2 - McAfee AV rules for OSSEC.
4 - Copyright (C) 2008 Michael Starks
6 - This program is a free software; you can redistribute it
7 - and/or modify it under the terms of the GNU General Public
8 - License (version 3) as published by the FSF - Free Software
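<!--
  Event-id lists and message patterns shared by the McAfee rules below.
  OSSEC <id>/<match> patterns: "^" anchors at the start of the field, "|"
  separates alternatives, and nothing ends a match unless "$" is written.
  NOTE(review): the three-digit ids (^100, ^257, ^258, ^259) carry no "$",
  so each also matches any longer id that starts with those digits: ^100
  covers 1000 to 1008 (already listed) but also 1009 or 100xx. Confirm
  whether "$" terminators were intended before relying on exact ids.
-->
<!-- Error-level event ids; referenced by rule 7503 (<id>$MCAFEE_ERROR</id>).
     NOTE(review): the original list ended "^5063|^5063"; the duplicate was
     dropped. Check whether a different id was intended for the second entry. -->
12 <var name="MCAFEE_ERROR">^259|^100|^1000|^1001|^1002|^1003|^1004|^1005|^1006|^1007|^1008|^5003|^5005|^5008|^5010|^5011|^5019|^5020|^5021|^5022|^5030|^5031|^5032|^5033|^5034|^5035|^5046|^5047|^5048|^5049|^5051|^5054|^5057|^5059|^5060|^5063</var>
<!-- Warning-level event ids; presumably matched by rule 7502 (its <id> line is not visible in this listing). -->
13 <var name="MCAFEE_WARN">^258|^5001|^5028|^5036|^5037|^5038|^5039|^5040|^5041|^5053|^5056|^5061|^5062|^5065</var>
<!-- Informational event ids; presumably matched by rule 7501 (its <id> line is not visible in this listing). -->
14 <var name="MCAFEE_INFO">^257|^5000|^5026|^5052|^5055</var>
<!-- Message fragments that show the detection was remediated (quarantined, deleted or cleaned); used by rule 7505. -->
15 <var name="MCAFEE_VIRUS_OK">quarantined|moved to quarantine|file was deleted|deleted successfully|has been deleted|message deleted|deleted after|cleaned|successfully deleted</var>
<!-- <regex> alternatives for a detection with no remediation wording; used by rule 7504.
     In OSSEC regex syntax "\." means "any character", so "\.+" stands for the file name. -->
16 <var name="MCAFEE_VIRUS">The file \.+ contain|infected with|User defined detection|scan found|error attempting to clean</var>
<!-- Event count that arms the composite rule 7550 (frequency="$MCAFEE_FREQ"). -->
17 <var name="MCAFEE_FREQ">10</var>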
<!--
  NOTE(review): this listing omits source lines (every </rule>, the closing
  </group> and most <if_sid> children are not shown). The comments below
  describe only the visible lines; do not infer the parent of a rule whose
  <if_sid> is missing from this view.
-->
<!-- The trailing comma follows OSSEC's comma-separated group-list convention. -->
19 <group name="mcafee,">
<!-- Level 0 anchor rule: selects Windows event-log events whose source begins with
     McLogEvent (McAfee). It never alerts by itself; the rules below chain to it
     via <if_sid>. 18101 to 18103 are assumed to be the Windows event-log
     information/warning/error rules - confirm in the windows rules file. -->
20 <rule id="7500" level="0">
21 <if_sid>18101,18102,18103</if_sid>
22 <category>windows</category>
23 <extra_data>^McLogEvent</extra_data>
24 <description>Grouping of McAfee Windows AV rules.</description>
<!-- Severity tiers by event id. Only rule 7503's <id> line is visible; 7501 and 7502
     presumably match $MCAFEE_INFO and $MCAFEE_WARN (their <id> lines are not shown). -->
27 <rule id="7501" level="2">
30 <description>McAfee Windows AV informational event.</description>
33 <rule id="7502" level="3">
36 <description>McAfee Windows AV warning event.</description>
39 <rule id="7503" level="4">
41 <id>$MCAFEE_ERROR</id>
42 <description>McAfee Windows AV error event.</description>
<!-- Detection outcome. 7504 (level 12) fires on the $MCAFEE_VIRUS regex, a detection with
     no remediation wording in the pattern; 7505 (level 7) fires when the message carries a
     remediation phrase from $MCAFEE_VIRUS_OK. Whether 7505 is chained under 7504 (so the
     remediated case downgrades the alert) depends on an <if_sid> line not shown here. -->
45 <rule id="7504" level="12">
47 <regex>$MCAFEE_VIRUS</regex>
49 <description>McAfee Windows AV - Virus detected and not removed.</description>
52 <rule id="7505" level="7">
54 <match>$MCAFEE_VIRUS_OK</match>
56 <description>McAfee Windows AV - Virus detected and properly removed.</description>
<!-- Deferred removal: the file was not cleaned immediately but is scheduled for deletion. -->
59 <rule id="7506" level="7">
61 <match>Will be deleted</match>
63 <description>McAfee Windows AV - Virus detected and file will be deleted.</description>
<!-- Scan lifecycle: start/stop and clean completion are low-level informational alerts. -->
66 <rule id="7507" level="3">
68 <match>scan started|scan stopped</match>
69 <description>McAfee Windows AV - Scan started or stopped.</description>
72 <rule id="7508" level="3">
75 <match>completed. No detections</match>
76 <description>McAfee Windows AV - Scan completed with no viruses found.</description>
<!-- Interrupted scans. NOTE(review): the first alternative below is "scan was cancelled "
     with a trailing space, so a message where the word is followed by punctuation or end
     of line (for example "scan was cancelled.") would not match it - confirm against real
     event samples. 7509 and 7510 also use different spellings (cancelled / canceled),
     presumably copied from the product's own messages. -->
79 <rule id="7509" level="7">
81 <match>scan was cancelled |has taken too long</match>
82 <description>McAfee Windows AV - Virus scan cancelled.</description>
85 <rule id="7510" level="5">
87 <match>scan was canceled because</match>
88 <description>McAfee Windows AV - Virus scan cancelled due to shutdown.</description>
<!-- Signature (DAT) and engine update outcomes. A failed or cancelled update (7512, 7513)
     leaves the host with stale signatures, hence level 7 versus level 3 for success. -->
91 <rule id="7511" level="3">
93 <match>update was successful</match>
94 <description>McAfee Windows AV - Virus program or DAT update succeeded.</description>
<!-- NOTE(review): "07512" is the only rule id in the file written with a leading zero. It
     presumably parses as 7512, but the inconsistency invites mistakes in <if_sid> references;
     prefer id="7512". -->
97 <rule id="07512" level="7">
99 <match>update failed</match>
100 <description>McAfee Windows AV - Virus program or DAT update failed.</description>
103 <rule id="7513" level="7">
104 <if_sid>7500</if_sid>
105 <match>update was cancelled</match>
106 <description>McAfee Windows AV - Virus program or DAT update cancelled.</description>
<!-- EICAR is the standard AV test file, so a hit is expected during testing: this child of
     7505 lowers the level to 5 while alert_by_email keeps it visible to the operator. -->
109 <rule id="7514" level="5">
110 <if_sid>7505</if_sid>
111 <match>contains the EICAR test file</match>
112 <options>alert_by_email</options>
113 <description>McAfee Windows AV - EICAR test file detected.</description>
116 <!-- Composite rules -->
<!-- Escalates a burst of warnings: fires when rule 7502 (level 3) has matched about
     $MCAFEE_FREQ (10) times within 240 seconds. OSSEC's frequency counter is known to be
     off by a small constant in some versions - confirm the exact trigger count. The rule's
     closing tag and the rest of the group are outside this view. -->
118 <rule id="7550" level="10" frequency="$MCAFEE_FREQ" timeframe="240">
119 <if_matched_sid>7502</if_matched_sid>
120 <description>Multiple McAfee AV warning events.</description>