Appendix 1 - Default Comodo Security Policy Details
An EDR policy determines which events generate an alert for you. The tables below list the default rules in each event category, with the score each rule assigns to a matching event.
The built-in event categories are:
- Process Events - Rules to generate alerts if an application causes an event
- Registry Events - Rules to alert you about changes to the Windows registry on your endpoints.
- File Events - Rules that detect modifications to any system files and folders.
- Download Events - Rules to create alerts when applications are downloaded via browsers.
- Upload Events - Rules to alert you about file uploads to shared folders or external drives.
- Defense+ Events - No default rules are set for this event category.
- Network Events - No default rules are set for this event category.
Event Category – Process Events

Event Type – Create Process

| Event Name | Score | Description |
|---|---|---|
| Suspicious System Process Creation | 6 | Process verdict is not safe AND file path matches `%systemroot%\*` |
| Remote Powershell Execution | 5 | File path matches `*wsmprovhost.exe` |
| Suspicious Powershell Flag | 5 | Command line matches any of the following: `*powershell*-NoP*`, `*powershell*-Win*`, `*powershell*-w*`, `*powershell*-Exec*`, `*powershell*-ex*`, `*powershell*-ep*`, `*powershell*-command*`, `*powershell*-NoL*`, `*powershell*-InputFormat*`, `*powershell*-Enc*`, `*powershell*-NonInteractive*`, `*powershell*-nonI*`, `*powershell*-file*` |
| Stop Service | 5 | Command line matches `%systemroot%\system32\net*stop*` |
| Run Untrusted Executable | 4 | Verdict is not safe |
| Suspicious Process Hierarchy | 3 | Process path does not match `*explorer.exe` AND [path matches `*powershell.exe` OR path matches `*cmd.exe`] |
| Start Service | 2 | Command line matches `%systemroot%\system32\net*start*` |
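To show how the Create Process rules above combine, here is an added example (not Comodo's code) that evaluates them as wildcard predicates over constructed process events; it assumes an event carries `path`, `parent` (the parent process path, which is how "Process path" in the hierarchy rule is read here), `cmdline` and `verdict`, and substitutes a fixed value for `%systemroot%`.

```python
import fnmatch

# Added example (not Comodo code): the default "Create Process" rules as
# predicates over a constructed process event. %systemroot% is a stand-in.
SYSTEMROOT = r"C:\Windows"

def glob_match(value, pattern):
    """Case-insensitive wildcard match; '*' is the only wildcard the rules use."""
    return fnmatch.fnmatchcase(value.lower(), pattern.replace("%systemroot%", SYSTEMROOT).lower())

# Flags from "Suspicious Powershell Flag"; each is matched as *powershell*<flag>*
POWERSHELL_FLAGS = ["-NoP", "-Win", "-w", "-Exec", "-ex", "-ep", "-command",
                    "-NoL", "-InputFormat", "-Enc", "-NonInteractive", "-nonI", "-file"]
# (rule name, score, predicate), in the order of the table
RULES = [
    ("Suspicious System Process Creation", 6,
     lambda e: e["verdict"] != "safe" and glob_match(e["path"], r"%systemroot%\*")),
    ("Remote Powershell Execution", 5, lambda e: glob_match(e["path"], "*wsmprovhost.exe")),
    ("Suspicious Powershell Flag", 5,
     lambda e: any(glob_match(e["cmdline"], f"*powershell*{f}*") for f in POWERSHELL_FLAGS)),
    ("Stop Service", 5, lambda e: glob_match(e["cmdline"], r"%systemroot%\system32\net*stop*")),
    ("Run Untrusted Executable", 4, lambda e: e["verdict"] != "safe"),
    # "Process path" in this rule is read as the parent process path (assumption)
    ("Suspicious Process Hierarchy", 3,
     lambda e: not glob_match(e["parent"], "*explorer.exe")
     and (glob_match(e["path"], "*powershell.exe") or glob_match(e["path"], "*cmd.exe"))),
    ("Start Service", 2, lambda e: glob_match(e["cmdline"], r"%systemroot%\system32\net*start*")),
]

def evaluate(event):
    """Names of every default rule the event triggers, in table order."""
    return [name for name, _score, pred in RULES if pred(event)]

def highest_score(event):
    """Highest score among the triggered rules, 0 if none fires."""
    return max((score for _name, score, pred in RULES if pred(event)), default=0)

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = {
    "office_spawns_powershell": {
        "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "cmdline": "powershell.exe -NoP -w hidden -c Get-Date", "verdict": "safe"},
    "net_stop": {
        "path": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"C:\Windows\system32\net.exe stop wuauserv", "verdict": "safe"},
    "unknown_binary": {
        "path": r"C:\Windows\Temp\update.exe", "parent": r"C:\Windows\Temp\setup.exe",
        "cmdline": r"C:\Windows\Temp\update.exe /silent", "verdict": "unknown"},
}
```

Note that a benign event can still satisfy several rules at once; which score is surfaced (highest, or a sum) depends on how the policy aggregates, which this appendix does not state.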
Event Category – Registry Events

Event Type – Set Registry Value

| Event Name | Score | Description |
|---|---|---|
| Disable User Account Control | 9 | Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System` AND registry value name is equal to EnableLUA AND registry value data is equal to 0 |
| Disable Task Manager | 9 | Registry key path is equal to `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` AND registry value name is equal to DisableTaskMgr AND registry value data is equal to 1 |
| Installation of Drivers | 8 | [Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*` AND registry value name is equal to Type] AND [registry value data is equal to 1 OR registry value data is equal to 2] |
| Add Service to svchost | 7 | [Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*` AND registry value name is equal to ImagePath AND registry value data matches `*svchost.exe*`] OR [Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters` AND registry value name is equal to ServiceDll AND registry value data matches `*.dll`] |
| Add Active Setup Value In Registry | 7 | Registry key path matches `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\*` |
| Modify Powershell Execution Policy | 7 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell` AND registry value name is equal to ExecutionPolicy |
| Modify Firewall Settings | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\*` |
| Disable Registry Editing Tool | 6 | Registry key path is equal to `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` AND registry value name is equal to DisableRegistryTools AND registry value data is equal to 1 |
| Modify AppInit_DLLs in Registry | 6 | Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows` AND registry value name is equal to AppInit_DLLs |
| Add Service | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*` AND registry value name is equal to ImagePath AND registry value data matches `*.exe*` AND registry value data doesn't match `*svchost.exe*` |
| Layered Service Provider installation | 6 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\*` |
| Add Autorun In Registry | 5 | Registry key path matches any of the following: `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup\*`, `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logon\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\*`, `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\Logoff\*`, `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown\*` OR registry key path equals any of the following: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` |
| Booting Time Execution | 5 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` AND registry value name is equal to BootExecute |
| Disable Auto Update | 5 | [Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` AND registry value name is equal to NoAutoUpdate AND registry value data is equal to 1] OR [Registry key path is equal to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate` AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1] OR [Registry key path is equal to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate` AND registry value name is equal to DisableWindowsUpdateAccess AND registry value data is equal to 1] |
| Disable Service | 5 | Registry key path matches `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\*` AND registry value name is equal to Start AND registry value data is equal to 4 |
| Create Explorer Entry | 5 | Registry key path matches any of the following: `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\*`, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\*`, `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*`, `HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*`, `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*`, `HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\*\ShellEx\ContextMenuHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\DragDropHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\DragDropHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\PropertySheetHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\PropertySheetHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Directory\Shellex\CopyHookHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Directory\Shellex\CopyHookHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Folder\Shellex\ColumnHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Folder\Shellex\ColumnHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Folder\ShellEx\ContextMenuHandlers\*`, `HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*`, `HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*`, `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*`, `HKEY_CURRENT_USER\Software\Microsoft\Ctf\LangBarAddin\*`, `HKEY_LOCAL_MACHINE\Software\Microsoft\Ctf\LangBarAddin\*`, `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*`, `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*` OR registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler` |
| Disable Windows Application | 5 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun` |
| Disable Command Prompt | 5 | Registry key path is equal to `HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System` AND registry value name is equal to DisableCMD AND registry value data is equal to 2 |
| Disable Show Hidden Files | 4 | Registry key path is equal to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` AND registry value data is equal to 2 AND [registry value name is equal to Hidden OR registry value name is equal to ShowSuperHidden] |
| Share Folder | 4 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Shares` |
| Addition of DNS Server | 3 | Registry key path matches `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*` AND registry value name is equal to NameServer |
| Modify Hosts File Registry | 3 | Registry key path is equal to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` AND registry value name is equal to DataBasePath |
Event Category – File Events

Event Type – Write File

| Event Name | Score | Description |
|---|---|---|
| Add Scheduled Task | 6 | File path matches `%systemroot%\System32\Tasks\*` OR `%systemroot%\Tasks\*` |
| Write Fake System File | 6 | File path matches `*svch0st.exe` OR `*svhost.exe` |
| Write to System Directory | 5 | File path matches `%systemroot%\*` |
| Add Startup File or Folder | 5 | File path matches any of the following: `%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*`, `%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*`, `%systemroot%\system\iosubsys\*`, `%systemroot%\system\vmm32\*`, `%systemroot%\Tasks\*` OR file path equals any of the following: `%systemdrive%\autoexec.bat`, `%systemdrive%\config.sys`, `%systemroot%\wininit.ini`, `%systemroot%\winstart.bat`, `%systemroot%\win.ini`, `%systemroot%\system.ini`, `%systemroot%\dosstart.bat` |
| Modify Host File | 4 | File path is equal to `%systemroot%\system32\drivers\etc\hosts` |
| Write to Executable | 4 | File type is equal to PORTABLE_EXECUTABLE AND process path doesn't match `*explorer.exe` |
| Write to Infectible File | 4 | Process path doesn't match `*explorer.exe` AND file path matches any of the following: `*.lnk`, `*.wsf`, `*.hta`, `*.mhtml`, `*.html`, `*.doc`, `*.docm`, `*.xls`, `*.xlsm`, `*.ppt`, `*.pptm`, `*.chm`, `*.vbs`, `*.js`, `*.bat`, `*.pif`, `*.jar`, `*.sys` |
| Modify Group Policy Settings | 1 | File path matches `%systemroot%\system32\grouppolicy\*` OR `%systemroot%\Sysvol\sysvol\*\Policies\*` |
| Write to Program Files Directory | 1 | File path matches `%programfiles%\*` |
Event Category – Download Events

Event Type – Browser Download

| Event Name | Score | Description |
|---|---|---|
| Download Infectible File | 3 | File path matches any of the following: `*.lnk`, `*.wsf`, `*.hta`, `*.mhtml`, `*.html`, `*.doc`, `*.docm`, `*.xls`, `*.xlsm`, `*.ppt`, `*.pptm`, `*.chm`, `*.vbs`, `*.js`, `*.bat`, `*.pif`, `*.jar`, `*.sys` |
| Download Executable | 2 | File type is equal to PORTABLE_EXECUTABLE |
Event Category – Upload Events

Event Type – File Copy to Shared Folder

| Event Name | Score | Description |
|---|---|---|
| Write Executable to Shared Folder | 5 | File type is equal to PORTABLE_EXECUTABLE |
| Write Infectible to Shared Folder | 5 | File path matches any of the following: `*.lnk`, `*.wsf`, `*.hta`, `*.mhtml`, `*.html`, `*.doc`, `*.docm`, `*.xls`, `*.xlsm`, `*.ppt`, `*.pptm`, `*.chm`, `*.vbs`, `*.js`, `*.bat`, `*.pif`, `*.jar`, `*.sys` |
Event Category – Defense+ Events

No default rules for this event category.

Event Category – Network Events

No default rules for this event category.