This is where we are going to write the expert rules (locally, on the endpoint). Why?
- we can check the rule
- impact is low because it's local (unlike ePO)
"C:\Program Files\Common Files\McAfee\SystemCore\aacinfo.exe"
Command that can be used to get events in real time
aacinfo report
Command used to get all AAC rules (we can reverse engineer McAfee's rules with this tool)
aacinfo query > outputFile.xml
The name of the expert rule is kept in the output file, so we can search by it
aacinfo /?
- Initiator, the object committing the action (can Match only PROCESS/THREAD)
- Target, the object the action is committed on (can Match all objects)
The rules are Include/Exclude inside the Match section
In/Exclude ACCESS_MASK {-v "XXXX" "YYYY" "ZZZZ"} = In/Exclude -access "XXXX YYYY ZZZZ"
? - every single char
* - zero to infinity chars (except \)
** - zero to infinity chars (including \)
| - removes the special (wildcard) meaning of the following char
\ - an escape char for TCL
set <variable_name> <value>
lappend <list_name> <value>
-l $<list_name>
We can use -v and -l $<list_name> together in the same Include/Exclude
In/Exclude MatchType {
-l $someList
-v "someValue"
}
-v "value"
-l $list
-pfx "prefix"
-sfx "suffix"
We can use this function to join a group of Include/Exclude entries
iEnv <ENV_VAR>
iSystem <var>
examples: os_arch (640 = 64-bit, 320 = 32-bit)
iTerminate "Some Message" ;# Stops the rule from applying on current computer
iReg value <KEY> <VALUE>
llength $<object> - returns the length of the object
lindex $<list_obj> $<index>
iUtil cvt2args $<string> ;# Converts to args (splits spaces, keeps "" as one arg)
string trim $<var> <chars> ;# Removes the chosen chars from the given var
if {$<var_name> == "someValue"} {
<whatever>
} else { ;# In TCL, "else" must stay on the same line as the closing brace of the if body
<something>
}
for {set x <start_value>} {condition} {<changing x>} {
<something>
}
TCL Version is 7.6
", $, [, ], \, _
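A worked rule that pulls the constructs above together (set/lappend with -l, -v combined with -l, iSystem/iTerminate, iEnv, ** wildcards with TCL escaping, and the -access shorthand). This is an added example, not one of the notes' or McAfee's own rules; the process names, the exact return form of iSystem os_arch and the use of SystemRoot are assumptions made for the illustration.

```tcl
# Added example rule: flag scripting hosts that create or write .exe files
# outside the Windows directory. Block/report is chosen in the ENS console.

# Skip the rule on non-64-bit hosts (assumes iSystem os_arch returns 640/320
# as noted above).
if {[iSystem os_arch] != "640"} {
    iTerminate "Expert rule applies to 64-bit hosts only"
}

# Build the initiator list with lappend, then reference it with -l.
set scriptHosts {}
lappend scriptHosts "powershell.exe"
lappend scriptHosts "wscript.exe"
lappend scriptHosts "cscript.exe"

# Resolve %SystemRoot% with iEnv so the exclusion follows the real install path.
set sysRoot [iEnv SystemRoot]

Rule {
    Initiator {
        Match PROCESS {
            # -l and -v can be used together inside one Include
            Include OBJECT_NAME {
                -l $scriptHosts
                -v "mshta.exe"
            }
        }
    }
    Target {
        Match FILE {
            # ** spans directory separators; \\ is the TCL escape for one backslash
            Include OBJECT_NAME { -v "**\\*.exe" }
            # Leave the OS's own directory alone
            Exclude OBJECT_NAME { -v "$sysRoot\\**" }
            # Shorthand form of ACCESS_MASK
            Include -access "CREATE WRITE"
        }
    }
}
```

After saving the rule, aacinfo report shows the matching events in real time and aacinfo query confirms the rule was loaded.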