.N W2K_Instant_Messaging_Activity #Policy Name
.L 2 #Policy structure
.D This policy contains rules that detect activity associated with various instant messaging (IM) applications. The IM applications covered include AOL, Yahoo, MSN, and ICQ. Other applications include mIRC (Internet Relay Chat) and Trillian’s comprehensive IM program. #Policy Description
.V 1049474654 #Policy revision number
.Z 123 #Policy ID
.R AOL IM Installed #Rule Definition
..D This rule detects the installation of AOL Instant Messenger (AIM). #Rule Description
..Z 51 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger (SM)*SET* #Regular text
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger*SET* #Regular text
....C 1 #Case sensitivity
....Z 49 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 50 #ID of the clause
.R AOL IM Filter #Rule Definition
..D This rule filters changes to the AOL Instant Messenger (AIM) registry key. #Rule Description
..Z 48 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SOFTWARE\America Online\AOL Instant Messenger* #Regular text
....T 3145920 #Regular text
....C 0 #Case sensitivity
....Z 47 #ID of the clause
.R Yahoo! IM Installed Flag #Rule Definition
..D This rule detects the creation of registry keys that comprise a Yahoo Instant Messenger installation and raises a flag. #Rule Description
..Z 113 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *NTVDM* #Regular text
....C 0 #Case sensitivity
....Z 111 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_CURRENT_USER\Software\Yahoo\Pager ?*CREATE* #Regular text
....C 1 #Case sensitivity
....Z 110 #ID of the clause
..A #Action Clause(s)
...B Yahoo Installed #Raise Flag
....L 60 #Lifetime of flag
....G #Global context
....Z 112 #ID of the clause
.R Yahoo! IM Started #Rule Definition
..D This rule detects the starting of a Yahoo Instant Messenger process. #Rule Description
..Z 116 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*YPager.exe* #Regular text
....C 1 #Case sensitivity
....Z 114 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 115 #ID of the clause
.R AOL IM Started #Rule Definition
..D This rule detects the starting of an AOL Instant Messenger (AIM) process. #Rule Description
..Z 54 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*\aim.exe* #Regular text
....C 1 #Case sensitivity
....Z 52 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 53 #ID of the clause
.R Yahoo! IM Filter #Rule Definition
..D This rule filters changes to the Yahoo Instant Messenger Pager registry key. #Rule Description
..Z 109 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_CURRENT_USER\Software\Yahoo\Pager #Regular text
....T 60 #Regular text
....C 0 #Case sensitivity
....Z 108 #ID of the clause
.R MSN Messenger Installed #Rule Definition
..D This rule detects the installation of MSN Messenger. #Rule Description
..Z 89 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\InstallationDirectory* #Regular text
....C 1 #Case sensitivity
....Z 86 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *SET VALUE* #Regular text
....C 1 #Case sensitivity
....Z 87 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 88 #ID of the clause
.R MSN Messenger Filter #Rule Definition
..D This rule filters changes to the MSN Messenger registry key. #Rule Description
..Z 85 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\InstallationDirectory #Regular text
....T 3145920 #Regular text
....C 0 #Case sensitivity
....Z 84 #ID of the clause
.R MSN Messenger Started #Rule Definition
..D This rule detects the starting of an MSN Messenger process. #Rule Description
..Z 92 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*msmsgs.exe* #Regular text
....C 1 #Case sensitivity
....Z 90 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 91 #ID of the clause
.R ICQ Filter #Rule Definition
..D This rule filters changes to the ICQ Instant Messenger registry key. #Rule Description
..Z 60 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SOFTWARE\Mirabilis\ICQ\Install\General\InstalledDir #Regular text
....T 3145920 #Regular text
....C 0 #Case sensitivity
....Z 59 #ID of the clause
.R ICQ Installed #Rule Definition
..D This rule detects the installation of ICQ Instant Messenger. #Rule Description
..Z 63 #Rule ID
..K #Rule And Select logic
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\Mirabilis\ICQ\Install\General\InstalledDir ?*SET* #Regular text
....C 1 #Case sensitivity
....Z 61 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 62 #ID of the clause
.R ICQ Started #Rule Definition
..D This rule detects the starting of an ICQ Instant Messenger process. #Rule Description
..Z 66 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*Icq.exe* #Regular text
....C 1 #Case sensitivity
....Z 64 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 65 #ID of the clause
.R mIRC Installed Flag #Rule Definition
..D This rule detects the creation of registry keys that comprise a mIRC installation and raises a flag. #Rule Description
..Z 77 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC ?*CREATE* #Regular text
....C 1 #Case sensitivity
....Z 75 #ID of the clause
..A #Action Clause(s)
...B mIRC Installed Flag #Raise Flag
....L 60 #Lifetime of flag
....G #Global context
....Z 76 #ID of the clause
.R mIRC Filter #Rule Definition
..D This rule filters changes to the mIRC registry key. #Rule Description
..Z 71 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC #Regular text
....T 60 #Regular text
....C 0 #Case sensitivity
....Z 70 #ID of the clause
.R mIRC Started #Rule Definition
..D This rule detects the starting of an mIRC process. #Rule Description
..Z 80 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*mirc.exe* #Regular text
....C 1 #Case sensitivity
....Z 78 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 79 #ID of the clause
.R Trillian Filter #Rule Definition
..D This rule filters changes to the Trillian Instant Messenger registry key. #Rule Description
..Z 98 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian #Regular text
....T 60 #Regular text
....C 0 #Case sensitivity
....Z 97 #ID of the clause
.R Trillian Installed #Rule Definition
..D This rule detects the installation of the Trillian Instant Messenger program. #Rule Description
..Z 101 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian ?*CREATE* #Regular text
....C 1 #Case sensitivity
....Z 99 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 100 #ID of the clause
.R Trillian Started #Rule Definition
..D This rule detects the starting of a Trillian Instant Messenger process. #Rule Description
..Z 104 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*trillian.exe* #Regular text
....C 1 #Case sensitivity
....Z 102 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 103 #ID of the clause
.R Yahoo! Installed #Rule Definition
..D This rule detects the installation of Yahoo Instant Messenger. #Rule Description
..Z 122 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...B Yahoo Installed Flag #Flag(S)
....I 112 #ID list
....F 112,{flag count}=2 #Flag list
....Z 120 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 121 #ID of the clause
.R mIRC Installed #Rule Definition
..D This rule detects the installation of mIRC. #Rule Description
..Z 74 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...B Flag #Flag(S)
....I 76 #ID list
....F 76,{flag count}=2 #Flag list
....Z 72 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 73 #ID of the clause
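As an added example (not part of this policy file or of the product that consumes it), the following Python parses the dotted directive format above into rules with their select (..S) and ignore (..I) clauses and evaluates the System Message (...G) clauses against constructed audit messages. It assumes one directive per line, that `*` and `?` in a ....T pattern are glob-style wildcards, that several ....T patterns in one clause are alternatives, and that ....C 1 means case-sensitive; it also tracks ...Q registry clauses so the full policy parses without mixing them into message matching.

```python
import fnmatch
import re
# Constructed excerpt of the policy above (two of its rules, comments kept as-is).
POLICY = r""".R AOL IM Started #Rule Definition
..S #Select Clause(s)
...G System Message #System Message
....T *ID: 592*new process*\aim.exe* #Regular text
.R Yahoo! IM Installed Flag #Rule Definition
..I #Ignore Clause(s)
...G System Message #System Message
....T *NTVDM* #Regular text
....C 0 #Case sensitivity
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_CURRENT_USER\Software\Yahoo\Pager ?*CREATE* #Regular text
....C 1 #Case sensitivity"""

DIRECTIVE = re.compile(r"^(\.+)(\w) ?(.*?)\s*(?:#.*)?$")  # dots = depth, letter = tag

def parse_policy(text):
    """Turn '.X value #comment' lines into rules, each with its select/ignore clauses."""
    rules, clause = [], None
    for m in filter(None, map(DIRECTIVE.match, text.splitlines())):
        depth, tag, value = len(m.group(1)), m.group(2), m.group(3)
        if depth == 1 and tag == "R":        # .R opens a rule
            rules.append({"name": value, "clauses": []})
        elif depth == 2:                     # ..S select / ..I ignore; any other tag ends the clause
            clause = {"kind": tag, "type": None, "patterns": [], "case": True} if tag in "SI" else None
            if clause is not None:
                rules[-1]["clauses"].append(clause)
        elif clause is not None and depth == 3:   # ...G system message / ...Q registry key
            clause["type"] = tag
        elif clause is not None and depth == 4 and tag == "T":
            clause["patterns"].append(value)
        elif clause is not None and depth == 4 and tag == "C":
            clause["case"] = value == "1"    # ....C 1 = case-sensitive, 0 = fold case
    return rules

def clause_matches(clause, message):
    # Assumptions: "*"/"?" are glob wildcards; several ....T patterns in one clause are alternatives.
    fold = str if clause["case"] else str.lower
    return any(fnmatch.fnmatchcase(fold(message), fold(p)) for p in clause["patterns"])

def matching_rules(rules, message):
    """Rules whose System Message (...G) select clauses all match and whose ignore clauses do not."""
    def hits(rule, kind):
        return [clause_matches(c, message) for c in rule["clauses"]
                if c["kind"] == kind and c["type"] == "G"]
    return [r["name"] for r in rules
            if (s := hits(r, "S")) and all(s) and not any(hits(r, "I"))]
```

Feeding the whole policy text to `parse_policy` instead of the excerpt yields every rule; the flag-count (...B / ....F) rules carry no ...G clause and therefore never fire from message matching alone.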