Several of the default Custom rules included in v8.0.0 are Expert rules. You can examine the following rules to get an idea of the rules you can create.
- Examine PowerShell script contents
- Block PowerShell scripts that execute in memory
- Do not treat these processes as .NET applications
- Report read-only memory map operations on unapproved executables by .NET applications
- [Sample] Prompt for read-only memory map operations on unapproved executables by .NET applications in medium enforcement
- [Sample] Deny read-only memory map operations on unapproved executables by .NET applications in high enforcement
- Deny read-only memory map operations on banned executables by .NET applications
Note: The Registry and Memory rules present by default in this release do not use Expert Mode.