Creating driver identifiers

Driver identifiers, or IDs, make it possible to define legitimate drivers that you can exclude from rootkit detection.

Driver IDs are necessary when you create audit rules for rootkit detection, and must be created beforehand.

For more information, refer to the section Protection against various threats.

Since IDs are specific to each rule set, you must create IDs in each set. You can however export all the IDs of a rule set to import and use them in another set. For more information, refer to the section Importing and exporting identifiers.

  1. Select a policy in Policies, then select a set of rules.
  2. Click on the Identifiers tab at the top right, then on the Driver IDs tab.
  3. Click on Edit in the upper banner, then on Add an ID.
    A blank ID appears below the existing IDs.
  4. Click on Edit at the bottom right side of the entry.
  5. In the field New driver ID, enter an ID name, then a description if needed.
  6. Click on the + icon and select all the ID criteria that you wish to use, e.g., Path and Hashes.
  7. Click outside the criteria window and define each ID criterion selected.
    Specifying more criteria will more accurately identify the driver because all criteria must match.
  8. Click on Add an entry if you want to add another list of criteria for the same ID. Having several entries makes it possible to group various resources under the same ID, if the same security rules use them. For example, you can group all legitimate drivers to compile a whitelist.
  9. Click on OK.
  10. If you have finished creating driver identifiers, click on Save in the upper banner.
  11. To show the contents of a driver ID without editing it, click on View.
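As an added illustration (not code from the product or from this documentation), the following Python model evaluates a driver ID built the way the procedure describes: every criterion within an entry must match, and the ID applies when any one of its entries matches. The path pattern, hash values and file contents are constructed sample data, and the matching logic is an assumption about the semantics, not the product's own implementation.

```python
import fnmatch
import hashlib

# Constructed model of driver-ID evaluation. It is NOT the product's own
# matching code; it only illustrates the semantics from the procedure:
# all criteria in one entry must match (AND), and the driver is covered
# by the ID if at least one entry matches (OR).

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_matches(entry: dict, driver: dict) -> bool:
    """Every criterion present in the entry must match the driver."""
    if "path" in entry and not fnmatch.fnmatch(
            driver["path"].lower(), entry["path"].lower()):
        return False
    if "hashes" in entry and driver["sha256"] not in entry["hashes"]:
        return False
    return True

def driver_id_matches(driver_id: dict, driver: dict) -> bool:
    """The ID applies if any of its entries matches."""
    return any(entry_matches(e, driver) for e in driver_id["entries"])

# Constructed sample drivers grouped under one "legitimate drivers" ID.
STORAGE_DRIVER = b"constructed bytes standing in for a storage driver"
NIC_DRIVER = b"constructed bytes standing in for a NIC driver"

LEGIT_DRIVERS_ID = {
    "name": "legitimate_drivers",  # hypothetical ID name
    "entries": [
        # Path AND hash: the most precise identification.
        {"path": r"C:\Windows\System32\drivers\stor*.sys",
         "hashes": {sha256_hex(STORAGE_DRIVER)}},
        # Hash only: identifies the driver wherever it is located.
        {"hashes": {sha256_hex(NIC_DRIVER)}},
    ],
}

def is_legitimate(path: str, content: bytes) -> bool:
    """Return True if the driver at `path` with `content` is covered by the ID."""
    driver = {"path": path, "sha256": sha256_hex(content)}
    return driver_id_matches(LEGIT_DRIVERS_ID, driver)
```

A driver whose bytes were altered fails the hash criterion even at the expected path, and the storage driver copied to another folder fails the path criterion, since both criteria of that entry must match.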