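--- a/.gitattributes
+++ b/.gitattributes
@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+DGAgentInstaller.exe filter=lfs diff=lfs merge=lfs -text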
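--- a/AgentResources.resx
+++ b/AgentResources.resx
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<root>
+<!-- Ticket Message -->
+<data name="AME_TICKET_SUBJECT">
+<!-- This is used as a subject for template message
+Supports tags: $subject $dgticket -->
+<value>$subject [Company Secure Email: $dgticket]</value>
+<comment></comment>
+</data>
+<data name="AME_TICKET_BODY">
+<!-- This is used as a body text for template message
+Supports tags: $subject $dgticket $timestamp $password $zippedAttachments $sender $to_originalRecipients $cc_originalRecipients $bcc_originalRecipients -->
+<value><![CDATA[*****************************************************************************************
+You received an email encrypted by Digital Guardian. The contents of the email were encrypted to protect sensitive information during transmission.
+
+To view the contents of the email with subject
+"$subject - [Company Secure Email $dgticket]"
+sent at $timestamp, use an archive utility that supports encryption with the following password:
+
+$password
+
+The details of the original email are:
+Attachment name: $zippedAttachments
+Original sender: $sender
+Original recipient: to: $to_originalRecipients
+cc: $cc_originalRecipients
+
+If you do not have an archive utility to decrypt the attachment,
+click one of these links to download an archive utility for your operating system:
+
+For Microsoft Windows, Linux, and Apple Macintosh OS: http://www.win-rar.com
+For Apple Macintosh and Microsoft Windows OS: http://www.stuffit.com
+*****************************************************************************************
+]]></value>
+<comment></comment>
+</data>
+<!-- Original Ticket Message -->
+<data name="AME_MAIL_SUBJECT">
+<!-- This is used as a subject for template message
+Supports tags: $subject $dgticket -->
+<value>$subject [Company Secure Email: $dgticket]</value>
+<comment></comment>
+</data>
+<data name="AME_MAIL_BODY_PASSWORD">
+<!-- This is used as a body text for message with password in the message itself
+Supports tags: $password -->
+<value><![CDATA[*****************************************************************************************
+This email was encrypted by Digital Guardian to protect sensitive information
+during transmission. To view the contents of this email, use an archive utility that supports encryption with the following password:
+
+$password
+
+If you do not have an archive utility to decrypt the attachment, click one of these links to download an archive utility for your operating system:
+
+For Windows, Linux, and Macintosh OS: http://www.win-rar.com
+For Macintosh and Windows OS: http://www.stuffit.com
+*****************************************************************************************
+]]></value>
+</data>
+<data name="AME_MAIL_BODY_TICKET_MESSAGE">
+<!-- This is used as a body text for message when the follow message is gonna be sent
+Supports tags: $subject $dgticket -->
+<value><![CDATA[*****************************************************************************************
+This email was encrypted by Digital Guardian to protect sensitive information
+during transmission.
+
+You will receive a second email with subject
+
+"$subject - [Company Secure Email $dgticket]"
+
+that contains a password to decrypt the attachments in this email.
+
+The second email includes instructions to decrypt the attachments in this email.
+*****************************************************************************************
+]]></value>
+</data>
+<!-- Original Message -->
+<data name="AME_BODY_MOVED_TEXT">
+<!-- This is used as a body text when the body moved into attachment
+Supports tags: $bodyAttachment -->
+<value><![CDATA[*****************************************************************************************
+The body of this email message was encrypted and moved into
+an attachment ($bodyAttachment) by Digital Guardian.
+*****************************************************************************************
+]]></value>
+</data>
+<data name="AME_SUBJECT_MOVED_TEXT">
+<!-- This is used as a subject text when the subject moved into attachment
+Supports tags: $bodyAttachment -->
+<value><![CDATA[The original subject of this email message was encrypted and moved into an attachment ($bodyAttachment) by Digital Guardian's secure email system.]]></value>
+</data>
+<data name="AME_PASSWORD_IMAGE_PASSWORD_TEXT">
+<!-- This is used to spcify the text that will be used to replace the $password variable
+if password Display type is set to Clear or Distorted image
+Supports tag: $pswImgName -->
+<value><![CDATA[Password is in attachment [$pswImgName]]]></value>
+</data>
+<!-- Audit Message -->
+<data name="AME_AUDIT_SUBJECT">
+<!-- Subject of audit (shadow copy) message
+Supports tags: $subject $dgticket-->
+<value>Audit message subject - FW: $subject $dgticket</value>
+<comment></comment>
+</data>
+<data name="AME_AUDIT_INFO">
+<!-- Body of audit (shadow copy) message
+Supports tags: $auditMessageText $sender $subject $timestamp
+$to_originalRecipients $cc_originalRecipients $bcc_originalRecipients
+$originalAttachments
+$encryptedAttachments
+$zippedAttachments $dgticket $password -->
+<value>
+<![CDATA[$auditMessageText
+
+Machine Event ID: $meid
+
+Sender: $sender
+
+Subject: $subject
+
+Time: $timestamp
+
+Recipient list: to: $to_originalRecipients
+cc: $cc_originalRecipients
+bcc: $bcc_originalRecipients
+
+Original attachments: $originalAttachments
+
+Encrypted attachments: $encryptedAttachments
+
+Zipped attachments: $zippedAttachments
+Ticket number: $dgticket
+Password: $password
+
+]]></value>
+<comment></comment>
+</data>
+<data name="AME_AUDIT_MESSAGE_TEXT">
+<!-- Will be used as a default text for tag $auditMessageText in AME_AUDIT_INFO -->
+<value>The original message details</value>
+</data>
+<!-- Variables -->
+<data name="AME_PASSWORD_IMAGE_FILENAME">
+<!-- This is used to spcify the file name to use for the image that hold the password
+Extention defines the image type. Supported types are: gif and jpg -->
+<value>password.jpg</value>
+</data>
+<data name="AME_BODY_MOVED_ATTACHMENT_NAME">
+<!-- Name for encrypted body attachment file - in genral -->
+<value>body.txt</value>
+</data>
+<data name="AME_BODY_MOVED_ATTACHMENT_NAME_TXT">
+<!-- Name for encrypted body attachment file - txt body -->
+<value>body.txt</value>
+</data>
+<data name="AME_BODY_MOVED_ATTACHMENT_NAME_HTM">
+<!-- Name for encrypted body attachment file - HTML body -->
+<value>body.html</value>
+</data>
+<data name="AME_BODY_MOVED_ATTACHMENT_NAME_RTF">
+<!-- Name for encrypted body attachment file - RTF body -->
+<value>body.rtf</value>
+</data>
+<data name="AME_BODY_EVENT_TITLE_NAME">
+<!-- Name for body in event -->
+<value>Message Body</value>
+</data>
+<data name="AME_AGGREGATE_ATTACHMENT_NAME">
+<!-- Name for zipped attachments and body file -->
+<value>EncryptedData</value>
+</data>
+<data name="AME_ZIP_EXTENSIONS_NAME">
+<!-- Extention for zipped attachments and body file -->
+<value>.zip</value>
+</data>
+<data name="AME_ZIP_EXTENSIONS_SEPARATOR">
+<!-- Separator replace . in original file name, for zipped attachments -->
+<value>_</value>
+</data>
+<data name="AME_RETURN_TO_SENDER_BODY">
+<!-- BES and EAS use it to send message to sender when SendMail is blocked -->
+<value>Message is blocked by DG</value>
+</data>
+<data name="AME_RETURN_TO_SENDER_SUBJECT">
+<!-- BES and EAS use it to send message to sender when SendMail is blocked
+Supports tags: $subject -->
+<value>Message is blocked by DG - Re: $subject</value>
+</data>
+</root>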
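Review bot: `AME_MAIL_BODY_PASSWORD` and `AME_TICKET_BODY` deliver `$password` in clear text by email, and `AME_AUDIT_INFO` repeats it as `Password: $password` in every shadow copy, so anyone who can read the recipient's mailbox or the audit mailbox can open the encrypted archive. If the audit copy does not need the secret, drop that line from the audit template. On the password templates, add a comment such as `<!-- $password is sent in clear text; prefer the image or second-message delivery options where policy allows -->`. Both bodies also direct recipients to `http://www.win-rar.com` and `http://www.stuffit.com`; software-download links in a security notice should use `https://` or be replaced by a pointer to the organisation's approved archive tool.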
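--- a/BaseAgentConfig.xml
+++ b/BaseAgentConfig.xml
@@ -0,0 +1,332 @@
+<?xml version="1.0"?>
+<configuration>
+<appSettings>
+<suppressLossStreamDialog pushDuringUpdate="1">1</suppressLossStreamDialog>
+<isInvisibleOn>1</isInvisibleOn>
+<isImmortalOn>1</isImmortalOn>
+<isTamperResistOn>1</isTamperResistOn>
+<isStealthOn>1</isStealthOn>
+<isUberStealthOn>0</isUberStealthOn>
+<enableClassification>1</enableClassification>
+<enableCDPTagProp>0</enableCDPTagProp>
+<enableDocProperties>0</enableDocProperties>
+<docpropsEventItemList>keywords</docpropsEventItemList>
+<cdpTagPropSelectorName>DG</cdpTagPropSelectorName>
+<useRuleFuncForCDPTagProp>0</useRuleFuncForCDPTagProp>
+<updateStreamDocPropsAfterCDPTagProp>0</updateStreamDocPropsAfterCDPTagProp>
+<alwaysReadClassificationStream>1</alwaysReadClassificationStream>
+<detectPathChangesForClassifiedFiles pushDuringUpdate="1">1</detectPathChangesForClassifiedFiles>
+<useLocalForRemoteOnFlyClassification pushDuringUpdate="1">1</useLocalForRemoteOnFlyClassification>
+<commServerName></commServerName>
+<commServerPort>80</commServerPort>
+<commServerIsHTTPS>0</commServerIsHTTPS>
+<commServicesPage>/DGCOMM/services.aspx</commServicesPage>
+<commBundlePage>/DGCOMM/receiveBundle.aspx</commBundlePage>
+<commClientAuthFlags>0</commClientAuthFlags>
+<httpProxySupportLevel pushDuringUpdate="1">0</httpProxySupportLevel>
+<httpProxySupportFlags pushDuringUpdate="1">0</httpProxySupportFlags>
+<httpProxyServerName pushDuringUpdate="1"></httpProxyServerName>
+<httpProxyServerPort pushDuringUpdate="1"></httpProxyServerPort>
+<installDir>C:\Program Files\DGAgent</installDir>
+<logPath>C:\Program Files\DGAgent\dg.log</logPath>
+<logLevel>1</logLevel>
+<useLegacyLogging>1</useLegacyLogging>
+<isDebugTraceOn>0</isDebugTraceOn>
+<advancedAlertThrottling>1</advancedAlertThrottling>
+<alertThrottleTimeoutinSec>60</alertThrottleTimeoutinSec>
+<responseCacheTimeoutInSec pushDuringUpdate="1">30</responseCacheTimeoutInSec>
+<onlyRecordProcessWithEvents>0</onlyRecordProcessWithEvents>
+<activityLogging>1,2,3,5,7,11,12,17,18,21,22,23,24,28,36,42,43,44,45,61</activityLogging>
+<activityAlertThrottling>4,7,15,16</activityAlertThrottling>
+<eventsPerBundle>1000</eventsPerBundle>
+<postBundlesMS>1800000</postBundlesMS>
+<interBundleWaitMS>5000</interBundleWaitMS>
+<maxBundlesToPost>100</maxBundlesToPost>
+<createBundlesMS>900000</createBundlesMS>
+<queryForSettingsMS>1800000</queryForSettingsMS>
+<registrationMS>900000</registrationMS>
+<maxCommFailuresBeforeReregister pushDuringUpdate="1">24</maxCommFailuresBeforeReregister>
+<registrationTriesBeforeIncreasingBackoff pushDuringUpdate="1">5</registrationTriesBeforeIncreasingBackoff>
+<registrationBackoffMS_MAX pushDuringUpdate="1">3600000</registrationBackoffMS_MAX>
+<registerOnIpChange pushDuringUpdate="1">0</registerOnIpChange>
+<uninstallKey>n3WeQLH6mfv6se98a/ZjtQJUwmA=</uninstallKey>
+<certificateHash/>
+<certificateGuid/>
+<agentCertificateGuid/>
+<signature/>
+<treatUnkownDnsHostStatusAsAvailable pushDuringUpdate="1">0</treatUnkownDnsHostStatusAsAvailable>
+<refreshDnsHostInfoTimeoutinSec pushDuringUpdate="1">120</refreshDnsHostInfoTimeoutinSec>
+<updateNetworkPropertiesTimeoutinSec pushDuringUpdate="1">60</updateNetworkPropertiesTimeoutinSec>
+<delayQueryNetworkPropertiesInSec pushDuringUpdate="1">2</delayQueryNetworkPropertiesInSec>
+<isFirstRun>1</isFirstRun>
+<isUpdatePending>0</isUpdatePending>
+<bootTime>0</bootTime>
+<lastUpdatePkgDtTm>0</lastUpdatePkgDtTm>
+<appRemediationLicense>0</appRemediationLicense>
+<appRemediationEventsPerBundle>100</appRemediationEventsPerBundle>
+<appRemediationCommBundlePage>/REMEDDGCOMM/ReceiveBundle.aspx</appRemediationCommBundlePage>
+<appRemediationServerName></appRemediationServerName>
+<appRemediationServerPort>80</appRemediationServerPort>
+<appRemediationServerIsHTTPS>0</appRemediationServerIsHTTPS>
+<appRemediationActivityLogging>25,26</appRemediationActivityLogging>
+<appRemediationEnableScreenCI>0</appRemediationEnableScreenCI>
+<appRemediationEnableDynamicMasking>0</appRemediationEnableDynamicMasking>
+<appRemediationDisableMask>2</appRemediationDisableMask>
+<isSubclassOn>0</isSubclassOn>
+<enableURLtoIPTranslations>0</enableURLtoIPTranslations>
+<minimumDiskSpaceRequirement>600</minimumDiskSpaceRequirement>
+<minimumAlertsDiskSpaceRequirement>150</minimumAlertsDiskSpaceRequirement>
+<fileReadFlushTimeoutMS>60000</fileReadFlushTimeoutMS>
+<gfileLingerSeconds>120</gfileLingerSeconds>
+<cdWriteFlushTimeoutMS>60000</cdWriteFlushTimeoutMS>
+<userOpFlushTimeoutMS>60000</userOpFlushTimeoutMS>
+<appDataExchangeFlushTimeoutMS>60000</appDataExchangeFlushTimeoutMS>
+<processCacheFlushTimeoutMS>60000</processCacheFlushTimeoutMS>
+<regmonFlushTimeoutMS>60000</regmonFlushTimeoutMS>
+<commSendTimeoutMS>120000</commSendTimeoutMS>
+<commRecvTimeoutMS>120000</commRecvTimeoutMS>
+<maxEntriesPerProcess pushDuringUpdate="1">25</maxEntriesPerProcess>
+<processCacheHashBits>8</processCacheHashBits>
+<fileobjCacheHashBits>7</fileobjCacheHashBits>
+<tdiCacheHashBits>8</tdiCacheHashBits>
+<stringCacheHashBits>12</stringCacheHashBits>
+<psidCacheHashBits>12</psidCacheHashBits>
+<tsidCacheHashBits>10</tsidCacheHashBits>
+<threadCacheHashBits>12</threadCacheHashBits>
+<gfileCacheHashBits pushDuringUpdate="1">6</gfileCacheHashBits>
+<applyControlRuleBuildCLObj pushDuringUpdate="1">0</applyControlRuleBuildCLObj>
+<dctmTimeoutMS pushDuringUpdate="1">3000</dctmTimeoutMS>
+<disableImplicitFilteringForSourceDriveTypes>remote</disableImplicitFilteringForSourceDriveTypes>
+<disableImplicitFilteringForDestinationDriveTypes>unknown,no root dir,removable,remote,cd,ramdisk,screen,url</disableImplicitFilteringForDestinationDriveTypes>
+<disableImplicitFilteringIfSourceMatchesDestinationDriveTypes></disableImplicitFilteringIfSourceMatchesDestinationDriveTypes>
+<dgfsmonBypassHigh pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_agentbypasshigh" regType="DWOR">0</dgfsmonBypassHigh>
+<dgfsmonBypassLow pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_agentbypasslow" regType="DWOR">0</dgfsmonBypassLow>
+<dgfsmonCiCl pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enable_cicl" regType="DWOR">5</dgfsmonCiCl>
+<dgfsmonenableonflyclassifcation pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enableonflyclassifcation" regType="DWOR">1</dgfsmonenableonflyclassifcation>
+<dgfsmonenableclifunknowndrivetypes pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enable_clif_unknown_drivetypes" regType="DWOR">1</dgfsmonenableclifunknowndrivetypes>
+<dgfsmondisablestreamstealth pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_disableStreamStealth" regType="DWOR">0</dgfsmondisablestreamstealth>
+<dgfsmonTaggingIgnoreList pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_taggingIgnoreList" regType="STRI">winword8.doc excel9.xls mspub.pub pwrpnt11.pot normal.dot opa11.bak</dgfsmonTaggingIgnoreList>
+<dgfsmonDpExtensionList pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_dpextensionsList" regType="STRI">pdf, vsd, ppt, zip, rtf, txt, pub, doc, dot, docx, docm, dotm, dotx, xls, xla, xlt, xlsx, xltx, xlsm, xlsb, xltm, xlam, pot, pps, ppa, pptx, potx, potm, ppts, ppsm, ppam, mpp, mpt, vst, pptm, ppsx, vsdx, vss</dgfsmonDpExtensionList>
+<dgfsmonMaxFileSizeOnFlyClassification pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_maxfilesize_onflyclassification" regType="DWOR">10240</dgfsmonMaxFileSizeOnFlyClassification>
+<dgfsmonDoClassifyModTimeInterval pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_do_classify_mod_time_milliseconds" regType="DWOR">100</dgfsmonDoClassifyModTimeInterval>
+<dgmasterDisableImplicitFiltering pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_disableImplicitFiltering" regType="DWOR">0</dgmasterDisableImplicitFiltering>
+<dgmastereSataOverRide pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_eSataOverRide" regType="DWOR">0</dgmastereSataOverRide>
+<dgmasterDisableImplicitFilteringFileOpen pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_disableImplicitFilteringFileOpen" regType="DWOR">0</dgmasterDisableImplicitFilteringFileOpen>
+<dgmasterMaxFileHistory pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_MaxFileHistory" regType="DWOR">100</dgmasterMaxFileHistory>
+<dgmasterHookCDROM pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="hookCDROM" regType="DWOR">1</dgmasterHookCDROM>
+<dgtdimonAgentDirectTCP pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGTDIMon" regName="AgentDirectTCP" regType="DWOR">0</dgtdimonAgentDirectTCP>
+<dgrootDisableRecursiveBSOD pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGRoot\Parameters" regName="disableRecursiveBSOD" regType="DWOR">1</dgrootDisableRecursiveBSOD>
+<dgmasterDisableRecursiveBSOD pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="disableRecursiveBSOD" regType="DWOR">1</dgmasterDisableRecursiveBSOD>
+<dgmasterSupportedGINA pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="supportedGINA" regType="STRI">msgina.dll,msgina,ctxgina.dll,nwgina.dll,sbgina.dll</dgmasterSupportedGINA>
+<dgrootEnableCorruptionDetection pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGRoot\Parameters" regName="EnableCorruptionDetection" regType="DWOR">0</dgrootEnableCorruptionDetection>
+<dgmasterEnableCorruptionDetection pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="EnableCorruptionDetection" regType="DWOR">0</dgmasterEnableCorruptionDetection>
+<dgmasterMaxPreFifoEventsToRecord pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="maxPreFifoEventsToRecord" regType="DWOR">1000</dgmasterMaxPreFifoEventsToRecord>
+<dgmasterMaxBufManagerAllocation pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="bufmgr_max_allocation" regType="DWOR">251658240</dgmasterMaxBufManagerAllocation>
+<dgmasterExtensionsForTagsInCDP pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="extensionsForTagsInCDP" regType="STRI">pdf,vsd,ppt,zip,rtf,txt,pub,doc,dot,docx,docm,dotm,dotx,xls,xla,xlt,xlsx,xltx,xlsm,xlsb,xltm,xlam,pot,pps,ppa,pptx,potx,potm,ppts,ppsm,ppam,mpp,mpt,vst,pptm,ppsx,vsdx,vss</dgmasterExtensionsForTagsInCDP>
+<restrictShares pushDuringUpdate="1">0</restrictShares>
+<restrictSharesMsg pushDuringUpdate="1">Shares with EVERYONE access are not allowed by the company.</restrictSharesMsg>
+<eventStreamInfo>1</eventStreamInfo>
+<fileStateStreamInfo>1</fileStateStreamInfo>
+<scannerStreamInfo>1</scannerStreamInfo>
+<classifyFileOnNetworkShare>0</classifyFileOnNetworkShare>
+<sendMailEventLevel>0</sendMailEventLevel>
+<sendMailIncludeSubject>1</sendMailIncludeSubject>
+<sendMailExpandNetworkGroups>1</sendMailExpandNetworkGroups>
+<sendMailBlockSendifGroupExpansionFails>0</sendMailBlockSendifGroupExpansionFails>
+<sendMailExpandedNetworkGroupTimeoutMinutes>60</sendMailExpandedNetworkGroupTimeoutMinutes>
+<sendMailSuppressOutlookSendUnencryptedButton>0</sendMailSuppressOutlookSendUnencryptedButton>
+<sendMailDGxheaderControl>2</sendMailDGxheaderControl>
+<dgxheaderOn>0</dgxheaderOn>
+<bypassDGKillSignatureVerification>0</bypassDGKillSignatureVerification>
+<eventCacheEnable>0</eventCacheEnable>
+<eventCacheLimit>20000</eventCacheLimit>
+<eventCacheExpirationSeconds>300</eventCacheExpirationSeconds>
+<enableWinHttpAndSPDYHooks>0</enableWinHttpAndSPDYHooks>
+<!-- DG Browser Plugins -->
+<!-- disabledBrowserPlugins is comma delimited
+Enable all = 0 FireFox = 1 Chrome = 2 -->
+<disabledBrowserPlugins>0</disabledBrowserPlugins>
+<!-- eg. <chromeExtensionInstallForcelist>icgdohkgjiligeccmcbeehemjofhdned;https://clients2.google.com/service/update2/crx</chromeExtensionInstallForcelist> -->
+<chromeExtensionInstallForcelist></chromeExtensionInstallForcelist>
+<!-- chromePolicies uses JSON -->
+<!-- eg. {"IncognitoModeAvailability":1,"DeveloperToolsDisabled":1,"URLBlacklist":{"1":"cnn.com","2":"example1.com","3":"example1.com"},"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}} -->
+<chromePolicies>{"IncognitoModeAvailability":1,"DeveloperToolsDisabled":1}</chromePolicies>
+<!-- eg. {"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}} -->
+<!-- <fireFoxPolicies>{"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}}</fireFoxPolicies> -->
+<!-- classification -->
+<dgclassifyIgnoreProcessAsyncWriteFlag>1</dgclassifyIgnoreProcessAsyncWriteFlag>
+<!-- features -->
+<featureAME>0</featureAME>
+<featureAFE>0</featureAFE>
+<featureCOT>0</featureCOT>
+<featureACI>1</featureACI>
+<featureTVA>0</featureTVA>
+<featureBBS>0</featureBBS>
+<featureDOC>0</featureDOC>
+<featureBJUC>0</featureBJUC>
+<featureBJUCI>0</featureBJUCI>
+<ucPolicy></ucPolicy>
+<bjuciPartnerID>12</bjuciPartnerID>
+<bjuciUpdateCacheTimeoutMS>360000</bjuciUpdateCacheTimeoutMS>
+<bjucEnableRefreshConfiguration>1</bjucEnableRefreshConfiguration>
+<!-- MIP -->
+<mipPartnerId>15</mipPartnerId>
+<!-- ame -->
+<ameGetSessionKeyIntervalSec>43200</ameGetSessionKeyIntervalSec>
+<ameBlindCopyAddress></ameBlindCopyAddress>
+<ameSendShadowCopyCriteria>0</ameSendShadowCopyCriteria>
+<ameSendShadowCopyWhenBlockedMail>1</ameSendShadowCopyWhenBlockedMail>
+<ameSendPasswordViaEmail>1</ameSendPasswordViaEmail>
+<ameProcessMailBody pushDuringUpdate="1">1</ameProcessMailBody>
+<ameEncryptMailBody>0</ameEncryptMailBody>
+<ameSingleZip>0</ameSingleZip>
+<ameSecureWholeEmailOnAnyItemSecured>0</ameSecureWholeEmailOnAnyItemSecured>
+<amePasswordDeliveryMethod>0</amePasswordDeliveryMethod>
+<amePasswordDisplayType>1</amePasswordDisplayType>
+<ameEncryptMailAttachments>1</ameEncryptMailAttachments>
+<!-- bbs -->
+<bbsGetSessionKeyIntervalSec>43200</bbsGetSessionKeyIntervalSec>
+<bbsSendPasswordViaEmail>1</bbsSendPasswordViaEmail>
+<bbsPasswordDisplayType>1</bbsPasswordDisplayType>
+<bbsEnableDecryption>1</bbsEnableDecryption>
+<!-- doc -->
+<docAciProcessDestForContent>0</docAciProcessDestForContent>
+<!-- cot -->
+<cotProtectedServerListUpdateIntervalSec>604800</cotProtectedServerListUpdateIntervalSec>
+<cotProtectedServerListExpirationIntervalSec>172800</cotProtectedServerListExpirationIntervalSec>
+<!-- tva -->
+<tvaClientListDefault>1</tvaClientListDefault>
+<tvaRepeatTokenInterval>10000</tvaRepeatTokenInterval>
+<tvaReplayChecking>0</tvaReplayChecking>
+<!-- afe -->
+<afe-getSessionKeyIntervalSec>43200</afe-getSessionKeyIntervalSec>
+<afe-markFileEncrypted>1</afe-markFileEncrypted>
+<afe-reportNTFSName>1</afe-reportNTFSName>
+<afe-keyCacheTimeout>60</afe-keyCacheTimeout>
+<afe-persistSessionKeys>1</afe-persistSessionKeys>
+<afe-enableWholeDiskEncryption>0</afe-enableWholeDiskEncryption>
+<samEncryptionEnabled>0</samEncryptionEnabled>
+<afe-contextMenuEnabled pushDuringUpdate="1">0</afe-contextMenuEnabled>
+<afe-Attach_IgnoreNetHosts>tsclient</afe-Attach_IgnoreNetHosts>
+<!-- scanner -->
+<scanFixedDrives>0</scanFixedDrives>
+<scanMappedNetworkDrives>0</scanMappedNetworkDrives>
+<scanRemovableDrives>0</scanRemovableDrives>
+<scanRunOnInstall>0</scanRunOnInstall>
+<scanStartTime>0100</scanStartTime>
+<scanEndTime>0500</scanEndTime>
+<scanPeriodicTimeoutHours>65535</scanPeriodicTimeoutHours>
+<scanPeriodicPriority>0</scanPeriodicPriority>
+<scanScheduledPriority>2</scanScheduledPriority>
+<scanDaysOfWeek></scanDaysOfWeek>
+<!-- doc properties -->
+<docpropsProcessSrcFileForContent>1</docpropsProcessSrcFileForContent>
+<docpropsProcessDestFileForContent>1</docpropsProcessDestFileForContent>
+<docpropsCodePage pushDuringUpdate="1">0</docpropsCodePage>
+<dgapiCodePage pushDuringUpdate="1">0</dgapiCodePage>
+<!-- above 2 represents CP_ACP 65001 gets CP_UTF8 -->
+<!-- aci -->
+<aciVerifyEntities pushDuringUpdate="1">1</aciVerifyEntities>
+<aciVerifyModuleName pushDuringUpdate="1">dgcivrfy.dll</aciVerifyModuleName>
+<aciThreadPoolSize pushDuringUpdate="1">4,6,10,12</aciThreadPoolSize>
+<aciCreateHeaderOnlyIfClassified pushDuringUpdate="1">0</aciCreateHeaderOnlyIfClassified>
+<aciMaxFilesPerHDGCI pushDuringUpdate="1">50</aciMaxFilesPerHDGCI>
+<aciLogEntityScores pushDuringUpdate="1">0</aciLogEntityScores>
+<aciTangibleCharacters pushDuringUpdate="1"></aciTangibleCharacters>
+<aciMaxSecondsPerFile>10</aciMaxSecondsPerFile>
+<aciScannerMaxSecondsPerFile pushDuringUpdate="1">0</aciScannerMaxSecondsPerFile>
+<aciEnableCaseSensitivity pushDuringUpdate="1">1</aciEnableCaseSensitivity>
+<aciAppendedText pushDuringUpdate="1">\t\tThis is the end of the line.\r\nThis is the end of the file.</aciAppendedText>
+<aciMaxMatchLength>0</aciMaxMatchLength>
+<aciMatchWholeWord>1</aciMatchWholeWord>
+<aciAllowOverlap>0</aciAllowOverlap>
+<aciAllowMultipleResults>0</aciAllowMultipleResults>
+<aciEnableComponents>1</aciEnableComponents>
+<aciEnableSoftHyphenFiltering>1</aciEnableSoftHyphenFiltering>
+<aciIdolConnTimeoutMs>5000</aciIdolConnTimeoutMs>
+<aciEnableUniqueMatches>0</aciEnableUniqueMatches>
+<aciProcessDestFileForContent>1</aciProcessDestFileForContent>
+<aciMaxIdxTempFilesToDeletePerBatch>100</aciMaxIdxTempFilesToDeletePerBatch>
+<!-- When changing either aciEngineType or aciEngineModule manually, BOTH must be synchronized. -->
+<!-- aciEngineType == 0 == aciEngineModule == DGCI2.DLL -->
+<!-- aciEngineType == 1 == aciEngineModule == DGCI_ATTIVIO.DLL -->
+<aciEngineType>0</aciEngineType>
+<aciEngineModule regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGScan\Parameters" regName="aciModuleName" regType="STRI">DGCI2.DLL</aciEngineModule>
+<!-- Note: for ADI "0" means ZERO, i.e., return ZERO matches -->
+<aciEntityStopCount>100</aciEntityStopCount>
+<aciMaxTaggedEntities pushDuringUpdate="1">1000</aciMaxTaggedEntities>
+<aciEngineMaxBytesToProcess>10485760</aciEngineMaxBytesToProcess>
+<aciFileReadDelayIntervalMS pushDuringUpdate="1">0</aciFileReadDelayIntervalMS>
+<aciScannerFileReadDelayIntervalMS pushDuringUpdate="1">0</aciScannerFileReadDelayIntervalMS>
+<aciScannerExtractEntitySleepIntervalMS pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGScan\Parameters" regName="aciScannerExtractEntitySleepIntervalMS" regType="DWOR">0</aciScannerExtractEntitySleepIntervalMS>
+<contentInspectionConfigFile pushDuringUpdate="1">ciconfig.xml</contentInspectionConfigFile>
+<aciEngineParameters32 pushDuringUpdate="1">dginspect.exe -J-Xmx100m -J-XX:MaxPermSize=30m -J-XX:ReservedCodeCacheSize=5m -J-XX:MinHeapFreeRatio=5 -J-XX:MaxHeapFreeRatio=10 -J-Xrs -cmd start verdasys-base.xml verdasys.xml</aciEngineParameters32>
+<aciEngineParameters64 pushDuringUpdate="1">dginspect.exe -J-Xmx160m -J-XX:MaxPermSize=60m -J-XX:ReservedCodeCacheSize=5m -J-XX:MinHeapFreeRatio=5 -J-XX:MaxHeapFreeRatio=10 -J-Xrs -cmd start verdasys-base.xml verdasys.xml</aciEngineParameters64>
+<aciEngineDeleteLogsAfterDays pushDuringUpdate="1">7</aciEngineDeleteLogsAfterDays>
+<!-- When this is set to true this makes every stage in the workflow single instanced and reused. When it is set to false, there can be multiple instances of stage. NOTE: this will use more memory when set to false. The default is true. -->
+<aciEngineAllComponentsThreadSafe pushDuringUpdate="1">true</aciEngineAllComponentsThreadSafe>
+<!-- This determines how many instances of stages in the workflow will be created. Set the above property to false and this to a number greater than 1 to have multiple advte instances. The default is 1. -->
+<aciEnginePerformanceDefaultInstances pushDuringUpdate="1">1</aciEnginePerformanceDefaultInstances>
+<!-- This determines how many web reqeusts can be processed at the same time. When all threads used up subsequent requests will queue up. The default is 1. -->
+<aciEngineNumThreads pushDuringUpdate="1">1</aciEngineNumThreads>
+<aciEngineMaxChunkSize pushDuringUpdate="1">131072</aciEngineMaxChunkSize>
+<!-- ipc -->
+<ipcMessageTimeout pushDuringUpdate="1">0</ipcMessageTimeout>
+<!-- QDB processor -->
+<qdbIpcSendChannelSize pushDuringUpdate="1">12288</qdbIpcSendChannelSize>
+<qdbIpcReceiveChannelSize pushDuringUpdate="1">12288</qdbIpcReceiveChannelSize>
+<qdbThreadPoolSize pushDuringUpdate="1">3,4,5,6</qdbThreadPoolSize>
+<dgLogMaxBackupLogs pushDuringUpdate="1">10</dgLogMaxBackupLogs>
+<dgLogMaxSizeInKB pushDuringUpdate="1">51200</dgLogMaxSizeInKB>
+<!-- START feature umco options -->
+<!-- umcoTagFilter => tells AME to filter out these unwanted tags retrieved from the email x-header -->
+<umcoTagFilter pushDuringUpdate="1"></umcoTagFilter>
+<!-- END feature umco options -->
+<!-- START Feature Status Manager -->
+<statusManagerSendIntervalMS>1800000</statusManagerSendIntervalMS>
+<statusManagerSendAllIntervalMS>86400000</statusManagerSendAllIntervalMS>
+<!-- END Feature Status Manager -->
+<getExpeditedDataMS>300000</getExpeditedDataMS>
+<classifyDestFilesAfterFolderMoveOnSameVolume>1</classifyDestFilesAfterFolderMoveOnSameVolume>
+<reportFilesAfterFolderMoveOnSameVolume>1</reportFilesAfterFolderMoveOnSameVolume>
+
+<componentListsEnvVarsToExpand>|windir|systemroot|systemdrive|programfiles|programfiles(x86)|</componentListsEnvVarsToExpand>
+<componentListsMaxAggregateCount>5000000</componentListsMaxAggregateCount>
+
+<!-- Cassini Web Inspection Proxy-->
+<wipDisable>0</wipDisable>
+<wipPort>3128</wipPort>
+<wipDebugLogLevel></wipDebugLogLevel>
+<wipSuppressBrowserCache>0</wipSuppressBrowserCache>
+<wipFsDriverEnable>0</wipFsDriverEnable>
+<!-- for pre-7.5 DGMC deployments -->
+<wipOneCrlUrl pushDuringUpdate="1">https://onecrl.msp.digitalguardian.com/onecrl/onecrl.json</wipOneCrlUrl>
+<!-- hidden configuration items-->
+<wipDebugPort pushDuringUpdate="1">0</wipDebugPort>
+<wipAgingPeriodInSeconds pushDuringUpdate="1">300</wipAgingPeriodInSeconds>
+<!-- Cassini Web Inspection Proxy-->
+
+<!-- Start Agent Cloud Communication -->
+<cloudCommsEnabled>0</cloudCommsEnabled>
+<maxBackoffInterval>6000000</maxBackoffInterval>
+<minBackoffInterval>300000</minBackoffInterval>
+<holdDownTime>300</holdDownTime>
+<!-- End Agent Cloud Communication-->
+
+<!-- ACI Sample Match-->
+<aciSampleMatchingEnabled>0</aciSampleMatchingEnabled>
+<aciSampleMatchNumOfCharsBefore>25</aciSampleMatchNumOfCharsBefore>
+<aciSampleMatchNumOfCharsAfter>25</aciSampleMatchNumOfCharsAfter>
+<aciSampleMatchNumOfAllEntities>100</aciSampleMatchNumOfAllEntities>
+<aciSampleMatchNumPerEntity>25</aciSampleMatchNumPerEntity>
+<!-- ACI Sample Match-->
+
+<agentRole>roleMed</agentRole>
+<!--=====AGENT ROLE DEFINITION BEGIN ======-->
+<roleDisabled defaultProcessFlags="SK+TR+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Disabled"></roleDisabled>
+<roleLow defaultProcessFlags="SK+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Low = SK+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN"></roleLow>
+<roleMed defaultProcessFlags="NI+NH" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Med = NI+NH"></roleMed>
+<roleHigh defaultProcessFlags="NH" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="High = NH"></roleHigh>
+<!--=====AGENT ROLE DEFINITION END ======-->
+</appSettings>
+</configuration>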
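Review bot: `<uninstallKey>n3WeQLH6mfv6se98a/ZjtQJUwmA=</uninstallKey>` commits what appears to be the value that gates agent removal, which would undercut `isTamperResistOn` for every install built from this file. Ship it empty (`<uninstallKey/>`) and provision it per deployment outside the repository. The transport defaults are also cleartext: `<commServerPort>80</commServerPort>` with `<commServerIsHTTPS>0</commServerIsHTTPS>`, and the same pair for `appRemediationServer*`, so registration, settings queries and event bundles would travel over plain HTTP unless overridden at deployment. Default to `<commServerIsHTTPS>1</commServerIsHTTPS>` with the matching port. The visible start of ServerAgentConfig.xml carries the same port and HTTPS values.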
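--- a/DGAgentInstaller.exe
+++ b/DGAgentInstaller.exe
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:15c81c185ac63e39c93753813184fc197cb50fbbbceed3911d51e51b828932b7
+size 1001008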
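--- a/ServerAgentConfig.xml
+++ b/ServerAgentConfig.xml
@@ -0,0 +1,332 @@
+<?xml version="1.0"?>
+<configuration>
+<appSettings>
+<suppressLossStreamDialog pushDuringUpdate="1">1</suppressLossStreamDialog>
+<isInvisibleOn>1</isInvisibleOn>
+<isImmortalOn>1</isImmortalOn>
+<isTamperResistOn>1</isTamperResistOn>
+<isStealthOn>1</isStealthOn>
+<isUberStealthOn>0</isUberStealthOn>
+<enableClassification>1</enableClassification>
+<enableCDPTagProp>0</enableCDPTagProp>
+<enableDocProperties>0</enableDocProperties>
+<docpropsEventItemList>keywords</docpropsEventItemList>
+<cdpTagPropSelectorName>DG</cdpTagPropSelectorName>
+<useRuleFuncForCDPTagProp>0</useRuleFuncForCDPTagProp>
+<updateStreamDocPropsAfterCDPTagProp>0</updateStreamDocPropsAfterCDPTagProp>
+<alwaysReadClassificationStream>1</alwaysReadClassificationStream>
+<detectPathChangesForClassifiedFiles pushDuringUpdate="1">1</detectPathChangesForClassifiedFiles>
+<useLocalForRemoteOnFlyClassification pushDuringUpdate="1">1</useLocalForRemoteOnFlyClassification>
+<commServerName></commServerName>
+<commServerPort>80</commServerPort>
+<commServerIsHTTPS>0</commServerIsHTTPS>
+<commServicesPage>/DGCOMM/services.aspx</commServicesPage>
+<commBundlePage>/DGCOMM/receiveBundle.aspx</commBundlePage>
+<commClientAuthFlags>0</commClientAuthFlags>
+<httpProxySupportLevel pushDuringUpdate="1">0</httpProxySupportLevel>
+<httpProxySupportFlags pushDuringUpdate="1">0</httpProxySupportFlags>
+<httpProxyServerName pushDuringUpdate="1"></httpProxyServerName>
+<httpProxyServerPort pushDuringUpdate="1"></httpProxyServerPort>
+<installDir>C:\Program Files\DGAgent</installDir>
+<logPath>C:\Program Files\DGAgent\dg.log</logPath>
+<logLevel>1</logLevel>
+<isDebugTraceOn>0</isDebugTraceOn>
+<useLegacyLogging>1</useLegacyLogging>
+<advancedAlertThrottling>1</advancedAlertThrottling>
+<alertThrottleTimeoutinSec>60</alertThrottleTimeoutinSec>
+<responseCacheTimeoutInSec pushDuringUpdate="1">30</responseCacheTimeoutInSec>
+<onlyRecordProcessWithEvents>0</onlyRecordProcessWithEvents>
+<activityLogging>1,2,3,5,7,11,12,17,18,21,22,23,24,28,36,42,43,44,45,61</activityLogging>
+<activityAlertThrottling>4,7,15,16</activityAlertThrottling>
+<eventsPerBundle>1000</eventsPerBundle>
+<postBundlesMS>1800000</postBundlesMS>
+<interBundleWaitMS>5000</interBundleWaitMS>
+<maxBundlesToPost>100</maxBundlesToPost>
+<createBundlesMS>900000</createBundlesMS>
+<queryForSettingsMS>1800000</queryForSettingsMS>
+<registrationMS>900000</registrationMS>
+<maxCommFailuresBeforeReregister pushDuringUpdate="1">24</maxCommFailuresBeforeReregister>
+<registrationTriesBeforeIncreasingBackoff pushDuringUpdate="1">5</registrationTriesBeforeIncreasingBackoff>
+<registrationBackoffMS_MAX pushDuringUpdate="1">3600000</registrationBackoffMS_MAX>
+<registerOnIpChange pushDuringUpdate="1">0</registerOnIpChange>
+<uninstallKey>n3WeQLH6mfv6se98a/ZjtQJUwmA=</uninstallKey>
+<certificateHash/>
+<certificateGuid/>
+<agentCertificateGuid/>
+<signature/>
+<treatUnkownDnsHostStatusAsAvailable pushDuringUpdate="1">0</treatUnkownDnsHostStatusAsAvailable>
+<refreshDnsHostInfoTimeoutinSec pushDuringUpdate="1">120</refreshDnsHostInfoTimeoutinSec>
+<updateNetworkPropertiesTimeoutinSec pushDuringUpdate="1">60</updateNetworkPropertiesTimeoutinSec>
+<delayQueryNetworkPropertiesInSec pushDuringUpdate="1">2</delayQueryNetworkPropertiesInSec>
+<isFirstRun>1</isFirstRun>
+<isUpdatePending>0</isUpdatePending>
+<bootTime>0</bootTime>
+<lastUpdatePkgDtTm>0</lastUpdatePkgDtTm>
+<appRemediationLicense>0</appRemediationLicense>
+<appRemediationEventsPerBundle>100</appRemediationEventsPerBundle>
+<appRemediationCommBundlePage>/REMEDDGCOMM/ReceiveBundle.aspx</appRemediationCommBundlePage>
+<appRemediationServerName></appRemediationServerName>
+<appRemediationServerPort>80</appRemediationServerPort>
+<appRemediationServerIsHTTPS>0</appRemediationServerIsHTTPS>
+<appRemediationActivityLogging>25,26</appRemediationActivityLogging>
+<appRemediationEnableScreenCI>0</appRemediationEnableScreenCI>
+<appRemediationEnableDynamicMasking>0</appRemediationEnableDynamicMasking>
+<appRemediationDisableMask>2</appRemediationDisableMask>
+<isSubclassOn>0</isSubclassOn>
+<enableURLtoIPTranslations>0</enableURLtoIPTranslations>
+<minimumDiskSpaceRequirement>600</minimumDiskSpaceRequirement>
+<minimumAlertsDiskSpaceRequirement>150</minimumAlertsDiskSpaceRequirement>
+<fileReadFlushTimeoutMS>60000</fileReadFlushTimeoutMS>
+<gfileLingerSeconds>120</gfileLingerSeconds>
+<cdWriteFlushTimeoutMS>60000</cdWriteFlushTimeoutMS>
+<userOpFlushTimeoutMS>60000</userOpFlushTimeoutMS>
+<appDataExchangeFlushTimeoutMS>60000</appDataExchangeFlushTimeoutMS>
+<processCacheFlushTimeoutMS>60000</processCacheFlushTimeoutMS>
+<regmonFlushTimeoutMS>60000</regmonFlushTimeoutMS>
+<commSendTimeoutMS>120000</commSendTimeoutMS>
+<commRecvTimeoutMS>120000</commRecvTimeoutMS>
+<maxEntriesPerProcess pushDuringUpdate="1">25</maxEntriesPerProcess>
+<processCacheHashBits>8</processCacheHashBits>
+<fileobjCacheHashBits>7</fileobjCacheHashBits>
+<tdiCacheHashBits>8</tdiCacheHashBits>
+<stringCacheHashBits>12</stringCacheHashBits>
+<psidCacheHashBits>12</psidCacheHashBits>
+<tsidCacheHashBits>10</tsidCacheHashBits>
+<threadCacheHashBits>12</threadCacheHashBits>
+<gfileCacheHashBits pushDuringUpdate="1">6</gfileCacheHashBits>
+<applyControlRuleBuildCLObj pushDuringUpdate="1">0</applyControlRuleBuildCLObj>
+<dctmTimeoutMS pushDuringUpdate="1">3000</dctmTimeoutMS>
+<disableImplicitFilteringForSourceDriveTypes>remote</disableImplicitFilteringForSourceDriveTypes>
+<disableImplicitFilteringForDestinationDriveTypes>unknown,no root dir,removable,remote,cd,ramdisk,screen,url</disableImplicitFilteringForDestinationDriveTypes>
+<disableImplicitFilteringIfSourceMatchesDestinationDriveTypes></disableImplicitFilteringIfSourceMatchesDestinationDriveTypes>
+<dgfsmonBypassHigh pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_agentbypasshigh" regType="DWOR">0</dgfsmonBypassHigh>
+<dgfsmonBypassLow pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_agentbypasslow" regType="DWOR">0</dgfsmonBypassLow>
+<dgfsmonCiCl pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enable_cicl" regType="DWOR">5</dgfsmonCiCl>
+<dgfsmonenableonflyclassifcation pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enableonflyclassifcation" regType="DWOR">1</dgfsmonenableonflyclassifcation>
+<dgfsmonenableclifunknowndrivetypes pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_enable_clif_unknown_drivetypes" regType="DWOR">1</dgfsmonenableclifunknowndrivetypes>
+<dgfsmondisablestreamstealth pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_disableStreamStealth" regType="DWOR">0</dgfsmondisablestreamstealth>
+<dgfsmonTaggingIgnoreList pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_taggingIgnoreList" regType="STRI">winword8.doc excel9.xls mspub.pub pwrpnt11.pot normal.dot opa11.bak</dgfsmonTaggingIgnoreList>
+<dgfsmonDpExtensionList pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_dpextensionsList" regType="STRI">pdf, vsd, ppt, zip, rtf, txt, pub, doc, dot, docx, docm, dotm, dotx, xls, xla, xlt, xlsx, xltx, xlsm, xlsb, xltm, xlam, pot, pps, ppa, pptx, potx, potm, ppts, ppsm, ppam, mpp, mpt, vst, pptm, ppsx, vsdx, vss</dgfsmonDpExtensionList>
+<dgfsmonMaxFileSizeOnFlyClassification pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_maxfilesize_onflyclassification" regType="DWOR">10240</dgfsmonMaxFileSizeOnFlyClassification>
+<dgfsmonDoClassifyModTimeInterval pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGFSMon" regName="dgfsmon_do_classify_mod_time_milliseconds" regType="DWOR">100</dgfsmonDoClassifyModTimeInterval>
+<dgmasterDisableImplicitFiltering pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_disableImplicitFiltering" regType="DWOR">0</dgmasterDisableImplicitFiltering>
+<dgmastereSataOverRide pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_eSataOverRide" regType="DWOR">0</dgmastereSataOverRide>
+<dgmasterDisableImplicitFilteringFileOpen pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_disableImplicitFilteringFileOpen" regType="DWOR">0</dgmasterDisableImplicitFilteringFileOpen>
+<dgmasterMaxFileHistory pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="g_config_MaxFileHistory" regType="DWOR">100</dgmasterMaxFileHistory>
+<dgmasterHookCDROM pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="hookCDROM" regType="DWOR">1</dgmasterHookCDROM>
+<dgtdimonAgentDirectTCP pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters\DGTDIMon" regName="AgentDirectTCP" regType="DWOR">0</dgtdimonAgentDirectTCP>
+<dgrootDisableRecursiveBSOD pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGRoot\Parameters" regName="disableRecursiveBSOD" regType="DWOR">1</dgrootDisableRecursiveBSOD>
+<dgmasterDisableRecursiveBSOD pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="disableRecursiveBSOD" regType="DWOR">1</dgmasterDisableRecursiveBSOD>
+<dgmasterSupportedGINA pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="supportedGINA" regType="STRI">msgina.dll,msgina,ctxgina.dll,nwgina.dll,sbgina.dll</dgmasterSupportedGINA>
+<dgrootEnableCorruptionDetection pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGRoot\Parameters" regName="EnableCorruptionDetection" regType="DWOR">0</dgrootEnableCorruptionDetection>
+<dgmasterEnableCorruptionDetection pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="EnableCorruptionDetection" regType="DWOR">0</dgmasterEnableCorruptionDetection>
+<dgmasterMaxPreFifoEventsToRecord pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="maxPreFifoEventsToRecord" regType="DWOR">1000</dgmasterMaxPreFifoEventsToRecord>
+<dgmasterMaxBufManagerAllocation pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="bufmgr_max_allocation" regType="DWOR">251658240</dgmasterMaxBufManagerAllocation>
+<dgmasterExtensionsForTagsInCDP pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGMaster\Parameters" regName="extensionsForTagsInCDP" regType="STRI">pdf,vsd,ppt,zip,rtf,txt,pub,doc,dot,docx,docm,dotm,dotx,xls,xla,xlt,xlsx,xltx,xlsm,xlsb,xltm,xlam,pot,pps,ppa,pptx,potx,potm,ppts,ppsm,ppam,mpp,mpt,vst,pptm,ppsx,vsdx,vss</dgmasterExtensionsForTagsInCDP>
+<restrictShares pushDuringUpdate="1">0</restrictShares>
+<restrictSharesMsg pushDuringUpdate="1">Shares with EVERYONE access are not allowed by the company.</restrictSharesMsg>
+<eventStreamInfo>1</eventStreamInfo>
+<fileStateStreamInfo>1</fileStateStreamInfo>
+<scannerStreamInfo>1</scannerStreamInfo>
+<classifyFileOnNetworkShare>0</classifyFileOnNetworkShare>
+<sendMailEventLevel>0</sendMailEventLevel>
+<sendMailIncludeSubject>1</sendMailIncludeSubject>
+<sendMailExpandNetworkGroups>1</sendMailExpandNetworkGroups>
+<sendMailBlockSendifGroupExpansionFails>0</sendMailBlockSendifGroupExpansionFails>
+<sendMailExpandedNetworkGroupTimeoutMinutes>60</sendMailExpandedNetworkGroupTimeoutMinutes>
+<sendMailSuppressOutlookSendUnencryptedButton>0</sendMailSuppressOutlookSendUnencryptedButton>
+<sendMailDGxheaderControl>2</sendMailDGxheaderControl>
+<dgxheaderOn>0</dgxheaderOn>
+<bypassDGKillSignatureVerification>0</bypassDGKillSignatureVerification>
+<eventCacheEnable>0</eventCacheEnable>
+<eventCacheLimit>20000</eventCacheLimit>
+<eventCacheExpirationSeconds>300</eventCacheExpirationSeconds>
+<enableWinHttpAndSPDYHooks>0</enableWinHttpAndSPDYHooks>
+<!-- DG Browser Plugins -->
+<!-- disabledBrowserPlugins is comma delimited
+Enable all = 0 FireFox = 1 Chrome = 2 -->
+<disabledBrowserPlugins>0</disabledBrowserPlugins>
+<!-- eg. <chromeExtensionInstallForcelist>icgdohkgjiligeccmcbeehemjofhdned;https://clients2.google.com/service/update2/crx</chromeExtensionInstallForcelist> -->
+<chromeExtensionInstallForcelist></chromeExtensionInstallForcelist>
+<!-- chromePolicies uses JSON -->
+<!-- eg. {"IncognitoModeAvailability":1,"DeveloperToolsDisabled":1,"URLBlacklist":{"1":"cnn.com","2":"example1.com","3":"example1.com"},"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}} -->
+<chromePolicies>{"IncognitoModeAvailability":1,"DeveloperToolsDisabled":1}</chromePolicies>
+<!-- eg. {"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}} -->
+<!-- <fireFoxPolicies>{"DGExtUrlFilter":{"0":"dyndns.org:8000","1":"supportvcenter.support.local:9443"}}</fireFoxPolicies> -->
+<!-- classification -->
+<dgclassifyIgnoreProcessAsyncWriteFlag>1</dgclassifyIgnoreProcessAsyncWriteFlag>
+<!-- features -->
+<featureAME>0</featureAME>
+<featureAFE>0</featureAFE>
+<featureCOT>0</featureCOT>
+<featureACI>1</featureACI>
+<featureTVA>0</featureTVA>
+<featureBBS>0</featureBBS>
+<featureDOC>0</featureDOC>
+<featureBJUC>0</featureBJUC>
+<featureBJUCI>0</featureBJUCI>
+<ucPolicy></ucPolicy>
+<bjuciPartnerID>12</bjuciPartnerID>
+<bjuciUpdateCacheTimeoutMS>360000</bjuciUpdateCacheTimeoutMS>
+<bjucEnableRefreshConfiguration>1</bjucEnableRefreshConfiguration>
+<!-- MIP -->
+<mipPartnerId>15</mipPartnerId>
+<!-- ame -->
+<ameGetSessionKeyIntervalSec>43200</ameGetSessionKeyIntervalSec>
+<ameBlindCopyAddress></ameBlindCopyAddress>
+<ameSendShadowCopyCriteria>0</ameSendShadowCopyCriteria>
+<ameSendShadowCopyWhenBlockedMail>1</ameSendShadowCopyWhenBlockedMail>
+<ameSendPasswordViaEmail>1</ameSendPasswordViaEmail>
+<ameProcessMailBody pushDuringUpdate="1">1</ameProcessMailBody>
+<ameEncryptMailBody>0</ameEncryptMailBody>
+<ameSingleZip>0</ameSingleZip>
+<ameSecureWholeEmailOnAnyItemSecured>0</ameSecureWholeEmailOnAnyItemSecured>
+<amePasswordDeliveryMethod>0</amePasswordDeliveryMethod>
+<amePasswordDisplayType>1</amePasswordDisplayType>
+<ameEncryptMailAttachments>1</ameEncryptMailAttachments>
+<!-- bbs -->
+<bbsGetSessionKeyIntervalSec>43200</bbsGetSessionKeyIntervalSec>
+<bbsSendPasswordViaEmail>1</bbsSendPasswordViaEmail>
+<bbsPasswordDisplayType>1</bbsPasswordDisplayType>
+<bbsEnableDecryption>1</bbsEnableDecryption>
+<!-- doc -->
+<docAciProcessDestForContent>0</docAciProcessDestForContent>
+<!-- cot -->
+<cotProtectedServerListUpdateIntervalSec>604800</cotProtectedServerListUpdateIntervalSec>
+<cotProtectedServerListExpirationIntervalSec>172800</cotProtectedServerListExpirationIntervalSec>
+<!-- tva -->
+<tvaClientListDefault>1</tvaClientListDefault>
+<tvaRepeatTokenInterval>10000</tvaRepeatTokenInterval>
+<tvaReplayChecking>0</tvaReplayChecking>
+<!-- afe -->
+<afe-getSessionKeyIntervalSec>43200</afe-getSessionKeyIntervalSec>
+<afe-markFileEncrypted>1</afe-markFileEncrypted>
+<afe-reportNTFSName>1</afe-reportNTFSName>
+<afe-keyCacheTimeout>60</afe-keyCacheTimeout>
+<afe-persistSessionKeys>1</afe-persistSessionKeys>
+<afe-enableWholeDiskEncryption>0</afe-enableWholeDiskEncryption>
+<samEncryptionEnabled>0</samEncryptionEnabled>
+<afe-contextMenuEnabled pushDuringUpdate="1">0</afe-contextMenuEnabled>
+<afe-Attach_IgnoreNetHosts>tsclient</afe-Attach_IgnoreNetHosts>
+<!-- scanner -->
+<scanFixedDrives>0</scanFixedDrives>
+<scanMappedNetworkDrives>0</scanMappedNetworkDrives>
+<scanRemovableDrives>0</scanRemovableDrives>
+<scanRunOnInstall>0</scanRunOnInstall>
+<scanStartTime>0100</scanStartTime>
+<scanEndTime>0500</scanEndTime>
+<scanPeriodicTimeoutHours>65535</scanPeriodicTimeoutHours>
+<scanPeriodicPriority>0</scanPeriodicPriority>
+<scanScheduledPriority>2</scanScheduledPriority>
+<scanDaysOfWeek></scanDaysOfWeek>
+<!-- doc properties -->
+<docpropsProcessSrcFileForContent>1</docpropsProcessSrcFileForContent>
+<docpropsProcessDestFileForContent>1</docpropsProcessDestFileForContent>
+<docpropsCodePage pushDuringUpdate="1">0</docpropsCodePage>
+<dgapiCodePage pushDuringUpdate="1">0</dgapiCodePage>
+<!-- above 2 represents CP_ACP 65001 gets CP_UTF8 -->
+<!-- aci -->
+<aciVerifyEntities pushDuringUpdate="1">1</aciVerifyEntities>
+<aciVerifyModuleName pushDuringUpdate="1">dgcivrfy.dll</aciVerifyModuleName>
+<aciThreadPoolSize pushDuringUpdate="1">4,6,10,12</aciThreadPoolSize>
+<aciCreateHeaderOnlyIfClassified pushDuringUpdate="1">0</aciCreateHeaderOnlyIfClassified>
+<aciMaxFilesPerHDGCI pushDuringUpdate="1">50</aciMaxFilesPerHDGCI>
+<aciLogEntityScores pushDuringUpdate="1">0</aciLogEntityScores>
+<aciTangibleCharacters pushDuringUpdate="1"></aciTangibleCharacters>
+<aciMaxSecondsPerFile>10</aciMaxSecondsPerFile>
+<aciScannerMaxSecondsPerFile pushDuringUpdate="1">0</aciScannerMaxSecondsPerFile>
+<aciEnableCaseSensitivity pushDuringUpdate="1">1</aciEnableCaseSensitivity>
+<aciAppendedText pushDuringUpdate="1">\t\tThis is the end of the line.\r\nThis is the end of the file.</aciAppendedText>
+<aciMaxMatchLength>0</aciMaxMatchLength>
+<aciMatchWholeWord>1</aciMatchWholeWord>
+<aciAllowOverlap>0</aciAllowOverlap>
+<aciAllowMultipleResults>0</aciAllowMultipleResults>
+<aciEnableComponents>1</aciEnableComponents>
+<aciIdolConnTimeoutMs>5000</aciIdolConnTimeoutMs>
+<aciEnableSoftHyphenFiltering>1</aciEnableSoftHyphenFiltering>
+<aciEnableUniqueMatches>0</aciEnableUniqueMatches>
+<aciProcessDestFileForContent>1</aciProcessDestFileForContent>
+<aciMaxIdxTempFilesToDeletePerBatch>100</aciMaxIdxTempFilesToDeletePerBatch>
+<!-- When changing either aciEngineType or aciEngineModule manually, BOTH must be synchronized. -->
+<!-- aciEngineType == 0 == aciEngineModule == DGCI2.DLL -->
+<!-- aciEngineType == 1 == aciEngineModule == DGCI_ATTIVIO.DLL -->
+<aciEngineType>0</aciEngineType>
+<aciEngineModule regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGScan\Parameters" regName="aciModuleName" regType="STRI">DGCI2.DLL</aciEngineModule>
+<!-- Note: for ADI "0" means ZERO, i.e., return ZERO matches -->
+<aciEntityStopCount>100</aciEntityStopCount>
+<aciMaxTaggedEntities pushDuringUpdate="1">1000</aciMaxTaggedEntities>
+<aciEngineMaxBytesToProcess>10485760</aciEngineMaxBytesToProcess>
+<aciFileReadDelayIntervalMS pushDuringUpdate="1">0</aciFileReadDelayIntervalMS>
+<aciScannerFileReadDelayIntervalMS pushDuringUpdate="1">0</aciScannerFileReadDelayIntervalMS>
+<aciScannerExtractEntitySleepIntervalMS pushDuringUpdate="1" regHive="HKLM" regKey="SYSTEM\CurrentControlSet\Services\DGScan\Parameters" regName="aciScannerExtractEntitySleepIntervalMS" regType="DWOR">0</aciScannerExtractEntitySleepIntervalMS>
+<contentInspectionConfigFile pushDuringUpdate="1">ciconfig.xml</contentInspectionConfigFile>
+<aciEngineParameters32 pushDuringUpdate="1">dginspect.exe -J-Xmx100m -J-XX:MaxPermSize=30m -J-XX:ReservedCodeCacheSize=5m -J-XX:MinHeapFreeRatio=5 -J-XX:MaxHeapFreeRatio=10 -J-Xrs -cmd start verdasys-base.xml verdasys.xml</aciEngineParameters32>
+<aciEngineParameters64 pushDuringUpdate="1">dginspect.exe -J-Xmx160m -J-XX:MaxPermSize=60m -J-XX:ReservedCodeCacheSize=5m -J-XX:MinHeapFreeRatio=5 -J-XX:MaxHeapFreeRatio=10 -J-Xrs -cmd start verdasys-base.xml verdasys.xml</aciEngineParameters64>
+<aciEngineDeleteLogsAfterDays pushDuringUpdate="1">7</aciEngineDeleteLogsAfterDays>
+<!-- When this is set to true this makes every stage in the workflow single instanced and reused. When it is set to false, there can be multiple instances of stage. NOTE: this will use more memory when set to false. The default is true. -->
+<aciEngineAllComponentsThreadSafe pushDuringUpdate="1">true</aciEngineAllComponentsThreadSafe>
+<!-- This determines how many instances of stages in the workflow will be created. Set the above property to false and this to a number greater than 1 to have multiple advte instances. The default is 1. -->
+<aciEnginePerformanceDefaultInstances pushDuringUpdate="1">1</aciEnginePerformanceDefaultInstances>
+<!-- This determines how many web reqeusts can be processed at the same time. When all threads used up subsequent requests will queue up. The default is 1. -->
+<aciEngineNumThreads pushDuringUpdate="1">1</aciEngineNumThreads>
+<aciEngineMaxChunkSize pushDuringUpdate="1">131072</aciEngineMaxChunkSize>
+<!-- ipc -->
+<ipcMessageTimeout pushDuringUpdate="1">0</ipcMessageTimeout>
+<!-- QDB processor -->
+<qdbIpcSendChannelSize pushDuringUpdate="1">12288</qdbIpcSendChannelSize>
+<qdbIpcReceiveChannelSize pushDuringUpdate="1">12288</qdbIpcReceiveChannelSize>
+<qdbThreadPoolSize pushDuringUpdate="1">3,4,5,6</qdbThreadPoolSize>
+<dgLogMaxBackupLogs pushDuringUpdate="1">10</dgLogMaxBackupLogs>
+<dgLogMaxSizeInKB pushDuringUpdate="1">51200</dgLogMaxSizeInKB>
+<!-- START feature umco options -->
+<!-- umcoTagFilter => tells AME to filter out these unwanted tags retrieved from the email x-header -->
+<umcoTagFilter pushDuringUpdate="1"></umcoTagFilter>
+<!-- END feature umco options -->
+<!-- START Feature Status Manager -->
+<statusManagerSendIntervalMS>1800000</statusManagerSendIntervalMS>
+<statusManagerSendAllIntervalMS>86400000</statusManagerSendAllIntervalMS>
+<!-- END Feature Status Manager -->
+<getExpeditedDataMS>300000</getExpeditedDataMS>
+<classifyDestFilesAfterFolderMoveOnSameVolume>1</classifyDestFilesAfterFolderMoveOnSameVolume>
+<reportFilesAfterFolderMoveOnSameVolume>1</reportFilesAfterFolderMoveOnSameVolume>
+
+<componentListsEnvVarsToExpand>|windir|systemroot|systemdrive|programfiles|programfiles(x86)|</componentListsEnvVarsToExpand>
+<componentListsMaxAggregateCount>5000000</componentListsMaxAggregateCount>
+
+<!-- Cassini Web Inspection Proxy-->
+<wipDisable>0</wipDisable>
+<wipPort>3128</wipPort>
+<wipDebugLogLevel></wipDebugLogLevel>
+<wipSuppressBrowserCache>0</wipSuppressBrowserCache>
+<wipFsDriverEnable>0</wipFsDriverEnable>
+<!-- for pre-7.5 DGMC deployments -->
+<wipOneCrlUrl pushDuringUpdate="1">https://onecrl.msp.digitalguardian.com/onecrl/onecrl.json</wipOneCrlUrl>
+<!-- hidden configuration items-->
+<wipDebugPort pushDuringUpdate="1">0</wipDebugPort>
+<wipAgingPeriodInSeconds pushDuringUpdate="1">300</wipAgingPeriodInSeconds>
+<!-- Cassini Web Inspection Proxy-->
+
+<!-- Agent Cloud Communication -->
+<cloudCommsEnabled>0</cloudCommsEnabled>
+<maxBackoffInterval>6000000</maxBackoffInterval>
+<minBackoffInterval>300000</minBackoffInterval>
+<holdDownTime>300</holdDownTime>
+<!-- End Agent Cloud Communication-->
+
+<!-- ACI Sample Match-->
+<aciSampleMatchingEnabled>0</aciSampleMatchingEnabled>
+<aciSampleMatchNumOfCharsBefore>25</aciSampleMatchNumOfCharsBefore>
+<aciSampleMatchNumOfCharsAfter>25</aciSampleMatchNumOfCharsAfter>
+<aciSampleMatchNumOfAllEntities>100</aciSampleMatchNumOfAllEntities>
+<aciSampleMatchNumPerEntity>25</aciSampleMatchNumPerEntity>
+<!-- ACI Sample Match-->
+
+<agentRole>roleMed</agentRole>
+<!--=====AGENT ROLE DEFINITION BEGIN ======-->
+<roleDisabled defaultProcessFlags="SK+TR+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Disabled"></roleDisabled>
+<roleLow defaultProcessFlags="SK+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Low = SK+NI+NE+NC+ND+NH+NA+NB+NV+NP+NN"></roleLow>
+<roleMed defaultProcessFlags="NI+NH" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="Med = NI+NH"></roleMed>
+<roleHigh defaultProcessFlags="NH" driverDisableMaskAdjust="" defaultHookMask="" roleDisplayName="High = NH"></roleHigh>
+<!--=====AGENT ROLE DEFINITION END ======-->
+</appSettings>
+</configuration>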
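Review bot: The server defaults put agent-to-server traffic on plain HTTP: `<commServerPort>80</commServerPort>` with `<commServerIsHTTPS>0</commServerIsHTTPS>`, and the remediation channel repeats it with `<appRemediationServerIsHTTPS>0</appRemediationServerIsHTTPS>`. Bundles posted to `/DGCOMM/receiveBundle.aspx` and the settings the agent polls for would then be readable and alterable on the network path, so I would default both channels to TLS, e.g. `<commServerPort>443</commServerPort>` and `<commServerIsHTTPS>1</commServerIsHTTPS>`, assuming the server side is provisioned for it. Separately, `<uninstallKey>` carries a fixed value in a committed file; if that value gates agent removal (the name suggests so, but nothing here confirms it), it should be supplied per deployment rather than shared by every install built from this repository.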
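--- a/SubclassExclusionList.ini
+++ b/SubclassExclusionList.ini
@@ -0,0 +1,18 @@
+# SubclassExclusionList.ini
+#
+# This file contains the list of window classes that will not
+# be subclassed.
+# Each single entry exists on its own line with no punctuation at all.
+#
+# Comments may be added to the file by beginning the line with
+# a hash mark ('#'). The hash mark must be the first character
+# on the line. Comments may not be appended to an exclusion class line
+# itself.
+#
+# Blank lines may be included but, like comments, will be ignored at run time.
+
+# Following line allows a SUBCLASS trace to be enabled for xxxxx.exe
+# xxxxx.exe refers to an image name, which can be no longer than 15 chars
+
+TRACE_PROCESS:xxxxx.exe
+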
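--- a/dg-device-guard.xml
+++ b/dg-device-guard.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
+<VersionEx>10.0.0.0</VersionEx>
+<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
+<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
+<!--EKUS-->
+<EKUs />
+<!--File Rules-->
+<FileRules>
+<Allow ID="ID_ALLOW_A_1" FriendlyName="C:\Users\DG User\Desktop\Scripts\7za.exe Hash Sha1" Hash="DD63CC0C8A32F2E6BFD59CE307CC4853A1619EA6" />
+<Allow ID="ID_ALLOW_A_2" FriendlyName="C:\Users\DG User\Desktop\Scripts\7za.exe Hash Sha256" Hash="A2C5D4166ADE2FFF321A567FF222BAFF740CD13E1DA97FB74FE468C76C01C0F7" />
+<Allow ID="ID_ALLOW_A_3" FriendlyName="C:\Users\DG User\Desktop\Scripts\7za.exe Hash Page Sha1" Hash="B2B08F463E7697C5588A553FC0590B21A78C942C" />
+<Allow ID="ID_ALLOW_A_4" FriendlyName="C:\Users\DG User\Desktop\Scripts\7za.exe Hash Page Sha256" Hash="06EEFCC21A61E76208E0F4B701FE108453821D42A9F227DB4D1C9D132447EE06" />
+<Allow ID="ID_ALLOW_A_5" FriendlyName="C:\Users\DG User\Desktop\dgdiag\diag.vbs Hash Sha1" Hash="0C1671B432F2370441E4C41996B33C27E240329C" />
+<Allow ID="ID_ALLOW_A_6" FriendlyName="C:\Users\DG User\Desktop\dgdiag\diag.vbs Hash Sha256" Hash="9ABFB168B5579CA828BA08CAEC4B7C2522D34076EB18E67502EF10BAB8DEDD26" />
+</FileRules>
+<!--Signers-->
+<Signers>
+<Signer ID="ID_SIGNER_S_1" Name="Microsoft Code Signing PCA">
+<CertRoot Type="TBS" Value="7251ADC0F732CF409EE462E335BB99544F2DD40F" />
+</Signer>
+</Signers>
+<!--Driver Signing Scenarios-->
+<SigningScenarios>
+<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Auto generated policy on 03-01-2017">
+<ProductSigners />
+</SigningScenario>
+<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="Auto generated policy on 03-01-2017">
+<ProductSigners>
+<FileRulesRef>
+<FileRuleRef RuleID="ID_ALLOW_A_1" />
+<FileRuleRef RuleID="ID_ALLOW_A_2" />
+<FileRuleRef RuleID="ID_ALLOW_A_3" />
+<FileRuleRef RuleID="ID_ALLOW_A_4" />
+<FileRuleRef RuleID="ID_ALLOW_A_5" />
+<FileRuleRef RuleID="ID_ALLOW_A_6" />
+</FileRulesRef>
+<AllowedSigners>
+<AllowedSigner SignerId="ID_SIGNER_S_1" />
+</AllowedSigners>
+</ProductSigners>
+</SigningScenario>
+</SigningScenarios>
+<UpdatePolicySigners />
+<CiSigners>
+<CiSigner SignerId="ID_SIGNER_S_1" />
+</CiSigners>
+<HvciOptions>0</HvciOptions>
+</SiPolicy>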
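Review bot: The six `Allow` rules under `<FileRules>` trust `7za.exe` and `diag.vbs` by hash, and their `FriendlyName` values show the hashes were taken from copies under `C:\Users\DG User\Desktop\`, so the policy does not record which release of either file is being allowed. A hash rule is only as trustworthy as the copy it was computed from and stops matching once the file is updated, so I would check both files against a known-good build and add a comment above `<FileRules>` such as `<!-- Allows diagnostic tooling by hash; source and version: PLACEHOLDER; regenerate when either file changes -->`. The policy also declares no `<Rules>` option block and sets `<HvciOptions>0</HvciOptions>`; whether that is the intended enforcement posture is not visible here and is worth stating in the same comment.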
dirctrl.dat ADDED
@@ -0,0 +1,1031 @@
1
+ //=========================================================================
2
+ // FILE: DIRCTRL.DAT
3
+ // APPLIES TO: Windows
4
+ //
5
+ // This file has three sections used for controlling various aspects
6
+ // of DG with regards to directories.
7
+ //
8
+ // SECTION AFE
9
+ // -----------
10
+ // Each line consists of a directory specification, using DOS style
11
+ // wildcards (*,?), that will be excluded from the encryption engine.
12
+ //
13
+ // SECTION SCAN
14
+ // ------------
15
+ // Each line consists of a directory or directory pattern, using DOS style
16
+ // wildcards (*,?), that will be included or excluded from scanning.
17
+ // If no wildcard is used at the beginning of the directory then the directory
18
+ // should start with a UNC "\\" specifier or a drive letter.
19
+ //
20
+ // SECTION ACI
21
+ // -----------
22
+ // Eache line consists of a directory to exclude from ACI.
23
+ // (Currently no wildcards)
24
+ //
25
+ // All comments begin with '//', and blank lines and whitespace are
26
+ // ignored. Exception: whitespace within a directory name.
27
+ //
28
+ //(Version 9.3.0)
29
+ //=========================================================================
30
+ //
31
+
32
+
33
+ //=========================================================================
34
+ // AFE SECTION
35
+ //
36
+ // PATTERN EXPECTED PATH
37
+ //
38
+ // V16
39
+ // *PROGRA* C:\Program files\*
40
+ // *DOCUME*\APPLIC*; C:\Documents and Settings\ANY USER\APPLICATION DATA
41
+ // *DOCUME*\LOCAL* C:\Documents and Settings\ANY USER\Local Settings
42
+ // *DOCUME*\USERD* C:\Documents and Settings\ANY USER\USERDATA
43
+ // *DOCUME*\WINDO* C:\Documents and Settings\ANY USER\WINDOWS
44
+ // *DOCUME*\COOKIE* C:\Documents and Settings\ANY USER\COOKIES
45
+ // *DOCUME*\TEMPLA* C:\Documents and Settings\ANY USER\TEMPLATES
46
+ // *DOCUME*\NETWO* C:\Documents and Settings\NetworkService
47
+ // *DOCUME*\SENDTO* C:\Documents and Settings\ANY USER\SENDTO (avoid *.desklink, *.mapimail, *compressed folder*)
48
+ // *SYSTEM* C:\SYSTEM VOLUME INFORMATION\ (Used for SYSTEM RESTORE)
49
+ // C:\SYSTEM.SAV\ (HP Laptop)
50
+ // *INETPUB\* C:\INETPUB\ (used by IIS)
51
+ // *CONFIG.MS* C:\CONFIG.MSI (used by windows update)
52
+
53
+ // For specific customers
54
+
55
+ // For specific machines
56
+ // *DELL\* C:\DELL (when dell machine is used)
57
+ // *DRIVERS\* C:\DRIVERS (IBM Thinkpad drivers)
58
+ // *SWSHARE\* C:\SWSHARE (IBM Thinkpad)
59
+ // *SWSETUP\* C:\SWSETUP (HP laptop)
60
+ // *SYSTEM* C:\SYSTEM.SAV\ (HP Laptop)
61
+ // *IBMTOOLS\* C:\IBMTOOLS\
62
+
63
+ // FOR Specific apps
64
+ // *CL32V* C:\CL32V (when Novell Ver X is used)
65
+ // *DGAGENT* Agent Directory (Agent may be outside Program files)
66
+ // *MSOCAC* C:\MSOCACHE\
67
+ // *LOTUS\* C:\LOTUS\
68
+
69
+ // Filed based should be added to registry through PENDING_UPDATE
70
+ // *NTUSER.* C:\Documents and Settings\ANY USER\NTUSER.* and C:\Documents and Settings\NTUSER.DAT (file)
71
+ // *.??_ Files compressed using CAB
72
+ //
73
+ // *.EXE*;*.DLL*;*.SYS*;*.COM*;*.LNK*;*NTUSER*.*;*NTLDR*;*BOOT.INI*;*.??_
74
+ // *.UTX*;*.XTU*;*.INI*;*.JAR*;*.LSL*;*.FON*;*.DAT* All Lotus Notes file exclusions
75
+ //
76
+ // Full string:
77
+ // *.EXE*;*.DLL*;*.SYS*;*.COM*;*.LNK*;*.UTX*;*.XTU*;*.INI*;*.JAR*;*.LSL*;*.FON*;*.DAT*;*NTUSER*.*;*NTLDR*;*BOOT.INI*;*.??_
78
+ //
79
+
80
+ // Full string:
81
+ // *PROGRA*;*DOCUME*\APPLIC*;*DOCUME*\LOCAL*;*DOCUME*\USERDA*;*DOCUME*\WINDO*;*DOCUME*\COOKIE*;*DOCUME*\TEMPL*;*DOCUME*\NETWO*;*DOCUME*\SENDTO*;*INETPUB\*;*SYSTEM*;*CONFIG.MS*;*DELL\*;*DRIVERS\*;*SWSHARE\*;*SWSETUP\*;*IBMTOOLS\*;*DGAGENT\*;*CL32V*;*MSOCAC*;*LOTUS\*
82
+ //=========================================================================
83
+
84
+ //=========================================================================
85
+ // SECTION AFE IS USED ONLY BY PRE-5.2 AGENTS!
86
+ //=========================================================================
87
+ SECTION AFE:
88
+ *PROGRA*\*;*DOCUME*\APPLIC*\*;*DOCUME*\LOCAL*\*;*DOCUME*\USERDA*\*;*DOCUME*\WINDO*\*
89
+ *DOCUME*\COOKIE*\*;*DOCUME*\TEMPL*\*;*DOCUME*\NETWO*\*;*DOCUME*\SENDTO*\*
90
+ *INETPUB\*;*SYSTEM*\*;*CONFIG.MS*
91
+ *DELL\*;*DRIVERS\*;*SWSHARE\*;*SWSETUP\*;*IBMTOOLS\*
92
+ *DGAGENT\*;*CL32V*;*MSOCAC*\*;*LOTUS\*
93
+ *DOCUME*\ALL*\NTUSER*\*
94
+ <java home>
95
+ SECTION END:
96
+
97
+ //=========================================================================
98
+ // SCANNER SECTION - directories to include or exclude from scanning
99
+ //=========================================================================
100
+ SECTION ADJUST SCAN:
101
+ INCLUDE:
102
+ END:
103
+ EXCLUDE:
104
+ *.PST
105
+ *.PST.TMP
106
+ *.OST
107
+ END:
108
+ SECTION END:
109
+
110
+ //=========================================================================
111
+ // AFE Directory Exclusions - These directories will be ignored by AFE in NON-FDE mode
112
+ //=========================================================================
113
+ AFE DIR EXCLUSIONS:
114
+
115
+ // Entire System root is now excluded
116
+ %SystemRoot%\*
117
+
118
+ // Program files
119
+ ?:\PROGRA*\*;
120
+
121
+ <user profile>*\COOKIE*\*;
122
+ <user profile>*\TEMPL*\*;
123
+ <user profile>*\NETWO*\*;
124
+ <user profile>*\SENDTO*\*
125
+ <user profile>*\ALL*\NTUSER*\*
126
+
127
+ ?:\INETPUB\*;
128
+ ?:\*CONFIG.MS*
129
+ ?:\*DELL\*;
130
+ ?:\*SWSETUP\*;
131
+ ?:\*IBMTOOLS\*
132
+ ?:\*DGAGENT\*;
133
+ ?:\*CL32V*;
134
+ ?:\*MSOCAC*\*;
135
+ ?:\*LOTUS\*
136
+ ?:\SWSHARE\*
137
+
138
+ // Java directory
139
+ <java home>\*
140
+
141
+ // OPTIONAL - System Restore and System Drive-State functions temp files. Removal could
142
+ // cause performance issues. Highly recommend keeping.
143
+ ?:\System Volume Information\*
144
+ ?:\SYSTEM~1*\*
145
+
146
+ // OPTIONAL - Symantec AV working locations
147
+ ?:\Progra*\Symant*\*
148
+ ?:\Progra*\Common*\Symant*\*
149
+ %ALLUSERSPROFILE%\App*\Symant*\*
150
+
151
+ SECTION END:
152
+
153
+ //=========================================================================
154
+ // AFE File Exclusions - these files will not be encrypted in NON-FDE mode
155
+ //=========================================================================
156
+ AFE FILE EXCLUSIONS:
157
+ *.EXE;*.DLL;*.SYS;*.COM;*.LNK;*.UTX;*.XTU;*.INI;*.JAR;*.LSL;*.FON;*.DAT;
158
+
159
+ // REQUIRED Windows Boot sequence & Registry
160
+ %SystemDrive%\*NTUSER*.*;
161
+ %SystemDrive%\IO.SYS
162
+ %SystemDrive%\MSDOS.SYS
163
+ %SystemDrive%\boot.ini
164
+ %SystemDrive%\ntldr
165
+ %SystemDrive%\autoexec.bat
166
+ ?:\pagefile.sys
167
+ ?:\hiberfil.sys
168
+ ?:\*.??_
169
+
170
+
171
+ // REQUIRED Windows Recycle Bin
172
+ ?:\RECYCLE*\*\INFO2
173
+
174
+ // REQUIRED DG Agent temp files during uninstall via Add/Remove Programs
175
+ <user profile>\*\APPLIC*\*\DGAgen*.*
176
+ <user profile>\*\APPLIC*\{*\instance.dat
177
+
178
+ // REQUIRED - Windows New User Creation and Roaming Profile Temp Files
179
+ ?:\*\PRF*.tmp
180
+
181
+ // OPTIONAL - example to avoid PerfectDisk conflict
182
+ ?:\Perfec*\Perfec*.adm
183
+ ?:\Perfec*\PDHelpEN.chm
184
+ ?:\Perfec*\Config.ini
185
+ ?:\Perfec*\Upd.ini
186
+ ?:\Perfec*\PDAgen*.mof
187
+
188
+ // OPTIONAL - example to avoid IBM / Lenovo ThinkVantage and Biometric Fingerprint Scanner
189
+ %SystemDrive%\SWSHARE\sfr.log
190
+ %SystemDrive%\Progra*\*Fingerprint*\*.xml
191
+ %SystemDrive%\Progra*\*Fingerprint*\rsc\sheetcc.css
192
+
193
+ // OPTIONAL - PointSec Driver
194
+ %SystemDrive%\prot_ins.sys
195
+
196
+ SECTION END:
197
+
198
+ //=========================================================================
199
+ // AFE FDE DGCIPHER FOLDERS - where to copy dgcipher for cd burns if file is encrypted with password
200
+ //=========================================================================
201
+ AFE FDE DGCIPHER FOLDERS:
202
+ <user profile>\Desktop\CdBurn
203
+ %SystemDrive%\CdBurnTemp
204
+ SECTION END:
205
+
206
+ //=========================================================================
207
+ // AFE FDE SYSTEM KEY - these files will be encryped by a random key, which
208
+ // in turn will be encrypted by the SYSTEM KEY
209
+ // ALGORITHM:
210
+ // If a file/directory is not found in this ("SYSTEM KEY") section,
211
+ // including its "exception" subsection, then or "SESSION KEY" section
212
+ // is checked (exception entries are checked first then inlusion entries)
213
+ // If a file or a directory could not be found there either
214
+ // than "afe-DefaultKeyProtectionType" value of config.xml is used
215
+ // 0 is for SYSTEM KEY, and 1 is for SESSION KEY. If there is no such
216
+ // configuration value than SYSTEM KEY is used by default for FDE installation
217
+ // and SESSION KEY is used for AFE installation.
218
+ //
219
+ // For removable media, these path are not checked, SESSION KEY are always used
220
+ //=========================================================================
221
+ AFE FDE SYSTEM KEY:
222
+ %SystemRoot%\*
223
+ %ProgramFiles%\*
224
+ ?:\Progra~?\*
225
+ %SystemDrive%\autoexec.bat
226
+
227
+ //"c:\Documents and Settings\user\Application Data\Sun\Java\Deployment\deployment.properties"
228
+ ?:\DOCUME~?\*\deployment.properties
229
+
230
+ ?:\DOCUME~?\*\ntuser.ini
231
+ ?:\RRbackups\*
232
+ ?:\RRback~?\*
233
+ ?:\SWSHARE\*
234
+ <java home>\*
235
+ // everything in documents in settings except user data
236
+ ?:\DOCUME~?\*
237
+ ?:\Documents?and?Settings\*
238
+ // except my documents and desktop, which are encrypted with session key
239
+ -|<user profile>\My?Documents\*
240
+ -|<user profile>\Desktop\*
241
+ -|?:\DOCUME~?\*\MyDocu~?\*
242
+ -|?:\DOCUME~?\*\Desktop\*
243
+ SECTION END:
244
+
245
+ //=========================================================================
246
+ // AFE FDE SESSION KEY - these files will be encryped by a random key, which
247
+ // in turn will be encrypted by the SESSION KEY
248
+ //
249
+ // If, previously, a file/directory is not found "SYSTEM KEY" section,
250
+ // including its "exception" subsection, then or this ("SESSION KEY") section
251
+ // is checked (exception entries are checked first then inlusion entries).
252
+ // If a file or a directory could not be found here either
253
+ // than "afe-DefaultKeyProtectionType" value of config.xml is used
254
+ // 0 is for SYSTEM KEY, and 1 is for SESSION KEY. If there is no such
255
+ // configuration value than SYSTEM KEY is used by default for FDE installation
256
+ // and SESSION KEY is used for AFE installation.
257
+ //
258
+ // For removable media, these path are not checked, SESSION KEY are always used
259
+ //=========================================================================
260
+ AFE FDE SESSION KEY:
261
+ *.DOC;*.DOCX;*.RTF;*.XLS;*.XLSX;*.PPT;*.PPTX;*.OST;*.PST;*.PDF;
262
+ <user profile>\*
263
+ -|<user profile>\Local Settings\Temp\*
264
+ ?:\DOCUME~?\*
265
+ -|?:\DOCUME~?\*\LOCALS~1\Temp\*
266
+ ?:\*
267
+ -|%SystemRoot%\*
268
+ SECTION END:
269
+
270
+ //=========================================================================
271
+ // FDE Directory Exclusions - FDE does not exclude any directories
272
+ // except these SYMANTEC SEP related directories.
273
+ //=========================================================================
274
+ FDE DIR EXCLUSIONS:
275
+ // REQUIRED registry avoidance vs. extensionless registry files
276
+ %SystemRoot%\system32\config\*
277
+
278
+ // OPTIONAL - System Restore and System Drive-State functions temp files. Removal could
279
+ // cause performance issues. Highly recommend keeping.
280
+ ?:\System Volume Information\*
281
+ ?:\SYSTEM~1*\*
282
+
283
+ // OPTIONAL - Symantec AV working locations
284
+ ?:\Progra*\Symant*\*
285
+ ?:\Progra*\Common*\Symant*\*
286
+ %ALLUSERSPROFILE%\App*\Symant*\*
287
+ SECTION END:
288
+
289
+ //=========================================================================
290
+ // FDE File Exclusions - these files will not be encrypted in FDE mode
291
+ //=========================================================================
292
+ FDE FILE EXCLUSIONS:
293
+ // REQUIRED Windows Boot sequence & Registry
294
+ %SystemDrive%\IO.SYS
295
+ %SystemDrive%\MSDOS.SYS
296
+ %SystemDrive%\boot.ini
297
+ %SystemDrive%\ntldr
298
+ ?:\pagefile.sys
299
+ ?:\hiberfil.sys
300
+ %SystemRoot%\system32\hal.dll
301
+ %SystemRoot%\system32\ntoskrnl.exe
302
+ %SystemRoot%\system32\atiicdxx.dat
303
+ %SystemRoot%\security\logs\winlogon.log
304
+ %SystemRoot%\Regist*\*.crmlog
305
+ %SystemRoot%\inf\*.inf
306
+ %SystemRoot%\inf\*.pnf
307
+ %SystemRoot%\inf\*.adm
308
+ %SystemRoot%\inf\*.iem
309
+ %SystemRoot%\bootstat.dat
310
+
311
+ // REQUIRED Windows Boot sequence - User Profiles
312
+ %SystemRoot%\system32\Micros*\Protect\*\Prefer*
313
+ %SystemRoot%\system32\Micros*\Protect\*\User\Prefer*
314
+
315
+ // REQIURED Windows Product Activation
316
+ %SystemRoot%\system32\wpa.dbl
317
+ %SystemRoot%\system32\wpa.bak
318
+
319
+ // REQUIRED Windows Recycle Bin
320
+ ?:\RECYCLE*\*\INFO2
321
+
322
+ // REQUIRED DG Agent temp files during uninstall via Add/Remove Programs
323
+ ?:\DOCUME*\*\APPLIC*\*\DGAgen*.*
324
+ ?:\DOCUME*\*\APPLIC*\{*\instance.dat
325
+
326
+ // REQUIRED - Windows New User Creation and Roaming Profile Temp Files
327
+ ?:\*\PRF*.tmp
328
+
329
+ // OPTIONAL - example to permit Windows user-mode debugging
330
+ %SystemRoot%\debug\UserMode\userenv.log
331
+
332
+ // OPTIONAL - example to avoid PerfectDisk conflict
333
+ ?:\Perfec*\Perfec*.adm
334
+ ?:\Perfec*\PDHelpEN.chm
335
+ ?:\Perfec*\Config.ini
336
+ ?:\Perfec*\Upd.ini
337
+ ?:\Perfec*\PDAgen*.mof
338
+
339
+ // OPTIONAL - example to avoid IBM / Lenovo ThinkVantage and Biometric Fingerprint Scanner
340
+ %SystemDrive%\SWSHARE\sfr.log
341
+ %SystemDrive%\Progra*\*Fingerprint*\*.xml
342
+ %SystemDrive%\Progra*\*Fingerprint*\rsc\sheetcc.css
343
+
344
+ // OPTIONAL - PointSec Driver
345
+ %SystemDrive%\prot_ins.sys
346
+ SECTION END:
347
+
348
+ //=========================================================================
349
+ // ACI SECTION - old style for old agents who don't understand the new format
350
+ // specify directories where files are not classified
351
+ //=========================================================================
352
+ SECTION ACI:
353
+ c:\program files\common files\symantec shared
354
+ c:\program files\symantec
355
+ c:\program files\symantec client security
356
+ c:\program files\norton internet security
357
+ c:\windows
358
+ c:\winnt
359
+ C:\documents and settings\all users\application data\microsoft\crypto
360
+ c:\system volume information
361
+ c:\msocache
362
+ c:\config.msi
363
+ c:\inetpub
364
+
365
+ //Customer specific requirements
366
+ c:\drivers
367
+ SECTION END:
368
+
369
+ //=========================================================================
370
+ // ACI2 SECTION - new and improved version (5.3.1+)
371
+ // specify directories where files are not classified
372
+ //=========================================================================
373
+ SECTION ACI2:
374
+ %SystemDrive%\windows\*
375
+ %SystemDrive%\progra*\common*\symant*\*
376
+ %SystemDrive%\progra*\symant*\*
377
+ %SystemDrive%\progra*\norton*\*
378
+ %SystemDrive%\winnt\*
379
+ %SystemDrive%\docume*\all*\applic*\micros*\crypto\*
380
+ %SystemDrive%\system*\*
381
+ %SystemDrive%\msocache\*
382
+ %SystemDrive%\config.msi\*
383
+ %SystemDrive%\inetpub\*
384
+ %SystemDrive%\progra*\citrix\person*\logs\*
385
+ %SystemDrive%\progra*\citrix\pvsage*\*
386
+ %SystemDrive%\progra*\vmware\vmware*\*
387
+ %SystemDrive%\progra*\dgagent\readops\*
388
+ %SystemDrive%\progra*\malwarebytes endpoint agent\logs*
389
+
390
+ //Customer specific requirements
391
+ %SystemDrive%\drivers\*
392
+
393
+ // more filtering for IE
394
+ %SystemDrive%\users*\appdata\local\microsoft\windows\webcache\*.log
395
+ %SystemDrive%\users*\appdata\roaming\microsoft\windows\recent\customdestinations\*.tmp
396
+ %SystemDrive%\users*\appdata\roaming\microsoft\windows\recent\customdestinations\*-ms
397
+
398
+
399
+ // Windows 8 Apps special directories
400
+ <windows apps home>\*
401
+ <windows apps repository>\*
402
+
403
+
404
+ // Customer specific, filtering for AppSense desktop redirection with Office
405
+ \\mmfiles\*\appsense\*\*tmp
406
+
407
+ // Windows 10 Performance improvements
408
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\*.html
409
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\*.png
410
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\*.png
411
+ %SystemDrive%\Program Files (x86)\apple software update\softwareupdate.resources\software update.tiff
412
+ %SystemDrive%\Program Files (x86)\cisco systems\cisco jabber\*.xml
413
+ %SystemDrive%\Program Files (x86)\cisco systems\cisco jabber\avatars\*.svg
414
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxcrashhandler.exe
415
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdate.exe
416
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdatebroker.exe
417
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdatehelper.msi
418
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdateondemand.exe
419
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\goopdate.dll
420
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\goopdateres_*.dll
421
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\npdropboxupdate*.dll
422
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\psmachine.dll
423
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\psuser.dll
424
+ %SystemDrive%\Program Files (x86)\dropbox\update\install\{*}\dropboxupdatesetup_*.exe
425
+ %SystemDrive%\Program Files (x86)\dyn\updater\*.txt
426
+ %SystemDrive%\Program Files (x86)\dyn\updater\images\*.png
427
+ %SystemDrive%\Program Files\itunes\itunes.resources\missingartworkloading.png
428
+ %SystemDrive%\Program Files*\microsoft office\*.thmx
429
+ %SystemDrive%\Program Files\microsoft office\appxmanifest.xml
430
+ %SystemDrive%\Program Files\microsoft office\filesystemmetadata.xml
431
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.model.zip
432
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.utilities.controls.zip
433
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.utilities.zip
434
+ %SystemDrive%\Program Files\microsoft office\root\office16\ocomprivate.zip
435
+ %SystemDrive%\Program Files\microsoft office\root\office16\system.windows.controls.theming.toolkit.zip
436
+ %SystemDrive%\Program Files\microsoft office\updates\detection\*\versiondescriptor.xml
437
+ %SystemDrive%\users\*\appdata\local\microsoft\olk\cache\*
438
+ %SystemDrive%\users\*\appdata\local\microsoft\olk\ebwebview\*
439
+ %SystemDrive%\users\*\appdata\local\microsoft\olk\logs\*
440
+ %SystemDrive%\Program Files\windowsapps\microsoft.skypeapp*\skypeapp\assets\images\*.png
441
+ %SystemDrive%\ProgramData\{*}.zip
442
+ %SystemDrive%\ProgramData\apple computer\itunes\sc info\sc info.txt
443
+ %SystemDrive%\ProgramData\application data\dyn\updater\frontend.log
444
+ %SystemDrive%\ProgramData\application data\dyn\updater\frontend.log.*
445
+ %SystemDrive%\ProgramData\cisco\cisco anyconnect secure mobility client\*.xml
446
+ %SystemDrive%\ProgramData\cisco\cisco anyconnect secure mobility client\logs\updatehistory_*_log.txt
447
+ %SystemDrive%\programdata\dropbox\update\log\*
448
+ %SystemDrive%\ProgramData\dropbox\update\log\dropboxupdate.log-*
449
+ %SystemDrive%\ProgramData\dropbox\update\log\dropboxupdate.log-*-finished
450
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\deploymentconfiguration.xml
451
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\manifest.xml
452
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\userdeploymentconfiguration.xml
453
+ %SystemDrive%\ProgramData\microsoft\clicktorun\productreleases\*\en-us.16\masterdescriptor.en-us.xml
454
+ %SystemDrive%\ProgramData\microsoft\clicktorun\productreleases\*\x-none.16\masterdescriptor.x-none.xml
455
+ %SystemDrive%\ProgramData\microsoft\diagnosis\downloadedscenarios\windows.siuf.xml
456
+ %SystemDrive%\ProgramData\microsoft\office\heartbeat\heartbeatcache.xml
457
+ %SystemDrive%\ProgramData\microsoft\provisioning\*\masterdatastore.xml
458
+ %SystemDrive%\ProgramData\microsoft\provisioning\*\prov\runtime.xml
459
+ %SystemDrive%\ProgramData\microsoft\windows\power efficiency diagnostics\energy-report-*.xml
460
+ %SystemDrive%\ProgramData\microsoft\windows\power efficiency diagnostics\energy-report-latest.xml
461
+ %SystemDrive%\programdata\microsoft\windows\power efficiency diagnostics\energy-report*
462
+ %SystemDrive%\ProgramData\microsoft\windows\wer\reportqueue\*.txt
463
+ %SystemDrive%\ProgramData\microsoft\windows\wer\reportqueue\*.xml
464
+ %SystemDrive%\programdata\microsoft\windows\wer\reportqueue\*\report.wer
465
+ %SystemDrive%\programdata\microsoft\windows\wer\reportqueue\*\report.wer.tmp
466
+ %SystemDrive%\ProgramData\microsoft\windows\wer\temp\*.xml
467
+ %SystemDrive%\programdata\nvidia corporation\drs\update.bin
468
+ %SystemDrive%\ProgramData\nvidia corporation\shadowplay\capturecore.log
469
+ %SystemDrive%\ProgramData\nvidia corporation\shadowplay\capturecore.old
470
+ %SystemDrive%\ProgramData\sccomm\Logs\sccomm.txt
471
+ %SystemDrive%\ProgramData\sccomm\sccomm.txt
472
+ %SystemDrive%\ProgramData\vmware\*.txt
473
+ %SystemDrive%\Users\*\AppData\Local\{*}
474
+ %SystemDrive%\Users\*\AppData\Local\cisco\cisco anyconnect secure mobility client\preferences.xml
475
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\history\*\_db.key
476
+ %SystemDrive%\users\*\appdata\local\cisco\unified communications\jabber\csf\logs\jabber.log.*
477
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\photo cache\*.png
478
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\telemetry\*.txt
479
+ %SystemDrive%\users\*\appdata\local\google\chrome\user data\*
480
+ %SystemDrive%\Users\*\AppData\Local\microsoft\clr_v4.0\ngendisable.txt
481
+ %SystemDrive%\Users\*\AppData\Local\microsoft\internet explorer\urlblock\urlblock_*.bin
482
+ %SystemDrive%\Users\*\AppData\Local\microsoft\msoidentitycrl\production\fplist.xml
483
+ %SystemDrive%\Users\*\AppData\Local\microsoft\office\*\lync.exe_rules.xml
484
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.etl
485
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.etl.bak
486
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.uccapilog
487
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\msoia.exe_rules.xml
488
+ %SystemDrive%\Users\*\AppData\Local\microsoft\office\*\outlook.exe_rules.xml
489
+ %SystemDrive%\users\*\appdata\local\microsoft\onedrive\logs\*
490
+ %SystemDrive%\users\*\appdata\local\microsoft\onedrive\settings\*
491
+ %SystemDrive%\Users\*\AppData\Local\microsoft\onedrive\standaloneupdater\update.xml
492
+ %SystemDrive%\Users\*\AppData\Local\microsoft\onedrive\update\update.xml
493
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.nst.tmp
494
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.ost
495
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.ost.tmp
496
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*\autod.*.com.xml
497
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*autodiscover.xml
498
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\inferences*.xml
499
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\oab2.xml
500
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\oab3.xml
501
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\dropbox-desktop-client_*.png
502
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\flipboard-flipboard_*.jpg
503
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-explorer-notification--*.png
504
+ %SystemDrive%\users\*\appdata\local\microsoft\windows\actioncentercache\microsoft-explorer-notification*.png
505
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-office-outlook-exe-*.png
506
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-skypeapp_*-app_*.png
507
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\explorer\notifyicon\microsoft.explorer.notification.*.png
508
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*.htm
509
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*.jpg
510
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\compare_1_5_6_uni_dll1.zip
511
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist[*].xml
512
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist*.xml
513
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist1.xml
514
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\img_spacer1.png
515
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\jabber_logo1.png
516
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\pluginmanager_*.zip
517
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\plugins*.zip
518
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.htm
519
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.png
520
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.txt
521
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\notifications\wpnidm\*.jpg
522
+ %SystemDrive%\users\*\appdata\local\microsoft\windows\webcache\*
523
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\webcache\*.log
524
+ %SystemDrive%\Users\*\AppData\Local\microsoftedge\sharedcachecontainers\microsoftedge_iecompat\iecompatdata.xml
525
+ %SystemDrive%\Users\*\AppData\Local\nvidia corporation\shadowplay\capturecore.old
526
+ %SystemDrive%\users\*\appdata\local\nvidia\nvbackend\*
527
+ %SystemDrive%\Users\*\AppData\Local\nvidia\nvbackend\*.xml
528
+ %SystemDrive%\Users\*\AppData\Local\packages\*.dropbox_*\localstate\dbxdata.dat
529
+ %SystemDrive%\Users\*\AppData\Local\packages\*.dropbox_*\localstate\dbxdata.dat.bak
530
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\offlineinfo*
531
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\onlineinfo*
532
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\resumeinfo*
533
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.htm
534
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.jpg
535
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.png
536
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.txt
537
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\microsoft\internet explorer\domstore\*\*.xml
538
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\temp\*.tmp
539
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\localstate\*.xml
540
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\localstate\*.xml.~tmp
541
+ %SystemDrive%\Users\*\AppData\Local\packages\facebook.facebook_*\localstate\appdata\local\osmeta\_store_*\image_cache.v*\fbimagedownloader-*.jpg
542
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\ac\temp\*.tmp
543
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\localstate\*
544
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\localstate\*.tmp
545
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\ac\inetcache\*.jpg
546
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\ac\inetcache\*.png
547
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\localstate\*.xml
548
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\localstate\*.xml*.tmp
549
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.flv
550
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.htm
551
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.jpg
552
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.png
553
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.svg
554
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.svg
555
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.swf
556
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.txt
557
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.xml
558
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\microsoftedge\urlblock\urlblock_*.bin
559
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\temp\*.tmp
560
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.oneconnect_*\localstate\*
561
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\contactsonprimarytile.txt
562
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\contactsonprimarytile.txt.~tmp
563
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\diagoutputdir\peoplebackgroundtasklog.etl
564
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\diagoutputdir\peoplebackgroundtasklog.last.etl
565
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\tilethumbnails\primarytileimage_*.jpg
566
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\tilethumbnails\primarytileimage_*.jpgtemp
567
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\ac\temp\*.tmp
568
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\assets\*
569
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*
570
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*
571
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*.tmp
572
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\stagedassets\*
573
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\tips\*.xml
574
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\appcache\*.htm
575
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\nvidia corporation\shadowplay\capturecore.log
576
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\temp\*.tmp
577
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.cortana_*\localstate\*
578
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.cortana_*\tempstate\*
579
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\ac\nvidia corporation\shadowplay\capturecore.log
580
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\ac\nvidia corporation\shadowplay\capturecore.old
581
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\framenavigationservicestate.xml
582
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\photosapptile\tile*.jpg
583
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\timelineprefetchthumbnails.xml
584
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscalculator_*\ac\nvidia corporation\shadowplay\capturecore.log
585
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\nvidia corporation\shadowplay\capturecore.log
586
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\nvidia corporation\shadowplay\capturecore.old
587
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\temp\*.tmp
588
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\*.jpg
589
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.jpg
590
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.pdf
591
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.png
592
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\s0\*\image00*.png
593
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.jpg
594
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.pdf
595
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.png
596
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\content.mso\*.tmp
597
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\syncenginesnapshot.xml
598
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\syncenginesnapshotold.xml
599
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.htm
600
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.jpg
601
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.png
602
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\nvidia corporation\shadowplay\capturecore.log
603
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\nvidia corporation\shadowplay\capturecore.old
604
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\temp\*.tmp
605
+ %SystemDrive%\Users\*\AppData\Local\packages\*\LocalState\*
606
+ %SystemDrive%\Users\*\AppData\Local\publishers\*\fonts\fontcache\2\fontcachemetadata.xml
607
+ %SystemDrive%\users\*\appdata\local\temp\*
608
+ %SystemDrive%\Users\*\appdata\local\xo communications\worktime\*
609
+ %SystemDrive%\Users\*\AppData\Locallow\lastpass\debug.txt
610
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\itunes\cookies\cookies.binarycookies
611
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\itunes\cookies\cookies.binarycookies_tmp_*.dat
612
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\byhost\com.apple.itunes.{*}.plist
613
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\byhost\com.apple.itunes.{*}.plist.*
614
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\com.apple.itunes.plist
615
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\com.apple.itunes.plist.*
616
+ %SystemDrive%\users\*\appdata\roaming\cisco\unified communications\jabber\csf\config\*
617
+ %SystemDrive%\Users\*\AppData\roaming\microsoft\templates\livecontent\*.thmx
618
+ %SystemDrive%\users\*\appdata\roaming\microsoft\office\*\*\proofing\*.tmp
619
+ %SystemDrive%\users\*\appdata\roaming\microsoft\office\*\*\proofing\roamingcustom.dic
620
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\outlook\outlook.xml
621
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*.htm
622
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*\colorschememapping.xml
623
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*\themedata.thmx
624
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\~$rmalemail.dotm
625
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\~wrd*.tmp
626
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\normalemail.dotm
627
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\~ictures.tmp
628
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\~ocuments.tmp
629
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\documents.library-ms
630
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\documents.library-ms~*.tmp
631
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\pictures.library-ms
632
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\pictures.library-ms~*.tmp
633
+ %SystemDrive%\users\*\appdata\roaming\microsoft\windows\recent\customdestinations\*
634
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\config.xml
635
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\contextmenu.xml
636
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\langs.xml
637
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\plugins\config\pluginmanagerplugins.zip
638
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\session.xml
639
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\shortcuts.xml
640
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\stylers.xml
641
+ %SystemDrive%\Users\*\evernote\logs\applog_*.txt
642
+ %SystemDrive%\Users\*\music\itunes\*.tmp
643
+ %SystemDrive%\Users\*\music\itunes\it.tmp
644
+ %SystemDrive%\Users\*\music\itunes\itunes library.itl
645
+ %SystemDrive%\Users\*\music\itunes\temp*.tmp
646
+ %SystemDrive%\windows\inf\wmiaprpl\*
647
+ %SystemDrive%\windows\system32\perfstringbackup.tmp
648
+ %SystemDrive%\windows\system32\wbem\performance\*
649
+ %SystemDrive%\windows\temp\*.exe
650
+
651
+
652
+ SECTION END:
653
+
654
+ //=========================================================================
655
+ // DOCPROPS SECTION - specify directories where files are not docprops done
656
+ //=========================================================================
657
+ SECTION DOCPROPS:
658
+ %SystemDrive%\windows\*
659
+ %SystemDrive%\progra*\common*\symant*\*
660
+ %SystemDrive%\progra*\symant*\*
661
+ %SystemDrive%\progra*\norton*\*
662
+ %SystemDrive%\winnt\*
663
+ %SystemDrive%\docume*\all*\applic*\micros*\crypto\*
664
+ %SystemDrive%\system*\*
665
+ %SystemDrive%\msocache\*
666
+ %SystemDrive%\config.msi\*
667
+ %SystemDrive%\inetpub\*
668
+ %SystemDrive%\progra*\citrix\person*\logs\*
669
+ %SystemDrive%\progra*\citrix\pvsage*\*
670
+ %SystemDrive%\progra*\vmware\vmware*\*
671
+ %SystemDrive%\progra*\dgagent\readops\*
672
+
673
+ //Customer specific requirements
674
+ %SystemDrive%\drivers\*
675
+
676
+ // Windows 8 Apps special directories
677
+ <windows apps home>\*
678
+ <windows apps repository>\*
679
+
680
+ // Windows 10 Performance improvements
681
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\*.html
682
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\*.png
683
+ %SystemDrive%\Program Files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\aicuc\images\*.png
684
+ %SystemDrive%\Program Files (x86)\apple software update\softwareupdate.resources\software update.tiff
685
+ %SystemDrive%\Program Files (x86)\cisco systems\cisco jabber\*.xml
686
+ %SystemDrive%\Program Files (x86)\cisco systems\cisco jabber\avatars\*.svg
687
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxcrashhandler.exe
688
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdate.exe
689
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdatebroker.exe
690
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdatehelper.msi
691
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\dropboxupdateondemand.exe
692
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\goopdate.dll
693
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\goopdateres_*.dll
694
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\npdropboxupdate*.dll
695
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\psmachine.dll
696
+ %SystemDrive%\Program Files (x86)\dropbox\update\*\psuser.dll
697
+ %SystemDrive%\Program Files (x86)\dropbox\update\install\{*}\dropboxupdatesetup_*.exe
698
+ %SystemDrive%\Program Files (x86)\dyn\updater\*.txt
699
+ %SystemDrive%\Program Files (x86)\dyn\updater\images\*.png
700
+ %SystemDrive%\Program Files\itunes\itunes.resources\missingartworkloading.png
701
+ %SystemDrive%\Program Files*\microsoft office\*.thmx
702
+ %SystemDrive%\Program Files\microsoft office\appxmanifest.xml
703
+ %SystemDrive%\Program Files\microsoft office\filesystemmetadata.xml
704
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.model.zip
705
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.utilities.controls.zip
706
+ %SystemDrive%\Program Files\microsoft office\root\office16\microsoft.lync.utilities.zip
707
+ %SystemDrive%\Program Files\microsoft office\root\office16\ocomprivate.zip
708
+ %SystemDrive%\Program Files\microsoft office\root\office16\system.windows.controls.theming.toolkit.zip
709
+ %SystemDrive%\Program Files\microsoft office\updates\detection\*\versiondescriptor.xml
710
+ %SystemDrive%\Program Files\windowsapps\microsoft.skypeapp*\skypeapp\assets\images\*.png
711
+ %SystemDrive%\ProgramData\{*}.zip
712
+ %SystemDrive%\ProgramData\apple computer\itunes\sc info\sc info.txt
713
+ %SystemDrive%\ProgramData\application data\dyn\updater\frontend.log
714
+ %SystemDrive%\ProgramData\application data\dyn\updater\frontend.log.*
715
+ %SystemDrive%\ProgramData\cisco\cisco anyconnect secure mobility client\*.xml
716
+ %SystemDrive%\ProgramData\cisco\cisco anyconnect secure mobility client\logs\updatehistory_*_log.txt
717
+ %SystemDrive%\programdata\dropbox\update\log\*
718
+ %SystemDrive%\ProgramData\dropbox\update\log\dropboxupdate.log-*
719
+ %SystemDrive%\ProgramData\dropbox\update\log\dropboxupdate.log-*-finished
720
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\deploymentconfiguration.xml
721
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\manifest.xml
722
+ %SystemDrive%\ProgramData\microsoft\clicktorun\machinedata\catalog\packages\*\userdeploymentconfiguration.xml
723
+ %SystemDrive%\ProgramData\microsoft\clicktorun\productreleases\*\en-us.16\masterdescriptor.en-us.xml
724
+ %SystemDrive%\ProgramData\microsoft\clicktorun\productreleases\*\x-none.16\masterdescriptor.x-none.xml
725
+ %SystemDrive%\ProgramData\microsoft\diagnosis\downloadedscenarios\windows.siuf.xml
726
+ %SystemDrive%\ProgramData\microsoft\office\heartbeat\heartbeatcache.xml
727
+ %SystemDrive%\ProgramData\microsoft\provisioning\*\masterdatastore.xml
728
+ %SystemDrive%\ProgramData\microsoft\provisioning\*\prov\runtime.xml
729
+ %SystemDrive%\ProgramData\microsoft\windows\power efficiency diagnostics\energy-report-*.xml
730
+ %SystemDrive%\ProgramData\microsoft\windows\power efficiency diagnostics\energy-report-latest.xml
731
+ %SystemDrive%\programdata\microsoft\windows\power efficiency diagnostics\energy-report*
732
+ %SystemDrive%\ProgramData\microsoft\windows\wer\reportqueue\*.txt
733
+ %SystemDrive%\ProgramData\microsoft\windows\wer\reportqueue\*.xml
734
+ %SystemDrive%\programdata\microsoft\windows\wer\reportqueue\*\report.wer
735
+ %SystemDrive%\programdata\microsoft\windows\wer\reportqueue\*\report.wer.tmp
736
+ %SystemDrive%\ProgramData\microsoft\windows\wer\temp\*.xml
737
+ %SystemDrive%\programdata\nvidia corporation\drs\update.bin
738
+ %SystemDrive%\ProgramData\nvidia corporation\shadowplay\capturecore.log
739
+ %SystemDrive%\ProgramData\nvidia corporation\shadowplay\capturecore.old
740
+ %SystemDrive%\ProgramData\sccomm\Logs\sccomm.txt
741
+ %SystemDrive%\ProgramData\sccomm\sccomm.txt
742
+ %SystemDrive%\ProgramData\vmware\*.txt
743
+ %SystemDrive%\Users\*\AppData\Local\{*}
744
+ %SystemDrive%\Users\*\AppData\Local\cisco\cisco anyconnect secure mobility client\preferences.xml
745
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\history\*\_db.key
746
+ %SystemDrive%\users\*\appdata\local\cisco\unified communications\jabber\csf\logs\jabber.log.*
747
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\photo cache\*.png
748
+ %SystemDrive%\Users\*\AppData\Local\cisco\unified communications\jabber\csf\telemetry\*.txt
749
+ %SystemDrive%\users\*\appdata\local\google\chrome\user data\*
750
+ %SystemDrive%\Users\*\AppData\Local\microsoft\clr_v4.0\ngendisable.txt
751
+ %SystemDrive%\Users\*\AppData\Local\microsoft\internet explorer\urlblock\urlblock_*.bin
752
+ %SystemDrive%\Users\*\AppData\Local\microsoft\msoidentitycrl\production\fplist.xml
753
+ %SystemDrive%\Users\*\AppData\Local\microsoft\office\*\lync.exe_rules.xml
754
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.etl
755
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.etl.bak
756
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\lync\tracing\*.uccapilog
757
+ %SystemDrive%\users\*\appdata\local\microsoft\office\*\msoia.exe_rules.xml
758
+ %SystemDrive%\Users\*\AppData\Local\microsoft\office\*\outlook.exe_rules.xml
759
+ %SystemDrive%\users\*\appdata\local\microsoft\onedrive\logs\*
760
+ %SystemDrive%\users\*\appdata\local\microsoft\onedrive\settings\*
761
+ %SystemDrive%\Users\*\AppData\Local\microsoft\onedrive\standaloneupdater\update.xml
762
+ %SystemDrive%\Users\*\AppData\Local\microsoft\onedrive\update\update.xml
763
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.nst.tmp
764
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.ost
765
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*.com.ost.tmp
766
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*\autod.*.com.xml
767
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\*autodiscover.xml
768
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\inferences*.xml
769
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\oab2.xml
770
+ %SystemDrive%\Users\*\AppData\Local\microsoft\outlook\oab3.xml
771
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\dropbox-desktop-client_*.png
772
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\flipboard-flipboard_*.jpg
773
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-explorer-notification--*.png
774
+ %SystemDrive%\users\*\appdata\local\microsoft\windows\actioncentercache\microsoft-explorer-notification*.png
775
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-office-outlook-exe-*.png
776
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\actioncentercache\microsoft-skypeapp_*-app_*.png
777
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\explorer\notifyicon\microsoft.explorer.notification.*.png
778
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*.htm
779
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*.jpg
780
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\compare_1_5_6_uni_dll1.zip
781
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist[*].xml
782
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist*.xml
783
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\edgecompatviewlist1.xml
784
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\img_spacer1.png
785
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\jabber_logo1.png
786
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\pluginmanager_*.zip
787
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\ie\*\plugins*.zip
788
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.htm
789
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.png
790
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\inetcache\low\ie\*.txt
791
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\notifications\wpnidm\*.jpg
792
+ %SystemDrive%\users\*\appdata\local\microsoft\windows\webcache\*
793
+ %SystemDrive%\Users\*\AppData\Local\microsoft\windows\webcache\*.log
794
+ %SystemDrive%\Users\*\AppData\Local\microsoftedge\sharedcachecontainers\microsoftedge_iecompat\iecompatdata.xml
795
+ %SystemDrive%\Users\*\AppData\Local\nvidia corporation\shadowplay\capturecore.old
796
+ %SystemDrive%\users\*\appdata\local\nvidia\nvbackend\*
797
+ %SystemDrive%\Users\*\AppData\Local\nvidia\nvbackend\*.xml
798
+ %SystemDrive%\Users\*\AppData\Local\packages\*.dropbox_*\localstate\dbxdata.dat
799
+ %SystemDrive%\Users\*\AppData\Local\packages\*.dropbox_*\localstate\dbxdata.dat.bak
800
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\offlineinfo*
801
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\onlineinfo*
802
+ %SystemDrive%\users\*\appdata\local\packages\*.netflix_*\localstate\resumeinfo*
803
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.htm
804
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.jpg
805
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.png
806
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\inetcache\*\*.txt
807
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\microsoft\internet explorer\domstore\*\*.xml
808
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\ac\temp\*.tmp
809
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\localstate\*.xml
810
+ %SystemDrive%\Users\*\AppData\Local\packages\amazon.com.amazon_*\localstate\*.xml.~tmp
811
+ %SystemDrive%\Users\*\AppData\Local\packages\facebook.facebook_*\localstate\appdata\local\osmeta\_store_*\image_cache.v*\fbimagedownloader-*.jpg
812
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\ac\temp\*.tmp
813
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\localstate\*
814
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.aad.brokerplugin_*\localstate\*.tmp
815
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\ac\inetcache\*.jpg
816
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\ac\inetcache\*.png
817
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\localstate\*.xml
818
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.bingweather_*\localstate\*.xml*.tmp
819
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.flv
820
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.htm
821
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.jpg
822
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.png
823
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.svg
824
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.svg
825
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.swf
826
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.txt
827
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\*\microsoftedge\cache\*.xml
828
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\microsoftedge\urlblock\urlblock_*.bin
829
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.microsoftedge_*\ac\temp\*.tmp
830
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.oneconnect_*\localstate\*
831
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\contactsonprimarytile.txt
832
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\contactsonprimarytile.txt.~tmp
833
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\diagoutputdir\peoplebackgroundtasklog.etl
834
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\diagoutputdir\peoplebackgroundtasklog.last.etl
835
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\tilethumbnails\primarytileimage_*.jpg
836
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.people_*\localstate\tilethumbnails\primarytileimage_*.jpgtemp
837
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\ac\temp\*.tmp
838
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\assets\*
839
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*
840
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*
841
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\contentmanagementsdk\creatives\*.tmp
842
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\stagedassets\*
843
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.contentdeliverymanager_*\localstate\tips\*.xml
844
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\appcache\*.htm
845
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\nvidia corporation\shadowplay\capturecore.log
846
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.cortana_*\ac\temp\*.tmp
847
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.cortana_*\localstate\*
848
+ %SystemDrive%\users\*\appdata\local\packages\microsoft.windows.cortana_*\tempstate\*
849
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\ac\nvidia corporation\shadowplay\capturecore.log
850
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\ac\nvidia corporation\shadowplay\capturecore.old
851
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\framenavigationservicestate.xml
852
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\photosapptile\tile*.jpg
853
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windows.photos_*\localstate\timelineprefetchthumbnails.xml
854
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscalculator_*\ac\nvidia corporation\shadowplay\capturecore.log
855
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\nvidia corporation\shadowplay\capturecore.log
856
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\nvidia corporation\shadowplay\capturecore.old
857
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\ac\temp\*.tmp
858
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\*.jpg
859
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.jpg
860
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.pdf
861
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\*.png
862
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\files\s0\*\image00*.png
863
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.jpg
864
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.pdf
865
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\localstate\localfiles\*.png
866
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\content.mso\*.tmp
867
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\syncenginesnapshot.xml
868
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowscommunicationsapps_*\tempstate\syncenginesnapshotold.xml
869
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.htm
870
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.jpg
871
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\inetcache\*.png
872
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\nvidia corporation\shadowplay\capturecore.log
873
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\nvidia corporation\shadowplay\capturecore.old
874
+ %SystemDrive%\Users\*\AppData\Local\packages\microsoft.windowsstore_*\ac\temp\*.tmp
875
+ %SystemDrive%\Users\*\AppData\Local\publishers\*\fonts\fontcache\2\fontcachemetadata.xml
876
+ %SystemDrive%\users\*\appdata\local\temp\*
877
+ %SystemDrive%\Users\*\AppData\Locallow\lastpass\debug.txt
878
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\itunes\cookies\cookies.binarycookies
879
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\itunes\cookies\cookies.binarycookies_tmp_*.dat
880
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\byhost\com.apple.itunes.{*}.plist
881
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\byhost\com.apple.itunes.{*}.plist.*
882
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\com.apple.itunes.plist
883
+ %SystemDrive%\Users\*\AppData\Roaming\apple computer\preferences\com.apple.itunes.plist.*
884
+ %SystemDrive%\users\*\appdata\roaming\cisco\unified communications\jabber\csf\config\*
885
+ %SystemDrive%\Users\*\AppData\roaming\microsoft\templates\livecontent\*.thmx
886
+ %SystemDrive%\users\*\appdata\roaming\microsoft\office\*\*\proofing\*.tmp
887
+ %SystemDrive%\users\*\appdata\roaming\microsoft\office\*\*\proofing\roamingcustom.dic
888
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\outlook\outlook.xml
889
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*.htm
890
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*\colorschememapping.xml
891
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\signatures\*\themedata.thmx
892
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\~$rmalemail.dotm
893
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\~wrd*.tmp
894
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\templates\normalemail.dotm
895
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\~ictures.tmp
896
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\~ocuments.tmp
897
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\documents.library-ms
898
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\documents.library-ms~*.tmp
899
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\pictures.library-ms
900
+ %SystemDrive%\Users\*\AppData\Roaming\microsoft\windows\libraries\pictures.library-ms~*.tmp
901
+ %SystemDrive%\users\*\appdata\roaming\microsoft\windows\recent\customdestinations\*
902
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\config.xml
903
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\contextmenu.xml
904
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\langs.xml
905
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\plugins\config\pluginmanagerplugins.zip
906
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\session.xml
907
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\shortcuts.xml
908
+ %SystemDrive%\Users\*\AppData\Roaming\notepad++\stylers.xml
909
+ %SystemDrive%\Users\*\evernote\logs\applog_*.txt
910
+ %SystemDrive%\Users\*\music\itunes\*.tmp
911
+ %SystemDrive%\Users\*\music\itunes\it.tmp
912
+ %SystemDrive%\Users\*\music\itunes\itunes library.itl
913
+ %SystemDrive%\Users\*\music\itunes\temp*.tmp
914
+ %SystemDrive%\windows\inf\wmiaprpl\*
915
+ %SystemDrive%\windows\system32\perfstringbackup.tmp
916
+ %SystemDrive%\windows\system32\wbem\performance\*
917
+ %SystemDrive%\windows\temp\*.exe
918
+ %SystemDrive%\users\*\appdata\local\microsoft\edge\user data\*
919
+ SECTION END:
920
+
921
+ //=========================================================================
922
+ // AFE FDE NO REPARSE FILES -
923
+ // These are meant to suppress warning dialogs from firewalls
924
+ //=========================================================================
925
+ SECTION AFE FDE FILE NO REPARSE:
926
+
927
+ //Transactional NTFS and registry
928
+ // Legacy entries - not needed any more ...
929
+ //*\USERS\*\NTUSER*
930
+ //*\USERS\*\USRCLASS*
931
+ *\TxR\*
932
+
933
+ // OPTIONAL - Symantec AV
934
+ // *\PROGRA*\SYMANT*\*\*.exe
935
+ // *\PROGRA*\COMMON*\SYMANT*\*.exe
936
+ // *\PROG*\*\SRTSP*\*
937
+
938
+ // OPTIONAL - Symantec Tamper Protection
939
+ *\NOMADIC\DBENG8.EXE
940
+ *\SYSTEM32\SERVICES.EXE
941
+
942
+ // OPTIONAL - McAfee AV
943
+ *\PROGRA*\MCAFEE*\*
944
+
945
+ // OPTIONAL - VMWare Workstation and VMWare Player
946
+ *\VMWARE-AUTHD.exe
947
+
948
+ // OPTIONAL - Siebel DB client
949
+ *\sfadialer\SFADial.exe
950
+
951
+ // AME DGFS: without this AFE will decrypt temporary files
952
+ // that AME encrypted when replacing attachment
953
+ //*\09D849B6-32D3-4A40-85EE-6B84BA29E35B\msgs\*
954
+
955
+ // This is a fix for DGAGENT-1448, HP systems running out of stack space.
956
+ *\system32\atiok3*.dll
957
+
958
+ // This is a fix for DGAGENT-1893 Cannot launch start menu when AFE is enabled on Win8
959
+ // On start Explorer tries to open .lnk files in this directory with OpLocks
960
+ *\USERS\*\APPDATA\LOCAL\MICRO*\WINDOWS\WINX\*
961
+
962
+ // Fix For Universal Apps
963
+ *\USERS\*\APPDATA\LOCAL\PACKAGE?\*
964
+ *\WINDOWS\SYSTEM32\WWAHOST.EXE
965
+ *\WINDOWS\SYSTEM32\BYTECODEGENERATOR.EXE
966
+ *\WINDOWS\SYSTEM32\RUNTIMEBROKER.EXE
967
+ *\WINDOWS\SYSTEM32\BACKGROUNDTASKHOST.EXE
968
+ *\USERS\*\APPDATA\LOCAL\MICRO*\WINDOWS\APPLIC*\*
969
+ *\WINDOWS\WINSTOR*
970
+ *\PROG*\WINDOWSAPP*
971
+
972
+ //SA-24054: Fixed RS3 AFE compatibility issue.
973
+ *\WINDOWS\FONTS*
974
+
975
+ // Fix for DGAGENT-2893 (Sep12 RU3) and DGAGENT-3507 (Sep12 RU4) and future versions of
976
+ // Symantec Endpoint Protection Client Installations
977
+ *\SYMANT*12.1.*
978
+ *\PROGRA*\SYMANT*\SYMANT*\CURRENT*
979
+
980
+ // This is a fix for DGAGENT-5975, [Kraft Group] Latency accessing network shares with AFE enabled?
981
+ *\SRVSVC*
982
+
983
+ *WINDOWS\WINSX*
984
+ *WINDOWS\SOFTWAREDISTRIBUTIO*
985
+ *WINDOWS\SOFTWA~1*
986
+ *WINDOWS\CBSTEM*
987
+ *\CBSTEM*PACKAGE*KB*.CAT*
988
+ *WINDOWS\SERVICIN*
989
+ *WINDOWS\SERVIC*\PACK*
990
+ *WINDOWS\REGISTRATIO*
991
+ *WINDOWS\REGIST~1*
992
+ *WINDOWS\GLOBALIZATION*
993
+ *WINDOWS\GLOBAL~1*
994
+ *TIWORKER.EX*
995
+ *WINDOWS\LOGS*
996
+ *WINDOWS\SYS*\SMI\STORE*
997
+ *PROGRAMDATA\USOPRIVAT*
998
+ *PROGRAMDATA\MICROSOFT*
999
+ *WINDOWS\SYS*\CONFIG*
1000
+ *WINDOWS\APPPATC*
1001
+ *SYS*\CATROO*
1002
+ *\WINDOWS\INF*
1003
+
1004
+ // Don't reparse any basic EXE types
1005
+ // Fix for DGAGENT-17152
1006
+ *.EXE*;*.DLL*;*.SYS*;*.COM;*.CPL
1007
+
1008
+ SECTION END:
1009
+
1010
+ //=========================================================================
1011
+ // AFE PROCESS NO REPARSE FILES -
1012
+ // No reparse of the specified files. Effeects processses marked with RP flag.
1013
+ // e.g sfttray.exe,RP+PR - see prcsflgs.dat for example(s)
1014
+ //========================================================================
1015
+ SECTION AFE PROCESS NO REPARSE FILES:
1016
+ // OPTIONAL - AppV Application (see sfttray.exe in prcsflgs.dat )
1017
+ sfttray.exe:*.DLL
1018
+
1019
+ // OPTIONAL - Adobe Reader X 10.0.0 (see acrord32.exe in prcsflgs.dat)
1020
+ acrord32.exe:*\USERS\*\APPDATA\*\ADOBE\*
1021
+ acrord32.exe:*\DOC*\*\APP*\ADOBE\*
1022
+
1023
+ // SEP12 has issues during install
1024
+ ccSvcHst.exe:*SYMANTEC*
1025
+
1026
+ // SCEP 2015
1027
+ msmpeng.exe:*.CMD
1028
+
1029
+ // Universal Apps :aka MetroApps - Excluded for AFE
1030
+ sihost.exe:*.JPG
1031
+ SECTION END:
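--- a/domainflags.txt
+++ b/domainflags.txt
@@ -0,0 +1,134 @@
+//=========================================================================
+// DOMAINFLAGS.TXT
+//
+// This file allows control of how DG Web Inspection Proxy
+// handles HTTP and HTTPS requests made to specific web servers
+//
+// Current Domain Flags Definition
+// (Version 9.3.0)
+//
+//
+// Control Flag Name Parameter
+// ------------------------ ---------
+// SKIP INSPECTION SK
+// SKIP INSPECTION if TLS TLSK
+// USE BROWSER CACHING (default) CACHE
+// DISABLE BROWSER CACHING NCACHE
+// SKIP HTTPS SITES WHEN ACCESSED BY SAFARI TLSK_SAFARI
+// SKIP HTTPS SITES WHEN ACCESSED BY CHROME TLSK_CHROME
+// SKIP HTTPS SITES WHEN ACCESSED BY FIREFOX TLSK_FIREFOX
+// SKIP HTTP TRAFFIC AT THE TCP LEVEL HTTP_TCPSK
+// SKIP THE UPSTREAM PROXY (EXPLICIT PROXY MODE ONLY) SK_PROXY
+// USE HTTP1.1 ONLY (AVOID HTTP2.0) HTTP1_1_ONLY
+//
+// NOTES:
+// CACHE is useful to enable caching on a specific site if caching is disabled globally.
+// (If caching is not disabled globally, CACHE has no effect, so can be used
+// to create a domain flag entry that stops other entries from being applied.)
+// If NCACHE and CACHE are both specified on the same line, NCACHE takes precedence.
+// If SK or TLSK is specified all other processing is skipped, including CACHE and NCACHE.
+// Add entries to the domain flags file in order of precedence.
+// IP Address entries and Domain entries are treated separately.
+// For each request the flags from the first matching IP address entry,
+// amd the first matching domain entry are combined and applied.
+//
+// You can add a line to this file for each domain or IP address (range)
+// that you need special handling for. Each line can contain either a
+// domain entry or an IP subnet entry.
+//
+// Examples:
+
+// example.com,SK //<-- SKIP inspection of requests to example.com
+// example.com:80,SK //<-- SKIP inspection of requests to example.com port 80
+// *.example.com,SK //<-- SKIP inspection of requests to immediate subdomains of example.com
+// **.example.com,SK //<-- SKIP inspection of requests to all subdomains of example.com
+// IPv4 examples
+// 10.20.10.1,SK //<-- SKIP inspection of requests to the server at 10.20.10.1
+// 10.10.0.0/16,SK //<-- SKIP inspection of requests to the 10.10.0.0/16 network
+// 10.20.10.1:80,SK //<-- SKIP inspection of requests to the server at 10.20.10.1 port 80
+// 10.20.0.0:80/16,SK //<-- SKIP inspection of requests to the 10.10.0.0/16 network port 80
+// IPv6 examples
+// [fe80::1c31:6bc2:7f5:675c],SK //<-- SKIP inspection of requests to the server at fe80::1c31:6bc2:7f5:675c
+// [fe80::]/64,SK //<-- SKIP inspection of requests to the fe80::/64 network
+// [fe80::1c31:6bc2:7f5:675c]:80,SK //<-- SKIP inspection of requests to the server at fe80::1c31:6bc2:7f5:675c port 80
+// [fe80::]:80/64,SK //<-- SKIP inspection of requests to the fe80::/64 network port 80
+
+
+// Domain wildcard syntax is designed to mimic directory glob syntax.
+// It is not a full regular expression syntax.
+// The following meta-characters are supported:
+// • “*” will match any character except “.”
+// • “**” will match any character including “.”
+// • “?” will match a single character
+// • “[]” can be used to specify a character match list. For example [ab] will match a or b but will not match c
+// • “[!]” can be used to specify a negative character match list. For example [!ab] will not match a or b but will match c
+// • {} can be used to specify comma separated pattern alternatives. For example {ab,de} will match ab or de
+
+
+// Ad networks
+secure.adnxs.com,SK
+as-*.casalemedia.com,SK
+logx.optimizely.com,SK
+fastlane.rubiconproject.com,SK
+tps*.doubleverify.com,SK
+timeinc-*.openx.net,SK
+ads.adaptv.advertising.com,SK
+
+// Microsoft website for AD FS
+login.microsoftonline.com,SK
+// Single Sign On sites
+sso.teamviewer.com,SK
+idp.blackberry.com,SK
+pki.entitlement.siemens.com,SK
+
+// Apple websites with certificate checks on Safari Browser
+safari-extensions.apple.com,TLSK_SAFARI
+icloud.com,TLSK_SAFARI
+setup.icloud.com,TLSK_SAFARI
+edge.icloud.com,TLSK_SAFARI
+*pushws.icloud.com,TLSK_SAFARI
+*contactsws.icloud.com,TLSK_SAFARI
+feedbackws.icloud.com,TLSK_SAFARI
+*keyvalueservice.icloud.com,TLSK_SAFARI
+idmsa.apple.com,TLSK_SAFARI
+**.apple.com,TLSK_SAFARI
+
+// Salesforce caches the case files. NCACHE is needed to override caching
+// if you want to log/block NTDs.
+**.force.com,NCACHE
+
+// dropbox (and others) use cache-control headers for downloaded contents. NCACHE is needed
+// to override caching if you wan to log/block NTDs.
+**.dl.dropboxusercontent.com,NCACHE
+web.opendrive.com,NCACHE
+mail-attachment.googleusercontent.com,NCACHE
+
+// DLPTEST caches files. NCACHE is needed to override caching for logging/blocking NTDs.
+dlptest.com,NCACHE
+
+// chrome remote desktop
+instantmessaging-pa.clients6.google.com,TLSK_CHROME
+
+// Microsoft AIP / MIP (pinned certificates / tls renegotiation)
+**.aadrm.com,SK
+**.protection.outlook.com,SK
+// Microsoft Edge sync service
+edge-enterprise.activity.windows.com,SK
+edge.microsoft.com,SK
+// Microsoft Teams presence
+**presence.teams.microsoft.com,SK
+// Microsoft telemetry (teams, browser, mobile, etc)
+**.events.data.microsoft.com,SK
+**.events.data.msn.com,SK
+*-telemetry.officeapps.live.com,SK
+// Firefox telemetry
+incoming.telemetry.mozilla.org,SK
+
+// Push Notifications are often implemented by FCM.
+// Fixes the case when push notifications do not appear
+mtalk.google.com,SK
+
+// SA-38414, Online commerce
+cc.zdtc.app,SK
+// Microsoft Teams audio connections
+**.relay.teams.microsoft.com,SK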
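Review bot: The `SK` entries under `// Ad networks` (`secure.adnxs.com` through `ads.adaptv.advertising.com`) and `cc.zdtc.app,SK` take those hosts out of web inspection entirely, yet their comments give no technical reason such as certificate pinning; the latter is explained only by `SA-38414, Online commerce`. By the file's own notes, `SK` skips all other processing, so requests to these hosts would presumably go unlogged and unblocked. Where the underlying problem is a TLS failure, the narrower `TLSK` or a browser-specific `TLSK_*` flag should be used, and each entry's comment should name the failure it works around and who approved it. `**presence.teams.microsoft.com,SK` has no dot after `**`, so under the glob rules above it matches any host name that merely ends in that string; `**.presence.teams.microsoft.com` would be tighter if the bare host is not needed. Separately, the header example `10.20.0.0:80/16,SK` is described as the 10.10.0.0/16 network, which looks like a copy error for 10.20.0.0/16.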
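--- a/impflt.bin
+++ b/impflt.bin
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fbcb2447ff29818bb70ea7ad8444632a05e4b4b4ea72a4ebf8630c31752e5a2c
+size 20326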
impflt.xml ADDED
@@ -0,0 +1,1387 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?xml version="1.0" encoding="utf-8"?>
2
+ <root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.verdasys.com/schemas/fileformat.xsd" xmlns:x="http://www.verdasys.com/schemas/fileformat.xsd">
3
+ <filetypes>
4
+
5
+ <filetype name="executable/">
6
+ <filesignature>
7
+ <!-- 'MZ' MS-DOS -->
8
+ <chunk>
9
+ <offset>0</offset>
10
+ <value>4D5A</value>
11
+ </chunk>
12
+ </filesignature>
13
+ <filesignature>
14
+ <!-- 'NE' Windows 3.1 -->
15
+ <chunk>
16
+ <offset>0</offset>
17
+ <value>4E45</value>
18
+ </chunk>
19
+ </filesignature>
20
+ <filesignature>
21
+ <!-- 'PE' Win32 -->
22
+ <chunk>
23
+ <offset>0</offset>
24
+ <value>5045</value>
25
+ </chunk>
26
+ </filesignature>
27
+ <filesignature>
28
+ <!-- 'LE' OS/2 -->
29
+ <chunk>
30
+ <offset>0</offset>
31
+ <value>4C45</value>
32
+ </chunk>
33
+ </filesignature>
34
+ <filesignature>
35
+ <!-- 'LX' OS/2 -->
36
+ <chunk>
37
+ <offset>0</offset>
38
+ <value>4C58</value>
39
+ </chunk>
40
+ </filesignature>
41
+ </filetype>
42
+
43
+ <filetype name="document/msofficelegacy">
44
+ <filesignature>
45
+ <!-- MS DOC PPT XLS MSI -->
46
+ <chunk>
47
+ <offset>0</offset>
48
+ <value>D0CF11E0A1B11AE1</value>
49
+ </chunk>
50
+ </filesignature>
51
+ </filetype>
52
+
53
+ <filetype name="system/registry">
54
+ <filesignature>
55
+ <!-- WinNT SYSTEM/Registry file 'regf' -->
56
+ <chunk>
57
+ <offset>0</offset>
58
+ <value>72656766</value>
59
+ </chunk>
60
+ </filesignature>
61
+ <filesignature>
62
+ <!-- This one is for Crypto Keys -->
63
+ <chunk>
64
+ <offset>0</offset>
65
+ <value>0200000000000000</value>
66
+ </chunk>
67
+ </filesignature>
68
+ </filetype>
69
+
70
+ <!-- MS Office Open XML formats -->
71
+ <filetype name="document/msofficeopenxml">
72
+ <filesignature>
73
+ <!-- DOCX PPTX XLSX -->
74
+ <chunk>
75
+ <offset>0</offset>
76
+ <value>504B030414000600</value>
77
+ </chunk>
78
+ </filesignature>
79
+ </filetype>
80
+
81
+ <!-- Adobe PDF -->
82
+ <filetype name="document/pdf">
83
+ <filesignature>
84
+ <!-- PDF FDF -->
85
+ <chunk>
86
+ <offset>0</offset>
87
+ <value>25504446</value>
88
+ </chunk>
89
+ </filesignature>
90
+ </filetype>
91
+
92
+ <!-- Windows System Monitor Logs -->
93
+ <filetype name="system/performancelog">
94
+ <filesignature>
95
+ <!-- file prolog -->
96
+ <chunk>
97
+ <offset>0</offset>
98
+ <value>00000100</value>
99
+ </chunk>
100
+ </filesignature>
101
+ </filetype>
102
+
103
+ <!-- Windows Managed Object File-->
104
+ <filetype name="system/wmidata">
105
+ <filesignature>
106
+ <!-- file prolog #p from #pragma-->
107
+ <chunk>
108
+ <offset>0</offset>
109
+ <value>2370</value>
110
+ </chunk>
111
+ </filesignature>
112
+ <filesignature>
113
+ <!-- file prolog #p from #pragma (wide chars)-->
114
+ <chunk>
115
+ <offset>0</offset>
116
+ <value>FFFE23007000</value>
117
+ </chunk>
118
+ </filesignature>
119
+ <filesignature>
120
+ <!-- file prolog // from commented line-->
121
+ <chunk>
122
+ <offset>0</offset>
123
+ <value>2F2F</value>
124
+ </chunk>
125
+ </filesignature>
126
+ </filetype>
127
+
128
+ <!-- MS Security Catalog -->
129
+ <filetype name="system/mssecuritycatalog">
130
+ <filesignature>
131
+ <!-- 3082 - Advanced Disk Catalog Disk Catalog -->
132
+ <chunk>
133
+ <offset>0</offset>
134
+ <value>3082</value>
135
+ </chunk>
136
+ </filesignature>
137
+ <filesignature>
138
+ <!-- 3083 - Advanced Disk Catalog Disk Catalog -->
139
+ <chunk>
140
+ <offset>0</offset>
141
+ <value>3083</value>
142
+ </chunk>
143
+ </filesignature>
144
+ </filetype>
145
+
146
+ <!-- COM+ - COM+ Catalog file -->
147
+ <filetype name="system/compluscatalog">
148
+ <filesignature>
149
+ <chunk>
150
+ <offset>0</offset>
151
+ <value>434F4D2B</value>
152
+ </chunk>
153
+ </filesignature>
154
+ </filetype>
155
+
156
+ <!--Extensible Storage Engine Database File -->
157
+ <filetype name="system/datastore">
158
+ <filesignature>
159
+ <!-- DataStore edb file -->
160
+ <chunk>
161
+ <offset>2</offset>
162
+ <value>EFCDAB89</value>
163
+ </chunk>
164
+ </filesignature>
165
+ <filesignature>
166
+ <chunk>
167
+ <offset>4</offset>
168
+ <value>EFCDAB89</value>
169
+ </chunk>
170
+ </filesignature>
171
+ </filetype>
172
+
173
+ <!-- Symantic Endpoint Protection -->
174
+ <filetype name="other/symantecendpointprotection">
175
+ <filesignature>
176
+ <!-- @\r\n@ -->
177
+ <chunk>
178
+ <offset>0</offset>
179
+ <value>400D0A40</value>
180
+ </chunk>
181
+ </filesignature>
182
+ <filesignature>
183
+ <!-- \\\r\n\\ -->
184
+ <chunk>
185
+ <offset>0</offset>
186
+ <value>5C0D0A5C</value>
187
+ </chunk>
188
+ </filesignature>
189
+ </filetype>
190
+
191
+ <!-- UniCode Extensions -->
192
+ <filetype name="system/unicodeextensions">
193
+ <filesignature>
194
+ <!-- UCEX -->
195
+ <chunk>
196
+ <offset>0</offset>
197
+ <value>55434558</value>
198
+ </chunk>
199
+ </filesignature>
200
+ </filetype>
201
+
202
+ <!-- Windows Icon-->
203
+ <filetype name="graphics/winicon">
204
+ <filesignature>
205
+ <chunk>
206
+ <offset>0</offset>
207
+ <value>00000100</value>
208
+ </chunk>
209
+ </filesignature>
210
+ </filetype>
211
+
212
+ <!-- Windows Cursor -->
213
+ <filetype name="graphics/wincursor">
214
+ <filesignature>
215
+ <chunk>
216
+ <offset>0</offset>
217
+ <value>00000200</value>
218
+ </chunk>
219
+ </filesignature>
220
+ </filetype>
221
+
222
+ <filetype name="system/winhelp">
223
+ <filesignature>
224
+ <chunk>
225
+ <offset>0</offset>
226
+ <value>3F5F0300</value>
227
+ </chunk>
228
+ </filesignature>
229
+ <filesignature>
230
+ <chunk>
231
+ <offset>0</offset>
232
+ <value>4C4E0200</value>
233
+ </chunk>
234
+ </filesignature>
235
+ </filetype>
236
+
237
+ <!-- Microsoft Outlook Personal Folder file -->
238
+ <filetype name="archive/msoutlook">
239
+ <filesignature>
240
+ <chunk>
241
+ <offset>0</offset>
242
+ <value>2142444E</value>
243
+ </chunk>
244
+ </filesignature>
245
+ </filetype>
246
+
247
+ <!-- Windows bitmap image -->
248
+ <filetype name="graphics/winbitmap">
249
+ <filesignature>
250
+ <chunk>
251
+ <offset>0</offset>
252
+ <value>424D</value>
253
+ </chunk>
254
+ </filesignature>
255
+ </filetype>
256
+
257
+ <!-- Graphics interchange format file -->
258
+ <filetype name="graphics/imagegif">
259
+ <filesignature>
260
+ <!-- GIF87a-->
261
+ <chunk>
262
+ <offset>0</offset>
263
+ <value>474946383761</value>
264
+ </chunk>
265
+ </filesignature>
266
+ <filesignature>
267
+ <!-- GIF89a-->
268
+ <chunk>
269
+ <offset>0</offset>
270
+ <value>474946383961</value>
271
+ </chunk>
272
+ </filesignature>
273
+ </filetype>
274
+
275
+ <!-- Tag image file format -->
276
+ <filetype name="graphics/tiff">
277
+ <filesignature>
278
+ <chunk>
279
+ <offset>0</offset>
280
+ <value>4949</value>
281
+ </chunk>
282
+ </filesignature>
283
+ </filetype>
284
+
285
+ <!-- RAR compressed archive file -->
286
+ <filetype name="archive/rarcompressed">
287
+ <filesignature>
288
+ <chunk>
289
+ <offset>0</offset>
290
+ <value>526172211A07</value>
291
+ </chunk>
292
+ </filesignature>
293
+ </filetype>
294
+
295
+ <!-- 7z compressed archive file -->
296
+ <filetype name="archive/7zcompressed">
297
+ <filesignature>
298
+ <chunk>
299
+ <offset>0</offset>
300
+ <value>377ABCAF271C</value>
301
+ </chunk>
302
+ </filesignature>
303
+ </filetype>
304
+
305
+ <!-- bzip2 compressed archive file -->
306
+ <filetype name="archive/bz2compressed">
307
+ <filesignature>
308
+ <chunk>
309
+ <offset>0</offset>
310
+ <value>425A68</value>
311
+ </chunk>
312
+ </filesignature>
313
+ </filetype>
314
+
315
+ <!-- gzip compressed archive file -->
316
+ <filetype name="archive/gzipcompressed">
317
+ <filesignature>
318
+ <chunk>
319
+ <offset>0</offset>
320
+ <value>1F8B08</value>
321
+ </chunk>
322
+ </filesignature>
323
+ </filetype>
324
+
325
+ <!-- lzh compressed archive file -->
326
+ <filetype name="archive/lzhcompressed">
327
+ <filesignature>
328
+ <chunk>
329
+ <offset>0</offset>
330
+ <value>2D6C68</value>
331
+ </chunk>
332
+ </filesignature>
333
+ <filesignature>
334
+ <chunk>
335
+ <offset>4</offset>
336
+ <value>2D6C68</value>
337
+ </chunk>
338
+ </filesignature>
339
+ </filetype>
340
+
341
+ <!-- Windows shortcut file -->
342
+ <filetype name="link/winshortcut">
343
+ <filesignature>
344
+ <chunk>
345
+ <offset>0</offset>
346
+ <value>4C00000001140200</value>
347
+ </chunk>
348
+ </filesignature>
349
+ </filetype>
350
+
351
+ <!-- Microsoft Cabinet file -->
352
+ <filetype name="archive/mscabinet">
353
+ <filesignature>
354
+ <chunk>
355
+ <offset>0</offset>
356
+ <value>4D534346</value>
357
+ </chunk>
358
+ </filesignature>
359
+ </filetype>
360
+
361
+ <!-- Musical Instrument Digital Interface -->
362
+ <filetype name="audiovideo/soundmidi">
363
+ <filesignature>
364
+ <chunk>
365
+ <offset>0</offset>
366
+ <value>4D546864</value>
367
+ </chunk>
368
+ </filesignature>
369
+ </filetype>
370
+
371
+ <!-- True Type font -->
372
+ <filetype name="font/truetype">
373
+ <filesignature>
374
+ <chunk>
375
+ <offset>0</offset>
376
+ <value>0001000000</value>
377
+ </chunk>
378
+ </filesignature>
379
+ <filesignature>
380
+ <chunk>
381
+ <offset>0</offset>
382
+ <value>4F54544F</value>
383
+ </chunk>
384
+ </filesignature>
385
+ </filetype>
386
+
387
+ <!-- True Type font collection -->
388
+ <filetype name="font/truetypecollection">
389
+ <filesignature>
390
+ <chunk>
391
+ <offset>0</offset>
392
+ <value>74746366</value>
393
+ </chunk>
394
+ </filesignature>
395
+ </filetype>
396
+
397
+ <!-- Audio for Windows -->
398
+ <filetype name="audiovideo/soundwave">
399
+ <filesignature>
400
+ <chunk>
401
+ <offset>0</offset>
402
+ <value>52494646</value>
403
+ </chunk>
404
+ <chunk>
405
+ <offset>8</offset>
406
+ <value>57415645666D7420</value>
407
+ </chunk>
408
+ </filesignature>
409
+ </filetype>
410
+
411
+ <!-- Real media file -->
412
+ <filetype name="audiovideo/soundreal">
413
+ <filesignature>
414
+ <chunk>
415
+ <offset>0</offset>
416
+ <value>2E524D46</value>
417
+ </chunk>
418
+ </filesignature>
419
+ </filetype>
420
+
421
+ <!-- Apple media file -->
422
+ <filetype name="audiovideo/apple">
423
+ <filesignature>
424
+ <chunk>
425
+ <offset>0</offset>
426
+ <value>00000020667479704D3441</value>
427
+ </chunk>
428
+ </filesignature>
429
+ </filetype>
430
+
431
+ <!-- 3GPP and 3GPP2 media files -->
432
+ <filetype name="audiovideo/3gp">
433
+ <filesignature>
434
+ <chunk>
435
+ <offset>0</offset>
436
+ <value>0000001466747970</value>
437
+ </chunk>
438
+ <chunk>
439
+ <offset>0</offset>
440
+ <value>0000002066747970</value>
441
+ </chunk>
442
+ </filesignature>
443
+ </filetype>
444
+
445
+ <!-- Ogg Vorbis Codec compressed Multimedia file -->
446
+ <filetype name="audiovideo/oggvorbis">
447
+ <filesignature>
448
+ <chunk>
449
+ <offset>0</offset>
450
+ <value>4F67675300020000</value>
451
+ </chunk>
452
+ </filesignature>
453
+ </filetype>
454
+
455
+ <!-- JPEG/JFIF graphics file -->
456
+ <filetype name="graphics/jpeg">
457
+ <filesignature>
458
+ <chunk>
459
+ <offset>0</offset>
460
+ <value>FFD8FF</value>
461
+ </chunk>
462
+ </filesignature>
463
+ </filetype>
464
+
465
+ <!-- Portable Network Graphics file -->
466
+ <filetype name="graphics/png">
467
+ <filesignature>
468
+ <chunk>
469
+ <offset>0</offset>
470
+ <value>89504E470D0A1A0A</value>
471
+ </chunk>
472
+ </filesignature>
473
+ </filetype>
474
+
475
+ <!-- PF file -->
476
+ <filetype name="system/prefetchdata">
477
+ <filesignature>
478
+ <!-- Windows\Prefetch\*.pf XP, 2003 -->
479
+ <chunk>
480
+ <offset>0</offset>
481
+ <value>11000000534343410F000000</value>
482
+ </chunk>
483
+ </filesignature>
484
+ <filesignature>
485
+ <!-- Windows\Prefetch\*.pf VISTA, Win7-->
486
+ <chunk>
487
+ <offset>0</offset>
488
+ <value>170000005343434111000000</value>
489
+ </chunk>
490
+ </filesignature>
491
+ <filesignature>
492
+ <!-- Windows\Prefetch\*.pf Win8.1-->
493
+ <chunk>
494
+ <offset>0</offset>
495
+ <value>1A0000005343434111000000</value>
496
+ </chunk>
497
+ </filesignature>
498
+ <!-- Java PF files -->
499
+ <filesignature>
500
+ <chunk>
501
+ <!-- 'HLino' -->
502
+ <offset>3</offset>
503
+ <value>484C696E6F</value>
504
+ </chunk>
505
+ </filesignature>
506
+ <filesignature>
507
+ <chunk>
508
+ <!-- 'KCMS' -->
509
+ <offset>4</offset>
510
+ <value>4B434D53</value>
511
+ </chunk>
512
+ </filesignature>
513
+ </filetype>
514
+
515
+ <!-- XML file -->
516
+ <filetype name="document/xml">
517
+ <filesignature>
518
+ <!-- <?xml -->
519
+ <chunk>
520
+ <offset>0</offset>
521
+ <value>3C3F786D6C</value>
522
+ </chunk>
523
+ </filesignature>
524
+ </filetype>
525
+
526
+ <!-- Rich Text Format file -->
527
+ <filetype name="document/rtf">
528
+ <filesignature>
529
+ <!-- {rtf1 -->
530
+ <chunk>
531
+ <offset>0</offset>
532
+ <value>7B5C72746631</value>
533
+ </chunk>
534
+ </filesignature>
535
+ </filetype>
536
+
537
+ <!-- IBM Notes Storage Facility (Lotus) -->
538
+ <filetype name="document/nsf">
539
+ <filesignature>
540
+ <chunk>
541
+ <offset>0</offset>
542
+ <value>1A00</value>
543
+ </chunk>
544
+ </filesignature>
545
+ </filetype>
546
+
547
+ <!-- MANIFEST file -->
548
+ <filetype name="document/manifestfile">
549
+ <filesignature>
550
+ <chunk>
551
+ <offset>0</offset>
552
+ <value>FFFE3C003F0078006D006C</value>
553
+ </chunk>
554
+ </filesignature>
555
+ <filesignature>
556
+ <chunk>
557
+ <offset>0</offset>
558
+ <value>EFBBBF3C3F786D6C</value>
559
+ </chunk>
560
+ </filesignature>
561
+ <filesignature>
562
+ <!-- <?xml -->
563
+ <chunk>
564
+ <offset>0</offset>
565
+ <value>3C3F786D6C</value>
566
+ </chunk>
567
+ </filesignature>
568
+ </filetype>
569
+
570
+ <!-- OLE Type Library -->
571
+ <filetype name="executable/typelibrary">
572
+ <filesignature>
573
+ <!-- 'MZ' -->
574
+ <chunk>
575
+ <offset>0</offset>
576
+ <value>4D5A</value>
577
+ </chunk>
578
+ </filesignature>
579
+ <filesignature>
580
+ <!-- 'MSFT' -->
581
+ <chunk>
582
+ <offset>0</offset>
583
+ <value>4D534654</value>
584
+ </chunk>
585
+ </filesignature>
586
+ </filetype>
587
+
588
+ <!-- Video for Windows -->
589
+ <filetype name="audiovideo/videoavi">
590
+ <filesignature>
591
+ <chunk>
592
+ <offset>0</offset>
593
+ <value>52494646</value>
594
+ </chunk>
595
+ <chunk>
596
+ <offset>8</offset>
597
+ <value>415649</value>
598
+ </chunk>
599
+ </filesignature>
600
+ </filetype>
601
+
602
+ <!-- QuickTime movie file -->
603
+ <filetype name="audiovideo/videoquicktime">
604
+ <filesignature>
605
+ <chunk>
606
+ <offset>4</offset>
607
+ <value>6D6F6F76</value>
608
+ </chunk>
609
+ <chunk>
610
+ <offset>0</offset>
611
+ <value>000000146674797071742020</value>
612
+ </chunk>
613
+ </filesignature>
614
+ </filetype>
615
+
616
+ <!-- MPEG video file -->
617
+ <filetype name="audiovideo/videompeg">
618
+ <filesignature>
619
+ <!-- MPEG-4 video file -->
620
+ <chunk>
621
+ <offset>0</offset>
622
+ <value>0000001466747970</value>
623
+ </chunk>
624
+ <chunk>
625
+ <offset>0</offset>
626
+ <value>0000001866747970</value>
627
+ </chunk>
628
+ <chunk>
629
+ <offset>0</offset>
630
+ <value>0000001C66747970</value>
631
+ </chunk>
632
+ <!-- MPEG video file 00 00 01 Bx -->
633
+ <chunk>
634
+ <offset>0</offset>
635
+ <value>000001</value>
636
+ </chunk>
637
+ </filesignature>
638
+ </filetype>
639
+
640
+ <!-- Shockwave Flash file -->
641
+ <filetype name="audiovideo/videoshockwave">
642
+ <filesignature>
643
+ <chunk>
644
+ <offset>0</offset>
645
+ <value>465753</value>
646
+ </chunk>
647
+ </filesignature>
648
+ <filesignature>
649
+ <chunk>
650
+ <offset>0</offset>
651
+ <value>435753</value>
652
+ </chunk>
653
+ </filesignature>
654
+ </filetype>
655
+
656
+ <!-- IE History file -->
657
+ <filetype name="link/clienturlcache">
658
+ <filesignature>
659
+ <chunk>
660
+ <offset>0</offset>
661
+ <value>436C69656E742055726C4361636865</value>
662
+ </chunk>
663
+ </filesignature>
664
+ </filetype>
665
+
666
+ <!-- Personal Usage Data -->
667
+ <filetype name="system/personalusagedata">
668
+ <filesignature>
669
+ <chunk>
670
+ <offset>0</offset>
671
+ <value>1900040019001900</value>
672
+ </chunk>
673
+ </filesignature>
674
+ </filetype>
675
+
676
+ <!-- BTR WBEM Index files -->
677
+ <filetype name="btrwbem">
678
+ <filesignature>
679
+ <chunk>
680
+ <offset>0</offset>
681
+ <value>CCAC</value>
682
+ </chunk>
683
+ </filesignature>
684
+ </filetype>
685
+
686
+ <!-- DIC IME Dictionary File -->
687
+ <filetype name="graphics/imedic">
688
+ <filesignature>
689
+ <chunk>
690
+ <offset>0</offset>
691
+ <value>53554400</value>
692
+ </chunk>
693
+ </filesignature>
694
+ </filetype>
695
+
696
+ <!-- Print Job Options -->
697
+ <filetype name="system/printjoboptions">
698
+ <filesignature>
699
+ <chunk>
700
+ <offset>0</offset>
701
+ <value>3C3C0D0A</value>
702
+ </chunk>
703
+ </filesignature>
704
+ </filetype>
705
+
706
+ <!-- SDB SYSTEM/ Database Files -->
707
+ <filetype name="system/database">
708
+ <filesignature>
709
+ <chunk>
710
+ <offset>0</offset>
711
+ <value>020000004912010073646266</value>
712
+ </chunk>
713
+ </filesignature>
714
+ </filetype>
715
+
716
+ <!-- Portable Network Graphics Frame Bitmap and Precompiled INF -->
717
+ <filetype name="graphics/pnfbitmap">
718
+ <filesignature>
719
+ <chunk>
720
+ <offset>0</offset>
721
+ <value>01010200</value>
722
+ </chunk>
723
+ <chunk>
724
+ <offset>0</offset>
725
+ <value>01030200</value>
726
+ </chunk>
727
+ </filesignature>
728
+ </filetype>
729
+
730
+ <!-- Command Extensions -->
731
+ <filetype name="executable/command">
732
+ <filesignature>
733
+ <chunk>
734
+ <offset>0</offset>
735
+ <value>406563686f20</value>
736
+ </chunk>
737
+ </filesignature>
738
+ </filetype>
739
+
740
+ <!-- Java bytecode -->
741
+ <filetype name="executable/javabytecode">
742
+ <filesignature>
743
+ <chunk>
744
+ <offset>0</offset>
745
+ <value>CAFEBABE</value>
746
+ </chunk>
747
+ </filesignature>
748
+ </filetype>
749
+
750
+ <!-- Config files -->
751
+ <filetype name="other/config">
752
+ <filesignature>
753
+ <chunk>
754
+ <offset>0</offset>
755
+ <value>fffe3c003f0078006d006c00</value>
756
+ </chunk>
757
+ </filesignature>
758
+ <filesignature>
759
+ <!-- <?xml -->
760
+ <chunk>
761
+ <offset>0</offset>
762
+ <value>3c3f786d6c</value>
763
+ </chunk>
764
+ </filesignature>
765
+ <filesignature>
766
+ <chunk>
767
+ <offset>0</offset>
768
+ <value>feff003c003f0078006d006c</value>
769
+ </chunk>
770
+ </filesignature>
771
+ </filetype>
772
+
773
+ <!-- ZIP compressed archive file -->
774
+ <filetype name="archive/zipcompressed">
775
+ <filesignature>
776
+ <chunk>
777
+ <offset>0</offset>
778
+ <value>504B0304</value>
779
+ </chunk>
780
+ </filesignature>
781
+ </filetype>
782
+
783
+ <!-- Open office document (same signature as ZIP compressed file) -->
784
+ <filetype name="document/openoffice">
785
+ <filesignature>
786
+ <chunk>
787
+ <offset>0</offset>
788
+ <value>504B0304</value>
789
+ </chunk>
790
+ </filesignature>
791
+ </filetype>
792
+
793
+ <!-- Tape Archive -->
794
+ <filetype name="archive/tapearchive">
795
+ <filesignature>
796
+ <!-- ustar -->
797
+ <chunk>
798
+ <offset>257</offset>
799
+ <value>7573746172</value>
800
+ </chunk>
801
+ </filesignature>
802
+ </filetype>
803
+
804
+ <!-- JAVA Archive -->
805
+ <filetype name="executable/javaarchive">
806
+ <filesignature>
807
+ <chunk>
808
+ <offset>0</offset>
809
+ <value>504B0304</value>
810
+ </chunk>
811
+ </filesignature>
812
+ </filetype>
813
+
814
+ <filetype name="system/">
815
+ <filesignature>
816
+ <!-- Windows (1)-->
817
+ <chunk>
818
+ <offset>0</offset>
819
+ <value>E9</value>
820
+ </chunk>
821
+ </filesignature>
822
+ <filesignature>
823
+ <!-- Windows/DOS (2) -->
824
+ <chunk>
825
+ <offset>0</offset>
826
+ <value>FF</value>
827
+ </chunk>
828
+ </filesignature>
829
+ <filesignature>
830
+ <!-- 'MZ' MS-DOS -->
831
+ <chunk>
832
+ <offset>0</offset>
833
+ <value>4D5A</value>
834
+ </chunk>
835
+ </filesignature>
836
+ <filesignature>
837
+ <!-- Windows/DOS (2) -->
838
+ <chunk>
839
+ <offset>0</offset>
840
+ <value>1E</value>
841
+ </chunk>
842
+ </filesignature>
843
+ <filesignature>
844
+ <!-- Windows/DOS (3) -->
845
+ <chunk>
846
+ <offset>0</offset>
847
+ <value>BC</value>
848
+ </chunk>
849
+ </filesignature>
850
+ <filesignature>
851
+ <!-- NTDETECT.COM -->
852
+ <chunk>
853
+ <offset>0</offset>
854
+ <value>665566</value>
855
+ </chunk>
856
+ </filesignature>
857
+
858
+ </filetype>
859
+
860
+ <!-- MS Common Console Document-->
861
+ <filetype name="executable/mscommonconsole">
862
+ <filesignature>
863
+ <chunk>
864
+ <offset>0</offset>
865
+ <value>D0CF11E0</value>
866
+ </chunk>
867
+ </filesignature>
868
+ <filesignature>
869
+ <!-- <?xml -->
870
+ <chunk>
871
+ <offset>0</offset>
872
+ <value>3C3F786D6C</value>
873
+ </chunk>
874
+ </filesignature>
875
+ <filesignature>
876
+ <!-- 'MZ' -->
877
+ <chunk>
878
+ <offset>0</offset>
879
+ <value>4D5A</value>
880
+ </chunk>
881
+ </filesignature>
882
+ </filetype>
883
+
884
+ <!-- MPEG audio file -->
885
+ <filetype name="audiovideo/soundmpeg">
886
+ <filesignature>
887
+ <chunk>
888
+ <offset>0</offset>
889
+ <value>FF</value>
890
+ </chunk>
891
+ </filesignature>
892
+ <filesignature>
893
+ <chunk>
894
+ <offset>0</offset>
895
+ <value>494433</value>
896
+ </chunk>
897
+ </filesignature>
898
+ </filetype>
899
+
900
+ <filetype name="other/configini">
901
+ <file-processor guid="IniFileProcessor"/>
902
+ </filetype>
903
+ <filetype name="document/html">
904
+ <file-processor guid="HTMLFileProcessor"/>
905
+ </filetype>
906
+ <filetype name="system/nls">
907
+ <file-processor guid="NLSFileProcessor"/>
908
+ </filetype>
909
+ <filetype name="executable/selfextractexec">
910
+ <file-processor guid="SelfExtractExec"/>
911
+ </filetype>
912
+
913
+
914
+ <filetype name="officetemplate">
915
+ <filesignature>
916
+ <chunk>
917
+ <offset>0</offset>
918
+ <value>D0CF</value>
919
+ </chunk>
920
+ </filesignature>
921
+ </filetype>
922
+
923
+ <filetype name="officetemplatexmlzip">
924
+ <filesignature>
925
+ <chunk>
926
+ <offset>0</offset>
927
+ <value>504B</value>
928
+ </chunk>
929
+ </filesignature>
930
+ </filetype>
931
+
932
+ <!-- Command Extensions -->
933
+
934
+ </filetypes>
935
+
936
+ <file-extentions>
937
+ <!-- OLE Compound Files -->
938
+ <file-extention name="doc" typeref="document/msofficelegacy"/>
939
+ <file-extention name="ppt" typeref="document/msofficelegacy"/>
940
+ <file-extention name="xls" typeref="document/msofficelegacy"/>
941
+ <file-extention name="vsd" typeref="document/msofficelegacy"/>
942
+ <file-extention name="msi" typeref="document/msofficelegacy"/>
943
+
944
+ <!-- SYSTEM/Registry -->
945
+ <file-extention name="log" typeref="system/registry"/>
946
+ <file-extention name="sav" typeref="system/registry"/>
947
+ <file-extention name="dat" typeref="system/registry"/>
948
+
949
+ <!-- SYSTEM/PerformanceLog -->
950
+ <file-extention name="blg" typeref="system/performancelog"/>
951
+
952
+ <!-- Install MST/MSC -->
953
+ <file-extention name="mst" typeref="executable/mscommonconsole"/>
954
+ <file-extention name="msc" typeref="executable/mscommonconsole"/>
955
+
956
+ <!-- Windows Managed Object File -->
957
+ <file-extention name="mof" typeref="system/wmidata"/>
958
+
959
+ <!-- Extensible Storage Engine Database File-->
960
+ <file-extention name="edb" typeref="system/datastore"/>
961
+
962
+ <!-- SYSTEM/MSSecurityCatalog -->
963
+ <file-extention name="cat" typeref="system/mssecuritycatalog"/>
964
+
965
+ <!-- COM+ catalog file -->
966
+ <file-extention name="clb" typeref="system/compluscatalog"/>
967
+
968
+ <!-- Self Extracting EXECUTABLE/ -->
969
+ <file-extention name="exe" typeref="executable/selfextractexec"/>
970
+
971
+ <!-- EXECUTABLE/ -->
972
+ <file-extention name="exe" typeref="executable/"/>
973
+ <file-extention name="dll" typeref="executable/"/>
974
+ <file-extention name="sys" typeref="executable/"/>
975
+ <file-extention name="drv" typeref="executable/"/>
976
+ <file-extention name="rll" typeref="executable/"/>
977
+ <file-extention name="qts" typeref="executable/"/>
978
+ <file-extention name="qtx" typeref="executable/"/>
979
+ <file-extention name="ax" typeref="executable/"/>
980
+ <file-extention name="cpl" typeref="executable/"/>
981
+ <file-extention name="fon" typeref="executable/"/>
982
+ <file-extention name="flt" typeref="executable/"/>
983
+ <file-extention name="ocx" typeref="executable/"/>
984
+ <file-extention name="olb" typeref="executable/"/>
985
+ <file-extention name="scr" typeref="executable/"/>
986
+ <file-extention name="vbx" typeref="executable/"/>
987
+ <file-extention name="vxd" typeref="executable/"/>
988
+ <file-extention name="386" typeref="executable/"/>
989
+ <file-extention name="api" typeref="executable/"/>
990
+ <file-extention name="msstyles" typeref="executable/"/>
991
+ <file-extention name="com" typeref="executable//"/>
992
+ <file-extention name="wpc" typeref="executable/"/>
993
+ <file-extention name="ime" typeref="executable/"/>
994
+ <file-extention name="dic" typeref="executable/"/>
995
+ <file-extention name="tsp" typeref="executable/"/>
996
+ <file-extention name="acm" typeref="executable/"/>
997
+ <file-extention name="iec" typeref="executable/"/>
998
+ <file-extention name="mui" typeref="executable/"/>
999
+
1000
+ <!-- SEP Plugin -->
1001
+ <file-extention name="plg" typeref="executable/"/>
1002
+
1003
+ <!-- SYSTEM/ -->
1004
+ <file-extention name="sys" typeref="system/"/>
1005
+ <file-extention name="com" typeref="system/"/>
1006
+
1007
+ <!-- EXECUTABLE/TypeLibrary -->
1008
+ <file-extention name="tlb" typeref="executable/typelibrary"/>
1009
+
1010
+ <!-- GRAPHICS/WinIcon -->
1011
+ <file-extention name="ico" typeref="graphics/winicon"/>
1012
+
1013
+ <!-- GRAPHICS/WinIcon -->
1014
+ <file-extention name="cur" typeref="graphics/wincursor"/>
1015
+
1016
+ <!-- SYSTEM/WinHelp -->
1017
+ <file-extention name="hlp" typeref="system/winhelp"/>
1018
+
1019
+ <!-- Microsoft Outlook Personal Folder file -->
1020
+ <file-extention name="pst" typeref="archive/msoutlook"/>
1021
+ <file-extention name="ost" typeref="archive/msoutlook"/>
1022
+
1023
+ <!-- Windows bitmap image -->
1024
+ <file-extention name="bmp" typeref="graphics/winbitmap"/>
1025
+ <file-extention name="dib" typeref="graphics/winbitmap"/>
1026
+ <file-extention name="ico" typeref="graphics/winbitmap"/>
1027
+
1028
+ <!-- Graphics interchange format file -->
1029
+ <file-extention name="gif" typeref="graphics/imagegif"/>
1030
+
1031
+ <!-- Tag image file format -->
1032
+ <file-extention name="tif" typeref="graphics/tiff"/>
1033
+
1034
+ <!-- Windows shortcut file -->
1035
+ <file-extention name="lnk" typeref="link/winshortcut"/>
1036
+
1037
+ <!-- Microsoft Cabinet file -->
1038
+ <file-extention name="cab" typeref="archive/mscabinet"/>
1039
+ <!-- Powerpoint Packaged Presentation -->
1040
+ <file-extention name="ppz" typeref="archive/mscabinet"/>
1041
+ <!-- Microsoft Access Snapshot Viewer file -->
1042
+ <file-extention name="snp" typeref="archive/mscabinet"/>
1043
+
1044
+ <!-- Musical Instrument Digital Interface -->
1045
+ <file-extention name="mid" typeref="audiovideo/soundmidi"/>
1046
+ <file-extention name="midi" typeref="audiovideo/soundmidi"/>
1047
+
1048
+ <!-- True Type font -->
1049
+ <file-extention name="ttf" typeref="font/truetype"/>
1050
+ <file-extention name="otf" typeref="font/truetype"/>
1051
+
1052
+ <!-- True Type font collection -->
1053
+ <file-extention name="ttc" typeref="font/truetypecollection"/>
1054
+
1055
+ <!-- Audio for Windows -->
1056
+ <file-extention name="wav" typeref="audiovideo/soundwave"/>
1057
+
1058
+ <!-- Real media file -->
1059
+ <file-extention name="rmf" typeref="audiovideo/soundreal"/>
1060
+
1061
+ <!-- Apple media file -->
1062
+ <file-extention name="m4a" typeref="audiovideo/apple"/>
1063
+
1064
+ <!-- 3GPP and 3GPP2 media files -->
1065
+ <file-extention name="3gp" typeref="audiovideo/3gp"/>
1066
+ <file-extention name="3g2" typeref="audiovideo/3gp"/>
1067
+
1068
+ <!-- Ogg Vorbis media file -->
1069
+ <file-extention name="oga" typeref="audiovideo/oggvorbis"/>
1070
+ <file-extention name="ogg" typeref="audiovideo/oggvorbis"/>
1071
+ <file-extention name="ogv" typeref="audiovideo/oggvorbis"/>
1072
+ <file-extention name="ogx" typeref="audiovideo/oggvorbis"/>
1073
+
1074
+ <!-- JPEG/JFIF graphics file -->
1075
+ <file-extention name="jfif" typeref="graphics/jpeg"/>
1076
+ <file-extention name="jpe" typeref="graphics/jpeg"/>
1077
+ <file-extention name="jpeg" typeref="graphics/jpeg"/>
1078
+ <file-extention name="jpg" typeref="graphics/jpeg"/>
1079
+
1080
+ <file-extention name="png" typeref="graphics/png"/>
1081
+
1082
+ <!-- PF file -->
1083
+ <file-extention name="pf" typeref="system/prefetchdata"/>
1084
+
1085
+ <!-- INI file -->
1086
+ <file-extention name="ini" typeref="other/configini"/>
1087
+ <file-extention name="url" typeref="other/configini"/>
1088
+ <file-extention name="inf" typeref="other/configini"/>
1089
+
1090
+ <!-- XML file -->
1091
+ <file-extention name="xml" typeref="document/xml"/>
1092
+
1093
+ <!-- Rich Text file -->
1094
+ <file-extention name="rtf" typeref="document/rtf"/>
1095
+
1096
+ <!-- IBM Notes Storage Facility (Lotus) -->
1097
+ <file-extention name="nsf" typeref="document/nsf"/>
1098
+
1099
+ <!-- MANIFEST file -->
1100
+ <file-extention name="manifest" typeref="document/manifestfile"/>
1101
+
1102
+ <!-- Video for Windows -->
1103
+ <file-extention name="avi" typeref="audiovideo/videoavi"/>
1104
+
1105
+ <!-- QuickTime movie file -->
1106
+ <file-extention name="mov" typeref="audiovideo/videoquicktime"/>
1107
+
1108
+ <!-- MPEG video file -->
1109
+ <file-extention name="mpg" typeref="audiovideo/videompeg"/>
1110
+ <file-extention name="mp4" typeref="audiovideo/videompeg"/>
1111
+ <file-extention name="m4v" typeref="audiovideo/videompeg"/>
1112
+
1113
+ <!-- MPEG audio file -->
1114
+ <file-extention name="mpg" typeref="audiovideo/soundmpeg"/>
1115
+ <file-extention name="mp3" typeref="audiovideo/soundmpeg"/>
1116
+
1117
+ <!-- Shockwave Flash file -->
1118
+ <file-extention name="swf" typeref="audiovideo/videoshockwave"/>
1119
+
1120
+ <!-- HTML Document -->
1121
+ <file-extention name="html" typeref="document/html"/>
1122
+ <file-extention name="htm" typeref="document/html"/>
1123
+
1124
+ <!-- Microsoft code page file -->
1125
+ <file-extention name="nls" typeref="system/nls"/>
1126
+
1127
+ <!-- Client UrlCache -->
1128
+ <file-extention name="dat" typeref="link/clienturlcache"/>
1129
+
1130
+ <!-- Personal Usage Data -->
1131
+ <file-extention name="pip" typeref="system/personalusagedata"/>
1132
+
1133
+ <!-- WBEM BTR Index -->
1134
+ <file-extention name="btr" typeref="btrwbem"/>
1135
+
1136
+ <!-- Print Job Options -->
1137
+ <file-extention name="joboptions" typeref="system/printjoboptions"/>
1138
+
1139
+ <!-- ZIP Archive Files -->
1140
+ <file-extention name="zip" typeref="archive/zipcompressed"/>
1141
+ <file-extention name="jar" typeref="executable/javaarchive"/>
1142
+ <file-extention name="odt" typeref="archive/zipcompressed"/>
1143
+ <file-extention name="odp" typeref="archive/zipcompressed"/>
1144
+ <file-extention name="ott" typeref="archive/zipcompressed"/>
1145
+
1146
+ <file-extention name="sxc" typeref="document/openoffice"/>
1147
+ <file-extention name="sxd" typeref="document/openoffice"/>
1148
+ <file-extention name="sxi" typeref="document/openoffice"/>
1149
+ <file-extention name="sxw" typeref="document/openoffice"/>
1150
+
1151
+ <!-- RAR Archive Files -->
1152
+ <file-extention name="rar" typeref="archive/rarcompressed"/>
1153
+
1154
+ <!-- 7z Archive Files -->
1155
+ <file-extention name="7z" typeref="archive/7zcompressed"/>
1156
+
1157
+ <!-- BZ2 Archive Files -->
1158
+ <file-extention name="bz2" typeref="archive/bz2compressed"/>
1159
+ <file-extention name="tb2" typeref="archive/bz2compressed"/>
1160
+ <file-extention name="tbz2" typeref="archive/bz2compressed"/>
1161
+
1162
+ <!-- gzip Archive Files -->
1163
+ <file-extention name="gz" typeref="archive/gzipcompressed"/>
1164
+
1165
+ <!-- lzh Archive Files -->
1166
+ <file-extention name="lzh" typeref="archive/lzhcompressed"/>
1167
+
1168
+ <!-- Tape Archive Files -->
1169
+ <file-extention name="tar" typeref="archive/tapearchive"/>
1170
+
1171
+ <!-- DIC IME Dictionary File -->
1172
+ <file-extention name="dic" typeref="graphics/imedic"/>
1173
+
1174
+ <!-- SDB SYSTEM/ Database Files -->
1175
+ <file-extention name="sdb" typeref="system/database"/>
1176
+
1177
+ <!-- Portable Network Graphics Frame Bitmap -->
1178
+ <file-extention name="pnf" typeref="graphics/pnfbitmap"/>
1179
+
1180
+ <!-- Command Extensions -->
1181
+ <file-extention name="cmd" typeref="executable/command"/>
1182
+
1183
+ <!-- Command Extensions -->
1184
+ <file-extention name="class" typeref="executable/javabytecode"/>
1185
+
1186
+ <!-- Config files -->
1187
+ <file-extention name="config" typeref="other/config"/>
1188
+
1189
+ <!-- Office Template files -->
1190
+ <!-- Template files removed as part of Sharepoint-STE (DGAGENT-2701) -->
1191
+
1192
+ <!-- OTHER/SymantecEndpointProtection -->
1193
+ <file-extention name="sep" typeref="other/symantecendpointprotection"/>
1194
+
1195
+ <!-- UniCode Extensions -->
1196
+ <file-extention name="uce" typeref="system/unicodeextensions"/>
1197
+
1198
+ <!-- MS Office Open XML -->
1199
+ <file-extention name="docx" typeref="document/msofficeopenxml"/>
1200
+ <file-extention name="pptx" typeref="document/msofficeopenxml"/>
1201
+ <file-extention name="xlsx" typeref="document/msofficeopenxml"/>
1202
+
1203
+ <!-- Adobe PDF -->
1204
+ <file-extention name="pdf" typeref="document/pdf"/>
1205
+ <file-extention name="fdf" typeref="document/pdf"/>
1206
+
1207
+ </file-extentions>
1208
+
1209
+ <filter-masks>
1210
+ <!-- Every bit of filtering mask represents an event type.
1211
+ The folowing are DG's event types:
1212
+
1213
+ USER_CD_BURN = 0x00000001,
1214
+ USER_NET_TRANSFER_DOWNLOAD = 0x00000002,
1215
+ USER_NET_TRANSFER_UPLOAD = 0x00000004,
1216
+ USER_NET_OP = 0x00000008,
1217
+ USER_FILE_ARCHIVE = 0x00000010,
1218
+ USER_FILE_EXTRACT = 0x00000020,
1219
+ USER_FILE_SAVEAS = 0x00000040,
1220
+ USER_FILE_EDIT = 0x00000080,
1221
+ USER_FILE_CREATE = 0x00000100,
1222
+ USER_FILE_DELETE = 0x00000200,
1223
+ USER_FILE_COPY = 0x00000400,
1224
+ USER_FILE_MOVE = 0x00000800,
1225
+ USER_FILE_OPEN = 0x00001000,
1226
+ USER_FILE_RENAME = 0x00002000,
1227
+ USER_FILE_READ = 0x00004000,
1228
+ USER_FILE_WRITE = 0x00008000,
1229
+ USER_FILE_RECYCLE = 0x00010000,
1230
+ USER_FILE_RESTORE = 0x00020000,
1231
+ USER_FILE_SETINFORMATION = 0x00040000,
1232
+ USER_FILE_CLOSE = 0x00080000,
1233
+ USER_APP_DATA_EXCHANGE = 0x00100000,
1234
+ USER_PRINT_FILE = 0x00200000,
1235
+ USER_ACTION_LOGON = 0x00400000,
1236
+ USER_ACTION_LOGOFF = 0x00800000,
1237
+ USER_APP_LOGON = 0x01000000,
1238
+ USER_APP_DATA_ACTION = 0x02000000,
1239
+ USER_APPLICATION_ACTION = 0x04000000,
1240
+ USER_ADE_CUT = 0x08000000,
1241
+ USER_ADE_PRINTSCREEN = 0x10000000,
1242
+ USER_ADE_PRINTPROCESS = 0x20000000,
1243
+ USER_SEND_MAIL = 0x40000000,
1244
+ USER_FILE_CLASSIFICATION = 0x80000000,
1245
+ USER_APP_BUFFER_CLASSIFICATION = 0x0100000000,
1246
+ USER_FILE_DECRYPT = 0x0200000000,
1247
+ USER_ADE_SCREEN_CAPTURE = 0x0400000000,
1248
+ USER_MAIL_ATTACH = 0x0800000000,
1249
+ USER_MODE_EXCLUDE_ENCRYPTION = 0x1000000000,
1250
+ USER_ADE_INSERT_FILE = 0x2000000000,
1251
+ USER_ADE_INSERT_NEW_OBJECT = 0x4000000000,
1252
+ USER_DOC_REPOSITORY = 0x8000000000,
1253
+ USER_FILE_VIEW = 0x10000000000,
1254
+ DEVICE_DETECTED = 0x20000000000,
1255
+ DEVICE_MISSING = 0x40000000000,
1256
+ DEVICE_ADDED = 0x80000000000,
1257
+ DEVICE_REMOVED = 0x100000000000,
1258
+ USER_APPLICATION_ACTION_EX = 0x200000000000
1259
+
1260
+ For instance, mask 137E80 represents the following event types:
1261
+
1262
+ USER_FILE_EDIT
1263
+ USER_FILE_DELETE
1264
+ USER_FILE_COPY
1265
+ USER_FILE_MOVE
1266
+ USER_FILE_OPEN
1267
+ USER_FILE_RENAME
1268
+ USER_FILE_READ
1269
+ USER_FILE_RECYCLE
1270
+ USER_FILE_RESTORE
1271
+ USER_APP_DATA_EXCHANGE
1272
+ -->
1273
+ <!-- USER_MODE_EXCLUDE_ENCRYPTION | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1274
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE | USER_FILE_CLASSIFICATION | USER_FILE_CREATE : 10801B5F00 -->
1275
+ <filter-mask mask="10801b5f00" typeref="system/registry"/>
1276
+ <filter-mask mask="10801b5f00" typeref="system/compluscatalog"/>
1277
+ <filter-mask mask="10801b5f00" typeref="executable/mscommonconsole"/>
1278
+
1279
+ <!-- USER_FILE_CREATE | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1280
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE | USER_FILE_CLASSIFICATION : 801B5F00 -->
1281
+ <filter-mask mask="801b5f00" typeref="system/performancelog"/>
1282
+ <filter-mask mask="801b5f00" typeref="system/wmidata"/>
1283
+ <filter-mask mask="801b5f00" typeref="system/datastore"/>
1284
+ <filter-mask mask="801b5f00" typeref="system/mssecuritycatalog"/>
1285
+
1286
+ <!-- NOTHING!!!! : 00000000 -->
1287
+ <filter-mask mask="00000000" typeref="executable/selfextractexec"/>
1288
+ <filter-mask mask="00000000" typeref="document/msofficeopenxml"/>
1289
+ <filter-mask mask="00000000" typeref="document/pdf"/>
1290
+ <filter-mask mask="00000000" typeref="document/xml"/>
1291
+ <filter-mask mask="00000000" typeref="document/rtf"/>
1292
+ <filter-mask mask="00000000" typeref="document/nsf"/>
1293
+ <filter-mask mask="00000000" typeref="document/msofficelegacy"/>
1294
+ <filter-mask mask="00000000" typeref="document/openoffice"/>
1295
+ <filter-mask mask="00000000" typeref="archive/rarcompressed"/>
1296
+ <filter-mask mask="00000000" typeref="archive/7zcompressed"/>
1297
+ <filter-mask mask="00000000" typeref="archive/bz2compressed"/>
1298
+ <filter-mask mask="00000000" typeref="archive/gzipcompressed"/>
1299
+ <filter-mask mask="00000000" typeref="archive/lzhcompressed"/>
1300
+ <filter-mask mask="00000000" typeref="archive/zipcompressed"/>
1301
+ <filter-mask mask="00000000" typeref="archive/tapearchive"/>
1302
+ <filter-mask mask="00000000" typeref="executable/javaarchive"/>
1303
+
1304
+ <!-- USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_RECYCLE | USER_FILE_RESTORE,
1305
+ USER_FILE_CLOSE | USER_APP_DATA_EXCHANGE | USER_MODE_EXCLUDE_ENCRYPTION | USER_FILE_CLASSIFICATION : 10801b0E00 -->
1306
+ <filter-mask mask="10801b0e00" typeref="executable/"/>
1307
+
1308
+ <!-- USER_FILE_CREATE | USER_MODE_EXCLUDE_ENCRYPTION | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1309
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE | USER_FILE_CLASSIFICATION | USER_MODE_EXCLUDE_ENCRYPTION: 10801b5F00 -->
1310
+ <filter-mask mask="10801b5f00" typeref="system/"/>
1311
+ <filter-mask mask="10801b5f00" typeref="other/symantecendpointprotection"/>
1312
+
1313
+ <!-- USER_FILE_CREATE | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1314
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE | USER_FILE_CLASSIFICATION : 801b5f00 -->
1315
+ <filter-mask mask="801b5f00" typeref="graphics/winicon"/>
1316
+ <filter-mask mask="801b5f00" typeref="graphics/wincursor"/>
1317
+ <filter-mask mask="801b5f00" typeref="system/winhelp"/>
1318
+ <filter-mask mask="801b5f00" typeref="system/unicodeextensions"/>
1319
+
1320
+ <!-- USER_FILE_DELETE | USER_FILE_OPEN | USER_FILE_CLOSE,
1321
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE : 1b5200 -->
1322
+ <filter-mask mask="1b5200" typeref="archive/msoutlook"/>
1323
+
1324
+ <!-- USER_FILE_EDIT | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE | USER_FILE_RENAME |
1325
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE : 1b7e80 -->
1326
+ <filter-mask mask="1b7e80" typeref="document/html"/>
1327
+
1328
+ <!-- USER_FILE_CREATE | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1329
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE : 1b5f00 -->
1330
+ <filter-mask mask="1b5f00" typeref="graphics/winbitmap"/>
1331
+ <filter-mask mask="1b5f00" typeref="graphics/imagegif"/>
1332
+ <filter-mask mask="1b5f00" typeref="graphics/tiff"/>
1333
+ <filter-mask mask="1b5f00" typeref="graphics/jpeg"/>
1334
+ <filter-mask mask="1b5f00" typeref="graphics/png"/>
1335
+ <filter-mask mask="1b5f00" typeref="graphics/imedic"/>
1336
+
1337
+ <!-- USER_FILE_CREATE | USER_FILE_DELETE | USER_FILE_COPY | USER_FILE_MOVE | USER_FILE_OPEN | USER_FILE_CLOSE,
1338
+ USER_FILE_READ | USER_FILE_RECYCLE | USER_FILE_RESTORE | USER_APP_DATA_EXCHANGE | USER_FILE_CLASSIFICATION : 801b5f00 -->
1339
+ <filter-mask mask="801b5f00" typeref="link/winshortcut"/>
1340
+ <filter-mask mask="801b5f00" typeref="archive/mscabinet"/>
1341
+ <filter-mask mask="801b5f00" typeref="audiovideo/soundmidi"/>
1342
+ <filter-mask mask="801b5f00" typeref="font/truetype"/>
1343
+ <filter-mask mask="801b5f00" typeref="font/truetypecollection"/>
1344
+ <filter-mask mask="801b5f00" typeref="audiovideo/soundwave"/>
1345
+ <filter-mask mask="801b5f00" typeref="audiovideo/soundreal"/>
1346
+ <filter-mask mask="801b5f00" typeref="audiovideo/apple"/>
1347
+ <filter-mask mask="801b5f00" typeref="audiovideo/3gp"/>
1348
+ <filter-mask mask="801b5f00" typeref="system/prefetchdata"/>
1349
+ <filter-mask mask="801b5f00" typeref="other/configini"/>
1350
+ <filter-mask mask="801b5f00" typeref="document/manifestfile"/>
1351
+ <filter-mask mask="801b5f00" typeref="executable/typelibrary"/>
1352
+ <filter-mask mask="801b5f00" typeref="audiovideo/videoavi"/>
1353
+ <filter-mask mask="801b5f00" typeref="audiovideo/videoquicktime"/>
1354
+ <filter-mask mask="801b5f00" typeref="audiovideo/videompeg"/>
1355
+ <filter-mask mask="801b5f00" typeref="audiovideo/soundmpeg"/>
1356
+ <filter-mask mask="801b5f00" typeref="audiovideo/videoshockwave"/>
1357
+ <filter-mask mask="801b5f00" typeref="audiovideo/oggvorbis"/>
1358
+ <filter-mask mask="801b5f00" typeref="system/nls"/>
1359
+ <filter-mask mask="801b5f00" typeref="link/clienturlcache"/>
1360
+ <filter-mask mask="801b5f00" typeref="system/personalusagedata"/>
1361
+ <filter-mask mask="801b5f00" typeref="btrwbem"/>
1362
+ <filter-mask mask="801b5f00" typeref="system/printjoboptions"/>
1363
+ <filter-mask mask="801b5f00" typeref="officetemplate"/>
1364
+ <filter-mask mask="801b5f00" typeref="officetemplatexmlzip"/>
1365
+
1366
+ <!-- USER_FILE_CLASSIFICATION | USER_FILE_CREATE : 0x80000100 -->
1367
+ <filter-mask mask="80000100" typeref="system/database"/>
1368
+ <filter-mask mask="80000100" typeref="graphics/pnfbitmap"/>
1369
+ <filter-mask mask="80000100" typeref="executable/command"/>
1370
+ <filter-mask mask="80000100" typeref="executable/javabytecode"/>
1371
+ <filter-mask mask="80000100" typeref="other/config"/>
1372
+
1373
+ </filter-masks>
1374
+
1375
+ <aspect-filter-masks>
1376
+ <!-- 87DFFFFA - Everything but USER_CD_BURN | USER_NET_TRANSFER_UPLOAD | USER_PRINT_FILE -->
1377
+ <aspect-filter mask="87DFFFFA" aspect-name="SYSTEM/Thread"/>
1378
+ <!-- 87DFF3FA - Everything but USER_FILE_COPY | USER_FILE_MOVE | USER_CD_BURN | USER_NET_TRANSFER_UPLOAD | USER_PRINT_FILE-->
1379
+ <aspect-filter mask="87DFF3FA" aspect-name="InternetBrowserTemporaryFiles">
1380
+ <!-- 87DF73FA - Everything but USER_FILE_WRITE | USER_FILE_COPY | USER_FILE_MOVE | USER_CD_BURN | USER_NET_TRANSFER_UPLOAD | USER_PRINT_FILE -->
1381
+ <aspect-filter-exclusion mask="87DF73FA" typeref="executable/" exclusion-mode="ExtentionOnly"/>
1382
+ <aspect-filter-exclusion mask="87DF73FA" typeref="system/" exclusion-mode="ExtentionOnly"/>
1383
+ </aspect-filter>
1384
+ <!-- 7DFF3FA - Everything but USER_CD_BURN | USER_NET_TRANSFER_UPLOAD | USER_PRINT_FILE | USER_FILE_CLASSIFICATION | USER_FILE_COPY | USER_FILE_MOVE-->
1385
+ <aspect-filter mask="7DFF3FA" aspect-name="ApplicationTemporaryFiles"/>
1386
+ </aspect-filter-masks>
1387
+ </root>
onecrl.json ADDED
prcsflgs.dat ADDED
@@ -0,0 +1,3258 @@
1
+ //=========================================================================
2
+ // PRCSFLGS.DAT
3
+ //
4
+ // This file allows control of how DG Control Flags are applied
5
+ // to processes when they run or are found to be running.
6
+ //
7
+ // Current Process Flags Definition
8
+ // (Version 9.3.0)
9
+ //
10
+ //
11
+ //
12
+ // Control Flag Name Parameter Value
13
+ // ------------------------ --------- -----------
14
+ // MPO_INVISIBLE IN 1
15
+ // MPO_IMMORTAL IM 2
16
+ // MPO_SKIPPED SK 4
17
+ // MPO_CD_BURNER CD 8
18
+ // MPO_TRUSTED TR 16
19
+ // MPO_SYSTEM SY 32
20
+ // MPO_AGENT AG 64
21
+ // MPO_BYPASS BY 128
22
+ // MPO_NO_INJECT NI 256
23
+ // MPO_SUBCLASS SB 512
24
+ // MPO_TRUSTED_FILEOPEN TF 1024
25
+ // MPO_WINDOW_STEALTH_SAFE WS 2048
26
+ // MPO_UBER_STEALTH US 4096
27
+ // MPO_EXPLORER EX 8192
28
+ // MPO_MULTI_DOC MD 16384
29
+ // MPO_MULTI_WIN MW 32768
30
+ // MPO_NO_PROMPTING NP 65536
31
+ // MPO_BACKUP BK 131072
32
+ // MPO_NO_APP_LOGGING NA 262144
33
+ // MPO_ARCHIVING AR 524288
34
+ // MPO_NO_CLASSIFICATION NC 1048576
35
+ // MPO_NO_DOC_PROPERTIES ND 2097152
36
+ // MPO_SCANNER SC 4194304
37
+ // MPO_RENAME_UNSAFE RU 8388608
38
+ // MPO_NO_TAG_PROPAGATION TP 16777216
39
+ // MPO_AGENT_3RD_PARTY A3 33554432
40
+ // MPO_ALLOW_ACI_SVC_ACCESS AI 67108864
41
+ // MPO_NO_VAULTING NV 134217728
42
+ // MPO_SCREEN_CAPTURING SR 268435456
43
+ // MPO_FILE_PATH_LOCK FP 536870912
44
+
45
+ // MPO_NO_NETWORK_OPS NN 2147483648
46
+ // MPO_NO_REPARSE NR 4294967296
47
+ // MPO_PROPAGATE_FLAGS PR 8589934592
48
+ // MPO_NO_CDBURN NB 17179869184
49
+ // MPO_NLNOTES NL 34359738368
50
+ // MPO_BACKUP_INTENT_HONORED BI 68719476736 // no reparse for a create marked FILE_OPEN_FOR_BACKUP_INTENT
51
+ // MPO_ALLOW_SCREEN_CAPTURE AS 137438953472
52
+ // MPO_CLASSIFICATION_ON_CLOSE CC 274877906944
53
+ // MPO_NO_ENCRYPTION NE 549755813888
54
+ // MPO_SHARING_SENSITIVE SH 1099511627776
55
+ // MPO_NO_CLOSED_FILE_HISTORY NH 2199023255552 // don't maintain closed file history for this process
56
+ // MPO_DISABLE_WND_PROC_HOOK WP 4398046511104 // No subclassing - We will not hook the window procedure
57
+ // MPO_RESERVE_VM VM 8796093022208
58
+ // MPO_NO_USER_AUTHORIZATION NU 17592186044416
59
+ // MPO_NO_SAM_PROTECTION NS 35184372088832
60
+ // MPO_CLASSIFICATION_STREAM_SAFE CSS 70368744177664
61
+ // MPO_SYSTEM_KEY_ADMIN KE 140737488355328
62
+ // MPO_STOP_PROPAGATED_FLAGS NPR 281474976710656
63
+ // MPO_NO_REPARSE_PATH RP 562949953421312 // DirCtrl.dat "SECTION AFE PROCESS NO REPARSE FILES:" has to be set to specify no_reparce files
64
+ // MPO_NO_ON_THE_FLY_CLASSIFICATION NF 1125899906842624
65
+ // MPO_ENABLE_ASYNC_WRITESTREAM AW 2251799813685248
66
+ // MPO_TRUSTED_WHILE_NO_EGRESS TN 4503599627370496
67
+ // MPO_NO_FILTERING NFLT 9007199254740992
68
+ // MPO_NO_PROCESS_EVENT NPROC 18014398509481984 // DG 7.0 : Do not send process refernce events for this process.
69
+ // MPO_CLASSIFY_ON_OVERWRITE CO 36028797018963968 // Output file to classify is saved with OVERWRITE_IF.
70
+ // MPO_NO_RESET NRST 576460752303423488 // On update of process flags keep original process flags for running processes.
71
+ // MPO_DETECT_USER_COPY DC 1152921504606846976 // Detect user copies in the kernel.
72
+
73
+ // Note: The old flag "EH" or MPO_ENUMERATE_DIR_HEADERS = 1073741824 is not used anymore
74
+
75
+ // You can a line to this file for each process you need special handling for.
76
+ // Simply specify the parameters you want after the process image name.
77
+ //
78
+ // Example:
79
+ // notepad.exe, TR+SK+IM //<--MPO_TRUSTED | MPO_SKIPPED | MPO_IMMORTAL
80
+ // winword.exe, NC+ND //<--MPO_NO_CLASSIFICATION | MPO_NO_DOC_PROPERTIES
81
+ //
82
+ // You may also use the numeric sum by adding together the appropriate values
83
+ //
84
+ // Example:
85
+ // notepad.exe,22 // <-MPO_TRUSTED | MPO_SKIPPED | MPO_IMMORTAL
86
+ // notepad.exe,3145728 // <-MPO_NO_CLASSIFICATION | MPO_NO_DOC_PROPERTIES
87
+ //
88
+ //
89
+ // Image names are limited to 15 characters.
90
+ //
91
+ // 4.0 and 5.0 prcsflgs.dat entries may include 2 optional qualifiers,
92
+ // fileVersion and companyname, separated by commas.
93
+ // The fileVersion qualifier may be used with or without companyname.
94
+ //
95
+ // fileVersion may be included as a nn.nn.nn.nn string,
96
+ // where nn represents a decimal number, whose value must be less than
97
+ // 65,536 (ie a USHORT).
98
+ //
99
+ // companyname may be included as a string of characters as appears in
100
+ // the version properties displayed for companyname.
101
+ //
102
+ // Entries without either will return flags to any process, with
103
+ // matching image name, but whose version/companyname does not match any
104
+ // entries having version/companyname data.
105
+ //
106
+ // Example:
107
+ //
108
+ // winword.exe, WS+SB, 11.0.6502.0, Microsoft Corporation
109
+ // dbgview.exe, 0256, 4.32.0.0
110
+ //
111
+ // Whitespace is generally ignored.
112
+ //
113
+ // Here is a VERY common one
114
+ // some_app.exe, NI+SK+NC+ND
115
+ //
116
+ // equivalent to...
117
+ // some_app.exe, 3145988
118
+ //
119
+ //
120
+ // Here is a another VERY common one
121
+ // some_app.exe, NI+SK+NC+ND+TR
122
+ //
123
+ // equivalent to...
124
+ // some_app.exe, 3146004
125
+ //
126
+ // You may also use an MD5 if running a V6.1 or better DGAGENT:
127
+ //
128
+ // notepad.exe, MD5=5E28284F9B5F9097640D58A73D38AD4C, NI
129
+ //
130
+ // You can include version info with MD5 entries as well:
131
+ //
132
+ // notepad.exe, MD5=5E28284F9B5F9097640D58A73D38AD4C, NI, 5.1.2600.5512, Microsoft Corporation
133
+ //
134
+ //
135
+ // NOTE: older agents will ignore lines with MD5= in the line as this is
136
+ // invalid for them.
137
+ //
138
+ //===========================================================================
139
+
140
+ //=====================================================================================================
141
+ // START OF ENTRIES TAKEN FROM PROCESSFLAGS.C
142
+ // Note:
143
+ // * This file contains duplicate process flag entries and they are case insensitive. Duplicate entries
144
+ // are intentionally inserted for completeness of list of processes for a given section.
145
+ //=====================================================================================================
146
+ pdboot.exe,SK+NI+NC+ND+NA+RU+NV
147
+ smss.exe,SK+NI+NC+ND+NA+RU+NV
148
+ msdtc.exe,SK+NI+NC+ND+NA+NV
149
+ csrss.exe,SK+NI+NC+ND+NA+NV
150
+ termsrv.exe,SK+NI+NC+ND+NA+NV
151
+ lsass.exe,SK+NI+NC+ND+NA+NV
152
+ LsaIso.exe,SK+NI+NC+ND+NA+NV+NPR
153
+ psxss.exe,SK+NI+NC+ND+NA+NV
154
+ alescan.exe,SK+NI+NC+ND+NA+NV
155
+ ccalert.exe,SK+NI+NC+ND+NA+NV
156
+ ccimscan.exe,SK+NI+NC+ND+NA
157
+ ccprod.exe,SK+NI+NC+ND+NA
158
+ ccpwdsvc.exe,SK+NI+NC+ND+NA+NV
159
+ ccpxysvc.exe,SK+NI+NC+ND+NA+NV
160
+ ccregvfy.exe,SK+NI+NC+ND+NA
161
+ ccscan.exe,SK+NI+NC+ND+NA+NV
162
+ ccshtdwn.exe,SK+NI+NC+ND+NA
163
+ frameworkservic,SK+NI+NC+ND+NA
164
+ iralrshl.exe,SK+NI+NC+ND+NA
165
+ lucomserver.exe,SK+NI+NC+ND+NA+NV
166
+ mcagent.exe,SK+NI+NC+ND+NA+NV
167
+ mcappins.exe,SK+NI+NC+ND+NA+NV
168
+ mcdash.exe,SK+NI+NC+ND+NA+NV
169
+ mcinfo.exe,SK+NI+NC+ND+NA+NV
170
+ mcmnhdlr.exe,SK+NI+NC+ND+NA+NV
171
+ mcscript.exe,SK+NI+NC+ND+NA+NV
172
+ mcupdmgr.exe,SK+NI+NC+ND+NA+NV
173
+ mcupdui.exe,SK+NI+NC+ND+NA+NV
174
+ navapsvc.exe,SK+NI+NC+ND+NA+NV
175
+ navapw32.exe,SK+NI+NC+ND+NA+NV
176
+ navstub.exe,SK+NI+NC+ND+NA+NV
177
+ navw32.exe,SK+NI+NC+ND+NA+NV
178
+ navwnt.exe,SK+NI+NC+ND+NA
179
+ nis.exe,SK+NI+NC+ND+NA
180
+ nisum.exe,SK+NI+NC+ND+NA
181
+ nmain.exe,SK+NI+NC+ND+NA
182
+ ofcdog.exe,SK+NI+NC+ND+NA
183
+ pccbrows.exe,SK+NI+NC+ND+NA
184
+ pccguide.exe,SK+NI+NC+ND+NA
185
+ pcclient.exe,SK+NI+NC+ND+NA
186
+ pccmain.exe,SK+NI+NC+ND+NA
187
+ pccpfw.exe,SK+NI+NC+ND+NA
188
+ pcctool.exe,SK+NI+NC+ND+NA
189
+ pmntsrv.exe,SK+NI+NC+ND+NA
190
+ pmoagent.exe,SK+NI+NC+ND+NA
191
+ sevinst.exe,SK+NI+NC+ND+NA
192
+ symant~1.exe,SK+NI+NC+ND+NA+NV
193
+ symmoni.exe,SK+NI+NC+ND+NA+NV
194
+ symtdirg.exe,SK+NI+NC+ND+NA+NV
195
+ taskhost.exe,SK+NI+NC+ND+NA+NV
196
+ tmupdito.exe,SK+NI+NC+ND+NA+NV
197
+ tra.exe,SK+NI+NC+ND+NA+NV
198
+ zapro.exe,SK+NI+NC+ND+NA+NV
199
+ zonealarm.exe,SK+NI+NC+ND+NA+NV
200
+ msvcmon.exe,SK+NI+NC+ND+NA
201
+ userinit.exe,SK+NI+NC+ND+NA+PR
202
+ explorer.exe,TF+EX+NV+NU+NPR
203
+ ie4uinit.exe,SK+NI+NC+ND+NA+PR+NPR
204
+
205
+ // fix for bug #3897 (mshta.exe will not start if injected)
206
+ mshta.exe,NI+NC+ND+NA
207
+
208
+ dfssvc.exe,SK+NI+NC+ND+NA+NV
209
+ llssrv.exe,SK+NI+NC+ND+NA+NV
210
+
211
+ // Following are VISTA processes, seen at logon, and "potentially" causing VISTA to error out logon
212
+ // and to generate nasty grams complaining about system tampering
213
+ autochk.exe,SK+NI+NC+ND+NA+NV
214
+ wininit.exe,SK+NI+NC+ND+NA+NV
215
+ lsm.exe,SK+NI+NC+ND+NA+NV
216
+ logonui.exe,SK+NI+NC+ND+NA+NV
217
+ slsvc.exe,SK+NI+NC+ND+NA+NV
218
+ taskeng.exe,SK+NI+NC+ND+NA+NV
219
+ dwm.exe,SK+NI+NC+ND+NA+NV
220
+ searchindexer.e,SK+NI+NC+ND+NA+NV
221
+
222
+ // remote registry service ( fix for bug #3932 )
223
+ regsvc.exe,SK+NI+NC+ND
224
+
225
+ java.exe,NI
226
+ javaw.exe,NI
227
+
228
+ // Known CD BURN processes
229
+ nero.exe,CD
230
+ creator7.exe,CD
231
+ creator6.exe,CD
232
+ creator8.exe,CD
233
+ drgtodisc.exe,CD
234
+
235
+ // [start] -----------------------------------------
236
+ // CITRIX processes
237
+ // we don't care about citrix processes
238
+ //--------------------------------------------------
239
+ cdmsvc.exe,SK+NI+NA+NV
240
+ ssonsvr.exe,SK+NI+NA+NV
241
+ // don't propagate flags from parent so CITRIX shared apps will be injected properly
242
+ // otherwise, they will be marked as SKIPPED!
243
+ wfshell.exe,NPR+SK+NI+NC+ND+NA+NV
244
+
245
+ // adding a series of flags based on an email from Support about Citrix processes
246
+ // not including wfshell since it conflicts with the previous coment.
247
+ // All other processes include PR as per the field. This may cause DG to be blind to some processes.
248
+ AuthManSvr.exe,NI+SK+NC+ND+TR+PR
249
+ BNDevice.exe,NI+SK+NC+ND+TR+PR
250
+ CdfSvc.exe,NI+SK+NC+ND+TR+PR
251
+ CitrixCseEngin,NI+SK+NC+ND+TR+PR
252
+ concentr.exe,NI+SK+NC+ND+TR+PR
253
+ CpSvc.exe,NI+SK+NC+ND+TR+PR
254
+ CtxSvcHost.exe,NI+SK+NC+ND+TR+PR
255
+ encsvc.exe,NI+SK+NC+ND+TR+PR
256
+ HCAService.exe,NI+SK+NC+ND+TR+PR
257
+ IMAAdvanceSrv.,NI+SK+NC+ND+TR+PR
258
+ ImaSrv.exe,NI+SK+NC+ND+TR+PR
259
+ mfcom.exe,NI+SK+NC+ND+TR+PR
260
+ RadeHlprSvc.ex,NI+SK+NC+ND+TR+PR
261
+ RadeObj.exe,NI+SK+NC+ND+TR+PR
262
+ RadeSvc.exe,NI+SK+NC+ND+TR+PR
263
+ Receiver.exe,NI+SK+NC+ND+TR+PR
264
+ SelfServicePlu,NI+SK+NC+ND+TR+PR
265
+ SemsService.ex,NI+SK+NC+ND+TR+PR
266
+ StatusTray.exe,NI+SK+NC+ND+TR+PR
267
+ UserProfileMan,NI+SK+NC+ND+TR+PR
268
+ VDARedirector.,NI+SK+NC+ND+TR+PR
269
+ wfcrun32.exe,NI+SK+NC+ND+TR+PR
270
+ XTE.exe,NI+SK+NC+ND+TR+PR
271
+ // also adding the recommended Documented flags for performance, when they do not conflict with the previous ones
272
+ vmacthlp.exe,SK+TR+NI+NC+ND
273
+ fbserver.exe,SK+TR+NI+NC+ND
274
+ rscorsvc.exe,SK+TR+NI+NC+ND
275
+ stSchedEx.exe,SK+TR+NI+NC+ND
276
+ ctxactivesync.e,SK+TR+NI+NC+ND
277
+ ctxxmlss.exe,SK+TR+NI+NC+ND
278
+ SmaService.exe,SK+TR+NI+NC+ND
279
+
280
+
281
+ // [end] -------------------------------------------
282
+
283
+ // [start] -----------------------------------------
284
+ // KENSINGTON MOUSE WORKS
285
+ kmw_run.exe,SK+NI+NC+ND+NA+NV
286
+ kmw_show.exe,SK+NI+NC+ND+NA+NV
287
+ // [end] -------------------------------------------
288
+
289
+ // Windows VISTA and Windows 7 Processes
290
+ audiodg.exe,SK+NI+NC+ND+NA+NV+PR+NPR+NPROC
291
+ ui0detect.exe,SK+NI+NC+ND+NA+NV
292
+ mfpmp.exe,SK+NI+NC+ND+NA+NV+NPR
293
+
294
+ // ACI / Autonomy / Attivio
295
+ kvoop.exe,SK+NI+NC+ND+NA+NV+A3
296
+ agentstore.exe,SK+NI+NC+ND+NA+NV+A3
297
+ autonomydish.ex,SK+NI+NC+ND+NA+NV+A3
298
+ dginspect.exe,SK+NI+NC+ND+NA+NV+A3
299
+ aieadvte.exe,SK+NI+NC+ND+NA+NV+A3
300
+
301
+
302
+ // The SRV driver handles SMB requests - and the oplock on the file is usually taken (atleast for W2K3 SP2)
303
+ // This means that the tagging method of signalling the agent process to open and tag the file cannot work
304
+ // since it will hang/deadlock. The thread in IRP_MJ_CREATE will timeout in 5 seconds, but the classification
305
+ // will still fail. By marking the thread NO CLASSIFICATION, classification (on-the-fly) will not occur
306
+ // and therefore no deadlock (but no classification either).
307
+ //{ L"srv.sys", MPO_NO_CLASSIFICATION
308
+
309
+ snagiteditor.ex,SR
310
+ snagit32.exe,SR
311
+ snagpriv.exe,SR
312
+
313
+ // DG-DDNA
314
+ ddna3.exe,SK+TR+TF+NI+NC+ND+NA+NV+A3+NPR
315
+
316
+ //=====================================================================================================
317
+ // END OF ENTRIES TAKEN FROM PROCESSFLAGS.C
318
+ //=====================================================================================================
319
+
320
+ //-------------------------------------------
321
+ // Verdasys Digital Guardian Agent Applications
322
+ //-------------------------------------------
323
+ dgmapiutil.exe,SK
324
+ mfcmapi.exe,SK,,Microsoft Corporation
325
+ dgupdate.exe,NI+SK+BY+AG+NC+ND+NA+NV+NE
326
+ dgupdate2.exe,NI+SK+BY+AG+NC+ND+NA+NV+NE
327
+ // dgET is used to tell the agent to retrieve settings, and cannt be injected
328
+ dgET.exe, NI+SK+NC+ND+TR
329
+ ScannerMonitor.,SK
330
+ DGStat.exe,SK
331
+ //Bug #12841 - Dgkill does not work in stealth mode
332
+ DgKillExe.exe,4
333
+ terminator.exe,4
334
+ // uninstall using dgagentsetup.exe
335
+ roleBES:dgagentsetup.ex,SK+NI
336
+ // DGProfiler install
337
+ DGProfilerInsta,NI+SK+TR
338
+ DGJournal.exe,NI+SK+AG+NC+ND+NA+NV+NE
339
+ dgextract.exe,NI+SK+NC+ND+TR
340
+
341
+ //-------------------------------------------
342
+ // AppV application and its children
343
+ //-------------------------------------------
344
+ sfttray.exe,RP+PR
345
+
346
+ //---------------------------------------------------------
347
+ // Universal Apps :aka MetroApps - Excluded for AFE
348
+ //---------------------------------------------------------
349
+ wwahost.exe,NR+PR
350
+ runtimebroker.exe,NR+PR
351
+ wshost.exe,NR+PR
352
+ sihost.exe,RP+PR
353
+
354
+
355
+
356
+ //-------------------------------------------
357
+ // Broadcom MoCA applications
358
+ //-------------------------------------------
359
+ oc8800_emulatio,NI+SK+NC+ND+TR
360
+ moca_simulator.,NI+SK+NC+ND+TR
361
+ motek.exe,NI+SK+NC+ND+TR
362
+ calc_iq.exe,NI+SK+NC+ND+TR
363
+ calc_snr.exe,NI+SK+NC+ND+TR
364
+ gen_reg_batch.e,NI+SK+NC+ND+TR
365
+ gen_reg_batch_p,NI+SK+NC+ND+TR
366
+ show_packet.exe,NI+SK+NC+ND+TR
367
+ show_slicer.exe,NI+SK+NC+ND+TR
368
+ start_moca.exe,NI+SK+NC+ND+TR
369
+ avhdl.exe,NI+SK+NC+ND+TR
370
+
371
+ //-------------------------------------------
372
+ // Clearcase 7
373
+ //-------------------------------------------
374
+
375
+ abe.exe,NI+SK+NC+ND+TR
376
+ act_null_cs.exe,NI+SK+NC+ND+TR
377
+ admin_server.ex,NI+SK+NC+ND+TR
378
+ albd_server.exe,NI+SK+NC+ND+TR
379
+ bdtm.exe,NI+SK+NC+ND+TR
380
+ ccdoctor.exe,NI+SK+NC+ND+TR
381
+ ccfs_server.exe,NI+SK+NC+ND+TR
382
+ CCImportWizard.,NI+SK+NC+ND+TR
383
+ ccjbinstall.exe,NI+SK+NC+ND+TR
384
+ ccperl.exe,NI+SK+NC+ND+TR
385
+ Clearaas.exe,NI+SK+NC+ND+TR
386
+ clearapplywizar,NI+SK+NC+ND+TR
387
+ clearaudit.exe,NI+SK+NC+ND+TR
388
+ clearcomptree.e,NI+SK+NC+ND+TR
389
+ cleardescribe.e,NI+SK+NC+ND+TR
390
+ cleardiff.exe,NI+SK+NC+ND+TR
391
+ cleardiffbl.exe,NI+SK+NC+ND+TR
392
+ cleardiffmrg.ex,NI+SK+NC+ND+TR
393
+ cleardlg.exe,NI+SK+NC+ND+TR
394
+ clearexplorer.e,NI+SK+NC+ND+TR
395
+ clearexport_cca,NI+SK+NC+ND+TR
396
+ clearexport_cvs,NI+SK+NC+ND+TR
397
+ clearexport_ffi,NI+SK+NC+ND+TR
398
+ clearexport_pvc,NI+SK+NC+ND+TR
399
+ clearexport_rcs,NI+SK+NC+ND+TR
400
+ clearexport_ssa,NI+SK+NC+ND+TR
401
+ clearfindco.exe,NI+SK+NC+ND+TR
402
+ clearfsimport.e,NI+SK+NC+ND+TR
403
+ clearhistory.ex,NI+SK+NC+ND+TR
404
+ clearhomebase.e,NI+SK+NC+ND+TR
405
+ clearimport.exe,NI+SK+NC+ND+TR
406
+ clearlicense.ex,NI+SK+NC+ND+TR
407
+ clearlstype.exe,NI+SK+NC+ND+TR
408
+ clearmake.exe,NI+SK+NC+ND+TR
409
+ clearmenuadmin.,NI+SK+NC+ND+TR
410
+ clearmrgman.exe,NI+SK+NC+ND+TR
411
+ clearprojexp.ex,NI+SK+NC+ND+TR
412
+ clearprojtool.e,NI+SK+NC+ND+TR
413
+ clearprompt.exe,NI+SK+NC+ND+TR
414
+ cleartool.exe,NI+SK+NC+ND+TR
415
+ clearviewtool.e,NI+SK+NC+ND+TR
416
+ clearviewupdate,NI+SK+NC+ND+TR
417
+ clearvobtool.ex,NI+SK+NC+ND+TR
418
+ clearvtree.exe,NI+SK+NC+ND+TR
419
+ cqconfig.exe,NI+SK+NC+ND+TR
420
+ cqquery.exe,NI+SK+NC+ND+TR
421
+ cqtrigger_coci.,NI+SK+NC+ND+TR
422
+ cqtrigger_unco.,NI+SK+NC+ND+TR
423
+ credmap_server.,NI+SK+NC+ND+TR
424
+ crmregister.exe,NI+SK+NC+ND+TR
425
+ db_dumper.exe,NI+SK+NC+ND+TR
426
+ db_loader.exe,NI+SK+NC+ND+TR
427
+ db_server.exe,NI+SK+NC+ND+TR
428
+ hostid.exe,NI+SK+NC+ND+TR
429
+ htmlmgr.exe,NI+SK+NC+ND+TR
430
+ imsglog.exe,NI+SK+NC+ND+TR
431
+ lockmgr.exe,NI+SK+NC+ND+TR
432
+ msitedlg.exe,NI+SK+NC+ND+TR+NE+PR
433
+ multitool.exe,NI+SK+NC+ND+TR
434
+ mvfscache.exe,NI+SK+NC+ND+TR
435
+ mvfslog.exe,NI+SK+NC+ND+TR
436
+ mvfsstat.exe,NI+SK+NC+ND+TR
437
+ mvfsstorage.exe,NI+SK+NC+ND+TR
438
+ mvfstest.exe,NI+SK+NC+ND+TR
439
+ mvfstime.exe,NI+SK+NC+ND+TR
440
+ mvfsversion.exe,NI+SK+NC+ND+TR
441
+ notify.exe,NI+SK+NC+ND+TR
442
+ omake.exe,NI+SK+NC+ND+TR
443
+ pbimport.exe,NI+SK+NC+ND+TR
444
+ pblpopulate.exe,NI+SK+NC+ND+TR
445
+ promote_server.,NI+SK+NC+ND+TR
446
+ rccbuild.exe,NI+SK+NC+ND+TR
447
+ rccMKSecure.exe,NI+SK+NC+ND+TR
448
+ rccTSOServer.ex,NI+SK+NC+ND+TR
449
+ regsync.exe,NI+SK+NC+ND+TR
450
+ rgy_backup.exe,NI+SK+NC+ND+TR
451
+ rgy_check.exe,NI+SK+NC+ND+TR
452
+ rgy_passwd.exe,NI+SK+NC+ND+TR
453
+ rgy_switchover.,NI+SK+NC+ND+TR
454
+ scrubber.exe,NI+SK+NC+ND+TR
455
+ squidtool.exe,NI+SK+NC+ND+TR
456
+ tfdmgr.exe,NI+SK+NC+ND+TR
457
+ vdmaudit.exe,NI+SK+NC+ND+TR
458
+ view_dumper_10.,NI+SK+NC+ND+TR
459
+ view_scrubber.e,NI+SK+NC+ND+TR
460
+ view_server.exe,NI+SK+NC+ND+TR
461
+ vobrpc_server.e,NI+SK+NC+ND+TR
462
+ vob_scrubber.ex,NI+SK+NC+ND+TR
463
+ vob_server.exe,NI+SK+NC+ND+TR
464
+ wordconfig.exe,NI+SK+NC+ND+TR
465
+ worddiffmrg.exe,NI+SK+NC+ND+TR
466
+ xdemgr.exe,NI+SK+NC+ND+TR
467
+ xmldiffmrg.exe,NI+SK+NC+ND+TR
468
+ xtoolsmgr.exe,NI+SK+NC+ND+TR
469
+ zmgr.exe,NI+SK+NC+ND+TR
470
+ ztfdmgr.exe,NI+SK+NC+ND+TR
471
+
472
+ //-------------------------------------------
473
+ // BMAPI Exclusions
474
+ //-------------------------------------------
475
+
476
+ MSDEV.EXE,NI+SK+NC+ND+TR
477
+ TestApp.EXE,NI+SK+NC+ND+TR
478
+
479
+ //-------------------------------------------
480
+ // Richmond QA Team
481
+ //-------------------------------------------
482
+
483
+ RFS.EXE,NI+SK+NC+ND+TR
484
+ RTPBLASTER.EXE,NI+SK+NC+ND+TR
485
+ CAPTURELOG.EXE,NI+SK+NC+ND+TR
486
+ RFSSERVER.EXE,NI+SK+NC+ND+TR
487
+ TEE.EXE,NI+SK+NC+ND+TR
488
+ PUMPKIN.EXE,NI+SK+NC+ND+TR
489
+ WISH83.EXE,NI+SK+NC+ND+TR
490
+ rpcsh.exe,NI+SK+NC+ND+TR
491
+ CTHELPER.EXE,NI+SK+NC+ND+TR
492
+ PUTTYCYG.EXE,NI+SK+NC+ND+TR
493
+
494
+ //-------------------------------------------
495
+ // Dual core fix
496
+ //-------------------------------------------
497
+ NTKRNLPA.EXE,NI+SK+NC+ND+TR
498
+ NTKRNLPL.EXE,NI+SK+NC+ND+TR
499
+
500
+ //-------------------------------------------
501
+ // Trust X1
502
+ //-------------------------------------------
503
+
504
+ X1.exe,NI+SK+NC+ND+TR
505
+ X1Service.exe,NI+SK+NC+ND+TR
506
+ X1Systray.exe,NI+SK+NC+ND+TR
507
+
508
+ //-------------------------------------------
509
+ // ati video
510
+ //-------------------------------------------
511
+
512
+ 1xconfig.exe,NI+SK+NC+ND+TR
513
+ amm2iw32.exe,NI+SK+NC+ND+TR
514
+ ati2evxx.exe,NI+SK+NC+ND+TR
515
+ ati2mdxx.exe,NI+SK+NC+ND+TR
516
+ ati2sgag.exe,NI+SK+NC+ND+TR
517
+ atiprbxx.exe,NI+SK+NC+ND+TR
518
+ atiptaxx.exe,NI+SK+NC+ND+TR
519
+
520
+ //-------------------------------------------
521
+ // Broadcom Wireless Tool
522
+ //-------------------------------------------
523
+
524
+ bcmwltry.exe,NI+SK+NC+ND+TR
525
+ caft.exe,NI+SK+NC+ND+TR
526
+ caftf.exe,NI+SK+NC+ND+TR
527
+ cam.exe,NI+SK+NC+ND+TR
528
+ camclose.exe,NI+SK+NC+ND+TR
529
+ cvtres.exe,NI+SK+NC+ND+TR
530
+ disrv.exe,NI+SK+NC+ND+TR
531
+ filepathsrv.exe,NI+SK+NC+ND+TR
532
+ hkcmd.exe,NI+SK+NC+ND+TR
533
+ iagwnt.exe,NI+SK+NC+ND+TR
534
+ ig40wnt.exe,NI+SK+NC+ND+TR
535
+ inovw32.exe,NI+SK+NC+ND+TR
536
+ launchephd.exe,NI+SK+NC+ND+TR
537
+ naPrdMgr.exe,SK+NPR
538
+ nwtray.exe,NI+SK+NC+ND+TR
539
+ pcgprot.exe,NI+SK+NC+ND+TR
540
+ sdcmd.exe,NI+SK+NC+ND+TR
541
+ sdjexec.exe,NI+SK+NC+ND+TR
542
+ sdserv.exe,NI+SK+NC+ND+TR
543
+ swmspwnt.exe,NI+SK+NC+ND+TR
544
+ sxplog32.exe,NI+SK+NC+ND+TR
545
+ tbmon.exe,NI+SK+NC+ND+TR
546
+ triggag.exe,NI+SK+NC+ND+TR
547
+ umclisvc.exe,NI+SK+NC+ND+TR
548
+ umcstub.exe,NI+SK+NC+ND+TR
549
+ umdifw32.exe,NI+SK+NC+ND+TR
550
+ usermodule.exe,NI+SK+NC+ND+TR
551
+ VsTskMgr.exe,SK+NPR
552
+
553
+ //-------------------------------------------
554
+ // Viewstore directory apps
555
+ //-------------------------------------------
556
+
557
+ cccredmgr.exe,NI+SK+NC+ND+TR
558
+ cqintsvr11.exe,NI+SK+NC+ND+TR
559
+
560
+ //-------------------------------------------
561
+ // BT Test Tool exes
562
+ //-------------------------------------------
563
+
564
+ drwho.exe,NI+SK+NC+ND+TR
565
+ btcputil.exe,NI+SK+NC+ND+TR
566
+ sbc_decoder.exe,NI+SK+NC+ND+TR
567
+ bluetoothdecode,NI+SK+NC+ND+TR
568
+ cfamaker applic,NI+SK+NC+ND+TR
569
+ csrusbdevicesup,NI+SK+NC+ND+TR
570
+ framedecoderdev,NI+SK+NC+ND+TR
571
+ liveimportdevel,NI+SK+NC+ND+TR
572
+ advancedusb.exe,NI+SK+NC+ND+TR
573
+ bluetrim.exe,NI+SK+NC+ND+TR
574
+ btcpds.exe,NI+SK+NC+ND+TR
575
+ btusbds.exe,NI+SK+NC+ND+TR
576
+ dsaggregator.ex,NI+SK+NC+ND+TR
577
+ exitmessage.exe,NI+SK+NC+ND+TR
578
+ fts.exe,NI+SK+NC+ND+TR
579
+ ftsautoserver.e,NI+SK+NC+ND+TR
580
+ hsu.exe,NI+SK+NC+ND+TR
581
+ liveimport.exe,NI+SK+NC+ND+TR
582
+ mth2cpp.exe,NI+SK+NC+ND+TR
583
+ multiunitlicens,NI+SK+NC+ND+TR
584
+ snupy.exe,NI+SK+NC+ND+TR
585
+
586
+ //-------------------------------------------
587
+ // Java exes
588
+ //
589
+ // javaw.exe has special flags for Screen CI
590
+ //
591
+ // These have been removed and should not be
592
+ // in the default file we ship.
593
+ //
594
+ // java.exe,NI+SK+NC+ND+TR
595
+ // javaw.exe,NI+SK+NC+ND+TR+SB+MD+MW
596
+ //-------------------------------------------
597
+
598
+ javacpl.exe,NI+SK+NC+ND+TR
599
+ javaws.exe,NI+SK+NC+ND+TR
600
+ jucheck.exe,NI+SK+NC+ND+TR
601
+ jusched.exe,NI+SK+NC+ND+TR
602
+ Keytool.exe,SK+NPR
603
+ Kinit.exe,SK+NPR
604
+ Klist.exe,SK+NPR
605
+ Ktab.exe,SK+NPR
606
+ orbd.exe,NI+SK+NC+ND+TR
607
+ Pack200.exe,SK+NPR
608
+ Policytool.exe,SK+NPR
609
+ rmid.exe,NI+SK+NC+ND+TR
610
+ Rmiregistry.exe,SK+NPR
611
+ Servertool.exe,SK+NPR
612
+ Tnameserv.exe,SK+NPR
613
+ Unpack200.exe,SK+NPR
614
+
615
+ //-------------------------------------------
616
+ // Other build exes
617
+ //-------------------------------------------
618
+
619
+ arcd.exe,NI+SK+NC+ND+TR
620
+ FLEXidCleanUtil,NI+SK+NC+ND+TR
621
+ FLEXidInstaller,NI+SK+NC+ND+TR
622
+ lmborrow.exe,NI+SK+NC+ND+TR
623
+ lmdiag.exe,NI+SK+NC+ND+TR
624
+ lmdown.exe,NI+SK+NC+ND+TR
625
+ lmgrd.exe,NI+SK+NC+ND+TR
626
+ lmhostid.exe,NI+SK+NC+ND+TR
627
+ lmpath.exe,NI+SK+NC+ND+TR
628
+ lmremove.exe,NI+SK+NC+ND+TR
629
+ lmreread.exe,NI+SK+NC+ND+TR
630
+ lmstat.exe,NI+SK+NC+ND+TR
631
+ lmswitchr.exe,NI+SK+NC+ND+TR
632
+ lmtools.exe,NI+SK+NC+ND+TR
633
+ lmver.exe,NI+SK+NC+ND+TR
634
+ mqxc_icon.exe,NI+SK+NC+ND+TR
635
+ mide.exe,NI+SK+NC+ND+TR
636
+ dot.exe,NI+SK+NC+ND+TR
637
+ mwprof.exe,NI+SK+NC+ND+TR
638
+ neato.exe,NI+SK+NC+ND+TR
639
+ Profiler.exe,NI+SK+NC+ND+TR
640
+ mwfind.exe,NI+SK+NC+ND+TR
641
+ xilinx_readback,NI+SK+NC+ND+TR
642
+ bplist.exe,NI+SK+NC+ND+TR
643
+ bpmerge.exe,NI+SK+NC+ND+TR
644
+ cld.exe,NI+SK+NC+ND+TR
645
+ detectapp.exe,NI+SK+NC+ND+TR
646
+ elf2bin.exe,NI+SK+NC+ND+TR
647
+ elf2hex.exe,NI+SK+NC+ND+TR
648
+ findhelp.exe,NI+SK+NC+ND+TR
649
+ gpio.exe,NI+SK+NC+ND+TR
650
+ inlvc.exe,NI+SK+NC+ND+TR
651
+ ldvc.exe,NI+SK+NC+ND+TR
652
+ logparser.exe,SK+NPR
653
+ nmvc.exe,NI+SK+NC+ND+TR
654
+ pif.exe,NI+SK+NC+ND+TR
655
+ profvc.exe,NI+SK+NC+ND+TR
656
+ scvc.exe,NI+SK+NC+ND+TR
657
+ sizevc.exe,NI+SK+NC+ND+TR
658
+ stripvc.exe,NI+SK+NC+ND+TR
659
+ wgnuplot.exe,NI+SK+NC+ND+TR
660
+ tevi_vc.exe,NI+SK+NC+ND+TR
661
+ hcvc.exe,NI+SK+NC+ND+TR
662
+ hcvc1.exe,NI+SK+NC+ND+TR
663
+ hcvc2.exe,NI+SK+NC+ND+TR
664
+ asvc.exe,NI+SK+NC+ND+TR
665
+ arvc.exe,NI+SK+NC+ND+TR
666
+ echo.exe,NI+SK+NC+ND+TR
667
+ mkdir.exe,NI+SK+NC+ND+TR
668
+ find.exe,NI+SK+NC+ND+TR
669
+ comm.exe,NI+SK+NC+ND+TR
670
+ sort.exe,NI+SK+NC+ND+TR
671
+ tr.exe,NI+SK+NC+ND+TR
672
+ sed.exe,NI+SK+NC+ND+TR
673
+ filter.exe,NI+SK+NC+ND+TR
674
+ sizevlls.exe,NI+SK+NC+ND+TR
675
+ elfdumpvc.exe,NI+SK+NC+ND+TR
676
+
677
+ //-------------------------------------------
678
+ // Cisco VPN Client
679
+ //-------------------------------------------
680
+
681
+ cvpnd.exe,NI+SK+NC+ND+TR
682
+ //vpngui.exe,NI+SK+NC+ND+TR
683
+ // add PR
684
+ vpngui.exe,SK+TR+NI+NC+ND+PR
685
+ vpnagent.exe,NI+SK+NC+ND+TR
686
+ vpnui.exe,SK+TR+NI+NC+ND
687
+
688
+ //-------------------------------------------
689
+ // iPod Stuff
690
+ //-------------------------------------------
691
+
692
+ iPodService.exe,NI+SK+NC+ND+TR
693
+ iTunesHelper.ex,NI+SK+NC+ND+TR
694
+ AppleMobileDevi,NI+SK+NC+ND+TR
695
+
696
+ //-------------------------------------------
697
+ // Dell Applications
698
+ //-------------------------------------------
699
+
700
+ quickset.exe,NI+SK+NC+ND+TR
701
+ WLTRAY.EXE,NI+SK+NC+ND+TR
702
+ WLTRYSVC.EXE,NI+SK+NC+ND+TR
703
+ apntex.exe,SK+NPR
704
+ apoint.exe,SK+NPR
705
+ nvsvc32.exe,NI+SK+NC+ND+TR
706
+
707
+ //-------------------------------------------
708
+ // Windows Services
709
+ //-------------------------------------------
710
+
711
+ spoolsv.exe,NI+SK+NC+ND+TR+NA+NV
712
+ alg.exe,NI+SK+NC+ND+TR
713
+ Communicator.ex,NI+SK+NC+ND+TR
714
+ MDM.EXE,NI+SK+NC+ND+TR
715
+ scardsvr.exe,NI+SK+NC+ND+TR
716
+
717
+ //-------------------------------------------
718
+ // Additional Symantec Endpoint Protection 11 Programs:
719
+ //-------------------------------------------
720
+
721
+ WSCSAvNotifier.,NI+SK+NC+ND+TR
722
+
723
+ //-------------------------------------------
724
+ // Cygwin
725
+ //-------------------------------------------
726
+
727
+ cygwin.exe,NI+SK+NC+ND+TR
728
+
729
+ //-------------------------------------------
730
+ // UK Video Tools
731
+ //-------------------------------------------
732
+
733
+ dispman2_obj.ex,NI+SK+NC+ND+TR
734
+
735
+ //-------------------------------------------
736
+ // ZSP Tools
737
+ //-------------------------------------------
738
+
739
+ sdcpp.exe,NI+SK+NC+ND+TR
740
+ sdar.exe,NI+SK+NC+ND+TR
741
+ sdas.exe,NI+SK+NC+ND+TR
742
+ sdbug400.exe,NI+SK+NC+ND+TR
743
+ sdcc.exe,NI+SK+NC+ND+TR
744
+ sdcc1.exe,NI+SK+NC+ND+TR
745
+ sdelfread.exe,NI+SK+NC+ND+TR
746
+ sdld.exe,NI+SK+NC+ND+TR
747
+ sdnm.exe,NI+SK+NC+ND+TR
748
+ sdobjcopy.exe,NI+SK+NC+ND+TR
749
+ sdobjdump.exe,NI+SK+NC+ND+TR
750
+ sdopt.exe,NI+SK+NC+ND+TR
751
+ sdranlib.exe,NI+SK+NC+ND+TR
752
+ sdsize.exe,NI+SK+NC+ND+TR
753
+ sdstrings.exe,NI+SK+NC+ND+TR
754
+ sdstrip.exe,NI+SK+NC+ND+TR
755
+ zisim400.exe,NI+SK+NC+ND+TR
756
+ zsim400.exe,NI+SK+NC+ND+TR
757
+
758
+ //-------------------------------------------
759
+ // Altiris processes
760
+ //-------------------------------------------
761
+
762
+ ACLIENT.EXE,NI+SK+NC+ND+TR
763
+ AClntUsr.EXE,NI+SK+NC+ND+TR
764
+ AeXAgentActivat,NI+SK+NC+ND+TR
765
+ AeXAgentDesktop,NI+SK+NC+ND+TR
766
+ AeXAgentUIHost.,NI+SK+NC+ND+TR
767
+ AeXAgentUtil.ex,NI+SK+NC+ND+TR
768
+ AeXNSAgent.exe,NI+SK+NC+ND+TR
769
+ AeXNSInvCollect,NI+SK+NC+ND+TR
770
+ AeXSWDAppInv.ex,NI+SK+NC+ND+TR
771
+ AeXSWDSolnAgent,NI+SK+NC+ND+TR
772
+ AeXSWDUsr.exe,NI+SK+NC+ND+TR
773
+ AeXSWDUsrUIWin.,NI+SK+NC+ND+TR
774
+ SWRAgentUtils.e,NI+SK+NC+ND+TR
775
+ UnInstallSynchA,NI+SK+NC+ND+TR
776
+ AeXPatchUtil.ex,NI+SK+NC+ND+TR
777
+ AeXAuditPls.exe,NI+SK+NC+ND+TR
778
+ AeXCustInv.exe,NI+SK+NC+ND+TR
779
+ AeXExchPls.exe,NI+SK+NC+ND+TR
780
+ AeXInvSoln.exe,NI+SK+NC+ND+TR
781
+ AeXMachInv.exe,NI+SK+NC+ND+TR
782
+ AeXRunControl.e,NI+SK+NC+ND+TR
783
+ AeXSNPlus.exe,NI+SK+NC+ND+TR
784
+ SNData.exe,NI+SK+NC+ND+TR
785
+ SNData2.exe,NI+SK+NC+ND+TR
786
+ mechelenvpn.exe,NI+SK+NC+ND+TR
787
+ ClientUtil32.ex,NI+SK+NC+ND+TR
788
+ trustedsites.ex,NI+SK+NC+ND+TR
789
+ qchain.exe,NI+SK+NC+ND+TR
790
+
791
+ //-------------------------------------------
792
+ // Clearcase
793
+ //-------------------------------------------
794
+
795
+ ratlperl.exe,NI+SK+NC+ND+TR
796
+ clearview.exe,NI+SK+NC+ND+TR
797
+ cchelper.exe,NI+SK+NC+ND+TR
798
+
799
+ //-------------------------------------------
800
+ // Broadcom standard build processes
801
+ //-------------------------------------------
802
+
803
+ hausmake.exe,NI+SK+NC+ND+TR
804
+ make.exe,NI+SK+NC+ND+TR
805
+ gmake.exe,NI+SK+NC+ND+TR
806
+ mips-elf-gcc.ex,NI+SK+NC+ND+TR
807
+ cc1.exe,NI+SK+NC+ND+TR
808
+ cpp0.exe,NI+SK+NC+ND+TR
809
+ cygpath.exe,NI+SK+NC+ND+TR
810
+
811
+
812
+ grep.exe,NI+SK+NC+ND+TR
813
+
814
+ //-------------------------------------------
815
+ // Lotus Notes
816
+ //-------------------------------------------
817
+ nlnotes.exe,NL
818
+ amovie.exe,NI+SK+NC+ND+TR
819
+ ldapsearch.exe,NI+SK+NC+ND+TR
820
+ memcheck.exe,NI+SK+NC+ND+TR
821
+ nadminp.exe,NI+SK+NC+ND+TR
822
+ nca.exe,NI+SK+NC+ND+TR
823
+ nchronos.exe,NI+SK+NC+ND+TR
824
+ ncollect.exe,NI+SK+NC+ND+TR
825
+ ncompact.exe,NI+SK+NC+ND+TR
826
+ nconvert.exe,NI+SK+NC+ND+TR
827
+ ndctest.exe,NI+SK+NC+ND+TR
828
+ ndefault.exe,NI+SK+NC+ND+TR
829
+ ndyncfg.exe,NI+SK+NC+ND+TR
830
+ nevent.exe,NI+SK+NC+ND+TR
831
+ nfileret.exe,NI+SK+NC+ND+TR
832
+ nfixup.exe,NI+SK+NC+ND+TR
833
+ nlogasio.exe,NI+SK+NC+ND+TR
834
+ nminder.exe,NI+SK+NC+ND+TR
835
+ nnotesmm.exe,NI+SK+NC+ND+TR
836
+ npop3.exe,NI+SK+NC+ND+TR
837
+ nsd.exe,NI+SK+NC+ND+TR
838
+ nsenddiag.exe,NI+SK+NC+ND+TR
839
+ ntrends.exe,NI+SK+NC+ND+TR
840
+ nupdall.exe,NI+SK+NC+ND+TR
841
+ nupdate.exe,NI+SK+NC+ND+TR
842
+ nxpcdmn.exe,NI+SK+NC+ND+TR
843
+ qnc.exe,NI+SK+NC+ND+TR
844
+ rtfcnvt.exe,NI+SK+NC+ND+TR
845
+ sminstal.exe,NI+SK+NC+ND+TR
846
+ smupdate.exe,NI+SK+NC+ND+TR
847
+ stconnagent30.e,NI+SK+NC+ND+TR
848
+
849
+ //-------------------------------------------
850
+ // #12048
851
+ // Ntaskldr.exe is the Notes Task Loader.
852
+ // Ntaskldr.exe is a single process that runs
853
+ // on Windows operating systems, and carries
854
+ // out the various tasks by spawning threads
855
+ // instead of loading individual processes.
856
+ //-------------------------------------------
857
+ ntaskldr.exe,NI+SK+NC+ND+TR
858
+
859
+ // Below this line is DG Default Process Flags File
860
+ //
861
+ //-------------------------------------------
862
+ // #10349
863
+ //-------------------------------------------
864
+ fixccs.exe,276
865
+
866
+ //-------------------------------------------
867
+ // #14642
868
+ //-------------------------------------------
869
+ //dkservice.exe,276 //Diskeeper is in Defrag Tools Section now
870
+
871
+ //-------------------------------------------
872
+ // #9909
873
+ // Mark CA eTrust real time scanner as
874
+ // TRUSTED, SKIPPED and NO_INJECT
875
+ //-------------------------------------------
876
+ inort.exe,3146004
877
+
878
+
879
+ // VMWare
880
+ vmwareservice.e,NI+SK+NC+ND+TR
881
+ vmwaretray.exe,NI+SK+NC+ND+TR
882
+ vmwareuser.exe,NI+SK+NC+ND+TR
883
+ vmnat,SK+TR+NI+NC+ND
884
+ vmnetdhcp,SK+TR+NI+NC+ND
885
+ VMware-authd,SK+TR+NI+NC+ND
886
+ VMware-hostd,SK+TR+NI+NC+ND
887
+ VMware-tray,SK+TR+NI+NC+ND
888
+ VMware-usbarbitrator64,SK+TR+NI+NC+ND
889
+ vmtoolsd,SK+TR+NI+NC+ND
890
+ VGAuthService,SK+TR+NI+NC+ND
891
+ vmacthlp,SK+TR+NI+NC+ND
892
+
893
+ //Microsoft Windows Script Host
894
+ wscript.exe,NC+ND
895
+
896
+ //-------------------------------------------
897
+ // MS OFFICE Apps
898
+ // have Window Subclassing ON
899
+ // are Window Stealth SAFE
900
+ // iexplore include multi window and multi doc
901
+ //-------------------------------------------
902
+ iexplore.exe,MW+MD+WS+SB
903
+ winword.exe,SB+WS+FP+DWNG
904
+ excel.exe,SB+WS+FP+DWNG
905
+ infopath.exe,SB+WS+FP
906
+ msaccess.exe,SB+WS+FP+DWNG
907
+ mspub.exe,SB+WS+FP
908
+ mstore.exe,SB+WS+FP
909
+ ois.exe,SB+WS+FP
910
+
911
+ // DWNG+DWSP added in 7.6.3 because with Outlook COM tracking
912
+ // WinInet and WinSocket tracking is not needed
913
+ outlook.exe,SB+WS+AS+DWNG+DWSP
914
+
915
+ powerpnt.exe,SB+WS+FP+DWNG
916
+ winproj.exe,NI+PR
917
+ visio.exe,SB+WS+FP+DWNG
918
+ notepad.exe,2560
919
+ wordpad.exe,2560
920
+ officeclicktoru,NI+SK+NC+ND+TR
921
+
922
+
923
+ //-----------------------------------
924
+ // Hitachi Asset Management Software
925
+ //-----------------------------------
926
+ dmpwinst.exe, NI+SK+NC+ND+TR
927
+ dmpstmgr.exe, NI+SK+NC+ND+TR
928
+ dmpserv.exe, NI+SK+NC+ND+TR
929
+ dmprtry.exe, NI+SK+NC+ND+TR
930
+ dmpreged.exe, NI+SK+NC+ND+TR
931
+ dmpwtcp.exe, NI+SK+NC+ND+TR
932
+ dmpapchk.exe, NI+SK+NC+ND+TR
933
+ dmpbkdel.exe, NI+SK+NC+ND+TR
934
+ dmpbklst.exe, NI+SK+NC+ND+TR
935
+ dmpclint.exe, NI+SK+NC+ND+TR
936
+ dmpdelic.exe, NI+SK+NC+ND+TR
937
+ dmpdlg.exe, NI+SK+NC+ND+TR
938
+ dmpexect.exe, NI+SK+NC+ND+TR
939
+ dmpiddef.exe, NI+SK+NC+ND+TR
940
+ dmpiddel.exe, NI+SK+NC+ND+TR
941
+ dmpicron.exe, NI+SK+NC+ND+TR
942
+ dmpidex.exe, NI+SK+NC+ND+TR
943
+ dmpidreg.exe, NI+SK+NC+ND+TR
944
+ dmpinvui.exe, NI+SK+NC+ND+TR
945
+ dmpjbsts.exe, NI+SK+NC+ND+TR
946
+ dmplgetc.exe, NI+SK+NC+ND+TR
947
+ dmprcvry.exe, NI+SK+NC+ND+TR
948
+ dmpinit.exe, NI+SK+NC+ND+TR
949
+ dmpinv.exe, NI+SK+NC+ND+TR
950
+ dmpishld.exe, NI+SK+NC+ND+TR
951
+ dmplogmg.exe, NI+SK+NC+ND+TR
952
+ dmpmkgrp.exe, NI+SK+NC+ND+TR
953
+ dmpmsg.exe, NI+SK+NC+ND+TR
954
+ dmpmsgbx.exe, NI+SK+NC+ND+TR
955
+ dmppcom.exe, NI+SK+NC+ND+TR
956
+ dmprcchk.exe, NI+SK+NC+ND+TR
957
+ dmpsvchg.exe, NI+SK+NC+ND+TR
958
+ dmpsspnd.exe, NI+SK+NC+ND+TR
959
+ dmpsndst.exe, NI+SK+NC+ND+TR
960
+ dmpshutd.exe, NI+SK+NC+ND+TR
961
+ dmpstart.exe, NI+SK+NC+ND+TR
962
+ dmpstop.exe, NI+SK+NC+ND+TR
963
+ dmpsetvr.exe, NI+SK+NC+ND+TR
964
+ dmpsetup.exe, NI+SK+NC+ND+TR
965
+ dmpsvsnd.exe, NI+SK+NC+ND+TR
966
+ dmpsyset.exe, NI+SK+NC+ND+TR
967
+ dmpsysmv.exe, NI+SK+NC+ND+TR
968
+ dmpuinv.exe, NI+SK+NC+ND+TR
969
+ dmpusers.exe, NI+SK+NC+ND+TR
970
+ dmpusts.exe, NI+SK+NC+ND+TR
971
+ dmpwwset.exe, NI+SK+NC+ND+TR
972
+ dmrcagnt.exe, NI+SK+NC+ND+TR
973
+ dmrcasrv.exe, NI+SK+NC+ND+TR
974
+ dmrcctrn.exe, NI+SK+NC+ND+TR
975
+ dmrcexit.exe, NI+SK+NC+ND+TR
976
+ dmrcinfo.exe, NI+SK+NC+ND+TR
977
+ dmrcrreq.exe, NI+SK+NC+ND+TR
978
+ dmsysinf.exe, NI+SK+NC+ND+TR
979
+ dmpupdt.exe, NI+SK+NC+ND+TR
980
+ dmpsts.exe, NI+SK+NC+ND+TR
981
+ dmexe32.exe, NI+SK+NC+ND+TR
982
+
983
+ //--------------------------------------------------------------
984
+ // SiteTrust Related Executables
985
+ //--------------------------------------------------------------
986
+ stbrwsr.exe, NI+SK+NC+ND+TR
987
+ stdecomm.exe, NI+SK+NC+ND+TR
988
+ stservice.exe, NI+SK+NC+ND+TR
989
+ stupdateservice, NI+SK+NC+ND+TR
990
+
991
+
992
+ //ntaskldr.exe,3145988
993
+ //nlnotes.exe,TP
994
+
995
+ //-------------------------------------------
996
+ // Not Injecting for all YRIDD demo processes.
997
+ //-------------------------------------------
998
+ LOFEmulationSer, NI+SK+NC+ND+TR
999
+ LOFModelServer.,NI+SK+NC+ND+TR
1000
+ LOFService.exe, NI+SK+NC+ND+TR
1001
+ LPTServer.exe, NI+SK+NC+ND+TR
1002
+ LegacySystem.ex,NI+SK+NC+ND+TR
1003
+
1004
+ //------------------------------------------------
1005
+ // Not injecting Remediation for system processes
1006
+ //------------------------------------------------
1007
+ inetinfo.exe, ND+NC+NA
1008
+ aspnet_wp.exe,3407872
1009
+
1010
+ //csrss.exe,262144 <-- Handled in ProcessFlags
1011
+ //lsass.exe,262144 <-- Also skipped and non-inject, Handled in base list above
1012
+ services.exe,NI+SK+NC+ND+TR+NA+NV+NE
1013
+ mpnotify.exe,NI+SK+NC+ND+TR+NA
1014
+ // svchost is set to No Encrypt because some Out-of Proc COM objects will
1015
+ // it and we make mistakes and encrypt the wrong things.
1016
+ svchost.exe,NE+NI+NC+ND+NA+NV
1017
+ taskmgr.exe,3407872
1018
+ winlogon.exe,NI+NC+ND+NE
1019
+ WZQKPick.exe,3407872
1020
+
1021
+
1022
+ //================================================
1023
+ // SKIPPED + NON-INJECT LIST
1024
+ //================================================
1025
+ ctfmon.exe,NI+SK+NC+ND+TR
1026
+ stsystra.exe,NI+SK+NC+ND+TR
1027
+ regsrvc.exe,NI+SK+NC+ND+TR
1028
+ ifrmewrk.exe,NI+SK+NC+ND+TR
1029
+ apdproxy.exe,NI+SK+NC+ND+TR
1030
+ wdfmgr.exe,NI+SK+NC+ND+TR
1031
+ cli.exe,NI+SK+NC+ND+TR
1032
+ s24evmon.exe,NI+SK+NC+ND+TR
1033
+ pdvdserv.exe,NI+SK+NC+ND+TR
1034
+ winmgmt.exe, SK+NI+NC+ND+TR+NA+NV
1035
+ reader_sl.exe,NI+SK+NC+ND+TR
1036
+ sm1bg.exe,NI+SK+NC+ND+TR
1037
+ sm56hlpr.exe,NI+SK+NC+ND+TR
1038
+ zcfgsvc.exe,NI+SK+NC+ND+TR
1039
+ googledesktop.e,NI+SK+NC+ND+TR
1040
+ GoogleQuickSear,NI+SK+NC+ND+TR
1041
+ GoogleToolbarMa,NI+SK+NC+ND+TR
1042
+ GoogleToolbarNo,NI+SK+NC+ND+TR
1043
+ GoogleToolbarUs,NI+SK+NC+ND+TR
1044
+ GoogleUpdaterSe,NI+SK+NC+ND+TR
1045
+ SearchWithGoogl,NI+SK+NC+ND+TR
1046
+ staged_GoogleTo,NI+SK+NC+ND+TR
1047
+ GoogleUpdate.ex,NI+SK+NC+ND+TR+PR
1048
+ googledrivesync.exe,SK+NI
1049
+ GoogleDriveFS.exe,SK+NI
1050
+
1051
+ onedrive.exe,SK+NI
1052
+
1053
+ //=================================================
1054
+ // Installation/Update Packages
1055
+ //=================================================
1056
+
1057
+ //--------------------------------------------------------------
1058
+ // Agent Installer Related Executables:
1059
+ //--------------------------------------------------------------
1060
+ dgagentsetup.ex, NI+SK+NC+ND+TR+NE+PR
1061
+ dgagentinstalle, NI+SK+NC+ND+TR+NE+PR
1062
+ wuauclt.exe,NI+SK+NC+ND+TR+NE+PR
1063
+ WindowsXP-KB936,NI+SK+NC+ND+TR+NE+PR
1064
+ msiexec.exe,NI+SK+NC+ND+TR+NE+PR
1065
+ hp_53_enu.exe,NI+SK+NC+ND+TR+NE+PR
1066
+ update.exe,NI+SK+NC+ND+TR+NE+PR
1067
+ grpconv.exe,NI+SK+NC+ND+TR+NE+PR
1068
+ msoobe.exe,NI+SK+NC+ND+TR+NE+PR
1069
+ smbinst.exe,NI+SK+NC+ND+TR+NE+PR
1070
+ spiisupd.exe,NI+SK+NC+ND+TR+NE+PR
1071
+ spnpinst.exe,NI+SK+NC+ND+TR+NE+PR
1072
+ spupdsvc.exe,NI+SK+NC+ND+TR+NE+PR
1073
+ uploadm.exe,NI+SK+NC+ND+TR+NE+PR
1074
+ tiworker.exe,NI+SK+NC+ND+TR+NE+PR
1075
+
1076
+ //=================================================
1077
+ // TOUCHPAD
1078
+ //=================================================
1079
+ syntplpr.exe,NI+SK+NC+ND+TR
1080
+ syntpenh.exe,NI+SK+NC+ND+TR
1081
+
1082
+ //============================================
1083
+ // ROXIO SERVICES
1084
+ // (Do not exclude Drag To Disk!)
1085
+ //============================================
1086
+ roxwatchtray.ex,NI+SK+NC+ND+TR
1087
+ roxmediadb.exe,NI+SK+NC+ND+TR
1088
+ roxwatch.exe,NI+SK+NC+ND+TR
1089
+ roxliveshare.ex,NI+SK+NC+ND+TR
1090
+ roxupnpserver.e,NI+SK+NC+ND+TR
1091
+
1092
+ //-------------------------------------------
1093
+ // Other build exes
1094
+ //-------------------------------------------
1095
+ shell.exe,NI+SK+NC+ND+TR
1096
+ rm.exe,NI+SK+NC+ND+TR
1097
+ cat.exe,NI+SK+NC+ND+TR
1098
+ makedirs.exe,NI+SK+NC+ND+TR
1099
+
1100
+
1101
+
1102
+ //-------------------------------------------
1103
+ // Typical Developer Tools
1104
+ //-------------------------------------------
1105
+ sh.exe,NI+SK+NC+ND+TR
1106
+ cp.exe,NI+SK+NC+ND+TR
1107
+ guidgen.exe,NI+SK+NC+ND+TR
1108
+ uuidgen.exe,NI+SK+NC+ND+TR
1109
+ oleview.exe,NI+SK+NC+ND+TR
1110
+ mapsym.exe,NI+SK+NC+ND+TR
1111
+ lib.exe,NI+SK+NC+ND+TR
1112
+ link.exe,NI+SK+NC+ND+TR
1113
+ bscmake.exe,NI+SK+NC+ND+TR
1114
+ sproxy.exe,NI+SK+NC+ND+TR
1115
+ windbg.exe,NI+SK+NC+ND+TR
1116
+ dbgx.shell.exe,SK
1117
+ h2inc.exe,NI+SK+NC+ND+TR
1118
+ ml.exe,NI+SK+NC+ND+TR
1119
+ rc.exe,NI+SK+NC+ND+TR
1120
+ dumpbin.exe,NI+SK+NC+ND+TR
1121
+ drwtsn32.exe,NI+SK+ND+NC
1122
+ dbgview.exe,NI+SK+ND+NC+NA
1123
+
1124
+ //=======================================
1125
+ // DRIVER STUDIO
1126
+ //=======================================
1127
+ dsconfig.exe,NI+SK+NC+ND+TR
1128
+ genrebld.exe,NI+SK+NC+ND+TR
1129
+ wizapp.exe,NI+SK+NC+ND+TR
1130
+ drivererrorlook,NI+SK+NC+ND+TR
1131
+ dstrayapp.exe,NI+SK+NC+ND+TR
1132
+ dsrsvc.exe,NI+SK+NC+ND+TR
1133
+ nmsym.exe,NI+SK+NC+ND+TR
1134
+ siremote.exe,NI+SK+NC+ND+TR
1135
+ nmfilterconfig.,NI+SK+NC+ND+TR
1136
+ icepack.exe,NI+SK+NC+ND+TR
1137
+ kd2sysxlat.exe,NI+SK+NC+ND+TR
1138
+ loader32.exe,NI+SK+NC+ND+TR
1139
+ sicrashutil.exe,NI+SK+NC+ND+TR
1140
+ startsi.exe,NI+SK+NC+ND+TR
1141
+ ds.exe,NI+SK+NC+ND+TR
1142
+ dsspawn.exe,NI+SK+NC+ND+TR
1143
+ dsnotifysub.exe,NI+SK+NC+ND+TR
1144
+ symrtrvr.exe,NI+SK+NC+ND+TR
1145
+ dldr.exe,NI+SK+NC+ND+TR
1146
+ wldr.exe,NI+SK+NC+ND+TR
1147
+ msym.exe,NI+SK+NC+ND+TR
1148
+ dsrebootem.exe,NI+SK+NC+ND+TR
1149
+
1150
+ //-------------------------------------------
1151
+ // HP noisy driver
1152
+ //-------------------------------------------
1153
+ hpbpro.exe,NI+SK+NC+ND+TR
1154
+
1155
+ // Network Associates
1156
+ // Common Framework
1157
+ mcscript_inuse.,NI+SK+NC+ND+TR
1158
+
1159
+ // DG 3.0 MR3 default
1160
+ photoshop.exe,NI
1161
+ dreamweaver.exe,NI
1162
+ photoshp.exe, NI
1163
+
1164
+ //-------------------------------------------
1165
+ // #11511
1166
+ // Mark Provencia Client (BlackIce) as
1167
+ // TRUSTED, SKIPPED and NO_INJECT
1168
+ //-------------------------------------------
1169
+ blackd.exe,3146004
1170
+ rapapp.exe,3146004
1171
+ vpatch.exe,3146004
1172
+ blackice.exe,3146004
1173
+ RapUISvc.exe,3146004
1174
+
1175
+
1176
+ //===========================================
1177
+ // Hang Fix from Dante
1178
+ //===========================================
1179
+ crypserv.exe,3146004
1180
+ wlkeeper.exe,3146004
1181
+ oscmutilityserv,3146004
1182
+ rssensor.exe,3146004
1183
+ sddtaflt.exe,3146004
1184
+ miftoivf.exe,3146004
1185
+ sxpstub.exe,3146004
1186
+ amagent.exe,3146004
1187
+ triggusr.exe,3146004
1188
+ recovery.exe,3146004
1189
+ umcinst.exe,3146004
1190
+
1191
+ //========================================================
1192
+ // Hang issue and system event log error issue from Sri
1193
+ //========================================================
1194
+ //Nero group - we need to verify this does not cause any side effect in CD burning
1195
+ InCDsrv.exe,3146004
1196
+ InCD.exe,3146004
1197
+ NMBgMonitor.exe,3146004
1198
+
1199
+ //Windows live search group - probably due to Windows Live Toolbar
1200
+ WindowsSearch.e,260
1201
+ WindowsSearchIn,260
1202
+
1203
+ //sql server group - These can come part of VS2005 install
1204
+ sqlbrowser.exe,3146004
1205
+ sqlwriter.exe,3146004
1206
+ sqlservr.exe,3146004
1207
+ sqlagent.exe,3146004
1208
+ SQLAGENT90.EXE,3146004
1209
+ //SQL Server Reporting Services process (ReportingServicesService.exe)
1210
+ ReportingServic,SK+TR+NI+NC+ND
1211
+
1212
+ //Archiving utilities
1213
+
1214
+ winzip32.exe,524288
1215
+ winzip64.exe,524288
1216
+ winrar.exe,524288
1217
+ compact.exe,524288
1218
+ 7z.exe,524288
1219
+ 7zg.exe,524288
1220
+ 7zfm.exe,524288
1221
+ stuffit.exe,524288
1222
+ WebAuthBroker.exe,NI
1223
+
1224
+ //Symantec
1225
+ EvtEng.exe,NI+SK+NC+ND+TR
1226
+
1227
+
1228
+
1229
+ //Lenovo Logger
1230
+ logmon.exe,NI+SK+NC+ND+TR
1231
+
1232
+ //Lenovo Rescue and Recovery
1233
+ netwk.exe,NI+SK+NC+ND+TR
1234
+
1235
+ // pgp
1236
+ pgpsdkserv.exe, 3145728
1237
+
1238
+ //============================================
1239
+ // Windows XP Native CD Burn with AFE. Bug# 18990
1240
+ // Make imapi.exe (XP CD Burning service)
1241
+ // go directly to NTFS, bypassing AFE
1242
+ //============================================
1243
+ imapi.exe,NR
1244
+
1245
+ //============================================
1246
+ //Hondata FlashPro Manager
1247
+ //Hondata K-Series ECU Editor
1248
+ //Install and Exes
1249
+ //
1250
+ //DGAGENT-6752
1251
+ //============================================
1252
+ driverins.exe,NI+SK+NC+ND+TR+PR
1253
+ TeamViewerQS_en,NI+SK+NC+ND+TR+PR
1254
+ KManagerV4-2-5.,SK+TR+NI+NC+ND+PR
1255
+ FlashProManager,SK+TR+NI+NC+ND+PR
1256
+ KManager.exe,SK+TR+NI+NC+ND+PR
1257
+
1258
+ //============================================
1259
+ // Defrag Tools. Bug# 14811 TT24292
1260
+ // SK+NI+TR+NC+ND = 3146004
1261
+ //============================================
1262
+ // Ashampoo_MagicalDefrag
1263
+ aDefragCtrl.exe,NR+SK+NI+TR+NC+ND
1264
+ aDefragService.,NR+SK+NI+TR+NC+ND
1265
+
1266
+ // Auslogics Disk Defrag
1267
+ diskdefrag.exe,NR+SK+NI+TR+NC+ND
1268
+
1269
+ // BuzzSaw
1270
+ Buzzsaw-S.exe,NR+SK+NI+TR+NC+ND
1271
+ BuzzSawService.,NR+SK+NI+TR+NC+ND
1272
+
1273
+ // DefragMentor
1274
+ DEFRAGME.EXE,NR+SK+NI+TR+NC+ND
1275
+
1276
+ // DisKeeper
1277
+ Diskeeper.exe,NR+SK+NI+TR+NC+ND
1278
+ DkService.exe,NR+SK+NI+TR+NC+ND
1279
+ DfrgNTFS1.exe,NR+SK+NI+TR+NC+ND
1280
+
1281
+ // Windows Defrag
1282
+ DfrgNTFS.exe,BI+SK+NI+TR+NC+ND
1283
+ DfrgFat.exe,BI+SK+NI+TR+NC+ND
1284
+
1285
+ // DiskTrik Ultimate Defrag
1286
+ UDefrag.exe,NR+SK+NI+TR+NC+ND
1287
+
1288
+ // hsDefragSaver
1289
+ hsDefragSaver.e,NR+SK+NI+TR+NC+ND
1290
+ hsDefragSvc.exe,NR+SK+NI+TR+NC+ND
1291
+
1292
+ // IOBit SmartDefrag.exe
1293
+ IObit SmartDefr,NR+SK+NI+TR+NC+ND
1294
+
1295
+ // JKDefrag
1296
+ JkDefrag.exe,NR+SK+NI+TR+NC+ND
1297
+ JkDefragCmd.exe,NR+SK+NI+TR+NC+ND
1298
+
1299
+ // MindSoft Utilities
1300
+ defrag.exe,NR+SK+NI+TR+NC+ND
1301
+ defragl.exe,NR+SK+NI+TR+NC+ND
1302
+
1303
+ // mstDefrag
1304
+ mstDefrag.exe,NR+SK+NI+TR+NC+ND
1305
+ mstDfrgS.exe,NR+SK+NI+TR+NC+ND
1306
+
1307
+ // OODefrag
1308
+ oodcmd.exe,NR+SK+NI+TR+NC+ND
1309
+ oodcnt.exe,NR+SK+NI+TR+NC+ND
1310
+
1311
+ // PageDefrag
1312
+ pagedfrg.exe,NR+SK+NI+TR+NC+ND
1313
+
1314
+ // Paragon Total Defrag
1315
+ launcher.exe,NR+SK+NI+TR+NC+ND
1316
+
1317
+ // PerfectDisk
1318
+ PDAgent.exe,NR+SK+NI+TR+NC+ND
1319
+ PDCmd.exe,NR+SK+NI+TR+NC+ND
1320
+ PDEngine.exe,NR+SK+NI+TR+NC+ND
1321
+ PerfectDisk.exe,NR+SK+NI+TR+NC+ND
1322
+
1323
+ // PowerDefrag
1324
+ PDBot.exe,NR+SK+NI+TR+NC+ND
1325
+ PDefrag.exe,NR+SK+NI+TR+NC+ND
1326
+
1327
+ // Power Defragmenter GUI
1328
+ Contig.exe,NR+SK+NI+TR+NC+ND
1329
+ Power Defragmen,NR+SK+NI+TR+NC+ND
1330
+
1331
+ // Rapid File Defragmentor
1332
+ RapidFD.exe,NR+SK+NI+TR+NC+ND
1333
+ RapidFD_aux.exe,NR+SK+NI+TR+NC+ND
1334
+
1335
+ // SpeedItUp
1336
+ SpeedItUp.exe,NR+SK+NI+TR+NC+ND
1337
+
1338
+ // UltraDefrag
1339
+ defrag_native.e,NR+SK+NI+TR+NC+ND
1340
+ dfrg.exe,NR+SK+NI+TR+NC+ND
1341
+
1342
+ // Vopt
1343
+ Vopt.exe,NR+SK+NI+TR+NC+ND
1344
+ VoptAux.exe,NR+SK+NI+TR+NC+ND
1345
+
1346
+ // WinContig
1347
+ WinContig.exe,NR+SK+NI+TR+NC+ND
1348
+
1349
+ //windows indexing service
1350
+ cidaemon.exe,SK+NI+NC+ND
1351
+
1352
+ //BES computer role
1353
+ //default process flags: SK+NI+NC+ND
1354
+ roleBES:winlogon.exe,
1355
+ roleBES:alg.exe,
1356
+ roleBES:wfshell.exe,
1357
+ roleBES:javaw.exe,
1358
+ roleBES:inetinfo.exe,
1359
+ roleBES:aspnet_wp.exe,
1360
+ roleBES:taskmgr.exe,
1361
+
1362
+ // pgp
1363
+ roleBES:pgptray.exe,
1364
+ roleBES:pgpsdkserv.exe,
1365
+
1366
+ // MS OFFICE Apps
1367
+ roleBES:iexplore.exe,
1368
+ roleBES:winword.exe,
1369
+ roleBES:excel.exe,
1370
+ roleBES:infopath.exe,
1371
+ roleBES:msaccess.exe,
1372
+ roleBES:mspub.exe,
1373
+ roleBES:mstore.exe,
1374
+ roleBES:ois.exe,
1375
+ roleBES:outlook.exe,
1376
+ roleBES:powerpnt.exe,
1377
+ roleBES:winproj.exe,NI+PR
1378
+
1379
+ roleBES:notepad.exe,
1380
+ roleBES:wordpad.exe,
1381
+
1382
+ //BlackBerry server mail agent (domino)
1383
+ roleBES:nbes.exe,NP
1384
+
1385
+ //BlackBerry server mail agent (exchange)
1386
+ roleBES:BlackberryAgent,NP
1387
+ bmds.exe,SK+TR+NI+NC+ND
1388
+
1389
+ //EAS computer role
1390
+ //All process will be assigned default process flags: SK+NI+NC+ND
1391
+ //All process listge here with the prefix RoleEAS: will be cleaned from any flags
1392
+ roleEAS:winlogon.exe,
1393
+ roleEAS:alg.exe,
1394
+ roleEAS:wfshell.exe,
1395
+ roleEAS:javaw.exe,
1396
+ roleEAS:inetinfo.exe,
1397
+ roleEAS:aspnet_wp.exe,
1398
+ roleEAS:dllhost.exe,NPR
1399
+ roleEAS:taskmgr.exe,
1400
+
1401
+ // pgp
1402
+ roleEAS:pgptray.exe,
1403
+ roleEAS:pgpsdkserv.exe,
1404
+
1405
+ // MS OFFICE Apps
1406
+ roleEAS:iexplore.exe,
1407
+ roleEAS:winword.exe,
1408
+ roleEAS:excel.exe,
1409
+ roleEAS:infopath.exe,
1410
+ roleEAS:msaccess.exe,
1411
+ roleEAS:mspub.exe,
1412
+ roleEAS:mstore.exe,
1413
+ roleEAS:ois.exe,
1414
+ roleEAS:outlook.exe,
1415
+ roleEAS:powerpnt.exe,
1416
+ roleEAS:winproj.exe,NI+PR
1417
+
1418
+ roleEAS:notepad.exe,
1419
+ roleEAS:wordpad.exe,
1420
+
1421
+ //EAS server - IIS - will have only one flag
1422
+ roleEAS:w3wp.exe,NP
1423
+
1424
+ // documentum processes
1425
+ dcathmgr.exe, NI+SK+NC+ND
1426
+ dccomponentinst, NI+SK+NC+ND
1427
+ dccomponentlaun, NI+SK+NC+ND
1428
+ dcevtsrv.exe, NI+SK+NC+ND
1429
+ dcprogresssenti, NI+SK+NC+ND
1430
+
1431
+ // Sophos\Sophos Anti-Virus
1432
+ Sophosavagent.e,SK+TR+NI+NH+NC+ND+PR
1433
+ Sophoslogwrite.,SK+TR+NI+NH+NC+ND+PR
1434
+ Sophosbootask.e,SK+TR+NI+NH+NC+ND+PR
1435
+
1436
+ // performance issues on W2K
1437
+ Lafservice.exe,SK+NI+TR+ND+NC
1438
+ Radexecd.exe,SK+NI+TR+ND+NC
1439
+ Radsched.exe,SK+NI+TR+ND+NC
1440
+ Radstgms.exe,SK+NI+TR+ND+NC
1441
+ Sbmgrnt.exe,SK+NI+TR+ND+NC
1442
+ Mstask.exe,SK+NI+TR+ND+NC
1443
+ Uphclean.exe,SK+NI+TR+ND+NC
1444
+ Application Lau,SK+NI+TR+ND+NC
1445
+ Cfd.exe,SK+NI+TR+ND+NC
1446
+ generic.exe,SK+NI+TR+ND+NC
1447
+ asa.exe,SK+NI+TR+ND+NC
1448
+ epmworker.exe,SK+NI+TR+ND+NC
1449
+ gemone~1.scr,SK+NI+TR+ND+NC
1450
+ //-- [END] CLIENT:284
1451
+
1452
+ //-- [START] CLIENT:223 --
1453
+ ipagent.exe,NI+SK+NC+ND+TR
1454
+ iclarity.exe,NI+SK+NC+ND+TR
1455
+ loginw32.exe,NI+SK+NC+ND+TR
1456
+ nbnmsrvc.exe,NI+SK+NC+ND+TR
1457
+ nicrlstn.exe,NI+SK+NC+ND+TR
1458
+
1459
+ // Stealth MXP
1460
+ accessconsole.e,NI+SK+NC+ND+TR
1461
+ accesspresenter,NI+SK+NC+ND+TR
1462
+ accesstray.exe,NI+SK+NC+ND+TR
1463
+ accessunlock.ex,NI+SK+NC+ND+TR
1464
+ accessversion.e,NI+SK+NC+ND+TR
1465
+ accessstatus.ex,NI+SK+NC+ND+TR
1466
+ mxpconfig.exe,NI+SK+NC+ND+TR
1467
+ mxpconnector.ex,NI+SK+NC+ND+TR
1468
+ ssdconsole.exe,NI+SK+NC+ND+TR
1469
+ statusdialog.ex,NI+SK+NC+ND+TR
1470
+ unlockdialog.ex,NI+SK+NC+ND+TR
1471
+ //-- [END] CLIENT:223
1472
+
1473
+ Agrsmmsg.exe,SK+TR+NI+NC+ND
1474
+ ATWTUSB.EXE,SK+TR+NI+NC+ND
1475
+ BESClient.exe,SK+TR+NI+NC+ND
1476
+ BESClientUI.exe,SK+TR+NI+NC+ND
1477
+ btwdins.exe,SK+TR+NI+NC+ND
1478
+ dkAutoReg.exe,SK+TR+NI+NC+ND
1479
+ Dkcktkn.exe,SK+TR+NI+NC+ND
1480
+ Dklog.exe,SK+TR+NI+NC+ND
1481
+ dkMonitor.exe,SK+TR+NI+NC+ND
1482
+ Dkvcm.exe,SK+TR+NI+NC+ND
1483
+ Eabservr.exe,SK+TR+NI+NC+ND
1484
+ HP Wireless Ass,SK+TR+NI+NC+ND
1485
+ HPQTOA~1.EXE,SK+TR+NI+NC+ND
1486
+ hpqwmiex.exe,SK+TR+NI+NC+ND
1487
+ IAAnotif.exe,SK+TR+NI+NC+ND
1488
+ IAANTMon.exe,SK+TR+NI+NC+ND
1489
+ NeoterisSetupSe,SK+TR+NI+NC+ND
1490
+ Ntmulti.exe,SK+TR+NI+NC+ND
1491
+ NwmCli.exe,SK+TR+NI+NC+ND
1492
+ NwmSvc.exe,SK+TR+NI+NC+ND
1493
+ //PDAgent.exe,SK+TR+NI+NC+ND <-- Already handled generically
1494
+ QLBCTRL.exe,SK+TR+NI+NC+ND
1495
+ //SavRoam.exe,SK+TR+NI+NC+ND <-- Already handled above
1496
+ //Scardsvr.exe,SK+TR+NI+NC+ND <-- Already handled under Windows srvcs
1497
+ SDPin.exe,SK+TR+NI+NC+ND
1498
+ SMAgent.exe,SK+TR+NI+NC+ND
1499
+ SMax4.exe,SK+TR+NI+NC+ND
1500
+ SMax4PNP.exe,SK+TR+NI+NC+ND
1501
+ //Smc.exe,SK+TR+NI+NC+ND <-- Already handled under Symantec Anti-Virus
1502
+ //Smcgui.exe,SK+TR+NI+NC+ND <-- Already handled under Symantec Anti-Virus
1503
+ SMSWUagent.exe,SK+TR+NI+NC+ND
1504
+ //SNAC.exe,SK+TR+NI+NC+ND <-- Already handled under Symantec End-Point Protection
1505
+ //SPBBCSvc.exe,SK+TR+NI+NC+ND <-- Already handled under Symantec Anti-Virus 10
1506
+ Tfswctrl.exe,SK+TR+NI+NC+ND
1507
+ //Uphclean.exe,SK+TR+NI+NC+ND <-- Already handled generically (2K performance)
1508
+ VentC.exe,SK+TR+NI+NC+ND
1509
+ VPN Services.ex,SK+TR+NI+NC+ND
1510
+
1511
+
1512
+ avconf.exe,NN+NC+ND+NA
1513
+ testpartner.exe,SK+TR+NI+NC+ND
1514
+ testpa~1.exe,SK+NI+TR+NC+ND
1515
+
1516
+ //-- Redgate.Profiler.IISProfileHost.exe (ANT)
1517
+ redgate.profile,NA
1518
+
1519
+ //-- cisvc.exe (Indexing service)
1520
+ cisvc.exe,NA
1521
+
1522
+ // Client - ?
1523
+ collector.exe,SK+TR+NI+NC+ND
1524
+ cwsloginsvc.exe,SK+TR+NI+NC+ND
1525
+ issch.exe,SK+TR+NI+NC+ND
1526
+ issvc.exe,SK+TR+NI+NC+ND
1527
+ ldiscn32.exe,SK+TR+NI+NC+ND
1528
+ ldlcserv.exe,SK+TR+NI+NC+ND
1529
+ localsch.exe,SK+TR+NI+NC+ND
1530
+ modalwin.exe,SK+BK
1531
+ niagnt32.exe,SK+BK
1532
+ niaiserv.exe,SK+BK
1533
+ niinst32.exe,SK+BK
1534
+ pcs_agnt.exe,SK+TR+NI+NC+ND
1535
+ pds.exe,SK+TR+NI+NC+ND
1536
+ rcgui.exe,SK+TR+NI+NC+ND
1537
+ residentagent.e,SK+TR+NI+NC+ND
1538
+ screenagent.exe,SK+TR+NI+NC+ND
1539
+ sdclientmonitor,SK+TR+NI+NC+ND
1540
+ sndsrvc.exe,SK+TR+NI+NC+ND
1541
+ softmon.exe,SK+TR+NI+NC+ND
1542
+ suss.exe,SK+TR+NI+NC+ND
1543
+ Tmcsvc.exe,SK+NPR
1544
+ trcboot.exe,SK+TR+NI+NC+ND
1545
+ a180ag.exe,SK+TR+NI+NC+ND
1546
+ a180cm.exe,SK+TR+NI+NC+ND
1547
+ a180wd.exe,SK+TR+NI+NC+ND
1548
+
1549
+ //rotatelogs.exe may takes a longtime after installation of the agent. so skip it
1550
+ rotatelogs.exe,SK+TR+NI+NC+ND
1551
+
1552
+ // TSMSIhlp.EXE is a Tech Smith help utility used by Wise installers.
1553
+ // There can be a conflict between the agent and this program which results in
1554
+ // a failure for the application to shut down in an orderly fashion. As a result,
1555
+ // the uninstallation calling it will also fail to complete correctly.
1556
+ TSMSIhlp.EXE,NI+SK+NC+ND+TR
1557
+
1558
+
1559
+ // The first to use processFlags to better control dgapiHookMask for a particular process
1560
+
1561
+ qvp32.exe,DPG+DSBG
1562
+
1563
+ // bug #21337 Agile Downloads - Classification and Encryption does not work
1564
+ agilecm.exe,CC
1565
+
1566
+ // defect 23353
1567
+
1568
+ fltmc.exe,SK+TR+NI+NC+ND
1569
+
1570
+ searchfilterhos,SK+TR+NI+NC+ND
1571
+ searchprotocolh,SK+TR+NI+NC+ND+PR+NPR+NPROC
1572
+
1573
+ // add procmon to the list, otherwise, procmon is crashing with too little memory since 5.3.
1574
+ procmon.exe,SK+TR+NI+NC+ND
1575
+ procmon64.exe,SK+TR+NI+NC+ND
1576
+
1577
+ // TT#22036 - To prevent BlackBerry Desktop Manager from hanging when launched.
1578
+ desktopmgr.exe,NI
1579
+
1580
+ // TT#20028 - This change allows Bloomberg PriceLink and a DG Agent to operate on the same computer.
1581
+ wintrv.exe,SK+TR+NI+NC+ND
1582
+ plinksvc.exe,SK+TR+NI+NC+ND
1583
+ plnotify.exe,SK+TR+NI+NC+ND
1584
+ plpkt14.exe,SK+TR+NI+NC+ND
1585
+
1586
+ //TT#19400 - This change allows you to use the Iron Key secure USB key successfully.
1587
+ ironkey.exe,SK+NB+TR+NI+NC+ND+CD
1588
+
1589
+ // Role Low No inject
1590
+ //
1591
+ roleLowNI:alg.exe,NI+SK+NC+ND+TR+NE
1592
+ roleLowNI:explorer.exe,TF+EX+NV+NU+NPR+NC+ND
1593
+ roleLowNI:cmd.exe,NC+ND
1594
+ roleLowNI:inetinfo.exe,
1595
+ roleLowNI:aspnet_wp.exe,
1596
+ roleLowNI:dllhost.exe,NPR
1597
+ roleLowNI:taskmgr.exe,
1598
+ roleLowNI:winrar.exe,NC+ND
1599
+ roleLowNI:winzip32.exe,NC+ND
1600
+
1601
+ // pgp
1602
+ roleLowNI:pgptray.exe,
1603
+ roleLowNI:pgpsdkserv.exe,
1604
+
1605
+ // MS OFFICE Apps
1606
+ //roleLowNI:iexplore.exe,
1607
+ //roleLowNI:winword.exe,SB+NC+ND
1608
+ //roleLowNI:excel.exe,SB+NC+ND
1609
+ //roleLowNI:infopath.exe,
1610
+ //roleLowNI:msaccess.exe,SB+NC+ND
1611
+ //roleLowNI:mspub.exe,
1612
+ //roleLowNI:mstore.exe,
1613
+ //roleLowNI:ois.exe,
1614
+ //roleLowNI:outlook.exe,
1615
+ //roleLowNI:powerpnt.exe,SB+NC+ND
1616
+ //roleLowNI:winproj.exe,NI+PR
1617
+
1618
+ //roleLowNI:notepad.exe,
1619
+ //roleLowNI:wordpad.exe,
1620
+ //roleLowNI:calc.exe,
1621
+
1622
+ // Role Low
1623
+ //
1624
+ roleLow:alg.exe,NI+SK+NC+ND+TR+NE
1625
+ roleLow:explorer.exe,TF+EX+NV+NU+NPR+NC+ND
1626
+ roleLow:cmd.exe,NC+ND
1627
+ roleLow:inetinfo.exe,
1628
+ roleLow:aspnet_wp.exe,
1629
+ roleLow:dllhost.exe,NPR
1630
+ roleLow:taskmgr.exe,
1631
+ roleLow:winrar.exe,NC+ND
1632
+ roleLow:winzip32.exe,NC+ND
1633
+
1634
+ // pgp
1635
+ roleLow:pgptray.exe,
1636
+ roleLow:pgpsdkserv.exe,
1637
+
1638
+ // MS OFFICE Apps
1639
+ //roleLow:iexplore.exe,
1640
+ //roleLow:winword.exe,SB+NC+ND
1641
+ //roleLow:excel.exe,SB+NC+ND
1642
+ //roleLow:infopath.exe,
1643
+ //roleLow:msaccess.exe,SB+NC+ND
1644
+ //roleLow:mspub.exe,
1645
+ //roleLow:mstore.exe,
1646
+ //roleLow:ois.exe,
1647
+ //roleLow:outlook.exe,
1648
+ //roleLow:powerpnt.exe,SB+NC+ND
1649
+ //roleLow:winproj.exe,NI+PR
1650
+
1651
+ //roleLow:notepad.exe,
1652
+ //roleLow:wordpad.exe,
1653
+ //roleLow:calc.exe,
1654
+
1655
+ // NOD32 Anti Virus
1656
+ // Company: ESET
1657
+ // File Version: 4.2.40.0
1658
+
1659
+ // adding SK so activation can pass on Windows 8
1660
+ trustedinstall,BK+PR+SK,,Microsoft Corporation
1661
+
1662
+
1663
+
1664
+ // adding for automation
1665
+ testautomationc,NPR
1666
+
1667
+
1668
+ // Dropbox.exe configured for best ACI performance.
1669
+ dropbox.exe,NV+NN+CSS+NF
1670
+ DbxSvc.exe,TR+NC+ND+TP+NV+NN+CSS+NF+TN
1671
+ DropboxUpdate.exe,TR+NC+ND+TP+NV+NN+CSS+NF+TN
1672
+
1673
+ dgdecrypt.exe,CSS
1674
+
1675
+ // Allow roaming profiles to propagate DG stream
1676
+ userenv.dll,CSS
1677
+
1678
+ // Allow FireFox installer 24esr to work on Win8.0+
1679
+ firefox setup*,NI+PR
1680
+ firefox.exe,NPR
1681
+ // On Windows 10 firefox (UPX packed) installer change its name
1682
+ firefox insta*,NI+PR
1683
+
1684
+ //-------------------------------------------
1685
+ // Malwarebytes Endpoint Agent
1686
+ //-------------------------------------------
1687
+ mbamwsc.exe,NI+SK+NC+ND+TR+NPR+PR
1688
+ endpoint agent tray.exe,NI+SK+NC+ND+TR+NPR+PR
1689
+
1690
+ // Quick hash app
1691
+ QuickHash-v*,NI+SK+NC+ND+TR
1692
+ QuickHash-Windows-x86.exe,NI
1693
+ QuickHash-Windows-x64.exe,NI
1694
+
1695
+ // HashMyFiles
1696
+ HashMyFiles.exe,NI
1697
+
1698
+ // Adobe APPs
1699
+ Illustrator_Set-Up.exe,NI
1700
+ InDesign_Set-Up.exe,NI
1701
+ Photoshop_Set-Up.exe,NI
1702
+
1703
+ // Spotify is an interactive music and media player
1704
+ spotify.exe,NI+SK+NC+ND+TR
1705
+
1706
+ // 64-bit total commander, see DGAGENT-6741/DGAGENT-490
1707
+ TOTALCMD64.EXE,SB
1708
+
1709
+ // Chrome.exe
1710
+ chrome.exe,NR+NPR
1711
+
1712
+ //----------------------------------------
1713
+ // Windows 10
1714
+ //----------------------------------------
1715
+ // License checker
1716
+ ClipUp.exe,NI+SK+NC+ND+TR
1717
+ // Cortana
1718
+ SearchUI.exe,NI+SK+NC+ND+TR
1719
+
1720
+ //Facebook.exe: multiple issues
1721
+ Facebook.exe,NI
1722
+ Flipboard.exe,NI
1723
+
1724
+ //add a series of flags on several applications: Kaspersky, Bromium, Cisco VPN, Bitlocker, various development apps
1725
+ klnagent.exe,SK+NI+NC+ND+NA+RU+NV
1726
+ ccmexec.exe,SK+TR+NI+NC+ND+PR
1727
+ microsoft.confi,SK+TR+NI+NC+ND+PR
1728
+
1729
+ vpnagent-exe,SK+TR+NI+NC+ND
1730
+ vpnui.exe,SK+TR+NI+NC+ND
1731
+ msseces.exe,SK+TR+NI+NC+ND
1732
+ ccleaner.exe,SK+TR+NI+NC+ND
1733
+ ccleaner64.exe,SK+TR+NI+NC+ND
1734
+ atmgr.exe,SK+TR+NI+NC+ND
1735
+ vpxclient.exe,SK+TR+NI+NC+ND
1736
+ // we want to capture from mstsc.exe
1737
+ //mstsc.exe,SK+TR+NI+NC+ND
1738
+ rdcman.exe,SK+TR+NI+NC+ND
1739
+ citrixonlinelau,SK+TR+NI+NC+ND
1740
+ synergy.exe,SK+TR+NI+NC+ND
1741
+ synergyc.exe,SK+TR+NI+NC+ND
1742
+ synergyd.exe,SK+TR+NI+NC+ND
1743
+ desktopSearchOu,SK+TR+NI+NC+ND
1744
+ copernic.deskto,SK+TR+NI+NC+ND
1745
+ vmware.exe,SK+TR+NI+NC+ND
1746
+ devenv.com,TN+AW+PR
1747
+ LangResGen.exe,TN+AW+PR
1748
+ acrord32.exe,RP+PR+DWNG
1749
+ jre*,NI
1750
+ GoToMeeting.exe,SK+TR+NI+NC+ND+PR
1751
+ gotomeeting la,SK+TR+NI+NC+ND+PR
1752
+ gotowebinar la,SK+TR+NI+NC+ND+PR
1753
+ G2minstaller.ex,SK+TR+NI+NC+ND+PR
1754
+ G2minsthigh.exe,SK+TR+NI+NC+ND+PR
1755
+ G2mtranscoder.e,SK+TR+NI+NC+ND+PR
1756
+ G2mupdate.exe,SK+TR+NI+NC+ND+PR
1757
+ G2muninstall.ex,SK+TR+NI+NC+ND+PR
1758
+ SkypeSetup.exe,SK+TR+NI+NC+ND+PR
1759
+ webexconnect.ex,SK+TR+NI+NC+ND+PR
1760
+ CiscoCollabHost,SK+TR+NI+NC+ND+PR
1761
+ dg agent manag,SK+PR
1762
+ securecrt.exe,NI+PR
1763
+ Mcsheartbeat.ex,SK+TR+NI+NC+ND
1764
+ Swi_update64.ex,SK+TR+NI+NC+ND
1765
+ ClientMRInit.ex,SK+TR+NI+NC+ND
1766
+ EMLibUpdateAgen,SK+TR+NI+NC+ND
1767
+ BackgroundScanC,SK+TR+NI+NC+ND
1768
+ SAVCleanupServi,SK+TR+NI+NC+ND
1769
+ configuresav.ex,SK+TR+NI+NC+ND
1770
+ sdcdevconia64.e,SK+TR+NI+NC+ND
1771
+ sdcdevconx64.ex,SK+TR+NI+NC+ND
1772
+ aosuimanager.ex,SK+NI+NC+ND+NA+NV
1773
+ clndiag.exe,SK+NI+NC+ND+NA+NV
1774
+ cntaosuninstall,SK+NI+NC+ND+NA+NV
1775
+ ipxfer.exe,SK+NI+NC+ND+NA+NV
1776
+ LogServer.exe,SK+NPR
1777
+ officescantouch,SK+NI+NC+ND+NA+NV
1778
+ utilpfwinstcond,SK+NI+NC+ND+NA+NV
1779
+ wixupgrade.exe,SK+NI+NC+ND+NA+NV
1780
+ wofielauncher.e,SK+NI+NC+ND+NA+NV
1781
+ callmsi.exe,SK+NI+NC+ND+NA+NV
1782
+ ecls.exe,SK+NI+NC+ND+NA+NV
1783
+ ecmd.exe,SK+NI+NC+ND+NA+NV
1784
+ eeclnt.exe,SK+NI+NC+ND+NA+NV
1785
+ eOPPFrame.exe,SK+NI+NC+ND+NA+NV
1786
+ speclean.exe,SK+NI+NC+ND+NA+NV
1787
+ SysInspector.ex,SK+NI+NC+ND+NA+NV
1788
+ //Bit 9
1789
+ agent*,SK+NI+NC+ND+TR
1790
+ timedoverride.e,SK+TR+NI+NC+ND
1791
+ Parityserver.ex,SK+TR+NI+NC+ND
1792
+
1793
+ // backup engine
1794
+ wbengine.exe,NI+SK+NC+ND+TR
1795
+ //Microsoft Windows Backup
1796
+ sdclt.exe,NI+SK+NC+ND+TR
1797
+ // volume shadow
1798
+ vssvc.exe,NI+SK+NC+ND+TR
1799
+ // Microsoft Update Notification
1800
+ MusNotification.exe,NI+SK+NC+ND+TR+PR+NPR+NPROC
1801
+ MusNotificationUX.exe,NI+SK+NC+ND+TR+PR+NPR+NPROC
1802
+ // adobe 11 reader installer (PECompact on 32 bits segfaults)
1803
+ reader11_en_xa_install.exe,NI+SK+NC+ND+TR
1804
+ readerdc_en_xa_install.exe,NI+SK+NC+ND+TR
1805
+
1806
+ // Google Chrome Pre-Install
1807
+ gccheck_small.exe,NI+SK+NC+ND+TR
1808
+
1809
+ // Win 10 Redstone upgrade
1810
+ SetupHost.exe,SK+PR,,Microsoft Corporation
1811
+
1812
+ //Skype
1813
+ SkypeApp.exe,SK+TR+NI+NC+ND+PR
1814
+ SkypeHost.exe,SK+TR+NI+NC+ND+PR
1815
+
1816
+ // Windows error reporting
1817
+ // Must use NPR flag
1818
+ WerFault.exe,NPR+SK+NI+PR,,Microsoft Corporation
1819
+ WerFaultSecure.exe,NPR+SK+NI+PR,,Microsoft Corporation
1820
+ wermgr.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1821
+
1822
+ // Windows 10 applications that we should skip
1823
+ consent.exe,SK+NI
1824
+
1825
+ // Oracle VirtualBox and associated programs.
1826
+ vbox-img.exe,SK+TR+NI+NC+ND+PR
1827
+ vboxballoonctrl.exe,SK+TR+NI+NC+ND+PR
1828
+ vboxdtrace.exe,SK+TR+NI+NC+ND+PR
1829
+ vboxextpackhelperapp.exe,SK+TR+NI+NC+ND+PR
1830
+ vboxheadless.exe,SK+TR+NI+NC+ND+PR
1831
+ vboxmanage.exe,SK+TR+NI+NC+ND+PR
1832
+ vboxnetdhcp.exe,SK+TR+NI+NC+ND+PR
1833
+ vboxnetnat.exe,SK+TR+NI+NC+ND+PR
1834
+ vboxsdl.exe,SK+TR+NI+NC+ND+PR
1835
+ vboxsvc.exe,SK+TR+NI+NC+ND+PR
1836
+ vboxtestogl.exe,SK+TR+NI+NC+ND+PR
1837
+ vboxwebsrv.exe,SK+TR+NI+NC+ND+PR
1838
+ virtualbox.exe,SK+TR+NI+NC+ND+PR
1839
+
1840
+ // Windows Defender Application Guard Manager
1841
+ hvsimgr.exe,SK+NI+NC+ND+NA+NV+NPR
1842
+
1843
+ // Suppress Noisy Processes to prevent server being flooded with pi data
1844
+ conhost.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1845
+ mavinject32.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1846
+ powercfg.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1847
+ WmiApSrv.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1848
+ wermgr.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1849
+ splunk.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1850
+ splunkd.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1851
+ MpSigStub.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1852
+ ngen.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1853
+ mscorsvw.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1854
+ PresentationFontCache.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1855
+ ngentask.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1856
+ MSOSYNC.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1857
+ OSPPSVC.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1858
+ OfficeC2RClient.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1859
+ OfficeClickToRun.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1860
+ AdobeARM.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1861
+ armsvc.exe,NI+NC+ND+NR+SK+TR+PR+NPR+NPROC
1862
+
1863
+ // Microsoft Edge default visibility
1864
+ browser_broker.exe,NPR,,Microsoft Corporation
1865
+ MicrosoftEdge.exe,NPR,,Microsoft Corporation
1866
+ MicrosoftEdgeCP.exe,NPR,,Microsoft Corporation
1867
+ microsoftedgeupdate.exe,NI+SK+TR+NC+ND+PR+NPR,,Microsoft Corporation
1868
+
1869
+ // Microsoft Edge Chromium default visibility
1870
+ msedge.exe,NPR,,Microsoft Corporation
1871
+
1872
+ // Microsoft Management Console
1873
+ mmc.exe,NPR,,Microsoft Corporation
1874
+
1875
+ // MS User-mode font driver
1876
+ fontdrvhost.exe,NI,,Microsoft Corporation
1877
+
1878
+ dllhost.exe,NPR
1879
+
1880
+
1881
+ // UWP aka Metro Apps to be excluded from COM_MetroSensor load
1882
+ WhatsApp.exe,NMET
1883
+
1884
+ //
1885
+ // v8.0.1
1886
+ //
1887
+
1888
+ //-- MSP APPROVED ---------------------------------------------
1889
+ //-- Windows Workstation only ---------------------------------
1890
+ //-- Ver9 Dt.09/05/2024----------------------------------------
1891
+ //
1892
+ //****IMP NOTE - PLEASE DO NOT MAKE ANY CHANGES TO THIS SECTION****
1893
+ //*********Do file a support ticket for any issues/updates*********
1894
+ //-------------------------------------------------------------
1895
+ //---- Section 1----
1896
+ //=========================================================================
1897
+ //----ANTI-VIRUS EXCLUSIONS - Version 9.2
1898
+ //=========================================================================
1899
+
1900
+ //AppSense
1901
+ cca.exe,SK+NPR
1902
+ ccacmd.exe,SK+NPR
1903
+ ccarebootmonitor.exe,SK+NPR
1904
+ emcoreservice.exe,SK+NPR
1905
+ emexit.exe,SK+NPR
1906
+ emloggedonuser.exe,SK+NPR
1907
+ empshost.exe,SK+NPR
1908
+ emsystem.exe,SK+NPR
1909
+ emuser.exe,SK+NPR
1910
+ emuserlogoff.exe,SK+NPR
1911
+ emvirtualizationhost.exe,SK+NPR
1912
+ emwow64.exe,SK+NPR
1913
+ endpointselfservice.exe,SK+NPR
1914
+ pmagent.exe,SK+NPR
1915
+ pmagentassist.exe,SK+NPR
1916
+ watchdogagent64.exe,SK+NPR
1917
+ AsModLdr.sys,SK
1918
+ EmDriver.sys,SK
1919
+
1920
+ //ARESPP
1921
+ APPClientFixHelper.exe,SK+NPR
1922
+ APPCurrentSetting.exe,SK+NPR
1923
+ ARESPPBrowser.exe,SK+NPR
1924
+ ARESPPClientService.exe,SK+NPR
1925
+ ARESPPCommonService.exe,SK+NPR
1926
+ ARESPPEncryptService.exe,SK+NPR
1927
+ ARESPPLogService.exe,SK+NPR
1928
+ ARESPPPKMService.exe,SK+NPR
1929
+ ARESPrivacyProtectorAPDReader.exe,SK+NPR
1930
+ ARESPrivacyProtectorClient.exe,SK+NPR
1931
+ BGBackup.exe,SK+NPR
1932
+ BGEncrypt.exe,SK+NPR
1933
+ CheckARESFile.exe,SK+NPR
1934
+ DragDropHelper.exe,SK+NPR
1935
+ Encryptexe".exe,SK+NPR
1936
+ FESFDS.exe,SK+NPR
1937
+ FESFPolicy.exe,SK+NPR
1938
+ ImportantNotice.exe,SK+NPR
1939
+ OwnerFileCloud.exe,SK+NPR
1940
+ plugin-container.exe,SK+NPR
1941
+ plugin-hang-ui.exe,SK+NPR
1942
+ Reg.exe,SK+NPR
1943
+ Reg86.exe,SK+NPR
1944
+ RequestHelper.exe,SK+NPR
1945
+ Rs.exe,SK+NPR
1946
+ RunAPIx64.exe,SK+NPR
1947
+ RunAPIx86.exe,SK+NPR
1948
+ SetEncIconSeq.exe,SK+NPR
1949
+ SetServiceLocation.exe,SK+NPR
1950
+ ShowARESFileInfo.exe,SK+NPR
1951
+ SmartOpenHelper.exe,SK+NPR
1952
+ SmartRecovery.exe,SK+NPR
1953
+ TrayManager.exe,SK+NPR
1954
+ UpdateIndecator.exe,SK+NPR
1955
+ OsrDs2.sys,SK
1956
+ OsrDt2.sys,SK
1957
+ OsrIsolate.sys,SK
1958
+ OsrSupport.sys,SK
1959
+
1960
+ //Avecto
1961
+ Avecto.IC3.Client.Host.exe,SK+NPR
1962
+ Defendpointservice.exe,SK+NPR
1963
+ gmessagehostex,SK+NPR
1964
+ PGEPOService.exe,SK+NPR
1965
+ pgprogramsutil.exe,SK+NPR
1966
+ pgstub.exe,SK+NPR
1967
+ pgsystemtray.exe,SK+NPR
1968
+ PGDriver.sys,SK
1969
+
1970
+ //Bitdefender
1971
+ bddlpsetup.exe,SK+NPR
1972
+ bdredline.exe,SK+NPR
1973
+ bdreinit.exe,SK+NPR
1974
+ certutil.exe,SK+NPR
1975
+ deloeminfs.exe,SK+NPR
1976
+ downloader.exe,SK+NPR
1977
+ driverctrl.exe,SK+NPR
1978
+ epag.exe,SK+NPR
1979
+ epconsole.exe,SK+NPR
1980
+ epintegrationservice.exe,SK+NPR
1981
+ eppowerconsole.exe,SK+NPR
1982
+ epsecurityservice.exe,SK+NPR
1983
+ epprotectedservice.exe,SK+NPR
1984
+ epupdateservice.exe,SK+NPR
1985
+ genptch.exe,SK+NPR
1986
+ installer.exe,SK+NPR
1987
+ mitm_install_tool.exe,SK+NPR
1988
+ product.configu,SK+NPR
1989
+ productactionce,SK+NPR
1990
+ setloadorder.exe,SK+NPR
1991
+ snetcfg.exe,SK+NPR
1992
+
1993
+ //Bitlocker
1994
+ bdeUISrv.exe,SK+NPR
1995
+ bdeunlock.exe,SK+NPR
1996
+ bdeunlockwizard.exe,SK+NPR
1997
+
1998
+ //bluecoat systems unified agent
1999
+ bcua-notifier.exe,SK
2000
+ bcua-service.exe,SK
2001
+
2002
+ //Bromium
2003
+ autonomyhelper32.exe,SK+NPR
2004
+ ax_installer.exe,SK+NPR
2005
+ bemagent.exe,SK+NPR
2006
+ bemman.exe,SK+NPR
2007
+ bemreporter.exe,SK+NPR
2008
+ bemsession.exe,SK+NPR
2009
+ bemsup.exe,SK+NPR
2010
+ bemsvc.exe,SK+NPR
2011
+ br-hostconfig.exe,SK+NPR
2012
+ br-init-a.exe,SK+NPR
2013
+ br-init-b.exe,SK+NPR
2014
+ br-init-c.exe,SK+NPR
2015
+ br-init-l.exe,SK+NPR
2016
+ br-init-m.exe,SK+NPR
2017
+ br-init-n.exe,SK+NPR
2018
+ br-init-o.exe,SK+NPR
2019
+ br-init-p.exe,SK+NPR
2020
+ br-init-w.exe,SK+NPR
2021
+ Br-uxendm.exe,SK+NPR
2022
+ braxservice.exe,SK+NPR
2023
+ BrChrome.exe,SK+NPR
2024
+ BrConsole.exe,SK+NPR
2025
+ BrDeprivilege.exe,SK+NPR
2026
+ BrDesktopConsole.exe,SK+NPR
2027
+ BrDownloadManager.exe,SK+NPR
2028
+ BrExeScanner.exe,SK+NPR
2029
+ BrGPUCheck.exe,SK+NPR
2030
+ BrHostDrvSup.exe,SK+NPR
2031
+ BrHostSvr.exe,SK+NPR
2032
+ BrIEHelper.exe,SK+NPR
2033
+ BrIEHelper64.exe,SK+NPR
2034
+ BrInstaller.exe,SK+NPR
2035
+ BrInstallerPopup.exe,SK+NPR
2036
+ BrLauncher.exe,SK+NPR
2037
+ BrLogMgr.exe,SK+NPR
2038
+ BrManage.exe,SK+NPR
2039
+ BrNav.exe,SK+NPR
2040
+ BrPolicy.exe,SK+NPR
2041
+ BrPreCheck.exe,SK+NPR
2042
+ BrPrintHelper.exe,SK+NPR
2043
+ BrProgressDialog.exe,SK+NPR
2044
+ BrRemoteManagement.exe,SK+NPR
2045
+ BrRemoteMgmtSvc.exe,SK+NPR
2046
+ BrReporter.exe,SK+NPR
2047
+ BrSecurityAlertInspector.exe,SK+NPR
2048
+ BrService.exe,SK+NPR
2049
+ BrStatusMonitor.exe,SK+NPR
2050
+ bruxenctx.exe,SK+NPR
2051
+ BrWinFile.exe,SK+NPR
2052
+ dpinst.exe,SK+NPR
2053
+ getcaps.exe,SK+NPR
2054
+ HostPcapDump.exe,SK+NPR
2055
+ kdd.exe,SK+NPR
2056
+ uxenctl.exe,SK+NPR
2057
+ uxenctx.exe,SK+NPR
2058
+ uxendm.exe,SK+NPR
2059
+ vhd-util.exe,SK+NPR
2060
+ xenctx.exe,SK+NPR
2061
+ bemk.sys,SK
2062
+ brfilter_*,SK
2063
+
2064
+ //CarbonBlack
2065
+ carbonblackclient.exe,SK+NPR
2066
+ cb.exe,SK+NPR
2067
+ cb1.exe,SK+NPR
2068
+ crawler.exe,SK+NPR
2069
+ dascli.exe,SK+NPR
2070
+ notifier.exe,SK+NPR
2071
+ parity.exe,SK+NPR
2072
+ parity agent*,SK+NPR
2073
+ Parityserver.exe,SK+NPR
2074
+ Parityreporter.exe,SK+NPR
2075
+ timedoverride.exe,SK+NPR
2076
+ carbonblackk.sys,SK
2077
+ parity.sys,SK
2078
+
2079
+ //CarbonBlack Defense
2080
+ Repcli.exe,SK+NPR
2081
+ RepMgr.exe,SK+NPR
2082
+ RepMgr64.exe,SK+NPR
2083
+ RepUtils.exe,SK+NPR
2084
+ RepUtils32.exe,SK+NPR
2085
+ RepUx.exe,SK+NPR
2086
+ RepWAV.exe,SK+NPR
2087
+ RepWAV64.exe,SK+NPR
2088
+ RepWmiUtils.exe,SK+NPR
2089
+ RepWmiUtils32.exe,SK+NPR
2090
+ RepWSC.exe,SK+NPR
2091
+ RepWSC64.exe,SK+NPR
2092
+ scanhost.exe,SK+NPR
2093
+ upd.exe,SK+NPR
2094
+ ctifile.sys,SK
2095
+ ctinet.sys,SK
2096
+
2097
+ //Checkpoint Endpoint Security
2098
+ compliance.exe,SK+NPR
2099
+ cptraylogic.exe,SK+NPR
2100
+ cptrayui.exe,SK+NPR
2101
+ cpda.exe,SK+NPR
2102
+ daaw.exe,SK+NPR
2103
+ efrservice.exe,SK+NPR
2104
+ epab_svc.exe,SK+NPR
2105
+ epwd.exe,SK+NPR
2106
+ epam_svc.exe,SK+NPR
2107
+ idafserverhostservice.exe,SK+NPR
2108
+ tesvc.exe,SK+NPR
2109
+ tif.exe,SK+NPR
2110
+ tracsrvwrapper.exe,SK+NPR
2111
+ trgui.exe,SK+NPR
2112
+ vsmon.exe,SK+NPR
2113
+
2114
+ //Cisco AMP (Sourcefire)
2115
+ audit_fireamps,SK+NPR
2116
+ casetup64.exe,SK+NPR
2117
+ ciscoamp.exe,SK+NPR
2118
+ ConnectivityTool.exe,SK+NPR
2119
+ creport.exe,SK+NPR
2120
+ freshclam.exe,SK+NPR
2121
+ freshclamwrap.exe,SK+NPR
2122
+ imnd0c6.exe,SK+NPR
2123
+ imne339.exe,SK+NPR
2124
+ ipsupporttool.exe,SK+NPR
2125
+ iptray.exe,SK+NPR
2126
+ protectent-*,SK+NPR
2127
+ sfc.exe,SK+NPR
2128
+ test_workstation,SK+NPR
2129
+ uninstall.exe,SK+NPR
2130
+ updater.exe,SK+NPR
2131
+ ExPrevDriver.sys,SK
2132
+ immunetprotect.sys,SK
2133
+ immunetselfprotect,SK
2134
+ ImmunetNetworkM,SK
2135
+ ImmunetUtilDriver.sys,SK
2136
+ trufos.sys,SK
2137
+
2138
+ //Crowdstrike Falcon
2139
+ CrowdInspect.exe,SK+NPR
2140
+ csagent.exe,SK+NPR
2141
+ CSCOMUtils.exe,SK+NPR
2142
+ CSDeviceControlSupportTool.exe,SK+NPR
2143
+ CSFalconContainer.exe,SK+NPR
2144
+ CSFalconController.exe,SK+NPR
2145
+ CSFalconService.exe,SK+NPR
2146
+ csfalconserviceuninstalltool_x64.exe,SK+NPR
2147
+ CSInstallGuard.exe,SK+NPR
2148
+ csnest.exe,SK+NPR
2149
+ *csinstallerservice.exe,SK+NPR
2150
+ windowssensor.exe,SK+NPR
2151
+ windowssensor.x64.exe,SK+NPR
2152
+ csagent.sys,SK
2153
+ CSBoot.sys,SK
2154
+ CSDeviceControl.sys,SK
2155
+ CSFirmwareAnalysis.sys,SK
2156
+ cspcm4.sys,SK
2157
+ OsfmConfig.sys,SK
2158
+
2159
+ //CyberArk Viewfinity Agent
2160
+ PASAgent.exe,SK+NPR
2161
+ SIP,SK+NPR
2162
+ vf_agent.exe,SK+NPR
2163
+ vf_elevate.exe,SK+NPR
2164
+ vf_host.exe,SK+NPR
2165
+ vf_movie.exe,SK+NPR
2166
+ vf_rem.exe,SK+NPR
2167
+ vf_updater.exe,SK+NPR
2168
+ CybKernelTracker.sys,SK
2169
+ vfdrv.sys,SK
2170
+ vfnet.sys,SK
2171
+ vfpd.sys,SK
2172
+
2173
+ //Cyberhaven
2174
+ cyberhaven.exe,SK+NPR
2175
+ cyberhavenbackendconnector.exe,SK+NPR
2176
+ cyberhavenfileoperationsendpointsensor.exe,SK+NPR
2177
+ cyberhavenhealthmonitor.exe,SK+NPR
2178
+ cyberhavensessionmonitor.exe,SK+NPR
2179
+
2180
+
2181
+ //Cybereason
2182
+ BlockiSvc.exe,SK+NPR
2183
+ BlockSvc.exe,SK+NPR
2184
+ minionhost.exe,SK+NPR
2185
+ CybereasonBlo,SK+NPR
2186
+ CrsSvc.exe,SK+NPR
2187
+ PylumLoader.exe,SK+NPR
2188
+ CrAmTray.exe,SK+NPR
2189
+ ExecutionPreventionSvc.exe,SK+NPR
2190
+ AmSvc.exe,SK+NPR
2191
+
2192
+ //Cylance
2193
+ CylanceSvc.exe,SK+NPR
2194
+ CylanceOPTICSSe,SK+NPR
2195
+ cylanceprotect,SK+NPR
2196
+ CylanceUI.exe,SK+NPR
2197
+ CyOptics.exe,SK+NPR
2198
+ CyProtect.exe,SK+NPR
2199
+ CyUpdate.exe,SK+NPR
2200
+ LocalePkg.exe,SK+NPR
2201
+ CyDevFlt*.sys,SK
2202
+ CyProtectDrv*.sys,SK
2203
+
2204
+ // Deep Instinct
2205
+ DeepCIService.exe, SK+NPR
2206
+ DeepETPService.exe, SK+NPR
2207
+ DeepMgmtService.exe, SK+NPR
2208
+ DeepNetworkService.exe, SK+NPR
2209
+ DeepRecoveryService.exe, SK+NPR
2210
+ DeepRpcServer.exe, SK+NPR
2211
+ DeepStaticService.exe, SK+NPR
2212
+ DeepTHService.exe, SK+NPR
2213
+ DeepUI.exe, SK+NPR
2214
+ DeepUninstaller.exe, SK+NPR
2215
+ InstallerManaged_deep.exe, SK+NPR
2216
+ DeepCIDriver.sys, SK
2217
+ DeepElamDriver.sys, SK
2218
+ DeepMgmtDriver.sys, SK
2219
+ DeepRansomDriver.sys, SK
2220
+ DeepStaticDriver.sys, SK
2221
+ DeepTHDriver.sys, SK
2222
+
2223
+ // Dell Systems Management Data and Event Managers
2224
+ AppUpdate.exe,SK+NPR
2225
+ DRVUpdate.exe,SK+NPR
2226
+ DsiaSrv32.exe,SK+NPR
2227
+ dsm_sa_datamgr64.exe,SK+NPR
2228
+ dsm_sa_eventmgr64.exe,SK+NPR
2229
+ invcol.exe,SK+NPR
2230
+ SalomonDock.exe,SK+NPR
2231
+ SSDUpdate.exe,SK+NPR
2232
+ //Dell tpad
2233
+ apmsgfwd.exe,SK+NPR
2234
+ apntex.exe,SK+NPR
2235
+ apoint.exe,SK+NPR
2236
+ apremote.exe,SK+NPR
2237
+ hidfind.exe,SK+NPR
2238
+ hidmonitorsvc.exe,SK+NPR
2239
+ //Dell Red Cloak
2240
+ authtap64.exe,SK+NPR
2241
+ cyclorama64.exe,SK+NPR
2242
+ groundling64.exe,SK+NPR
2243
+ inspector64.exe,SK+NPR
2244
+ lacuna64.exe,SK+NPR
2245
+ procwall64.exe,SK+NPR
2246
+ rcnotify.exe,SK+NPR
2247
+ redcloak.exe,SK+NPR
2248
+ //Dell DataVault
2249
+ ddvcollectorsvcapi.exe,SK+NPR
2250
+ ddvdatacollector.exe,SK+NPR
2251
+ ddvrulesprocessor.exe,SK+NPR
2252
+ cmgcrypt.sys,SK
2253
+ cmgffe.sys,SK
2254
+ cmgshpt.sys,SK
2255
+ nvapiw.exe,SK+PR
2256
+ rsabcm.sys,SK
2257
+ rsabcmcfg.sys,SK
2258
+ //Dell SupportAssistagent
2259
+ dsapi.exe,SK+NPR
2260
+ pcdrwi.exe,SK+NPR
2261
+ supportassist.exe,SK+NPR
2262
+ supportassistinstaller.exe,SK+NPR
2263
+ supportassistdownloadmanager.exe,SK+NPR
2264
+ systemidlecheck.exe,SK+NPR
2265
+ updaterui.exe,SK+NPR
2266
+ //Dell Windows APPS
2267
+ dellcommandupdate.exe,SK+NPR
2268
+ premiercolor.exe,SK+NPR
2269
+ startuptask.exe,SK+NPR
2270
+ supportassistappwire.exe,SK+NPR
2271
+ //Dell Updateservice
2272
+ invcol.exe,SK+NPR
2273
+ invcolpc.exe,SK+NPR
2274
+ serviceshell.exe,SK+NPR
2275
+ //Dell PPO
2276
+ dellpoaevents.exe,SK+NPR
2277
+ dellpoaeventslauncher.exe,SK+NPR
2278
+ //Dell Kase
2279
+ kschedulersvc.exe,SK+NPR
2280
+ AMPAgent.exe,SK+NPR
2281
+ AMPWAtchDog.exe,SK+NPR
2282
+ konea.exe,SK+NPR
2283
+ kpatch.exe,SK+NPR
2284
+ kswmetersvc.exe,SK+NPR
2285
+
2286
+ //F-Secure
2287
+ fsaua-poll.exe,SK+NPR
2288
+ fsaua-reset.exe,SK+NPR
2289
+ fsaua-update.exe,SK+NPR
2290
+ fsdevcon.exe,SK+NPR
2291
+ fsdiag.exe,SK+NPR
2292
+ fshoster64.exe,SK+NPR
2293
+ fsorsp64.exe,SK+NPR
2294
+ FsPisces.exe,SK+NPR
2295
+ fsscan.exe,SK+NPR
2296
+ fssua.exe,SK+NPR
2297
+ fssua_pending_updates_32.exe,SK+NPR
2298
+ fssua_pending_updates_64.exe,SK+NPR
2299
+ fsulprothoster.exe,SK+NPR
2300
+ fs_ccf_cosmos_tool_32.exe,SK+NPR
2301
+ fs_latebound_32.exe,SK+NPR
2302
+ fs_ols_ca.exe,SK+NPR
2303
+ fs_oneclient_info.exe,SK+NPR
2304
+ fs_restart_32.exe,SK+NPR
2305
+ fs_start_menu_manager_32.exe,SK+NPR
2306
+ fs_swup_channel_handler_32.exe,SK+NPR
2307
+ fs_ui_32.exe,SK+NPR
2308
+ fs_uninstall_32.exe,SK+NPR
2309
+ ilaunchr.exe,SK+NPR
2310
+ orspdiag64.exe,SK+NPR
2311
+ reset_id_tool_32.exe,SK+NPR
2312
+ resetuid.exe,SK+NPR
2313
+ ultralight_diag.ex,SK+NPR
2314
+ wa_3rd_party_host_32.exe,SK+NPR
2315
+ wa_3rd_party_host_64.exe,SK+NPR
2316
+
2317
+ fselms.sys,SK
2318
+ fsni64.sys,SK
2319
+ fsulgk.sys,SK
2320
+ nif2s64.sys,SK
2321
+
2322
+ fsabout.exe,TR+NI+NC+ND+NPR
2323
+ fsactiononinfection.exe,TR+NI+NC+ND+NPR
2324
+ sappfilecontrol.exe,TR+NI+NC+ND+NPR
2325
+ fsbanking.exe,TR+NI+NC+ND+NPR
2326
+ fsconcheckhelper.exe,TR+NI+NC+ND+NPR
2327
+ fsconnectionchecker.exe,TR+NI+NC+ND+NPR
2328
+ fseventhistory.exe,TR+NI+NC+ND+NPR
2329
+ fshelp.exe,TR+NI+NC+ND+NPR
2330
+ fsmaincorporate.exe,TR+NI+NC+ND+NPR
2331
+ fsnetworkisolation.exe,TR+NI+NC+ND+NPR
2332
+ fsscanwizard.exe,TR+NI+NC+ND+NPR
2333
+ fssettings.exe,TR+NI+NC+ND+NPR
2334
+ fsswup.exe,TR+NI+NC+ND+NPR
2335
+ fsswupblockingprocesses.exe,TR+NI+NC+ND+NPR
2336
+ fsturnoff.exe,TR+NI+NC+ND+NPR
2337
+ fsturnon.exe,TR+NI+NC+ND+NPR
2338
+ fswebsites.exe,TR+NI+NC+ND+NPR
2339
+ ulu.exe,TR+NI+NC+ND+NPR
2340
+ ulu_handler.exe,TR+NI+NC+ND+NPR
2341
+ ulu_handler_ns.exe,TR+NI+NC+ND+NPR
2342
+
2343
+ //fireeye
2344
+ //fireeye
2345
+ AppUIMonitor.exe,SK+NPR
2346
+ fireeyeagent.exe,SK+NPR
2347
+ magent.exe,SK+NPR
2348
+ RemediationWSC.exe,SK+NPR
2349
+ uncontain.exe,SK+NPR
2350
+ xagt.exe,SK+NPR
2351
+ xagtnotif.exe,SK+NPR
2352
+
2353
+ //Forcepoint One Agent (Proxy/DLP)
2354
+ fppsvc.exe,SK+NPR
2355
+ f1eui.exe,SK+NPR
2356
+ proxyui.exe,SK+NPR
2357
+
2358
+ //Fortra Lookout
2359
+ Lookout.exe,SK+NPR
2360
+ LookoutLibService.exe,SK+NPR
2361
+ LookoutProxy.exe,SK+NPR
2362
+ LookoutService.exe,SK+NPR
2363
+
2364
+ // FortiClient/Fortinet AV
2365
+ epcuseravatar.exe,SK+NPR
2366
+ fcappdb.exe,SK+NPR
2367
+ fcauth.exe,SK+NPR
2368
+ fccomint.exe,SK+NPR
2369
+ fcconfig.exe,SK+NPR
2370
+ fcdblog.exe,SK+NPR
2371
+ fchelper64.exe,SK+NPR
2372
+ fcsetup.exe,SK+NPR
2373
+ fctsecsvr.exe,SK+NPR
2374
+ fcvbltscan.exe,SK+NPR
2375
+ fmon.exe,SK+NPR
2376
+ forticlient.exe,SK+NPR
2377
+ forticlientonl,SK+NPR
2378
+ forticlientsec,SK+NPR
2379
+ forticlientvpn,SK+NPR
2380
+ fortielevate.exe,SK+NPR
2381
+ fortiesnac.exe,SK+NPR
2382
+ fortiproxy.exe,SK+NPR
2383
+ fortiscand.exe,SK+NPR
2384
+ fortisettings.exe,SK+NPR
2385
+ fortisslvpndaemon.exe,SK+NPR
2386
+ fortitray.exe,SK+NPR
2387
+ ipsec.exe,SK+NPR
2388
+ scheduler.exe,SK+NPR
2389
+ update_task.exe,SK+NPR
2390
+ vcm2.exe,SK+NPR
2391
+
2392
+ //Intel Security
2393
+ catracker.exe,SK+NPR
2394
+ mcclientanalytics.exe,SK+NPR
2395
+ native_proxy.exe,SK+NPR
2396
+ pefservice.exe,SK+NPR
2397
+ setuppbx64.exe,SK+NPR
2398
+ setuppbx86.exe,SK+NPR
2399
+ truekey.exe,SK+NPR
2400
+
2401
+ //Pulse Juniper Networks VPN Client
2402
+ 64bitProxy.exe,SK+NPR
2403
+ dsAccessService.exe,SK+NPR
2404
+ dsmmf.exe,SK+NPR
2405
+ dsTermServ.exe,SK+NPR
2406
+ jamCommand.exe,SK+NPR
2407
+ nsstatsdump.exe,SK+NPR
2408
+ pdv.exe,SK+NPR
2409
+ Pulse.exe,SK+NPR
2410
+ PulseApplicationLauncher.exe,SK+NPR
2411
+ PulseCompMgrInstaller.exe,SK+NPR
2412
+ PulseExt.exe,SK+NPR
2413
+ PulseExt64.exe,SK+NPR
2414
+ pulselauncher.exe,SK+NPR
2415
+ PulseSecureService.exe,SK+NPR
2416
+ PulseSetupClient.exe,SK+NPR
2417
+ PulseSetupClientOCX.exe,SK+NPR
2418
+ PulseSetupClientOCX64.exe,SK+NPR
2419
+ PulseSetupXP.exe,SK+NPR
2420
+
2421
+ //Kaspersky
2422
+ AgentMon.exe,SK+NPR
2423
+ avpsus.exe,SK+NPR
2424
+ avp.exe,SK+NPR
2425
+ AVPDTAgt.exe,SK+NPR
2426
+ avpui.exe,SK+NPR
2427
+ drvins64.exe,SK+NPR
2428
+ getsysteminfo.exe,SK+NPR
2429
+ integrity_check_tool.exe,SK+NPR
2430
+ LogFileCleaner,SK+NPR
2431
+ LiveConnect.exe,SK+NPR
2432
+ LiveConnectTask,SK+NPR
2433
+ KasAVSrv.exe,SK+NPR
2434
+ KASetup.exe,SK+NPR
2435
+ KaUsrTsk.exe,SK+NPR
2436
+ kescli.exe,SK+NPR
2437
+ kGetELMg64.exe,SK+NPR
2438
+ klcpuld.exe,SK+NPR
2439
+ klcsldcl.exe,SK+NPR
2440
+ klcsngtgui.exe,SK+NPR
2441
+ klcspxy.exe,SK+NPR
2442
+ kldumper.exe,SK+NPR
2443
+ kldw.exe,SK+NPR
2444
+ KLicense.exe,SK+NPR
2445
+ klmover.exe,SK+NPR
2446
+ klnagchk.exe,SK+NPR
2447
+ klnagntf.exe,SK+NPR
2448
+ klnagwds.exe,SK+NPR
2449
+ klosprep.exe,SK+NPR
2450
+ klpsm.exe,SK+NPR
2451
+ klrbtagt.exe,SK+NPR
2452
+ klscmodchk.exe,SK+NPR
2453
+ klshwmsg.exe,SK+NPR
2454
+ klwd.exe,SK+NPR
2455
+ klwnstman.exe,SK+NPR
2456
+ klwtblfs.exe,SK+NPR
2457
+ KPrtPng.exe,SK+NPR
2458
+ ksnproxy.exe,SK+NPR
2459
+ ktvnServer.exe,SK+NPR
2460
+ kvdb_upgrader.exe,SK+NPR
2461
+ modify_watcher.exe,SK+NPR
2462
+ netcfg.exe,SK+NPR
2463
+ patchmanager.exe,SK+NPR
2464
+ proton.exe,SK+NPR
2465
+ remediation.exe,SK+NPR
2466
+ setup_kes.exe,SK+NPR
2467
+ soyuz.exe,SK+NPR
2468
+ tslauncher.exe,SK+NPR
2469
+ ThumbnailCaptur,SK+NPR
2470
+ Up2Date.exe,SK+NPR
2471
+ vapm.exe,SK+NPR
2472
+ wmi32.exe,SK+NPR
2473
+ wmi64.exe,SK+NPR
2474
+ wmias.exe,SK+NPR
2475
+ wmiav.exe,SK+NPR
2476
+ Cm_km.sys,SK
2477
+ dump_klfdedmp.sys,SK
2478
+ kl1.sys,SK
2479
+ klbackupdisk.sys,SK
2480
+ klbackupflt.sys,SK
2481
+ klelam.sys,SK
2482
+ klelaml.sys,SK
2483
+ klfde.sys,SK
2484
+ klfdedmp.sys,SK
2485
+ klflt.sys,SK
2486
+ klfltdev.sys,SK
2487
+ klgse.sys,SK
2488
+ klhk.sys,SK
2489
+ klif.sys,SK
2490
+ klim6.sys,SK
2491
+ klkbdctl.sys,SK
2492
+ klncap.sys,SK
2493
+ klpd.sys,SK
2494
+ klpnpflt.sys,SK
2495
+ klsnsr.sys,SK
2496
+ kltdi.sys,SK
2497
+ klupd_KLIF_arkmon.sys,SK
2498
+ klupd_KLIF_kimul.sys,SK
2499
+ klupd_KLIF_klark.sys,SK
2500
+ klupd_KLIF_klbg.sys,SK
2501
+ klupd_KLIF_mark.sys,SK
2502
+ klupd_KLIF_swmon.sys,SK
2503
+ klvfs.sys,SK
2504
+ klwfp.sys,SK
2505
+ klwtp.sys,SK
2506
+ kneps.sys,SK
2507
+
2508
+ //Malwarebytes
2509
+ collectclientlog.exe,SK+NPR
2510
+ coreinst.exe,SK+NPR
2511
+ mbae.exe,SK+NPR
2512
+ mbae-cli.exe,SK+NPR
2513
+ mbae-setup.exe,SK+NPR
2514
+ mbae-svc.exe,SK+NPR
2515
+ mbae-uninstaller.exe,SK+NPR
2516
+ mbae64.exe,SK+NPR
2517
+ mbam.exe,SK+NPR
2518
+ mbam-chameleon.exe,SK+NPR
2519
+ mbam-killer.exe,SK+NPR
2520
+ mbamapi.exe,SK+NPR
2521
+ mbamgui.exe,SK+NPR
2522
+ mbamhelper.exe,SK+NPR
2523
+ mbampt.exe,SK+NPR
2524
+ mbamscheduler.exe,SK+NPR
2525
+ mbamservice.exe,SK+NPR
2526
+ mbcloudea.exe,SK+NPR
2527
+ sccomm.exe,SK+NPR
2528
+
2529
+ //Trellix (McAfee)
2530
+ MfeFfProxy32.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC
2531
+ MfeFfCore.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC
2532
+ MfeFfCoreService.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC
2533
+ setup.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, Inc.
2534
+ mfehidin64.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC
2535
+ mfeepmpk_utility.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC
2536
+ MfeEpAac.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC.
2537
+ MfeEpAac_mfeprotect.exe,NI+SK+TR+NC+ND+PR+NPR,,McAfee, LLC.
2538
+ mfewch.exe,SK+NPR
2539
+ mfewc.exe,SK+NPR
2540
+ mcschield.exe,SK+NPR
2541
+ 3DCompliance.exe,SK+NPR
2542
+ 6740xdat.exe,SK+NPR
2543
+ Aacinfo.exe,SK+NPR
2544
+ Amcfg.exe,SK+NPR
2545
+ amupdate.exe,SK+NPR
2546
+ AppDepotSetup_M,NI+NPR
2547
+ atpconfigtool.exe,SK+NPR
2548
+ ATPErrMgr.exe,SK+NPR
2549
+ AuditManagerService.exe,SK+NPR
2550
+ balloon32.exe,SK+NPR
2551
+ Cacheinfo.exe,SK+NPR
2552
+ CCuninst.exe,SK+NPR
2553
+ Cleanup.exe,SK+NPR
2554
+ CmdAgent.exe,SK+NPR
2555
+ contentupdate.exe,SK+NPR
2556
+ csscan.exe,SK+NPR
2557
+ dainstall.exe,SK+NPR
2558
+ dxlservice.exe,SK+NPR
2559
+ dxlservicemonitor.exe,SK+NPR
2560
+ engineMain.exe,SK+NPR
2561
+ EngineServer.exe,SK+NPR
2562
+ entvutil.exe,SK+NPR
2563
+ epefprtrainer.exe,SK+NPR
2564
+ EpePcCredentialProvider,SK+NPR
2565
+ EpePcMonitor.exe,SK+NPR
2566
+ Esconfigtool.exe,SK+NPR
2567
+ f00imcli.exe,SK+NPR
2568
+ fcags.exe,SK+NPR
2569
+ FireSvc.exe,SK+NPR
2570
+ FireTray.exe,SK+NPR
2571
+ FramePKG.exe,SK+NPR
2572
+ FrameworkService.exe,SK+NPR
2573
+ FrmInst.exe,SK+NPR
2574
+ Fwinfo.exe,SK+NPR
2575
+ Fwinstcheck.exe,SK+NPR
2576
+ fwWindowsFirewall,SK+NPR
2577
+ hcinfo.exe,SK+NPR
2578
+ Helper.exe,SK+NPR
2579
+ HIPSCoreReg.exe,SK+NPR
2580
+ HIPSvc.exe,SK+NPR
2581
+ Loadsapr.exe,SK+NPR
2582
+ logparser.exe,SK+NPR
2583
+ macmnsvc.exe,SK+NPR
2584
+ macompatsvc.exe,SK+NPR
2585
+ macomserver.exe,SK+NPR
2586
+ maconfig.exe,SK+NPR
2587
+ marepomirror.exe,SK+NPR
2588
+ marservice.exe,SK+NPR
2589
+ masvc.exe,SK+NPR
2590
+ mcadmin.exe,SK+NPR
2591
+ McAfee_Safeboot,SK+NPR
2592
+ McAfee_Virussca,NI+NPR
2593
+ McAfeeAV_def.ex,NI+NPR
2594
+ McAfeeFire.exe,SK+NPR
2595
+ mcconsol.exe,SK+NPR
2596
+ mcdatrep.exe,SK+NPR
2597
+ McSACore.exe,SK+NPR
2598
+ McScanCheck.exe,SK+NPR
2599
+ McScript_InUse,SK+NPR
2600
+ McShield.exe,SK+NPR
2601
+ McTray.exe,SK+NPR
2602
+ mcupdate.exe,SK+NPR
2603
+ mcvsftsn.exe,SK+NPR
2604
+ mcvsmap.exe,SK+NPR
2605
+ mcvsrte.exe,SK+NPR
2606
+ mcvsshld.exe,SK+NPR
2607
+ mfeamcin.exe,SK+NPR
2608
+ mfeann.exe,SK+NPR
2609
+ mfeatp.exe,SK+NPR
2610
+ mfecanary.exe,SK+NPR
2611
+ mfeConsole.exe,SK+NPR
2612
+ mfeensppl.exe,SK+NPR
2613
+ MfeEpeHost.exe,SK+NPR
2614
+ mfeEsp.exe,SK+NPR
2615
+ mfefire.exe,SK+NPR
2616
+ mfefw.exe,SK+NPR
2617
+ mfehcs.exe,SK+NPR
2618
+ mfehidin.exe,SK+NPR
2619
+ mfemactl.exe,SK+NPR
2620
+ mfemms.exe,SK+NPR
2621
+ mfeProvisionMod,SK+NPR
2622
+ mfeSysPrep.exe,SK+NPR
2623
+ mfeTp.exe,SK+NPR
2624
+ mfeupgradeTool.exe,SK+NPR
2625
+ mfevtps.exe,SK+NPR
2626
+ mghtml.exe,SK+NPR
2627
+ mmsinfo.exe,SK+NPR
2628
+ msaconfig.exe,SK+NPR
2629
+ Mue.exe,SK+NPR
2630
+ mvagtsvc.exe,SK+NPR
2631
+ mytilus3_server,SK+NPR
2632
+ naPrdMgr.exe,SK+NPR
2633
+ ncdaemon.exe,SK+NPR
2634
+ NCInstall.exe,SK+NPR
2635
+ NdisInstall.exe,SK+NPR
2636
+ PASysTray.exe,SK+NPR
2637
+ pireg.exe,SK+NPR
2638
+ policyupgrade.exe,SK+NPR
2639
+ pwdUninstall.exe,SK+NPR
2640
+ restartvse.exe,SK+NPR
2641
+ sbClientMan.exe,SK+NPR
2642
+ sbTOKWatch.exe,SK+NPR
2643
+ scan32.exe,SK+NPR
2644
+ Scan64.exe,SK+NPR
2645
+ ScnCfg32.exe,SK+NPR
2646
+ scsrvc.exe,SK+NPR
2647
+ setupATP.exe,SK+NPR
2648
+ setupCC.exe,SK+NPR
2649
+ setupEP.exe,SK+NPR
2650
+ setupFW.exe,SK+NPR
2651
+ setupTP.exe,SK+NPR
2652
+ setupVSE.exe,SK+NPR
2653
+ setupWC.exe,SK+NPR
2654
+ shcfg32.exe,SK+NPR
2655
+ shstat.exe,SK+NPR
2656
+ TIEservice.exe,SK+NPR
2657
+ UdaterUI.exe,SK+NPR
2658
+ VersionInformation.exe,SK+NPR
2659
+ VSE87MAS.exe,SK+NPR
2660
+ VsTskMgr.exe,SK+NPR
2661
+ Vtpinfo.exe,SK+NPR
2662
+ WinSecCtr.exe,SK+NPR
2663
+ wscavexe.exe,SK+NPR
2664
+ fireNfcp.sys,SK
2665
+ HIPshieldK.sys,SK
2666
+ mfeaack.sys,SK
2667
+ Mfeaacsk.sys,SK
2668
+ mfeapfk.sys,SK
2669
+ mfeavfk.sys,SK
2670
+ mfebopk.sys,SK
2671
+ mfeclnk.sys,SK
2672
+ mfeclnrk.sys,SK
2673
+ mfedisk.sys,SK
2674
+ mfeelamk.sys,SK
2675
+ mfeepmpk.sys,SK
2676
+ mfefirek.sys,SK
2677
+ mfehck.sys,SK
2678
+ mfehidk.sys,SK
2679
+ mfencbdc.sys,SK
2680
+ mfencrk.sys,SK
2681
+ mfenlfk.sys,SK
2682
+ mfeplk.sys,SK
2683
+ mferkdet.sys,SK
2684
+ Mfetdik2.sys,SK
2685
+ mfetdi2k.sys,SK
2686
+ mfewfpk.sys,SK
2687
+
2688
+ // Microsoft EMET
2689
+ emet_agent.exe,SK+NPR
2690
+ emet_service.exe,SK+NPR
2691
+
2692
+ // Microsoft Information Protection (aka MIP or AIP)
2693
+ MSIP.ExecutionHost.exe,SK+NPR
2694
+ MSIP.ExecutionHost32.exe,SK+NPR
2695
+ MSIP.NetworkDiscovery.exe,SK+NPR
2696
+ MSIP.Scanner.exe,SK+NPR
2697
+ msip.viewer.exe,SK+NPR
2698
+
2699
+
2700
+ //n-able technologies avdefender
2701
+ agentmaint.exe,SK+NPR
2702
+ automationmanager.scriptrunner64.exe,SK+NPR
2703
+ bdredline.exe,SK+NPR
2704
+ downloader.exe,SK+NPR
2705
+ epconsole.exe,SK+NPR
2706
+ genptch.exe,SK+NPR
2707
+ nableavdbridge.exe,SK+NPR
2708
+ nablereactivemanagement.exe,SK+NPR
2709
+ nablesixtyfourbitmanager.exe,SK+NPR
2710
+ redpatch0.exe,SK+NPR
2711
+ shadowprotectdatareader.exe,SK+NPR
2712
+ testinitsigs.exe,SK+NPR
2713
+ thirdpartypatch.exe,SK+NPR
2714
+ wuascanner.exe,SK+NPR
2715
+
2716
+ //NOD32
2717
+ egui.exe,SK+NPR
2718
+ ekrn.exe,SK+NPR
2719
+ eset-remote-install.exe,SK+NPR
2720
+ sha1sum.exe,SK+NPR
2721
+ eraagent.exe,SK+NPR
2722
+ insthelper.exe,SK+NPR
2723
+
2724
+ //PaloAlto Cortex
2725
+ Cydump.exe,SK+NPR
2726
+ cyreport.exe,SK+NPR
2727
+ cyrprtui.exe,SK+NPR
2728
+ cyserver.exe,SK+NPR
2729
+ cytool.exe,SK+NPR
2730
+ cytray.exe,SK+NPR
2731
+ CyveraConsole.exe,SK+NPR
2732
+ CyveraService.exe,SK+NPR
2733
+ CyveraWdg.exe,SK+NPR
2734
+ GetLogsUtilAgent.exe,SK+NPR
2735
+ tlaservice.exe,SK+NPR
2736
+ tlaworker.exe,SK+NPR
2737
+ twdservice.exe,SK+NPR
2738
+ xdrhealth.exe,SK+NPR
2739
+ cyverak.sys,SK
2740
+ cyvrfsfd.sys,SK
2741
+ cyvrlpc.sys,SK
2742
+ cyvrmtgn.sys,SK
2743
+ tdevflt.sys,SK
2744
+ tedrdrv.sys,SK
2745
+ tedrpers*.sys,SK
2746
+
2747
+ //pgp encryption
2748
+ encryptionservice.exe,SK+NPR
2749
+ pgpcbt64.exe,SK+NPR
2750
+ pgpfsd.exe,SK+NPR
2751
+ pgptray.exe,SK+NPR
2752
+
2753
+ //Qualys
2754
+ QualysAgent.exe,SK+PR
2755
+ QualysProxy.exe,SK+PR
2756
+
2757
+ //Rapid7 Insight Agent
2758
+ get_proxy.exe,SK+NPR
2759
+ ir_agent.exe,SK+NPR
2760
+ rapid7_endpoint_broker.exe,SK+NPR
2761
+ rapid7_events_monitor.exe,SK+NPR
2762
+ rapid7_sysmon_installer.exe,SK+NPR
2763
+
2764
+ //RSA NetWitness Agent
2765
+ Aurora.exe,SK+NPR
2766
+ AuroraDriver18052.sys,SK
2767
+ AuroraDriver18053.sys,SK
2768
+ AuroraDriver9115.sys,SK
2769
+ AuroraDriver9118.sys,SK
2770
+
2771
+ //Sentinal 1
2772
+ LogCollector.exe,SK+NPR
2773
+ SentinelAgent.exe,SK+NPR
2774
+ SentinelAgentWorker.exe,SK+NPR
2775
+ SentinelBrowserNativeHost.exe,SK+NPR
2776
+ SentinelCtl.exe,SK+NPR
2777
+ SentinelHelperService.exe,SK+NPR
2778
+ SentinelInstaller.exe,SK+NPR
2779
+ SentinelMemoryScanner.exe,SK+NPR
2780
+ SentinelRanger.exe,SK+NPR
2781
+ SentinelRemediation,SK+NPR
2782
+ SentinelRemoteShellHost.exe,SK+NPR
2783
+ SentinelScanFromContextMenu.exe,SK+NPR
2784
+ SentinelServiceHost.exe,SK+NPR
2785
+ SentinelStaticEngine.exe,SK+NPR
2786
+ SentinelStaticEngineScanner.exe,SK+NPR
2787
+ SentinelUI.exe,SK+NPR
2788
+ SentinelDeviceControl.sys,SK
2789
+ SentinelELAM.sys,SK
2790
+ SentinelMonitor.sys,SK
2791
+
2792
+ //Sophos AutoUpdate
2793
+ ALMon.exe,SK+NPR
2794
+ ALsvc.exe,SK+NPR
2795
+ ALUpdate.exe,SK+NPR
2796
+ SophosUpdate.exe,SK+NPR
2797
+
2798
+ //Sophos Remote Management System
2799
+ AutoUpdateAgent,SK+NPR,,sophos limited
2800
+ ClientMRInit.exe,SK+NPR
2801
+ EMLibUpdateAgent,SK+NPR
2802
+ ManagementAgent,SK+NPR
2803
+ mcsagent.exe,SK+NPR
2804
+ mcsclient.exe,SK+NPR
2805
+ RouterNT.exe,SK+NPR
2806
+
2807
+ //Sophos Sophos Anti-Virus
2808
+ SAVOnAccessCont,SK+NI+NC+ND
2809
+ BackgroundScanClient.exe,SK+NPR
2810
+ configuresav.exe,SK+NPR
2811
+ GetLogs.exe,SK+NPR,,sophos limited
2812
+ instmsia.exe,SK+NPR
2813
+ instmsiw.exe,SK+NPR
2814
+ native.exe,SK+NPR
2815
+ sav32cli.exe,SK+NPR
2816
+ SAVAdminService,SK+NPR
2817
+ SAVOnAccessControl,SK+NPR
2818
+ SAVCleanupService,SK+NPR
2819
+ SavMain.exe,SK+NPR
2820
+ SavProgress.exe,SK+NPR
2821
+ SavService.exe,SK+NPR
2822
+ sdcdevcon.exe,SK+NPR
2823
+ sdcdevconia64.exe,SK+NPR
2824
+ sdcdevconx64.exe,SK+NPR
2825
+ sdcservice.exe,SK+NPR
2826
+ sdugui.exe,SK+NPR
2827
+ Sophosavagent.exe,SK+NPR
2828
+ Sophosbootask.exe,SK+NPR
2829
+ sophosboottasks,SK+NPR
2830
+ SophosFileScanner.exe,SK+NPR
2831
+ SophosFS.exe,SK+NPR
2832
+ SophosHealth.exe,SK+NPR
2833
+ Sophoslogwrite.exe,SK+NPR
2834
+ spa.exe,SK+NPR
2835
+ wscclient.exe,SK+NPR
2836
+
2837
+ //Sophos Sophos Client Firewall
2838
+ op_viewer.exe,SK+NPR
2839
+ SCFManager.exe,SK+NPR
2840
+ SCFService.exe,SK+NPR
2841
+ SCFTray.exe,SK+NPR
2842
+
2843
+ //Sophos UTM Cloud communication
2844
+ Health.exe,SK+NPR,,sophos limited
2845
+ MCSagent.exe,SK+NPR
2846
+ Mcsclient.exe,SK+NPR
2847
+ Mcsheartbeate.exe,SK+NPR
2848
+ Sntpservice.exe,SK+NPR
2849
+ Ssp.exe,SK+NPR
2850
+
2851
+ //Sophos Web Protection
2852
+ Swc_service.exe,SK+NPR
2853
+ Swi_filter.exe,NI+NPR
2854
+ Swi_fc.exe,NI+NPR
2855
+ swi_lspdiag.exe,SK+NPR
2856
+ swi_lspdiag_64.exe,SK+NPR
2857
+ Swi_service.exe,SK+NPR
2858
+ Swi_update64.exe,SK+NPR
2859
+
2860
+ //Sophos Encyption
2861
+ sgnsafemodeserv,SK+TR+NI+NH+NC+ND+PR
2862
+ sgnauthservicen,SK+TR+NI+NH+NC+ND+PR
2863
+ sgn_masterservi,SK+TR+NI+NH+NC+ND+PR
2864
+
2865
+ be_encc.Exe,SK+NPR
2866
+ BEDevCtl.exe,SK+NPR
2867
+ BEFCSvcn.exe,SK+NPR
2868
+ feinit.exe,SK+NPR
2869
+ fetool.exe,SK+NPR
2870
+ Html5Encrypt.exe,SK+NPR
2871
+ SafeGuard Manag,SK+NPR
2872
+ SGFileEncWizard.exe,SK+NPR
2873
+ SGMCmdIntn.exe,SK+NPR
2874
+ SGNMaster.exe,SK+NPR
2875
+ SGNSafeModeService,SK+NPR
2876
+ SGTelemetryWinS,SK+NPR
2877
+ SGNAuthAppn.exe,SK+NPR
2878
+ SGNAuthServicen.exe,SK+NPR
2879
+ SGNHWInfo.exe,SK+NPR
2880
+ SGNState.exe,SK+NPR
2881
+ SGN_MasterService,SK+NPR
2882
+ SGPortable.exe,SK+NPR
2883
+ SophosSafestore64.exe,SK+NPR
2884
+ RecoveryKeyAccess,SK+NPR
2885
+ WMIListener.exe,SK+NPR
2886
+ BEFLT.sys,SK
2887
+ lcencvm.sys,SK
2888
+
2889
+ //Sophos Network Threat Protection
2890
+ SntpService.exe,SK+NPR
2891
+ SophosNtpService.exe,SK+NPR
2892
+
2893
+ //Sophos System Protection
2894
+ SedService.exe,SK+NPR
2895
+ Ssp.exe,SK+NPR
2896
+ Sspedr.exe,SK+NPR
2897
+
2898
+ //Sophos UI
2899
+ Sophos UI.exe,SK+NPR
2900
+ Telemetry.exe,SK+NPR,,sophos limited
2901
+
2902
+ //Sophos Endpoint Self Help
2903
+ SophosDiag.exe,SK+NPR
2904
+ SophosESH.exe,SK+NPR
2905
+
2906
+ //Sophos Data Recorder
2907
+ SDRService.exe,SK+NPR
2908
+
2909
+ //Sophos Clean Sophos
2910
+ SophosClean.exe,SK+NPR
2911
+ SophosCleanM.exe,SK+NPR
2912
+ Uninstall.exe,SK+NPR,,sophos limited
2913
+ Uninstall.exe,SK+NPR,,sophos, inc.
2914
+
2915
+ //Sophos Cloud Network Agent
2916
+ Clambc.exe,SK+NPR
2917
+ Clamconf.exe,SK+NPR
2918
+ Clamdscan.exe,SK+NPR
2919
+ Clamscan.exe,SK+NPR
2920
+ Installer.exe,SK+NPR,,sophos limited
2921
+ Jabswitch.exe,SK+NPR
2922
+ Keytool.exe,SK+NPR
2923
+ Kinit.exe,SK+NPR
2924
+ Klist.exe,SK+NPR
2925
+ Ktab.exe,SK+NPR
2926
+ Orbd.exe,SK+NPR
2927
+ Pack200.exe,SK+NPR
2928
+ Policytool.exe,SK+NPR
2929
+ R.exemid,SK+NPR
2930
+ Rmiregistry.exe,SK+NPR
2931
+ Servertool.exe,SK+NPR
2932
+ Sigtool.exe,SK+NPR
2933
+ SophosAgentRela,SK+NPR
2934
+ SophosAgentUI.exe,SK+NPR
2935
+ SophosCertMgr.exe,SK+NPR
2936
+ Sophos-cwg-moni,SK+NPR
2937
+ SophosCWGScanner,SK+NPR
2938
+ Ssvagent.exe,SK+NPR
2939
+ Tnameserv.exe,SK+NPR
2940
+ Unpack200.exe,SK+NPR
2941
+
2942
+ //Sophos for virtual environments
2943
+ sgvmmanagementservice.exe,SK+NPR
2944
+ sgvmscanningintegrationservice.exe,SK+NPR
2945
+ sgvmscanningservice.exe,SK+NPR
2946
+ wscclient.exe,SK+NPR
2947
+
2948
+ //sophos virus removal tool
2949
+ svrtcli.exe,SK+NPR
2950
+ svrtservice.exe,SK+NPR
2951
+
2952
+ //Symantec Endpoint Protection
2953
+ alunotify.exe,SK+NPR
2954
+ aluschedulersvc.exe,SK+NPR
2955
+ aupdate.exe,SK+NPR
2956
+ AutoExcl.exe,SK+NPR
2957
+ bhca.exe,SK+NPR
2958
+ brkrprcs64.exe,SK+NPR
2959
+ ccApp.exe,SK+NPR
2960
+ ccEvtMgr.exe,SK+NPR
2961
+ ccSetMgr.exe,SK+NPR
2962
+ DefWatch.exe,SK+NPR
2963
+ DevViewer.exe,SK+NPR
2964
+ DoScan.exe,SK+NPR
2965
+ dot1xtray64.exe,SK+NPR
2966
+ DWHWizrd.exe,SK+NPR
2967
+ edpa.exe,SK+NPR
2968
+ EFAInst.exe,SK+NPR
2969
+ FixExtend.exe,SK+NPR
2970
+ installTeefer.exe,SK+NPR
2971
+ LDVPREG.exe,SK+NPR
2972
+ lsetup.exe,SK+NPR
2973
+ luall.exe,SK+NPR
2974
+ LuaWrap.exe,SK+NPR
2975
+ lucallbackproxy.exe,SK+NPR
2976
+ luinit.exe,SK+NPR
2977
+ nlnhook.exe,SK+NPR
2978
+ Rtvscan.exe,SK+NPR
2979
+ SavRoam.exe,SK+NPR
2980
+ SPBBCSvc.exe,SK+NPR
2981
+ symantecrootins,SK+NPR
2982
+ VPC32.exe,SK+NPR
2983
+ VPDN_LU.exe,SK+NPR
2984
+ VPTray.exe,SK+NPR
2985
+ Checksum.exe,SK+NPR
2986
+ ControlAP.exe,SK+NPR
2987
+ dot1xtray.exe,SK+NPR
2988
+ LUCheck.exe,SK+NPR
2989
+ LuComServer_3_0,SK+NPR
2990
+ LuComServer_3_3,SK+NPR
2991
+ LuConfig.EXE,SK+NPR
2992
+ migrateUserScans.exe,SK+NPR
2993
+ NotifyHA.exe,SK+NPR
2994
+ PatchWrap.exe,SK
2995
+ RegSSHelper.exe,SK+NPR
2996
+ RtvStart.exe,SK+NPR
2997
+ SavUI.exe,SK+NPR
2998
+ SEPLiveUpdate.exe,SK+NPR
2999
+ SEPModuleList.exe,SK+NPR
3000
+ SescLU.exe,SK+NPR
3001
+ setiCollect.exe,SK+NPR
3002
+ sevntx64.exe,SK+NPR
3003
+ SISIDSService.exe,SK+NPR
3004
+ SISIPSService.exe,SK+NPR
3005
+ SISIPSUtil.exe,SK+NPR
3006
+ sisnat.exe,SK+NPR
3007
+ SISStatusDlg.exe,SK+NPR
3008
+ SMC.exe,SK+NPR
3009
+ SmcGui.exe,SK+NPR
3010
+ smcinst.exe,SK+NPR
3011
+ SNAC.EXE,SK+NPR
3012
+ SRTSP_CA.exe,SK+NPR
3013
+ Sylinkdrop.exe,SK+NPR
3014
+ SymCorpUI.exe,SK+NPR
3015
+ WFPUnins.exe,SK+NPR
3016
+ WSCSAvNotifier.exe,SK+NPR
3017
+ roru.exe,SK+NPR
3018
+ SepStub.exe,SK+NPR
3019
+ sepWscSvc.exe,SK+NPR
3020
+ sepWscSvc64.exe, SK+NPR
3021
+ BHDrvx64.sys,SK
3022
+ eeCtrl64.sys,SK
3023
+ EraserUtilReboo,SK
3024
+ Ex64.sys,SK
3025
+ IDSvia64.sys,SK
3026
+ Ironx64.sys,SK
3027
+ Srtsp64.sys,SK
3028
+ SyDvCtrl64.sys,SK
3029
+ Symefasi.sys,SK
3030
+ Symevent64x86.sys,SK
3031
+
3032
+ //Additional for Symantec upgrade
3033
+ ccSvcHst.exe,SK+NPR
3034
+ ccLgView.exe,SK+NPR
3035
+
3036
+ //Symantec Endpoint Encryption
3037
+ eacommunicatorsrv.exe,SK+NPR
3038
+ eafrclimanager.exe,SK+NPR
3039
+ eedService.exe,SK+NPR
3040
+ EERApplication.exe,SK+NPR
3041
+ EAFRCliStart.exe,SK+NPR
3042
+ PGPdesk.exe,SK+NPR
3043
+ PGPtray.exe,SK+NPR
3044
+ RemoveableMediaAccessUtility.exe,SK+NPR
3045
+ eedProtectionD,SK
3046
+ eedDiskEncrypt,SK
3047
+ EERfsfd.sys,SK
3048
+
3049
+ //systrack lsiagent
3050
+ jetcomp.exe,SK+NPR
3051
+ lsiagent.exe,SK+NPR
3052
+ lsicins.exe,SK+NPR
3053
+ lsimods64.exe,SK+NPR
3054
+ lsims.exe,SK+NPR
3055
+ lsisupervisor.exe,SK+NPR
3056
+
3057
+ //Tanium
3058
+ TaniumExecWrapper.exe,SK+NPR
3059
+ TaniumFileInfo.exe,SK+NPR
3060
+ TaniumDetect.exe,SK+NPR
3061
+ TaniumEndpoint.exe,SK+NPR
3062
+ TaniumEndpointIndex.exe,SK+NPR
3063
+ TaniumClient.exe,SK+NPR
3064
+ TaniumCX.exe,SK+NPR
3065
+
3066
+ //Nessus Scans
3067
+ nasl.exe,SK+NPR
3068
+ nessuscli.exe,SK+NPR
3069
+ nessusd.exe,SK+NPR
3070
+ nessus-service.exe,SK+NPR
3071
+
3072
+ //Nessus Agent Scans
3073
+ tenable_ovaldi_2ef350e0435440418f7d33232f74f260.exe,SK+NPR
3074
+ tenable_mw_scan_*.exe,SK+NPR
3075
+
3076
+ //Titus
3077
+ Titus.Enterprise.Client.Service.exe,SK+NPR
3078
+ Titus.Enterprise.HealthMonitor.Console.exe,SK+NPR
3079
+ Titus.Enterprise.HealthMonitor.Service.exe,SK+NPR
3080
+ Titus.FileWatcher.exe,SK+NPR
3081
+ Titus.LogCollector.exe,SK+NPR
3082
+ Titus.SmartRegex.TestApp.exe,SK+NPR
3083
+ TitusClassificationSetup.exe,SK+NPR
3084
+ TitusRMSTemplatesDownloader.exe,SK+NPR
3085
+ WCFLogViewer.exe,SK+NPR
3086
+
3087
+ //Trendmicro including version 14 ApexOne
3088
+ AosUImanager.exe,SK+NPR
3089
+ AtasAgent.exe,SK+NPR
3090
+ bspatch.exe,SK+NPR
3091
+ build.exe,SK+NPR
3092
+ build64.exe,SK+NPR
3093
+ bzip2.exe,SK+NPR
3094
+ CNTAoSMgr.exe,SK+NPR
3095
+ CNTAoSUnInstaller.exe,SK+NPR
3096
+ CompRmv.exe,SK+NPR
3097
+ Dreboot64.exe,SK+NPR
3098
+ dsa_control.exe,SK+NPR
3099
+ dsagent.exe,SK+NPR
3100
+ dsc.exe,SK+NPR
3101
+ endpointbasecamp.exe,SK+NPR
3102
+ ESClient.exe,SK+NPR
3103
+ ESEFrameworkHost.exe,SK+NPR
3104
+ ESEServiceShell.exe,SK+NPR
3105
+ Instreg.exe,SK+NPR
3106
+ iVPAgent.exe,SK+NPR
3107
+ LogServer.exe,SK+NPR
3108
+ ncfg.exe,SK+NPR
3109
+ NTRmv.exe,SK+NPR
3110
+ NTRtScan.exe,SK+NPR
3111
+ Ofccccaupdate.exe,SK+NPR
3112
+ OfcPfwSvc.exe,SK+NPR
3113
+ PATCH.EXE,SK+NPR
3114
+ PATCH64.EXE,SK+NPR
3115
+ PccNT.exe,SK+NPR
3116
+ PccNTMon.exe,SK+NPR
3117
+ PccNTUpd.exe,SK+NPR
3118
+ ShowMsg.exe,SK+NPR
3119
+ supportconnector.exe,SK+NPR
3120
+ tdiins.exe,SK+NPR
3121
+ tmasutility.exe,SK+NPR
3122
+ TMBMServer.exe,SK+NPR
3123
+ TMBMSRV.exe,SK+NPR
3124
+ tmccsf.exe,SK+NPR
3125
+ Tmcsvc.exe,SK+NPR
3126
+ tmextins.exe,SK+NPR
3127
+ tmextins32.exe,SK+NPR
3128
+ TmFpHcEx.exe,SK+NPR
3129
+ TMiACAgentSvc.exe,SK+NPR
3130
+ TmListen.exe,SK+NPR
3131
+ tmlwfins.exe,SK+NPR
3132
+ TmNTUpgd.exe,SK+NPR
3133
+ tmopextins.exe,SK+NPR
3134
+ tmopextins32.exe,SK+NPR
3135
+ TmPfw.exe,SK+NPR
3136
+ TmProxy.exe,SK+NPR
3137
+ TmsaInstance64.exe,SK+NPR
3138
+ TmSSClient.exe,SK+NPR
3139
+ TmUninst.exe,SK+NPR
3140
+ tmupgradeui.exe,SK+NPR
3141
+ tmwfpins.exe,SK+NPR
3142
+ TmWSCSvc.exe,SK+NPR
3143
+ TSC.exe,SK+NPR
3144
+ TSC64.exe,SK+NPR
3145
+ UpdGuide.exe,SK+NPR
3146
+ Upgrade.exe,SK+NPR
3147
+ Utilpfwinstcondchecker.exe,SK+NPR
3148
+ vcredist_2012u3_x64.exe,SK+NPR
3149
+ vcredist_2012u3_x86.exe,SK+NPR
3150
+ VSEncode.exe,SK+NPR
3151
+ wofielauncher.exe,SK+NPR
3152
+ wscommunicator.exe,SK+NPR
3153
+ XPUpg.exe,SK+NPR
3154
+ TM_CFW.sys,SK
3155
+ tmactmon.sys,SK
3156
+ tmcomm.sys,SK
3157
+ tmeevw.sys,SK
3158
+ tmevtmgr.sys,SK
3159
+ tmfilter.sys,SK
3160
+ tmlwf.sys,SK
3161
+ tmprefilter.sys,SK
3162
+ tmPreflt.sys,SK
3163
+ tmtdi.sys,SK
3164
+ tmumh.sys,SK
3165
+ tmusa.sys,SK
3166
+ tmwfp.sys,SK
3167
+ tmxpflt.sys,SK
3168
+ teefer2.sys,SK
3169
+ VSApint.sys,SK
3170
+
3171
+ //Vipre
3172
+ VipreEdgeProtection.exe,SK+NPR
3173
+ SBAMSvc.exe,SK+NPR
3174
+ SBAMTray.exe,SK+NPR
3175
+ SBPIMSvc.exe,SK+NPR
3176
+ TracSrvWrapper.exe,SK+NPR
3177
+ sbapifs.sys,SK
3178
+
3179
+ //Websense
3180
+ ClientInfo.exe,SK+NPR
3181
+ Dserui.exe,SK+NPR
3182
+ RFUI.exe,SK+NPR
3183
+ WDEUtil.exe,SK+NPR
3184
+ remediate.exe,SK+NPR
3185
+ wepsvc.exe,SK+NPR
3186
+ wsdecrypt.exe,SK+NPR
3187
+ cwnep.sys,SK
3188
+ qip.sys,SK
3189
+ qiptdi.sys,SK
3190
+ rnetcore.sys,SK
3191
+ WNetCore.sys,SK
3192
+ WFPRedir.sys,SK
3193
+ WsOMFlt.sys,SK
3194
+
3195
+ //Windows Defender
3196
+ configsecuritypolicy.exe,SK+NPR
3197
+ mpcmdrun.exe,SK+NPR
3198
+ mprecovery.exe,SK+NPR
3199
+ mpuxsrv.exe,SK+NPR
3200
+ msascui.exe,SK+NPR
3201
+ msascuil.exe,SK+NPR
3202
+ msmpeng.exe,SK+NPR
3203
+ nissrv.exe,SK+NPR
3204
+ wdnsfltr.exe,SK+NPR
3205
+ offlinescannershell.exe,SK+NPR
3206
+ mpfilter.sys,SK
3207
+
3208
+ //Windows Defender Advanced Threat Protection
3209
+ MsSense.exe,SK+NPR
3210
+ NisSrv.exe,SK+NPR
3211
+ SecurityHealthService.exe,SK+NPR
3212
+ sechealthui.exe,SK+NPR
3213
+ sensecncproxy.exe,SK+NPR
3214
+ sensendr.exe,SK+NPROC+NPR
3215
+ sensesampleuploader.exe,SK+NPR
3216
+ SgrmBroker.exe,SK+NPR
3217
+ sppsvc.exe,SK+NPR
3218
+
3219
+ //Visual Studio
3220
+ MSBuild.exe,SK+NPR
3221
+ vshub.exe,SK+NPR
3222
+ vshost*-*.exe,SK+NPR
3223
+ vsga.exe,SK+NPR
3224
+ perfwatson2.exe,SK+NPR
3225
+ Vcpkgsrv.exe,SK+NPR
3226
+ TailoredDeplo,SK+NPR
3227
+ VsDebugLaunch,SK+NPR
3228
+ VsDebugWERHel,SK+NPR
3229
+ VsGraphicsRem,SK+NPR
3230
+ devenv.exe,NC+ND+TN+AW+AS+NPR+PR
3231
+ msvsmon.exe,SK+NPR
3232
+ QTAgent32_40.exe,SK+NPR
3233
+ QTAgent.exe,SK+NPR
3234
+ QTAgent32.exe,SK+NPR
3235
+
3236
+ //.Net complier
3237
+ csc.exe,SK+NPR
3238
+ cl.exe,SK+NPR
3239
+ mt.exe,SK+NPR
3240
+ mt2.exe,SK+NPR
3241
+
3242
+ //Cisco Umbrella
3243
+ dnscrypt-proxy.exe,SK+NPR+PR
3244
+ acumbrellaagent.exe,SK+NPR+PR
3245
+ acswgagent.exe,NPR
3246
+ acnvmagent.exe,SK+NPR+PR
3247
+ ERCService.exe,SK+NPR+PR
3248
+ ERCInterface.exe,SK+NPR+PR
3249
+ UmbrellaDiagnostic.exe,SK+NPR+PR
3250
+
3251
+ //-------------------------------------------------------------
3252
+ //-- Windows Workstation only ---------------------------------
3253
+ //-- END MSP APPROVED -----------------------------------------
3254
+ //-------------------------------------------------------------
3255
+
3256
+ //=========================================================================
3257
+ // END Application entries
3258
+ //=========================================================================
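--- a/proxyscripts.zip
+++ b/proxyscripts.zip
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11966b8961d32a33b71bacf781282cd077bc4b260bb0084122b623ca889b3e98
+size 15163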
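--- a/template.pem
+++ b/template.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEGzCCAwOgAwIBAgIJAK0b8yplCxEVMA0GCSqGSIb3DQEBCwUAMIGjMQswCQYD
+VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEQMA4GA1UEBwwHV2FsdGhh
+bTEeMBwGA1UECgwVRGlnaXRhbCBHdWFyZGlhbiwgSW5jMR4wHAYDVQQDDBVEaWdp
+dGFsIEd1YXJkaWFuLCBJbmMxKjAoBgkqhkiG9w0BCQEWG3N1cHBvcnRAZGlnaXRh
+bGd1YXJkaWFuLmNvbTAeFw0xODAyMjMyMTQyNTlaFw0xOTAyMjMyMTQyNTlaMIGj
+MQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEQMA4GA1UEBwwH
+V2FsdGhhbTEeMBwGA1UECgwVRGlnaXRhbCBHdWFyZGlhbiwgSW5jMR4wHAYDVQQD
+DBVEaWdpdGFsIEd1YXJkaWFuLCBJbmMxKjAoBgkqhkiG9w0BCQEWG3N1cHBvcnRA
+ZGlnaXRhbGd1YXJkaWFuLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMeOyubCIcc45+NBftiutJMWrc2+N0qeQZ95Gg1KqCnBhWqj/cqibFIoTMKh
+7tW+SYk7xxUnDLyvFlD0tYkKgAvADK848v/ZsvCjo15rTgRU77292ggc/gOj1P4N
+m3Iogtu9dDI6IaDLzhvj25afnbLqAYI8uCYoDECxUJa932Ns7YLT1ireYIH2q8wL
+C41meBa3TybVb/bWvS1CAf5ZmLnXWZ4hMyM80zDgtaFIF6PudyZnu1Omo3VxBUYI
+/DJiJXwF6vbrm1rDyPdDsBoPXzQvjwcIVG6Ri/h1s3pxD2UaGWcBsKN4AIWq4CJ7
+t/9zdk9P3mf7xsNleS7Trjq6xh8CAwEAAaNQME4wHQYDVR0OBBYEFCeWhMM0nAF5
+8agK3WAOjh0nr4Q3MB8GA1UdIwQYMBaAFCeWhMM0nAF58agK3WAOjh0nr4Q3MAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAF8HtTe+zfDCcGa38Ez0z8oV
+z4dXNBfBj2XOJ1mLPwPLsCxDM2jFbH81UwpTZoV5bvYaX1F+GVsDf+WQV3itM2CW
+n5iy1bP/kxgqZaU/N6wiJMMvWBtwSj0sjW/FyyYNzRvScH3lLhkCXjb3VZ7MgR8+
+99u9XKYLdTILpTsHl4UihOtDj9mblsJwtTv4ygnkgpj6ZJMIirJ20YNqsLz2eMdK
+8HQSR2l6BBOYwJQl2l0agotDlgR7ITGQCCwybke1XwkiqUxbgUvKnONQRSaW36C2
+PckgP1EgGVBK0HtQUmxEklaCCmFazVNfh3VP6x71nq2tXEOUluDefWWRFYla3tg=
+-----END CERTIFICATE-----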
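Review bot: template.pem is added with nothing stating its purpose or trust status, and the encoded fields suggest it should not be trusted as-is. Reading the base64 by hand (worth confirming with a certificate viewer), the validity fields decode to 2018-02-23 through 2019-02-23, so the certificate looks long expired. The subject and authority key identifiers on lines 16–17 are identical and the basic-constraints extension on line 18 appears to set CA to true, which points to a self-signed CA-capable certificate. If it is only a placeholder, as the file name hints, the commit description should say so, for example `template.pem: expired self-signed placeholder, do not import into any trust store; replace with the deployment's own certificate`. If some component actually loads it, that consumer should be named so the expiry and the CA flag can be reviewed against how it is validated.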