Match type values

The MATCH_type value determines how the entries in an Include or Exclude are combined. Entries that share a MATCH_type value are ORed: the group matches if any one of them matches. Entries with different MATCH_type values are ANDed: every MATCH_type present in the Include or Exclude must match.

Each MATCH_type value uses a specific data type for its possible values. The supported data types are:

  • INTx/UINTx — Signed or unsigned numeric values of the stated width.
  • String — A text string.
  • Bitmask — A numeric value written in hexadecimal notation and evaluated bitwise: the entry matches when any bit set in the rule value is also set in the object's value.
Note: MATCH_type values are case sensitive.
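The OR/AND combination rule above, together with the bitmask and name-value semantics that the table below describes, is easiest to see in code. The following evaluator is an added example written for this page; it is not the product's own code and does not reproduce its rule syntax. It assumes that an Include or Exclude is a list of (MATCH_type, value) pairs, that an Exclude group is combined by the same same-type-OR / different-type-AND rule as an Include and vetoes the rule when it matches, that String values accept `*` and `?` wildcards and compare case-insensitively (the product's wildcard grammar is not spelled out on this page), and that the sample objects are constructed, not real telemetry.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Match types the page defines as Bitmask: "any matching bits are considered a match".
BITMASK_TYPES = {"ACCESS_MASK", "NT_ACCESS_MASK", "CACHE_ATTRIBUTE", "FILE_ATTRIBUTES",
                 "FILE_PROPERTIES", "IMAGE_PROPERTIES", "PROCESS_STATE_BITS", "VTP_PRIVILEGES"}
# Match types the page defines as String. Wildcards ('*', '?') and case-insensitive
# comparison are assumptions of this example, not the product's documented grammar.
STRING_TYPES = {"OBJECT_NAME", "TARGET_OBJECT_NAME", "CERT_NAME", "CERT_NAME_CHAINED",
                "DESCRIPTION", "PRODUCT_NAME", "VERSION", "VERSION_RESOURCE",
                "PROCESS_CMD_LINE", "USER_SID", "GROUP_SID", "AUTHENTICATION_ID"}

# FILE_PROPERTIES bits exactly as the page defines them.
NETWORK, REMOVABLE, FLOPPY, CD, DFS, REDIRECTOR = 0x1, 0x2, 0x4, 0x8, 0x10, 0x20


def os_version_code(major, minor, service_pack=0):
    """OS_VERSION encoding from the page: Major*1000 + Minor*10 + ServicePack."""
    return major * 1000 + minor * 10 + service_pack


def entry_matches(match_type, wanted, actual):
    """Does one Include/Exclude entry match the object's attribute value?"""
    if match_type in BITMASK_TYPES:
        return (wanted & actual) != 0
    if match_type == "DLL_LOADED":
        # Name-value bitmask: value 1 means "DLL is loaded", 0 means "DLL is not loaded".
        # Compared by base name only (no path, no extension), as the page describes.
        name, flag = wanted
        loaded = name.upper() in {d.upper() for d in actual}
        return loaded if flag else not loaded
    if match_type == "GROUP_SID":
        # True if at least one group in the token matches.
        return any(fnmatchcase(g.upper(), wanted.upper()) for g in actual)
    if match_type in STRING_TYPES:
        return fnmatchcase(actual.upper(), wanted.upper())
    return wanted == actual  # INTx/UINTx and Boolean types compare for equality


def group_matches(entries, obj):
    """Same MATCH_type: OR. Different MATCH_types: AND.
    True only when every MATCH_type present in `entries` is satisfied."""
    by_type = defaultdict(list)
    for match_type, value in entries:
        by_type[match_type].append(value)
    for match_type, values in by_type.items():
        if match_type not in obj:
            return False  # e.g. an unsigned object never satisfies CERT_NAME
        if not any(entry_matches(match_type, v, obj[match_type]) for v in values):
            return False
    return True


def evaluate(includes, excludes, obj):
    """The rule fires when the Include group matches and the Exclude group does not."""
    if not group_matches(includes, obj):
        return False
    return not (excludes and group_matches(excludes, obj))


# Constructed sample objects (assumed values, not captured telemetry).
TOOL_ON_SHARE = {                       # a FILE target opened from a DFS share
    "OBJECT_NAME": r"\\corp\dfs\tools\procdump.exe",
    "FILE_PROPERTIES": NETWORK | DFS,
    "PE": 1,
    "OS_VERSION": os_version_code(6, 1, 1),   # Windows 7 SP1 -> 6011
}
SVCHOST = {                             # a PROCESS initiator
    "OBJECT_NAME": r"C:\Windows\System32\svchost.exe",
    "DLL_LOADED": ["ntdll", "kernel32", "mfevtpa"],
}

# Target rule: (*.exe OR *.dll) AND (NETWORK OR REMOVABLE) AND PE, except an approved share.
TARGET_INCLUDES = [("OBJECT_NAME", "*.exe"), ("OBJECT_NAME", "*.dll"),
                   ("FILE_PROPERTIES", NETWORK | REMOVABLE), ("PE", 1)]
TARGET_EXCLUDES = [("OBJECT_NAME", r"\\corp\dfs\approved\*")]

# Initiator exclusion narrowed with DLL_LOADED, the svchost case the page mentions:
# svchost.exe is excluded only while MFEVTPA is loaded (two types -> AND).
INITIATOR_INCLUDES = [("OBJECT_NAME", r"*\svchost.exe")]
INITIATOR_EXCLUDES = [("OBJECT_NAME", r"*\svchost.exe"), ("DLL_LOADED", ("MFEVTPA", 1))]

if __name__ == "__main__":
    print("tool on share blocked:", evaluate(TARGET_INCLUDES, TARGET_EXCLUDES, TOOL_ON_SHARE))
    print("svchost with mfevtpa excluded:",
          not evaluate(INITIATOR_INCLUDES, INITIATOR_EXCLUDES, SVCHOST))
```

The two OBJECT_NAME entries in TARGET_INCLUDES are ORed, so either extension qualifies; FILE_PROPERTIES and PE are different types and must both hold as well. Dropping MFEVTPA from the svchost sample's DLL list makes the Exclude group fail on the DLL_LOADED entry, so the rule applies to that svchost instance again.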
Each entry below gives the match type value, its description, its data type, and the object types it is valid in.

ACCESS_MASK
  Description: Specifies the access type.
  Data type: UINT64 - Bitmask
  Valid in object types: All

AUTHENTICATION_ID
  Description: Matches a textual account SID in SDDL form. Use this match to identify a specific user account in policy enforcement.
  For information about SDDL strings, see http://msdn.microsoft.com/en-us/library/windows/desktop/aa379602(v=vs.85).aspx.
  Data type: String
  Valid in object types: All

CACHE_ATTRIBUTE
  Description: Matches a cache attribute for the given object. Because this is a bitmask match type, any matching bit is considered a match.
  Data type: Bitmask
  Valid in object types:
    • PROCESS
    • FILE

CERT_NAME
  Description: Matches the object's signing certificate name without checking whether the certificate chains to a root.
  If the object is of type PROCESS or THREAD, the certificate is taken from the main entry module. This match never evaluates to true if the object is not signed.
  Because the chain is not validated, a matching name on its own is not evidence of who signed the file; use CERT_NAME_CHAINED where the rule makes a trust decision.
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD
    • SECTION

CERT_NAME_CHAINED
  Description: Matches the object's signing certificate name, and the signing certificate must chain to a root in the certificate store.
  If the object is of type PROCESS or THREAD, the certificate is taken from the main entry module. This match never evaluates to true if the object is not signed.
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD
    • SECTION

DESCRIPTION
  Description: Matches the "FileDescription" resource extracted from the resource section of the PE.
  Data type: String
  Valid in object types:
    • PROCESS
    • FILE
    • SECTION

DLL_LOADED
  Description: Matches a DLL loaded in the specified PROCESS object.
  This is primarily useful for narrowing Initiator matches, such as excluding a particular svchost.exe service. The DLL name is the base name of the DLL without a path or file extension: "MFEVTPA" matches, whereas "MFEVTPA.DLL" and "c:\program files\common files\mcafee\systemcore\mfevtpa.dll" do not. The match data is taken directly from the process structures, where the DLL is known by its base name and the associated image file name is not present.
  To match when the DLL is loaded, set the value part of the name-value bitmask to 1. To match when the DLL is not loaded, set it to 0.
  Data type: Bitmask
  Valid in object types: PROCESS

ENV_VAR
  Description: Specifies an environment variable name and its value. This entry matches only if both the name and the value match an environment variable extracted from the PEB (Process Environment Block).
  Note: the PEB lives in the process's own user-mode address space and can be rewritten by the process, so values read from it are not tamper-proof.
  Data type: Named value pair: String, String
  Valid in object types:
    • PROCESS
    • THREAD

FILE_ATIME
  Description: Matches the file's last access time.
  Data type: INT64
  Valid in object types:
    • PROCESS
    • FILE

FILE_ATTRIBUTES
  Description: Matches the file attribute bits.
  Data type: Bitmask
  Valid in object types:
    • PROCESS
    • FILE

FILE_CTIME
  Description: Matches the file creation time.
  Data type: INT64
  Valid in object types:
    • PROCESS
    • FILE

FILE_MTIME
  Description: Matches the file's last write (modification) time.
  Data type: INT64
  Valid in object types:
    • PROCESS
    • FILE

FILE_PROPERTIES
  Description: Matches the bitmask against the file properties reported by the Target. The defined bits are:
    • NETWORK (0x1) — File is on a network path.
    • REMOVABLE (0x2) — File is on a removable drive.
    • FLOPPY (0x4) — File is on a floppy drive.
    • CD (0x8) — File is on a CD drive.
    • DFS (0x10) — File is on a DFS path.
    • REDIRECTOR (0x20) — File is opened through a redirector.
  Data type: UINT64 - Bitmask
  Valid in object types: FILE

GROUP_SID
  Description: Matches the provided textual SID (for example, S-1-5-18) against the groups in the user's token. The entry evaluates to true if at least one matching group is found.
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD

IMAGE_BASE_ADDRESS
  Description: Specifies the virtual base address of an image. This is useful for retrieving the base address of an image during an image load notification.
  Available only during load image callbacks, with the access mask set to LOAD_IMAGE.
  Data type: UINT64
  Valid in object types: SECTION

IMAGE_ENTRY_POINT
  Description: Specifies the entry point offset (in bytes) of an image. This is useful for retrieving the entry point address of an image during an image load notification.
  Available only during load image callbacks, with the access mask set to LOAD_IMAGE.
  Data type: UINT64
  Valid in object types: SECTION

IMAGE_PROPERTIES
  Description: Specifies image properties as available during an image load notification. The defined bits are:
    • 64-bit — 64-bit image.
    • SYSTEM_MODE — System mode image.
    • MAPPED_TO_ALL_PROCESSES — The image is mapped to all processes.
  Available only during load image callbacks, with the access mask set to LOAD_IMAGE.
  Data type: UINT64 - Bitmask
  Valid in object types: SECTION

IS_TRANSACTED
  Description: Matches (true) if the file is part of an NTFS TxF transaction. For PROCESS or THREAD object types, matches if the file object backing the main executable is part of an NTFS TxF transaction.
  Data type: UINT8 - Boolean
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

MD5
  Description: Matches the MD5 digest of the backing file. If the object is of type PROCESS or THREAD, the digest is calculated over its main executable module.
  MD5 is not collision resistant; prefer SHA2_256 or stronger where the digest is used to make a trust decision.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

NT_ACCESS_MASK
  Description: Matches the native NT access mask of the I/O operation for file, registry, process, and thread access attempts. Use access mask bits appropriate to the object type, as documented by Microsoft.
  For example, to use NT_ACCESS_MASK to block CreateFile() calls that request GENERIC_WRITE, the bit mask must be FILE_GENERIC_WRITE.
  Note: Due to operating system limitations, you can't block PROCESS_QUERY_LIMITED_INFORMATION, but you can use it in ALLOW rules for reporting purposes.
  Data type: UINT64 - Bitmask
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • REGISTRY

OBJECT_NAME
  Description: Specifies the object name. Any combination of wildcards is accepted.
  Data type: String
  Valid in object types: All

OBJECT_SIZE
  Description: Matches the size of the file or, for a section, the image size at load.
  Data type: INT64
  Valid in object types:
    • FILE
    • SECTION

OPERATION_STATUS
  Description: Matches the operation status of a post-event. Not useful with non-post events.
  Data type: INT32
  Valid in object types: FILE

OS_VERSION
  Description: Compares the specified OS version with the running version. The OS version must be encoded as:
  OS_Version = Major_Version * 1000 + Minor_Version * 10 + ServicePack
  For example: Vista RTM = 6000; Vista SP1 = 6001; Windows 7 = 6010; Windows 7 SP1 = 6011; Windows 8 = 6020.
  Data type: UINT32
  Valid in object types: All

PE
  Description: Matches a value of 1 if the target file is a PE (Portable Executable, Windows executable binary) file.
  Note: Initiator PROCESS/THREAD matches are not supported because, by definition, they are PE files.
  Data type: UINT8
  Valid in object types: FILE

PE_MD5
  Description: Compares the MD5 digest calculated over the PE with the match data.
  The digest follows Microsoft's Authenticode PE hash calculation: the 4-byte CheckSum field and the Certificate Table entry in the Optional Header data directories are omitted, as is the certificate data that entry points to. The digest therefore stays the same when a file is signed, re-signed, or has its checksum updated, unlike the MD5 match type, which hashes the whole file.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

PE_SHA1
  Description: Compares the match data with the SHA-1 digest calculated over the PE, using the same Authenticode calculation as PE_MD5.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

PE_SHA2_256
  Description: Compares the match data with the SHA2-256 digest calculated over the PE, using the same Authenticode calculation as PE_MD5.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

PE_SHA2_384
  Description: Compares the match data with the SHA2-384 digest calculated over the PE, using the same Authenticode calculation as PE_MD5.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

PE_SHA2_512
  Description: Compares the match data with the SHA2-512 digest calculated over the PE, using the same Authenticode calculation as PE_MD5.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

PROCESSOR_MODE
  Description: Matches on whether the I/O operation being evaluated originated in user mode or kernel mode. This is most useful for excluding processes from a rule when the operation is executing in user mode.
  Note: Do not use this type with registry operations.
  The value is a KPROCESSOR_MODE: 0 = kernel mode, 1 = user mode.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD

PROCESS_CMD_LINE
  Description: Matches the process command line, extracted from the PEB (Process Environment Block), the data structure Windows uses to hold information about a running process.
  Note: as with ENV_VAR, the PEB can be rewritten by the process itself, so the command line it reports is not tamper-proof.
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD

PROCESS_ID/THREAD_ID
  Description: Matches the specified process ID or thread ID.
  Note: Process IDs and thread IDs are rapidly recycled by Windows, so a rule keyed on an ID is only meaningful for the lifetime of that process or thread.
  Data type: UINT64
  Valid in object types:
    • PROCESS
    • THREAD

PROCESS_STATE_BITS
  Description: Compares the specified name/bitmask with the stateID/stateBits carried by the Initiator or Target ProcessInfo object. The comparison evaluates to true if stateBits for that stateID are present in ProcessInfo and the bitwise AND of the stateBits and the bitmask carried by the match object is non-zero.
  Data type: Bitmask
  Valid in object types:
    • PROCESS
    • THREAD

PRODUCT_NAME
  Description: Matches the "ProductName" resource extracted from the resource section of the PE.
  Data type: String
  Valid in object types:
    • PROCESS
    • FILE
    • SECTION

REMOTE_MACHINE_ADDRESS
  Description: Note: This type is for reporting only.
  If used for matching, it matches file I/O initiated by a specific SMB client IP address, in either IPv4 or IPv6 format.
  In other words, this type does not match file I/O initiated on the local system and sent to a remote SMB server. It matches only client I/O arriving at the local SMB server. This match type is mostly useful for generating event details.
  Data type: String
  Valid in object types: PROCESS Initiator (requires OBJECT_NAME to match SYSTEM:REMOTE) or FILE Target match.

SESSION_ID
  Description: Compares the specified match criteria against the session ID that the process or thread belongs to. Can apply to both Initiator and Target objects.
  Data type: UINT32
  Valid in object types:
    • PROCESS
    • THREAD

SHA1
  Description: Compares the SHA-1 digest of the backing file with the match data. If the object is of type PROCESS or THREAD, the digest is calculated over its main executable module.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

SHA2_256
  Description: Compares the SHA2-256 digest of the backing file with the match data. If the object is of type PROCESS or THREAD, the digest is calculated over its main executable module.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

SHA2_384
  Description: Compares the SHA2-384 digest of the backing file with the match data. If the object is of type PROCESS or THREAD, the digest is calculated over its main executable module.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

SHA2_512
  Description: Compares the SHA2-512 digest of the backing file with the match data. If the object is of type PROCESS or THREAD, the digest is calculated over its main executable module.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • FILE
    • SECTION

TARGET_OBJECT_NAME
  Description: Specifies the object name. Any combination of wildcards is accepted.
  Names follow the same conventions as OBJECT_NAME, but they match only against the target of a file rename operation. This lets you write rules that apply only to renames, based on both the source (OBJECT_NAME) and target (TARGET_OBJECT_NAME) names.
    • OBJECT_NAME is not required. If it is not specified, any source matches.
    • ACCESS_MASK for a rename is DELETE, because the operation is seen from the perspective of the source file, even if OBJECT_NAME is not specified.
  Data type: String
  Valid in object types: FILE

USER_SID
  Description: Matches the text representation of the user account SID (for example, S-1-5-21-22-23-24-1168).
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD

VERSION_RESOURCE
  Description: Matches the "FileVersion" resource extracted from the resource section of the PE.
  Data type: String
  Valid in object types:
    • PROCESS
    • FILE
    • SECTION

VERSION
  Description: Matches the version extracted from the resource section of the file.
  Data type: String
  Valid in object types:
    • PROCESS
    • THREAD
    • SECTION

VTP_PRIVILEGES
  Description: Matches the bitmask against the VTP privileges of the target. The defined bits are:
    • PRIVILEGE_IOCTL (0x1) — Signed by a VTP-trusted certificate.
    • PRIVILEGE_ISG (0x8) — Signed by a McAfee certificate specifically.
  How signers evaluate against VTP_TRUST and VTP_PRIVILEGES (a bitmask value matches when any of its bits is set, which is why 0x09 matches Microsoft-signed files through bit 0x1):
    Files signed by Microsoft: VTP_TRUST Yes; VTP_PRIVILEGES set Yes; matches 0x08 No; matches 0x09 Yes
    Files signed by McAfee: VTP_TRUST Yes; VTP_PRIVILEGES set Yes; matches 0x08 Yes; matches 0x09 Yes
    Files signed by a third party: VTP_TRUST No; VTP_PRIVILEGES set No; matches 0x08 No; matches 0x09 No
  Data type: UINT64 - Bitmask
  Valid in object types:
    • FILE
    • PROCESS
    • THREAD

VTP_TRUST
  Description: Checks whether VTP trusts the process or file. The value is treated as a Boolean: a value of 1 matches only processes trusted by VTP, and a value of 0 matches untrusted processes.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
    • SECTION

WOW64
  Description: Matches a value of 1 if the process or thread is a WOW64 process. This can only be true on 64-bit platforms; on 32-bit platforms the value is always 0. This match can apply to both Initiator and Target objects.
  Data type: UINT8
  Valid in object types:
    • PROCESS
    • THREAD
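The difference between the whole-file digest types (MD5, SHA1, SHA2_*) and the PE digest types (PE_MD5, PE_SHA1, PE_SHA2_*) is easiest to see by computing both over the same image. The following is an added example written for this page, not the product's own hashing code: it implements the Authenticode PE hash as specified in Microsoft's "Windows Authenticode Portable Executable Signature Format" (skip the 4-byte CheckSum, skip the 8-byte Certificate Table data directory entry, hash sections in PointerToRawData order, and exclude the certificate data itself from any trailing bytes) and runs it over a constructed minimal PE32+ image. The image builder, its field values, and the fake certificate blob are all assumptions made for the demonstration; it is not a real binary and the blob is not a real WIN_CERTIFICATE.

```python
import hashlib
import struct

PE_SIG_OFF = 0x3C           # e_lfanew: file offset of the "PE\0\0" signature
SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY (the Certificate Table)


def file_digest(data: bytes, algo: str = "sha256") -> str:
    """Plain digest of the whole backing file: what MD5 / SHA1 / SHA2_* match."""
    return hashlib.new(algo, data).hexdigest()


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Authenticode PE digest: what PE_MD5 / PE_SHA1 / PE_SHA2_* match.

    Skips the 4-byte CheckSum, the 8-byte Certificate Table directory entry and the
    certificate data it points to; hashes the headers, then the sections in
    PointerToRawData order, then any trailing bytes outside the certificate table.
    """
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", data, PE_SIG_OFF)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    checksum_off = opt + 64                          # same offset for PE32 and PE32+
    data_dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    cert_entry = data_dirs + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)  # file offset, size

    h.update(data[:checksum_off])                    # headers up to CheckSum
    h.update(data[checksum_off + 4:cert_entry])      # ... skipping CheckSum ...
    h.update(data[cert_entry + 8:size_of_headers])   # ... and the Certificate Table entry

    sections = []
    sec_table = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    bytes_hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):       # ascending PointerToRawData
        h.update(data[raw_ptr:raw_ptr + raw_size])
        bytes_hashed += raw_size

    if len(data) > bytes_hashed:                     # overlay data, minus the certificate table
        if cert_size:
            h.update(data[bytes_hashed:cert_off])
            h.update(data[cert_off + cert_size:])
        else:
            h.update(data[bytes_hashed:])
    return h.hexdigest()


def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image for the demonstration (not a real binary):
    DOS header, COFF header, optional header, one .text section, and an optional
    trailing blob standing in for a certificate table."""
    file_align = size_of_headers = 0x200
    text = b"\xC3" + b"\0" * (file_align - 1)        # one 'ret', padded to alignment
    cert_off = size_of_headers + len(text) if cert_blob else 0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_SIG_OFF, len(dos))
    # Machine=AMD64, 1 section, SizeOfOptionalHeader=240, EXECUTABLE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)        # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)       # CheckSum: arbitrary, excluded from hash
    struct.pack_into("<H", opt, 68, 3)                # Subsystem: console
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", 1, 0x1000, len(text), size_of_headers,
                          0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (size_of_headers - len(headers))
    return headers + text + cert_blob


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with a different Optional Header CheckSum."""
    pe_off = struct.unpack_from("<I", data, PE_SIG_OFF)[0]
    out = bytearray(data)
    struct.pack_into("<I", out, pe_off + 4 + 20 + 64, value)
    return bytes(out)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(b"\x30\x82" + b"\xAA" * 64)  # fake certificate blob
    print("SHA2_256 changes when signed:   ", file_digest(unsigned) != file_digest(signed))
    print("PE_SHA2_256 unchanged when signed:",
          authenticode_digest(unsigned) == authenticode_digest(signed))
```

Appending the fake certificate table and pointing the Certificate Table entry at it changes the whole-file digest but leaves the Authenticode digest untouched, which is why PE_* match values survive re-signing while MD5/SHA* values do not. A rewritten CheckSum behaves the same way. Note that this stability also means a PE_* match says nothing about whether the file is signed at all; combine it with CERT_NAME_CHAINED or VTP_TRUST when that matters.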