1 # @(#) $Id: ./src/rootcheck/db/win_applications_rcl.txt, 2011/09/08 dcid Exp $
2
3 #
4 # OSSEC Application detection - (C) 2007 Daniel B. Cid - dcid@ossec.net
5 #
6 # Released under the same license as OSSEC.
7 # More details at the LICENSE file included with OSSEC or online
8 # at: http://www.ossec.net/en/licensing.html
9
10 # [Application name] [any or all] [reference]
11 # type:<entry name>;
12 #
13 # Type can be:
14 #             - f (for file or directory)
15 #             - r (registry entry)
16 #             - p (process running)
17 #
18 # Additional values:
19 # For the registry, use "->" to look for a specific entry and another
20 # "->" to look for the value.
21 # For files, use "->" to look for a specific value in the file.
22
23 # Values can be preceded by: =: (for equal) - default
24 #                             r: (for ossec regexes)
25 #                             >: (for strcmp greater)
26 #                             <: (for strcmp lower)
27 # Multiple patterns can be specified by using " && " between them.
28 # (All of them must match for it to return true).
29
30
31
# Skype - [any] section: presumably a single matching entry is enough to report it.
# Looks at the install dir, the All Users / per-user profile folders and Start Menu
# shortcut folder, two HKLM keys (including the Policies key) and a running
# process whose name matches the regex Skype.exe (p:r: = process, regex match).
# NOTE(review): every path here is a pre-Vista layout (\Documents and Settings,
# \Program Files) - confirm coverage on newer profile layouts and on 64-bit hosts
# where 32-bit software lands under Program Files (x86).
32 [Chat/IM/VoIP - Skype] [any] []
33 f:\Program Files\Skype\Phone;
34 f:\Documents and Settings\All Users\Documents\My Skype Pictures;
35 f:\Documents and Settings\Skype;
36 f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
37 r:HKLM\SOFTWARE\Skype;
38 r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
39 p:r:Skype.exe;
40
41
# Yahoo! Messenger - matches on the All Users Start Menu folder or the
# HKLM\SOFTWARE\Yahoo key. No process entry, so a running-but-uninstalled
# copy (e.g. a portable binary) is not covered by this section.
42 [Chat/IM - Yahoo] [any] []
43 f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
44 r:HKLM\SOFTWARE\Yahoo;
45
46
# ICQ (per-user hive) - a single HKEY_CURRENT_USER key. A second
# [Chat/IM - ICQ] section further down checks the HKLM hive instead.
# NOTE(review): consider merging the two sections into one [any] block so the
# application is reported once; whether duplicate section names are reported
# separately depends on the rootcheck parser - confirm before merging.
47 [Chat/IM - ICQ] [any] []
48 r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
49
50
# AOL Instant Messenger - HKLM install key, the aim: protocol / ProgID / MIME
# handler registrations under HKEY_CLASSES_ROOT, the AIM95 install dir and a
# running process matching the regex aim.exe.
# NOTE(review): HKCR handler and MIME registrations can outlive an uninstall;
# treat a hit on those keys alone as weaker evidence than the process or
# install-dir entries.
51 [Chat/IM - AOL] [any] [http://www.aol.com]
52 r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
53 r:HKEY_CLASSES_ROOT\aim\shell\open\command;
54 r:HKEY_CLASSES_ROOT\AIM.Protocol;
55 r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
56 f:\Program Files\AIM95;
57 p:r:aim.exe;
58
59
# MSN Messenger - checks the MSNMessenger key in both the HKLM and HKCU hives,
# two candidate install dirs and a running process matching the regex
# msnmsgr.exe.
# NOTE(review): \Program Files\Messenger is a generic directory name; confirm it
# does not also match the built-in Windows Messenger on hosts where that exists.
60 [Chat/IM - MSN] [any] [http://www.msn.com]
61 r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
62 r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
63 f:\Program Files\MSN Messenger;
64 f:\Program Files\Messenger;
65 p:r:msnmsgr.exe;
66
67
# ICQ (machine hive) - same product as the earlier [Chat/IM - ICQ] section, which
# checks HKEY_CURRENT_USER; this one checks HKLM only.
# NOTE(review): duplicate section name - consider folding this key into the
# earlier section so ICQ is reported once.
68 [Chat/IM - ICQ] [any] [http://www.icq.com]
69 r:HKLM\SOFTWARE\Mirabilis\ICQ;
70
71
# uTorrent - process-only check (regex utorrent.exe). With no file or registry
# entries in this section the client is only detected while it is running.
72 [P2P - UTorrent] [any] []
73 p:r:utorrent.exe;
74
75
# LimeWire - HKLM install key, the "limeshop" value under the per-machine
# CurrentVersion\Run (autostart) key (the "->" form selects a named value, see
# the header), and two install dirs.
76 [P2P - LimeWire] [any] []
77 r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
78 r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
79 f:\Program Files\limewire;
80 f:\Program Files\limeshop;
81
82
# Kazaa - install dir, Start Menu folder and two All Users desktop shortcuts,
# a DLL under System32, KAZAA keys in both hives and a KAZAA subkey under the
# per-machine Run (autostart) key.
# NOTE(review): %WINDIR% is presumably expanded by the agent at check time -
# verify, since the header only documents the f:/r:/p: prefixes, not variables.
83 [P2P/Adware - Kazaa] [any] []
84 f:\Program Files\kazaa;
85 f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
86 f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
87 f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
88 f:%WINDIR%\System32\Cd_clint.dll;
89 r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
90 r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
91 r:HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\KAZAA;
92
93
# RX Toolbar (adware) - vendor and product keys in HKCU, an HKCR ProgID, the
# HKLM Uninstall entry and the install dir. Reference URL is repeated in the
# section header's third field.
94 # http://vil.nai.com/vil/content/v_135023.htm
95 [Adware - RxToolBar] [any] [http://vil.nai.com/vil/content/v_135023.htm]
96 r:HKEY_CURRENT_USER\Software\Infotechnics;
97 r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
98 r:HKEY_CURRENT_USER\Software\RX Toolbar;
99 r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
100 r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
101 f:\Program Files\RXToolBar;
102
103
# BitTorrent client - install dir, the .torrent extension / MIME type / ProgID
# registrations under HKCR and the HKLM Uninstall entry. No process check.
# NOTE(review): the HKCR .torrent and MIME entries are claimed by many torrent
# clients, so a hit on those alone identifies "a torrent handler" rather than
# this specific client.
104 # http://btfaq.com/serve/cache/18.html
105 [P2P - BitTorrent] [any] [http://btfaq.com/serve/cache/18.html]
106 f:\Program Files\BitTorrent;
107 r:HKEY_CLASSES_ROOT\.torrent;
108 r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
109 r:HKEY_CLASSES_ROOT\bittorrent;
110 r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
111
112
# GoToMyPC (remote access) - Citrix and expertcity install dirs plus the two
# service/comm binaries, the "gotomypc" value under the per-machine Run key,
# the Citrix software key, the CurrentControlSet\services\gotomypc service key,
# and running processes matching g2svc.exe or g2pre.exe.
# The services key and Run value are the persistence artefacts; a hit there
# without a matching process suggests an installed-but-idle agent.
113 # http://www.gotomypc.com
114 [Remote Access - GoToMyPC] [any] []
115 f:\Program Files\Citrix\GoToMyPC;
116 f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
117 f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
118 f:\Program Files\expertcity\GoToMyPC;
119 r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
120 r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
121 r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
122 p:r:g2svc.exe;
123 p:r:g2pre.exe;
124
125
# Twain Tec spyware - the TwaintecDll COM class registration under
# HKLM\SOFTWARE\Classes, the vendor key and the DLL dropped directly under
# %WINDIR% (presumably expanded by the agent - verify).
126 [Spyware - Twain Tec Spyware] [any] []
127 r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
128 r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
129 f:%WINDIR%\twaintec.dll;
130
131
# SpyBuddy (monitoring spyware) - the sb32mon.exe binary, its install dir, the
# vendor dir, a DLL under System32 and the HKLM vendor\product key.
# Listed from most to least specific; the bare vendor dir (ExploreAnywhere)
# would also match other products from that vendor.
132 # http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2
133 [Spyware - SpyBuddy] [any] []
134 f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
135 f:\Program Files\ExploreAnywhere\SpyBuddy;
136 f:\Program Files\ExploreAnywhere;
137 f:%WINDIR%\System32\sysicept.dll;
138 r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;
139
140
# Internet Optimizer spyware - HKLM vendor key (Avenue Media) and two
# safesurfinghelper BHO ProgIDs under HKCR.
# NOTE(review): the two HKCR entries use a double backslash after
# HKEY_CLASSES_ROOT, unlike every other registry entry in this file - confirm
# whether the rootcheck parser tolerates "\\" or whether these keys never match.
141 [Spyware - InternetOptimizer] [any] []
142 r:HKLM\SOFTWARE\Avenue Media;
143 r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho.1;
144 r:HKEY_CLASSES_ROOT\\safesurfinghelper.iebho;
145
146
147 # EOF #