Running Capture-Server-1.1.0-5324, I'm trying to stop the recognition of a flash update as an identifier for a malicious site, and have added the following lines to RegistryMonitor.exl, but to no avail:
+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Macromedia\\FlashPlayer\\.*
+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Macromedia\\FlashPlayerUpdate\\.*
+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\FlashplayerUpdate

I still get the following:

Got: visiting::http://www3.addfreestats.com
Got: pong::client
Got: event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKLM\SOFTWARE\Macromedia\FlashPlayer\AutoUpdateTest
Got: event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKCU\Software\Macromedia\FlashPlayerUpdate\description
Got: event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\FlashPlayerUpdate

in the log, and the site is classified as malicious. Is there some processing that I'm supposed to perform after I change this file? I've checked that the spaces and tabs are all in the right place. And *please* don't tell me to upgrade!

Steve
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
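A way to check exclusion rules against logged events offline before re-running the client, as an added example that is not part of the post or of Capture-HPC. It assumes that each field of an .exl line is a case-sensitive regular expression matched over the whole value (the real file separates fields with tabs); under that assumption the third rule does not match its logged key because `FlashplayerUpdate` and `FlashPlayerUpdate` differ in case, which the run with `ignore_case=True` makes visible.

```python
import re

# Constructed from the three exclusion lines quoted in the post:
# (action, operation, process regex, registry key regex).
EXCLUSIONS = [
    ("+", "SetValueKey", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
     r"HKLM\\SOFTWARE\\Macromedia\\FlashPlayer\\.*"),
    ("+", "SetValueKey", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
     r"HKCU\\Software\\Macromedia\\FlashPlayerUpdate\\.*"),
    ("+", "SetValueKey", r"C:\\Program Files\\Internet Explorer\\iexplore\.exe",
     r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\FlashplayerUpdate"),
]

# Constructed from the "Got: event::registry::..." lines in the post.
EVENTS = [
    r"event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKLM\SOFTWARE\Macromedia\FlashPlayer\AutoUpdateTest",
    r"event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKCU\Software\Macromedia\FlashPlayerUpdate\description",
    r"event::registry::SetValueKey::C:\Program Files\Internet Explorer\iexplore.exe::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\FlashPlayerUpdate",
]


def parse_event(line):
    """Split 'event::<monitor>::<op>::<process>::<object>' into (op, process, object)."""
    _, _monitor, op, process, obj = line.split("::", 4)
    return op, process, obj


def matching_rule(event, exclusions, ignore_case=False):
    """Return the index of the first '+' rule whose op, process and key all
    fully match the event (assumed matching semantics), or None if no rule does."""
    flags = re.IGNORECASE if ignore_case else 0
    op, process, key = parse_event(event)
    for i, (action, rule_op, proc_re, key_re) in enumerate(exclusions):
        if action != "+" or rule_op != op:
            continue
        if re.fullmatch(proc_re, process, flags) and re.fullmatch(key_re, key, flags):
            return i
    return None


def check_all(ignore_case=False):
    """Index of the matching rule for each logged event, in log order."""
    return [matching_rule(e, EXCLUSIONS, ignore_case) for e in EVENTS]


if __name__ == "__main__":
    for ev, hit in zip(EVENTS, check_all()):
        print("excluded by rule %s: %s" % (hit, ev.split("::", 4)[-1]))
```

An event that comes back as `None` is one the rules as written would not suppress, so it is the first place to look when a supposedly excluded site is still flagged.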