Relevance for reading out a file

Hi Guys

Little question about relevance for reading out a file. I would like an analysis that reads the line after every “property” (Malicious MBR, Hidden Files, etc).

The file:

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: x
| Computer Name: x
| OS version: x
| User Name: x
+----------------------------------------------------


--== Dump malicious MBR ==--
No hidden MBR found.

--== Dump Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

When we run the RootkitBuster, it creates a file whose name is random numbers. So first I check if there is an existing file:
exists files whose (line 2 of it contains "Trend Micro RootkitBuster" of it) of folder "c:\temp"

This will be my relevance for my analysis. But now my question: Do I need to put the following for every property? Like this:

(name of it, (next lines of it) of lines whose (it contains "Dump malicious MBR" of it) of it ) of files whose (line 2 of it contains "Trend Micro RootkitBuster" of it) of folder "c:\temp"

(name of it, (next lines of it) of lines whose (it contains "Dump Hidden Files and Alternate Data Streams on C:\" of it) of it ) of files whose (line 2 of it contains "Trend Micro RootkitBuster" of it) of folder "c:\temp"

It seems useless to me that I always need to rewrite whose (line 2 of it contains "Trend Micro RootkitBuster" of it) of folder "c:\temp"

Any idea on how to improve this, or is this the only solution?

Thanks

I believe that if you use a property for each line, you have no choice but to repeat the relevance in each property. If you were able to use the data if it were captured as a single property, that would avoid the need to evaluate all the files in the C:\temp folder to find the one you are interested in over and over. A possible method for consideration (I’m sure this can be improved on):

Q: (preceding texts of firsts "+++" of following texts of firsts "--== Dump malicious MBR ==--+++" of it, preceding texts of firsts "+++" of following texts of firsts "+++" of following texts of firsts "--== Dump Hidden Files and Alternate Data Streams" of it, preceding texts of firsts "+++" of following texts of firsts "--== Dump Hidden Registry Value on HKLM ==--+++" of it, following texts of firsts "--== Dump Hidden Process ==--+++" of it) of ((concatenation "+++" of lines of it)) of files whose (line 2 of it contains "Trend Micro RootkitBuster" of it) of folders "c:\temp"
A: No hidden MBR found., No hidden files found., No hidden registry entries found., No hidden processes found.
T: 2.599 ms
I: plural ( substring, substring, substring, substring )

Yes, I thought of that too. But I’ve only picked 4 properties, in total there are more than 15. So it would become very long and maybe take a while to evaluate too… So I would prefer single properties instead of 1 big property…

But thanks for the input, appreciate it!

@steini44 - how are you being notified if the relevance is true? I am working on something similar for Anti-Ransomware too.

You could do something like:

Q: (it, next line of it) of lines containing "--==" of file "Path\To\RootKitBuster.txt"
A: --== Dump malicious MBR ==--, No hidden MBR found.
A: --== Dump Hidden Files and Alternate Data Streams on C:\ ==--, No hidden files found.
A: --== Dump Hidden Registry Value on HKLM ==--, No hidden registry entries found.
A: --== Dump Hidden Process ==--, No hidden processes found.
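The same two steps (find the report in the folder by its second line, then pair each "--==" header with the line that follows it, as in strawgate's `(it, next line of it)` approach) written out in Python as an added example; this is not code from the thread and not a BigFix relevance clause. The folder, file names and report text are constructed sample data modelled on the layout quoted above; the example also covers a report that was cut off right after a header, which a "next line" lookup would otherwise miss.

```python
import tempfile
from pathlib import Path

MARKER = "Trend Micro RootkitBuster"

# Constructed sample report, modelled on the layout quoted in the thread;
# not a real RootkitBuster output file.
SAMPLE_REPORT = """+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: x
| Computer Name: x
| OS version: x
| User Name: x
+----------------------------------------------------


--== Dump malicious MBR ==--
No hidden MBR found.

--== Dump Hidden Files and Alternate Data Streams on C:\\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.
"""

# Constructed truncated report: banner box, then a header with no result line.
TRUNCATED_REPORT = "\n".join(SAMPLE_REPORT.splitlines()[:7]) + "\n\n--== Dump Hidden Process ==--\n"


def find_reports(folder):
    """Files in folder whose second line contains the banner: the same test
    as the thread's 'line 2 of it contains "Trend Micro RootkitBuster"'."""
    hits = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        with path.open(encoding="utf-8", errors="replace") as fh:
            fh.readline()
            second = fh.readline()
        if MARKER in second:
            hits.append(path)
    return hits


def parse_sections(path):
    """Map each '--== ... ==--' header to the first non-empty line after it,
    mirroring '(it, next line of it) of lines containing "--=="'. A header
    that is not followed by any text (truncated report) maps to None."""
    lines = Path(path).read_text(encoding="utf-8", errors="replace").splitlines()
    sections = {}
    for i, raw in enumerate(lines):
        line = raw.strip()
        if not line.startswith("--=="):
            continue
        header = line.strip("-= ")  # "--== Dump malicious MBR ==--" -> "Dump malicious MBR"
        value = None
        for candidate in lines[i + 1:]:
            candidate = candidate.strip()
            if candidate.startswith("--=="):
                break  # next section began before any result line
            if candidate:
                value = candidate
                break
        sections[header] = value
    return sections


def scan_folder(folder):
    """Evaluate the folder once and return {file name: sections}."""
    return {p.name: parse_sections(p) for p in find_reports(folder)}


def build_demo_folder():
    """Create a temp folder with two constructed reports (random-number
    names, as the thread describes) plus an unrelated file."""
    folder = Path(tempfile.mkdtemp(prefix="rkb_demo_"))
    (folder / "4827193.txt").write_text(SAMPLE_REPORT, encoding="utf-8")
    (folder / "9910022.txt").write_text(TRUNCATED_REPORT, encoding="utf-8")
    (folder / "notes.txt").write_text("just a note\nnothing to see here\n", encoding="utf-8")
    return folder


if __name__ == "__main__":
    for name, sections in scan_folder(build_demo_folder()).items():
        print(name)
        for header, value in sections.items():
            print(f"  {header}: {value}")
```

The folder is read once and every section comes back from that single pass, which is the point made in the thread: one evaluation of the folder instead of one per property.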

It’s an analysis, this evaluates itself. I don’t use it with notifications

@strawgate: The problem is that there can be multiple files with this and the name changes always… That’s why I have the “(line 2 of it contains "Trend Micro RootkitBuster" of it)”

Any idea how to avoid using that? Because I don’t know the name of the txt file upfront.

Can you change where it outputs on execution to somewhere other than C:\Temp?

If @strawgate’s suggestion isn’t an option, can you have a task that retrieves the file name then stores it in a reg value so your properties only need to query the reg value each time? Not ideal I grant you, but maybe less intrusive than repeating the file check for each property.

hmm, it’s not that it will run every 5 minutes… So I think it’s overkill to create a new registry key every time a new file is generated…