The syntax used in version 1.6 no longer works after upgrading to version 2.0.
I'm aware that there are syntax changes in 2.0.

----------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<rule>
    <description>
        <name>no run on normal path</name>
        <os>Windows</os>
        <explanation>
            TEST
        </explanation>
        <maliciousCauses>
            No run on normal path.
        </maliciousCauses>
        <category>
            Default
        </category>
    </description>
    <definition>
        <process>
            <operator type="AND">
                <!-- Paths for normal installation programs -->
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
            </operator>
        </process>
    </definition>
</rule>
------------------------
Originally, it was meant to identify applications running outside these paths.
Could you please advise me on how to modify it?
I've been trying for two days with the latest rule PDF, but I am still failing.
I have added the syntax below (between </definition> and </rule>), but still no event is triggered.
-----------------------
<maliciousProcess process="current" />
<actions>
    <action name="TriggerDetection" />
    <action name="StoreEvent" />
</actions>
-----------------------

Thank you.
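To reason about what the rule above should and should not match, here is an added example (not the rule engine's own evaluator, and not code from the post) that parses a copy of the condition tree and evaluates the AND of `notstarts` conditions against a process path. The placeholder expansions and the case-insensitive comparison are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the post's rule definition (description block omitted).
RULE_XML = """<rule><definition><process><operator type="AND">
  <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
  <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
</operator></process></definition></rule>"""

# Constructed expansions; the real sensor resolves these on the endpoint.
PLACEHOLDERS = {
    "%ProgramData%": r"C:\ProgramData",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
    "%LocalAppDataLow%": r"C:\Users\alice\AppData\LocalLow",
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%System%": r"C:\Windows\System32",
    "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(X86)%": r"C:\Program Files (x86)",
    "%WINDIR%": r"C:\Windows",
}

def expand(value):
    """Replace every known %placeholder% in a condition value."""
    for name, real in PLACEHOLDERS.items():
        value = value.replace(name, real)
    return value

def evaluate(node, path):
    """Recursively evaluate an <operator>/<condition> subtree for one process path."""
    if node.tag == "condition":
        cond = node.get("condition")
        if cond not in ("starts", "notstarts"):
            raise ValueError(f"unsupported condition {cond!r}")
        # Assumption: paths compare case-insensitively, as on NTFS.
        hit = path.lower().startswith(expand(node.get("value")).lower())
        return hit if cond == "starts" else not hit
    if node.tag == "operator":
        results = [evaluate(child, path) for child in node]
        return all(results) if node.get("type") == "AND" else any(results)
    raise ValueError(f"unexpected element <{node.tag}>")

def rule_matches(rule_xml, path):
    """True when the process path satisfies the rule's whole condition tree."""
    root = ET.fromstring(rule_xml)
    return evaluate(root.find("./definition/process/operator"), path)
```

Because every condition is `notstarts` under AND, a process only matches when its path lies outside all eight locations; a single hit on any of them suppresses the rule.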

Administrators

There seems to be no obvious error and the syntax checker didn't report any either. Please raise a support ticket and elaborate more on the problem you are having with this rule.
