Cmd line

Discussion in 'Ghost Security Suite (GSS)' started by Reve_Etrange, Nov 22, 2005.

Thread Status:
Not open for further replies.
  1. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    Regarding the command line, I've read it is included in the rule, so does it mean that every single switch and argument combination requires a rule? Or can you accept any switch/argument? Can you disallow an exe unless there are specific arguments? Can you allow an exe unless there's a specific switch you don't want to see?

    -RE
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Reve_Etrange,

    Like RegDefend, there will be a unique rule for each executable+parameter combination.

    With the next public beta, Jason will probably include command-line filtering for rundll32.exe and svchost.exe. In my tests today with filtering rundll32.exe, I restricted rundll32.exe to only Display Properties by creating an Allow rule specifying "c:\windows\system32\rundll32.exe" /d g:\windows\system32\shell32.dll,control_rundll desk.cpl followed by a second rule for rundll32.exe with no parameters and set to Block execution.

    Yes, by creating a rule with that parameter, and setting it to Block execution. If you follow that with a rule for the same executable with no parameters, and set it to Allow execution, everything else will be permitted.

    Hope that makes sense.

    Nick
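
The two rule orderings described in this post, as an added example that is not part of the original thread and is not GSS code. It assumes rules are evaluated top-down with the first match winning and that parameters are matched exactly; `Rule`, `decide`, the `"ask"` fallback and the `/unwanted` parameter are hypothetical names.

```python
# Toy model of ordered executable+parameter rules (illustration only).
# Assumption: top-down evaluation, first match wins; a rule with no
# parameters matches any command line for that executable.
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    exe: str                 # full path of the executable
    params: Optional[str]    # exact parameter string, or None for "any"
    action: str              # "allow" or "block"

def _norm(s: str) -> str:
    # Assumption: compare case-insensitively and collapse whitespace runs,
    # so spacing or case differences do not create a "new" combination.
    return " ".join(s.lower().split())

def decide(rules, exe, params, default="ask"):
    """Return the action of the first rule matching exe + params."""
    for rule in rules:
        if _norm(rule.exe) != _norm(exe):
            continue
        if rule.params is None or _norm(rule.params) == _norm(params):
            return rule.action
    return default  # hypothetical fallback when no rule covers the executable

RUNDLL = r"c:\windows\system32\rundll32.exe"
DISPLAY = r"/d g:\windows\system32\shell32.dll,control_rundll desk.cpl"

# Pattern 1: allow only Display Properties, block every other rundll32 launch.
allow_one = [
    Rule(RUNDLL, DISPLAY, "allow"),
    Rule(RUNDLL, None, "block"),
]

# Pattern 2: block one unwanted parameter string, allow everything else.
# "/unwanted" is a constructed placeholder, not a real switch.
block_one = [
    Rule(RUNDLL, "/unwanted", "block"),
    Rule(RUNDLL, None, "allow"),
]

# Order matters: with the catch-all first, the specific rule is never reached.
misordered = list(reversed(allow_one))

if __name__ == "__main__":
    for name, rules in [("allow_one", allow_one), ("misordered", misordered)]:
        print(name, decide(rules, RUNDLL, DISPLAY))
```
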
     
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Will it be possible to use wildcards (i.e. ? and * like in RegDefend rules) for AD rules?
     
  4. Reve_Etrange

    Reve_Etrange Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    108
    TY for your answer nick_s.
    Wildcards would be very useful indeed.

    -RE
     