You can restrict the running of an Intellisig script to occur only when specific conditions or triggers are met. This restriction enables efficient Intellisigs to be designed. Each Intellisig need not search a file system for specific files. You can instruct the scanner to scan for specific files, registry entries, services or installed packages, and the Intellisig script runs if these conditions are met. The scanner only performs the file system search once, irrespective of the number of file criteria specified.
Note: These triggers are defined in the same way as the traditional signature definitions. Experience in creating traditional signatures using these criteria is a prerequisite.
The types of triggers that can be associated with an Intellisig are as follows:

- File: Supports checking for file presence, specifying criteria for search paths, filename content patterns, file creation and modification date ranges, file size ranges, MD5 hash values, and permissions.
- Registry: Supports checking for registry entries on specific keys, pattern matching of values, and 32-bit and 64-bit hive checks.
- Package: Checks for an installed package, specifying version and release. On Windows, this option checks the Add/Remove Programs database. On UNIX, it checks the installation database of the platform.
- Service: Searches for an installed service or daemon.
- Sysinfo: Supports checking attributes such as the platform, processor, OS release, OS name, and OS version.
Multiple trigger criteria can be specified on an Intellisig, and the triggers can be grouped with logical AND, OR, and NOT operators. The logical operators are defined as groups with a type. The type is and, or, or not, and it defines how the results from the items contained in the group are combined. A group (except a not group) can contain any number of additional trigger criteria, including more groups. A group of type not can only contain a single item, although this single item can itself be another group.
You can specify directories to exclude when defining an Intellisig trigger. The listed directories are skipped when the signature scanner searches the file system for the files specified in file trigger criteria.
When writing a trigger, specify criteria using XML.
Include a top-level group in each trigger. Each group contains a type. The type is either and, or, or not. The type defines the logical operation that is applied to the criteria contained in the group.
<group type="and"> ...<other criteria>... </group>
File criteria are defined with the <file> tag. The file tag supports the following attributes:

- Specifies the file to search for
- Specifies the path to search
- Scans the specified file for a match of the specified pattern
- Compares the MD5 hash of the file with the specified value
- Compares the version of the specified file with the value provided
- Compares the version of the specified file with the value provided
- Compares the file creation date of the specified file with the value provided
- Compares the file creation date of the specified file with the value provided
- Compares the file modification date of the specified file with the value provided
- Compares the file modification date of the specified file with the value provided
- Compares the file size of the specified file with the size value specified
- Compares the file size of the specified file with the size value specified
- Excludes permissions
- Includes permissions
- Specifies the root owner of the file
- Allows ACL
- Denies ACL
- Specifies the architecture of a binary file on the Windows platform
Example:
<group type="and"> <file name="msword.exe" path="*" /> </group>
Registry criteria are specified with the <registry> tag. The registry tag supports the following attributes:

- Specifies the registry key to search
- Specifies the pattern to match against
- Allows ACL
- Denies ACL
- Specifies the behavior on a 64-bit machine. Supported values are 32, 64, and any. On a 64-bit Windows computer, specifying 64 searches only the 64-bit hive for the specified key, and specifying 32 searches only the 32-bit hive. This value is ignored on a 32-bit computer. If the architecture is not specified, the 32 behavior is the default.
Example:
<group type=”and”> <registry name="HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Acrobat\6.0\Language\UI" match="ENU" /> </group>
Package criteria are specified with the <package> tag. The package tag supports the following attributes:

- Specifies the name of the installed product to search for
- Specifies the version of the installed product to search for
Example:
<group type="and"> <package name="DameWare Mini Remote Control" version="6.0.*" /> </group>
Service criteria are specified with the <service> tag. The service tag supports the following attributes:

- Specifies the name of the installed service to search for
- Specifies the path to the installed service (UNIX only)
Example:
<group type="and"> <service name="SNMP"/> </group>
Sysinfo criteria are specified with the <sysinfo> tag. The sysinfo tag supports the following attributes:

- Specifies whether the platform is x86 or x64 on Windows
- Identifies the processor
- Identifies the OS release
- Identifies the OS name
- Identifies the OS version
Example:
<group type="and"> <sysinfo osname="Windows" /> </group>
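The group rules above (nested and/or/not, a not group holding exactly one item) and the criteria tags just described, worked through as an added Python example that is not CA's code: it parses a constructed trigger and evaluates it against a constructed host inventory. How each leaf criterion is matched is simplified to a name lookup plus glob matching of version and match, which is an assumption about the scanner, not its documented behaviour.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed trigger: file present AND (package OR service) AND NOT registry value.
TRIGGER_XML = """<group type="and">
  <file name="msword.exe" path="*"/>
  <group type="or"><package name="DameWare Mini Remote Control" version="6.0.*"/>
                   <service name="SNMP"/></group>
  <group type="not"><registry name="HKEY_LOCAL_MACHINE\\SOFTWARE\\iSigTest\\T1" match="V1"/></group>
</group>"""

# Constructed inventory standing in for what the scanner found on one host.
INVENTORY = {"file": {"msword.exe"}, "service": {"SNMP"},
             "package": {"DameWare Mini Remote Control": "6.0.1"},
             "registry": {"HKEY_LOCAL_MACHINE\\SOFTWARE\\iSigTest\\T1": "V2"}}

def criterion_matches(elem, inv):
    """Evaluate one leaf criterion: name lookup, plus a glob match for version/match (assumed)."""
    if elem.tag in ("file", "service"):
        return elem.get("name") in inv[elem.tag]
    if elem.tag == "package":
        ver = inv["package"].get(elem.get("name"))
        return ver is not None and fnmatch(ver, elem.get("version", "*"))
    if elem.tag == "registry":
        val = inv["registry"].get(elem.get("name"))
        return val is not None and fnmatch(val, elem.get("match", "*"))
    raise ValueError(f"unsupported criterion <{elem.tag}>")

def evaluate_group(group, inv):
    """Combine the children's results according to the group type (and / or / not)."""
    gtype, children = group.get("type"), list(group)
    if gtype == "not" and len(children) != 1:
        raise ValueError("a not group must contain exactly one item")
    results = [evaluate_group(c, inv) if c.tag == "group" else criterion_matches(c, inv)
               for c in children]
    if gtype == "and":
        return all(results)
    if gtype == "or":
        return any(results)
    if gtype == "not":
        return not results[0]
    raise ValueError(f"unknown group type {gtype!r}")

def trigger_fires(xml_text, inv):
    """Parse the trigger XML and evaluate it; the top-level element must be a group."""
    root = ET.fromstring(xml_text)
    if root.tag != "group":
        raise ValueError("a trigger must have a top-level <group>")
    return evaluate_group(root, inv)
```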
When a trigger is satisfied and the Intellisig script is executed, a string is passed to the script defining the criteria that contributed to the triggering of the Intellisig. The trigger is passed to the Intellisig script using the -t flag. The format of the trigger string that is passed to the script depends on the criteria types used in the trigger definition. The following table provides examples of trigger strings for the different trigger criteria types. Where multiple criteria contribute to the running of an Intellisig script, the individual criteria are separated by a | character. An Intellisig script must be able to parse the trigger string to leverage the processing that has already been done during trigger evaluation.
| Criteria type | Trigger example | -t parameter examples |
|---|---|---|
| file | `<group type="and"> <file name="file1.test" path="*" /> </group>` and `<group type="not"> <file name="file1.test" path="*" /> </group>` | Positive trigger: `-t "file:c:\file1.test"`. NOT trigger: `-t "!file:file1.test"`. For the NOT trigger a full path cannot be provided. |
| registry | `<group type="and"> <registry name="HKEY_LOCAL_MACHINE\SOFTWARE\iSigTest\T1" match="V1"/> </group>` and `<group type="not"> <registry name="HKEY_LOCAL_MACHINE\SOFTWARE\iSigTest\T1" match="V1"/> </group>` | Positive trigger: `-t "registry:HKEY_LOCAL_MACHINE\SOFTWARE\iSigTest\T1"`. NOT trigger: `-t "!registry:HKEY_LOCAL_MACHINE\SOFTWARE\iSigTest\T1"` |
| service | `<group type="and"> <service name="DNS Client"/> </group>` and `<group type="not"> <service name="DNS Client"/> </group>` | Positive trigger: `-t "service:DNS Client"`. NOT trigger: `-t "!service:DNS"` |
| sysinfo | `<group type="and"> <sysinfo osname="windows" platform="x86"/> </group>` and `<group type="not"> <sysinfo osname="windows" platform="x86"/> </group>` | Positive trigger: `-t "sysinfo:osname=Windows;platform=x86"`. NOT trigger: `-t "!sysinfo:osname=Linux;platform=x86"` |
| package | `<group type="and"> <package name="CA DSM Explorer"/> </group>` and `<group type="not"> <package name="CA DSM Explorer"/> </group>` | Positive trigger: `-t "package:CA DSM Explorer"`. NOT trigger: `-t "!package:CA DSM Explorer EXTRA123"` |
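Parsing the -t string inside the script, as an added Python example that is not CA's code: it splits the string on `|`, records the `!` prefix that marks a criterion from a not group, and unpacks the `key=value;key=value` form used by sysinfo items. The `Trigger` record and the helper names are this example's own, and the sample string is constructed from the table entries above (with the shell's quotes already removed).

```python
from typing import NamedTuple

class Trigger(NamedTuple):
    kind: str      # file, registry, service, package or sysinfo
    value: str     # text after "kind:" (path, key, service, package or attribute list)
    negated: bool  # True when the item came from a not group ("!" prefix)
    fields: dict   # key=value pairs for sysinfo items, empty for the other kinds

_KINDS = {"file", "registry", "service", "package", "sysinfo"}

def parse_trigger_string(t_arg):
    """Split the value of -t into the individual criteria that contributed to the trigger.

    Items are separated by "|"; a leading "!" marks a criterion from a not group.
    Anything that is not "kind:value" with a known kind is rejected rather than guessed.
    """
    triggers = []
    for item in t_arg.split("|"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        body = item[1:] if negated else item
        kind, sep, value = body.partition(":")
        if not sep or kind not in _KINDS:
            raise ValueError(f"malformed trigger item: {item!r}")
        fields = {}
        if kind == "sysinfo":
            for pair in value.split(";"):
                key, _, val = pair.partition("=")
                fields[key] = val
        triggers.append(Trigger(kind, value, negated, fields))
    return triggers

def fired_files(t_arg):
    """Return only the positively matched file paths, so the script can skip its own search."""
    return [t.value for t in parse_trigger_string(t_arg)
            if t.kind == "file" and not t.negated]

# Constructed -t value combining three contributing criteria.
SAMPLE = ("file:c:\\file1.test|!registry:HKEY_LOCAL_MACHINE\\SOFTWARE\\iSigTest\\T1"
          "|sysinfo:osname=Windows;platform=x86")
```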
Copyright © 2013 CA. All rights reserved.