Cmd line


Reve_Etrange
November 22nd, 2005, 06:16 AM
Regarding the command line, I've read it is included in the rule, so does it mean that every single switch and argument combination requires a rule? Or can you accept any switch/argument? Can you disallow an exe unless there are specific arguments? Can you allow an exe unless there's a specific switch you don't want to see?

-RE

nick s
November 22nd, 2005, 11:08 PM
Hi Reve_Etrange,

-{ Quote: "Regarding the command line, I've read it is included in the rule, so does it mean that every single switch and argument combination require a rule? Or can you accept any switch/argument?" }-
Like RegDefend, there will be a unique rule for each executable+parameter combination.

-{ Quote: "Can you disallow an exe unless there are specific argument?" }-
With the next public beta, Jason will probably include command-line filtering for rundll32.exe and svchost.exe. In my tests today with filtering rundll32.exe, I restricted rundll32.exe to only Display Properties by creating an Allow rule specifying "c:\windows\system32\rundll32.exe" /d g:\windows\system32\shell32.dll,control_rundll desk.cpl followed by a second rule for rundll32.exe with no parameters and set to Block execution.

-{ Quote: "Can you allow an exe unless there's a specific switch you don't want to see?" }-
Yes, by creating a rule with that parameter, and setting it to Block execution. If you follow that with a rule for the same executable with no parameters, and set it to Allow execution, everything else will be permitted.

Hope that makes sense.

Nick
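
To make the rule ordering described above concrete, the following is an added Python model of first-match command-line filtering. It is not the product's own code and was not posted in this thread. It takes from the post that rules are checked top to bottom with the first match deciding, and that a rule for an executable with no parameters acts as the catch-all for any invocation of that executable; it additionally assumes (my assumption, not stated in the thread) that executable paths and parameters compare case-insensitively as Windows paths do, and that an invocation matching no rule at all returns None so the caller can apply its own default. The sample rules are the two rule sets from the post; the other command lines are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    exe: str      # full path of the executable
    params: str   # exact command-line parameters; "" = catch-all for this exe
    action: str   # "allow" or "block"


def _norm(text: str) -> str:
    # Assumption: paths and parameters are compared case-insensitively,
    # with surrounding whitespace ignored (Windows path semantics).
    return " ".join(text.strip().lower().split())


def evaluate(rules: Sequence[Rule], exe: str, params: str) -> Optional[str]:
    """Return the action of the first rule matching exe+params, or None.

    Rules are tried in list order. A rule with empty params matches any
    invocation of that executable, so it must come *after* any specific
    rule for the same executable or it will shadow it.
    """
    exe_n, params_n = _norm(exe), _norm(params)
    for rule in rules:
        if _norm(rule.exe) != exe_n:
            continue
        if rule.params == "" or _norm(rule.params) == params_n:
            return rule.action
    return None


RUNDLL = r"c:\windows\system32\rundll32.exe"
DESK = r"/d g:\windows\system32\shell32.dll,control_rundll desk.cpl"

# Scenario 1 from the post: allow only Display Properties, block all other
# uses of rundll32.exe. Specific Allow first, catch-all Block second.
LOCKDOWN = [
    Rule(RUNDLL, DESK, "allow"),
    Rule(RUNDLL, "", "block"),
]

# Scenario 2 from the post: block one unwanted parameter string, permit
# everything else. Specific Block first, catch-all Allow second.
UNWANTED = r"c:\temp\sample.dll,SomeEntryPoint"   # constructed example
PERMISSIVE = [
    Rule(RUNDLL, UNWANTED, "block"),
    Rule(RUNDLL, "", "allow"),
]


def lockdown_decisions() -> dict:
    """Decisions under the lockdown rule set for a few constructed invocations."""
    return {
        "display_properties": evaluate(LOCKDOWN, RUNDLL, DESK),
        "display_properties_mixed_case": evaluate(LOCKDOWN, RUNDLL.upper(), DESK),
        "other_dll": evaluate(LOCKDOWN, RUNDLL, UNWANTED),
        "no_params": evaluate(LOCKDOWN, RUNDLL, ""),
        "unrelated_exe": evaluate(LOCKDOWN, r"c:\windows\notepad.exe", ""),
    }


def permissive_decisions() -> dict:
    """Decisions under the permissive rule set."""
    return {
        "unwanted": evaluate(PERMISSIVE, RUNDLL, UNWANTED),
        "display_properties": evaluate(PERMISSIVE, RUNDLL, DESK),
        "no_params": evaluate(PERMISSIVE, RUNDLL, ""),
    }


def misordered_lockdown() -> Optional[str]:
    """Show why order matters: catch-all Block placed first shadows the Allow."""
    reversed_rules = list(reversed(LOCKDOWN))
    return evaluate(reversed_rules, RUNDLL, DESK)


if __name__ == "__main__":
    for name, result in {**lockdown_decisions(), **permissive_decisions()}.items():
        print(f"{name:32s} -> {result}")
    print(f"{'misordered display_properties':32s} -> {misordered_lockdown()}")
```

The last function is the check worth keeping in mind when writing these rules: because the no-parameter rule is a catch-all, putting it ahead of the specific rule makes the specific rule unreachable, so the Display Properties invocation is blocked even though an Allow rule for it exists.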

Defenestration
November 23rd, 2005, 04:25 AM
Will it be possible to use wildcards (i.e. ? and *, like in RegDefend rules) for AD rules?

Reve_Etrange
November 23rd, 2005, 04:46 AM
TY for your answer nick_s.
Wildcards would be very useful indeed.

-RE