Cmd line

Discussion in 'Ghost Security Suite (GSS)' started by Reve_Etrange, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    Regarding the command line, I've read it is included in the rule, so does it mean that every single switch and argument combination requires a rule? Or can you accept any switch/argument? Can you disallow an exe unless there are specific arguments? Can you allow an exe unless there's a specific switch you don't want to see?

    -RE
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Reve_Etrange,

    Like RegDefend, there will be a unique rule for each executable+parameter combination.

    With the next public beta, Jason will probably include command-line filtering for rundll32.exe and svchost.exe. In my tests today with filtering rundll32.exe, I restricted rundll32.exe to only Display Properties by creating an Allow rule specifying "c:\windows\system32\rundll32.exe" /d g:\windows\system32\shell32.dll,control_rundll desk.cpl followed by a second rule for rundll32.exe with no parameters and set to Block execution.

    Yes, by creating a rule with that parameter, and setting it to Block execution. If you follow that with a rule for the same executable with no parameters, and set it to Allow execution, everything else will be permitted.

    Hope that makes sense.

    Nick
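
The two rule orderings nick s describes, as an added sketch that is not part of the original post and is not GSS code. It assumes rules are checked top to bottom, that a rule with no parameters matches any command line for that executable, and that comparison ignores case and extra whitespace; the `example.exe` path, the `/unwanted` switch and the `ask` default are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, ASK = "allow", "block", "ask"

@dataclass(frozen=True)
class Rule:
    exe: str                # full path of the executable
    params: Optional[str]   # exact parameter string; None = rule with no parameters
    action: str             # ALLOW or BLOCK

def _norm(text: str) -> str:
    # Assumption: case-insensitive match with runs of whitespace collapsed.
    return " ".join(text.lower().split())

def evaluate(rules, exe, params, default=ASK):
    """Return the action of the first rule matching exe + params (first match wins)."""
    for rule in rules:
        if _norm(rule.exe) != _norm(exe):
            continue
        # A parameterless rule is treated as the catch-all for that executable.
        if rule.params is None or _norm(rule.params) == _norm(params):
            return rule.action
    return default  # no rule for this executable at all

RUNDLL = r"c:\windows\system32\rundll32.exe"
DISPLAY = r"/d g:\windows\system32\shell32.dll,control_rundll desk.cpl"

# Pattern 1 (from the post): allow only Display Properties, block every other use.
ALLOW_ONE = [
    Rule(RUNDLL, DISPLAY, ALLOW),
    Rule(RUNDLL, None, BLOCK),
]

# Pattern 2 (from the post): block one parameter, allow everything else.
EXAMPLE_EXE = r"c:\tools\example.exe"   # constructed path
BLOCK_ONE = [
    Rule(EXAMPLE_EXE, "/unwanted", BLOCK),  # constructed switch
    Rule(EXAMPLE_EXE, None, ALLOW),
]

if __name__ == "__main__":
    for args in (DISPLAY, "shell32.dll,Control_RunDLL timedate.cpl"):
        print(f"rundll32 {args!r}: {evaluate(ALLOW_ONE, RUNDLL, args)}")
    for args in ("/unwanted", "/verbose"):
        print(f"example.exe {args!r}: {evaluate(BLOCK_ONE, EXAMPLE_EXE, args)}")
```

Reversing the two rules in either list makes the parameterless rule match first, so the specific rule is never reached.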
     
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,091
    Will it be possible to use wildcards (i.e. ? and * like in RegDefend rules) for AD rules?
     
  4. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    TY for your answer nick_s.
    Wildcards would be very useful indeed.

    -RE
     