Changeset 1612

Timestamp:

06/10/08 10:42:43 (3 months ago)

Author:

xkovah

Message:

Added builtin XP unzip and WinZip whitelist entries

Files:

• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl (modified) (1 diff)
• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl (modified) (1 diff)
• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl (modified) (1 diff)

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl

@@ -399 +399 @@
-+   Write   System  C:\\Documents and Settings\\Administrator\\Recent\\.*
-+   Delete  System  C:\\Documents and Settings\\Administrator\\Recent\\.*
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#Seems to be valid for WinZip 8.0-11.1
++   Delete  C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.+
++   Write   C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.+
++   Write   C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\All Users\\Application Data\\WinZip\\.+
++   Delete  C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\All Users\\Application Data\\WinZip\\.+

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl

@@ -62 +62 @@
-+   AcroRd32.exe    .*  C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe
-+   AcroRd32Info.exe    .*  C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32Info.exe
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#Seems to be valid for WinZip 8.0-11.1
++   WINZIP32.EXE    .*  C:\\Program Files\\WinZip\\WINZIP32.EXE

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl

@@ -481 +481 @@
-+   DeleteValueKey  C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
-+   DeleteValueKey  C:\\Program Files\\Common Files\\Adobe\\Updater5\\AdobeUpdater\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#WinXP Builtin Unzip: This was the only action seen when double clicking a zip file with the default builtin WinXP unzip
+#(to be more specific, this was on a specific "Locked" key which was set to 1, and it's always reproducible)
++   SetValueKey C:\\WINDOWS\\explorer\.exe  HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar
+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#Seems to be valid for WinZip 8.0-11.1
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Nico Mak Computing\\WinZip\\.+
++   DeleteValueKey  C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Nico Mak Computing\\WinZip\\.+
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKLM\\SOFTWARE\\Nico Mak Computing\\WinZip\\.+
++   DeleteValueKey  C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKLM\\SOFTWARE\\Nico Mak Computing\\WinZip\\.+
++   SetValueKey C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Nico Mak Computing\\Common\\.+
++   DeleteValueKey  C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Nico Mak Computing\\Common\\.+
++   SetValueKey C:\\WINDOWS\\explorer\.exe  HKLM\\SOFTWARE\\Classes\\Applications\\winzip32\.exe\\.+