
The syntax used in version 1.6 no longer works after upgrading to version 2.0.
I'm aware that there are syntax changes in 2.0.

----------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<rule>
    <description>
        <name>no run on normal path</name>
        <os>Windows</os>
        <explanation>
            TEST
        </explanation>
        <maliciousCauses>
            No run on normal path.
        </maliciousCauses>
        <category>
            Default
        </category>
    </description>
    <definition>
        <process>
            <operator type="AND">
                <!-- Path for normal installation programs -->
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
                <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
            </operator>
        </process>
    </definition>
</rule>
------------------------
Originally, it was meant to identify applications running outside these paths.
Could you please advise me on how to modify it?
I've been trying for two days with the latest rule PDF, but still failing.
I have added the syntax below (between </definition> and </rule>), but still no event is triggered.
-----------------------
<maliciousProcess process="current" />
<actions>
    <action name="TriggerDetection" />
    <action name="StoreEvent" />
</actions>
-----------------------

Thank you.

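The rule above is an AND of "notstarts" conditions on the process image path, so it fires only when the path lies under none of the listed directories. The script below is an added example, not code from the post or from the product's rule engine: it parses that <definition> block with Python's ElementTree and evaluates it against constructed sample paths. The %Name% expansions are stand-ins for one machine, and "starts"/"notstarts" are modelled as case-insensitive prefix comparison (both assumptions). It does not address the 2.0 syntax question the administrator's reply refers to; it only shows what the condition set matches, including the coverage consequence of allowlisting %LocalAppData%.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the Windows variables the rule uses (assumption: the
# engine expands %Name% per machine; names are matched case-insensitively here).
ENV = {
    "ProgramData": r"C:\ProgramData",
    "LocalAppData": r"C:\Users\alice\AppData\Local",
    "LocalAppDataLow": r"C:\Users\alice\AppData\LocalLow",
    "AppData": r"C:\Users\alice\AppData\Roaming",
    "System": r"C:\Windows\System32",
    "ProgramFiles": r"C:\Program Files",
    "ProgramFiles(X86)": r"C:\Program Files (x86)",
    "WINDIR": r"C:\Windows",
}

# Copy of the <definition> from the post (description shortened; conditions unchanged).
RULE_XML = """<rule>
  <description><name>no run on normal path</name><os>Windows</os></description>
  <definition>
    <process>
      <operator type="AND">
        <!-- Path for normal installation programs -->
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%LocalAppDataLow%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%AppData%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%System%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%ProgramFiles(X86)%" />
        <condition component="FileItem" condition="notstarts" property="Path" value="%WINDIR%" />
      </operator>
    </process>
  </definition>
</rule>
"""

def expand(value):
    """Substitute every %Name% token from ENV; an unknown name is an error."""
    env_lower = {k.lower(): v for k, v in ENV.items()}
    def repl(m):
        name = m.group(1).lower()
        if name not in env_lower:
            raise KeyError(f"unknown variable %{m.group(1)}%")
        return env_lower[name]
    return re.sub(r"%([^%]+)%", repl, value)

def eval_condition(cond, path):
    """Evaluate one <condition> on FileItem.Path; only starts/notstarts are modelled."""
    if cond.get("component") != "FileItem" or cond.get("property") != "Path":
        raise ValueError("only FileItem.Path conditions are modelled here")
    # Windows paths are case-insensitive, so compare lower-cased prefixes.
    prefix = expand(cond.get("value")).lower()
    starts = path.replace("/", "\\").lower().startswith(prefix)
    op = cond.get("condition")
    if op == "starts":
        return starts
    if op == "notstarts":
        return not starts
    raise ValueError(f"unsupported condition {op!r}")

def eval_operator(node, path):
    """AND/OR over child conditions and nested operators."""
    results = []
    for child in node:
        if child.tag == "operator":
            results.append(eval_operator(child, path))
        elif child.tag == "condition":
            results.append(eval_condition(child, path))
    kind = node.get("type", "AND").upper()
    if kind == "AND":
        return all(results)
    if kind == "OR":
        return any(results)
    raise ValueError(f"unsupported operator type {kind!r}")

def rule_matches(rule_xml, path):
    """True when the process image path satisfies the rule's <definition>."""
    root = ET.fromstring(rule_xml)
    return eval_operator(root.find("./definition/process/operator"), path)

# Constructed sample image paths with the result the rule logic gives each.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\app.exe",               # False: under %ProgramFiles%
    r"C:\Program Files (x86)\Vendor\app.exe",         # False: under %ProgramFiles(X86)%
    r"C:\Windows\System32\svchost.exe",               # False: under %System%
    r"C:\Users\alice\Downloads\setup.exe",            # True: no listed prefix matches
    r"D:\tools\portable.exe",                          # True
    r"C:\Users\alice\AppData\Local\Temp\update.exe",  # False: %LocalAppData% is allowlisted
]

def triage(rule_xml=RULE_XML, paths=SAMPLE_PATHS):
    # Map each sample path to whether the rule would fire on it.
    return {p: rule_matches(rule_xml, p) for p in paths}
```

Running `triage()` shows the two paths the rule flags and, more usefully for tuning, the ones it stays quiet on: because %LocalAppData% and %AppData% are treated as "normal" locations, anything launched from a user profile's AppData tree never satisfies the AND, so the rule as written only covers paths such as Downloads, removable media or other drives.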

  • Administrators

There seems to be no obvious error and the syntax checker didn't report any either. Please raise a support ticket and elaborate more on the problem you are having with this rule.
