从零开始，打造超强COMODO V3防护规则包（FD篇）

remcn

声明：

　　.本贴首发于科摩多爱好者论坛（www.comodoer.cn），次发卡饭COMODO版块；
　　.本人也是菜鸟，有问题请问U版，这是个天才+雷锋；

－－－－－－－－－－－－－－－－－－－－－－－－－
　　
　　本人也是超级菜鸟，只是有COMODO V3这么好的安防软件，不下决心啃它两口实在说不过去。参考卡饭论坛小邪邪版主的麦咖啡FD和RD规则包，自己动手给COMODO V3查缺补漏。不当之处请高手指正，不胜感谢！

COMODO V3的FD可操作性颗粒度不足，预置了六个组，分别是：

My Protected Files
Defense+ allows users to protect the specific files and folders specified in this section against unauthorized modification.

在这里，Comodo V3的Defense+允许用户保护指定的文件和文件夹免遭非授权的修改；

My Quarantined Files
Defense + allows users to “lockdown”files and folders specified in this section by denying all access to them.

在这里，Defense+允许用户通过禁止一切操作来锁定指定的文件或文件夹。

My Pending Files
This section shows the unrecognized files waiting for an administrative review

该区域存放未经认证的程序，以待管理审核。

My Own Safe Files
In this section,you can add/remov files to/from your local safe executable files database.

在这里，你可以添加（或去除）一些文件到你本机的安全程序数据库中。

My Protected Registry Keys
Defense+ allows users to protect the specific keys specified in this section against unauthorized modification.

翻译请参考受保护的文件组

My Protected COM Interfaces
In this section, you can group some COM interfaces together so that they can be easily referenced if needed.

翻译请参考受保护的文件组

这些组有什么用呢？按照软件的说明，My protected files是保护重要文件不被修改的，My Quarantined Files相当于其他杀软的隔离区，My Pending Files是说如果程序到底是否安全暂时还不确定，就放到这里等日后搞清楚了再说，My Own Safe Files是放一些你百分百确定不会危害系统的安全软件。

据我自己的使用来看，有了这六个预置的区域，对文件的防护功能已经足够强大了。不信？来看这个图：


023.JPG (151.68 KB)
2007-11-28 21:08





狠不狠？在科摩多的AD模块中，任何一个程序，其可以设置的权限都有16项之多，其中一项就是对Protected Files/Folders的操作权限。在图中的例子，选了最具代表性的资源管理器，看到了吧，在Computer Security Policy频道中，如果所有位于explorer.exe前面的规则中没有对某一特定的文件的规则（主要是指All Applications所有程序），那么，到了explorer这里，就会看你设定的explorer.exe的规则中有没有对这一文件的规定。有没有呢？默认是没有的，可以看上图中最右边的对话框，Allowed Files/Folders中并没有程序。但是通常情况下，COMODO这时候并不会报警，为什么？

原因很简单，因为explorer.exe已经加入了COMODO自带的安全程序数据库，也就是说，它已经经过了COMODO的签名认证了，所有在上面我提到过的16项可以设置的权限中，除了第一项“运行程序”是ask之外，其余的，默认全是ALLOW。

老实说，在没有认真分析这里头的道道之前，我对COMODO的防护功能并不是太有底，只是觉得拦截动作确实够厉害，但从这里可以看出：

COMODO V3的防护真正是滴水不漏，它的FD、RD和AD完全是无缝结合的，并不像其他的HIPS那样分成三个不同的、明显的，甚至需要单独设置的模块。

所以，对COMODO的FD+RD规则制定，就放在本文开始时的六个预置分组中，重点又是My Protected Files、My protected Registry Keys和My Protected COM Interfaces。设定好了这三个组以后，其余的工作，都交给AD去做，也就是仅仅靠提示框就足够了。

因为本篇讨论的是FD，所以只看My Protected Files这个组中的规则。

继续上图，看这个组中到底有哪些玄机：


024.JPG (39.77 KB)
2007-11-28 21:08





看到了吧，预置了五个组，其中第一项“可执行程序”中，全是通配符，把.exe,.dll,.sys,.ocx,.bat,.pif,.scr,.cpl，举凡平时可能会被病毒、恶意程序利用的可执行程序，全囊括了进来，并且该组还放在最前面，优先级最高。分别解释一下，对新手的，老鸟可以无视飘过：

exe,都知道是可执行程序；
.dll,DLL文件
.sys,系统文件
.ocx,程序控件
.bat,常见的是批处理
.pif,快捷方式文件
.scr,屏幕保护文件
.cpl控制面板功能插件

有人看到了，是啊，危险的文件都加入进来了，那么文件夹呢？比如说系统启动时要用到的.ini文件怎么办？

很显然，COMODO是聪明的，如果在上面的列表中再加入一个*.ini，确实可以保护系统自身的INI文件，但是其他的应用程序也就跟着玩完了，就死等着弹窗点到累疯吧。所以，对于这些到处都要用到的文件，COMODO没有乱保护，而是单独把一些重要的文件夹，比如启动文件夹（前面提到的INI文件当然也包括在这里面），列出来预置了。

这也就有了预置的另外三个组：startup folders/important files/protocol drivers，另外还有一个要用来保护COMODO自己。

那么，我们要通过自定义规则来完善COMODO的FD功能，自然只有一条路：

把上面所说的COMODO已经内置的重要文件和文件夹之外的，可能会危害我们系统的文件以及文件夹加入到My Protected Files组中来就万事大吉了。

这就是我们现在着手要干的活儿

（未完待续）

remcn

AccessProtection {
UserString UR0 "A1 禁止在WINDOWS目录中新建任何文件"
UserEnforce UR0 1
UserReport UR0 1
UserProcess UR0 {Include *;Exclude ACDSee*.exe FireSvc.exe FrameworkService.exe McScript_InUse.exe mmc.exe QQ.exe services.exe svchost.exe WMIADAP.EXE}
UserRule UR0 G_User {File C { Include C:\\WINDOWS\\** }
}
UserString UR1 "A2 禁止在C盘中新建,修改任何SCR文件(防范某些木马)"
UserEnforce UR1 1
UserReport UR1 1
UserProcess UR1 {Include *}
UserRule UR1 G_User {File C { Include C:\\**\\*.scr }
}
UserString UR10 "A3 禁用DOS命令提示符下的脚本运行工具"
UserEnforce UR10 1
UserReport UR10 1
UserProcess UR10 {Include *}
UserRule UR10 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cscript.exe }
}
UserString UR100 "A4 保护EXPLORER.EXE进程"
UserEnforce UR100 1
UserReport UR100 1
UserProcess UR100 {Include *}
UserRule UR100 G_User {File WCD { Include C:\\WINDOWS\\explorer.exe }
}
UserString UR101 "A5 保护SERVICES.EXE进程"
UserEnforce UR101 1
UserReport UR101 1
UserProcess UR101 {Include *}
UserRule UR101 G_User {File WCD { Include C:\\WINDOWS\\system32\\services.exe }
}
UserString UR102 "A6 保护CSRSS.EXE进程"
UserEnforce UR102 1
UserReport UR102 1
UserProcess UR102 {Include *}
UserRule UR102 G_User {File WCD { Include C:\\WINDOWS\\system32\\csrss.exe }
}
UserString UR103 "A7 保护WINLOGON.EXE进程"
UserEnforce UR103 1
UserReport UR103 1
UserProcess UR103 {Include *}
UserRule UR103 G_User {File WCD { Include C:\\WINDOWS\\system32\\winlogon.exe }
}
UserString UR104 "A8 保护SMSS.EXE进程"
UserEnforce UR104 1
UserReport UR104 1
UserProcess UR104 {Include *}
UserRule UR104 G_User {File WCD { Include C:\\WINDOWS\\system32\\smss.exe }
}
UserString UR105 "A9 保护整个IE浏览器程序目录"
UserEnforce UR105 0
UserReport UR105 0
UserProcess UR105 {Include *}
UserRule UR105 G_User {File WCD { Include "C:\\Program Files\\Internet Explorer\\**" }
}
UserString UR106 "A10 禁止在Common Files目录中新建,修改,删除任何文件"
UserEnforce UR106 0
UserReport UR106 0
UserProcess UR106 {Include *;Exclude McScript_InUse.exe}
UserRule UR106 G_User {File WCD { Include "C:\\Program Files\\Common Files\\**" }
}
UserString UR107 "A11 禁用Outlook Express程序目录"
UserEnforce UR107 0
UserReport UR107 0
UserProcess UR107 {Include *}
UserRule UR107 G_User {File WXCD { Include "C:\\Program Files\\Outlook Express\\**" }
}
UserString UR108 "A12 保护用于修复系统的基本配置文件夹"
UserEnforce UR108 1
UserReport UR108 1
UserProcess UR108 {Include *}
UserRule UR108 G_User {File WXCD { Include C:\\WINDOWS\\repair\\** }
}
UserString UR109 "A13 保护系统的应用程序修补备份文件夹"
UserEnforce UR109 1
UserReport UR109 1
UserProcess UR109 {Include *}
UserRule UR109 G_User {File WXCD { Include C:\\WINDOWS\\AppPatch\\** }
}
UserString UR11 "A14 禁止系统中基于web的应用程序私自运行"
UserEnforce UR11 0
UserReport UR11 0
UserProcess UR11 {Include *}
UserRule UR11 G_User {File WXCD { Include C:\\WINDOWS\\system32\\mshta.exe }
}
UserString UR110 "A15 保护硬件驱动的缓存文件夹"
UserEnforce UR110 1
UserReport UR110 1
UserProcess UR110 {Include *}
UserRule UR110 G_User {File WXCD { Include "C:\\WINDOWS\\Driver Cache\\**" }
}
UserString UR111 "A16 保护微软的应用程序文件夹"
UserEnforce UR111 1
UserReport UR111 1
UserProcess UR111 {Include *}
UserRule UR111 G_User {File WXCD { Include C:\\WINDOWS\\msapps\\** }
}
UserString UR112 "A17 保护系统启动配置文件的备份目录"
UserEnforce UR112 1
UserReport UR112 1
UserProcess UR112 {Include *}
UserRule UR112 G_User {File WXCD { Include C:\\WINDOWS\\pss\\** }
}
UserString UR113 "A18 保护系统的组件服务存储目录"
UserEnforce UR113 1
UserReport UR113 1
UserProcess UR113 {Include *}
UserRule UR113 G_User {File WXCD { Include C:\\WINDOWS\\system32\\Com\\** }
}
UserString UR114 "A19 保护系统的WMI测试程序文件夹"
UserEnforce UR114 1
UserReport UR114 1
UserProcess UR114 {Include *;Exclude cmd.exe svchost.exe}
UserRule UR114 G_User {File WCD { Include C:\\WINDOWS\\system32\\wbem\\** }
}
UserString UR115 "A20 防范驱动级木马病毒的入侵(rootkit)\[增强\]"
UserEnforce UR115 1
UserReport UR115 1
UserProcess UR115 {Include *;Exclude avgas.exe}
UserRule UR115 G_User {File WCD { Include C:\\WINDOWS\\system32\\**\\*.sys }
}
UserString UR116 "A21 保护IEXPLORE(微软浏览器)进程"
UserEnforce UR116 1
UserReport UR116 1
UserProcess UR116 {Include *}
UserRule UR116 G_User {File WCD { Include "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" }
}
UserString UR117 "A22 禁用系统计划任务管理器"
UserEnforce UR117 0
UserReport UR117 0
UserProcess UR117 {Include *}
UserRule UR117 G_User {File WXCD { Include C:\\WINDOWS\\TASKMAN.EXE }
}
UserString UR118 "A23 禁止私自在内存中加载新的DLL文件"
UserEnforce UR118 0
UserReport UR118 0
UserProcess UR118 {Include *;Exclude Explorer.EXE svchost.exe}
UserRule UR118 G_User {File WXCD { Include C:\\WINDOWS\\system32\\rundll32.exe }
}
UserString UR119 "A24 禁止私自将安装程序添加到自启动项中,并在重启后进行配置"
UserEnforce UR119 0
UserReport UR119 0
UserProcess UR119 {Include *}
UserRule UR119 G_User {File WXCD { Include C:\\WINDOWS\\system32\\runonce.exe }
}
UserString UR12 "A25 禁止format.com运行(防范恶意格式化行为)"
UserEnforce UR12 1
UserReport UR12 1
UserProcess UR12 {Include *}
UserRule UR12 G_User {File WXCD { Include C:\\WINDOWS\\system32\\format.com }
}
UserString UR120 "A26 保护Windows操作系统的\"启动顺序管理器\""
UserEnforce UR120 1
UserReport UR120 1
UserProcess UR120 {Include *}
UserRule UR120 G_User {File WCD { Include C:\\WINDOWS\\system32\\userinit.exe }
}
UserString UR121 "A27 保护系统的时间和日期设置信息显示管理器"
UserEnforce UR121 1
UserReport UR121 1
UserProcess UR121 {Include *}
UserRule UR121 G_User {File WCD { Include C:\\WINDOWS\\system32\\systray.exe }
}
UserString UR122 "A28 禁用系统的Internet连接共享 /防火墙控管程序"
UserEnforce UR122 0
UserReport UR122 0
UserProcess UR122 {Include *}
UserRule UR122 G_User {File WXCD { Include C:\\WINDOWS\\system32\\alg.exe }
}
UserString UR123 "A29 保护DLLHOST.EXE进程"
UserEnforce UR123 1
UserReport UR123 1
UserProcess UR123 {Include *;Exclude MSConfig.exe}
UserRule UR123 G_User {File WXCD { Include C:\\WINDOWS\\system32\\dllhost.exe }
}
UserString UR124 "A30 保护用于管理多线程,内存和资源的Windows壳进程"
UserEnforce UR124 1
UserReport UR124 1
UserProcess UR124 {Include *}
UserRule UR124 G_User {File WCD { Include C:\\WINDOWS\\system32\\kernel32.dll }
}
UserString UR125 "A31 保护CONIME.EXE进程"
UserEnforce UR125 1
UserReport UR125 1
UserProcess UR125 {Include *}
UserRule UR125 G_User {File WCD { Include C:\\WINDOWS\\system32\\conime.exe }
}
UserString UR126 "A32 禁止(监视)一切高端动态\\私有端口的连接尝试行为"
UserEnforce UR126 1
UserReport UR126 1
UserProcess UR126 {Include *}
UserRule UR126 G_User {Port IOUT {Include 49152 65535}
}
UserString UR127 "A33 监视本地与远程的注册(动态分配)端口的连接行为"
UserEnforce UR127 0
UserReport UR127 0
UserProcess UR127 {Include *;Exclude avgas.exe flashget.exe IEXPLORE.EXE QQ.exe}
UserRule UR127 G_User {Port OUT {Include 1024 49151}
}
UserString UR128 "A34 监视远程对本地公认服务端口的连接行为"
UserEnforce UR128 1
UserReport UR128 1
UserProcess UR128 {Include *}
UserRule UR128 G_User {Port IUT {Include 1 1023}
}
UserString UR129 "A35 保护WINDOWS任务管理器"
UserEnforce UR129 1
UserReport UR129 1
UserProcess UR129 {Include *}
UserRule UR129 G_User {File WCD { Include C:\\WINDOWS\\system32\\taskmgr.exe }
}
UserString UR13 "A36 禁止私自调用帮助文件和文档初始化工具"
UserEnforce UR13 0
UserReport UR13 0
UserProcess UR13 {Include *;Exclude Explorer.EXE}
UserRule UR13 G_User {File WXCD { Include C:\\WINDOWS\\hh.exe }
}
UserString UR130 "A37 保护系统中的\"控制面板\"应用程序"
UserEnforce UR130 1
UserReport UR130 1
UserProcess UR130 {Include *}
UserRule UR130 G_User {File WCD { Include C:\\WINDOWS\\system32\\control.exe }
}

remcn

UserString UR131 "A38 保护系统中的MSDOS配置程序"
UserEnforce UR131 1
UserReport UR131 1
UserProcess UR131 {Include *}
UserRule UR131 G_User {File WCD { Include C:\\WINDOWS\\system32\\dosx.exe }
}
UserString UR132 "A39 禁止私自调用DOS命令程序"
UserEnforce UR132 0
UserReport UR132 0
UserProcess UR132 {Include *}
UserRule UR132 G_User {File WXCD { Include C:\\WINDOWS\\system32\\doskey.exe }
}
UserString UR133 "A40 禁止对本地的NETBIOS连接"
UserEnforce UR133 1
UserReport UR133 1
UserProcess UR133 {Include *}
UserRule UR133 G_User {Port IUT {Include 137 139}
}
UserString UR134 "A41 禁止\\保护本地135端口"
UserEnforce UR134 1
UserReport UR134 1
UserProcess UR134 {Include *}
UserRule UR134 G_User {Port IUT {Include 135 135}
}
UserString UR135 "A42 禁止\\保护本地445端口"
UserEnforce UR135 1
UserReport UR135 1
UserProcess UR135 {Include *}
UserRule UR135 G_User {Port IUT {Include 445 445}
}
UserString UR136 "A43 屏蔽远程对本地3389端口的访问"
UserEnforce UR136 1
UserReport UR136 1
UserProcess UR136 {Include *}
UserRule UR136 G_User {Port IUT {Include 3389 3389}
}
UserString UR137 "A44 关闭用于跨网传送电子邮件(SMTP)服务的25端口"
UserEnforce UR137 1
UserReport UR137 1
UserProcess UR137 {Include *}
UserRule UR137 G_User {Port IUT {Include 25 25}
}
UserString UR138 "A45 关闭本地用于Telnet远程登录服务的23端口"
UserEnforce UR138 1
UserReport UR138 1
UserProcess UR138 {Include *}
UserRule UR138 G_User {Port IUT {Include 23 23}
}
UserString UR139 "A46 关闭SimpleTCP/IPService(TCP/IP)等服务端口"
UserEnforce UR139 1
UserReport UR139 1
UserProcess UR139 {Include *}
UserRule UR139 G_User {Port IUT {Include 7 9}
}
UserString UR14 "A47 禁止私自启用命令行运行工具"
UserEnforce UR14 1
UserReport UR14 1
UserProcess UR14 {Include *;Exclude Explorer.EXE}
UserRule UR14 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cmd.exe }
}
UserString UR140 "A48 关闭本地的SQL Server 1433服务端口"
UserEnforce UR140 0
UserReport UR140 0
UserProcess UR140 {Include *}
UserRule UR140 G_User {Port IUT {Include 1433 1433}
}
UserString UR141 "A49 关闭本地用于的EMAIL服务的57端口"
UserEnforce UR141 1
UserReport UR141 1
UserProcess UR141 {Include *}
UserRule UR141 G_User {Port IUT {Include 57 57}
}
UserString UR142 "A50 关闭本地的1080代理服务端口"
UserEnforce UR142 0
UserReport UR142 0
UserProcess UR142 {Include *}
UserRule UR142 G_User {Port IUT {Include 1080 1080}
}
UserString UR143 "A51 关闭本地的3128代理服务端口"
UserEnforce UR143 0
UserReport UR143 0
UserProcess UR143 {Include *}
UserRule UR143 G_User {Port IUT {Include 3128 3128}
}
UserString UR144 "A52 关闭本地的6588代理服务端口"
UserEnforce UR144 0
UserReport UR144 0
UserProcess UR144 {Include *}
UserRule UR144 G_User {Port IUT {Include 6588 6588}
}
UserString UR145 "A53 关闭本地的8080代理服务端口"
UserEnforce UR145 0
UserReport UR145 0
UserProcess UR145 {Include *}
UserRule UR145 G_User {Port IUT {Include 8080 8080}
}
UserString UR146 "A54 关闭本地用于SNMP服务的161端口"
UserEnforce UR146 1
UserReport UR146 1
UserProcess UR146 {Include *}
UserRule UR146 G_User {Port IUT {Include 161 161}
}
UserString UR147 "A55 不提供DNS域名解析服务,关闭本地的53端口"
UserEnforce UR147 1
UserReport UR147 1
UserProcess UR147 {Include *}
UserRule UR147 G_User {Port IUT {Include 53 53}
}
UserString UR148 "A56 关闭本地提供引导程序服务的67端口"
UserEnforce UR148 1
UserReport UR148 1
UserProcess UR148 {Include *}
UserRule UR148 G_User {Port IUT {Include 67 67}
}
UserString UR149 "A57 关闭本地危险的512端口"
UserEnforce UR149 1
UserReport UR149 1
UserProcess UR149 {Include *}
UserRule UR149 G_User {Port IUT {Include 512 512}
}
UserString UR15 "A58 禁止修改文件访问控制权限"
UserEnforce UR15 0
UserReport UR15 0
UserProcess UR15 {Include *}
UserRule UR15 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cacls.exe }
}
UserString UR150 "A59 不提供网页浏览服务,关闭80端口"
UserEnforce UR150 1
UserReport UR150 1
UserProcess UR150 {Include *}
UserRule UR150 G_User {Port IUT {Include 80 80}
}
UserString UR151 "A60 关闭本地的HTTPS服务端口"
UserEnforce UR151 1
UserReport UR151 1
UserProcess UR151 {Include *}
UserRule UR151 G_User {Port IUT {Include 443 443}
}
UserString UR152 "A61 关闭本地用于查询用户的79端口"
UserEnforce UR152 1
UserReport UR152 1
UserProcess UR152 {Include *}
UserRule UR152 G_User {Port IUT {Include 79 79}
}
UserString UR153 "A62 关闭本地用于查询身份的113端口"
UserEnforce UR153 1
UserReport UR153 1
UserProcess UR153 {Include *}
UserRule UR153 G_User {Port IUT {Include 113 113}
}
UserString UR154 "A63 关闭用于提供“新闻服务器”服务的119端口"
UserEnforce UR154 1
UserReport UR154 1
UserProcess UR154 {Include *}
UserRule UR154 G_User {Port IUT {Include 119 119}
}
UserString UR155 "A64 保护微软的用户文字输入\\微软Office XP语言条工具程序"
UserEnforce UR155 1
UserReport UR155 1
UserProcess UR155 {Include *}
UserRule UR155 G_User {File WCD { Include C:\\WINDOWS\\system32\\ctfmon.exe }
}
UserString UR156 "A65 禁止将应用程序的相关错误信息发送给微软"
UserEnforce UR156 0
UserReport UR156 0
UserProcess UR156 {Include *}
UserRule UR156 G_User {File WXCD { Include C:\\WINDOWS\\system32\\dumprep.exe }
}
UserString UR157 "A66 禁止用于维护远程调用本地系统服务的数据库程序"
UserEnforce UR157 0
UserReport UR157 0
UserProcess UR157 {Include *}
UserRule UR157 G_User {File WXCD { Include C:\\WINDOWS\\system32\\locator.exe }
}
UserString UR158 "A67 保护C盘根目录下的AUTOEXEC.BAT批处理文件"
UserEnforce UR158 1
UserReport UR158 1
UserProcess UR158 {Include *}
UserRule UR158 G_User {File WCD { Include C:\\AUTOEXEC.BAT }
}
UserString UR159 "A68 保护系统中对\"反复启动行为\"的保护性进程"
UserEnforce UR159 1
UserReport UR159 1
UserProcess UR159 {Include *}
UserRule UR159 G_User {File WCD { Include C:\\WINDOWS\\system32\\ntoskrnl.exe }
}
UserString UR16 "A69 禁止私自启用计划运行任务程序"
UserEnforce UR16 0
UserReport UR16 0
UserProcess UR16 {Include *}
UserRule UR16 G_User {File WXCD { Include C:\\WINDOWS\\system32\\at.exe }
}
UserString UR160 "A70 保护系统中用于32位系统环境的16位进程虚拟机"
UserEnforce UR160 1
UserReport UR160 1
UserProcess UR160 {Include *}
UserRule UR160 G_User {File WCD { Include C:\\WINDOWS\\system32\\ntvdm.exe }
}
UserString UR161 "A71 保护系统自带的Modem拨号(调制解调器)连接管理器"
UserEnforce UR161 1
UserReport UR161 1
UserProcess UR161 {Include *}
UserRule UR161 G_User {File WCD { Include C:\\WINDOWS\\system32\\rasautou.exe }
}
UserString UR162 "A72 保护系统的虚拟内存实时转换进程"
UserEnforce UR162 1
UserReport UR162 1
UserProcess UR162 {Include *}
UserRule UR162 G_User {File WCD { Include C:\\WINDOWS\\system32\\savedump.exe }
}
UserString UR163 "A73 禁用(保护)系统的打印服务进程"
UserEnforce UR163 0
UserReport UR163 0
UserProcess UR163 {Include *}
UserRule UR163 G_User {File WXCD { Include C:\\WINDOWS\\system32\\spoolsv.exe }

remcn

}
UserString UR164 "A74 保护系统中专用于TCP/IP网络服务的网络组件"
UserEnforce UR164 1
UserReport UR164 1
UserProcess UR164 {Include *}
UserRule UR164 G_User {File WCD { Include C:\\WINDOWS\\system32\\tcpsvcs.exe }
}
UserString UR165 "A75 保护本地的Windows(系统)管理脚本服务管理器"
UserEnforce UR165 1
UserReport UR165 1
UserProcess UR165 {Include *}
UserRule UR165 G_User {File WCD { Include C:\\WINDOWS\\system32\\wmimgmt.msc }
}
UserString UR166 "A76 保护Windows用于系统自动升级的更新检测程序"
UserEnforce UR166 1
UserReport UR166 1
UserProcess UR166 {Include *}
UserRule UR166 G_User {File WCD { Include C:\\WINDOWS\\system32\\wuauclt.exe }
}
UserString UR167 "A77 保护系统磁盘管理器"
UserEnforce UR167 0
UserReport UR167 0
UserProcess UR167 {Include *}
UserRule UR167 G_User {File WXCD { Include C:\\WINDOWS\\system32\\diskmgmt.msc }
}
UserString UR168 "A78 保护硬盘分区管理程序"
UserEnforce UR168 0
UserReport UR168 0
UserProcess UR168 {Include *}
UserRule UR168 G_User {File WXCD { Include C:\\WINDOWS\\system32\\diskpart.exe }
}
UserString UR169 "A79 保护本地所有COM文件(防止修改)"
UserEnforce UR169 0
UserReport UR169 0
UserProcess UR169 {Include *}
UserRule UR169 G_User {File W { Include **\\*.com }
}
UserString UR17 "A80 防范远程注册表操作,禁止调用regsvc.dll"
UserEnforce UR17 1
UserReport UR17 1
UserProcess UR17 {Include *}
UserRule UR17 G_User {File WXCD { Include C:\\WINDOWS\\system32\\regsvc.dll }
}
UserString UR170 "A81 保护本地所有COM文件(防止删除)"
UserEnforce UR170 0
UserReport UR170 0
UserProcess UR170 {Include *}
UserRule UR170 G_User {File D { Include **\\*.com }
}
UserString UR171 "A82 保护本地网卡底层物理地址的管理程序"
UserEnforce UR171 1
UserReport UR171 1
UserProcess UR171 {Include *}
UserRule UR171 G_User {File WCD { Include C:\\WINDOWS\\system32\\arp.exe }
}
UserString UR172 "A83 禁止\"在启动过程中自动转化系统 \""
UserEnforce UR172 0
UserReport UR172 0
UserProcess UR172 {Include *}
UserRule UR172 G_User {File WXCD { Include C:\\WINDOWS\\system32\\autoconv.exe }
}
UserString UR173 "A84 严禁在启动过程中格式化进程 "
UserEnforce UR173 0
UserReport UR173 0
UserProcess UR173 {Include *}
UserRule UR173 G_User {File WXCD { Include C:\\WINDOWS\\system32\\autofmt.exe }
}
UserString UR174 "A85 保护(禁用)SQL客户网络工具"
UserEnforce UR174 0
UserReport UR174 0
UserProcess UR174 {Include *}
UserRule UR174 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cliconfg.exe }
}
UserString UR175 "A86 超级防护规则(警告！慎用此规则！)"
UserEnforce UR175 0
UserReport UR175 0
UserProcess UR175 {Include *}
UserRule UR175 G_User {File WXCD { Include **\\** }
}
UserString UR176 "A87 防范网络入侵,关闭本地4899端口"
UserEnforce UR176 1
UserReport UR176 1
UserProcess UR176 {Include *}
UserRule UR176 G_User {Port IUT {Include 4899 4899}
}
UserString UR177 "A88 屏蔽本地WINDOWS服务端口（防范Netspy）"
UserEnforce UR177 0
UserReport UR177 0
UserProcess UR177 {Include *}
UserRule UR177 G_User {Port IUT {Include 1024 1025}
}
UserString UR178 "A89 防止利用UPnP (通用即插即用)漏洞入侵"
UserEnforce UR178 1
UserReport UR178 1
UserProcess UR178 {Include *}
UserRule UR178 G_User {Port IUT {Include 5000 5000}
}
UserString UR179 "A90 屏蔽本地的PPTP（点到点隧道协议）服务端口"
UserEnforce UR179 0
UserReport UR179 0
UserProcess UR179 {Include *}
UserRule UR179 G_User {Port IUT {Include 1723 1723}
}
UserString UR18 "A91 禁止在C盘中新建任何VXD文件"
UserEnforce UR18 1
UserReport UR18 1
UserProcess UR18 {Include *}
UserRule UR18 G_User {File C { Include C:\\**\\*.vxd }
}
UserString UR180 "A92 关闭本地31端口(防范木马Master Paradise)"
UserEnforce UR180 1
UserReport UR180 1
UserProcess UR180 {Include *}
UserRule UR180 G_User {Port IUT {Include 31 31}
}
UserString UR181 "A93 关闭本地41端口（防范木马DeepThroat）"
UserEnforce UR181 1
UserReport UR181 1
UserProcess UR181 {Include *}
UserRule UR181 G_User {Port IUT {Include 41 41}
}
UserString UR182 "A94 关闭本地58端口（防范木马Dmsetup）"
UserEnforce UR182 1
UserReport UR182 1
UserProcess UR182 {Include *}
UserRule UR182 G_User {Port IUT {Include 58 58}
}
UserString UR183 "A95 关闭本地146端口（防范木马FC Infector）"
UserEnforce UR183 1
UserReport UR183 1
UserProcess UR183 {Include *}
UserRule UR183 G_User {Port IUT {Include 146 146}
}
UserString UR184 "A96 关闭本地531端口（防范木马RASmin）"
UserEnforce UR184 1
UserReport UR184 1
UserProcess UR184 {Include *}
UserRule UR184 G_User {Port IUT {Include 531 531}
}
UserString UR185 "A97 关闭本地555端口（防范木马Stealth Spy）"
UserEnforce UR185 1
UserReport UR185 1
UserProcess UR185 {Include *}
UserRule UR185 G_User {Port IUT {Include 555 555}
}
UserString UR186 "A98 关闭本地666端口（防范木马Bla, Attack FTP）"
UserEnforce UR186 1
UserReport UR186 1
UserProcess UR186 {Include *}
UserRule UR186 G_User {Port IUT {Include 666 666}
}
UserString UR187 "A99 关闭本地911端口（防范木马Dark Shadow）"
UserEnforce UR187 1
UserReport UR187 1
UserProcess UR187 {Include *}
UserRule UR187 G_User {Port IUT {Include 911 911}
}
UserString UR188 "A100 关闭本地1001端口（防范木马Silencer）"
UserEnforce UR188 1
UserReport UR188 1
UserProcess UR188 {Include *}
UserRule UR188 G_User {Port IUT {Include 1001 1001}
}
UserString UR189 "B1 防范木马Doly的入侵"
UserEnforce UR189 1
UserReport UR189 1
UserProcess UR189 {Include *}
UserRule UR189 G_User {Port IUT {Include 1010 1012}
}
UserString UR19 "B2 禁止私自创建共享文件夹"
UserEnforce UR19 0
UserReport UR19 0
UserProcess UR19 {Include *}
UserRule UR19 G_User {File WXCD { Include C:\\WINDOWS\\system32\\shrpubw.exe }
}
UserString UR190 "B3 防范木马Doly的入侵（增强）"
UserEnforce UR190 0
UserReport UR190 0
UserProcess UR190 {Include *}
UserRule UR190 G_User {Port IUT {Include 1015 1015}
}
UserString UR191 "B4 关闭本地1042端口（防范木马Bla）"
UserEnforce UR191 0
UserReport UR191 0
UserProcess UR191 {Include *}
UserRule UR191 G_User {Port IUT {Include 1042 1042}
}
UserString UR192 "B5 关闭本地1045端口（防范木马RASmin）"
UserEnforce UR192 0
UserReport UR192 0
UserProcess UR192 {Include *}
UserRule UR192 G_User {Port IUT {Include 1045 1045}
}
UserString UR193 "B6 关闭本地1090端口（防范木马Extreme）"
UserEnforce UR193 0
UserReport UR193 0
UserProcess UR193 {Include *}
UserRule UR193 G_User {Port IUT {Include 1090 1090}
}
UserString UR194 "B7 关闭本地1234端口（防范木马Ultor\'s）"
UserEnforce UR194 0
UserReport UR194 0
UserProcess UR194 {Include *}
UserRule UR194 G_User {Port IUT {Include 1234 1234}
}
UserString UR195 "B8 关闭本地1243端口（防范木马Backdoor/SubSeven）"
UserEnforce UR195 0
UserReport UR195 0
UserProcess UR195 {Include *}
UserRule UR195 G_User {Port IUT {Include 1243 1243}
}
UserString UR196 "B9 防范木马TransScout的入侵"
UserEnforce UR196 0
UserReport UR196 0
UserProcess UR196 {Include *}
UserRule UR196 G_User {Port IUT {Include 1999 2005}
}
UserString UR197 "B10 关闭本地2565端口（防范木马Striker）"
UserEnforce UR197 0
UserReport UR197 0
UserProcess UR197 {Include *}
UserRule UR197 G_User {Port IUT {Include 2565 2565}
}

remcn

UserString UR198 "B11 关闭本地2801端口（防范木马Phinneas Phucker）"
UserEnforce UR198 0
UserReport UR198 0
UserProcess UR198 {Include *}
UserRule UR198 G_User {Port IUT {Include 2801 2801}
}
UserString UR199 "B12 关闭本地4267端口（防范木马SubSeven）"
UserEnforce UR199 0
UserReport UR199 0
UserProcess UR199 {Include *}
UserRule UR199 G_User {Port IUT {Include 4267 4267}
}
UserString UR2 "B13 禁止在本地新建任何dll文件（增强）"
UserEnforce UR2 0
UserReport UR2 0
UserProcess UR2 {Include *}
UserRule UR2 G_User {File WCD { Include **\\*.dll }
}
UserString UR20 "B14 禁止私自启动远程登录客户端程序"
UserEnforce UR20 0
UserReport UR20 0
UserProcess UR20 {Include *}
UserRule UR20 G_User {File WXCD { Include C:\\WINDOWS\\system32\\telnet.exe }
}
UserString UR200 "B15 关闭本地5001端口（防范木马Sokets de Trois）"
UserEnforce UR200 0
UserReport UR200 0
UserProcess UR200 {Include *}
UserRule UR200 G_User {Port IUT {Include 5001 5001}
}
UserString UR201 "B16 关闭本地5321端口（防范木马FireHotcker）"
UserEnforce UR201 0
UserReport UR201 0
UserProcess UR201 {Include *}
UserRule UR201 G_User {Port IUT {Include 5321 5321}
}
UserString UR202 "B17 防范木马Blade Runner"
UserEnforce UR202 0
UserReport UR202 0
UserProcess UR202 {Include *}
UserRule UR202 G_User {Port IUT {Include 5400 5402}
}
UserString UR203 "B18 防范木马,SERV-Me,BO-Facil,BO-Facil"
UserEnforce UR203 0
UserReport UR203 0
UserProcess UR203 {Include *}
UserRule UR203 G_User {Port IUT {Include 5555 5557}
}
UserString UR204 "B19 关闭本地5569端口（防范木马Robo-Hack）"
UserEnforce UR204 0
UserReport UR204 0
UserProcess UR204 {Include *}
UserRule UR204 G_User {Port IUT {Include 5569 5569}
}
UserString UR205 "B20 关闭本地5742端口（防范木马WinCrash）"
UserEnforce UR205 0
UserReport UR205 0
UserProcess UR205 {Include *}
UserRule UR205 G_User {Port IUT {Include 5742 5742}
}
UserString UR206 "B21 关闭本地7300端口（防范木马NetMonitor）"
UserEnforce UR206 0
UserReport UR206 0
UserProcess UR206 {Include *}
UserRule UR206 G_User {Port IUT {Include 7300 7300}
}
UserString UR207 "B22 关闭本地7308端口,防范木马NetMonitor（增强）"
UserEnforce UR207 0
UserReport UR207 0
UserProcess UR207 {Include *}
UserRule UR207 G_User {Port IUT {Include 7308 7308}
}
UserString UR208 "B23 关闭本地7789端口（防范木马ICKiller）"
UserEnforce UR208 0
UserReport UR208 0
UserProcess UR208 {Include *}
UserRule UR208 G_User {Port IUT {Include 7789 7789}
}
UserString UR209 "B24 防范木马Portal of Doom（增强）"
UserEnforce UR209 0
UserReport UR209 0
UserProcess UR209 {Include *}
UserRule UR209 G_User {Port IUT {Include 9872 9875}
}
UserString UR21 "B25 禁止在C盘中新建任何EXE可执行文件"
UserEnforce UR21 1
UserReport UR21 1
UserProcess UR21 {Include *;Exclude McScript_InUse.exe}
UserRule UR21 G_User {File C { Include C:\\**\\*.exe }
}
UserString UR210 "B26 关闭本地11000端口（防范木马Senna Spy）"
UserEnforce UR210 0
UserReport UR210 0
UserProcess UR210 {Include *}
UserRule UR210 G_User {Port IUT {Include 11000 11000}
}
UserString UR211 "B27 关闭本地11223端口（防范木马Progenic）"
UserEnforce UR211 0
UserReport UR211 0
UserProcess UR211 {Include *}
UserRule UR211 G_User {Port IUT {Include 11223 11223}
}
UserString UR212 "B28 关闭本地12076端口（防范木马GJammer）"
UserEnforce UR212 0
UserReport UR212 0
UserProcess UR212 {Include *}
UserRule UR212 G_User {Port IUT {Include 12076 12076}
}
UserString UR213 "B29 防范木马NetBus（增强）"
UserEnforce UR213 0
UserReport UR213 0
UserProcess UR213 {Include *}
UserRule UR213 G_User {Port IUT {Include 12345 12346}
}
UserString UR214 "B30 关闭本地12362端口（防范木马Whack-a-Mole）"
UserEnforce UR214 0
UserReport UR214 0
UserProcess UR214 {Include *}
UserRule UR214 G_User {Port IUT {Include 12362 12362}
}
UserString UR215 "B31 关闭本地23456端口（防范木马EvilFTP, UglyFTP）"
UserEnforce UR215 0
UserReport UR215 0
UserProcess UR215 {Include *}
UserRule UR215 G_User {Port IUT {Include 23456 23456}
}
UserString UR216 "B32 关闭本地23477端口（防范木马Donald Dick）"
UserEnforce UR216 0
UserReport UR216 0
UserProcess UR216 {Include *}
UserRule UR216 G_User {Port IUT {Include 23477 23477}
}
UserString UR217 "C1 防范木马NetSphere（增强）"
UserEnforce UR217 0
UserReport UR217 0
UserProcess UR217 {Include *}
UserRule UR217 G_User {Port IUT {Include 30100 30102}
}
UserString UR218 "C2 关闭本地31337端口（防范木马Back Orifice 2000）"
UserEnforce UR218 0
UserReport UR218 0
UserProcess UR218 {Include *}
UserRule UR218 G_User {Port IUT {Include 31337 31337}
}
UserString UR219 "C3 防范木马Hack \'A\' Tack（增强）"
UserEnforce UR219 0
UserReport UR219 0
UserProcess UR219 {Include *}
UserRule UR219 G_User {Port IUT {Include 31785 31792}
}
UserString UR22 "C4 禁止在C盘中新建任何COM可执行文件"
UserEnforce UR22 1
UserReport UR22 1
UserProcess UR22 {Include *}
UserRule UR22 G_User {File C { Include C:\\**\\*.com }
}
UserString UR220 "C5 防范木马Master Paradise（增强）"
UserEnforce UR220 0
UserReport UR220 0
UserProcess UR220 {Include *}
UserRule UR220 G_User {Port IUT {Include 40421 40426}
}
UserString UR221 "C6 防范木马Back Orifice 2000（增强）"
UserEnforce UR221 0
UserReport UR221 0
UserProcess UR221 {Include *}
UserRule UR221 G_User {Port IUT {Include 54320 54321}
}
UserString UR222 "C7 屏蔽本地60000端口（防范木马DeepThroat）"
UserEnforce UR222 1
UserReport UR222 1
UserProcess UR222 {Include *}
UserRule UR222 G_User {Port IOUT {Include 60000 60000}
}
UserString UR223 "C8 关闭本地6267端口（防范木马\"广外女生\"）"
UserEnforce UR223 1
UserReport UR223 1
UserProcess UR223 {Include *}
UserRule UR223 G_User {Port IUT {Include 6267 6267}
}
UserString UR224 "C9 关闭本地7626端口（防范木马\"冰河\"）"
UserEnforce UR224 1
UserReport UR224 1
UserProcess UR224 {Include *}
UserRule UR224 G_User {Port IUT {Include 7626 7626}
}
UserString UR225 "C10 关闭本地88端口（某些木马利用这个端口）"
UserEnforce UR225 1
UserReport UR225 1
UserProcess UR225 {Include *}
UserRule UR225 G_User {Port IUT {Include 88 88}
}
UserString UR226 "C11 关闭本地553端口（防止信息泄漏）"
UserEnforce UR226 1
UserReport UR226 1
UserProcess UR226 {Include *}
UserRule UR226 G_User {Port IUT {Include 553 553}
}
UserString UR227 "C12 关闭本地8102端口（防范木马\"网络神偷\"）"
UserEnforce UR227 1
UserReport UR227 1
UserProcess UR227 {Include *}
UserRule UR227 G_User {Port IUT {Include 8102 8102}
}
UserString UR228 "C13 关闭本地4006端口（防范木马\"灰鸽子\"）"
UserEnforce UR228 1
UserReport UR228 1
UserProcess UR228 {Include *}
UserRule UR228 G_User {Port IUT {Include 4006 4006}
}
UserString UR229 "C14 关闭本地6667端口（防范木马\"小邮差\",SCO炸弹）"
UserEnforce UR229 1
UserReport UR229 1
UserProcess UR229 {Include *}
UserRule UR229 G_User {Port IUT {Include 6667 6667}
}

remcn

UserString UR23 "C15 禁止在C盘中新建任何DLL动态连接库文件"
UserEnforce UR23 1
UserReport UR23 1
UserProcess UR23 {Include *;Exclude FrameworkService.exe IEXPLORE.EXE McScript_InUse.exe}
UserRule UR23 G_User {File C { Include C:\\**\\*.dll }
}
UserString UR230 "C16 关闭本地10168端口（防范“恶邮差”）"
UserEnforce UR230 1
UserReport UR230 1
UserProcess UR230 {Include *}
UserRule UR230 G_User {Port IUT {Include 10168 10168}
}
UserString UR231 "C17 关闭本地19191端口（防范“蓝色火焰”）"
UserEnforce UR231 1
UserReport UR231 1
UserProcess UR231 {Include *}
UserRule UR231 G_User {Port IUT {Include 19191 19191}
}
UserString UR24 "C18 防范脚本病毒,禁止调用scrrun.dll"
UserEnforce UR24 1
UserReport UR24 1
UserProcess UR24 {Include *}
UserRule UR24 G_User {File WXCD { Include C:\\WINDOWS\\system32\\scrrun.dll }
}
UserString UR25 "C19 禁止在C盘中新建任何批处理BAT文件"
UserEnforce UR25 1
UserReport UR25 1
UserProcess UR25 {Include *;Exclude Explorer.EXE}
UserRule UR25 G_User {File C { Include C:\\**\\*.bat }
}
UserString UR26 "C20 禁止在C盘中新建任何VBS脚本文件"
UserEnforce UR26 1
UserReport UR26 1
UserProcess UR26 {Include *}
UserRule UR26 G_User {File C { Include C:\\**\\*.vbs }
}
UserString UR27 "C21 禁止访问TEMP文件夹，防止恶意安装程序"
UserEnforce UR27 0
UserReport UR27 0
UserProcess UR27 {Include *}
UserRule UR27 G_User {File WXCD { Include G:\\Temp\\** }
}
UserString UR28 "C22 禁止在C盘中新建任何JS脚本文件"
UserEnforce UR28 1
UserReport UR28 1
UserProcess UR28 {Include *;Exclude QQ.exe}
UserRule UR28 G_User {File C { Include C:\\**\\*.js }
}
UserString UR29 "C23 禁止在C盘中新建任何JSE脚本文件"
UserEnforce UR29 1
UserReport UR29 1
UserProcess UR29 {Include *}
UserRule UR29 G_User {File C { Include C:\\**\\*.jse }
}
UserString UR3 "C24 禁止对Access数据库文件进行任何操作"
UserEnforce UR3 0
UserReport UR3 0
UserProcess UR3 {Include *}
UserRule UR3 G_User {File WXCD { Include **\\*.mdb }
}
UserString UR30 "C25 禁止在C盘中新建任何VBE文件"
UserEnforce UR30 1
UserReport UR30 1
UserProcess UR30 {Include *}
UserRule UR30 G_User {File C { Include C:\\**\\*.vbe }
}
UserString UR31 "C26 禁止C盘中新建,运行任何WSH文件"
UserEnforce UR31 1
UserReport UR31 1
UserProcess UR31 {Include *}
UserRule UR31 G_User {File XC { Include C:\\**\\*.wsh }
}
UserString UR32 "C27 禁止C盘中新建任何WSF文件"
UserEnforce UR32 1
UserReport UR32 1
UserProcess UR32 {Include *}
UserRule UR32 G_User {File C { Include C:\\**\\*.wsf }
}
UserString UR33 "C28 禁止在本地新建,修改,执行任何AUTORUN.INF文件"
UserEnforce UR33 1
UserReport UR33 1
UserProcess UR33 {Include *}
UserRule UR33 G_User {File WXC { Include **\\autorun.inf }
}
UserString UR34 "C29 禁止在C盘中新建任何SYS文件"
UserEnforce UR34 1
UserReport UR34 1
UserProcess UR34 {Include *}
UserRule UR34 G_User {File C { Include C:\\**\\*.sys }
}
UserString UR35 "C30 禁止私自添加在桌面上显示的文件"
UserEnforce UR35 1
UserReport UR35 1
UserProcess UR35 {Include *;Exclude Explorer.EXE}
UserRule UR35 G_User {File C { Include "C:\\Documents and Settings\\**\\桌面\\**" }
}
UserString UR36 "C31 禁止启用远程桌面程序"
UserEnforce UR36 0
UserReport UR36 0
UserProcess UR36 {Include *}
UserRule UR36 G_User {File WXCD { Include C:\\WINDOWS\\system32\\mstsc.exe }
}
UserString UR37 "C32 禁止私自在本地用户的开始菜单中添加新的项目"
UserEnforce UR37 1
UserReport UR37 1
UserProcess UR37 {Include *}
UserRule UR37 G_User {File C { Include "C:\\Documents and Settings\\**\\「开始」菜单\\**" }
}
UserString UR38 "C33 禁止在C盘中新建ZIP文件(防范某些蠕虫)"
UserEnforce UR38 0
UserReport UR38 0
UserProcess UR38 {Include *;Exclude FrameworkService.exe}
UserRule UR38 G_User {File C { Include C:\\**\\*.zip }
}
UserString UR39 "C34 禁用NetMeeting网络会议程序"
UserEnforce UR39 0
UserReport UR39 0
UserProcess UR39 {Include *}
UserRule UR39 G_User {File WXCD { Include **\\NetMeeting\\** }
}
UserString UR4 "C35 保护系统中的SYSTEM.INI配置文件"
UserEnforce UR4 1
UserReport UR4 1
UserProcess UR4 {Include *}
UserRule UR4 G_User {File WCD { Include C:\\WINDOWS\\system.ini }
}
UserString UR40 "C36 禁止在本地新建任何*desktop*.ini文件"
UserEnforce UR40 1
UserReport UR40 1
UserProcess UR40 {Include *;Exclude IEXPLORE.EXE iGame.exe}
UserRule UR40 G_User {File C { Include **\\*desktop*.ini }
}
UserString UR41 "C37 禁止java目录下的程序私自运行"
UserEnforce UR41 0
UserReport UR41 0
UserProcess UR41 {Include *}
UserRule UR41 G_User {File WXC { Include C:\\WINDOWS\\java\\** }
}
UserString UR42 "C38 禁止在C盘中新建CHM文件"
UserEnforce UR42 0
UserReport UR42 0
UserProcess UR42 {Include *}
UserRule UR42 G_User {File C { Include C:\\**\\*.chm }
}
UserString UR43 "C39 禁止启动\"Downloads\"目录中的任何文件（增强）"
UserEnforce UR43 0
UserReport UR43 0
UserProcess UR43 {Include *}
UserRule UR43 G_User {File XD { Include **\\Downloads\\** }
}
UserString UR44 "C40 保护本机所有EXE可执行文件（防止修改）"
UserEnforce UR44 0
UserReport UR44 0
UserProcess UR44 {Include *;Exclude Explorer.EXE FrameworkService.exe McScript_InUse.exe WinRAR.exe}
UserRule UR44 G_User {File W { Include **\\*.exe }
}
UserString UR45 "C41 禁止私自在Program Files根目录下新建文件"
UserEnforce UR45 1
UserReport UR45 1
UserProcess UR45 {Include *;Exclude Explorer.EXE}
UserRule UR45 G_User {File C { Include "**\\Program Files\\*.*" }
}
UserString UR46 "C42 禁止私自启动Netware登录脚本处理器"
UserEnforce UR46 0
UserReport UR46 0
UserProcess UR46 {Include *}
UserRule UR46 G_User {File WXCD { Include C:\\WINDOWS\\system32\\nwscript.exe }
}
UserString UR47 "C43 禁用自动下载连接管理器"
UserEnforce UR47 0
UserReport UR47 0
UserProcess UR47 {Include *}
UserRule UR47 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cmdl32.exe }
}
UserString UR48 "C44 禁止未经许可的控件注册"
UserEnforce UR48 1
UserReport UR48 1
UserProcess UR48 {Include *}
UserRule UR48 G_User {File WXCD { Include C:\\WINDOWS\\system32\\regsvr32.exe }
}
UserString UR49 "C45 禁止script.dll运行(防范恶意脚本)"
UserEnforce UR49 1
UserReport UR49 1
UserProcess UR49 {Include *}
UserRule UR49 G_User {File WXCD { Include C:\\WINDOWS\\system32\\usmt\\script.dll }
}
UserString UR5 "C46 保护系统中的WIN.INI配置文件"
UserEnforce UR5 1
UserReport UR5 1
UserProcess UR5 {Include *}
UserRule UR5 G_User {File WCD { Include C:\\WINDOWS\\win.ini }
}
UserString UR50 "C47 禁用SQL Server 客户端网络工具"
UserEnforce UR50 0
UserReport UR50 0
UserProcess UR50 {Include *}
UserRule UR50 G_User {File WXCD { Include C:\\WINDOWS\\system32\\cliconfg.exe }
}
UserString UR51 "C48 禁止创建,修改或删除磁盘的卷标(名称)"
UserEnforce UR51 0
UserReport UR51 0
UserProcess UR51 {Include *}
UserRule UR51 G_User {File WXCD { Include C:\\WINDOWS\\system32\\label.exe }
}
UserString UR52 "C49 禁止调用路由跟踪命令"
UserEnforce UR52 0
UserReport UR52 0
UserProcess UR52 {Include *}
UserRule UR52 G_User {File WXCD { Include C:\\WINDOWS\\system32\\pathping.exe }
}
UserString UR53 "C50 防范某些网络蠕虫扩散,禁止私自运行PING命令"
UserEnforce UR53 0
UserReport UR53 0
UserProcess UR53 {Include *}
UserRule UR53 G_User {File WXCD { Include C:\\WINDOWS\\system32\\ping.exe }
}
UserString UR54 "C51 禁止私自用源目录中的同名文件替换目标目录中的文件"
UserEnforce UR54 0
UserReport UR54 0
UserProcess UR54 {Include *}
UserRule UR54 G_User {File WXCD { Include C:\\WINDOWS\\system32\\replace.exe }
}

remcn

UserString UR55 "C52 禁止私自更改当前登录用户的权限"
UserEnforce UR55 0
UserReport UR55 0
UserProcess UR55 {Include *}
UserRule UR55 G_User {File WXCD { Include C:\\WINDOWS\\system32\\runas.exe }
}
UserString UR56 "C53 禁止私自调用文件属性修改工具"
UserEnforce UR56 0
UserReport UR56 0
UserProcess UR56 {Include *}
UserRule UR56 G_User {File WXCD { Include C:\\WINDOWS\\system32\\attrib.exe }
}
UserString UR57 "C54 禁止对Boot.ini配置文件执行编辑操作"
UserEnforce UR57 0
UserReport UR57 0
UserProcess UR57 {Include *}
UserRule UR57 G_User {File WXCD { Include C:\\WINDOWS\\system32\\bootcfg.exe }
}
UserString UR58 "C55 防止多用户同时登陆,禁用termsrv.dl"
UserEnforce UR58 0
UserReport UR58 0
UserProcess UR58 {Include *}
UserRule UR58 G_User {File WXCD { Include C:\\WINDOWS\\system32\\termsrv.dll }
}
UserString UR59 "C56 禁止使用NetMeeting功能访问远程桌面"
UserEnforce UR59 0
UserReport UR59 0
UserProcess UR59 {Include *}
UserRule UR59 G_User {File WXCD { Include C:\\WINDOWS\\system32\\mnmsrvc.exe }
}
UserString UR6 "C57 禁止在C盘根目录创建文件"
UserEnforce UR6 1
UserReport UR6 1
UserProcess UR6 {Include *}
UserRule UR6 G_User {File C { Include C:\\*.* }
}
UserString UR60 "C58 禁止“私自指定某些程序在指定的时间运行”"
UserEnforce UR60 0
UserReport UR60 0
UserProcess UR60 {Include *}
UserRule UR60 G_User {File WXCD { Include C:\\WINDOWS\\system32\\mstask.dll }
}
UserString UR61 "C59 禁止在C盘中新建任何PIF文件"
UserEnforce UR61 1
UserReport UR61 1
UserProcess UR61 {Include *}
UserRule UR61 G_User {File C { Include C:\\**\\*.pif }
}
UserString UR62 "C60 禁止私自修改本地用户帐户数据库"
UserEnforce UR62 0
UserReport UR62 0
UserProcess UR62 {Include *}
UserRule UR62 G_User {File WCD { Include C:\\WINDOWS\\system32\\config\\SAM }
}
UserString UR63 "C61 禁止在Default User目录下新建,修改,删除任何文件"
UserEnforce UR63 0
UserReport UR63 0
UserProcess UR63 {Include *}
UserRule UR63 G_User {File WCD { Include "C:\\Documents and Settings\\Default User\\**" }
}
UserString UR64 "C62 禁止在LocalService目录下新建,修改,删除任何文件"
UserEnforce UR64 0
UserReport UR64 0
UserProcess UR64 {Include *}
UserRule UR64 G_User {File C { Include "C:\\Documents and Settings\\LocalService\\**" }
}
UserString UR65 "C63 禁止在NetworkService目录下新建,修改,删除任何文件"
UserEnforce UR65 0
UserReport UR65 0
UserProcess UR65 {Include *}
UserRule UR65 G_User {File C { Include "C:\\Documents and Settings\\NetworkService\\**" }
}
UserString UR66 "C64 禁止在Application Data目录下新建任何项目"
UserEnforce UR66 0
UserReport UR66 0
UserProcess UR66 {Include *;Exclude ACDSee5.exe}
UserRule UR66 G_User {File C { Include "**\\Application Data\\*" }
}
UserString UR67 "C65 禁止修改WINDOWS目录中的任何文件"
UserEnforce UR67 0
UserReport UR67 0
UserProcess UR67 {Include *;Exclude avgas.exe Explorer.EXE FireSvc.exe FrameworkService.exe mmc.exe services.exe svchost.exe winlogon.exe WMIADAP.EXE wmiprvse.exe}
UserRule UR67 G_User {File W { Include C:\\WINDOWS\\** }
}
UserString UR68 "C66 禁止删除WINDOWS目录中的任何文件"
UserEnforce UR68 0
UserReport UR68 0
UserProcess UR68 {Include *;Exclude FrameworkService.exe mmc.exe services.exe svchost.exe WMIADAP.EXE}
UserRule UR68 G_User {File D { Include C:\\WINDOWS\\** }
}
UserString UR69 "C67 保护本机所有EXE可执行文件（防止删除）"
UserEnforce UR69 0
UserReport UR69 0
UserProcess UR69 {Include *;Exclude Explorer.EXE}
UserRule UR69 G_User {File D { Include **\\*.exe }
}
UserString UR7 "C68 禁止私自启用网络检测命令程序"
UserEnforce UR7 0
UserReport UR7 0
UserProcess UR7 {Include *}
UserRule UR7 G_User {File WXCD { Include C:\\WINDOWS\\system32\\net.exe }
}
UserString UR70 "C69 禁止在WINDOWS根目录下新建任何文件"
UserEnforce UR70 1
UserReport UR70 1
UserProcess UR70 {Include *}
UserRule UR70 G_User {File C { Include C:\\WINDOWS\\*.* }
}
UserString UR71 "C70 禁止在SYSTEM32根目录下新建任何文件"
UserEnforce UR71 1
UserReport UR71 1
UserProcess UR71 {Include *;Exclude mmc.exe svchost.exe}
UserRule UR71 G_User {File C { Include C:\\WINDOWS\\system32\\*.* }
}
UserString UR72 "C71 禁止在Downloaded Program Files目录中新建任何文件"
UserEnforce UR72 1
UserReport UR72 1
UserProcess UR72 {Include *}
UserRule UR72 G_User {File C { Include "C:\\WINDOWS\\Downloaded Program Files\\**" }
}
UserString UR73 "C72 禁止在PCHEALTH目录中新建,修改,删除任何文件"
UserEnforce UR73 0
UserReport UR73 0
UserProcess UR73 {Include *}
UserRule UR73 G_User {File WCD { Include C:\\WINDOWS\\PCHEALTH\\** }
}
UserString UR74 "C73 禁止Config目录下新建,修改,删除任何文件"
UserEnforce UR74 0
UserReport UR74 0
UserProcess UR74 {Include *}
UserRule UR74 G_User {File WCD { Include C:\\WINDOWS\\Config\\** }
}
UserString UR75 "C74 禁止在SECURITY目录下新建,修改,删除任何文件"
UserEnforce UR75 0
UserReport UR75 0
UserProcess UR75 {Include *;Exclude services.exe}
UserRule UR75 G_User {File WCD { Include C:\\WINDOWS\\security\\** }
}
UserString UR76 "C75 禁止在SYSTEM目录下新建,修改,删除任何文件"
UserEnforce UR76 0
UserReport UR76 0
UserProcess UR76 {Include *}
UserRule UR76 G_User {File WCD { Include C:\\WINDOWS\\system\\** }
}
UserString UR77 "C76 禁止在Registration目录下新建,修改,删除任何文件"
UserEnforce UR77 0
UserReport UR77 0
UserProcess UR77 {Include *}
UserRule UR77 G_User {File WCD { Include C:\\WINDOWS\\Registration\\** }
}
UserString UR78 "C77 禁止在DRIVERS目录下新建,修改,删除任何文件"
UserEnforce UR78 0
UserReport UR78 0
UserProcess UR78 {Include *;Exclude avgas.exe}
UserRule UR78 G_User {File WCD { Include C:\\WINDOWS\\system32\\drivers\\** }
}
UserString UR79 "C78 禁止启用系统还原程序"
UserEnforce UR79 0
UserReport UR79 0
UserProcess UR79 {Include *}
UserRule UR79 G_User {File WXCD { Include C:\\WINDOWS\\system32\\Restore\\** }
}
UserString UR8 "C79 禁用远程登录控制台程序"
UserEnforce UR8 1
UserReport UR8 1
UserProcess UR8 {Include *}
UserRule UR8 G_User {File WXCD { Include C:\\WINDOWS\\system32\\tlntsvr.exe }
}
UserString UR80 "C80 禁止私自调用系统配置编辑器"
UserEnforce UR80 1
UserReport UR80 1
UserProcess UR80 {Include *}
UserRule UR80 G_User {File WXCD { Include C:\\WINDOWS\\system32\\sysedit.exe }
}
UserString UR81 "C81 保护系统盘中的BOOT.INI配置文件"
UserEnforce UR81 1
UserReport UR81 1
UserProcess UR81 {Include *}
UserRule UR81 G_User {File WCD { Include C:\\boot.ini }
}
UserString UR82 "C82 禁止在C盘中新建CMD文件(防范某些蠕虫)"
UserEnforce UR82 1
UserReport UR82 1
UserProcess UR82 {Include *}
UserRule UR82 G_User {File C { Include C:\\**\\*.cmd }
}
UserString UR83 "C83 禁止在C盘中新建HTT文件(防范某些病毒)"
UserEnforce UR83 0
UserReport UR83 0
UserProcess UR83 {Include *}
UserRule UR83 G_User {File C { Include C:\\**\\*.htt }
}
UserString UR84 "C84 保护WINDOWS的\"系统文件替换\"备份目录"
UserEnforce UR84 1
UserReport UR84 1
UserProcess UR84 {Include *}
UserRule UR84 G_User {File WCD { Include C:\\WINDOWS\\LastGood\\** }
}
UserString UR85 "C85 保护WINDOWS的\"最后一次正确启动配置\"备份文件目录"
UserEnforce UR85 1
UserReport UR85 1
UserProcess UR85 {Include *}
UserRule UR85 G_User {File WCD { Include C:\\WINDOWS\\LastGood.Tmp\\** }
}
UserString UR86 "C86 保护系统中的WININIT.INI配置文件"
UserEnforce UR86 1
UserReport UR86 1
UserProcess UR86 {Include *}
UserRule UR86 G_User {File WCD { Include C:\\WINDOWS\\wininit.ini }
}
UserString UR87 "C87 禁止在C盘中新建,修改任何CPL文件(防范某些木马)"
UserEnforce UR87 1
UserReport UR87 1
UserProcess UR87 {Include *}
UserRule UR87 G_User {File WC { Include C:\\**\\*.cpl }
}

remcn

UserString UR88 "C88 禁止在C盘中新建,修改任何DOT文件(防范宏病毒)"
UserEnforce UR88 0
UserReport UR88 0
UserProcess UR88 {Include *}
UserRule UR88 G_User {File WC { Include C:\\**\\*.dot }
}
UserString UR89 "C89 禁止在C盘中新建,修改任何DOC文件(防范宏病毒)"
UserEnforce UR89 0
UserReport UR89 0
UserProcess UR89 {Include *}
UserRule UR89 G_User {File WC { Include C:\\**\\*.doc }
}
UserString UR9 "C90 禁止运行Windows脚本宿主工具"
UserEnforce UR9 1
UserReport UR9 1
UserProcess UR9 {Include *}
UserRule UR9 G_User {File WXCD { Include C:\\WINDOWS\\system32\\wscript.exe }
}
UserString UR90 "C91 禁止在C盘中新建,修改任何BFF文件(防止宏病毒寄生)"
UserEnforce UR90 0
UserReport UR90 0
UserProcess UR90 {Include *}
UserRule UR90 G_User {File WC { Include C:\\**\\*.bff }
}
UserString UR91 "C92 保护SVCHOST.EXE进程"
UserEnforce UR91 1
UserReport UR91 1
UserProcess UR91 {Include *;Exclude McAfeeFire.exe MSConfig.exe}
UserRule UR91 G_User {File WXCD { Include C:\\WINDOWS\\system32\\svchost.exe }
}
UserString UR92 "C93 禁止修改SYSTEM32根目录下的任何文件"
UserEnforce UR92 1
UserReport UR92 1
UserProcess UR92 {Include *;Exclude Explorer.EXE mmc.exe svchost.exe}
UserRule UR92 G_User {File W { Include C:\\WINDOWS\\system32\\*.* }
}
UserString UR93 "C94 禁止删除SYSTEM32根目录下的任何文件"
UserEnforce UR93 1
UserReport UR93 1
UserProcess UR93 {Include *}
UserRule UR93 G_User {File D { Include C:\\WINDOWS\\system32\\*.* }
}
UserString UR94 "C95 禁止修改WINDOWS根目录下的任何文件"
UserEnforce UR94 0
UserReport UR94 0
UserProcess UR94 {Include *}
UserRule UR94 G_User {File W { Include C:\\WINDOWS\\*.* }
}
UserString UR95 "C96 禁止删除WINDOWS根目录下的任何文件"
UserEnforce UR95 0
UserReport UR95 0
UserProcess UR95 {Include *}
UserRule UR95 G_User {File D { Include C:\\WINDOWS\\*.* }
}
UserString UR96 "C97 禁止修改C盘根目录中的任何文件"
UserEnforce UR96 1
UserReport UR96 1
UserProcess UR96 {Include *}
UserRule UR96 G_User {File W { Include C:\\*.* }
}
UserString UR97 "C98 禁止删除C盘根目录下的任何文件"
UserEnforce UR97 1
UserReport UR97 1
UserProcess UR97 {Include *}
UserRule UR97 G_User {File D { Include C:\\*.* }
}
UserString UR98 "C99 监控本地程序的网络访问行为"
UserEnforce UR98 0
UserReport UR98 0
UserProcess UR98 {Include *;Exclude avgas.exe emule.exe flashget.exe FrameworkService.exe IEXPLORE.EXE QQ.exe QQLiveUpdate.exe wmplayer.exe}
UserRule UR98 G_User {Port IOUT {Include 1 65535}
}
UserString UR99 "C100 保护LSASS.EXE进程"
UserEnforce UR99 1
UserReport UR99 1
UserProcess UR99 {Include *}
UserRule UR99 G_User {File WCD { Include C:\\WINDOWS\\system32\\lsass.exe }
}

qihui

眼都看花了，支持一下！

lz是天才 ，小邪邪是天才，u大也是天才