Appendix 3: Default Xcitium Security Policy Details

An EDR policy determines which events will generate an alert for you. Xcitium EDR ships with a default security policy containing seven event categories. The tables below contain details of the default rules in each event category.


The built-in event categories are:

  • Process Events - Rules to generate alerts if an application causes an event.

  • Registry Events - Rules to alert you about changes to the Windows registry on your endpoints.

  • File Events - Rules that detect modifications to any system files and folders.

  • Upload Events - Rules to alert you about file uploads to shared folders or external drives.

  • Defense+ Events - No default rules are set for this event category.

  • Network Events - No default rules are set for this event category.

Process Events


Event Category - Process Events

Event Type - Create Process

| Event Name | Score | Description |
| --- | --- | --- |
| Suspicious System Process Creation | 6 | Process verdict is not safe AND file path matches `%systemroot%*` |
| Remote Powershell Execution | 5 | File path matches `*wsmprovhost.exe` |
| Suspicious Powershell Flag | 5 | Command line matches any of the following:<br>`*powershell*-NoP*`<br>`*powershell*-Win*`<br>`*powershell*-w*`<br>`*powershell*-Exec*`<br>`*powershell*-ex*`<br>`*powershell*-ep*`<br>`*powershell*-command*`<br>`*powershell*-NoL*`<br>`*powershell*-InputFormat*`<br>`*powershell*-Enc*`<br>`*powershell*-NonInteractive*`<br>`*powershell*-nonI*`<br>`*powershell*-file*` |
| Stop Service | 5 | Command line matches `%systemroot%\system32\net*stop*` |
| Run Untrusted Executable | 4 | Verdict is not safe |
| Suspicious Process Hierarchy | 3 | Process path does not match `*explorer.exe` AND path matches `*powershell.exe` OR path matches `*cmd.exe` |
| Start Service | 2 | Command line matches `%systemroot%\system32\net*start*` |



Registry Events


Event Category - Registry Events

Event Type - Set Registry Value

| Event Name | Score | Description |
| --- | --- | --- |
| Disable User Account Control | 9 | Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System`<br>AND registry value name is equal to `EnableLUA0`<br>AND registry value data is equal to 0 |
| Disable Task Manager | 9 | Registry key path is equal to `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`<br>AND registry value name is equal to `DisableTaskMgr`<br>AND registry value data is equal to 1 |
| Installation of Drivers | 8 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services*` AND registry value name is equal to `Type`<br>AND<br>Registry value data is equal to 1<br>OR registry value data is equal to 2 |
| Add Service to svchost | 7 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services*` AND registry value name is equal to `ImagePath` AND registry value data matches `*svchost.exe*`<br>OR<br>Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services*Parameters` AND registry value name is equal to `ServiceDll` AND registry matches `*.dll` |
| Add Active Setup Value In Registry | 7 | Registry key path matches `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components*` |
| Modify Powershell Execution Policy | 7 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell` AND registry value name is equal to `ExecutionPolicy` |
| Modify Firewall Settings | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile*` |
| Disable Registry Editing Tool | 6 | Registry key path is equal to `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` AND registry value name is equal to `DisableRegistryTools` AND registry value data is equal to 1 |
| Modify AppInit_DLLs in Registry | 6 | Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` AND registry value name is equal to `AppInit_DLLs` |
| Add Service | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services*` AND registry value name is equal to `ImagePath` AND registry value data matches `*.exe*` AND registry value data doesn't match `*svchost.exe*` |
| Layered Service Provider installation | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries*` |
| Add Autorun In Registry | 5 | Registry key path matches any of the following:<br>`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup*`<br>`HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon*`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce*`<br>`HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows*`<br>`HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\Windows\Run*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*`<br>`HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff*`<br>`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown*`<br>OR<br>Registry key path equals any of the following:<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` |
| Booting Time Execution | 5 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` AND registry value name is equal to `BootExecute` |
| Disable Auto Update | 5 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` AND registry value name is equal to `NoAutoUpdate` AND registry value data is equal to 1<br>OR<br>Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` AND registry value name is equal to `DisableWindowsUpdateAccess` AND registry value data is equal to 1<br>OR<br>Registry key path is equal to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate` AND registry value name is equal to `DisableWindowsUpdateAccess` AND registry value data is equal to 1 |
| Disable Service | 5 | Registry key path matches `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services*` AND registry value name is equal to `Start` AND registry value data is equal to 4 |
| Create Explorer Entry | 5 | Registry key path matches any of the following:<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler*`<br>`HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components*`<br>`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*`<br>`HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*`<br>`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*`<br>`HKEY_CURRENT_USER\Software\Classes*ShellEx\ContextMenuHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes*ShellEx\ContextMenuHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\DragDropHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\DragDropHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\PropertySheetHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\PropertySheetHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\CopyHookHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Folder\Shellex\ColumnHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Folder\Shellex\ColumnHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Folder\ShellEx\ContextMenuHandlers*`<br>`HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers*`<br>`HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers*`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers*`<br>`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers*`<br>`HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin*`<br>`HKEY_LOCAL_MACHINE\Software\Microsoft\Ctf\LangBarAddin*`<br>`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*`<br>`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*`<br>OR<br>Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler` |
| Disable Windows Application | 5 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun` |
| Disable Command Prompt | 5 | Registry key path is equal to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System` AND registry value name is equal to `DisableCMD` AND registry value data is equal to 2 |
| Disable Show Hidden Files | 4 | Registry key path is equal to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` AND registry value data is equal to 2<br>AND<br>Registry value name is equal to `Hidden` OR registry value name is equal to `ShowSuperHidden` |
| Share Folder | 4 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Shares` |
| Addition of DNS Server | 3 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces*` AND registry value name is equal to `NameServer` |
| Modify Hosts File Registry | 3 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` AND registry value name is equal to `DataBasePath` |
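
The rule logic in the Process Events and Registry Events tables can be exercised offline against test events before alert tuning. The Python below is an added example, not Xcitium code: it assumes case-insensitive matching with `*` as the only wildcard, `%systemroot%` expanding to `C:\Windows`, backslash-separated paths, and that the `ServiceDll` condition applies to the value data. The event field names (`type`, `cmdline`, `verdict`, `key`, `name`, `data`) are hypothetical and all events are constructed.

```python
import re

# Assumptions (not from Xcitium): %systemroot% expands to C:\Windows, paths are
# backslash-separated, matching is case-insensitive and '*' is the only wildcard.
ENV = {"%systemroot%": r"C:\Windows"}
SVC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def wild(pattern, value):
    """True if value matches pattern under the assumed wildcard semantics."""
    for var, path in ENV.items():
        pattern = re.sub(re.escape(var), lambda _m: path, pattern, flags=re.I)
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value or "", re.I | re.S) is not None

# Flag fragments copied from the "Suspicious Powershell Flag" rule.
PS_FLAGS = ["-NoP", "-Win", "-w", "-Exec", "-ex", "-ep", "-command", "-NoL",
            "-InputFormat", "-Enc", "-NonInteractive", "-nonI", "-file"]

# (event type, rule name, score, predicate over the event dict)
RULES = [
    ("process", "Suspicious Powershell Flag", 5,
     lambda e: any(wild(f"*powershell*{f}*", e["cmdline"]) for f in PS_FLAGS)),
    ("process", "Stop Service", 5,
     lambda e: wild(r"%systemroot%\system32\net*stop*", e["cmdline"])),
    ("process", "Run Untrusted Executable", 4, lambda e: e["verdict"] != "safe"),
    ("process", "Start Service", 2,
     lambda e: wild(r"%systemroot%\system32\net*start*", e["cmdline"])),
    ("registry", "Add Service to svchost", 7,
     lambda e: (wild(SVC + "*", e["key"]) and wild("ImagePath", e["name"])
                and wild("*svchost.exe*", e["data"]))
     or (wild(SVC + "*Parameters", e["key"]) and wild("ServiceDll", e["name"])
         and wild("*.dll", e["data"]))),
    ("registry", "Add Service", 6,
     lambda e: wild(SVC + "*", e["key"]) and wild("ImagePath", e["name"])
     and wild("*.exe*", e["data"]) and not wild("*svchost.exe*", e["data"])),
    ("registry", "Disable Service", 5,
     lambda e: wild(SVC + "*", e["key"]) and wild("Start", e["name"])
     and e["data"] == "4"),
]

def evaluate(event):
    """Return (rule name, score) for every rule that fires, highest score first."""
    hits = [(name, score) for etype, name, score, pred in RULES
            if etype == event["type"] and pred(event)]
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample events; field names are hypothetical.
EVENTS = {
    "scripted_inventory": {"type": "process", "verdict": "safe",
        "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    "admin_wmi_query": {"type": "process", "verdict": "safe",
        "cmdline": "powershell.exe Get-WmiObject Win32_BIOS"},
    "stop_spooler": {"type": "process", "verdict": "unknown",
        "cmdline": r"C:\Windows\system32\net.exe stop Spooler"},
    "new_service": {"type": "registry", "key": SVC + r"\DemoSvc",
        "name": "ImagePath", "data": r"C:\Program Files\Demo\demosvc.exe"},
    "svchost_hosted": {"type": "registry", "key": SVC + r"\DemoSvc",
        "name": "ImagePath", "data": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    "service_dll": {"type": "registry", "key": SVC + r"\DemoSvc\Parameters",
        "name": "ServiceDll", "data": r"C:\Program Files\Demo\demo.dll"},
    "service_disabled": {"type": "registry", "key": SVC + r"\DemoSvc",
        "name": "Start", "data": "4"},
}

if __name__ == "__main__":
    for label, event in EVENTS.items():
        print(f"{label:18} -> {evaluate(event)}")
```

Under these assumptions the broad `*powershell*-w*` pattern also fires on the `-W` inside `Get-WmiObject`, a benign hit to expect during triage, while the `*svchost.exe*` exclusion keeps "Add Service" and "Add Service to svchost" from both firing on the same `ImagePath` write.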


File Events


Event Category - File Events

Event Type - Write File

| Event Name | Score | Description |
| --- | --- | --- |
| Add Scheduled Task | 6 | File path matches `%systemroot%\System32\Tasks*` OR `%systemroot%\Tasks*` |
| Write Fake System File | 6 | File path matches `*svch0st.exe` OR `*svhost.exe` |
| Write to System Directory | 5 | File path matches `%systemroot%*` |
| Add Startup File or Folder | 5 | File path matches any of the following:<br>`%appdata%\Microsoft\Windows\Start Menu\Programs\Startup*`<br>`%programdata%\Microsoft\Windows\Start Menu\Programs\Startup*`<br>`%systemroot%\system\iosubsys*`<br>`%systemroot%\system\vmm32*`<br>`%systemroot%\Tasks*`<br>OR<br>File path equals any of the following:<br>`%systemdrive%\autoexec.bat`<br>`%systemdrive%\config.sys`<br>`%systemroot%\wininit.ini`<br>`%systemroot%\winstart.bat`<br>`%systemroot%\win.ini`<br>`%systemroot%\system.ini`<br>`%systemroot%\dosstart.bat` |
| Modify Host File | 4 | File path is equal to `%systemroot%\system32\drivers\etc\hosts` |
| Write to Executable | 4 | File type is equal to PORTABLE_EXECUTABLE<br>AND<br>Process path doesn't match `*explorer.exe` |
| Write to Infectible File | 4 | Process path doesn't match `*iexplorer.exe`<br>AND<br>File path matches any of the following:<br>`*.lnk`<br>`*.wsf`<br>`*.hta`<br>`*.mhtml`<br>`*.html`<br>`*.doc`<br>`*.docm`<br>`*.xls`<br>`*.xlsm`<br>`*.ppt`<br>`*.pptm`<br>`*.chm`<br>`*.vbs`<br>`*.js`<br>`*.bat`<br>`*.pif`<br>`*.pdf`<br>`*.jar`<br>`*.sys` |
| Modify Group Policy Settings | 1 | File path matches `%systemroot%\system32\grouppolicy*` OR `%systemroot%\Sysvol\sysvol*Policies*` |
| Write to Program Files Directory | 1 | File path matches `%programfiles%*` |



Upload Events


Event Category - Upload Events

Event Type - File Copy to Shared Folder

| Event Name | Score | Description |
| --- | --- | --- |
| Write Executable to Shared Folder | 5 | File type is equal to PORTABLE_EXECUTABLE |
| Write Infectible to Shared Folder | 5 | File path matches any of the following:<br>`*.lnk`<br>`*.wsf`<br>`*.hta`<br>`*.mhtml`<br>`*.html`<br>`*.doc`<br>`*.docm`<br>`*.xls`<br>`*.xlsm`<br>`*.ppt`<br>`*.pptm`<br>`*.chm`<br>`*.vbs`<br>`*.js`<br>`*.bat`<br>`*.pif`<br>`*.pdf`<br>`*.jar`<br>`*.sys` |


Defense+ Events

No default rules for this event category.


Network Events

No default rules for this event category.


© Comodo Group, Inc. 2025. All rights reserved.