Application Rule Behavior Question

I have been running this through my mind ever since Robyn's thread IE-SPYAD merge, https://www.wilderssecurity.com/showthread.php?t=100089, and would like an answer from the experts. My question is in reference to gottadoit's reply, https://www.wilderssecurity.com/showpost.php?p=572900&postcount=2, this section in particular:

IF an Application Rule group was created for regedit with multiple entries for different calling programs and the command line parameters for each program were used, would that work? i.e. for IE-Spyad there are 2 command line parameters used, regedit.exe /s ie-ads-uninst.reg and regedit.exe /s ie-ads.reg. So there would be 2 entries for IE-Spyad using the above parameters, then if other entry/entries for regedit were added and the calling programs parameters added would RD use those permissions even if they are not first in the Rules list?

I hope this makes sense to you reading the above, if not I will do my best to describe the situation better.

 

Hi Disciple,

If I am reading you correctly, the only way to filter events by command line is to create individual application groups, for the same executable, with each having a unique group name and command line statement. It is not possible to assign multiple command line statements to or within one application group.

Nick