Hi all, I noticed that rule 514 (Windows application monitor event) fires only the first time it detects an application configured in win_applications_rcl.txt to monitor. Is there any way to make it fire on every rootcheck scan?
I have managed to make rootcheck run every 5 minutes, from the looks of the logs, though I set it to run every 2 minutes with <frequency>120</frequency>. However, it does not fire after the first time and also doesn't send an email alert, even after changing to level=8 and enabling <options>alert_by_email</options>. My goal is to run rootcheck every few minutes in order to fire an alert on the prohibited Windows applications configured in win_applications_rcl.txt, and to write an active-response script to block the process from running on the agent machine(s). Any help will be much appreciated.
