home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
PC World 2008 March
/
PCWorld_2008-03_cd.bin
/
temacd
/
outpostfirewall
/
OutpostProInstall.exe
/
{code_GetDest}
/
machine.ini
< prev
next >
Wrap
INI File
|
2007-12-20
|
31KB
|
825 lines
; Warning! Agnitum Ltd. is not responsible for your system security and proper functioning
; in case of manual modification of this file
; -------------------------------------------------------------------------------------------------------------------------
; General Settings
; -------------------------------------------------------------------------------------------------------------------------
[General]
; This value configures firewall driver behavior in case of unexpected ACS shutdown.
; If TRUE, all network activity is blocked.
ExitProtection=TRUE
; Protection of Outpost files and registry after service shutdown.
SelfProtectinOnExit=TRUE
; Enable or disable TCP telnet server on 805 port
EnableDebugTCPServer=false
; Enable or disable monitor(op_mon) start/stop service(acs)
MonitorControllService=true
AdvancedLogs=no
; Do you want to start acs service if outpost gui is started
StartACSOnMonitorStartup=yes
[GeneralDebug]
;
; This value configures firewall driver behavior in case of unexpected ACS shutdown.
; If TRUE, all network activity is blocked.
ExitProtection=FALSE
; Protection of Outpost files and registry after service shutdown.
SelfProtectinOnExit=FALSE
; Enable or disable TCP telnet server on 805 port
EnableDebugTCPServer=true
; Enable or disable monitor(op_mon) start/stop service(acs)
MonitorControllService=false
; Do you want to start acs service if outpost gui is started
StartACSOnMonitorStartup=no
[GlobalFirewallRules]
; block netbios rules
BlockNetbios=yes
; block no-first fragments arrives before first fragment
BlockNoOrderedFragment=yes
; block icmp do not allowed by settings
BlockNotAllowedICMP=yes
; -------------------------------------------------------------------------------------------------------------------------
; AFW Driver Settings
; -------------------------------------------------------------------------------------------------------------------------
[AFW]
; Allow traffic processing in user mode.
EnableContentHandler=TRUE
EnableContentProcessing=TRUE
; -------------------------------------------------------------------------------------------------------------------------
; On Access Virus Scanner Settings
; -------------------------------------------------------------------------------------------------------------------------
[OnAccessScanner]
; Enable on-access scanner functionality. This functionality can be disanled due to compatibility reason
; with third-party AV software
EnableScanner=true
; If enabled, on-access scanner do not scan files on close.
CompatibilityMode=false
; If enabled, on-access scanner do not scan files on any access
CompatibilityDisableOnAnyAccess=false
; If enabled, use extended attributes for cache files(not modified attributes)
;EnableAttributes=true
; -------------------------------------------------------------------------------------------------------------------------
; Antimalware Settings
; -------------------------------------------------------------------------------------------------------------------------
[Antimalware]
Engines=asw
RebootScanProfile=
RebootScan=FALSE
; -------------------------------------------------------------------------------------------------------------------------
; Autoupdate Settings
; -------------------------------------------------------------------------------------------------------------------------
[update]
; Path to the update server including root folder.
server=http://updates.agnitum.com/update_suite20
; Local path for update operation. This folder will contain all files, created during update operation.
update_dir=update_oss20
[ConfigWizard]
UpdatePreset=FALSE
; -------------------------------------------------------------------------------------------------------------------------
; News download Settings
; -------------------------------------------------------------------------------------------------------------------------
[news]
; news download path from the root of acs.exe
NewsPath=news
; date of last news downloaded from server
;LastNewsBuild=1
[Languages]
CurrentLang=en
LangList=en|ru|de|es|fr
; -------------------------------------------------------------------------------------------------------------------------
; Multimacros Description
; -------------------------------------------------------------------------------------------------------------------------
; Records containing such fragments will be expanded into several records.
; For example:
; REGISTRY\{MachineOrUser}\Software\Microsoft\Windows\CurrentVersion\Run
; will be expanded as:
; REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
; REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Run
[System32OrWow]
; 'System' folder description for x86 and x64 Windows platforms.
System32
SysWow64
[Software32Or64]
; 'Software' registry section description for x86 and x64 Windows platforms.
SOFTWARE
SOFTWARE\Wow6432Node
[SoftwareClasses32Or64]
; 'Software' registry section description for x86 and x64 Windows platforms.
SOFTWARE\CLASSES\
SOFTWARE\CLASSES\Wow6432Node
[MachineOrUser]
; Description of registry sections that are common for a user and a system.
MACHINE
<User>
[OpenOrRunAs]
; Registry records - either Open, or RunAs - for shell.
open
runas
[ControlSet]
; x64 interceptor identifies ControlSet* as CurrentControlSet.
ControlSet*
CurrentControlSet
; -------------------------------------------------------------------------------------------------------------------------
; Macros Description
; -------------------------------------------------------------------------------------------------------------------------
[Macro]
; This section contains macro definitions. They can be applied to SelfProtection rules.
; Macros is defined in the following format:
; MacroName=Value
; Macros is used the following way: <MacroName>. <MacroName> substring is replaced by Value.
; Recursive macros definition is allowed, for example:
; Macro1=aaa
; Macro2=<Macro1>bbb
; However in direct sequence only (Macro1 macros should be defined before using Macro2).
; WindowsDir and SystemDir macroses are already defined.
DriversDir=<SystemDir>\Drivers
FiltDir=<SystemDir>\Filt
FullAccess=read write rename delete exec connect open_process thread_start thread_stop write_mem thread_ctx
NoLearn=no_learn_open no_learn_exec no_learn_read no_learn_write no_learn_create no_learn_delete no_learn_rename
LimitedAccess=no_learn_open read exec thread_start no_set_hook no_send_close allow_init_dde no_send_input no_find_window
LimitedAccessNoLearn=<LimitedAccess> <NoLearn>
AllFiles=*
SystemDir32OrWow=<WindowsDir>\{System32OrWow}
MachineServices=MACHINE\System\{ControlSet}\Services
MachineCurrentVersion=MACHINE\Software\Microsoft\Windows\CurrentVersion
MachineNTCurrentVersion3264=MACHINE\{Software32Or64}\Microsoft\Windows NT\CurrentVersion
CurrentVersionUserMachine3264={MachineOrUser}\{Software32Or64}\Microsoft\Windows\CurrentVersion
User=USER\*
; Compiler directories are added to exclusions for debug convenience.
[VCDirs]
e:\msdev.2005
C:\Program Files\Microsoft Visual Studio 8
; Compiler files
[Compilers]
cl.exe
link.exe
; Windbg directories are added to exclusions for debug convenience.
[WinDBGDirs]
c:\Program Files\Debugging Tools for Windows
c:\Program Files (x86)\Debugging Tools for Windows
; Compiler files
[DebuggerFiles]
agestore.exe
breakin.exe
cdb.exe
dbengprx.exe
dbgrpc.exe
dbgsrv.exe
dbh.exe
dumpchk.exe
dumpexam.exe
gflags.exe
i386kd.exe
ia64kd.exe
kd.exe
kdbgctrl.exe
kdsrv.exe
kill.exe
list.exe
logger.exe
logviewer.exe
ntsd.exe
remote.exe
rtlist.exe
symchk.exe
symstore.exe
tlist.exe
umdh.exe
windbg.exe
; Sysinternals directories are added to exclusions for debug convenience.
[SysInternalDirs]
c:\Sys Internals
; Compiler files
[SysInternalFiles]
ProcessExplorer\procexp.exe
ProcessMonitor\Procmon.exe
; Compiler files are added to exclusions for debug convenience.
[VCFiles]
{VCDirs}\common7\ide\devenv.exe
{VCDirs}\vc\bin\x86_amd64\{Compilers}
{VCDirs}\vc\bin\{Compilers}
{VCDirs}\Common7\IDE\Remote Debugger\x64\msvsmon.exe
{VCDirs}\Common7\IDE\mspdbsrv.exe
; WinDBG files are added to exclusions for debug convenience.
[WinDbgFiles]
{WinDBGDirs}\{DebuggerFiles}
; SysInternals files are added to exclusions for debug convenience.
[WinDbgFiles]
{WinDBGDirs}\{DebuggerFiles}
; SysInternals files are added to exclusions for debug convenience.
[SysIntFiles]
{SysInternalDirs}\{SysInternalFiles}
; -------------------------------------------------------------------------------------------------------------------------
; Self-Protection Settings
; -------------------------------------------------------------------------------------------------------------------------
[UserAntileakExclusions]
; This section contains applications that are not monitored by Anti-leak.
<SystemDir>\alg.exe
<SystemDir>\dwm.exe
<SystemDir>\wmiprvse.exe
<SystemDir>\wdfmgr.exe
<SystemDir>\taskeng.exe
[AntileakExclusions]
; This section contains applications that are not monitored by Anti-leak.
<SystemDir>\ntoskrnl.exe
<SystemDir>\csrss.exe
<SystemDir>\lsass.exe
<SystemDir>\smss.exe
<SystemDir>\svchost.exe
<SystemDir>\winlogon.exe
<SystemDir>\taskeng.exe
{OutpostExecutable}
{UserAntileakExclusions}
[SelfProtectionExclusions]
; This section contains self-protection exclusions.
[OutpostExecutable]
; This section defines a set of applications that have access to Outpost folder and registry.
<ExecDir>\acs.exe
<ExecDir>\op_mon.exe
<ExecDir>\feedback.exe
<ExecDir>\unins000.exe
<ExecDir>\unins001.exe
<ExecDir>\unins002.exe
<ExecDir>\unins003.exe
<ExecDir>\unins004.exe
<ExecDir>\unins005.exe
<ExecDir>\unins006.exe
<ExecDir>\unins007.exe
<ExecDir>\unins008.exe
<ExecDir>\unins009.exe
<ExecDir>\plugins\anti-spam\asp_srv.exe
[DriverNames]
sandbox
afw
vbengnt
[DriverPluginNames]
vbfilt
aswfilt
[OutpostFiles]
; This section describes the set of Outpost files.
<ExecDir>\*
<FiltDir>\*
<DriversDir>\afw.sys
<DriversDir>\sandbox.sys
<DriversDir>\sandbox64.sys
<DriversDir>\vbengnt.sys
<SystemDir>\config\prcdrv.acl
<SystemDir>\config\prc.acl
<SystemDir>\config\afw.conf
[OutpostRegistry]
; Registry keys which only Outpost has access to.
REGISTRY\<MachineCurrentVersion>\Uninstall\Agnitum Outpost Firewall Pro*\*
REGISTRY\<MachineCurrentVersion>\Uninstall\Agnitum Outpost Security Suite Pro*\*
REGISTRY\<MachineCurrentVersion>\Run\OutpostMonitor
REGISTRY\<MachineCurrentVersion>\Run\OutpostFeedBack
REGISTRY\<MachineCurrentVersion>\App Paths\acs.exe\*
REGISTRY\<MachineServices>\{DriverNames}\*
REGISTRY\<MachineServices>\{DriverPluginNames}\*
REGISTRY\<MachineServices>\acssrv\*
[ProtectedObjects]
; This section describes objects protected by self-protection mechanism.
{OutpostFiles}
{OutpostRegistry}
[TrustedApplications]
; This section describes the set of applications that have access to Outpost folder.
; In this folder self-protection exclusions are stored.
; This application should better be removed after first start.
;<SystemDir32OrWow>\runonce.exe
<SystemDir32OrWow>\autochk.exe
<SystemDir32OrWow>\csrss.exe
<SystemDir32OrWow>\svchost.exe
{AntileakExclusions}
{SelfProtectionExclusions}
[FilteredApplications]
; This section contains applications for which write access is blocked without notification from Outpost.
<SystemDir32OrWow>\mshta.exe
<SystemDir32OrWow>\rundll32.exe
<SystemDir32OrWow>\taskmgr.exe
<SystemDir32OrWow>\searchindexer.exe
[RegistryApplications]
<SystemDir32OrWow>\ntoskrnl.exe
<SystemDir32OrWow>\services.exe
<SystemDir32OrWow>\dfrgntfs.exe
[AntispamRegEntries]
spam threshold
unsure threshold
enable outlook
enable express
[LogsExt]
.log
.0
[TrustedLogs]
wl_hook
oe_mail
oe_mydb
oe_scan
oe_train
oe_sink_old
op_mail
op_scan
op_train
op_gui
selection
enum
expiredmail
adviser
[UninstallData]
unins000.dat
unins001.dat
unins002.dat
unins003.dat
unins004.dat
unins005.dat
unins006.dat
unins007.dat
unins008.dat
unins009.dat
[SelfProtection]
; In this section self-protection rules are described.
; Rules for controlling file operations are written in the following format:
; object_set, access mask, subject_set
;
; access mask:
; Attributes available for file operations (FILE=)
; read - object read operation is allowed to the entity
; write - object write operation is allowed to the entity
; delete - operation of deleting the object file is allowed to the entity
; exec - operation of launching the object is allowed to the entity
; connect - operation of launching the object is allowed to the entity
; hidden - operation of object masquerading from the entity
; full_access - object has full access to the entity
; read_only - object has read only access to the entity
; open_process - process opening is allowed
; thread_start - remote thread starting is allowed
; thread_stop - remote thread stopping is allowed
; write_mem - remote writing to process memory is allowed
; thread_ctx - remote setting of process context is allowed
; no_scan - do not scan object with on-access antivirus
; no_learn - on blocking by the rule, service will not be notified
; no_learn_open - service will not be notified on blocking open operation
; no_learn_exec - --""-- launch operation
; no_learn_read - --""-- read operation
; no_learn_write - --""-- write operation
; no_learn_create - --""-- creation operation
; no_learn_delete - --""-- deletion operation
; no_learn_rename - --""-- rename operation
; Entity description. If entity name ends with \*, two rules are added.
; One for the entity, another for its child structures with the specified mask
{OutpostExecutable} -> {ProtectedObjects} = <FullAccess>
{TrustedApplications} -> {ProtectedObjects} = <FullAccess>
<AllFiles> -> {ProtectedObjects} = <LimitedAccess>
<AllFiles> -> <ExecDir>\? = read write
{FilteredApplications} -> {OutpostFiles} = <LimitedAccessNoLearn>
{RegistryApplications} -> {OutpostRegistry} = <FullAccess>
<WindowsDir>\explorer.exe -> <ExecDir>\Thumbs.db = <FullAccess>
<WindowsDir>\explorer.exe -> {OutpostExecutable} = <LimitedAccess> allow_send_input allow_send_close
<AllFiles> -> <ExecDir>\Plugins\BrowserBar\ie_bar.ini = <FullAccess>
<AllFiles> -> <ExecDir>\{UninstallData} = <FullAccess> no_scan
<AllFiles> -> <ExecDir>\log\{TrustedLogs}{LogsExt} = <FullAccess> no_scan
<AllFiles> -> <ExecDir>\plugins\anti-spam\data\* = <FullAccess> no_scan
<AllFiles> -> REGISTRY\<User>\Software\agnitum\Security Suite\{AntispamRegEntries} = <FullAccess>
; Φ±Ωδ■≈σφΦ - ∩≡Φ Φτ∞σφσφΦΦ Ωεφ⌠Φπ≤≡α÷ΦΦ ±Φ±≥σ∞α ∩≡ε∩Φ±√Γασ≥≥ Γ ²≥Φ Γσ≥ΩΦ φεΓ√σ τφα≈σφΦ
*->REGISTRY\<MachineServices>\afw\Parameters\Adapters\* = <FullAccess>
*->REGISTRY\<MachineServices>\afw\Parameters\NdisAdapters\* = <FullAccess>
[SelfProtectionDebugAdd]
{VCFiles} -> {ProtectedObjects} = <FullAccess>
{WinDbgFiles} -> {ProtectedObjects} = <FullAccess>
{SysIntFiles} -> {ProtectedObjects} = <FullAccess>
; -------------------------------------------------------------------------------------------------------------------------
; On Access Scanner Rules
; -------------------------------------------------------------------------------------------------------------------------
[NoScanExtensions]
.log
.pf
.ci
.dir
.cdf-ms
.part
[RegsitryFileStorage]
default
components
sam
security
software
system
components
default.sav
sam.sav
security.sav
software.sav
system.sav
default.old
sam.old
security.old
software.old
system.old
[OnAccessScannerRules]
; do not scan own log files when we write them
; {OutpostExecutable} -> <ExecDir>\log\* = <FullAccess> no_scan
{OutpostExecutable} -> * = <FullAccess> no_scan
* -> <SystemRoot>\System Volume Information\* = <FullAccess> no_scan
* -> <WindowsDir>\Prefetch\* = <FullAccess> no_scan
* -> <SystemDir>\wbem\logs\* = <FullAccess> no_scan
<SystemDir>\svchost.exe -> <WindowsDir>\* = <FullAccess> no_scan
<SystemDir>\ntoskrnl.exe -> <WindowsDir>\* = <FullAccess> no_scan
<SystemDir>\DfrgNtfs.exe -> * = <FullAccess> no_scan
<SystemDir>\SearchIndexer.exe -> * = <FullAccess> no_scan
<SystemDir>\SearchFilterHost.exe -> * = <FullAccess> no_scan
<SystemDir>\SearchProtocolHost.exe -> * = <FullAccess> no_scan
<SystemDir>\wbem\wmiadap.exe -> <SystemDir>\perf*.dat = <FullAccess> no_scan
* -> \EXTENSIONS\*{NoScanExtensions} = no_scan
* -> <SystemDir>\config\{RegsitryFileStorage} = <FullAccess> no_scan
* -> <SystemDir>\config\regback\{RegsitryFileStorage} = <FullAccess> no_scan
* -> <WindowsDir>\AppPatch\sysmain.sdb = <FullAccess> no_scan
* -> <WindowsDir>\AppPatch\drvmain.sdb = <FullAccess> no_scan
; -------------------------------------------------------------------------------------------------------------------------
; System Monitor Settings (for debug purposes)
; -------------------------------------------------------------------------------------------------------------------------
[SandboxMonitor]
; This section describes monitor settings used for debug purposes only.
; Macroses do not work here.
; Operation mask for monitor. Available values:
; open exec read write close delete rename
Operations=
; Whether operations with folders are monitored.
FolderOperaton=TRUE
; Whether operations with registry are monitored.
RegistryOperation=TRUE
; Whether operations with processes are monitored.
InterprocOperation=FALSE
; Whether non-file operations are monitored.
FileOperation=FALSE
; -------------------------------------------------------------------------------------------------------------------------
; System Events Learning Settings
; -------------------------------------------------------------------------------------------------------------------------
[LearnOperations]
; This section describes learning channel settings.
; Macroses do not work in this section.
; Operation mask for the learning channel. Available values:
; open exec read write close delete rename start stop
Operations=open exec read write close delete rename
; Whether operations with folders are monitored.
FolderOperaton=TRUE
; Whether operations with registry are monitored.
RegistryOperation=TRUE
; Whether operations with processes are monitored.
InterprocOperation=TRUE
; Whether non-file operations are monitored.
FileOperation=TRUE
; -------------------------------------------------------------------------------------------------------------------------
; ImproveNet Settings
; -------------------------------------------------------------------------------------------------------------------------
[ImproveNet]
; This section describes ImproveNet settings.
; URL of the server where improve_net reports are stored
URL=http://improvenet.agnitum.com/improvenet.php
; ImproveNet task scheduling settings:
; If ScheduleDay parameter is specified, ImproveNet task will be performed weekly,
; ScheduleDay specifies the number of a day, available values are 0-6 (0 corresponds to Monday).
; If ScheduleHour and ScheduleMinute are not specified, they are considered equal to 0.
ScheduleDay=
; If ScheduleHour parameter is specified (without ScheduleDay parameter), ImproveNet task will be performed
; daily, ScheduleHour specifies the number of an hour, available values are 0-23.
; If ScheduleMinute not specified, it is considered equal to 0.
ScheduleHour=14
; If ScheduleMinute parameter is specified (without ScheduleDay and ScheduleHour), ImproveNet task will be
; performed hourly, ScheduleMinute specifies the number of a minute, available values are 0-59.
ScheduleMinute=0
; ScheduleDay, ScheduleHour, ScheduleMinute settings can be specified together,
; for example, if all these parameters are specified, ImproveNet task will be performed weekly on the specified day,
; at the specified time.
[HTTPService]
; This section describes HTTP settings used in http_service.
; HTTPVersion parameter specifies version to be used in requests,
; available values are 0.0, 1.0, 1.1
HTTPVersion=1.0
; AppendProductArg parameter specifies that product name should be added to each request,
; available values are TRUE, FALSE
AppendProductArg=FALSE
; AllowCaching parameter enables/disables caching,
; available values are TRUE, FALSE
AllowCaching=FALSE
; Proxy parameter defines whether proxy should be used, available
; values are auto, specified, disabled
Proxy=auto
; ProxyAddress, ProxyPort parameters are used if Proxy=specified,
; these parameters specify proxy server address and port
ProxyAddress=
ProxyPort=8080
; ProxyAuth parameter specifies that proxy requires authorization, availavle values are TRUE, FALSE;
; ProxyLogin, ProxyPassword parameters specify credentials
ProxyAuth=false
; ProxyLogin, ProxyPassword parameters specify login and password for the proxy that requires autorization.
ProxyLogin=
ProxyPassword=
[Protect]
; Protect plug-in state. If FALSE, no configuration in driver.
Enable=TRUE
; Maximum number of remote hosts for each attack, after which
; the reports are stopped till report_timeout expiration.
MaxReportHost=10
; Pause before repeated message about the attack for the
; remote host, in hundreds ms.
ReportTimeout=6000
; -------------------------------------------------------------------------------------------------------------------------
; Critical Objects Monitor Settings
; -------------------------------------------------------------------------------------------------------------------------
[SystemMonitor]
; Main object monitor section.
; This section describes records for monitor.
RegAutoStart=Auto Start Entries
RegAutoLoad=Auto Start Modules
RegWinLogon=WinLogon Settings
RegShellExtensions=Shell Extensions
RegShellCriticalEntries=Shell Critical Entries
RegApplicationRestrictions=Application Restrictions
RegActiveDesktop=Active Desktop
RegInternetSettings=Internet Settings
RegInternetExplorerPlugins=Explorer Plug-Ins
RegInternetExplorerSettings=Explorer Settings
Reg3rdPartyApplications=Third-Party Applications
LegacyConfigurationFiles=Legacy Configuration Files
[DefragApp]
; Defragmentation sotfware category.
<SystemDir32OrWow>\dfrgntfs.exe
[RegShellExtensions]
; Shell Extensions.
*->REGISTRY\<MachineCurrentVersion>\Explorer\Browser Helper Objects\*=read
*->REGISTRY\<MachineCurrentVersion>\Shell Extensions\Approved\*=read
*->REGISTRY\<MachineCurrentVersion>\ShellServiceObjectDelayLoad\*=read
*->REGISTRY\<MachineCurrentVersion>\Explorer\RemoteComputer\NameSpace\*=read
*->REGISTRY\<CurrentVersionUserMachine3264>\Explorer\SharedTaskScheduler\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\SystemFileAssociations\shellex\ContextMenuHandlers\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Active Setup\Installed Components\*=read
<WindowsDir>\explorer.exe->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Active Setup\Installed Components\*=read write
[RegShellCriticalEntries]
; Object 'Windows Shell Open Commands' (85)----------
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\exefile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\comfile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\piffile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\batfile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\cmdfile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\MACHINE\{SoftwareClasses32Or64}\scrfile\shell\{OpenOrRunAs}\command\*=read
*->REGISTRY\<CurrentVersionUserMachine3264>\Explorer\ShellExecuteHooks\*=read
[RegApplicationRestrictions]
; Application restrictions.
*->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\*=read
*->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\System\*=read
*->REGISTRY\<User>\Software\Policies\Microsoft\Internet Explorer\Control Panel\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Policies\Microsoft\Internet Explorer\Restrictions\*=read
*->REGISTRY\<MachineCurrentVersion>\Policies\DisableRegistryTools=read
[RegInternetSettings]
; LSP providers.
*->REGISTRY\<MachineServices>\WinSock2\Parameters\*=read
*-><SystemDir>\Drivers\Etc\hosts=read
<SystemDir32OrWow>\svchost.exe-><SystemDir>\Drivers\Etc\hosts=read write
{DefragApp}-><SystemDir>\Drivers\Etc\hosts=read write
[RegActiveDesktop]
; Active Desktop settings.
*->REGISTRY\<User>\Control Panel\Desktop\*=read
*->REGISTRY\<User>\Control Panel\Desktop\WindowMetrics\*=read write delete
*->REGISTRY\<User>\Software\Microsoft\Internet Explorer\Desktop\General\*=read
<WindowsDir>\explorer.exe->REGISTRY\<User>\Software\Microsoft\Internet Explorer\Desktop\General\*=read write delete
[RegInternetExplorerPlugins]
; Internet Explorer Plug-Ins.
*->REGISTRY\MACHINE\{Software32Or64}\Microsoft\Internet Explorer\Plugins\Extension\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\MenuExt\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Extensions\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Explorer Bars\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Toolbar\ShellBrowser\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read
<WindowsDir>\explorer.exe->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Toolbar\ShellBrowser\*=read write
<ProgramDir>\Internet Explorer\iexplore.exe->REGISTRY\{MachineOrUser}\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read write
<ProgramDirWow>\Internet Explorer\iexplore.exe->REGISTRY\{MachineOrUser}\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\WebBrowser\*=read write
<ProgramDir>\Internet Explorer\iexplore.exe->\REGISTRY\{MachineOrUser}\SOFTWARE\MICROSOFT\Internet Explorer\Extensions\*=read write
<ProgramDirWow>\Internet Explorer\iexplore.exe->\REGISTRY\{MachineOrUser}\SOFTWARE\Wow6432Node\MICROSOFT\Internet Explorer\Extensions\*=read write
[RegInternetExplorerSettings]
; Internet Explorer URLs
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Main\Start Page=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\Main\Search Page=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\AboutURLs\*=read
*->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\URLSearchHooks\*=read
<SystemDir32OrWow>\ie4uinit.exe->REGISTRY\{MachineOrUser}\{Software32Or64}\Microsoft\Internet Explorer\*=read write delete
[RegAutoStart]
; Startup Registry Files.
*->REGISTRY\<CurrentVersionUserMachine3264>\Run\*=read
*->REGISTRY\<CurrentVersionUserMachine3264>\RunOnce\*=read
*->REGISTRY\<CurrentVersionUserMachine3264>\RunOnceEx\*=read
*->REGISTRY\<CurrentVersionUserMachine3264>\RunServices\*=read
*->REGISTRY\<User>\Software\Microsoft\Windows NT\CurrentVersion\Windows\load=read
*->REGISTRY\<User>\Software\Microsoft\Windows NT\CurrentVersion\Windows\run\*=read
*->REGISTRY\<MachineNTCurrentVersion3264>\Image File Execution Options\*=read
*->REGISTRY\<MachineCurrentVersion>\policies\Explorer\Run\*=read
;*->C:\Documents and Settings\*\StartMenu\Programs\Startup\*=read
<SystemDir>\ctfmon.exe->REGISTRY\USER\*\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe=read write delete
<SystemDir>\ctfmon.exe->REGISTRY\USER\*\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe=read write delete
<SystemDir>\wermgr.exe->REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LHWerQueuedReporting=read write delete
[RegAutoLoad]
; AppInit Dlls.
*->REGISTRY\MACHINE\{Software32Or64}\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=read
*->REGISTRY\MACHINE\{Software32Or64}\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs=read
*->REGISTRY\MACHINE\{Software32Or64}\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib=read
[RegWinLogon]
; Windows Logon Policies.
*->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\GPExtensions\*=read
*->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\Notify\*=read
*->REGISTRY\<MachineNTCurrentVersion3264>\WOW\boot\shell=read
*->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\Userinit=read
*->REGISTRY\<MachineNTCurrentVersion3264>\Winlogon\Shell=read
*->REGISTRY\{MachineOrUser}\Software\Policies\Microsoft\Windows\System\Scripts\Logon\*=read
*->REGISTRY\<User>\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell*=read
[Reg3rdPartyApplications]
; Critical non-MS application settings.
[ProtectedConfigFiles]
; Configuration files protected from modification.
<WindowsDir>\win.ini
<WindowsDir>\system.ini
<SystemRoot>\autoexec.bat
<SystemRoot>\config.sys
<WindowsDir>\winstart.bat
<WindowsDir>\dosstart.bat
<SystemDir>\autoexec.nt
<SystemDir>\config.nt
[LegacyConfigurationFiles]
; Windows win.ini file.
*->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\system.ini\*=read
*->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\win.ini\*=read
*->REGISTRY\<MachineNTCurrentVersion3264>\IniFileMapping\control.ini\*=read
*->{ProtectedConfigFiles}=read
{DefragApp}->{ProtectedConfigFiles}=read write
; REGISTRY\<MachineServices>\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\*
; REGISTRY\<MachineServices>\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\*
; REGISTRY\<MachineServices>\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*
; REGISTRY\<MachineServices>\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\*
; Off screen
; ActiveX registration
; Services registration
; Object 'Explorer Trojan' (93)----------
; Dir: ±:\. Search explorer.exe
; FILE: 'C:\WINDOWS\control.ini' listen 'MMCPL-inetcpl.cpl' section-value. Check data for 'no' value.
; [RestrictAnonymous]
; Windows Restrict Anonymous
; REGISTRY\MACHINE\SYSTEM\ControlSet*\Control\Lsa\restrictanonymous
; [RegActiveSetup]
; Installed Components
;
[license]
Reseller=agnitum