
jia_yang

Members
  • Posts

    12
  • Joined

  • Last visited

About jia_yang

  • Rank
    Newbie

Profile Information

  • Location
    Taiwan


  1. YES, to block software, even if it's trusted.
  2. In version 2.0, does the action BlockProcessExecutable only execute when the status in LiveGuard is untrusted or absent?
  3. BlockProcessExecutable—blocks a process hash (ban hash via the rule, only if not trusted or LiveGrid® info is missing). For this action I did a test, one with a lock and one without a lock. Regardless of passing through LiveGrid or not, I have specified to block the file by name. In version 1.6, it is not necessary to pass through LiveGrid; just specify the file name.
     -------------------------------
     <?xml version="1.0" encoding="utf-8"?>
     <rule>
       <definition>
         <process>
           <operator type="and">
             <operator type="or">
               <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="s123456" />
               <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="2123456" />
             </operator>
             <condition component="FileItem" property="Extension" condition="is" value="exe" />
           </operator>
         </process>
       </definition>
       <maliciousTarget name="current" />
       <actions>
         <action name="TriggerDetection" />
         <action name="BlockProcessExecutable" />
         <action name="StoreEvent" />
       </actions>
       <description>
         <name>TEST block [AVI008] </name>
         <explanation> BlockTEST </explanation>
         <maliciousCauses> BlockTEST </maliciousCauses>
         <category> Default </category>
       </description>
     </rule>
     ------------------------------
  4. The syntax used in version 1.6 no longer works after upgrading to version 2.0. I'm aware that there are syntax changes in 2.0.
     ----------------------------------------
     <?xml version="1.0" encoding="utf-8"?>
     <rule>
       <description>
         <name>no run on normal path </name>
         <os>Windows</os>
         <explanation> TEST </explanation>
         <maliciousCauses> No run on normal path. </maliciousCauses>
         <category> Default </category>
       </description>
       <definition>
         <process>
           <operator type="AND">
             <!-- Paths for normal installation programs -->
             <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
             <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
           </operator>
         </process>
       </definition>
     </rule>
     ------------------------
     Originally, it was meant to identify applications running outside these paths. Could you please advise me on how to modify it? I've been trying for two days with the latest rule PDF, but still failing. I have added the syntax below (between </definition> and </rule>), but still no event is triggered.
     -----------------------
     <maliciousProcess process="current" />
     <actions>
       <action name="TriggerDetection" />
       <action name="StoreEvent" />
     </actions>
     -----------------------
     Thank you.
  5. Reports: can another program name be added in the next update? It would be more like an execution path. Like the third picture, in Inspect, Path and Program name can be presented separately.
  6. Is exclusion the only method available for handling it?
  7. I understand that currently there is an event triggered. May I ask how to set up rules for triggering? The desired frequency for recurring events is once a day or once an hour.
  8. I'm trying to create rules, and now I want to delete the previous events. How can I do that?
  9. How can I check whether the detection rules are being updated? When I double-click the rules, the time is the same.
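As an added example (not ESET's code and not part of these posts), the following Python script parses rule XML of the shape quoted in posts 3 and 4 and evaluates the <definition><process> condition tree offline against sample executable paths. It assumes the semantics the element names suggest (operator type and/or, conditions is/starts/notstarts, case-insensitive string comparison), assumes fixed expansions for the %...% variables, and assumes the FileItem Path property is the executable's full path; none of that is documented Inspect behaviour, and the LiveGrid trust check and the <actions> block are not modelled. It only shows whether the definition part would match, which is useful for checking a rule's logic before loading it.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample rules, mirroring the structure of the two rules quoted in the posts.
NAME_RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <operator type="and">
        <operator type="or">
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="s123456" />
          <condition component="FileItem" condition="is" property="FileNameWithoutExtension" value="2123456" />
        </operator>
        <condition component="FileItem" condition="is" property="Extension" value="exe" />
      </operator>
    </process>
  </definition>
</rule>"""

PATH_RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <operator type="AND">
        <!-- Paths used by normal installations -->
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
      </operator>
    </process>
  </definition>
</rule>"""

# Assumed expansions of the path variables (typical Windows defaults, constructed for this example).
ENV = {
    "%ProgramData%": r"C:\ProgramData",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
    "%LocalAppDataLow%": r"C:\Users\alice\AppData\LocalLow",
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%System%": r"C:\Windows\System32",
    "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(X86)%": r"C:\Program Files (x86)",
    "%WINDIR%": r"C:\Windows",
}


def file_item(full_path):
    """Derive the FileItem properties the rules use from a full Windows path (assumed mapping)."""
    stem, ext = ntpath.splitext(ntpath.basename(full_path))
    return {"Path": full_path, "FileNameWithoutExtension": stem, "Extension": ext.lstrip(".")}


def expand(value):
    """Replace %VAR% placeholders with their assumed values; comparison is case-insensitive."""
    for var, real in ENV.items():
        value = value.replace(var, real)
    return value.lower()


def eval_condition(cond, item):
    """Evaluate one <condition> element against the FileItem property dict."""
    actual = str(item.get(cond.get("property"), "")).lower()
    expected = expand(cond.get("value", ""))
    kind = cond.get("condition", "").lower()
    if kind == "is":
        return actual == expected
    if kind == "starts":
        return actual.startswith(expected)
    if kind == "notstarts":
        return not actual.startswith(expected)
    raise ValueError(f"unsupported condition: {kind}")


def eval_node(node, item):
    """Recursively evaluate an <operator> (and/or) or <condition> element."""
    tag = node.tag.lower()
    if tag == "condition":
        return eval_condition(node, item)
    if tag == "operator":
        op = node.get("type", "").lower()
        results = [eval_node(child, item) for child in node]
        if op == "and":
            return all(results)
        if op == "or":
            return any(results)
        raise ValueError(f"unsupported operator: {op}")
    raise ValueError(f"unexpected element: {node.tag}")


def rule_matches(rule_xml, full_path):
    """True when the rule's <definition><process> tree matches the given executable path."""
    root = ET.fromstring(rule_xml.encode("utf-8"))  # XML comments are dropped by the default parser
    process = root.find("./definition/process")
    if process is None:
        raise ValueError("rule has no <definition><process> block")
    item = file_item(full_path)
    return all(eval_node(child, item) for child in process)


if __name__ == "__main__":
    for path in (r"C:\Users\alice\Downloads\tool.exe", r"C:\Program Files\Vendor\app.exe", r"D:\tmp\s123456.exe"):
        print(path, "-> path rule:", rule_matches(PATH_RULE_XML, path), "| name rule:", rule_matches(NAME_RULE_XML, path))
```

Run it as-is to see which sample paths each rule's definition would match. Note that because the check is a prefix comparison, the %ProgramFiles% condition already covers everything under "C:\Program Files (x86)", which is why a path in that directory is excluded even before the %ProgramFiles(X86)% condition is reached.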