[Jiangmin] Jiangmin HIPS rule sharing

zjb0923
Posted on 2011-6-3 15:47:10
This post was last edited by zjb0923 on 2011-7-16 07:33
2011.07.16

%windir%\system32\cmd.exe\*.bat*
%windir%\system32\cmd.exe\*.cmd*
%windir%\system32\cmd.exe\*sc config *
%windir%\system32\cmd.exe\*taskkill*
*\Temporary Internet Files\*.exe
*\attrib.exe
%windir%\system32\cscript.exe
%windir%\system32\wscript.exe
%windir%\system32\cmd.exe
*\debug.exe
*\user.exe
*\Cacls.exe
*\replace.exe
%windir%\system32\at.exe
%windir%\system32\tasklist.exe
%windir%\system32\diskpart.exe
%windir%\system32\ftp.exe
%windir%\system32\telnet.exe
*\runas.exe
%windir%\system32\tftp.exe
%windir%\system32\schtasks.exe
%windir%\system32\doskey.exe
%windir%\system32\ntsd.exe
%windir%\system32\taskkill.exe
%windir%\system32\net.exe
%windir%\system32\net1.exe
%windir%\system32\netstat.exe
%windir%\system32\mmc.exe
%windir%\system32\msconfig.exe
%windir%\*
%ProgramFiles%\Common Files\*.exe
%ProgramFiles%\*
{4590F811-1D3A-11D0-891F-00AA004B2E24}
{4991D34B-80A1-4291-83B6-3328366B9097}
{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}
{69AD4AEE-51BE-439b-A92C-86AE490E8B30}
{75048700-EF1F-11D0-9888-006097DEACF9}
{8856F961-340A-11D0-A96B-00C04FD705A2}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{B69003B3-C55E-4B48-836C-BC5946FC3B28}
{ED8C108E-4349-11D2-91A4-00C04F7969E8}
{F81CD990-910B-4bbf-9CB3-6A77F3D697B3}
{FBF23B40-E3F0-101B-8488-00AA003E56F8}
*\scrrun.dll
*\regsvc.dll
*\mstask.dll
*\wshom.ocx
%windir%\system32\msiexec.exe
%windir%\system32\*.exe
%windir%\explorer.exe
%windir%\winhelp.exe
%windir%\hh.exe
%windir%\winhlp32.exe
%windir%\*.dll
%windir%\regedit.exe
*\WindowsXP-KB*-x86-CHS.exe
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*\Control Panel\Desktop
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\Tcpip\Parameters\DataBasePath
HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\Tcpip\Parameters\Interfaces*
HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\WinSock*
*\SOFTWARE\Microsoft\Command Processor* (registry create, registry modify)
*\Software\Microsoft\Windows\CurrentVersion\Group Policy*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers\*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run
*\Software\Microsoft\Windows nt\Currentversion\Windows\load
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\shell
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\NonWindowsApp
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\standard
*\System\*ControlSet*\Control\Session Manager\BootExecute
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Common Startup
*\Software\Microsoft\Windows\CurrentVersion\Explorer\*Shell Folders\Startup
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*\shell\*
*\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*

HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\*\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\*\imagepath
HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Services\*[key]

*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ParseAutoexec

IE browser
*\Software\Microsoft\Internet explorer\AboutURLs
*\Software\Microsoft\Internet explorer\Advancedoptions*
*\Software\Microsoft\Internet Explorer\Explorer Bars*
*\Software\Microsoft\Internet explorer\Search*
*\Software\Microsoft\Internet explorer\Styles\stylesheet
*\Software\Microsoft\Internet explorer\Toolbar\Locked [allow]
*\Software\Microsoft\Internet explorer\Main\Default_Page_URL
*\Software\Microsoft\Internet explorer\Urlsearchhooks*


*\Software\Microsoft\Internet explorer\Search*
Default_Search_URL   
HOMEOldSP
Local Page
Search Bar
Search Page
Start Page
Start Page_bak
Use Custom Search URL
*\Software\Microsoft\Windows\Currentversion\Internet settings\MinLevel
Security_RunActiveXControls
Security_RunScripts
Safety Warning Level
Trust Warning Level
*\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges*
*\Software\Microsoft\Windows\Currentversion\URL\*
*\Software\Microsoft\Internet explorer\Activex Compatibility*
HKEY_CLASSES_ROOT\Comfile\Shell\Open\Command
HKEY_CLASSES_ROOT\.bat*
HKEY_CLASSES_ROOT\.chm*
HKEY_CLASSES_ROOT\.cmd*
HKEY_CLASSES_ROOT\.com*
HKEY_CLASSES_ROOT\.exe*
HKEY_CLASSES_ROOT\.Folder*
HKEY_CLASSES_ROOT\.htm*
HKEY_CLASSES_ROOT\.inf*
HKEY_CLASSES_ROOT\.js*
HKEY_CLASSES_ROOT\.jar*
HKEY_CLASSES_ROOT\.lnk*
HKEY_CLASSES_ROOT\.pif*
HKEY_CLASSES_ROOT\.reg*
HKEY_CLASSES_ROOT\.scr*
HKEY_CLASSES_ROOT\.txt*
HKEY_CLASSES_ROOT\.vbs*
HKEY_CLASSES_ROOT\Folder\shell\*\command*
HKEY_CLASSES_ROOT\*file\shell\*\command*
HKEY_CURRENT_USER\Software\Microsoft\Windows nt\Currentversion\Windows\Load
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run



*\exefile\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\BootVerificationProgram\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Lsa\Authentication Packages
Notification Packages
Security Packages
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\MPRServices\*\DllName
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Print\Monitors*
HKEY_LOCAL_MACHINE\SYSTEM\*controlset*\Control\Safeboot*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\KnownDLLs*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Memory Management\EnforceWriteProtection
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\SubSystems*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\VirtualDeviceDrivers\VDD
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\WOW\cmdline
Wowcmdline
*\Software\Microsoft\Driver Signing\Policy
*\Software\Microsoft\Windows\Currentversion\Policies*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GinaDLL*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping*
*\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher [modify: allow, whitelist]
*\Software\Policies*
HKEY_CLASSES_ROOT\Clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}*
HKEY_CLASSES_ROOT\Protocols\Filter*
HKEY_CLASSES_ROOT\Protocols\Handler*
HKEY_CURRENT_USER\Control panel\Don't load
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Control panel\Don't load
HKEY_LOCAL_MACHINE\Software\Microsoft\Security center
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*
*\SOFTWARE\Microsoft\Active Setup\Installed Components*



*\usp10.dll
%windir%\*.com

?:\RECYCLE?\*

%SystemDrive%\*.bat
%SystemDrive%\*.cmd
%ProgramFiles%\Common Files\*.sys
%ProgramFiles%\Common Files\*.dll
%ProgramFiles%\Common Files\*.exe
%ProgramFiles%\Common Files\*.dat
*\temp.exe

?:\*.exe
*.com
*\GameMon.des
?:\autorun.inf [block creation only]

%SystemDrive%\*.jar
%SystemDrive%\*.sys
Also covered (extensions listed alongside the rule above): hta htc ocx cpl jse vbe wsf wsh vbs wmf drv imz olb shs
%systemdrive%\*wshom.ocx
%WinDir%\system32\drivers\*.exe
%WinDir%\system32\drivers\*.dll
%WinDir%\*.dll
%WinDir%\*.exe
%WinDir%\*.sys
%Windir%\*.dat
%Windir%\*.com
%Windir%\*.bat
*\temp?.exe
*\temp??.exe
%WinDir%\system32\drivers\*.exe
%WinDir%\system32\drivers\*.dll

%ProgramFiles%\WinRAR\WinRAR.exe
%WinDir%\system32\dllcache\*
%WinDir%\system\*.dll
%WinDir%\system\*.exe
%ProgramFiles%\*.exe [deletion can be allowed for this one]
%WinDir%\system\*.sys
*\?.exe
*\1?.exe

?:\System Volume Information\*.dll
?:\System Volume Information\*.exe
?:\System Volume Information\*.jar
?:\System Volume Information\*.js
?:\System Volume Information\*.lnk
?:\System Volume Information\*.vbs
?:\System Volume Information\*.ocx
?:\System Volume Information\*.cpl
?:\System Volume Information\*.jse
?:\System Volume Information\*.vbe


?:\System Volume Information\*

*\win.ini
%SystemDrive%\boot.ini
%SystemDrive%\bootfont.bin
%SystemDrive%\NTDETECT.COM
%SystemDrive%\ntldr
*.GHO  
%SystemDrive%\CONFIG.SYS
%SystemDrive%\IO.SYS
%SystemDrive%\MSDOS.SYS
%SystemDrive%\GHLDR
%Windir%\explorer.exe
%Windir%\winhlp.exe
%Windir%\notepad.exe
%Windir%\regedit.exe
%Windir%\system32\ctfmon.exe
%Windir%\system32\taskmgr.exe
%Windir%\system32\rundll32.exe
%Windir%\system32\csrss.exe
%Windir%\system32\lsass.exe
%Windir%\system32\smss.exe
%Windir%\system32\mmc.exe
%Windir%\system32\sndvol32.exe
%Windir%\system32\notepad.exe
%Windir%\system32\svchost.exe
%Windir%\system32\control.exe
%Windir%\system32\winlogon.exe
%Windir%\system32\services.exe
%Windir%\system32\verclsid.exe
%WinDir%\system32\drivers\etc\hosts
%ProgramFiles%\Outlook Express\msimn.exe
%ProgramFiles%\Internet Explorer\iexplore.exe

%windir%\*.exe
%windir%\*.dll

*\*.pif
*\?.exe
*\?sy.exe
*\1?.exe
*\??so.exe
*\temp.exe
*\temp?.exe
*\temp1?.exe
*\down.exe
*\down?.exe
*\down1?.exe
*\format.*
*\fuck*.exe
*\logo1_.exe
*\rundl1*.exe
*\conime.exe
*\rundll.exe
*\TIMPlatform.exe
?:\*.bat
?:\*.com
?:\*.exe
*\*Recycle*\*
%Windir%\Temp\*.exe
%SystemDrive%\System Volume Information\*
%SystemDrive%\Documents and Settings\*\Local Settings\Temp\*.exe
%SystemDrive%\Documents and Settings\*\Local Settings\Temporary Internet Files\*
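As an added illustration, not part of the shared ruleset or of Jiangmin's software, the small Python matcher below evaluates a handful of the rules above against sample paths and flags entries whose environment variable can never expand. The wildcard semantics (`*` spans directories, `?` is one character) and the environment values are assumptions, not documented Jiangmin behaviour.

```python
import re

# Constructed environment values (assumption: the HIPS expands %var% like the Windows shell).
ENV = {"windir": r"C:\WINDOWS", "systemdrive": "C:", "programfiles": r"C:\Program Files"}

# A few rules copied from the shared ruleset, plus one constructed entry with a doubled "%%"
# so that the lint below has something to catch.
RULES = [
    r"%windir%\system32\cmd.exe",
    r"*\Temporary Internet Files\*.exe",
    r"*\?.exe",
    r"*\1?.exe",
    r"?:\autorun.inf",
    r"%SystemDrive%\Documents and Settings\*\Local Settings\Temp\*.exe",
    r"%%windir%\system32\diskpart.exe",  # constructed: this variable can never expand
]

def expand_env(rule):
    """Replace %name% with its ENV value (case-insensitive); unknown names are left untouched."""
    return re.sub(r"%([^%\\]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), rule)

def rule_to_regex(rule):
    """Compile a rule into an anchored, case-insensitive regex.
    Assumed semantics: '*' matches any run of characters, backslashes included, so '*\\x.exe'
    covers any directory depth; '?' matches exactly one non-backslash character; the rest is literal."""
    parts = []
    for ch in expand_env(rule):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def matching_rules(path, rules=RULES):
    """Return every rule whose pattern covers the given full path, in ruleset order."""
    return [r for r in rules if rule_to_regex(r).match(path)]

def lint_rules(rules=RULES):
    """Rules that still contain '%' after expansion name an unknown or mistyped variable and never fire."""
    return [r for r in rules if "%" in expand_env(r)]

if __name__ == "__main__":
    for p in (r"C:\WINDOWS\system32\cmd.exe", r"C:\a.exe", r"C:\ab.exe", r"D:\Autorun.inf"):
        print(p, "->", matching_rules(p))
    print("rules that can never match:", lint_rules())
```

Running the lint over a full exported ruleset is a quick way to catch entries like a doubled `%%` that silently provide no protection.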

Forum attachment download

After downloading, select both attachments and extract them together into one folder to get the complete file.

This configuration does not include the supplementary malicious URL database; if you need it, click ●●★★广告bu疯狂★★●● to download it and import it.

If anything is missing, please point it out.

If there are mistakes, criticism gentle or harsh is welcome.




士兵许三多
Posted on 2011-6-3 18:32:34
Here to show support; that one is really written in great detail!
zjb0923
(OP) Posted on 2011-6-3 19:54:36
Quoting 士兵许三多, posted on 2011-6-3 18:32:
Here to show support; that one is really written in great detail!

What is the moderator permission level? Even 180 can get in, wow.
士兵许三多
Posted on 2011-6-3 20:08:17
Quoting zjb0923, posted on 2011-6-3 19:54:
What is the moderator permission level? Even 180 can get in, wow.

Whatever you set it to in the Jiangmin section, I can get in; in the Jiangmin section I am the boss, hahaha.
木山
Posted on 2011-6-4 18:51:48
Going straight for the advanced version: more pop-ups, more information, more peace of mind.
zjb0923
(OP) Posted on 2011-6-4 19:01:00
Quoting 木山, posted on 2011-6-4 18:51:
Going straight for the advanced version: more pop-ups, more information, more peace of mind.

Then let me say this up front: the advanced-version rules interfere with the running of the virtual restore software 东石recovery. If a program fails to run, remember to turn off Active Defense first, then run it; check the log and correct the rule. This is the issue found so far.
小仙仙
Posted on 2011-6-4 20:10:26
A friendly bump.

小仙仙
Posted on 2011-6-4 20:33:26
Thanks for the points.
xp-AntiSpy
Posted on 2011-6-4 21:47:18
Here to show support.
契卡
Posted on 2011-6-4 22:30:24
http://bbs.kafan.cn/thread-993436-1-1.htm
This thread seems to be gone.
