McAfee® Host Intrusion Prevention 6.1 Product Guide | Writing Custom Signatures | Windows Custom Signatures
Advanced Details
Some or all of the following parameters appear in the Advanced Details tab of security events for the class Services. The values of these parameters can help you understand why a signature is triggered.
GUI Name | Explanation | Possible Values
--- | --- | ---
display names | Name of the Windows service as it is displayed in the Services Manager control panel. |
services | System name of the Windows service (shown in HKLM\CurrentControlSet\Services\); this may be different from the name displayed in the Services Manager control panel. |
params | Only applicable for starting a service: parameters passed to the service upon activation. |
old startup | Only applicable for creating or changing the startup mode of a service: indicates the startup mode before it was changed or attempted to be changed. | Boot, System, Automatic, Manual, Disabled
new startup | Only applicable for changing the startup mode of a service: indicates the startup mode that a service has after it was changed, or that it would have if the change went through. | Boot, System, Automatic, Manual, Disabled
logon | Only applicable for changes in the logon mode of a service: logon information (system or user account) used by the service. |
The following rule would prevent deactivation of the Alerter service.
Rule {
  Class Services Id 4001 level 4
  Service { Include "Alerter" } time { Include "*" } application { Include "*" } user_name { Include "*" } directives
}
The various sections of this rule have the following meaning:
Class Services: indicates that this rule relates to the Services class.
Id 4001: assigns the ID 4001 to this rule. If the custom signature had multiple rules, every one of them would need to use the same ID.
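To check a hand-written rule against the structure described above before loading it, the following added example (not McAfee's code) parses a Rule block into its class, ID, level, per-section Include lists and directive tokens. It assumes a grammar generalised from the single example on this page: an optional Exclude keyword beside Include, and bare tokens after the word directives running to the closing brace; both straight and curly quotes are accepted because the guide's PDF renders them curly.

```python
import re

# Constructed sample: the Alerter rule from the page, with the directive list
# empty as the page shows it (the blocking directive itself is not on the page).
SAMPLE_RULE = '''Rule {
Class Services Id 4001 level 4
Service { Include "Alerter" } time { Include "*" } application { Include "*"} user_name { Include "*" } directives
}'''

# Exactly one alternative matches per token: straight-quoted string, curly-quoted string, brace, bare word.
_TOKEN = re.compile(r'"([^"]*)"|“([^”]*)”|([{}])|([^\s{}"“”]+)')

def tokenize(text):
    """Return ('str', value) for quoted strings and ('sym', value) for braces and words."""
    return [('str' if m.lastindex <= 2 else 'sym', m.group(m.lastindex))
            for m in _TOKEN.finditer(text)]

def parse_rule(text):
    """Parse one 'Rule { ... }' block into a dict. Assumed grammar (generalised from the
    page's example): 'Class <name>', 'Id <n>', 'level <n>', sections of the form
    name { Include|Exclude "v" ... }, then 'directives' and bare tokens up to the brace."""
    toks = tokenize(text)
    if toks[:2] != [('sym', 'Rule'), ('sym', '{')] or toks[-1] != ('sym', '}'):
        raise ValueError('not a Rule { ... } block')
    body, i = toks[2:-1], 0
    rule = {'class': None, 'id': None, 'level': None, 'sections': {}, 'directives': []}
    while i < len(body):
        kind, val = body[i]
        key = val.lower() if kind == 'sym' else None
        if key in ('class', 'id', 'level'):                    # scalar header fields
            rule[key] = body[i + 1][1] if key == 'class' else int(body[i + 1][1])
            i += 2
        elif key == 'directives':                               # rest of the body
            rule['directives'] = [v for _, v in body[i + 1:]]
            break
        elif kind == 'sym' and body[i + 1] == ('sym', '{'):     # name { Include ... }
            inc, exc, mode, j = [], [], None, i + 2
            while body[j] != ('sym', '}'):
                k, v = body[j]
                if k == 'sym' and v.lower() in ('include', 'exclude'):
                    mode = inc if v.lower() == 'include' else exc
                elif k == 'str' and mode is not None:
                    mode.append(v)
                else:
                    raise ValueError(f'bad token {v!r} in section {val}')
                j += 1
            rule['sections'][val] = {'include': inc, 'exclude': exc}
            i = j + 1
        else:
            raise ValueError(f'unexpected token {val!r}')
    return rule
```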