1 # OSSEC Linux Audit - (C) 2018 OSSEC Project
2 #
3 # Released under the same license as OSSEC.
4 # More details at the LICENSE file included with OSSEC or online
5 # at: https://github.com/ossec/ossec-hids/blob/master/LICENSE
6 #
7 # [Application name] [any or all] [reference]
8 # type:<entry name>;
9 #
10 # Type can be:
11 #             - f (for file or directory)
12 #             - r (registry entry)
13 #             - p (process running)
14 #
15 # Additional values:
16 # For the registry and for directories, use "->" to look for a specific entry and another
17 # "->" to look for the value.
18 # Also, use " -> r:^\. -> ..." to search all files in a directory
19 # For files, use "->" to look for a specific value in the file.
20 #
21 # Values can be preceded by: =: (for equal) - default
22 #                             r: (for ossec regexes)
23 #                             >: (for strcmp greater)
24 #                             <: (for strcmp lower)
25 # Multiple patterns can be specified by using " && " between them.
26 # (All of them must match for it to return true).
27
# NOTE(review): this file mixes the abbreviated hive name (HKLM) with the full form
# (HKEY_LOCAL_MACHINE), e.g. the two registry entries of this section. Whether the
# rootcheck loader treats the two spellings as aliases cannot be told from this file —
# confirm, or normalise every entry to one form so a check is not silently skipped.
# NOTE(review): "p:r:" patterns are OSSEC regexes (see header). The "." in "Skype.exe"
# is unescaped and the pattern is unanchored; if "." is a wildcard here, as the header's
# escaped "r:^\." example suggests, this matches any process name containing "Skype",
# one character and "exe". The same applies to the other p:r: entries in this file
# (aim.exe, msnmsgr.exe, utorrent.exe, g2svc.exe, g2pre.exe). Escape the dot if an
# exact executable name is intended.
28 [Chat/IM/VoIP - Skype {PCI_DSS: 10.6.1}] [any] []
29 f:\Program Files\Skype\Phone;
30 f:\Documents and Settings\All Users\Documents\My Skype Pictures;
31 f:\Documents and Settings\Skype;
32 f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
33 r:HKLM\SOFTWARE\Skype;
34 r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
35 p:r:Skype.exe;
36
37 [Chat/IM - Yahoo {PCI_DSS: 10.6.1}] [any] []
38 f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
39 r:HKLM\SOFTWARE\Yahoo;
40
41 [Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] []
42 r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
43
44 [Chat/IM - AOL {PCI_DSS: 10.6.1}] [any] [http://www.aol.com]
45 r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
46 r:HKEY_CLASSES_ROOT\aim\shell\open\command;
47 r:HKEY_CLASSES_ROOT\AIM.Protocol;
48 r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
49 f:\Program Files\AIM95;
50 p:r:aim.exe;
51
52 [Chat/IM - MSN {PCI_DSS: 10.6.1}] [any] [http://www.msn.com]
53 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
54 r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
55 f:\Program Files\MSN Messenger;
56 f:\Program Files\Messenger;
57 p:r:msnmsgr.exe;
58
# NOTE(review): a section with this exact name already appears earlier in this file
# (it checks HKEY_CURRENT_USER\Software\Mirabilis\ICQ). Two sections sharing one name
# produce indistinguishable alerts; consider merging this HKLM entry into the earlier
# section, keeping the reference URL given here.
59 [Chat/IM - ICQ {PCI_DSS: 10.6.1}] [any] [http://www.icq.com]
60 r:HKLM\SOFTWARE\Mirabilis\ICQ;
61
62 [P2P - UTorrent {PCI_DSS: 10.6.1}] [any] []
63 p:r:utorrent.exe;
64
65 [P2P - LimeWire {PCI_DSS: 11.4}] [any] []
66 r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
67 r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
68 f:\Program Files\limewire;
69 f:\Program Files\limeshop;
70
# NOTE(review): the last entry of this section names KAZAA as a subkey of
# ...\CurrentVersion\RUN, whereas the other Run checks in this file (limeshop, gotomypc)
# use the "-> <name>" form from the header to look up a value under the Run key. If the
# Kazaa autostart entry is a value rather than a subkey, this check would need the same
# "-> KAZAA" form to match — confirm against a known-installed host.
71 [P2P/Adware - Kazaa {PCI_DSS: 11.4}] [any] []
72 f:\Program Files\kazaa;
73 f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
74 f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
75 f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
76 f:%WINDIR%\System32\Cd_clint.dll;
77 r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
78 r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
79 r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
80
81 # http://vil.nai.com/vil/content/v_135023.htm
82 [Adware - RxToolBar {PCI_DSS: 11.4}] [any] [http://vil.nai.com/vil/content/v_135023.htm]
83 r:HKEY_CURRENT_USER\Software\Infotechnics;
84 r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
85 r:HKEY_CURRENT_USER\Software\RX Toolbar;
86 r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
87 r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
88 f:\Program Files\RXToolBar;
89
90 # http://btfaq.com/serve/cache/18.html
91 [P2P - BitTorrent {PCI_DSS: 10.6.1}] [any] [http://btfaq.com/serve/cache/18.html]
92 f:\Program Files\BitTorrent;
93 r:HKEY_CLASSES_ROOT\.torrent;
94 r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
95 r:HKEY_CLASSES_ROOT\bittorrent;
96 r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
97
98 # http://www.gotomypc.com
99 [Remote Access - GoToMyPC {PCI_DSS: 10.6.1}] [any] []
100 f:\Program Files\Citrix\GoToMyPC;
101 f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
102 f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
103 f:\Program Files\expertcity\GoToMyPC;
104 r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
105 r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
106 r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
107 p:r:g2svc.exe;
108 p:r:g2pre.exe;
109
110 [Spyware - Twain Tec Spyware {PCI_DSS: 11.4}] [any] []
111 r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
112 r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
113 f:%WINDIR%\twaintec.dll;
114
115 # http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2
116 [Spyware - SpyBuddy {PCI_DSS: 11.4}] [any] []
117 f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
118 f:\Program Files\ExploreAnywhere\SpyBuddy;
119 f:\Program Files\ExploreAnywhere;
120 f:%WINDIR%\System32\sysicept.dll;
121 r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
122
# NOTE(review): the two safesurfinghelper entries below use a doubled backslash after
# HKEY_CLASSES_ROOT, unlike every other registry path in this file. This looks like a
# typo that could keep the key from ever matching (the check would then never fire) —
# confirm how the loader reads "\\" and, if it is a typo, use a single backslash.
123 [Spyware - InternetOptimizer {PCI_DSS: 11.4}] [any] []
124 r:HKLM\SOFTWARE\Avenue Media;
125 r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1;
126 r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;