
Detection rules OK for string and version, but not for a DWORD registry value???

Created: 19 Oct 2012 • Updated: 25 Oct 2012 | 4 comments

I tried to include a detection rule, as I often do, no problem, but this time I check a DWORD, not a string... and it is never detected, even though the registry value is there all the same!!

Yes, I did set the type of the command line to "install", not "custom" (as there is no detection check for custom :)

I made a few tries, for:

  • Registry Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
  • Registry entry: minRSAPubKeyBitLength

I set the "Registry Key Value" rule to match:

  • Substring: c8
  • Entire string: 000000c8, x000000c8, dword:000000c8

No way, no detection. How did you do it? If you did!
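As an added illustration (this is not code from the original post or from Symantec, and it does not reproduce how the Altiris rule engine itself compares values, which the thread does not document), the script below reads the same DWORD and prints every textual form it could take. The point it makes: a REG_DWORD comes back from the Windows API as a 32-bit integer, not as the "000000c8" text regedit displays, so a rule that renders the value as a string before comparing sees the decimal form "200" (0xc8 is 200 decimal), never "c8", "000000c8" or "dword:000000c8". The key path and value name are the ones from the question; the candidate match strings are assumed for the demonstration.

```powershell
# Added example: show the representations a DWORD registry value actually has.
# Key path and value name are those from the question; candidates are assumed.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$valueName = 'minRSAPubKeyBitLength'

function Get-DwordForms {
    param([string]$Path, [string]$Name)
    # -LiteralPath: the key name contains a space, so avoid wildcard parsing.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # key or value missing: nothing to detect
    $raw = $item.$Name                          # a REG_DWORD arrives as [int32], not a string
    [pscustomobject]@{
        Kind    = (Get-Item -LiteralPath $Path).GetValueKind($Name)   # expect "DWord"
        Decimal = [string]$raw                   # "200"       (what a string render of the int gives)
        Hex8    = ('{0:x8}' -f $raw)             # "000000c8"  (what regedit shows)
        Hex     = ('{0:x}'  -f $raw)             # "c8"
        RegExport = ('dword:{0:x8}' -f $raw)     # "dword:000000c8" (.reg file syntax)
    }
}

$forms = Get-DwordForms -Path $keyPath -Name $valueName
if ($null -eq $forms) {
    Write-Output "Value '$valueName' not present under $keyPath"
    exit 1                                      # non-zero = "not detected" when used as a script
}
$forms | Format-List

# Compare the literals tried in the post, plus the decimal form, against the
# value as it is actually returned (an integer rendered as a decimal string).
foreach ($candidate in '200', 'c8', '000000c8', 'x000000c8', 'dword:000000c8') {
    $match = ($forms.Decimal -eq $candidate)    # string compare, case-insensitive
    Write-Output ("{0,-16} entire-string match: {1}" -f $candidate, $match)
}
```

Run it in an elevated PowerShell on the machine you are trying to detect against. Only the "200" candidate reports True; the hex and .reg-style forms cannot match an integer that has been stringified as decimal. Note that `Kind` will also reveal a mistake that looks identical in regedit: if the value was created as REG_SZ "c8" rather than REG_DWORD 0xc8, the string rules in the thread would behave very differently.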

Comments (4)


See point 9 under "Rules" here:

https://www-secure.symantec.com/connect/articles/s...

"Registry Key Version - I recommend using the Registry Key Value as it is more straight-forward. If the version is not a String, however, this Rule should be used."

Authorised Symantec Consultant (ASC) with Endpoint Management Limited, an Authorised Symantec Delivery Provider based in the UK.

Connect Etiquette: Please "Mark as Solution" posts that fix your problem.


I was going to suggest dropping "dword" from the "value" but I think the OP has already tried that. Interesting that you can use this rule type for dwords, though.


Thanks for your feedback. Yes, I did try at the start without 'Dword' :)

I wonder if it is because it must be converted into a "decimal" value and not "hexa"; that could explain why your '3' is OK and my 'c8' is not detected...? I will have to try when I am able to.

~Pascal @ Kotte.net~ Do you speak French and use Altiris? Come and join us at the GUASF