Hi,
I've created a rule designed to identify a file with a low reputation, but for some reason it isn't successfully detecting it.
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <definition>
    <process>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
        <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
      </operator>
    </process>
  </definition>
  <description>
    <name>Low reputation file found</name>
    <category>File system</category>
    <os>Windows</os>
    <severity>86</severity>
    <explanation>A file with a diminished reputation has been detected on the system. It could potentially be malicious, so kindly inspect it.</explanation>
    <benignCauses>The file likely originated from either a USB drive/CD or was downloaded.</benignCauses>
    <recommendedActions>1. Verify the reputation using VirusTotal.
2. If the hash is identified as malicious, proceed to block it.</recommendedActions>
  </description>
  <maliciousProcess process="current" />
  <actions>
    <action name="TriggerDetection" />
    <action name="StoreEvent" />
  </actions>
</rule>
I would greatly appreciate some advice.