Class Files

The following table lists the possible sections of the class Files.

| Section | Values | Notes |
|---|---|---|
| Class | Files | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user-name | user or system account | |
| application | path + application name | |
| files | Files or folders involved in the operation | See Note 1, 2 |
| dest_file | Destination file, if the operation involves source and destination files | This section is optional. See Note 1, 2 |
| directives -c -d | files:create | Create file directly, or move file into directory |
| | files:read | Open the file in Read mode |
| | files:write | Open the file in Write mode |
| | files:execute | Execute file (executing a directory means that this directory will become the current directory) |
| | files:delete | Delete file from a directory, or move it to another directory |
| | files:rename | Rename a file in the same directory; see Note 2 |
| | files:attribute | Change the file attributes. Monitored attributes are “Read-only”, “Hidden”, “Archive” and “System”. The Windows 2000-only attributes “Index”, “Compress” and “Encrypt” are not monitored. |

Note 1

If the section files is used, the path to a monitored folder or file can be the full path or a wildcard. For example, the following are valid path representations:

files { Include "C:\\test\\abc.txt" }

files { Include "*\\test\\abc.txt" }

files { Include "*\\abc.txt" }

If the section dest_file is used, an absolute path cannot be used; a wildcard must be present at the beginning of the path to represent the drive. For example, the following are valid path representations:

dest_file { Include "*\\test\\abc.txt" }

dest_file { Include "*\\abc.txt" }
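
As an added example (not part of the McAfee documentation), the following Python check applies the table's allowed values and the Note 1 path rules to rule sections before they are deployed. It assumes straight double quotes and a single Include per section; the function names and sample lines are constructed for illustration.

```python
import re

# Allowed values, taken from the table on this page.
ID_MIN, ID_MAX = 4000, 7999
LEVELS = {0, 1, 2, 3, 4}
DIRECTIVES = {"files:create", "files:read", "files:write", "files:execute",
              "files:delete", "files:rename", "files:attribute"}

# Section form as written in Note 1: name { Include "path" }
SECTION_RE = re.compile(r'^\s*(files|dest_file)\s*\{\s*Include\s+"([^"]+)"\s*\}\s*$')
DRIVE_RE = re.compile(r'^[A-Za-z]:')

def lint_sections(lines):
    """Check files/dest_file lines against Note 1; return (line_no, message) pairs."""
    problems = []
    for no, line in enumerate(lines, start=1):
        m = SECTION_RE.match(line)
        if m is None:
            problems.append((no, "not a files/dest_file Include section"))
            continue
        section, path = m.groups()
        if section == "dest_file":
            if DRIVE_RE.match(path):
                problems.append((no, "dest_file cannot use an absolute path"))
            elif not path.startswith("*"):
                problems.append((no, "dest_file must begin with a wildcard"))
        elif not DRIVE_RE.match(path) and "*" not in path:
            problems.append((no, "files path is neither a full path nor a wildcard"))
    return problems

def lint_fields(rule_id, level, directives):
    """Check Id, level and directive names against the table's allowed values."""
    problems = []
    if not ID_MIN <= rule_id <= ID_MAX:
        problems.append(f"Id {rule_id} outside {ID_MIN}-{ID_MAX}")
    if level not in LEVELS:
        problems.append(f"level {level} not in 0-4")
    problems += [f"unknown directive {d}" for d in sorted(set(directives) - DIRECTIVES)]
    return problems

# Constructed sample input (not from a real policy).
SAMPLE = [
    r'files { Include "C:\\test\\abc.txt" }',
    r'dest_file { Include "*\\test\\abc.txt" }',
    r'dest_file { Include "C:\\test\\abc.txt" }',
    r'files { Include "test\\abc.txt" }',
]
if __name__ == "__main__":
    print(lint_sections(SAMPLE), lint_fields(8001, 4, ["files:copy"]))
```
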

Note 2

The directive files:rename has a different meaning when combined with section files and section dest_file.

Copyright © 2006 McAfee, Inc. All Rights Reserved.