Custom, Memory, and Registry rules each have an expert version with its own set of Operation choices. The tables below list the operations available to each expert rule type.

Table 1. Expert Custom Rules: Operation Settings

| Column Name | Attempted Operation | Description |
|---|---|---|
| Execute Operations | Execute | Execution of a file |
| Execute Operations | Image Load | Loading of a file (dll, ocx, etc.) into memory |
| Execute Operations | Process Create | Creation of a new process |
| Execute Operations | Process Terminate | Termination of a process |
| Execute Operations | Script Execute | Execution of a script. For App Control agents to see a script execute, the appropriate script rules must be defined in the console. |
| Modifying Operations | Delete On Close | This operation corresponds to someone opening or creating a file with the FILE_FLAG_DELETE_ON_CLOSE flag set (meaning they intend to delete the file). Typically used for short-lived files, but it can also be used by malware as an alternative way of deleting files. |
| Modifying Operations | Create New | Creation of a new file or directory |
| Modifying Operations | Delete | Deletion of a file |
| Modifying Operations | Mmap Write | Write to a memory-mapped file |
| Modifying Operations | Owner Change | Change the owner of a file or directory |
| Modifying Operations | Permission Change | Change the permissions on a file or directory |
| Modifying Operations | Rename | Rename a file or directory |
| Modifying Operations | Write | Write the contents of a file. Unlike in other rule types, “write” in the Expert Rules interface does not mean any modification whatsoever; however, operations such as changing the length of a file are also considered writes. If you specify a rule that allows creation of new files but blocks writes to existing files, the agent allows the process that created a new file to modify that same file for a short period of time. Without this, the process that created the file could not write its initial content, and you would be left with a zero-byte file. |
| Modifying Operations | Write Delayed | Memory-mapped writes, in which an application "maps" a file into memory (RAM) and writes to that memory. This content is later flushed to disk by the operating system's paging mechanism. |
| Modifying Operations | Write Intent | This option is no longer functional in expert rules. It is scheduled to be removed from the interface in a future release. |
| Basic Operations | Cleanup | Cleanup is the file system's report that a process is done using a file; it means the file has been “closed”. This corresponds to IRP_MJ_CLEANUP; see https://msdn.microsoft.com/en-us/library/windows/hardware/ff548608(v=vs.85).aspx. In App Control, cleanup signals that a file is ready to be analyzed, and it also triggers file deletion in a “delete on close” operation. NOTE: Cleanup cannot be blocked, since doing so would result in a handle leak. You can choose a reporting action, however. |
| Basic Operations | Lock File | Lock the file that matches the rule. |
| Basic Operations | Mmap Read | Read a memory-mapped file. |
| Basic Operations | Open | File open action. |
| Basic Operations | Open Execute Intent | A file handle was acquired with the intent to execute, but execution has not happened yet. |
| Basic Operations | Read | Read the contents of a file. |
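As an added illustration (not App Control's own code or its documented evaluation algorithm), the following Python model replays a constructed stream of Table 1 operations against a rule set that allows Create New, blocks Write, reports Delete On Close and attempts to block Cleanup, showing the creator grace window, the Cleanup downgrade to report, and deletion taking effect at Cleanup; the grace window length, the event format and the file path are assumptions.

```python
from dataclasses import dataclass

# Constructed model (not App Control's own engine) of evaluating an expert
# custom rule set that allows "Create New" but blocks "Write" to existing files.
GRACE_SECONDS = 5.0  # assumed creator grace window; the page gives no value

@dataclass
class FileEvent:
    t: float    # event time in seconds
    pid: int    # process performing the operation
    op: str     # Table 1 operation name
    path: str   # target file

class RuleEngine:
    def __init__(self, actions):
        self.actions = actions          # operation -> "allow" | "block" | "report"
        self.created = {}               # path -> (creator pid, creation time)
        self.delete_on_close = set()    # paths opened with FILE_FLAG_DELETE_ON_CLOSE
        self.deleted = []               # paths removed when their Cleanup arrived

    def evaluate(self, ev):
        if ev.op == "Cleanup":
            # Cleanup cannot be blocked (it would leak the handle); a "block"
            # action degrades to "report". Delete-on-close takes effect here.
            if ev.path in self.delete_on_close:
                self.delete_on_close.discard(ev.path)
                self.deleted.append(ev.path)
            return "allow" if self.actions.get("Cleanup", "allow") == "allow" else "report"
        decision = self.actions.get(ev.op, "allow")
        if ev.op == "Create New" and decision == "allow":
            self.created[ev.path] = (ev.pid, ev.t)
        elif ev.op == "Write" and decision == "block":
            creator = self.created.get(ev.path)
            if creator and creator[0] == ev.pid and ev.t - creator[1] <= GRACE_SECONDS:
                decision = "allow"  # creator may write initial content; else zero-byte file
        elif ev.op == "Delete On Close" and decision != "block":
            self.delete_on_close.add(ev.path)  # the deletion itself happens at Cleanup
        return decision

def run(events, actions):
    """Return (decision per event, list of paths deleted at Cleanup)."""
    engine = RuleEngine(actions)
    return [engine.evaluate(ev) for ev in events], engine.deleted

SAMPLE_ACTIONS = {"Create New": "allow", "Write": "block",
                  "Delete On Close": "report", "Cleanup": "block"}
SAMPLE_EVENTS = [  # constructed event stream
    FileEvent(0.0, 100, "Create New", r"C:\temp\a.txt"),
    FileEvent(1.0, 100, "Write", r"C:\temp\a.txt"),         # creator inside grace window
    FileEvent(2.0, 200, "Write", r"C:\temp\a.txt"),         # another process: blocked
    FileEvent(10.0, 100, "Write", r"C:\temp\a.txt"),        # creator after grace: blocked
    FileEvent(11.0, 300, "Delete On Close", r"C:\temp\a.txt"),
    FileEvent(12.0, 300, "Cleanup", r"C:\temp\a.txt"),      # file removed here
]
```

Running `run(SAMPLE_EVENTS, SAMPLE_ACTIONS)` yields the per-event decisions and the single path removed when its Cleanup arrived.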

Table 2. Expert Memory Rules: Operation Settings

| Column Name | Attempted Operation | Description |
|---|---|---|
| Basic Operations | Access Kernel Memory | Rules can use this operation to close a bypass on XP and 2003 systems by preventing user-mode processes from opening \Device\PhysicalMemory, which would effectively allow them to read kernel memory. Windows versions from Vista forward prevent this action on their own. |
| Basic Operations | Allocate Memory | Corresponds to the VirtualAlloc system call, which is invoked when an application wants to obtain a block of memory with specific permissions. |
| Basic Operations | Debug Process | Corresponds to OB_OPERATION_PROCESS_PTRACE, which is invoked if there is an attempt to enable ptrace logging on another application. |
| Basic Operations | Kill Process | Corresponds to OB_OPERATION_PROCESS_KILL, which signifies that someone opened a handle to another process/thread and attempted to terminate it. |
| Process/Thread Operations | Create Handle | This operation occurs if there is an attempt to open a new handle to a process/thread. Rules can be used to strip or report the permissions on the handle to limit what the source process can do on the target object. The permissions available here are the same as those documented for non-expert memory rules in Table: Permissions Menu Options. |
| Process/Thread Operations | Duplicate Handle | This operation occurs if there is an attempt to duplicate a handle that is already open. Rules can strip or report the permissions on the new handle to limit what the process can do with the duplicate handle. |

Table 3. Expert Registry Rules: Operation Settings

| Column Name | Attempted Operation | Description |
|---|---|---|
| Key Operations | Create Key | Creation of a registry key |
| Key Operations | Rename Key | Not implemented. Do not use. A rename is a delete operation plus a create operation; if you want to block or report renaming of keys, take the action on either of those operations. |
| Key Operations | Delete Key | Deletion of a registry key |
| Key Operations | Set Security | SetSecurity is invoked when someone tries to change the permissions on a given registry key/value. |
| Key Operations | Open Key with Write Access | Open a registry key with write access. |
| Value Operations | Change Value | Change Value is invoked when there is an attempt to modify a registry value. The target name of the operation is the full path to the registry value (e.g. HKLM\key\value). |
| Value Operations | Delete Value | Delete Value is invoked when there is an attempt to delete a registry value. The target name of the operation is the full path to the registry value (e.g. HKLM\key\value). |