
  1. <osfirewall>
  2.  
  3. <rulegroup name="protourfiles">
     <!--
       Self-protection list: the product's own on-disk files, under the
       installer-substituted roots WINDIR, WINSYSDIR, VSDATANTDIR and ZLDIR.
       Referenced by ruleset "rs-file-block", which ZLDefaultGroup routes the
       file "write" and "delete" subevents through.
       allow="false" notify="true": presumably deny the operation and raise an
       alert; match="any": presumably a single matching itementry suffices.
       customtext="2002" looks like an id for the alert text; the resource it
       refers to is not in this file.
       NOTE(review): operator="equalnocase" reads as an exact, case-insensitive
       path compare. If so, the bare directory entries below
       ("...\Zonelabs\lib", "...\Zonelabs\plugins", "...\Zonelabs\streamapi")
       cover only the directory object itself, and a file inside them is
       covered only when listed individually. Confirm against the matcher.
     -->
  4.     <ruleentry event="file" match="any" allow="false" notify="true" customtext="2002">
        <!-- log/database files kept under the Windows directory -->
  5.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINDIR\Internet Logs\BACKUP.RDB" />
  6.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINDIR\Internet Logs\IAMDB.RDB" />
  7.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINDIR\Internet Logs\ZALog.txt" />
  8.  
        <!-- WINSYSDIR\Zonelabs: service binaries, engine DLLs, rule/config XML -->
  9.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\ScanningProcess.exe" />       
  10.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\Monitor.exe" />       
  11.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\klif.sys" />       
  12.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\kave.dll" />       
  13.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\FSSync.dll" />       
  14.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\prloader.dll" />       
  15.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\inv.dll" />       
  16.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\appinfo.kli" />       
  17.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\00140FFE.key" />       
  18.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\avsys\000F529D.key" />       
  19.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\av.dll" />
  20.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\boot.dat" />
  21.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\cafix.exe" />
  22.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\camupd.dll" />
  23.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\cerbprovider.pvx" />
  24.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\dbghelp.dll" />
  25.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\imsecure.dll" />
        <!-- directory entry (see the note at the top of this group) -->
  26.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib" />
  27.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\osfwrules.xml" />
        <!-- directory entry (see the note at the top of this group) -->
  28.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\plugins" />
  29.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\qrbase.dll" />
  30.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\qrsrecl.dll" />
  31.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\oemconfig.xml" />
  32.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\safePrograms.xml" />
  33.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\scheduler.dll" />
  34.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\spyware.dat" />
  35.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\srescan.dll" />
  36.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\ssleay32.dll" />
        <!-- directory entry (see the note at the top of this group) -->
  37.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi" />
  38.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsavpro.dll" />
  39.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsdb.dll" />
  40.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsinit.dll" />
  41.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsmon.exe" />
  42.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsruledb.dll" />
  43.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsvault.dll" />
  44.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\ZLCommDB.xml" />
  45.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlparser.dll" />
  46.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlquarantine.dll" />
  47.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlsre.dll" />
  48.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlasdbup.dat" />
  49.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlsrepluginsupd.zip" />
  50.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlsreupd.zip" />
  51.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlqrtdb.dat" />
  52.  
        <!-- updater, plugin host and the individually listed plugin files -->
  53.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vswmi.dll" />
  54.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\fbl.dll" />
  55.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\featuremap.dll" />
  56.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi.config.xml" />
  57.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsmon.config.xml" />
  58.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\updating.dll" />
  59.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\updclient.exe" />
  60.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\vsmondll.dll" />
  61.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\zlupdate.dll" />
  62.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\ZoneAlarm.xml" />
  63.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\zlsvc.zip.dll" />
  64.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\zpy.zip.dll" />
  65.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\pyd\_socket.pyd" />
  66.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\pyd\pyexpat.pyd" />
  67.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\pyd\pyvsinit.pyd" />
  68.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\lib\pyd\signedDll.pyd" />
  69.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\plugins\rpc_server\manifest.xml" />
  70.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\plugins\rpc_server\rpc_server.dll" />
  71.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\plugins\vsmon_plugin\manifest.xml" />
  72.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\plugins\vsmon_plugin\vsmon_plugin.dll" />
  73.  
  74.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi\httpblocker\httpblocker.dll" />
  75.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi\httpblocker\manifest.xml" />
  76.  
  77.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi\imslsp\imslsp.dll" />
  78.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\streamapi\imslsp\manifest.xml" />
  79.  
        <!-- kernel driver, its config, and the engine DLLs installed directly in WINSYSDIR -->
  80.         <itementry param="filename" operator="equalnocase" type="ansi" value="VSDATANTDIR\vsconfig.xml" />
  81.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsdata.dll" />
  82.         <itementry param="filename" operator="equalnocase" type="ansi" value="VSDATANTDIR\vsdatant.sys" />
  83.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsinit.dll" />
  84.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsmonapi.dll" />
  85.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vspubapi.dll" />
  86.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsregexp.dll" />
  87.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsutil.dll" />
  88.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\vsxml.dll" />
  89.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\zlcomm.dll" />
  90.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\zlcommdb.dll" />
  91.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\zpeng24.dll" />
  92.  
        <!-- ZLDIR: user-facing client, panels (.zap), uninstaller, and the repair copies -->
  93.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\alert.zap" />
  94.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\email.zap" />
  95.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\expert.dll" />
  96.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\filter.zap" />
  97.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\firewall.zap" />
  98.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\framewrk.dll" />
  99.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\idlock.zap" />
  100.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\imf_editor.exe" />
  101.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\imsecure.zap" />
  102.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\multiscan.exe" />
  103.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\privacy.zap" />
  104.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\programs.zap" />
  105.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\scan.zap" />
  106.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\scan.zmx" />
  107.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\security.zap" />
  108.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\vsinit.dll" />
  109.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\zatutor.exe" />
  110.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\zauninst.exe" />
  111.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\zlavscan.dll" />
  112.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\zonealarm.exe" />
  113.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\zlclient.exe" />
  114.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\repair\vsdb.dll" />
  115.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\repair\vsinit.dll" />
  116.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\repair\vsmon.exe" />
  117.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\repair\vsruledb.dll" />
  118.         <itementry param="filename" operator="equalnocase" type="ansi" value="ZLDIR\repair\vsutil.dll" />
        <!-- late addition; belongs with the WINSYSDIR\Zonelabs run above -->
  119.         <itementry param="filename" operator="equalnocase" type="ansi" value="WINSYSDIR\Zonelabs\srescan.sys" />
  120.     </ruleentry>
  121. </rulegroup>
  122. <rulegroup name="protourreg">
     <!--
       Self-protection list for the product's registry keys. Referenced by
       ruleset "rs-reg-block", which ZLDefaultGroup routes the registry
       setkey/setvalue/delkey/delvalue/createkey subevents through.
       allow="false" notify="true" / match="any" / customtext="2003" as in
       "protourfiles" above (deny, alert, any single match, alert-text id;
       all presumed from the attribute names).
       Covers: the vendor key and its MiniLog/TrueVector subkeys, one subkey
       per MailSafe quarantined extension, the Registration key, and the
       service keys under "HKCS\..." (HKCS looks like an alias for
       HKLM\SYSTEM\CurrentControlSet, but that expansion is not defined here;
       confirm).
       NOTE(review): with an exact compare, "HKLM\SOFTWARE\Zone Labs\ZoneAlarm"
       itself is not in this list; it is covered only per value name by
       protourreg1..protourreg3 below, and no ruleset in the portion of the
       file visible here references those three groups. Confirm they are
       wired to a ruleset further down.
     -->
  123.     <ruleentry event="registry" match="any" allow="false" notify="true" customtext="2003">
  124.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs" />
  125.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\MiniLog" />
  126.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\TrueVector" />
  127.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\TrueVector\LocalStoreDir" />
  128.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\TrueVector\LogStoreDir" />
        <!-- MailSafe: the parent key plus one subkey per extension -->
  129.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions" />
  130.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.ADE" />
  131.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.ADP" />
  132.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.ASX" />
  133.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.BAS" />
  134.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.BAT" />
  135.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.CHM" />
  136.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.CMD" />
  137.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.COM" />
  138.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.CPL" />
  139.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.CRT" />
  140.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.DBX" />
  141.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.DLL" />
  142.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.EML" />
  143.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.EXE" />
  144.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.HLP" />
  145.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.HTA" />
  146.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.INF" />
  147.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.INS" />
  148.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.ISP" />
  149.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.JS" />
  150.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.JSE" />
  151.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.LNK" />
  152.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MDA" />
  153.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MDB" />
  154.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MDE" />
  155.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MDZ" />
  156.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MHT" />
  157.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MSC" />
  158.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MSI" />
  159.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MSP" />
  160.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.MST" />
  161.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.NCH" />
  162.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.OCX" />
  163.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.PCD" />
  164.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.PIF" />
  165.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.PRF" />
  166.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.RAR" />
  167.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.REG" />
  168.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SCF" />
  169.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SCR" />
  170.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SCT" />
  171.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SHB" />
  172.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SHS" />
  173.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.SYS" />
  174.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.URL" />
  175.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.VB" />
  176.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.VBE" />
  177.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.VBS" />
  178.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.WMS" />
  179.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.WSC" />
  180.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.WSF" />
  181.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.WSH" />
  182.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\MailSafe Extensions\.ZIP" />
  183.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm\Registration" />
        <!-- service keys for the driver (Vsdatant), the service (Vsmon) and srescan;
             Vsdatant lists a "parameters" subkey, Vsmon does not: check whether
             that asymmetry is intended -->
  184.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsdatant" />
  185.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsdatant\enum" />
  186.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsdatant\parameters" />
  187.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsdatant\security" />
  188.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsmon" />
  189.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsmon\enum" />
  190.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\Vsmon\security" />
  191.         <itementry param="key" operator="equalnocase" type="ansi" value="HKCS\Services\srescan" />
  192.     </ruleentry>                                                                            
  193. </rulegroup>
  194.  
  195. <rulegroup name="protourreg1">
     <!--
       Protects a single value, "InstallDirectory", under the ZoneAlarm key.
       match="all": presumably both itementries (key and value name) must
       match for the rule to fire, unlike the match="any" lists above.
       Not referenced by any ruleset in the visible part of this file.
     -->
  196.     <ruleentry event="registry" match="all" allow="false" notify="true" customtext="2003">
  197.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm" />
  198.         <itementry param="value" operator="equalnocase" type="ansi" value="InstallDirectory" />
  199.     </ruleentry>
  200. </rulegroup>
  201.  
  202. <rulegroup name="protourreg2">
     <!--
       Same shape as protourreg1, for the "IntegrityMode" value under the
       ZoneAlarm key (match="all": key and value name must both match,
       presumably). Not referenced by any ruleset in the visible part of
       this file.
     -->
  203.     <ruleentry event="registry" match="all" allow="false" notify="true" customtext="2003">
  204.         <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm" />
  205.         <itementry param="value" operator="equalnocase" type="ansi" value="IntegrityMode" />
  206.     </ruleentry>
  207. </rulegroup>
  208.  
  209. <rulegroup name="protourreg3">
     <!--
       Same shape as protourreg1, for the "AltDir" value under the ZoneAlarm
       key. Not referenced by any ruleset in the visible part of this file.
       Style: this group is indented with 2 spaces while its siblings use 4.
     -->
  210.   <ruleentry event="registry" match="all" allow="false" notify="true" customtext="2003">
  211.     <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Zone Labs\ZoneAlarm" />
  212.     <itementry param="value" operator="equalnocase" type="ansi" value="AltDir" />
  213.   </ruleentry>
  214. </rulegroup>
  215.  
     <!--
       Binds the "ScanningProcess.exe" image to eventgroup "ZLServiceGroup"
       (defined further down; its visible entries are all allow="true").
       The image is identified by an MD5 digest given as four dash-separated
       8-hex-digit groups with type="binary". imagename appears to be the
       bare file name; whether the path is also checked is not visible here.
       NOTE(review): the digest is a pinned identity, so it must be
       regenerated on every rebuild of the binary, and MD5 is no longer
       considered collision-resistant. Treat it as an integrity hint; if a
       signature check also applies to images, it is not expressed in this
       file.
     -->
  216. <imageentry
  217.     imagename="ScanningProcess.exe"
  218.     eventgroupref="ZLServiceGroup">
  219.     <itementry
  220.         param="md5"
  221.         operator="equal"
  222.         type="binary"
  223.         value="81cdf1aa-b2ed1d5d-dafef8d1-f1368782"
  224.     />
  225. </imageentry>
     <!--
       Binds the "Monitor.exe" image to eventgroup "ZLServiceGroup" by MD5
       digest, in the same form as the ScanningProcess.exe entry above
       (four dash-separated 8-hex-digit groups, type="binary").
       The same caveats apply: the digest must track every rebuild of the
       binary, and MD5 is not collision-resistant, so this is an integrity
       hint rather than a strong identity check.
     -->
  226. <imageentry
  227.     imagename="Monitor.exe"
  228.     eventgroupref="ZLServiceGroup">
  229.     <itementry
  230.         param="md5"
  231.         operator="equal"
  232.         type="binary"
  233.         value="23846d4e-bf6d6665-ffb19aa6-c61ea830"
  234.     />
  235. </imageentry>
  236.  
  237.  
        <!--
          Ruleset wrapper for the registry self-protection list; referenced
          by the registry evententries of ZLDefaultGroup below.
          allow="true" here versus allow="false" on the referenced ruleentry:
          presumably the ruleset's value is the outcome when no rule matches
          (i.e. allow unless a protected key is hit). Confirm.
        -->
  238.     <ruleset name="rs-reg-block" allow="true">
  239.         <rulerefentry rulegroupref="protourreg"/>
  240.     </ruleset>
  241.  
        <!--
          Ruleset wrapper for the file self-protection list; referenced by
          the file write/delete evententries of ZLDefaultGroup below.
          allow="true" presumably means allow when no rule in the group
          matches (see rs-reg-block). Confirm.
        -->
  242.     <ruleset name="rs-file-block" allow="true">
  243.         <rulerefentry rulegroupref="protourfiles"/>
  244.     </ruleset>
  245.  
  246.  
        <!--
          Policy applied to processes with no specific assignment
          (default="true"). Each evententry names a class (srcproc = the
          process performing the action, dstproc = the process acted upon,
          presumably), an event/subevent pair, and exactly one of:
          ask="true" (prompt, presumably), allow="true", notify="true",
          or a rulesetref that decides per item.
          weight="00" / allowweightranges="FE-FE" / severityref="suspicious":
          the meaning of the hex weight and the weight ranges is not defined
          in this file (ZLDebug uses FE / 0-FE, ZLServiceGroup E0 /
          0-E0,FE-FE); presumably a trust level and the target levels this
          group may act upon. Confirm before changing.
          NOTE(review): driver load/unload/connect/create/modify/delete and
          physmem map are allow="true" with no prompt, while openprocess and
          terminateprocess prompt. Kernel-driver and physical-memory actions
          from a default-trust process are at least as sensitive as opening
          another process, so confirm this is the intended ordering. Also,
          only file write/delete and registry set/del/create are routed to
          the protection lists; no read subevents are listed here.
        -->
  247.     <eventgroup name="ZLDefaultGroup" description="ZLDefaultGroup" weight="00" allowweightranges="FE-FE" default="true" severityref="suspicious">
          <!-- process/message/execution actions: prompt for the intrusive ones, allow the rest -->
  248.         <evententry class="srcproc" event="process" subevent="openprocess" ask="true" />
  249.         <evententry class="srcproc" event="process" subevent="openthread"  allow="true" />
  250.         <evententry class="srcproc" event="process" subevent="spawnprocess"  allow="true" />
  251.         <evententry class="srcproc" event="process" subevent="startupprocess" ask="true" />
  252.         <evententry class="srcproc" event="process" subevent="terminateprocess" ask="true" />
  253.         <evententry class="srcproc" event="process" subevent="oleconnect" ask="true" />
  254.         <evententry class="srcproc" event="message" subevent="keyboard"  ask="true" />
  255.         <evententry class="srcproc" event="message" subevent="mouse"  ask="true" />
  256.         <evententry class="srcproc" event="message" subevent="dde"  ask="true" />
  257.         <evententry class="srcproc" event="message" subevent="message"  allow="true" />
  258.         <evententry class="srcproc" event="execution" subevent="callback"  allow="true" />
  259.         <evententry class="srcproc" event="execution" subevent="windowshook"  allow="true" />
  260.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
  261.  
          <!-- registry mutations: decided per key by rs-reg-block (protourreg) -->
  262.         <evententry class="srcproc" event="registry" subevent="setkey" rulesetref="rs-reg-block"/>
  263.         <evententry class="srcproc" event="registry" subevent="setvalue" rulesetref="rs-reg-block"/>
  264.         <evententry class="srcproc" event="registry" subevent="delkey" rulesetref="rs-reg-block"/>
  265.         <evententry class="srcproc" event="registry" subevent="delvalue" rulesetref="rs-reg-block"/>
  266.         <evententry class="srcproc" event="registry" subevent="createkey" rulesetref="rs-reg-block"/>
  267.  
          <!-- file mutations: decided per path by rs-file-block (protourfiles) -->
  268.         <evententry class="srcproc" event="file" subevent="write" rulesetref="rs-file-block"/>
  269.         <evententry class="srcproc" event="file" subevent="delete" rulesetref="rs-file-block"/>
  270.  
          <!-- module load is notify-only; driver and physical-memory actions are allowed silently (see note above) -->
  271.         <evententry class="srcproc" event="module" subevent="load" notify="true" />
  272.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  273.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  274.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  275.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  276.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  277.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  278.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
          <!-- as the target of another process's actions, everything is allowed -->
  279.         <evententry class="dstproc" event="process" subevent="openprocess" allow="true" />
  280.         <evententry class="dstproc" event="process" subevent="openthread" allow="true" />
  281.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  282.         <evententry class="dstproc" event="process" subevent="terminateprocess" allow="true" />
  283.         <evententry class="dstproc" event="process" subevent="oleconnect" allow="true" />
  284.         <evententry class="dstproc" event="message" subevent="keyboard" allow="true" />
  285.         <evententry class="dstproc" event="message" subevent="mouse" allow="true" />
  286.         <evententry class="dstproc" event="message" subevent="dde" allow="true" />
  287.         <evententry class="dstproc" event="message" subevent="message" allow="true" />
  288.         <evententry class="dstproc" event="execution" subevent="callback" allow="true" />
  289.         <evententry class="dstproc" event="execution" subevent="windowshook" allow="true" />
  290.     </eventgroup>
  291.  
        <!--
          Permissive group: every evententry is allow="true", including the
          registry and file mutations that ZLDefaultGroup routes through the
          self-protection rulesets. weight="FE" / allowweightranges="0-FE" /
          severityref="dangerous" (meaning of weight fields not defined in
          this file; see ZLDefaultGroup).
          NOTE(review): no imageentry in the visible part of this file
          assigns a process to this group. If it exists only for internal
          debugging, confirm it cannot be selected from a shipped
          configuration; a process in this group can modify the protected
          files and keys without a prompt or alert.
        -->
  292.     <eventgroup name="ZLDebug" description="ZLDebugGroup" weight="FE" allowweightranges="0-FE" severityref="dangerous">
  293.         <evententry class="srcproc" event="process" subevent="openprocess" allow="true" />
  294.         <evententry class="srcproc" event="process" subevent="openthread"  allow="true" />
  295.         <evententry class="srcproc" event="process" subevent="spawnprocess"  allow="true" />
  296.         <evententry class="srcproc" event="process" subevent="startupprocess" allow="true" />
  297.         <evententry class="srcproc" event="process" subevent="terminateprocess" allow="true" />
  298.         <evententry class="srcproc" event="process" subevent="oleconnect" allow="true" />
  299.         <evententry class="srcproc" event="message" subevent="keyboard"  allow="true" />
  300.         <evententry class="srcproc" event="message" subevent="mouse"  allow="true" />
  301.         <evententry class="srcproc" event="message" subevent="dde"  allow="true" />
  302.         <evententry class="srcproc" event="message" subevent="message"  allow="true" />
  303.         <evententry class="srcproc" event="execution" subevent="callback"  allow="true" />
  304.         <evententry class="srcproc" event="execution" subevent="windowshook"  allow="true" />
  305.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
          <!-- unlike ZLDefaultGroup, registry and file mutations bypass the protection rulesets -->
  306.         <evententry class="srcproc" event="registry" subevent="setkey" allow="true" />
  307.         <evententry class="srcproc" event="registry" subevent="setvalue" allow="true" />
  308.         <evententry class="srcproc" event="registry" subevent="delkey" allow="true" />
  309.         <evententry class="srcproc" event="registry" subevent="delvalue" allow="true" />
  310.         <evententry class="srcproc" event="registry" subevent="createkey" allow="true" />
  311.         <evententry class="srcproc" event="file" subevent="write" allow="true" />
  312.         <evententry class="srcproc" event="file" subevent="delete" allow="true" />
  313.         <evententry class="srcproc" event="module" subevent="load" allow="true" />
  314.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  315.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  316.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  317.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  318.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  319.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  320.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
  321.         <evententry class="dstproc" event="process" subevent="openprocess" allow="true" />
  322.         <evententry class="dstproc" event="process" subevent="openthread" allow="true" />
  323.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  324.         <evententry class="dstproc" event="process" subevent="terminateprocess" allow="true" />
  325.         <evententry class="dstproc" event="process" subevent="oleconnect" allow="true" />
  326.         <evententry class="dstproc" event="message" subevent="keyboard" allow="true" />
  327.         <evententry class="dstproc" event="message" subevent="mouse" allow="true" />
  328.         <evententry class="dstproc" event="message" subevent="dde" allow="true" />
  329.         <evententry class="dstproc" event="message" subevent="message" allow="true" />
  330.         <evententry class="dstproc" event="execution" subevent="callback" allow="true" />
  331.         <evententry class="dstproc" event="execution" subevent="windowshook" allow="true" />
  332.     </eventgroup>
  333.  
  339.     <eventgroup name="ZLServiceGroup" description="ZLServiceGroup" weight="E0" allowweightranges="0-E0,FE-FE" severityref="dangerous">
               <!-- Event policy for images bound to ZLServiceGroup: vsmon.exe and userdump.exe in the
                    imageentry section of this file. Group weight E0 with allowweightranges 0-E0 and FE-FE;
                    the semantics of weight ranges are not shown here, presumably a trust level compared
                    against the other party of the event (TODO confirm against the engine documentation).
                    class="srcproc" entries (presumably this image as the acting process): every listed
                    process, message, execution, registry, file, module, driver and physmem subevent is
                    allow="true", with no rulesetref narrowing it.
                    class="dstproc" entries (presumably this image as the target of another process):
                    openprocess, openthread, terminateprocess, oleconnect, all message subevents and the
                    callback/windowshook subevents are allow="false"; only startupprocess is allow="true". -->
  340.         <evententry class="srcproc" event="process" subevent="openprocess" allow="true" />
  341.         <evententry class="srcproc" event="process" subevent="openthread"  allow="true" />
  342.         <evententry class="srcproc" event="process" subevent="spawnprocess"  allow="true" />
  343.         <evententry class="srcproc" event="process" subevent="startupprocess" allow="true" />
  344.         <evententry class="srcproc" event="process" subevent="terminateprocess" allow="true" />
  345.         <evententry class="srcproc" event="process" subevent="oleconnect" allow="true" />
  346.         <evententry class="srcproc" event="message" subevent="keyboard"  allow="true" />
  347.         <evententry class="srcproc" event="message" subevent="mouse"  allow="true" />
  348.         <evententry class="srcproc" event="message" subevent="dde"  allow="true" />
  349.         <evententry class="srcproc" event="message" subevent="message"  allow="true" />
  350.         <evententry class="srcproc" event="execution" subevent="callback"  allow="true" />
  351.         <evententry class="srcproc" event="execution" subevent="windowshook"  allow="true" />
  352.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
  353.         <evententry class="srcproc" event="registry" subevent="setkey" allow="true" />
  354.         <evententry class="srcproc" event="registry" subevent="setvalue" allow="true" />
  355.         <evententry class="srcproc" event="registry" subevent="delkey" allow="true" />
  356.         <evententry class="srcproc" event="registry" subevent="delvalue" allow="true" />
  357.         <evententry class="srcproc" event="registry" subevent="createkey" allow="true" />
  358.         <evententry class="srcproc" event="file" subevent="write" allow="true" />
  359.         <evententry class="srcproc" event="file" subevent="delete" allow="true" />
  360.         <evententry class="srcproc" event="module" subevent="load" allow="true" />
  361.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  362.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  363.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  364.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  365.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  366.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  367.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
               <!-- Target-side protection of the service process: everything below is denied except
                    startupprocess. -->
  368.         <evententry class="dstproc" event="process" subevent="openprocess" allow="false" />
  369.         <evententry class="dstproc" event="process" subevent="openthread" allow="false" />
  370.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  371.         <evententry class="dstproc" event="process" subevent="terminateprocess" allow="false" />
  372.         <evententry class="dstproc" event="process" subevent="oleconnect" allow="false" />
  373.         <evententry class="dstproc" event="message" subevent="keyboard" allow="false" />
  374.         <evententry class="dstproc" event="message" subevent="mouse" allow="false" />
  375.         <evententry class="dstproc" event="message" subevent="dde" allow="false" />
  376.         <evententry class="dstproc" event="message" subevent="message" allow="false" />
  377.         <evententry class="dstproc" event="execution" subevent="callback" allow="false" />
  378.         <evententry class="dstproc" event="execution" subevent="windowshook" allow="false" />
  379.     </eventgroup>
  375.  
  376.     <eventgroup name="ZLClientGroup" description="ZLClientGroup" weight="66" allowweightranges="0-66,FE-FE" severityref="dangerous">
               <!-- Event policy for the user-facing ZoneLabs images bound below: iclient.exe, zlclient.exe
                    and updclient.exe. The entry list is identical to ZLServiceGroup; only the group weight
                    (66) and allowweightranges (0-66, FE-FE) differ. As in ZLServiceGroup, every srcproc
                    subevent is allow="true" and every dstproc subevent is allow="false" except
                    startupprocess. If one list is changed, check whether the other should follow. -->
  377.         <evententry class="srcproc" event="process" subevent="openprocess" allow="true" />
  378.         <evententry class="srcproc" event="process" subevent="openthread"  allow="true" />
  379.         <evententry class="srcproc" event="process" subevent="spawnprocess"  allow="true" />
  380.         <evententry class="srcproc" event="process" subevent="startupprocess" allow="true" />
  381.         <evententry class="srcproc" event="process" subevent="terminateprocess" allow="true" />
  382.         <evententry class="srcproc" event="process" subevent="oleconnect" allow="true" />
  383.         <evententry class="srcproc" event="message" subevent="keyboard"  allow="true" />
  384.         <evententry class="srcproc" event="message" subevent="mouse"  allow="true" />
  385.         <evententry class="srcproc" event="message" subevent="dde"  allow="true" />
  386.         <evententry class="srcproc" event="message" subevent="message"  allow="true" />
  387.         <evententry class="srcproc" event="execution" subevent="callback"  allow="true" />
  388.         <evententry class="srcproc" event="execution" subevent="windowshook"  allow="true" />
  389.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
  390.         <evententry class="srcproc" event="registry" subevent="setkey" allow="true" />
  391.         <evententry class="srcproc" event="registry" subevent="setvalue" allow="true" />
  392.         <evententry class="srcproc" event="registry" subevent="delkey" allow="true" />
  393.         <evententry class="srcproc" event="registry" subevent="delvalue" allow="true" />
  394.         <evententry class="srcproc" event="registry" subevent="createkey" allow="true" />
  395.         <evententry class="srcproc" event="file" subevent="write" allow="true" />
  396.         <evententry class="srcproc" event="file" subevent="delete" allow="true" />
  397.         <evententry class="srcproc" event="module" subevent="load" allow="true" />
  398.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  399.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  400.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  401.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  402.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  403.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  404.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
               <!-- Target-side protection of the client process: denied except startupprocess. -->
  405.         <evententry class="dstproc" event="process" subevent="openprocess" allow="false" />
  406.         <evententry class="dstproc" event="process" subevent="openthread" allow="false" />
  407.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  408.         <evententry class="dstproc" event="process" subevent="terminateprocess" allow="false" />
  409.         <evententry class="dstproc" event="process" subevent="oleconnect" allow="false" />
  410.         <evententry class="dstproc" event="message" subevent="keyboard" allow="false" />
  411.         <evententry class="dstproc" event="message" subevent="mouse" allow="false" />
  412.         <evententry class="dstproc" event="message" subevent="dde" allow="false" />
  413.         <evententry class="dstproc" event="message" subevent="message" allow="false" />
  414.         <evententry class="dstproc" event="execution" subevent="callback" allow="false" />
  415.         <evententry class="dstproc" event="execution" subevent="windowshook" allow="false" />
  416.     </eventgroup>
  417.     <eventgroup name="ZLSignedApps" description="ZLSignedApps" weight="65" allowweightranges="0-66,FE-FE" severityref="dangerous">
               <!-- Same entry list as ZLClientGroup, with weight 65 and allowweightranges 0-66, FE-FE.
                    No imageentry in this part of the file references ZLSignedApps; presumably it is bound
                    elsewhere (TODO confirm where, and by what criterion).
                    NOTE(review): unlike ZLServiceGroup and ZLClientGroup, the group's own weight (65)
                    is below the top of its allow range (66); confirm that is intentional. -->
  418.         <evententry class="srcproc" event="process" subevent="openprocess" allow="true" />
  419.         <evententry class="srcproc" event="process" subevent="openthread"  allow="true" />
  420.         <evententry class="srcproc" event="process" subevent="spawnprocess"  allow="true" />
  421.         <evententry class="srcproc" event="process" subevent="startupprocess" allow="true" />
  422.         <evententry class="srcproc" event="process" subevent="terminateprocess" allow="true" />
  423.         <evententry class="srcproc" event="process" subevent="oleconnect" allow="true" />
  424.         <evententry class="srcproc" event="message" subevent="keyboard"  allow="true" />
  425.         <evententry class="srcproc" event="message" subevent="mouse"  allow="true" />
  426.         <evententry class="srcproc" event="message" subevent="dde"  allow="true" />
  427.         <evententry class="srcproc" event="message" subevent="message"  allow="true" />
  428.         <evententry class="srcproc" event="execution" subevent="callback"  allow="true" />
  429.         <evententry class="srcproc" event="execution" subevent="windowshook"  allow="true" />
  430.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
  431.         <evententry class="srcproc" event="registry" subevent="setkey" allow="true" />
  432.         <evententry class="srcproc" event="registry" subevent="setvalue" allow="true" />
  433.         <evententry class="srcproc" event="registry" subevent="delkey" allow="true" />
  434.         <evententry class="srcproc" event="registry" subevent="delvalue" allow="true" />
  435.         <evententry class="srcproc" event="registry" subevent="createkey" allow="true" />
  436.         <evententry class="srcproc" event="file" subevent="write" allow="true" />
  437.         <evententry class="srcproc" event="file" subevent="delete" allow="true" />
  438.         <evententry class="srcproc" event="module" subevent="load" allow="true" />
  439.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  440.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  441.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  442.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  443.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  444.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  445.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
               <!-- Target-side protection: denied except startupprocess. -->
  446.         <evententry class="dstproc" event="process" subevent="openprocess" allow="false" />
  447.         <evententry class="dstproc" event="process" subevent="openthread" allow="false" />
  448.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  449.         <evententry class="dstproc" event="process" subevent="terminateprocess" allow="false" />
  450.         <evententry class="dstproc" event="process" subevent="oleconnect" allow="false" />
  451.         <evententry class="dstproc" event="message" subevent="keyboard" allow="false" />
  452.         <evententry class="dstproc" event="message" subevent="mouse" allow="false" />
  453.         <evententry class="dstproc" event="message" subevent="dde" allow="false" />
  454.         <evententry class="dstproc" event="message" subevent="message" allow="false" />
  455.         <evententry class="dstproc" event="execution" subevent="callback" allow="false" />
  456.         <evententry class="dstproc" event="execution" subevent="windowshook" allow="false" />
  457.     </eventgroup>
  458.     <eventgroup name="sys-level3" description="sys-level3" weight="66" allowweightranges="0-69,FE-FE" severityref="dangerous" trustDisplay="super">
               <!-- Event policy for core OS processes bound below: csrss.exe and lsass.exe, which are
                    matched by path (WINSYSDIR\...) rather than by md5 like the ZoneLabs images.
                    Group weight 66, allowweightranges 0-69 and FE-FE, trustDisplay="super".
                    Differences from the ZL* groups above:
                    - the first twelve srcproc entries carry their own weight="E1"; presumably this
                      overrides the group weight for those subevents (TODO confirm precedence);
                    - registry, file and module-load subevents are not allowed outright but delegate
                      to rulesetref="rs-reg-allow", rulesetref="rs-files-allow" and
                      rulegroupref="rg-modld-ok", which are defined elsewhere in this file, not in this
                      section; a dangling reference would presumably leave the subevent without a
                      policy, so keep those names in sync when renaming;
                    - driver load/unload/connect/create/modify/delete and physmem map stay allow="true";
                    - most dstproc entries are ask="true" instead of allow="false". -->
  459.  
  460.         <evententry class="srcproc" event="process" subevent="openprocess"  weight="E1" allow="true" />
  461.         <evententry class="srcproc" event="process" subevent="openthread"  weight="E1" allow="true" />
  462.         <evententry class="srcproc" event="process" subevent="spawnprocess"  weight="E1" allow="true" />
  463.         <evententry class="srcproc" event="process" subevent="startupprocess"   weight="E1" allow="true" />
  464.         <evententry class="srcproc" event="process" subevent="terminateprocess"  weight="E1" allow="true" />
  465.         <evententry class="srcproc" event="process" subevent="oleconnect"  weight="E1" allow="true" />
  466.         <evententry class="srcproc" event="message" subevent="keyboard"  weight="E1" allow="true" />
  467.         <evententry class="srcproc" event="message" subevent="mouse"  weight="E1" allow="true" />
  468.         <evententry class="srcproc" event="message" subevent="dde"  weight="E1" allow="true" />
  469.         <evententry class="srcproc" event="message" subevent="message"  weight="E1" allow="true" />
  470.         <evententry class="srcproc" event="execution" subevent="callback"  weight="E1" allow="true" />
  471.         <evententry class="srcproc" event="execution" subevent="windowshook"  weight="E1" allow="true" />
  472.  
               <!-- Entries from here on use the group weight (no per-entry weight attribute). -->
  473.         <evententry class="srcproc" event="execution" subevent="globalwindowshook"  allow="true" />
  474.         <evententry class="srcproc" event="registry" subevent="setvalue" rulesetref="rs-reg-allow" />
  475.         <evententry class="srcproc" event="registry" subevent="setkey" rulesetref="rs-reg-allow" />
  476.         <evententry class="srcproc" event="registry" subevent="delvalue" rulesetref="rs-reg-allow" />
  477.         <evententry class="srcproc" event="registry" subevent="delkey" rulesetref="rs-reg-allow" />
  478.         <evententry class="srcproc" event="registry" subevent="createkey" rulesetref="rs-reg-allow" />
  479.         <evententry class="srcproc" event="file" subevent="write" rulesetref="rs-files-allow" />
  480.         <evententry class="srcproc" event="file" subevent="delete" rulesetref="rs-files-allow" />
  481.         <evententry class="srcproc" event="module" subevent="load" rulegroupref="rg-modld-ok" />
  482.         <evententry class="srcproc" event="driver" subevent="load" allow="true" />
  483.         <evententry class="srcproc" event="driver" subevent="unload" allow="true" />
  484.         <evententry class="srcproc" event="driver" subevent="connect" allow="true" />
  485.         <evententry class="srcproc" event="driver" subevent="create" allow="true" />
  486.         <evententry class="srcproc" event="driver" subevent="modify" allow="true" />
  487.         <evententry class="srcproc" event="driver" subevent="delete" allow="true" />
  488.         <evententry class="srcproc" event="physmem" subevent="map" allow="true" />
  489.  
               <!-- Target-side policy for csrss/lsass. ask="true" presumably defers the decision to the
                    user instead of deciding silently (TODO confirm). Only startupprocess and the mouse
                    message subevent are allow="true" outright.
                    NOTE(review): mouse is allowed while keyboard, dde and message are ask; confirm the
                    asymmetry is intended. -->
  490.         <evententry class="dstproc" event="process" subevent="openprocess" ask="true" />
  491.         <evententry class="dstproc" event="process" subevent="openthread" ask="true" />
  492.         <evententry class="dstproc" event="process" subevent="startupprocess" allow="true" />
  493.         <evententry class="dstproc" event="process" subevent="terminateprocess" ask="true" />
  494.         <evententry class="dstproc" event="process" subevent="oleconnect" ask="true" />
  495.         <evententry class="dstproc" event="message" subevent="keyboard" ask="true" />
  496.         <evententry class="dstproc" event="message" subevent="mouse" allow="true" />
  497.         <evententry class="dstproc" event="message" subevent="dde" ask="true" />
  498.         <evententry class="dstproc" event="message" subevent="message"  ask="true" />
  499.         <evententry class="dstproc" event="execution" subevent="callback" ask="true" />
  500.         <evententry class="dstproc" event="execution" subevent="windowshook" ask="true" />
  501.  
  502.     </eventgroup>
  503.  
<!-- Image bindings for the ZoneLabs binaries. Each image is identified by md5 (param="md5",
     type="binary", operator="equal") and mapped via eventgroupref to an eventgroup defined above:
     iclient.exe, zlclient.exe and updclient.exe to ZLClientGroup; vsmon.exe and userdump.exe to
     ZLServiceGroup. Presumably a same-named file whose digest differs does not receive the group's
     policy (TODO confirm), so these values must be refreshed whenever the binaries are rebuilt.
     NOTE(review): md5 is no longer collision resistant; if the engine accepts a stronger digest
     for this param, prefer it. -->
  504.     <imageentry
  505.         imagename="iclient.exe"
  506.         eventgroupref="ZLClientGroup">
  507.         <itementry
  508.             param="md5"
  509.             operator="equal"
  510.             type="binary"
  511.             value="43fbddce-e66aa62c-af54ecd6-9c64b15d"
  512.         />
  513.     </imageentry>
  514.     <imageentry
  515.         imagename="zlclient.exe"
  516.         eventgroupref="ZLClientGroup">
  517.         <itementry
  518.             param="md5"
  519.             operator="equal"
  520.             type="binary"
  521.             value="3e1731c5-5f77d150-791d4c7e-87ad4e5c"
  522.         />
  523.     </imageentry>
  524.     <imageentry
  525.         imagename="vsmon.exe"
  526.         eventgroupref="ZLServiceGroup">
  527.         <itementry
  528.             param="md5"
  529.             operator="equal"
  530.             type="binary"
  531.             value="de716616-65a86a23-05918e8b-91acedb9"
  532.         />
  533.     </imageentry>
  534.     <imageentry
  535.         imagename="updclient.exe"
  536.         eventgroupref="ZLClientGroup">
  537.         <itementry
  538.             param="md5"
  539.             operator="equal"
  540.             type="binary"
  541.             value="9aa2cea5-c63143fb-dcc93537-1dce00a1"
  542.         />
  543.     </imageentry>
  544.     <imageentry
  545.         imagename="userdump.exe"
  546.         eventgroupref="ZLServiceGroup">
  547.         <itementry
  548.             param="md5"
  549.             operator="equal"
  550.             type="binary"
  551.             value="065b463f-6ed0b195-027ed99c-0c3b3250"
  552.         />
  553.     </imageentry>
  554.     <imageentry
  555.         imagename="csrss.exe"
  556.         eventgroupref="sys-level3">
  557.         <itementry
  558.             param="path"
  559.             operator="equalnocase"
  560.             type="ansi"
  561.             value="WINSYSDIR\csrss.exe"
  562.         />
  563.     </imageentry>
  564.         <imageentry
  565.             imagename="lsass.exe"
  566.             eventgroupref="sys-level3">
  567.             <itementry
  568.                 param="path"
  569.                 operator="equalnocase"
  570.                 type="ansi"
  571.                 value="WINSYSDIR\lsass.exe"
  572.             />
  573.     </imageentry>
  574.     <imageentry 
  575.         imagename="umdh.exe" 
  576.         eventgroupref="ZLDebug">
  577.         <itementry 
  578.             param="md5" 
  579.             operator="equal" 
  580.             type="binary" 
  581.             value="f7501800-45b7d5fb-849143b5-c4f4071d" 
  582.         /> 
  583.     </imageentry>
  584.     <imageentry 
  585.         imagename="umdh.exe" 
  586.         eventgroupref="ZLDebug">
  587.         <itementry 
  588.             param="md5" 
  589.             operator="equal" 
  590.             type="binary" 
  591.             value="2D62A217-5AFEC25C-B020CE2D-B63DC25D" 
  592.         /> 
  593.     </imageentry>
  594.     <imageentry 
  595.         imagename="umdh.exe" 
  596.         eventgroupref="ZLDebug">
  597.         <itementry 
  598.             param="md5" 
  599.             operator="equal" 
  600.             type="binary" 
  601.             value="F51A70B3-1EEA2849-97010B6F-F750455D"
  602.         /> 
  603.     </imageentry>
  604.     <imageentry 
  605.         imagename="umdh.exe" 
  606.         eventgroupref="ZLDebug">
  607.         <itementry 
  608.             param="md5" 
  609.             operator="equal" 
  610.             type="binary" 
  611.             value="94C8F0B5-5BAB646E-DE45AE5C-9C2DDF8D"
  612.         /> 
  613.     </imageentry>
  614.  
  615. </osfirewall>
  616.