<PolityDescription>This policy has generic rules against some common network threats: Denial of Service, spoofing, malformed protocols, port scans, OS fingerprinting, etc.</PolityDescription>
<PolityName>Generic Application Control Policy (ACR) for Windows Systems</PolityName>
<PolityDescription>This policy has generic Application Control Rules (ACR) for all Windows Systems. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<PolityName>Specific Application Control (AC) Policy for NT Systems</PolityName>
<PolityDescription>This policy has specific Application Control Rules (ACR) for NT Systems. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<PolityName>Generic Firewall Access Control List (FACL) Policy for Windows Systems</PolityName>
<PolityDescription>This policy has generic Firewall Rules for all Windows Systems. It includes rules for network virus protection and for network access control for common applications and protocols.</PolityDescription>
<PolityName>Specific Application Control (AC) Policy for Servers</PolityName>
<PolityDescription>This policy has specific Application Control Rules (ACR) for Servers. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<PolityName>Specific Application Control (AC) Policy for Internet Information Server</PolityName>
<PolityDescription>This policy has specific Application Control Rules (ACR) for Internet Information Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<PolityName>Specific Application Control (AC) Policy for SQL Server</PolityName>
<PolityDescription>This policy has specific Application Control Rules (ACR) for SQL Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<PolityName>Specific Application Control (AC) Policy for Exchange Server</PolityName>
<PolityDescription>This policy has specific Application Control Rules (ACR) for Exchange Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</PolityDescription>
<ContainerDescription>This container has Panda's High Priority Rules. These rules are matched first (all OSes except 9x).</ContainerDescription>
<ContainerName>Zero Policy Container for 9x</ContainerName>
<ContainerDescription>This container has Panda's High Priority Rules. These rules are matched first (only for 9x systems).</ContainerDescription>
<ContainerDescription>This container has generic rules against some common network threats: Denial of Service, spoofing, malformed protocols, port scans, OS fingerprinting, etc.</ContainerDescription>
<ContainerName>Generic Application Control Rules (ACR) Container for Windows Systems</ContainerName>
<ContainerDescription>This container has generic Application Control Rules (ACR) for all Windows Systems. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>All processes can execute the Microsoft Doctor Watson error-reporting tools. Other rules block some applications from executing executables; this rule avoids false positives with the Doctor Watson tools.</RuleDescription>
<RuleDescription>In normal behaviour, email clients, MSN, IM clients, video/sound players, text editors, Office applications, compressors, etc. do not need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>Many spyware programs always use the same CLSIDs. They create these CLSIDs in the registry to execute as a BHO, to integrate with Internet Explorer or Explorer, or to start at every reboot. If you receive an alert, some kind of spyware is being installed on your system.</RuleDescription>
<RuleDescription>Windows always checks whether c:\explorer.exe exists; if this file exists, Windows executes it instead of the real Windows Explorer. If you receive an alert, some kind of malware is trying to create or execute the file c:\explorer.exe. This is a dangerous operation.</RuleDescription>
<RuleDescription>MSHTA (Microsoft HTML Application Host) is a scripting language. MSHTA can write .exe, .scr, .pif and .com files. Some IE vulnerabilities allow .hta files to be created and executed with the MSHTA interpreter. If you receive an alert, some kind of IE vulnerability is being exploited.</RuleDescription>
<RuleDescription>Modifying the Windows HOSTS file allows malware to redirect your web requests (e.g. www.google.com) to malware sites. If you receive an alert, some application is trying to modify the HOSTS file. Some legitimate applications need to modify it, but most of the time it is a malware action.</RuleDescription>
<RuleDescription>In normal behaviour, web browsers (like IE, Firefox, Opera) do not need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>In normal behaviour, web browsers do not execute files from downloaded-program directories. This rule protects against some IE vulnerabilities (exploited by downloaders). If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>Registry tools (regedit or regedt32) are used to modify system configuration parameters. Windows File Protection (WFP) monitors modifications to the core system files and restores the modified files. If you receive an alert, some kind of malware is disabling the registry tools and WFP.</RuleDescription>
<RuleDescription>MSHTA (Microsoft HTML Application Host) is a scripting language. MSHTA can write or execute .exe, .scr, .pif and .com files. Some IE vulnerabilities allow .hta files to be created and executed with the MSHTA interpreter. If you receive an alert, some kind of IE vulnerability with Object Data is being exploited.</RuleDescription>
<RuleDescription>MSHTA (Microsoft HTML Application Host) is a scripting language. MSHTA can modify IE settings. Some IE vulnerabilities can allow IE to create .hta files and execute them with the MSHTA interpreter. If you receive an alert, some kind of IE vulnerability is being exploited, and this rule prevents modification of IE settings such as Start Page, Search Page, default Search Bar, etc.</RuleDescription>
<RuleDescription>Some IE settings (Start Page, Search Bar, Use Search Asst) are modified by legitimate programs (Google Toolbar, MSN Messenger, ...) or manually by the user. If you receive an alert, you have to decide whether these are legitimate modifications (if you are installing software or modifying IE settings by hand) or a malware action (for example, if you are not installing software).</RuleDescription>
<RuleDescription>Some IE settings (Start Page, Search Bar, Use Search Asst) are modified by legitimate programs (Google Toolbar, MSN Messenger, ...) or manually by the user. If you receive an alert, you have to decide whether these are legitimate modifications (if you are installing software or modifying IE settings by hand) or a malware action (for example, if you are not installing software).</RuleDescription>
<RuleDescription>The Winlogon Shell Application (explorer.exe) is the default Windows shell. It is configured in the Windows Registry. In normal behaviour this setting never changes, so if you receive an alert, some kind of malware is trying to change it to execute a malicious program.</RuleDescription>
<RuleDescription>Some Sony programs include rootkit technology. This is a potential flaw that malware can use to become "invisible". If you receive an alert, some kind of malware is trying to exploit the Sony Rootkit flaw.</RuleDescription>
<RuleDescription>Some Sony programs include rootkit technology. This is a potential flaw that malware can use to become "invisible". If you receive an alert, some kind of malware is trying to exploit the Sony Rootkit flaw.</RuleDescription>
<RuleDescription>PowerPoint vulnerabilities have recently been discovered. Basically, ppt files that exploit them try to create executable files on the system. In normal behaviour, PowerPoint can copy pptview.exe to support the "PowerPoint Presentation on CD" feature.</RuleDescription>
<RuleDescription>MS Office, Acrobat and Windows Multimedia vulnerabilities have recently been discovered (PowerPoint, Excel, Word, Wmplayer, Acrobat Reader, ... are vulnerable). In normal behaviour these applications do not create executable files on the system. So if you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>MS Office, Acrobat and Windows Multimedia vulnerabilities have recently been discovered (PowerPoint, Excel, Word, Wmplayer, Acrobat Reader, ... are vulnerable). In normal behaviour these applications do not create executable files on the system. So if you receive an alert, some kind of vulnerability is being exploited. (Protection for MS06-012)</RuleDescription>
<RuleDescription>WinAmp vulnerabilities have recently been discovered. In normal behaviour WinAmp does not execute files. So if you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>All W32/Viking virus variants create files with a common name, so execution or creation of these files is not allowed. This rule prevents W32/Viking infections. So if you receive an alert, a W32/Viking variant is trying to infect your system.</RuleDescription>
<RuleDescription>Foxit Reader does not create executable files on the system. So if you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<ContainerName>Specific Application Control (AC) Container for NT Systems</ContainerName>
<ContainerDescription>This container has specific Application Control Rules (ACR) for NT Systems. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>Some Sony programs include rootkit technology. This is a potential flaw, and Sony has published an uninstaller as an ActiveX control. However, this ActiveX control has a dangerous vulnerability, so if you receive an alert, some kind of malware is trying to exploit the Sony Rootkit ActiveX Uninstaller.</RuleDescription>
<ContainerName>Generic Firewall Access Control List (FACL) Container for Windows Systems</ContainerName>
<ContainerDescription>This container has generic Firewall Rules for all Windows Systems. It includes rules for network virus protection and for network access control for common applications and protocols.</ContainerDescription>
<DPIFLanguage>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Exploit/ms08-067 rule 3"; content:"|1F 00|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|";)</DPIFLanguage>
<DPIFLanguage>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Exploit/ms08-067 rule 4"; content:"|1F 00|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|";)</DPIFLanguage>
<DPIFLanguage>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Exploit/ms08-067 rule 7"; content:"|20 00|"; content:"|00 2E 00 2E 00 2F 00 2E 00 2E 00 2F|";)</DPIFLanguage>
<DPIFLanguage>alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"Exploit/ms08-067 rule 8"; content:"|20 00|"; content:"|00 2E 00 2E 00 5C 00 2E 00 2E 00 5C|";)</DPIFLanguage>
<RuleDescription>SafeBoot SVCHOST.EXE [incoming] (Svchost is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. This program is important for the stable and secure running of the computer, and controls services like NTP, epmap, Remote Desktop, ...)</RuleDescription>
<RuleDescription>SafeBoot SVCHOST.EXE [outgoing] (Svchost is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. It manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load. This program is important for the stable and secure running of the computer, and controls services like NTP, epmap, Remote Desktop, ...)</RuleDescription>
<RuleDescription>SafeBoot SERVICES.EXE [Incoming] (Services.exe manages the starting and stopping of services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of the computer)</RuleDescription>
<RuleDescription>SafeBoot SERVICES.EXE [Outgoing] (Services.exe manages the starting and stopping of services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of the computer)</RuleDescription>
<RuleDescription>SafeBoot LSASS.EXE [Incoming] (Lsass is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of the computer)</RuleDescription>
<RuleDescription>SafeBoot USERINIT.EXE [Incoming] (On boot-up it manages the different start up sequences needed, such as establishing network connection and starting up the Windows shell. This program is important for the stable and secure running of your computer)</RuleDescription>
<RuleDescription>SafeBoot WINLOGON.EXE [Incoming] (Winlogon is a process belonging to the Windows login manager. It handles the login and logout procedures on your system. This program is important for the stable and secure running of your computer)</RuleDescription>
<RuleDescription>SafeBoot SYSTEM [Incoming] (Windows Memory Handler System Process [SYSTEM] is the core of the Windows System. This core process controls protocols and services like ARP, Microsoft-DS, NetBIOS)</RuleDescription>
<RuleDescription>SafeBoot SYSTEM [Outgoing] (Windows Memory Handler System Process [SYSTEM] is the core of the Windows System. This core process controls protocols and services like ARP, Microsoft-DS, NetBIOS)</RuleDescription>
<RuleDescription>SafeBoot TCPSVCS.EXE [Incoming] (This process is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of the computer)</RuleDescription>
<RuleDescription>SafeBoot TCPSVCS.EXE [Outgoing] (This process is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of the computer)</RuleDescription>
<RuleDescription>SafeBoot DNS.EXE [Incoming] (Dns.exe is the main process which handles the Microsoft Windows DNS server, if enabled. This program is important for the stable and secure running of your server)</RuleDescription>
<RuleDescription>SafeBoot DNS.EXE [Outgoing] (Dns.exe is the main process which handles the Microsoft Windows DNS server, if enabled. This program is important for the stable and secure running of your server)</RuleDescription>
<RuleDescription>SafeBoot MPREXE.EXE (It allows the computer to use multiple network protocols and network adapters by routing between them, e.g. connecting to a Windows network and a Novell network at the same time)</RuleDescription>
<RuleDescription>Deny NetBIOS (UDP) in secure network devices. Incoming connections (except port 137 to allow NetBIOS resolution in W9X)</RuleDescription>
<ContainerName>Specific Application Control (AC) Container for Servers</ContainerName>
<ContainerDescription>This container has specific Application Control Rules (ACR) for Servers. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>In normal behaviour, Network Server Applications (dns, wins, snmp) do not need to execute administration, network or command shell tools. If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>In normal behaviour, Network Server Applications (dns, wins, snmp) do not need to modify system registry entries for Windows System Settings (AutoRuns, IE Settings). If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<RuleDescription>In normal behaviour, the DNS Server Application (dns.exe) does not need to create or execute any executable. If you receive an alert, some kind of vulnerability is being exploited.</RuleDescription>
<ContainerName>Specific Application Control (AC) Container for Internet Information Server</ContainerName>
<ContainerDescription>This container has specific Application Control Rules (ACR) for Internet Information Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>In normal behaviour, IIS Web Server Applications do not need to execute administration, network or command shell tools. If you receive an alert, some kind of IIS vulnerability is being exploited.</RuleDescription>
<ContainerName>Specific Application Control (AC) Container for SQL Server</ContainerName>
<ContainerDescription>This container has specific Application Control Rules (ACR) for SQL Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>In normal behaviour, SQL Server Applications do not need to execute administration, network or command shell tools. If you receive an alert, some kind of SQL Server vulnerability is being exploited.</RuleDescription>
<RuleDescription>In normal behaviour, SQL Server Applications do not need to execute administration, network or command shell tools. If you receive an alert, some kind of SQL Server vulnerability is being exploited.</RuleDescription>
<ContainerName>Specific Application Control (AC) Container Exchange Server</ContainerName>
<ContainerDescription>This container has specific Application Control Rules (ACR) for Exchange Server. ACRs block some dangerous behaviour detected when an application vulnerability is exploited.</ContainerDescription>
<RuleDescription>In normal behaviour, Exchange Server Applications do not need to execute administration, network or command shell tools. If you receive an alert, some kind of Exchange Server vulnerability is being exploited.</RuleDescription>
<GroupDescription>List of extensions that cannot be run directly from the mail client. Microsoft Outlook updates are available that prevent extensions considered dangerous, which are often used by viruses, worms and Trojans, from being run or accessed.</GroupDescription>
<GroupDescription>Microsoft's security subsystem executable files (which ensure the correct functioning of the authentication and authorization services, for example: Kerberos and LDAP, required by Winlogon).</GroupDescription>
<GroupDescription>Virtual directories that can be accessed via the Internet. For example: the virus W32/CodeRed.D modifies Registry entries to allow full access to the file system.</GroupDescription>