\TEST\123.exe valid?  Shouldn't it fail because there would be an extra period in the EPO.4.6 folder?

            • 3. Re: Exception Wildcards Traversing Dot Characters in File Paths
              Kary Tankink
              Are you sure you can't use "?" as a single character wildcard for a drive letter?  I have a lot of exceptions like this, and they do work.

              Hmm, it does seem to work for Executables (haven't seen it work before), but if you use the FILES parameter, it does not.

              Also, what is the significance of the double stars and the double slashes at the beginning of some of your examples?

              ** and * are treated differently in HIPS (and VSE).  ** ignores the backslash characters, per the product documentation (KB71522).

              Ultimately, the group of the four examples tells me that you can't use double or single asterisk wildcards to traverse a path that has period characters in it.  Why, however, is **\WINDOWS\EPO.**\TEST\TEST\123.exe valid?  Shouldn't it fail because there would be an extra period in the EPO.4.6 folder?

              The ** covers any characters (including backslashes) between EPO. and \TEST.  Using one * would exclude backslashes, but would still work.

              • 4. Re: Exception Wildcards Traversing Dot Characters in File Paths
                Kary Tankink

                Also, sorry, the double slashes were a mistype (\ and W together are hard to distinguish).  That was supposed to be a single \ character.

                • 5. Re: Exception Wildcards Traversing Dot Characters in File Paths
                  greatscott

                  sort of off topic but sort of on topic:

                  can you use wildcards in the threat source username field? specifically when working to wildcard out the domain or system name before the username?

                  so instead of creating exceptions for:

                  systemderp\ktankink

                  domainderp\ktankink

                  could you just write:

                  *\ktankink

                  Thanks!

                  Message was edited by: greatscott on 3/21/14 9:59:23 AM CDT
                  • 6. Re: Exception Wildcards Traversing Dot Characters in File Paths
                    Kary Tankink

                    I tested the following (including local system names and domain names with wildcards) and it worked fine.

                    *\administrator

                    systemna*\administrator

                    domainna*\administrator
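A small matcher that models the wildcard rules Kary describes in replies 1, 3 and 6 (`*` matches any run without a backslash, `**` also spans backslashes, `?` one character), checked against the path and username patterns quoted in this thread. This is an added example, not code from McAfee or from anyone in the thread; it models the stated rules only, not the product's real engine, and assumes case-insensitive comparison and that `?` does not match a backslash.

```python
import re

# Path from the original post; all other sample values below are taken from the thread.
EVENT_PATH = r"C:\WINDOWS\EPO.4.6\TEST\TEST\123.exe"


def hips_glob_to_regex(pattern: str) -> str:
    """Translate a HIPS-style wildcard pattern into a regular expression.

    Rules modelled (as described in the thread, citing KB71522):
      **  any run of characters, backslashes included
      *   any run of characters containing no backslash
      ?   exactly one character (assumed here: not a backslash)
    Dots, letters and single backslashes are literals.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def matches(pattern: str, value: str) -> bool:
    # Assumption: Windows paths and account names compare case-insensitively.
    return re.fullmatch(hips_glob_to_regex(pattern), value, re.IGNORECASE) is not None


# Patterns quoted in replies 1 and 3, plus one single-star pattern that must fail
# because a lone * cannot cross the two extra folder levels (EPO.4.6\TEST\TEST).
THREAD_PATTERNS = [
    r"C:\WINDOWS\**\123.exe",
    r"**\WINDOWS\**\123.exe",
    r"C:\WINDOWS\*\TEST\TEST\123.exe",
    r"C:\WINDOWS\*.*.*\TEST\TEST\123.exe",
    r"C:\WINDOWS\*.4.6\TEST\TEST\123.exe",
    r"**\WINDOWS\EPO.*.*\TEST\TEST\123.exe",
    r"**\WINDOWS\EPO.**\TEST\TEST\123.exe",
    r"**\WINDOWS\*\123.exe",
]


def evaluate(path: str = EVENT_PATH, patterns=THREAD_PATTERNS) -> dict:
    """Return {pattern: matched?} for every pattern against the event path."""
    return {p: matches(p, path) for p in patterns}
```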