.N W2K File Tampering #Policy Name
.L 2 #Policy structure
.D Detects any changes to monitored system files (every 8 hours) and critical system files (every 60 seconds). #Policy Description
.V 1003132544 #Policy revision number
.Z 166 #Policy ID
.Z 166 #Policy ID
.R File-Replaced/Changed #Rule Definition
..D Detects the modification or replacement of a file listed in ntcrit_L.lst. The file may have been tampered with or replaced by a trojan horse with the same name. #Rule Description
..Z 165 #Rule ID
..V 50 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *Is now accessible* #Regular text
....C 0 #Case sensitivity
....Z 163 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 8 hours!*changed* #Regular text
....C 0 #Case sensitivity
....Z 162 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 164 #ID of the clause
.R File-Reappeared #Rule Definition
..D Detects the reappearance of a file listed in ntcrit_L.lst. #Rule Description
..Z 161 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 8 hours!*Is now accessible* #Regular text
....C 0 #Case sensitivity
....Z 159 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 160 #ID of the clause
.R File-Missing #Rule Definition
..D Detects the deletion or renaming of a file listed in ntcrit_L.lst. #Rule Description
..Z 158 #Rule ID
..V 50 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 8 hours!*Can no longer access file* #Regular text
....C 0 #Case sensitivity
....Z 156 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 157 #ID of the clause
.R Critical File-Reappeared #Rule Definition
..D Detects the reappearance of a file listed in ntcrit_S.lst. #Rule Description
..Z 151 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 60 seconds!*Is now accessible* #Regular text
....C 0 #Case sensitivity
....Z 149 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 150 #ID of the clause
.R Critical File-Missing #Rule Definition
..D Detects the deletion or renaming of a file listed in ntcrit_S.lst. #Rule Description
..Z 148 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 60 seconds!*Can no longer access file* #Regular text
....C 0 #Case sensitivity
....Z 146 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 147 #ID of the clause
.R Critical File-Replaced/Changed #Rule Definition
..D Detects the modification or replacement of a file listed in ntcrit_S.lst. The file may have been tampered with or replaced by a trojan horse with the same name. #Rule Description
..Z 155 #Rule ID
..V 90 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *Is now accessible* #Regular text
....C 0 #Case sensitivity
....Z 153 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *File Change in last 60 seconds!*changed* #Regular text
....C 0 #Case sensitivity
....Z 152 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 154 #ID of the clause