<!— Windows AutoRuns Registry Values —>
<itementry param=“key” operator=“equalnocase” type=“ansi” value=“HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon” />
<itementry paramLDBX
=“value” operator=“equalnocase” type=“ansi” value=“Shell” />
</ruleentry>
</rulegroup>
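<rulegroup name="block-run6">
  <!-- Blocks setting/creating the Winlogon\Notify key (legacy Winlogon notification packages), customtext 4010. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed. -->
  <!-- NOTE(review): equalnocase appears to be an exact (case-insensitive) compare of the key path. Notification packages register as subkeys under Notify, so confirm the engine also matches writes below this key; otherwise the rule fires only on the parent key itself. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4010">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" />
  </ruleentry>
</rulegroup>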
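<rulegroup name="block-shellex">
  <!-- Executable file-association hijack: blocks writes to the exefile open/runas command keys, customtext 4009. -->
  <!-- match="any": hitting any one of the four keys is enough. Both hives are listed because a per-user HKCU\Software\Classes entry takes precedence over HKLM for that user. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed. -->
  <!-- NOTE(review): only the exefile class is covered here; the analogous batfile/cmdfile/comfile/scrfile command keys are not listed, so confirm they are protected by another group. -->
  <ruleentry event="registry" match="any" allow="false" notify="true" customtext="4009">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Classes\exefile\shell\open\command" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Classes\exefile\shell\runas\command" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\SOFTWARE\Classes\exefile\shell\open\command" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\SOFTWARE\Classes\exefile\shell\runas\command" />
  </ruleentry>
</rulegroup>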
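<rulegroup name="block-appinit">
  <!-- AppInit_DLLs injection: blocks setting the AppInit_DLLs value under Windows NT\CurrentVersion\Windows, customtext 4013. -->
  <!-- match="all": both the key entry and the value-name entry must match, so other values under this key are not affected. -->
  <!-- Repaired from the extracted copy: the notify attribute was garbled and is restored to "true" like the other block groups; straight quotes; stripped path separators restored. -->
  <!-- NOTE(review): the same key also carries LoadAppInit_DLLs, which switches the mechanism on or off; it is not covered by this group, so confirm whether it should be. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4013">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" />
    <itementry param="value" operator="equalnocase" type="ansi" value="AppInit_DLLs" />
  </ruleentry>
</rulegroup>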
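<ruleset name="rs-rega-block" allow="true">
  <!-- Registry "add" blocking ruleset: the DenySD event group binds it to setkey, setvalue and createkey events. -->
  <!-- Repaired from the extracted copy: straight quotes and injected junk removed; group references unchanged. -->
  <!-- NOTE(review): block-run6 (Winlogon\Notify) is referenced here but not in rs-regd-block, so deleting that key is not covered the way creating it is; confirm this is intended. Groups blk-ie-* and prot* are defined outside this section. -->
  <rulerefentry rulegroupref="block-run1"/>
  <rulerefentry rulegroupref="block-run2"/>
  <rulerefentry rulegroupref="block-run3"/>
  <rulerefentry rulegroupref="block-run4"/>
  <rulerefentry rulegroupref="block-run5"/>
  <rulerefentry rulegroupref="block-run6"/>
  <rulerefentry rulegroupref="block-shellex"/>
  <rulerefentry rulegroupref="block-appinit"/>
  <rulerefentry rulegroupref="blk-ie-search1"/>
  <rulerefentry rulegroupref="blk-ie-search2"/>
  <rulerefentry rulegroupref="blk-ie-search3"/>
  <rulerefentry rulegroupref="blk-ie-search4"/>
  <rulerefentry rulegroupref="blk-ie-search5"/>
  <rulerefentry rulegroupref="blk-ie-search6"/>
  <rulerefentry rulegroupref="blk-ie-search7"/>
  <rulerefentry rulegroupref="blk-ie-search8"/>
  <rulerefentry rulegroupref="blk-ie-search9"/>
  <rulerefentry rulegroupref="blk-ie-search10"/>
  <rulerefentry rulegroupref="blk-ie-srchdef"/>
  <rulerefentry rulegroupref="blk-ie-home1"/>
  <rulerefentry rulegroupref="blk-ie-home2"/>
  <rulerefentry rulegroupref="blk-ie-lcpage1"/>
  <rulerefentry rulegroupref="blk-ie-lcpage2"/>
  <rulerefentry rulegroupref="blk-ie-stpgdef"/>
  <rulerefentry rulegroupref="protourreg"/>
  <rulerefentry rulegroupref="protourreg1"/>
  <rulerefentry rulegroupref="protourreg2"/>
  <rulerefentry rulegroupref="protourreg3"/>
  <rulerefentry rulegroupref="protourExecs"/>
  <rulerefentry rulegroupref="protAvDatVersion"/>
  <rulerefentry rulegroupref="protAvEngVersion"/>
  <rulerefentry rulegroupref="protAvSDKVersion"/>
  <rulerefentry rulegroupref="ask-ie-desktop-wp"/>
  <rulerefentry rulegroupref="prot-ie-advanced-tab"/>
  <rulerefentry rulegroupref="prot-ie-connections-tab"/>
  <rulerefentry rulegroupref="prot-ie-content-tab"/>
  <rulerefentry rulegroupref="prot-ie-general-tab"/>
  <rulerefentry rulegroupref="prot-ie-homepage"/>
  <rulerefentry rulegroupref="prot-ie-privacy-tab"/>
  <rulerefentry rulegroupref="prot-ie-programs-tab"/>
  <rulerefentry rulegroupref="prot-ie-security-tab"/>
  <rulerefentry rulegroupref="protect-run5U"/>
  <rulerefentry rulegroupref="protScreenSaver"/>
  <rulerefentry rulegroupref="protlogonGina"/>
  <rulerefentry rulegroupref="protlogonSys"/>
  <rulerefentry rulegroupref="protlogonSysU"/>
  <rulerefentry rulegroupref="protlogonTMan"/>
  <rulerefentry rulegroupref="protsysStartup"/>
  <rulerefentry rulegroupref="protcmdAutoRun"/>
  <rulerefentry rulegroupref="protcmdAutoRunU"/>
  <rulerefentry rulegroupref="protSecuPack"/>
  <rulerefentry rulegroupref="protAuthPack"/>
  <rulerefentry rulegroupref="protNotiPack"/>
  <rulerefentry rulegroupref="protSessManager"/>
  <rulerefentry rulegroupref="protBootImage"/>
  <rulerefentry rulegroupref="protImageFExec"/>
  <rulerefentry rulegroupref="proIFMapWLogon"/>
  <rulerefentry rulegroupref="protDNSLibPath"/>
  <rulerefentry rulegroupref="protSTScheduler"/>
  <rulerefentry rulegroupref="protShExecHooks"/>
</ruleset>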
<!-- Block deleting startup entries: rule groups block-run1 to block-run5 below are referenced by rs-regd-block (and also by rs-rega-block) -->
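<rulegroup name="block-run1">
  <!-- Windows autorun registry keys: blocks the listed Run/RunOnce/RunServices/Policies Run/ShellServiceObjectDelayLoad keys in HKCU and HKLM, customtext 4004. -->
  <!-- match="any": a registry event on any one of these keys triggers the rule; entries are key-only, so value names are not constrained. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, a key split across two lines rejoined, injected junk removed. -->
  <!-- NOTE(review): only the native HKLM view is listed; the Wow6432Node mirror of these keys on 64-bit systems is not, so confirm whether the engine normalizes redirected paths. -->
  <ruleentry event="registry" match="any" allow="false" notify="true" customtext="4004">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\Run" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" />
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" />
  </ruleentry>
</rulegroup>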
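<rulegroup name="block-run2">
  <!-- Windows autorun registry value: blocks the "Run" value under HKCU\...\Windows NT\CurrentVersion\Windows, customtext 4004. -->
  <!-- match="all": key and value name must both match. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed from the value name. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4004">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" />
    <itementry param="value" operator="equalnocase" type="ansi" value="Run" />
  </ruleentry>
</rulegroup>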
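<rulegroup name="block-run3">
  <!-- Windows autorun registry value: blocks the "Load" value under HKCU\...\Windows NT\CurrentVersion\Windows, customtext 4004. -->
  <!-- match="all": key and value name must both match. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4004">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" />
    <itementry param="value" operator="equalnocase" type="ansi" value="Load" />
  </ruleentry>
</rulegroup>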
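<rulegroup name="block-run4">
  <!-- Winlogon "Userinit" value: blocks changes to the logon initialization program, customtext 4004. -->
  <!-- match="all": key and value name must both match. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4004">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" />
    <itementry param="value" operator="equalnocase" type="ansi" value="Userinit" />
  </ruleentry>
</rulegroup>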
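<rulegroup name="block-run5">
  <!-- Winlogon "Shell" value: blocks replacement of the logon shell, customtext 4004. -->
  <!-- match="all": key and value name must both match. -->
  <!-- Repaired from the extracted copy: straight quotes, stripped path separators restored, injected junk removed. -->
  <ruleentry event="registry" match="all" allow="false" notify="true" customtext="4004">
    <itementry param="key" operator="equalnocase" type="ansi" value="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" />
    <itementry param="value" operator="equalnocase" type="ansi" value="Shell" />
  </ruleentry>
</rulegroup>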
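<ruleset name="rs-regd-block" allow="true">
  <!-- Registry "delete" blocking ruleset: the DenySD event group binds it to delkey and delvalue events. -->
  <!-- Repaired from the extracted copy: straight quotes and injected junk removed; group references unchanged. -->
  <!-- NOTE(review): unlike rs-rega-block this set omits block-run6 (Winlogon\Notify) and the IE/prot* tab groups, so deleting those keys is not blocked; confirm this asymmetry is intended. -->
  <rulerefentry rulegroupref="block-run1"/>
  <rulerefentry rulegroupref="block-run2"/>
  <rulerefentry rulegroupref="block-run3"/>
  <rulerefentry rulegroupref="block-run4"/>
  <rulerefentry rulegroupref="block-run5"/>
  <rulerefentry rulegroupref="block-shellex"/>
  <rulerefentry rulegroupref="block-appinit"/>
  <rulerefentry rulegroupref="blk-ie-search1"/>
  <rulerefentry rulegroupref="blk-ie-search2"/>
  <rulerefentry rulegroupref="blk-ie-search3"/>
  <rulerefentry rulegroupref="blk-ie-search4"/>
  <rulerefentry rulegroupref="blk-ie-search5"/>
  <rulerefentry rulegroupref="blk-ie-search6"/>
  <rulerefentry rulegroupref="blk-ie-search7"/>
  <rulerefentry rulegroupref="blk-ie-search8"/>
  <rulerefentry rulegroupref="blk-ie-search9"/>
  <rulerefentry rulegroupref="blk-ie-search10"/>
  <rulerefentry rulegroupref="blk-ie-srchdef"/>
  <rulerefentry rulegroupref="blk-ie-home1"/>
  <rulerefentry rulegroupref="blk-ie-home2"/>
  <rulerefentry rulegroupref="blk-ie-lcpage1"/>
  <rulerefentry rulegroupref="blk-ie-lcpage2"/>
  <rulerefentry rulegroupref="blk-ie-stpgdef"/>
  <rulerefentry rulegroupref="protourreg"/>
  <rulerefentry rulegroupref="protourreg1"/>
  <rulerefentry rulegroupref="protourreg2"/>
  <rulerefentry rulegroupref="protourreg3"/>
  <rulerefentry rulegroupref="protourExecs"/>
  <rulerefentry rulegroupref="protAvDatVersion"/>
  <rulerefentry rulegroupref="protAvEngVersion"/>
  <rulerefentry rulegroupref="protAvSDKVersion"/>
</ruleset>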
<!-- AllowSD and protect our keys -->
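<ruleset name="rs-reg-allow" allow="true">
  <!-- Self-protection ruleset: references only the product's own registry, executable and AV version groups (defined outside this section). -->
  <!-- Repaired from the extracted copy: straight quotes and injected junk removed, and the missing closing tag added; without it the following ruleset nested inside this one and the document was not well-formed. -->
  <rulerefentry rulegroupref="protourreg"/>
  <rulerefentry rulegroupref="protourreg1"/>
  <rulerefentry rulegroupref="protourreg2"/>
  <rulerefentry rulegroupref="protourreg3"/>
  <rulerefentry rulegroupref="protourExecs"/>
  <rulerefentry rulegroupref="protAvDatVersion"/>
  <rulerefentry rulegroupref="protAvEngVersion"/>
  <rulerefentry rulegroupref="protAvSDKVersion"/>
</ruleset>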
<!-- AllowSAskD and protect our keys -->
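<ruleset name="rs-rega-sdd" allow="true">
  <!-- Self-protection ruleset; its group list is identical to rs-reg-allow and rs-rega-sad (only the ruleset name differs). -->
  <!-- Repaired from the extracted copy: straight quotes and injected junk removed. -->
  <rulerefentry rulegroupref="protourreg"/>
  <rulerefentry rulegroupref="protourreg1"/>
  <rulerefentry rulegroupref="protourreg2"/>
  <rulerefentry rulegroupref="protourreg3"/>
  <rulerefentry rulegroupref="protourExecs"/>
  <rulerefentry rulegroupref="protAvDatVersion"/>
  <rulerefentry rulegroupref="protAvEngVersion"/>
  <rulerefentry rulegroupref="protAvSDKVersion"/>
</ruleset>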
<!-- AllowSDenyD and protect our keys -->
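<ruleset name="rs-rega-sad" allow="true">
  <!-- Self-protection ruleset; its group list is identical to rs-reg-allow and rs-rega-sdd (only the ruleset name differs). -->
  <!-- Repaired from the extracted copy: straight quotes and injected junk removed. -->
  <rulerefentry rulegroupref="protourreg"/>
  <rulerefentry rulegroupref="protourreg1"/>
  <rulerefentry rulegroupref="protourreg2"/>
  <rulerefentry rulegroupref="protourreg3"/>
  <rulerefentry rulegroupref="protourExecs"/>
  <rulerefentry rulegroupref="protAvDatVersion"/>
  <rulerefentry rulegroupref="protAvEngVersion"/>
  <rulerefentry rulegroupref="protAvSDKVersion"/>
</ruleset>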
<!-- Public event groups, in ascending order of weight -->
<eveLDBX;<ntgroup name=“DenySD” description=“DenySD” weight=“15” allowweightranges=“0-19,FE-FE” severityref=“normal” trustChoice=“restricted” trustDisplay=“restricted” trustDetail=“DenySD”>
<evententry class=“srcproc” event=“process” subevent=“openprocess” rulegroupref=“rg-openp-ask” />
<evententry class=“srcproc” event=“process” subevent=“openthread” rulegroupref=“rg-opent-ask” />
<evententry class=“srcproc” event=“process” subevent=“sLDBX<=pawnprocess” rulegroupref=“rg-spawn-ask” />
<evententry class=“srcproc” event=“process” subevent=“startupprocess” allow=“true” />
<evententry class=“srcproc” event=“process” subevent=“terminateprocess” rulegroupref=“rg-termp-ask” />
<evententry class=“srcproc” event=“process” subevent=“oleconnect” rulegroupref=“rg-olecn-ask” />
<evententry class=“srcproc” event=“message” subevent=“keyboard” rulegroupref=“rgLDBX=>-keybd-ask” />
<evententry class=“srcproc” event=“message” subevent=“mouse” allow=“true” />
<evententry class=“srcproc” event=“message” subevent=“dde” rulegroupref=“rg-ddein-ask” />
<evententry class=“srcproc” event=“message” subevent=“message” rulegroupref=“rg-msg-ask” />
<evententry class=“srcproc” event=“execution” subevent=“callback” rulegroupref=“rg-callb-ask” />
<evententry clasLDBX>?s=“srcproc” event=“execution” subevent=“windowshook” rulegroupref=“rg-whook-ask” />
<evententry class=“srcproc” e
vent=“execution” subevent=“globalwindowshook” rulegroupref=“rg-glbhook-blk” />
<evententry class=“srcproc” event=“registry” subevent=“setkey” rulesetref=“rs-rega-block”/>
<evententry class=“srcproc” event=“registry” subevent=“setvalue” rulesetref=“rs-rega-block”/>
<evententry class=“srcproc” eventLDBX?@=“registry” subevent=“delkey” rulesetref=“rs-regd-block”/>
<evententry class=“srcproc” event=“registry” subevent=“delvalue” rulesetref=“rs-regd-block”/>
<evententry class=“srcproc” event=“registry” subevent=“createkey” rulesetref=“rs-rega-block”/>
<evententry class=“srcproc” event=“file” subevent=“write” rulesetref=“rs-files-block”/>
<evententry class=“srcproc” event=“file” subevent=“delete” rulesetref=“rs-fiLDBX@Ales-block”/>
<evententry class=“srcproc” event=“module” subevent=“load” rulegroupref=“rg-modld-ok” />
<evententry class=“srcproc” event=“driver” subevent=“load” rulegroupref=“rg-drvld-blk” />
<evententry class=“srcproc” event=“driver” subevent=“unload” rulegroupref=“rg-drvud-blk” />
<evententry class=“srcproc” event=“driver” subevent=“connect” rulegroupref=“rg-drvct-blk” />
<evententry clLDBXABass=“srcproc” event=“driver” subevent=“create” rulegroupref=“rg-drvcr-blk” />
<evententry class=“srcproc” event=“driver” subevent=“modify” rulegroupref=“rg-drvmd-blk” />
<evententry class=“srcproc” event=“driver” subevent=“delete” rulegroupref=“rg-drvdl-blk” />
<evententry class=“srcproc” event=“physmem” subevent=“map” rulegroupref=“rg-memmp-blk” />
<evententry class=“dstproc” event=“process” subevent=“openLDBXBCprocess” rulegroupref=“rg-openp-ask” />
<evententry class=“dstproc” event=“process” subevent=“openthread” rulegroupref=“rg-opent-ask” />
<evententry class=“dstproc” event=“process” subevent=“startupprocess” allow=“true” />
<evententry class=“dstproc” event=“process” subevent=“terminateprocess” rulegroupref=“rg-termp-ask” />
<evententry class=“dstproc” event=“process” subevent=“oleconnect” rulegroupref=“rg-oleLDBXCDcn-ask” />
<evententry class=“dstproc” event=“message” subevent=“keyboard” rulegroupref=“rg-keybd-ask” />