Application Rule Behavior Question

Discussion in 'Ghost Security Suite (GSS)' started by Disciple, Oct 10, 2005.

Thread Status:
Not open for further replies.
  1. Disciple

    Disciple Registered Member

    I have been running this through my mind ever since Robyn's thread IE-SPYAD merge, https://www.wilderssecurity.com/showthread.php?t=100089, and would like an answer from the experts. My question is in reference to gottadoit's reply, https://www.wilderssecurity.com/showpost.php?p=572900&postcount=2, this section in particular:

    If an Application Rule group was created for regedit with multiple entries for different calling programs, and the command line parameters for each program were used, would that work? For example, for IE-Spyad there are 2 command line parameters used, regedit.exe /s ie-ads-uninst.reg and regedit.exe /s ie-ads.reg. So there would be 2 entries for IE-Spyad using the above parameters; then, if other entry/entries for regedit were added and the calling program's parameters added, would RD use those permissions even if they are not first in the Rules list?

    I hope this makes sense to you reading the above, if not I will do my best to describe the situation better.
     
  2. nick s

    nick s Registered Member

    Hi Disciple,

    If I am reading you correctly, the only way to filter events by command line is to create individual application groups, for the same executable, with each having a unique group name and command line statement. It is not possible to assign multiple command line statements to or within one application group.

    Nick
     