Class Files
The following table lists the possible sections of the class Files.
| Section | Values | Notes |
|---|---|---|
| Class | Files | |
| Id | 4000 - 7999 | |
| level | 0, 1, 2, 3, 4 | |
| time | * | |
| user_name | user or system account | |
| application | path + application name | |
| files | Files or folders involved in the operation | See Note 1, 2 |
| dest_file | Destination file, if the operation involves source and destination files | This section is optional. See Note 1, 2 |
| directives -c -d | files:create | Create a file directly, or move a file into a directory |
| | files:read | Open the file in Read mode |
| | files:write | Open the file in Write mode |
| | files:execute | Execute a file (executing a directory means that this directory becomes the current directory) |
| | files:delete | Delete a file from a directory, or move it to another directory |
| | files:rename | Rename a file within the same directory; see Note 2 |
| | files:attribute | Change the file attributes. Monitored attributes are "Read-only", "Hidden", "Archive" and "System". The Windows 2000-only attributes "Index", "Compress" and "Encrypt" are not monitored. |
Note 1
If the section files is used, the path to a monitored folder or file can be either a full path or a path containing a wildcard. For example, the following are valid path representations:
files { Include "C:\\test\\abc.txt" }
files { Include "*\\test\\abc.txt" }
files { Include "*\\abc.txt" }
If the section dest_file is used, an absolute path cannot be used: the path must begin with a wildcard, which stands for the drive. For example, the following are valid path representations:
dest_file { Include "*\\test\\abc.txt" }
dest_file { Include "*\\abc.txt" }
Note 2
The directive files:rename has a different meaning depending on whether it is combined with section files or with section dest_file.
- When combined with section files, it means that renaming of the file named in section files is monitored. For example, the following rule monitors renaming of the file C:\test\abc.txt to any other name:
Rule {
Class Files
Id 4001
level 1
files { Include "C:\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:rename
}
- When combined with section dest_file, it means that no file can be renamed to the file named in section dest_file. For example, the following rule monitors renaming of any file to C:\test\abc.txt:
Rule {
Class Files
Id 4001
level 1
dest_file { Include "*\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:rename
}
The section files is not mandatory when the section dest_file is used. If both files and dest_file are present in a rule, both sections must match the operation.
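To make the matching semantics of Note 1, Note 2 and the paragraph above concrete, here is a small Python model, added here and not McAfee code, that parses rules written in this Rule { ... } syntax and evaluates file operations against them. The text for Ids 4001 and 4002 repeats the two Note 2 examples; Id 4003, the FileEvent type, the user and application values, and the treatment of * as a match-anything wildcard are assumptions made for this example, and the product's own matching engine is not claimed to work exactly this way.

```python
import re
from dataclasses import dataclass

# Constructed rule text in the page's Rule { ... } syntax. Ids 4001 and 4002 are the
# two Note 2 examples; 4003 is an assumed rule that names both files and dest_file.
RULES_TEXT = r'''
Rule {
Class Files
Id 4001
level 1
files { Include "C:\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:rename
}
Rule {
Class Files
Id 4002
level 1
dest_file { Include "*\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:rename
}
Rule {
Class Files
Id 4003
level 2
files { Include "C:\\staging\\abc.txt" }
dest_file { Include "*\\test\\abc.txt" }
time { Include "*" }
application { Include "*" }
user_name { Include "*" }
directives -c -d files:rename
}
'''
RULE_RE = re.compile(r'Rule\s*\{(.*?)^\}', re.S | re.M)
SECTION_RE = re.compile(r'^(\w+)\s*\{\s*Include\s*"([^"]*)"\s*\}$')

@dataclass
class Rule:
    id: int
    directives: set      # e.g. {'files:rename'}
    sections: dict       # section name -> path pattern with '\\' unescaped

@dataclass
class FileEvent:                 # assumed event shape, not a product type
    operation: str               # e.g. 'files:rename'
    path: str                    # file the operation acts on (checked by files)
    dest: 'str | None' = None    # destination of a rename (checked by dest_file)
    user: str = 'SYSTEM'
    application: str = r'C:\Windows\explorer.exe'

def pattern_to_regex(pattern: str) -> re.Pattern:
    # '*' matches any run of characters; the rest is literal and case-insensitive.
    return re.compile('.*'.join(re.escape(p) for p in pattern.split('*')), re.I)

def validate(rule: Rule) -> None:
    # Constraints from the table (Id range) and from Note 1 (dest_file path form).
    if not 4000 <= rule.id <= 7999:
        raise ValueError(f'Id {rule.id} outside 4000-7999')
    if not rule.sections.keys() & {'files', 'dest_file'}:
        raise ValueError('rule needs a files or dest_file section')
    dest = rule.sections.get('dest_file')
    if dest is not None and not dest.startswith('*'):
        raise ValueError('dest_file must begin with a wildcard standing for the drive')

def parse_rules(text: str) -> list:
    rules = []
    for body in RULE_RE.findall(text):
        f = {'sections': {}, 'directives': set()}
        for line in (raw.strip() for raw in body.splitlines()):
            m = SECTION_RE.match(line)
            if m:
                f['sections'][m.group(1)] = m.group(2).replace('\\\\', '\\')
            elif line.startswith('directives'):
                f['directives'] = {t for t in line.split()[1:] if t.startswith('files:')}
            elif line.startswith(('Id ', 'level ')):
                f[line.split()[0].lower()] = int(line.split()[1])
        rule = Rule(f['id'], f['directives'], f['sections'])
        validate(rule)
        rules.append(rule)
    return rules

def rule_matches(rule: Rule, ev: FileEvent) -> bool:
    if ev.operation not in rule.directives:
        return False
    # Every section the rule names must match the event (Note 2 and the closing
    # paragraph); dest_file can never match an event that has no destination.
    subject = {'files': ev.path, 'dest_file': ev.dest,
               'user_name': ev.user, 'application': ev.application}
    for name, pat in rule.sections.items():
        if name == 'time':       # time windows are not modelled here
            continue
        value = subject.get(name)
        if value is None or not pattern_to_regex(pat).fullmatch(value):
            return False
    return True

def matching_ids(rules: list, ev: FileEvent) -> list:
    return sorted(r.id for r in rules if rule_matches(r, ev))

RULES = parse_rules(RULES_TEXT)
```

With these rules, renaming C:\test\abc.txt to C:\test\xyz.txt fires 4001 only, renaming any file to a \test\abc.txt on any drive fires 4002, and 4003 fires only when the source is C:\staging\abc.txt and the destination is \test\abc.txt, since a rule with both sections needs both to match. A dest_file pattern that starts with a drive letter instead of a wildcard is rejected by validate() before it can silently match nothing.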
Copyright © 2006 McAfee, Inc. All Rights Reserved.