
The syntax used in version 1.6 no longer works after upgrading to version 2.0.
I'm aware that there are syntax changes in 2.0.

----------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<rule>
    <description>
        <name>no run on normal path</name>
        <os>Windows</os>
        <explanation>
            TEST
        </explanation>
        <maliciousCauses>
            No run on normal path.
        </maliciousCauses>
        <category>
            Default
        </category>
    </description>
    <definition>
        <process>
            <operator type="AND">
                <!-- Path for normal installation programs -->
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
            </operator>
        </process>
    </definition>
</rule>
------------------------
Originally, it was meant to identify applications running outside these paths.
Could you please advise me on how to modify it?
I've been trying for two days with the latest rule PDF, but I'm still failing.
I have added the syntax below (between </definition> and </rule>), but still no event is triggered.
-----------------------
<maliciousProcess process="current" />
<actions>
<action name="TriggerDetection" />
<action name="StoreEvent" />
</actions>
-----------------------

Thank you.


  • Administrators

There seems to be no obvious error and the syntax checker didn't report any either. Please raise a support ticket and elaborate more on the problem you are having with this rule.

