jia_yang 1 Posted March 11

The syntax used in version 1.6 no longer works after upgrading to version 2.0. I'm aware that there are syntax changes in 2.0.

----------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<rule>
  <description>
    <name>no run on normal path</name>
    <os>Windows</os>
    <explanation>TEST</explanation>
    <maliciousCauses>No run on normal path.</maliciousCauses>
    <category>Default</category>
  </description>
  <definition>
    <process>
      <operator type="AND">
        <!-- Paths for normally installed programs -->
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
      </operator>
    </process>
  </definition>
</rule>
----------------------------------------

Originally, it was meant to identify applications running outside these paths. Could you please advise me on how to modify it? I've been trying for two days with the latest rule PDF, but I'm still failing. I have added the syntax below (between </definition> and </rule>), but still no event is triggered.

----------------------------------------
<maliciousProcess process="current" />
<actions>
  <action name="TriggerDetection" />
  <action name="StoreEvent" />
</actions>
----------------------------------------

Thank you.
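The following is an added example, not part of the original post and not the product's own rule engine: a stand-alone Python simulation of what the posted rule's AND of `notstarts` conditions evaluates to for a few constructed process paths. It assumes (labelled in the code) that the placeholders expand to the default locations of a hypothetical user "alice" on drive C:, that `notstarts` is a case-insensitive prefix test on a normalised path, and that a prefix only counts when it ends on a path-component boundary; the thread does not confirm any of these details for the real product, so treat it as a way to reason about which paths the rule is meant to cover, not as a statement of how the engine works.

```python
# Added example (not from the original post and not the product's rule
# engine): simulate the posted rule's <operator type="AND"> of "notstarts"
# conditions against constructed process paths.
# Assumptions: placeholders expand to the default locations for a
# hypothetical user "alice" on C:, "notstarts" is a case-insensitive prefix
# test on a normalised path, and a prefix must end at a path-component
# boundary. None of this is confirmed by the thread.
import ntpath

# Assumed expansion of the placeholders used in the rule.
PLACEHOLDERS = {
    "%ProgramData%": r"C:\ProgramData",
    "%LocalAppData%": r"C:\Users\alice\AppData\Local",
    "%LocalAppDataLow%": r"C:\Users\alice\AppData\LocalLow",
    "%AppData%": r"C:\Users\alice\AppData\Roaming",
    "%System%": r"C:\Windows\System32",
    "%ProgramFiles%": r"C:\Program Files",
    "%ProgramFiles(X86)%": r"C:\Program Files (x86)",
    "%WINDIR%": r"C:\Windows",
}

# The conditions exactly as listed in the posted rule, in order:
# (condition, property, value).
RULE_CONDITIONS = [("notstarts", "Path", p) for p in PLACEHOLDERS]


def normalise(path):
    """Lower-case, use backslashes and collapse '..' so prefix tests are fair."""
    return ntpath.normpath(path.replace("/", "\\")).lower().rstrip("\\")


def condition_holds(op, value, path):
    """Evaluate one <condition .../> against an already normalised path.
    Only the two prefix operators this example needs are implemented."""
    prefix = normalise(PLACEHOLDERS.get(value, value))
    # Require a component boundary, otherwise C:\Windows would also
    # "cover" C:\WindowsUpdateTool\update.exe.
    starts = path == prefix or path.startswith(prefix + "\\")
    if op == "starts":
        return starts
    if op == "notstarts":
        return not starts
    raise ValueError(f"unsupported condition operator: {op}")


def rule_matches(path, conditions=RULE_CONDITIONS):
    """AND of all conditions: True means the process path lies outside every
    listed location, i.e. the rule as written would trigger."""
    p = normalise(path)
    return all(condition_holds(op, value, p) for op, _prop, value in conditions)


def evaluate(paths):
    """Return {path: would_trigger} for a list of process paths."""
    return {path: rule_matches(path) for path in paths}


# Constructed sample process paths (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",              # inside %System%
    r"C:\Program Files (x86)\Vendor\app.exe",        # inside %ProgramFiles(X86)%
    r"C:\Users\alice\AppData\Local\Temp\drop.exe",   # inside %LocalAppData%
    r"C:\Users\alice\Downloads\invoice.exe",         # outside all -> triggers
    r"C:\Temp\tool.exe",                             # outside all -> triggers
    r"C:\WindowsUpdateTool\update.exe",              # not under %WINDIR% -> triggers
    r"c:/program files/editor/editor.exe",           # case/slash variant, inside
    r"C:\Windows\..\Temp\evasive.exe",               # normalises to C:\Temp -> triggers
]

if __name__ == "__main__":
    for path, hit in evaluate(SAMPLE_PATHS).items():
        print(f"{'TRIGGER' if hit else 'ignore '}  {path}")
```

Running the block prints one line per sample path; the last two samples are the edge cases worth checking in any real engine: whether a prefix like `%WINDIR%` is matched on a component boundary, and whether the path is normalised before comparison.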
Marcos (Administrators) 5,231 Posted March 11

There seems to be no obvious error and the syntax checker didn't report any either. Please raise a support ticket and elaborate more on the problem you are having with this rule.