JokerTux1337

Members
  • Posts

    6
  • Joined

  • Last visited

About JokerTux1337

  • Rank
    Newbie

Profile Information

  • Gender
    Male
  • Location
    Luxembourg
  1. Thank you for your answer. That's the primary issue: I'm unsure how to test the rules. All my attempts to download a malicious file have been unsuccessful because of the AV system. I've generated a new rule, and while the syntax was accepted, I'm not sure if it works correctly. If anyone can provide guidance on testing these rules safely, please share your knowledge! :P

     <rule>
       <definition>
         <operations>
           <operation type="WriteFile">
             <operator type="AND">
               <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
               <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
             </operator>
           </operation>
         </operations>
       </definition>
       <description> .....
  2. Hi, I've created a rule designed to identify a file with a low reputation, but for some reason it isn't successfully detecting it.

     <?xml version="1.0" encoding="utf-8"?>
     <rule>
       <definition>
         <process>
           <operator type="AND">
             <condition component="LiveGrid" property="Popularity" condition="less" value="1000" />
             <condition component="LiveGrid" property="Reputation" condition="less" value="3" />
           </operator>
         </process>
       </definition>
       <description>
         <name>Low reputation file found</name>
         <category>File system</category>
         <os>Windows</os>
         <severity>86</severity>
         <explanation>A file with a diminished reputation has been detected on the system. It could potentially be malicious, so kindly inspect it.</explanation>
         <benignCauses>The file likely originated from either a USB drive/CD or was downloaded.</benignCauses>
         <recommendedActions>1. Verify the reputation using Virustotal. 2. If the hash is identified as malicious, proceed to block it. </recommendedActions>
       </description>
       <maliciousProcess process="current" />
       <actions>
         <action name="TriggerDetection" />
         <action name="StoreEvent" />
       </actions>
     </rule>

     I would greatly appreciate some advice.