Application Rule Behavior Question

Discussion in 'Ghost Security Suite (GSS)' started by Disciple, Oct 10, 2005.

Thread Status:
Not open for further replies.
  1. Disciple

    I have been running this through my mind ever since Robyn's thread IE-SPYAD merge, https://www.wilderssecurity.com/showthread.php?t=100089, and would like an answer from the experts. My question is in reference to gottadoit's reply, https://www.wilderssecurity.com/showpost.php?p=572900&postcount=2, this section in particular:

    If an Application Rule group was created for regedit with multiple entries for different calling programs, and the command line parameters for each program were used, would that work? I.e., for IE-Spyad there are 2 command line parameters used, regedit.exe /s ie-ads-uninst.reg and regedit.exe /s ie-ads.reg. So there would be 2 entries for IE-Spyad using the above parameters; then, if other entry/entries for regedit were added and the calling program's parameters added, would RD use those permissions even if they are not first in the Rules list?

    I hope this makes sense to you reading the above; if not, I will do my best to describe the situation better.
     
  2. nick s

    Hi Disciple,

    If I am reading you correctly, the only way to filter events by command line is to create individual application groups, for the same executable, with each having a unique group name and command line statement. It is not possible to assign multiple command line statements to or within one application group.

    Nick
     