Module/Rule/Convert/Data.McAfee.ps1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.

<#
    Instructions: Use this file to add/update/delete registry expressions that are used across
    multiple technology files and are considered commonly used. Ensure expressions are listed
    from MOST Restrictive to LEAST Restrictive, similar to exception handling. Also, ensure only
    UNIQUE Keys are used in each hashtable to prevent errors and conflicts.
#>


# Registry value NAME extraction rules for McAfee checks, appended to the shared
# $global:SingleLineRegistryValueName table.
#   Match  - pattern for the registry path this rule applies to (every entry here
#            targets a path containing Wow6432Node\McAfee).
#   Select - pattern whose lookbehind anchors on one wording of "If the ..." and
#            whose full match is the word (\w+) that follows it.
# [ordered] keeps the entries in the order written; keys must be unique within the
# table (see the instructions at the top of this file).
# NOTE(review): the captured word presumably becomes the value name in the converted
# rule, so a pattern that fires on the wrong wording would yield a wrong setting name
# without any error - verify against the consumer.
$global:SingleLineRegistryValueName += [ordered]@{
    # "If the value of <name>" or "If the value for <name>"
    McAfee1 = @{ Match = 'Wow6432Node\\McAfee'; Select = '(?<=If the value (of|for)\s)(\w+)' }

    # "If the value <name>" (no "of"/"for")
    McAfee2 = @{ Match = 'Wow6432Node\\McAfee'; Select = '(?<=If the value\s)(\w+)' }

    # "If the <name>" preceded by two whitespace characters
    McAfee3 = @{ Match = 'Wow6432Node\\McAfee'; Select = '(?<=\s\sIf the\s)(\w+)' }

    # "Criteria: If the " followed by exactly one arbitrary character, then <name>.
    # NOTE(review): the '.' presumably skips an opening quote - confirm.
    McAfee4 = @{ Match = 'Wow6432Node\\McAfee'; Select = '(?<=Criteria:\sIf the\s.)(\w+)' }
}

# Registry value DATA extraction rules for McAfee checks, appended to the shared
# $global:SingleLineRegistryValueData table. Each Select pattern anchors on one
# wording and captures a run of digits (\d+). [ordered] keeps the entries in the
# order written; keys must be unique within the table (see the instructions at the
# top of this file).
# NOTE(review): the digits presumably become the expected registry data in the
# converted rule, so a wrong capture would produce a wrong compliance value without
# any error - verify against the consumer.
$global:SingleLineRegistryValueData += [ordered]@{
    # digits after " is REG_DWORD = "
    McAfee1 = @{ Select = '(?<=\sis\sREG_DWORD\s=\s)(\d+)' }

    # digits after "does not have a value of "
    McAfee2 = @{ Select = '(?<=does not have a value of\s)(\d+)' }

    # digits after " is not "
    McAfee3 = @{ Select = '(?<=\sis not\s)(\d+)' }

    # digits after "0x000001a0 (" - the hex literal is hard-coded, so this entry
    # only fires for text containing that exact value.
    McAfee4 = @{ Select = '(?<=0x000001a0\s\()(\d+)' }

    # digits after 'is not set to "'
    McAfee5 = @{ Select = '(?<=is not set to ")(\d+)' }

    # NOTE(review): same pattern as McAfee2; looks redundant - confirm before removing.
    McAfee6 = @{ Select = '(?<=does not have a value of\s)(\d+)' }

    # After "If the value of ", matches "<word> is <digits>". The digits are capture
    # group 1; the full match also contains the word and " is ".
    # NOTE(review): the entries above return the digits as the whole match - confirm
    # the consumer reads group 1 for this entry.
    McAfee7 = @{ Select = '(?<=If the value of\s)\w+\sis\s(\d+)' }

    # NOTE(review): the pattern starts with a literal space in front of the
    # lookbehind. That space has to be the whitespace the lookbehind checks, so a tab
    # or a line start there does not match, and the full match begins with the space.
    # Looks unintended - confirm against the consumer before changing it.
    McAfee8 = @{ Select = ' (?<=If the value\s)\w+\sis\s(\d+)' }
}