Sure, Moshe, these exclusion rules work for me:

+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKCU\\Software\\Macromedia\\FlashPlayer\\.+
+ DeleteValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\ESENT\\.+
+ SetValueKey C:\\Program Files\\Internet Explorer\\iexplore\.exe HKLM\\SOFTWARE\\Microsoft\\ESENT\\.+

Regards
Emilio

2010/1/21 Moshe Basanchig <mbasanc...@finjan.com>

> Hi Emilio
>
> The lines I added are:
> + Delete .* C:\\WINDOWS\\system32\\Macromed\\Flash\\testUpdate.txt
> + SetValueKey .* HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\FlashPlayer.*
>
> And yet, even in RegistryMonitor.exl, it doesn't work.
> Could you please share the exclusion rules you added?
>
> Thanks,
> Moshe
>
> -----Original Message-----
> From: capture-hpc-boun...@public.honeynet.org [mailto:capture-hpc-boun...@public.honeynet.org] On Behalf Of capture-hpc-requ...@public.honeynet.org
> Sent: Tuesday, January 19, 2010 7:00 PM
> To: capture-hpc@public.honeynet.org
> Subject: Capture-HPC Digest, Vol 32, Issue 3
>
> Today's Topics:
>
> 1. Re: RE: Can't exclude a registry (Emilio Casbas)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Jan 2010 11:26:24 +0100
> From: Emilio Casbas <ecas...@gmail.com>
> Subject: Re: [Capture-HPC] RE: Can't exclude a registry
> To: General discussion list for Capture-HPC users <capture-hpc@public.honeynet.org>
>
> Don't know exactly why, but moving up the problematic lines on the
> RegistryMonitor.exl solved the issue.
>
> Regards
> Emilio
>
> 2009/12/2 Moshe Basanchig <mbasanc...@finjan.com>
>
> > Same here,
> >
> > I'm having the exact same issue.
> > Suggestions?
>
> End of Capture-HPC Digest, Vol 32, Issue 3

_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
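
Added example (not part of the thread and not Capture-HPC's own code): a small linter for RegistryMonitor.exl-style rules like the ones quoted above, which reports malformed lines and shows which rule lines match a given registry event. It assumes the four fields are tab-separated and that each regex must match the whole value, case-sensitively; the events and the third, space-separated rule are constructed for illustration.

```python
import re

def parse_rules(text):
    """Parse rules of the form: flag <TAB> action <TAB> process regex <TAB> object regex."""
    rules, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")  # assumption: fields are tab-separated
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            problems.append((lineno, "expected 4 tab-separated fields starting with + or -"))
            continue
        flag, action, proc, obj = fields
        try:
            rules.append((lineno, flag, action, re.compile(proc), re.compile(obj)))
        except re.error as exc:
            problems.append((lineno, f"bad regex: {exc}"))
    return rules, problems

def matching_rules(rules, action, process, obj):
    """Line numbers of all rules that match the event (assumption: full match)."""
    return [ln for ln, _flag, act, p, o in rules
            if act == action and p.fullmatch(process) and o.fullmatch(obj)]

def rule(*fields):
    return "\t".join(fields)

IE = r"C:\\Program Files\\Internet Explorer\\iexplore\.exe"
SAMPLE = "\n".join([
    rule("+", "DeleteValueKey", IE, r"HKCU\\Software\\Macromedia\\FlashPlayer\\.+"),
    rule("+", "SetValueKey", ".*",
         r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\FlashPlayer.*"),
    # Constructed mistake: spaces instead of tabs, so the line is not a valid rule.
    r"+ SetValueKey .* HKLM\\SOFTWARE\\Microsoft\\ESENT\\.+",
])

# Constructed events: (action, process path, registry path)
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    ("DeleteValueKey", IE_PATH, r"HKCU\Software\Macromedia\FlashPlayer\SomeValue"),
    ("SetValueKey", IE_PATH,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\FlashPlayerUpdate"),
    ("SetValueKey", IE_PATH, r"HKCU\Software\Macromedia\FlashPlayer\SomeValue"),
]

if __name__ == "__main__":
    rules, problems = parse_rules(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for ev in EVENTS:
        print(ev[0], ev[2], "->", matching_rules(rules, *ev) or "not excluded")
```

The third event stays unexcluded because the only FlashPlayer rule under Macromedia covers DeleteValueKey, not SetValueKey, so each action needs its own rule.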