Changeset 1622

Timestamp:

06/12/08 17:37:32 (6 months ago)

Author:

xkovah

Message:

some excel whitelist entries

Files:

• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl (modified) (1 diff)
• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl (modified) (1 diff)
• honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl (modified) (1 diff)

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/FileMonitor.exl

@@ -406 +406 @@
-+   Write   C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\All Users\\Application Data\\WinZip\\.+
-+   Delete  C:\\Program Files\\WinZip\\WINZIP32\.EXE    C:\\Documents and Settings\\All Users\\Application Data\\WinZip\\.+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS Word 2003 sp0
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\.+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#Assumes all files will be launched from the Desktop...if they are stored elsewhere, then we need to whitelist that...
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\Administrator\\Desktop\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE C:\\Documents and Settings\\Administrator\\Desktop\\.+
+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS PowerPoint 2003 sp0
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.MSO\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.MSO\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Desktop\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Desktop\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Office\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Office\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\PowerPoint\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\PowerPoint\\.+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS Excel 2003 sp0
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Office\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Office\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.MSO\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content\.MSO\\.+
++   Write   C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.+
++   Delete  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\.+
+

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/ProcessMonitor.exl

@@ -66 +66 @@
-#Seems to be valid for WinZip 8.0-11.1
-+   WINZIP32.EXE    .*  C:\\Program Files\\WinZip\\WINZIP32.EXE
+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS Office 2003 sp0
++   WINWORD.EXE .*  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE
++   POWERPNT.EXE    .*  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE
++   EXCEL.EXE   .*  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE

honeyclient/branches/exp/xkovah-app_whitelists/thirdparty/capture-mod/RegistryMonitor.exl

@@ -501 +501 @@
-+   DeleteValueKey  C:\\Program Files\\WinZip\\WINZIP32\.EXE    HKCU\\Software\\Nico Mak Computing\\Common\\.+
-+   SetValueKey C:\\WINDOWS\\explorer\.exe  HKLM\\SOFTWARE\\Classes\\Applications\\winzip32\.exe\\.+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS Word 2003 sp0
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Shared Tools\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Shared Tools\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD\.EXE HKCU\\Software\\Microsoft\\Shared
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS PowerPoint 2003 sp0
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT\.EXE    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\WINDOWS\\explorer\.exe  HKLM\\SOFTWARE\\Classes\\Applications\\POWERPNT\.EXE\\.+
++   DeleteValueKey  C:\\WINDOWS\\explorer\.exe  HKLM\\SOFTWARE\\Classes\\Applications\\POWERPNT\.EXE\\.+
+
+
+#### HONEYCLIENT AUTO EXCLUDE SCRIPT
+#MS Excel 2003 sp0
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Office\\11\.0\\.+
++   DeleteValueKey  C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Office\\Common\\.+
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
++   SetValueKey C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL\.EXE   HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+