McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Windows Custom Signatures
Note 1
If the files section is used, the path to a monitored folder or file can be either the full path or a wildcard pattern. For example, the following are valid path representations:
    files { Include "C:\\test\\abc.txt" }
    files { Include "*\\test\\abc.txt" }
    files { Include "*\\abc.txt" }
If the dest_file section is used, an absolute path cannot be used; the path must begin with a wildcard, which stands for the drive. For example, the following are valid path representations:
    dest_file { Include "*\\test\\abc.txt" }
    dest_file { Include "*\\abc.txt" }
Note 2
The directive files:rename has a different meaning depending on whether it is combined with the files section or with the dest_file section.
Combined with the files section, it means that renaming of the file named in the files section is monitored. For example, the following rule monitors renaming of the file C:\test\abc.txt to any other name:
Rule {
    Class Files Id 4001 level 1
    files { Include "C:\\test\\abc.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives files:rename
}
Combined with the dest_file section, it means that renaming any file to the file named in the dest_file section is monitored. For example, the following rule monitors renaming of any file to C:\test\abc.txt:
Rule {
    Class Files Id 4001 level 1
    dest_file { Include "*\\test\\abc.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives files:rename
}
The files section is not mandatory when the dest_file section is used. If the files section is also present, both the files and dest_file sections must match for the rule to trigger.
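To make the three matching cases concrete (files only, dest_file only, and both sections together), here is an added example that is not McAfee's code or parser: a small Python matcher that reads the Rule { ... } text in the form shown above and applies the semantics the guide describes. It assumes straight double quotes and "\\" for a literal backslash in the rule text, case-insensitive Windows paths, and that "*" may span any characters including backslashes. The rule texts, the Id values 4002 and 4003, and the "*\\staging\\*.tmp" pattern are constructed for the example; the combined rule goes one step beyond the guide's two examples to show the case where both sections must match.

```python
# Added example (not McAfee's code): a matcher implementing the files / dest_file
# semantics of the files:rename directive as the Host IPS guide describes them.
# Assumes straight quotes and "\\" for a backslash in the rule text.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class FilesRule:
    rule_id: int
    level: int
    directive: str
    files: Optional[str] = None      # path pattern of the file being renamed
    dest_file: Optional[str] = None  # path pattern of the rename target


def validate_rule(rule: FilesRule) -> None:
    """Enforce the two path rules the guide states for Files-class signatures."""
    if rule.files is None and rule.dest_file is None:
        raise ValueError("a Files rule needs a files or dest_file section")
    if rule.dest_file is not None and not rule.dest_file.startswith("*"):
        # dest_file may not be absolute; a leading wildcard stands for the drive
        raise ValueError("dest_file must begin with a wildcard")


def parse_rule(text: str) -> FilesRule:
    """Extract the fields this example needs from one Rule { ... } block."""
    def grab(pattern: str) -> Optional[str]:
        m = re.search(pattern, text)
        return m.group(1) if m else None

    def path(section: str) -> Optional[str]:
        raw = grab(r"\b" + section + r'\s*\{\s*Include\s+"([^"]*)"')
        # "\\" in the rule text is one literal backslash in the path
        return raw.replace("\\\\", "\\") if raw is not None else None

    rule = FilesRule(
        rule_id=int(grab(r"\bId\s+(\d+)")),
        level=int(grab(r"\blevel\s+(\d+)")),
        directive=grab(r"\bdirectives\s+(\S+)") or "",
        files=path("files"),
        dest_file=path("dest_file"),
    )
    validate_rule(rule)
    return rule


def is_valid_rule(text: str) -> bool:
    """True if the rule text parses and passes the guide's path constraints."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def _glob(pattern: str, path: str) -> bool:
    """Case-insensitive match where '*' spans any characters, backslashes included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None


def rule_matches_rename(rule: FilesRule, source: str, dest: str) -> bool:
    """Does renaming `source` to `dest` trigger this files:rename rule?"""
    if rule.directive != "files:rename":
        return False
    checks = []
    if rule.files is not None:      # files section: the file being renamed
        checks.append(_glob(rule.files, source))
    if rule.dest_file is not None:  # dest_file section: the new name
        checks.append(_glob(rule.dest_file, dest))
    return all(checks)              # both must match when both are present


# Constructed rule texts: the guide's two examples plus a combined one (4003)
RULE_SOURCE = r'''Rule {
    Class Files Id 4001 level 1
    files { Include "C:\\test\\abc.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives files:rename
}'''

RULE_DEST = r'''Rule {
    Class Files Id 4002 level 1
    dest_file { Include "*\\test\\abc.txt" } time { Include "*" }
    application { Include "*" } user_name { Include "*" } directives files:rename
}'''

RULE_BOTH = r'''Rule {
    Class Files Id 4003 level 1
    files { Include "*\\staging\\*.tmp" } dest_file { Include "*\\test\\abc.txt" }
    time { Include "*" } application { Include "*" } user_name { Include "*" }
    directives files:rename
}'''

if __name__ == "__main__":
    for text in (RULE_SOURCE, RULE_DEST, RULE_BOTH):
        r = parse_rule(text)
        print(r.rule_id,
              rule_matches_rename(r, r"C:\test\abc.txt", r"C:\test\old.txt"),
              rule_matches_rename(r, r"D:\staging\x.tmp", r"D:\test\abc.txt"))
```

Run stand-alone, the script prints one line per rule showing which of two constructed rename events each rule catches: the files-only rule fires on the rename away from C:\test\abc.txt, the dest_file-only rule fires on the rename onto *\test\abc.txt from any drive, and the combined rule fires only when source and destination both match. Swapping the leading "*" of a dest_file pattern for a drive letter makes is_valid_rule return False, which is the constraint the note on dest_file paths above spells out.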