- Class Services: indicates that this rule belongs to the Services class, i.e. it monitors operations on Windows services (not file operations, which have their own class).
- Id 4001: assigns the ID 4001 to this rule. If the custom signature consists of multiple rules, every one of those rules must use the same ID.
- level 4: assigns the severity level 4 ('High') to this rule. If the custom signature consists of multiple rules, every one of those rules must use the same level.
- Service { Include "Alerter" }: the rule covers the service named "Alerter". To cover several services, add them in this section, one Include line per service.
- time { Include "*" }: this section is currently not used, but it must be present in the rule in exactly this form.
- application { Include "*" }: the rule applies to all processes. To limit it to specific processes, list them here with their full path names.
- user_name { Include "*" }: the rule applies to all users (more precisely, to every security context a process runs under). To limit it to specific user contexts, list them here in the form Local/user or Domain/user. See the paragraph "Mandatory Common Sections" for details.
- directives -c -d service:stop: the rule covers stopping (deactivation) of a service. The switches -c and -d must always be present in the directives section.
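Put together, the sections listed above form the following rule. This is an added example assembled from the section descriptions, not a rule taken from the original page; the surrounding `Rule { ... }` braces are assumed to be the enclosing block syntax, and the second, narrowed variant uses a constructed application path and user name purely for illustration.

```text
Rule {
    Class Services
    Id 4001
    level 4
    Service { Include "Alerter" }
    time { Include "*" }
    application { Include "*" }
    user_name { Include "*" }
    directives -c -d service:stop
}

Rule {
    Class Services
    Id 4001
    level 4
    Service {
        Include "Alerter"
        Include "Messenger"
    }
    time { Include "*" }
    application { Include "C:\Windows\System32\net.exe" }
    user_name { Include "Domain/jdoe" }
    directives -c -d service:stop
}
```

The first rule fires whenever any process, in any user context, stops the Alerter service. The second rule narrows the same event to a specific process path and a specific domain account and adds a second service to the Service section, one Include per line; both rules keep the same Id and level because they belong to the same custom signature, and both keep the unused time section and the mandatory -c -d switches unchanged.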