Host Intrusion Prevention 6.1 Product Guide Writing Custom Signatures
Windows Custom Signatures
time { Include "*" }: This section is currently not used, but must be included in this
way in the rule.
application { Include "*" }: Indicates that this rule is valid for all processes. If you
want to limit your rule to specific processes, you would spell them out here,
complete with their path name.
user_name { Include "*" }: Indicates that this rule is valid for all users (or more
precisely, the security context in which a process runs). If you want to limit your
rule to specific user contexts, you would spell them out here in the form Local/user
or Domain/user. See paragraph "Mandatory Common Sections" for details.
directives -c -d registry:delete: Indicates that this rule covers deletion of a registry
key or value. The switches -c and -d must always be used in the directives section.
Class Services
The following table lists the possible sections of the class Services.
| section | values | meaning/remarks |
|---|---|---|
| Class | Services | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| services | name of the service which is the subject of the operation creating the instance | either section "services" or "display_names" must be used; the name of a service is found in the registry under the key given in Note 1 |
| display_names | display name of the service | this name is shown in the Services Control Panel; see Note 1 |
| directives | -c -d services:delete | Deletion of a service |
| | services:create | Creation of a service |
| | services:start | Giving a start command to a service |
| | services:stop | Giving a stop command to a service |
| | services:pause | Giving a pause command to a service |
| | services:continue | Giving a continue command to a service |
| | services:startup | Modifying the startup mode of a service |
| | services:profile_enable | Enabling a hardware profile |
| | services:profile_disable | Disabling a hardware profile |
| | services:logon | Modifying the logon information of a service |

Note 1
The section services must contain the name of the service, which is the name of the
corresponding registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.
The section display_names must contain the display name of the service, the name
shown in the Services Control Panel, which is found in registry value
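The constraints stated in the section explanations and in the Services table above, turned into an added Python linter that is not part of the product guide: it parses a rule written in the section syntax shown on this page and reports violations of the stated constraints (the mandatory time, application and user_name sections, the -c -d switches, the Id range 4000-7999 for class Services, the requirement that either services or display_names is present, and the list of services:* operations). The enclosing Rule { } block, the service name ExampleSvc and both sample rules are constructed assumptions for the example, not text from the guide.

```python
"""Lint a Host Intrusion Prevention custom signature of class Services against
the constraints given in the product guide (this checker is an added example)."""
import re

SERVICES_ID_RANGE = (4000, 7999)           # Id range reserved for class Services
LEVELS = {"0", "1", "2", "3", "4"}
SERVICES_OPERATIONS = {
    "services:delete", "services:create", "services:start", "services:stop",
    "services:pause", "services:continue", "services:startup",
    "services:profile_enable", "services:profile_disable", "services:logon",
}

# A bracket section looks like:  user_name { Include "*" }
SECTION_RE = re.compile(r'^(\w+)\s*\{\s*(Include|Exclude)\s+"([^"]*)"\s*\}$')
KEYWORD_RE = re.compile(r'^(Class|Id|level)\s+(\S+)$')
DIRECTIVES_RE = re.compile(r'^directives\s+(.*)$')


def parse_rule(text):
    """Map each section name to its value; also return lines that could not be parsed."""
    rule, errors = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Rule {", "}"):   # assumed Rule { } wrapper carries no data
            continue
        m = SECTION_RE.match(line)
        if m:
            rule[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = KEYWORD_RE.match(line)
        if m:
            rule[m.group(1)] = m.group(2)
            continue
        m = DIRECTIVES_RE.match(line)
        if m:
            rule["directives"] = m.group(1).split()
            continue
        errors.append(f"unrecognized line: {line!r}")
    return rule, errors


def lint_services_rule(text):
    """Return the list of problems found; an empty list means the rule is well formed."""
    rule, problems = parse_rule(text)

    # Mandatory common sections; time is unused but must still read time { Include "*" }.
    for section in ("time", "application", "user_name"):
        if section not in rule:
            problems.append(f"missing mandatory section '{section}'")
    if rule.get("time") not in (None, ("Include", "*")):
        problems.append('section time must be written as time { Include "*" }')

    if rule.get("Class") != "Services":
        problems.append("Class must be Services for this check")

    try:                                       # Id must fall in the Services range
        rule_id = int(rule.get("Id", ""))
        lo, hi = SERVICES_ID_RANGE
        if not lo <= rule_id <= hi:
            problems.append(f"Id {rule_id} outside the Services range {lo}-{hi}")
    except ValueError:
        problems.append("Id missing or not a number")

    if rule.get("level") not in LEVELS:
        problems.append("level must be one of 0, 1, 2, 3, 4")

    # The subject service is named either by its service name or by its display name.
    if "services" not in rule and "display_names" not in rule:
        problems.append("either section 'services' or 'display_names' must be used")

    directives = rule.get("directives")
    if directives is None:
        problems.append("missing directives line")
    else:
        if directives[:2] != ["-c", "-d"]:     # the switches always come first
            problems.append("directives must start with the switches -c -d")
        ops = [d for d in directives if not d.startswith("-")]
        if not ops:
            problems.append("directives must name at least one services:* operation")
        for op in ops:
            if op not in SERVICES_OPERATIONS:
                problems.append(f"unknown operation for class Services: {op}")
    return problems


# Constructed sample (not from the guide): react when any process, under any user
# context, stops or deletes the hypothetical service "ExampleSvc".
SAMPLE_RULE = """
Rule {
  Class Services
  Id 4001
  level 4
  services { Include "ExampleSvc" }
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives -c -d services:stop services:delete
}
"""

# Constructed broken variant: Id below the class range, no service named,
# switches missing, and a registry operation that does not belong to class Services.
BROKEN_RULE = """
Rule {
  Class Services
  Id 3999
  level 4
  time { Include "*" }
  application { Include "*" }
  user_name { Include "*" }
  directives services:stop registry:delete
}
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_RULE", SAMPLE_RULE), ("BROKEN_RULE", BROKEN_RULE)):
        print(name, lint_services_rule(text) or "OK")
```

Running the linter over a signature before importing it catches the mistakes the guide warns about (wrong Id range, missing -c -d, a directive from another class) without touching the host; a rule that passes still needs the usual staged rollout, since the checker validates syntax and stated constraints only, not whether the reaction level is appropriate.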