Navigation

← Previous Changeset
Next Changeset →

Changeset 1606

Timestamp:

06/09/08 12:53:02 (3 months ago)

Author:

xkovah

Message:

more permissive versions of some regexes

Files:

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl

r1605	r1606
373	373	#Adobe Reader 8 excludes
374	374	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Acr.*\.tmp
	375	+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Acr.*\.tmp
375	376	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Adobe\\Acrobat\\8\.0\\EPICConfig\.xml
376		~~+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Acr.*\.tmp~~
377	377	+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Adobe\\Acrobat\\8\.0\\EPICConfig\.xml
378	378	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\aumLib\.log
379		~~+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Program Files\\Adobe\\Reader 8\.0\\Resource\\Linguistics\\Providers\\Proximity10~~
380	379	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AdobeUpdaterPrefs\.dat
381	380	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Application Data\\Adobe\\Acrobat\\8\.0\\UserCache\.bin
382	381	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Acrobat\\8\.0\\Updater\\updater\.log
	382	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\NTUSER\.DAT\.LOG
	383	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Documents and Settings\\Administrator\\NTUSER\.DAT
	384	+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe C:\\Program Files\\Adobe\\Reader 8\.0\\Resource\\Linguistics\\Providers\\Proximity10
	385
	386	+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Program Files\\Common Files\\Adobe\\Updater5\\.+
	387	+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Program Files\\Common Files\\Adobe\\Updater5\\.+
	388	+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AMT\\.+
	389	+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AMT\\.+
	390	+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\.+
	391	+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\.+
	392
	393	+ Write C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32Info\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Acr.+
	394	+ Delete C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32Info\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\Acr.+
	395
383	396	+ Delete C:\\WINDOWS\\explorer\.exe C:\\Documents and Settings\\Administrator\\Recent\\.*
384	397	+ Write C:\\WINDOWS\\explorer\.exe C:\\Documents and Settings\\Administrator\\Recent\\.*
	398
385	399	+ Write System C:\\Documents and Settings\\Administrator\\Recent\\.*
386		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\AdobeUpdater_meta\.txt
387		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml\.0
388		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\AdobeUpdater\.aum
389		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\crl\\.*\.crl
390		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\reader8rdr-en_US\.aum
391		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml
392		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\acrobatPI\.log
393		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\reader8rdr-en_US\.aup\.xml
394		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\aum\.log
395		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml\.0
396		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\crl\\.*\.crl
397		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\AdobeUpdater\.aum
398		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\reader8rdr-en_US\.aum
399		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml_
400		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\Data\\reader8rdr-en_US_meta\.txt
401		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.sig
402		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.sig
403		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\crl
404		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml
405		+ Delete C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AUTrans\.xml_
406		+ Write C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Adobe\\Updater5\\AdobeUpdaterPrefs\.dat
	400	+ Delete System C:\\Documents and Settings\\Administrator\\Recent\\.*

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl

r1605	r1606
53	53	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
54	54	+ AcroRd32.exe .* C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe
55		#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	55	+ AcroRd32Info.exe .* C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32Info.exe
56	56	+ AdobeUpdater.exe .* C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater.exe
57	57

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl

r1605	r1606
438	438
439	439	#### HONEYCLIENT AUTO EXCLUDE SCRIPT
	440	#Adobe Acrobat Reader 8 excludes
440	441	+ DeleteValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\AdobeViewer
441	442	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\AdobeViewer
…	…
445	446	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache\\.+
446	447	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.*
	448	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
447	449	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
448		+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\AVGeneral\\cRecentFiles\\c1
449		+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
	450	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
450	451	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\AVGeneral.*
451	452	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Collab
452		+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.*
453	453	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Adobe Acrobat\\8\.0\\DiskCabs
454		~~+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap~~
455	454	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\RememberedViews\\.+
456
457		+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
	455	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Selection
	456	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\NoTimeOut
	457	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Originals
	458	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Annots\\cAnnots\\cAnnot
	459	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\AVTracker
	460	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Installer\\Migrated
	461	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\multimedia\\cColorAndBorder
	462	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKCU\\Software\\Adobe\\Acrobat Reader\\8\.0\\Language\\next
	463	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKLM\\SOFTWARE\\Classes\\TypeLib\\.+\\1\.1\\0\\win32
	464	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32\.exe HKLM\\SOFTWARE\\Classes\\Interface\\.+\\TypeLib
	465
458	466	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+
459	467	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
	468	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*
	469	+ DeleteValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*
	470	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
460	471	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings
461		+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*
462		#Note, that the below actually won't work...it conflicts with a blacklist entry...
	472	+ SetValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*
	473	+ DeleteValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.*
	474
	475	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32Info\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+
	476	+ SetValueKey C:\\Program Files\\Adobe\\Reader 8\.0\\Reader\\AcroRd32Info\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
	477
	478	+ SetValueKey C:\\WINDOWS\\explorer\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\.+
	479
	480	#Note, that the below 2 actually won't work...it conflicts with a blacklist entry...
463	481	+ DeleteValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
464	482	+ DeleteValueKey C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
465

Navigation

Changeset 1606

Legend:

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl

Download in other formats: