Computer Active Guide 2009 February

home *** CD-ROM | disk | FTP | other *** search

/ Computer Active Guide 2009 February / UG2.ISO / Programos / OutpostSecuritySuiteProInstall_samag.exe / {code_GetDest} / machine.ini < prev next >

Wrap

INI File | 2009-01-23 | 33.3 KB | 894 lines

; Warning! Agnitum Ltd. is not responsible for your system security and proper functioning ; in case of manual modification of this file ; ------------------------------------------------------------------------------------------------------------------------- ; General Settings ; ------------------------------------------------------------------------------------------------------------------------- [General] ; This value configures firewall driver behavior in case of unexpected ACS shutdown. ; If TRUE, all network activity is blocked. ExitProtection=TRUE ; Protection of Outpost files and registry after service shutdown. SelfProtectinOnExit=TRUE ; Enable or disable TCP telnet server on 805 port EnableDebugTCPServer=false ; Enable or disable monitor(op_mon) start/stop service(acs) MonitorControllService=true ; Do you want to start acs service if outpost gui is started StartACSOnMonitorStartup=yes ; Disables sending and receiving rules to/from driver. Use for debug purposes DisableSendDriverRules=false ; Enable or disable corporate mode functionality CorporateMode=false [GeneralDebug] ; ; This value configures firewall driver behavior in case of unexpected ACS shutdown. ; If TRUE, all network activity is blocked. ExitProtection=FALSE ; Protection of Outpost files and registry after service shutdown. SelfProtectinOnExit=FALSE ; Enable or disable TCP telnet server on 805 port EnableDebugTCPServer=true ; Enable or disable monitor(op_mon) start/stop service(acs) MonitorControllService=false ; Do you want to start acs service if outpost gui is started StartACSOnMonitorStartup=true ; Disables sending and receiving rules to/from driver. Use for debug purposes DisableSendDriverRules=false ; Enable or disable corporate mode functionality CorporateMode=false [GlobalFirewallRules] ; block netbios rules BlockNetbios=yes ; block no-first fragments arrives before first fragment BlockNoOrderedFragment=yes ; block icmp do not allowed by settings BlockNotAllowedICMP=yes ; ------------------------------------------------------------------------------------------------------------------------- ; Antileak Settings ; ------------------------------------------------------------------------------------------------------------------------- [Antileak] ; Allow controlling the TerminateProcess API ProcessTerminateControl=yes ; Allow controlling the Direct Disk access DirectDiskControl=yes ; ------------------------------------------------------------------------------------------------------------------------- ; AFW Driver Settings ; ------------------------------------------------------------------------------------------------------------------------- [AFW] ; Allow traffic processing in user mode. EnableContentHandler=TRUE EnableContentProcessing=TRUE ; ------------------------------------------------------------------------------------------------------------------------- ; On Access Virus Scanner Settings ; ------------------------------------------------------------------------------------------------------------------------- [OnAccessScanner] ; Enable on-access scanner functionality. This functionality can be disanled due to compatibility reason ; with third-party AV software EnableScanner=true ; If enabled, on-access scanner do not scan files on close. CompatibilityMode=false ; If enabled, on-access scanner do not scan files on any access CompatibilityDisableOnAnyAccess=false ; If enabled, use extended attributes for cache files(not modified attributes) ; depricated EnableAttributes=true CompatibilityEnableAttributes=true ; ------------------------------------------------------------------------------------------------------------------------- ; Antimalware Settings ; ------------------------------------------------------------------------------------------------------------------------- [Antimalware] Engines=hax,asw,vb RebootScanProfile= RebootScan=FALSE ; ------------------------------------------------------------------------------------------------------------------------- ; Autoupdate Settings ; ------------------------------------------------------------------------------------------------------------------------- [update] ; Path to the update server including root folder. server=http://updates.agnitum.com/update_suite20 ; Local path for update operation. This folder will contain all files, created during update operation. update_dir=update_oss20 [ConfigWizard] UpdatePreset=FALSE SmartScan=TRUE ; ------------------------------------------------------------------------------------------------------------------------- ; News download Settings ; ------------------------------------------------------------------------------------------------------------------------- [news] ; news download path from the root of acs.exe NewsPath=news ; date of last news downloaded from server ;LastNewsBuild=1 [Languages] CurrentLang=en LangList=en|ru ; ------------------------------------------------------------------------------------------------------------------------- ; Multimacros Description ; ------------------------------------------------------------------------------------------------------------------------- ; Records containing such fragments will be expanded into several records. ; For example: ; REGISTRY\{MachineOrUser}\Software\Microsoft\Windows\CurrentVersion\Run ; will be expanded as: ; REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ; REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Run [SoftwareClasses64] ; 'Software' registry section description for x86 and x64 Windows platforms. SOFTWARE\CLASSES\ SOFTWARE\CLASSES\Wow6432Node [MachineOrUser] ; Description of registry sections that are common for a user and a system. MACHINE <User> [OpenOrRunAs] ; Registry records - either Open, or RunAs - for shell. open runas [ControlSet] ; x64 interceptor identifies ControlSet* as CurrentControlSet. ControlSet* CurrentControlSet ; pre-defined groups: ; [System64] ; [Software64] ; [SoftwareClasses64] ; ------------------------------------------------------------------------------------------------------------------------- ; Macros Description ; ------------------------------------------------------------------------------------------------------------------------- [Macro] ; This section contains macro definitions. They can be applied to SelfProtection rules. ; Macros is defined in the following format: ; MacroName=Value ; Macros is used the following way: <MacroName>. <MacroName> substring is replaced by Value. ; Recursive macros definition is allowed, for example: ; Macro1=aaa ; Macro2=<Macro1>bbb ; However in direct sequence only (Macro1 macros should be defined before using Macro2). ; WindowsDir and SystemDir macroses are already defined. DriversDir=<SystemDir>\Drivers FiltDir=<SystemDir>\Filt FullAccess=read write rename delete exec connect open_process thread_start thread_stop write_mem thread_ctx NoLearn=no_learn_open no_learn_exec no_learn_read no_learn_write no_learn_create no_learn_delete no_learn_rename LimitedAccess=no_learn_open read exec thread_start no_set_hook no_send_close allow_init_dde no_send_input LimitedAccessNoLearn=<LimitedAccess> <NoLearn> AllFiles=* SystemDir32OrWow=<WindowsDir>\{System64} MachineServices=MACHINE\System\{ControlSet}\Services MachineControl=MACHINE\System\{ControlSet}\Control MachineCurrentVersion=MACHINE\Software\Microsoft\Windows\CurrentVersion MachineNTCurrentVersion3264=MACHINE\{Software64}\Microsoft\Windows NT\CurrentVersion CurrentVersionUserMachine3264={MachineOrUser}\{Software64}\Microsoft\Windows\CurrentVersion User=USER\* ; Compiler directories are added to exclusions for debug convenience. [VCDirs] e:\msdev.2005 e:\msdev.2008 C:\Program Files\Microsoft Visual Studio 8 c:\Program Files\Microsoft Visual Studio 9.0 ; Compiler files [Compilers] cl.exe link.exe ; Windbg directories are added to exclusions for debug convenience. [WinDBGDirs] c:\Program Files\Debugging Tools for Windows c:\Program Files (x86)\Debugging Tools for Windows ; Compiler files [DebuggerFiles] agestore.exe breakin.exe cdb.exe dbengprx.exe dbgrpc.exe dbgsrv.exe dbh.exe dumpchk.exe dumpexam.exe gflags.exe i386kd.exe ia64kd.exe kd.exe kdbgctrl.exe kdsrv.exe kill.exe list.exe logger.exe logviewer.exe ntsd.exe remote.exe rtlist.exe symchk.exe symstore.exe tlist.exe umdh.exe windbg.exe ; Sysinternals directories are added to exclusions for debug convenience. [SysInternalDirs] c:\Sys Internals ; Compiler files [SysInternalFiles] ProcessExplorer\procexp.exe ProcessMonitor\Procmon.exe ; Compiler files are added to exclusions for debug convenience. [VCFiles] {VCDirs}\common7\ide\devenv.exe {VCDirs}\vc\bin\x86_amd64\{Compilers} {VCDirs}\vc\bin\md64\{Compilers} {VCDirs}\vc\bin\{Compilers} {VCDirs}\Common7\IDE\Remote Debugger\x64\msvsmon.exe {VCDirs}\Common7\IDE\mspdbsrv.exe ; WinDBG files are added to exclusions for debug convenience. [WinDbgFiles] {WinDBGDirs}\{DebuggerFiles} ; SysInternals files are added to exclusions for debug convenience. [WinDbgFiles] {WinDBGDirs}\{DebuggerFiles} ; SysInternals files are added to exclusions for debug convenience. [SysIntFiles] {SysInternalDirs}\{SysInternalFiles} ; ------------------------------------------------------------------------------------------------------------------------- ; Self-Protection Settings ; ------------------------------------------------------------------------------------------------------------------------- [UserAntileakExclusions] ; This section contains applications that are not monitored by Anti-leak. <SystemDir>\alg.exe <SystemDir>\dwm.exe <SystemDir>\wmiprvse.exe <SystemDir>\wdfmgr.exe <SystemDir>\taskeng.exe [AntileakExclusions] ; This section contains applications that are not monitored by Anti-leak. <SystemDir>\ntoskrnl.exe <SystemDir>\csrss.exe <SystemDir>\lsass.exe <SystemDir>\lsm.exe <SystemDir>\smss.exe <SystemDir>\svchost.exe <SystemDir>\winlogon.exe <SystemDir>\taskeng.exe {OutpostExecutable} {UserAntileakExclusions} [SelfProtectionExclusions] ; This section contains self-protection exclusions. [OutpostExecutable] ; This section defines a set of applications that have access to Outpost folder and registry. <ExecDir>\acs.exe <ExecDir>\op_mon.exe <ExecDir>\feedback.exe <ExecDir>\unins0??.exe <ExecDir>\plugins\anti-spam\asp_srv.exe <ExecDir>\plugins\anti-spam.x64\asp_srv.exe [DriverNames] sandbox afw afwcore vbengnt [DriverPluginNames] vbfilt aswfilt [OutpostFiles] ; This section describes the set of Outpost files. <ExecDir>\* <FiltDir>\* <DriversDir>\afw.sys <DriversDir>\afwcore.sys <DriversDir>\sandbox.sys <DriversDir>\sandbox64.sys <DriversDir>\vbengnt.sys <SystemDir>\config\prcdrv.acl <SystemDir>\config\prc.acl <SystemDir>\config\afw_db.conf <SystemDir>\config\afw_hm.conf [OutpostRegistry] ; Registry keys which only Outpost has access to. REGISTRY\<MachineCurrentVersion>\Uninstall\Agnitum Outpost Firewall Pro*\* REGISTRY\<MachineCurrentVersion>\Uninstall\Agnitum Outpost Security Suite Pro*\* REGISTRY\<MachineCurrentVersion>\Run\OutpostMonitor REGISTRY\<MachineCurrentVersion>\Run\OutpostFeedBack REGISTRY\<MachineCurrentVersion>\App Paths\acs.exe\* REGISTRY\<MachineServices>\{DriverNames}\* REGISTRY\<MachineServices>\{DriverPluginNames}\* REGISTRY\<MachineServices>\acssrv\* [ProtectedObjects] ; This section describes objects protected by self-protection mechanism. {OutpostFiles} {OutpostRegistry} [TrustedApplications] ; This section describes the set of applications that have access to Outpost folder. ; In this folder self-protection exclusions are stored. ; This application should better be removed after first start. ;<SystemDir32OrWow>\runonce.exe <SystemDir32OrWow>\autochk.exe <SystemDir32OrWow>\csrss.exe <SystemDir32OrWow>\svchost.exe <SystemDir32OrWow>\dfrgntfs.exe {AntileakExclusions} {SelfProtectionExclusions} [FilteredApplications] ; This section contains applications for which write access is blocked without notification from Outpost. <SystemDir32OrWow>\mshta.exe <SystemDir32OrWow>\rundll32.exe <SystemDir32OrWow>\taskmgr.exe <SystemDir32OrWow>\searchindexer.exe [RegistryApplications] <SystemDir32OrWow>\ntoskrnl.exe ; ≤Σαδσφε ≈≥εß√ φσ ß√δε Γετ∞εµφε±≥Φ ∩≡εΦτΓεδⁿφε ∞σφ ≥ⁿ start type ;<SystemDir32OrWow>\services.exe [AntispamRegEntries] spam threshold unsure threshold enable outlook enable express [LogsExt] .log .0 [TrustedLogs] wl_hook oe_mail oe_mydb oe_scan oe_train oe_sink_old op_mail op_scan op_train op_gui selection enum expiredmail adviser asp_ipc memlog asp_srv tb_mail transact [UninstallData] unins0??.dat [SelfProtection] ; In this section self-protection rules are described. ; Rules for controlling file operations are written in the following format: ; object_set, access mask, subject_set ; ; access mask: ; Attributes available for file operations (FILE=) ; read - object read operation is allowed to the entity ; write - object write operation is allowed to the entity ; delete - operation of deleting the object file is allowed to the entity ; exec - operation of launching the object is allowed to the entity ; connect - operation of launching the object is allowed to the entity ; hidden - operation of object masquerading from the entity ; full_access - object has full access to the entity ; read_only - object has read only access to the entity ; open_process - process opening is allowed ; thread_start - remote thread starting is allowed ; thread_stop - remote thread stopping is allowed ; write_mem - remote writing to process memory is allowed ; thread_ctx - remote setting of process context is allowed ; no_scan - do not scan object with on-access antivirus ; scan_on_exec - scan file only if it is opened for execution ; no_override - do not override rule if it is already defined for given object and subject ; no_learn - on blocking by the rule, service will not be notified ; no_learn_open - service will not be notified on blocking open operation ; no_learn_exec - --""-- launch operation ; no_learn_read - --""-- read operation ; no_learn_write - --""-- write operation ; no_learn_create - --""-- creation operation ; no_learn_delete - --""-- deletion operation ; no_learn_rename - --""-- rename operation ; Entity description. If entity name ends with \*, two rules are added. ; One for the entity, another for its child structures with the specified mask {OutpostExecutable} -> {ProtectedObjects} = <FullAccess> {TrustedApplications} -> {ProtectedObjects} = <FullAccess> <AllFiles> -> {ProtectedObjects} = <LimitedAccess> <AllFiles> -> <ExecDir>\? = read write exec {FilteredApplications} -> {OutpostFiles} = <LimitedAccessNoLearn> {RegistryApplications} -> {OutpostRegistry} = <FullAccess> <WindowsDir>\explorer.exe -> <ExecDir>\Thumbs.db = <FullAccess> <WindowsDir>\explorer.exe -> {OutpostExecutable} = <LimitedAccess> allow_send_input allow_send_close ;http://btsx/ticket.aspx?id=13688 <SystemDir32OrWow>\mshta.exe -> <ExecDir>\unins0??.exe = <LimitedAccess> open_process ;<AllFiles> -> <ExecDir>\Plugins\BrowserBar\ie_bar.ini = <FullAccess> <AllFiles> -> <ExecDir>\ie_bar.ini = <FullAccess> <AllFiles> -> <ExecDir>\{UninstallData} = <FullAccess> no_scan <AllFiles> -> <ExecDir>\log\{TrustedLogs}{LogsExt} = <FullAccess> no_scan <AllFiles> -> <ExecDir>\plugins\anti-spam\data\* = <FullAccess> no_scan <AllFiles> -> <ExecDir>\plugins\anti-spam\* = <FullAccess> no_scan <AllFiles> -> <ExecDir>\plugins\anti-spam.x64\* = <FullAccess> no_scan <AllFiles> -> <ExecDir>\plugins\anti-spam.x64\data\* = <FullAccess> no_scan <AllFiles> -> REGISTRY\<User>\Software\agnitum\Security Suite\{AntispamRegEntries} = <FullAccess> ; Φ±Ωδ■≈σφΦ - ∩≡Φ Φτ∞σφσφΦΦ Ωεφ⌠Φπ≤≡α÷ΦΦ ±Φ±≥σ∞α ∩≡ε∩Φ±√Γασ≥≥ Γ ²≥Φ Γσ≥ΩΦ φεΓ√σ τφα≈σφΦ *->REGISTRY\<MachineServices>\afw\Parameters\Adapters\* = <FullAccess> *->REGISTRY\<MachineServices>\afw\Parameters\NdisAdapters\* = <FullAccess> *->REGISTRY\<MachineServices>\afw\Enum\* = <FullAccess> *->REGISTRY\<MachineServices>\afwcore\Enum\* = <FullAccess> *->REGISTRY\<MachineServices>\afwcore\Enum\* = <FullAccess> *->REGISTRY\<MachineServices>\acssrv\Enum\* = <FullAccess> *->REGISTRY\<MachineServices>\sandbox\Enum\* = <FullAccess> *->REGISTRY\<MachineServices>\sandbox64\Enum\* = <FullAccess> ; φσ τα∙Φ∙ασ∞ ßεδⁿ°σ ∩≡ε÷σ±±εΓ csrss.exe - ∩ε²≥ε∞≤ ∩≡αΓΦδε φσ ≥≡σß≤σ≥± ;<SystemDir>\services.exe -> <SystemDir>\csrss.exe = <FullAccess> [SelfProtectionDebugAdd] {VCFiles} -> {ProtectedObjects} = <FullAccess> {WinDbgFiles} -> {ProtectedObjects} = <FullAccess> {SysIntFiles} -> {ProtectedObjects} = <FullAccess> ; ------------------------------------------------------------------------------------------------------------------------- ; On Access Scanner Rules ; ------------------------------------------------------------------------------------------------------------------------- [NoScanExtensions] .log .pf .ci .dir .cdf-ms .part [RegsitryFileStorage] default components sam security software system components default.sav sam.sav security.sav software.sav system.sav default.old sam.old security.old software.old system.old [OnAccessScannerRules] ; do not scan own log files when we write them ; {OutpostExecutable} -> <ExecDir>\log\* = <FullAccess> no_scan * -> <SystemDir>\Drivers\Etc\hosts=<FullAccess> no_scan no_override ; do not allow malware to inject to outpost components {OutpostExecutable} -> * = <FullAccess> scan_on_exec *-><SystemRoot>\ProgramData\Agnitum\Security Suite\antispam_stat.ini=<FullAccess> no_scan *-><ExecDir>\plugins\anti-spam\data\base\*=<FullAccess> no_scan *-><ExecDir>\plugins\anti-spam.x64\data\base\*=<FullAccess> no_scan * -> <SystemRoot>\System Volume Information\* = <FullAccess> scan_on_exec * -> <WindowsDir>\Prefetch\* = <FullAccess> scan_on_exec * -> <SystemDir>\wbem\logs\* = <FullAccess> scan_on_exec <SystemDir>\svchost.exe -> <WindowsDir>\* = <FullAccess> scan_on_exec <SystemDir>\ntoskrnl.exe -> <WindowsDir>\* = <FullAccess> scan_on_exec <SystemDir>\DfrgNtfs.exe -> * = <FullAccess> scan_on_exec <SystemDir>\SearchIndexer.exe -> * = <FullAccess> scan_on_exec <SystemDir>\SearchFilterHost.exe -> * = <FullAccess> scan_on_exec <SystemDir>\SearchProtocolHost.exe -> * = <FullAccess> scan_on_exec <SystemDir>\wbem\wmiadap.exe -> <SystemDir>\perf*.dat = <FullAccess> no_scan * -> \EXTENSIONS\*{NoScanExtensions} = no_scan * -> <SystemDir>\config\{RegsitryFileStorage} = <FullAccess> no_scan * -> <SystemDir>\config\regback\{RegsitryFileStorage} = <FullAccess> no_scan * -> <WindowsDir>\AppPatch\sysmain.sdb = <FullAccess> no_scan * -> <WindowsDir>\AppPatch\drvmain.sdb = <FullAccess> no_scan ; ------------------------------------------------------------------------------------------------------------------------- ; System Monitor Settings (for debug purposes) ; ------------------------------------------------------------------------------------------------------------------------- [SandboxMonitor] ; This section describes monitor settings used for debug purposes only. ; Macroses do not work here. ; Operation mask for monitor. Available values: ; open exec read write close delete rename Operations= ; Whether operations with folders are monitored. FolderOperaton=TRUE ; Whether operations with registry are monitored. RegistryOperation=TRUE ; Whether operations with processes are monitored. InterprocOperation=FALSE ; Whether non-file operations are monitored. FileOperation=FALSE ; ------------------------------------------------------------------------------------------------------------------------- ; System Events Learning Settings ; ------------------------------------------------------------------------------------------------------------------------- [LearnOperations] ; This section describes learning channel settings. ; Macroses do not work in this section. ; Operation mask for the learning channel. Available values: ; open exec read write close delete rename start stop Operations=open exec read write close delete rename ; Whether operations with folders are monitored. FolderOperaton=TRUE ; Whether operations with registry are monitored. RegistryOperation=TRUE ; Whether operations with processes are monitored. InterprocOperation=TRUE ; Whether non-file operations are monitored. FileOperation=TRUE ; ------------------------------------------------------------------------------------------------------------------------- ; ImproveNet Settings ; ------------------------------------------------------------------------------------------------------------------------- [ImproveNet] ; This section describes ImproveNet settings. ; URL of the server where improve_net reports are stored URL=http://improvenet.agnitum.com/improvenet.php ; ImproveNet task scheduling settings: ; If ScheduleDay parameter is specified, ImproveNet task will be performed weekly, ; ScheduleDay specifies the number of a day, available values are 0-6 (0 corresponds to Monday). ; If ScheduleHour and ScheduleMinute are not specified, they are considered equal to 0. ScheduleDay= ; If ScheduleHour parameter is specified (without ScheduleDay parameter), ImproveNet task will be performed ; daily, ScheduleHour specifies the number of an hour, available values are 0-23. ; If ScheduleMinute not specified, it is considered equal to 0. ScheduleHour=14 ; If ScheduleMinute parameter is specified (without ScheduleDay and ScheduleHour), ImproveNet task will be ; performed hourly, ScheduleMinute specifies the number of a minute, available values are 0-59. ScheduleMinute=0 ; ScheduleDay, ScheduleHour, ScheduleMinute settings can be specified together, ; for example, if all these parameters are specified, ImproveNet task will be performed weekly on the specified day, ; at the specified time. [HTTPService] ; This section describes HTTP settings used in http_service. ; HTTPVersion parameter specifies version to be used in requests, ; available values are 0.0, 1.0, 1.1 HTTPVersion=1.0 ; AppendProductArg parameter specifies that product name should be added to each request, ; available values are TRUE, FALSE AppendProductArg=FALSE ; AllowCaching parameter enables/disables caching, ; available values are TRUE, FALSE AllowCaching=FALSE ; Proxy parameter defines whether proxy should be used, available ; values are auto, specified, disabled Proxy=auto ; ProxyAddress, ProxyPort parameters are used if Proxy=specified, ; these parameters specify proxy server address and port ProxyAddress= ProxyPort=8080 ; ProxyAuth parameter specifies that proxy requires authorization, availavle values are TRUE, FALSE; ; ProxyLogin, ProxyPassword parameters specify credentials ProxyAuth=false ; ProxyLogin, ProxyPassword parameters specify login and password for the proxy that requires autorization. ProxyLogin= ProxyPassword= ; Number of attempts http_service does when it cannot complete request successfully. ; Minimum value is 3, maximum is 12. FailureAttempts=12 [Protect] ; Protect plug-in state. If FALSE, no configuration in driver. Enable=TRUE ; Maximum number of remote hosts for each attack, after which ; the reports are stopped till report_timeout expiration. MaxReportHost=10 ; Pause before repeated message about the attack for the ; remote host, in hundreds ms. ReportTimeout=6000 ; ------------------------------------------------------------------------------------------------------------------------- ; Critical Objects Monitor Settings ; ------------------------------------------------------------------------------------------------------------------------- [SystemMonitor] ; Main object monitor section. ; This section describes records for monitor. RegAutoStart=Auto Start Entries RegAutoLoad=Auto Start Modules RegWinLogon=WinLogon Settings RegShellExtensions=Shell Extensions RegShellCriticalEntries=Shell Critical Entries RegApplicationRestrictions=Application Restrictions RegActiveDesktop=Active Desktop RegInternetSettings=Internet Settings RegInternetExplorerPlugins=Explorer Plug-Ins RegInternetExplorerSettings=Explorer Settings Reg3rdPartyApplications=Third-Party Applications LegacyConfigurationFiles=Legacy Configuration Files [DefragApp] ; Defragmentation sotfware category. <SystemDir32OrWow>\dfrgntfs.exe [RegShellExtensions] ; Shell Extensions. *->REGISTRY\<MachineCurrentVersion>\Explorer\Browser Helper Objects\*=read *->REGISTRY\<MachineCurrentVersion>\Shell Extensions\Approved\*=read *->REGISTRY\<MachineCurrentVersion>\ShellServiceObjectDelayLoad\*=read *->REGISTRY\<MachineCurrentVersion>\Explorer\RemoteComputer\NameSpace\*=read *->REGISTRY\<CurrentVersionUserMachine3264>\Explorer\SharedTaskScheduler\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\SystemFileAssociations\shellex\ContextMenuHandlers\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Active Setup\Installed Components\*=read <WindowsDir>\explorer.exe->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Active Setup\Installed Components\*=read write [RegShellCriticalEntries] ; Object 'Windows Shell Open Commands' (85)---------- *->REGISTRY\MACHINE\{SoftwareClasses64}\exefile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\comfile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\piffile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\batfile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\cmdfile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\MACHINE\{SoftwareClasses64}\scrfile\shell\{OpenOrRunAs}\command\*=read *->REGISTRY\<CurrentVersionUserMachine3264>\Explorer\ShellExecuteHooks\*=read *->REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\*\LocalServer32\*=read [RegApplicationRestrictions] ; Application restrictions. *->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\*=read *->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\System\*=read *->REGISTRY\<User>\Software\Policies\Microsoft\Internet Explorer\Control Panel\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Policies\Microsoft\Internet Explorer\Restrictions\*=read *->REGISTRY\<MachineCurrentVersion>\Policies\DisableRegistryTools=read ;[ay] not sure why i have to add this rule ;*->REGISTRY=read [RegInternetSettings] ; LSP providers. *->REGISTRY\<MachineServices>\WinSock2\Parameters\*=read *-><SystemDir>\Drivers\Etc\hosts=read no_scan <SystemDir32OrWow>\svchost.exe-><SystemDir>\Drivers\Etc\hosts=read write {DefragApp}-><SystemDir>\Drivers\Etc\hosts=read write [RegActiveDesktop] ; Active Desktop settings. *->REGISTRY\<User>\Control Panel\Desktop\*=read *->REGISTRY\<User>\Control Panel\Desktop\WindowMetrics\*=read write delete *->REGISTRY\<User>\Software\Microsoft\Internet Explorer\Desktop\General\*=read *->REGISTRY\<User>\Software\Microsoft\Internet Explorer\Desktop\Components\*=read <WindowsDir>\explorer.exe->REGISTRY\<User>\Software\Microsoft\Internet Explorer\Desktop\General\*=read write delete [RegInternetExplorerPlugins] ; Internet Explorer Plug-Ins. *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\MenuExt\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Extensions\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Explorer Bars\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Plugins\Extension\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Toolbar\ShellBrowser\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read <WindowsDir>\explorer.exe->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Toolbar\ShellBrowser\*=read write <ProgramDir>\Internet Explorer\iexplore.exe->REGISTRY\{MachineOrUser}\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read write <ProgramDirWow>\Internet Explorer\iexplore.exe->REGISTRY\{MachineOrUser}\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read write <ProgramDir>\Internet Explorer\iexplore.exe->\REGISTRY\{MachineOrUser}\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\*=read write <ProgramDirWow>\Internet Explorer\iexplore.exe->\REGISTRY\{MachineOrUser}\SOFTWARE\Wow6432Node\MICROSOFT\Internet Explorer\Extensions\*=read write <ExecDir>\op_mon.exe->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Extensions\*=read write [RegInternetExplorerSettings] ; Internet Explorer URLs *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Main\Start Page=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\Main\Search Page=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\AboutURLs\*=read *->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\URLSearchHooks\*=read <SystemDir32OrWow>\ie4uinit.exe->REGISTRY\{MachineOrUser}\{Software64}\Microsoft\Internet Explorer\*=read write delete [RegAutoStart] ; Startup Registry Files. *->REGISTRY\<CurrentVersionUserMachine3264>\Run\*=read *->REGISTRY\<CurrentVersionUserMachine3264>\RunOnce\*=read *->REGISTRY\<CurrentVersionUserMachine3264>\RunOnceEx\*=read *->REGISTRY\<CurrentVersionUserMachine3264>\RunServices\*=read *->REGISTRY\<User>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load=read *->REGISTRY\<User>\Software\Microsoft\Windows NT\CurrentVersion\Windows\run\*=read *->REGISTRY\<MachineNTCurrentVersion3264>\Image File Execution Options\*=read *->REGISTRY\<MachineCurrentVersion>\policies\Explorer\Run\*=read ;*->C:\Documents and Settings\*\StartMenu\Programs\Startup\*=read <SystemDir>\ctfmon.exe->REGISTRY\USER\*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe=read write delete <SystemDir>\ctfmon.exe->REGISTRY\USER\*\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe=read write delete <SystemDir>\wermgr.exe->REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LHWerQueuedReporting=read write delete *-><WindowsDir>\Tasks\*=read *-><DriversDir>\*.sys=read exec <ExecDir>\op_mon.exe-><DriversDir>\*.sys=<FullAccess> ; [ay] http://btsx/ticket.aspx?id=15050 *-><WindowsDir>\System\*=read exec delete open_process *-><SystemDir32OrWow>\*=read exec delete open_process *-><SystemDir32OrWow>\config\*=<FullAccess> *-><SystemDir32OrWow>\spool\*=<FullAccess> *-><SystemDir32OrWow>\WBEM\*=<FullAccess> ; [ay] not sure these rules works ; *-><SystemDir32OrWow>\*\*=<FullAccess> ; [ay] http://btsx/ticket.aspx?id=15045 *->REGISTRY\<MachineControl>\Terminal Server\Wds\rdpwd\StartupPrograms=read *->KNOWNDLLS\*=read exec [RegAutoLoad] ; AppInit Dlls. *->REGISTRY\MACHINE\{Software64}\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=read *->REGISTRY\MACHINE\{Software64}\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs=read *->REGISTRY\MACHINE\{Software64}\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib=read ; [ay] http://btsx/ticket.aspx?id=15046 *->REGISTRY\<MachineServices>\SENS\Parameters\ServiceDll=read *->REGISTRY\MACHINE\{Software64}\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger=read [RegWinLogon] ; Windows Logon Policies. *->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\GPExtensions\*=read *->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\Notify\*=read *->REGISTRY\<MachineNTCurrentVersion3264>\WOW\boot\shell=read *->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\Userinit=read *->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\UIHost=read *->REGISTRY\{MachineOrUser}\Software\Policies\Microsoft\Windows\System\Scripts\Logon\*=read *->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell*=read [Reg3rdPartyApplications] ; Critical non-MS application settings. [ProtectedConfigFiles] ; Configuration files protected from modification. <WindowsDir>\win.ini <WindowsDir>\system.ini <SystemRoot>\autoexec.bat <SystemRoot>\config.sys <WindowsDir>\winstart.bat <WindowsDir>\dosstart.bat <SystemDir>\autoexec.nt <SystemDir>\config.nt [LegacyConfigurationFiles] ; Windows win.ini file. *->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\system.ini\*=read *->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\win.ini\*=read *->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\control.ini\*=read *->{ProtectedConfigFiles}=read {DefragApp}->{ProtectedConfigFiles}=read write ; REGISTRY\<MachineServices>\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\* ; REGISTRY\<MachineServices>\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\* ; REGISTRY\<MachineServices>\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\* ; REGISTRY\<MachineServices>\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\* ; Off screen ; ActiveX registration ; Services registration ; Object 'Explorer Trojan' (93)---------- ; Dir: ±:\. Search explorer.exe ; FILE: 'C:\WINDOWS\control.ini' listen 'MMCPL-inetcpl.cpl' section-value. Check data for 'no' value. ; [RestrictAnonymous] ; Windows Restrict Anonymous ; REGISTRY\MACHINE\SYSTEM\ControlSet*\Control\Lsa\restrictanonymous ; [RegActiveSetup] ; Installed Components ; [license] Reseller=samag