1 # @(#) $Id$
2 #
3 # OSSEC Application detection - (C) 2007 Daniel B. Cid - dcid@ossec.net
4 #
5 # Released under the same license as OSSEC.
6 # More details at the LICENSE file included with OSSEC or online
7 # at: http://www.ossec.net/en/licensing.html
8
# [Application name] [any or all] [reference]
# type:<entry name>;
#
# "any": the application is reported as soon as one entry in the section
#        matches; "all": every entry in the section must match.
# Type can be:
#             - f (for file or directory)
#             - r (registry entry)
#             - p (process running)
16 #
# Additional values:
# For the registry, use "->" to look for a specific entry (value name)
# under the key, and another "->" to look for that entry's value, e.g.
#   r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
# For files, use "->" to look for a specific value in the file.
21
# Values can be preceded by: =: (for equal) - default
#                            r: (for ossec regexes)
#                            >: (for strcmp greater)
#                            <: (for strcmp lower)
# Multiple patterns can be specified by using " && " between them.
# (All of them must match for it to return true.)
#
# Caveats when relying on these checks:
# - Every entry below matches a fixed path, registry key or process name,
#   so a renamed binary or a non-default install location is not detected:
#   a match is a positive indicator, the absence of a match proves nothing.
# - Many file entries assume the \Documents and Settings and \Program Files
#   layout (no "(x86)" variant); confirm they fit the target Windows version.
# - NOTE(review): HKEY_CURRENT_USER entries are resolved in the context of
#   the account the agent runs as; under a service account they may not see
#   per-user installs -- confirm against the agent configuration.
28
29
30
# Skype: install directory, the All Users profile and start-menu entries,
# the HKLM vendor key, the Group Policy key and the Skype.exe process.
# The file entries use the \Documents and Settings profile layout; on a
# host with a different layout only the registry and process entries can
# match.
[Chat/IM/VoIP - Skype] [any] []
f:\Program Files\Skype\Phone;
f:\Documents and Settings\All Users\Documents\My Skype Pictures;
f:\Documents and Settings\Skype;
f:\Documents and Settings\All Users\Start Menu\Programs\Skype;
r:HKLM\SOFTWARE\Skype;
r:HKEY_LOCAL_MACHINE\Software\Policies\Skype;
p:r:Skype.exe;
39
40
# Yahoo! Messenger: the All Users start-menu folder and the HKLM\SOFTWARE\Yahoo
# vendor key. The vendor key is not specific to Messenger and may exist
# when other Yahoo software is installed, so treat a registry-only match
# as an indicator to confirm on the host.
[Chat/IM - Yahoo] [any] []
f:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger;
r:HKLM\SOFTWARE\Yahoo;
44
45
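# ICQ: the Mirabilis key in both the per-user (HKCU) and machine-wide
# (HKLM) hives. The two hives were previously split across two sections
# with the same name; checking both here yields a single "Chat/IM - ICQ"
# finding whichever hive holds the key.
[Chat/IM - ICQ] [any] [http://www.icq.com]
r:HKEY_CURRENT_USER\Software\Mirabilis\ICQ;
r:HKLM\SOFTWARE\Mirabilis\ICQ;


# AOL Instant Messenger: the HKLM vendor key, the aim: protocol handler
# (shell\open\command and AIM.Protocol) and MIME-type registrations under
# HKCR, the AIM95 install directory and the aim.exe process.
[Chat/IM - AOL] [any] [http://www.aol.com]
r:HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger;
r:HKEY_CLASSES_ROOT\aim\shell\open\command;
r:HKEY_CLASSES_ROOT\AIM.Protocol;
r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-aim;
f:\Program Files\AIM95;
p:r:aim.exe;


# MSN Messenger: the HKLM and HKCU MSNMessenger keys, two candidate
# install directories and the msnmsgr.exe process. \Program Files\Messenger
# may also be present for the Messenger client shipped with some Windows
# versions, so confirm a match on that entry alone.
[Chat/IM - MSN] [any] [http://www.msn.com]
r:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSNMessenger;
r:HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSNMessenger;
f:\Program Files\MSN Messenger;
f:\Program Files\Messenger;
p:r:msnmsgr.exe;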
69
70
# uTorrent: process-name match only (utorrent.exe). There is no file or
# registry entry, so the client is detected only while it is running, and
# a renamed executable is not seen at all.
[P2P - UTorrent] [any] []
p:r:utorrent.exe;
73
74
# LimeWire and its LimeShop component: the HKLM vendor key, the limeshop
# autostart entry (looked up as a value name under the Run key with the
# "->" form) and both Program Files directories.
[P2P - LimeWire] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Limewire;
r:HKLM\software\microsoft\windows\currentversion\run -> limeshop;
f:\Program Files\limewire;
f:\Program Files\limeshop;
80
81
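# Kazaa Media Desktop (P2P client bundled with adware): install directory,
# All Users start-menu folder and desktop shortcuts, Cd_clint.dll under
# %WINDIR%\System32, the HKLM/HKCU vendor keys and the KAZAA autostart
# entry. The autostart entry is looked up as a value name under the Run
# key (the "->" form, as for limeshop and gotomypc); the earlier form
# named KAZAA as a subkey of Run, which an autostart entry never is.
# Shortcuts and registry keys can outlive an uninstall, so confirm on the
# host before acting on a match.
[P2P/Adware - Kazaa] [any] []
f:\Program Files\kazaa;
f:\Documents and Settings\All Users\Start Menu\Programs\kazaa;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Media Desktop.lnk;
f:\Documents and Settings\All Users\DESKTOP\Kazaa Promotions.lnk;
f:%WINDIR%\System32\Cd_clint.dll;
r:HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA;
r:HKEY_CURRENT_USER\SOFTWARE\KAZAA;
r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> kazaa;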
91
92
# RX Toolbar (Infotechnics) adware; McAfee write-up:
# http://vil.nai.com/vil/content/v_135023.htm (also in the reference field).
# Checked: the HKCU vendor and toolbar keys, the BarInfoUrl.TBInfo class
# entry, the Uninstall entry and the install directory.
[Adware - RxToolBar] [any] [http://vil.nai.com/vil/content/v_135023.htm]
r:HKEY_CURRENT_USER\Software\Infotechnics;
r:HKEY_CURRENT_USER\Software\Infotechnics\RX Toolbar;
r:HKEY_CURRENT_USER\Software\RX Toolbar;
r:HKEY_CLASSES_ROOT\BarInfoUrl.TBInfo;
r:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RX Toolbar;
f:\Program Files\RXToolBar;
101
102
# BitTorrent client; reference: http://btfaq.com/serve/cache/18.html
# Checked: the install directory, the .torrent extension, MIME-type and
# bittorrent protocol registrations under HKCR, and the Uninstall entry.
# The HKCR entries are file/protocol associations and may be registered by
# other torrent clients as well, so a match on them alone indicates "some
# BitTorrent client" rather than this one specifically.
[P2P - BitTorrent] [any] [http://btfaq.com/serve/cache/18.html]
f:\Program Files\BitTorrent;
r:HKEY_CLASSES_ROOT\.torrent;
r:HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-bittorrent;
r:HKEY_CLASSES_ROOT\bittorrent;
r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent;
110
111
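# GoToMyPC: install directories under both the Citrix and expertcity
# vendor names (plus two binaries inside the Citrix tree), the gotomypc
# autostart value under the Run key, the vendor and service registry keys,
# and the g2svc.exe / g2pre.exe processes. The vendor URL is carried in
# the reference field, as the other referenced sections do, rather than in
# a comment only. A remote-access tool like this bypasses perimeter
# controls, so a hit here deserves prompt follow-up.
[Remote Access - GoToMyPC] [any] [http://www.gotomypc.com]
f:\Program Files\Citrix\GoToMyPC;
f:\Program Files\Citrix\GoToMyPC\g2svc.exe;
f:\Program Files\Citrix\GoToMyPC\g2comm.exe;
f:\Program Files\expertcity\GoToMyPC;
r:HKLM\software\microsoft\windows\currentversion\run -> gotomypc;
r:HKEY_LOCAL_MACHINE\software\citrix\gotomypc;
r:HKEY_LOCAL_MACHINE\system\currentcontrolset\services\gotomypc;
p:r:g2svc.exe;
p:r:g2pre.exe;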
123
124
# Twain-Tec spyware: the TwaintecDll.TwaintecDllObj.1 ProgID-style class
# entry under HKLM\SOFTWARE\Classes, the HKLM\SOFTWARE\twaintech vendor key
# and twaintec.dll in %WINDIR%. There is no process entry, so an on-disk
# or registry footprint is required for detection.
[Spyware - Twain Tec Spyware] [any] []
r:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1;
r:HKEY_LOCAL_MACHINE\SOFTWARE\twaintech;
f:%WINDIR%\twaintec.dll;
129
130
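# SpyBuddy (ExploreAnywhere Software) spyware: the sb32mon.exe binary and
# its install tree under \Program Files\ExploreAnywhere, sysicept.dll in
# %WINDIR%\System32 and the vendor registry key. The Symantec write-up is
# carried in the reference field, as the other referenced sections do,
# rather than in a comment only.
[Spyware - SpyBuddy] [any] [http://www.symantec.com/security_response/writeup.jsp?docid=2004-062611-4548-99&tabid=2]
f:\Program Files\ExploreAnywhere\SpyBuddy\sb32mon.exe;
f:\Program Files\ExploreAnywhere\SpyBuddy;
f:\Program Files\ExploreAnywhere;
f:%WINDIR%\System32\sysicept.dll;
r:HKEY_LOCAL_MACHINE\Software\ExploreAnywhere Software\SpyBuddy;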
138
139
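# Internet Optimizer (Avenue Media) adware: the HKLM vendor key and the
# safesurfinghelper class entries under HKCR (the .iebho names suggest an
# Internet Explorer browser helper object). The two HKCR entries previously
# had a doubled backslash after the hive name, unlike every other registry
# entry in this file, which may have kept the key path from resolving;
# they are written with a single separator here, consistent with the rest.
[Spyware - InternetOptimizer] [any] []
r:HKLM\SOFTWARE\Avenue Media;
r:HKEY_CLASSES_ROOT\safesurfinghelper.iebho.1;
r:HKEY_CLASSES_ROOT\safesurfinghelper.iebho;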
144
145
146 # EOF #