Tamper Protection

Function description: This feature restricts the operational permissions of a process on files.


1. Rule Matching Method

When it comes to "restricting a process's operational permissions on files," there are naturally three matching conditions: file path, process, and operation. Only when all three conditions are met can the match be considered successful.


The matching process is as follows:

1) First, check whether the file being operated on is within the "protected paths."

2) If it is within the protected paths, proceed to check each "advanced rule" in order of priority.

3) If the file path, process path, and operation restrictions all match, then intercept the operation. If any one of them does not match, allow the operation to proceed.


If there are multiple main rules, repeat steps 1-3 above until all rules have been checked.


2. Rule Execution Order

1) Main Rules

Main rules are executed in reverse chronological order based on their addition time. Once a match is found, the operation is immediately intercepted.




2) Advanced Rules

The advanced rules (also known as sub-rules) under each main rule are executed in descending order of priority. If multiple rules have the same priority, they are executed in reverse chronological order based on their addition time. Once a match is found, the operation is immediately intercepted.



Notes:

A. The priority range is from 1 to 99, with 1 being the highest priority and 99 being the lowest. In other words, a smaller number indicates a higher priority.

B. The "operation restrictions" in advanced rules take precedence over those in main rules. (This means that if a match is found in the advanced rules, the operation is immediately intercepted. Only if no match is found in the advanced rules will the operation restrictions in the main rules be checked.)



3. Rule Filling Instructions

1) Basic Rules

Enable Rule:

Tick the checkbox to enable the rule.


Protected Directory:

Fill in the file or directory that requires protection. It must start with an absolute path, and the asterisk (*) can only be placed at the far right.


Filling Examples:

d:\wwwroot\*  This indicates protection for d:\wwwroot itself and all its sub-paths.

d:\wwwroot  This indicates protection for d:\wwwroot itself only.

d:\wwwroot\index.php  This indicates protection for d:\wwwroot\index.php itself only.


Operation Restrictions:

Prohibited operation actions (note that these operation restrictions apply to all processes, meaning they match any process).

Prohibit Read: Prevents reading the content of files or directories (excluding attributes).

Prohibit Execute: Prevents running executable files as processes.

Prohibit Create: Prevents creating new files or directories.

Prohibit Modify: Prevents modifying the content of files (excluding attributes).

Prohibit Delete: Prevents deleting files or directories.

Prohibit Rename: Prevents renaming files or directories. Note: If the renaming involves changing the storage directory (such as cutting or moving), it will be identified as creating a new file and deleting the old one.

Prohibit Time Tampering: Prevents changing the "last modified time" of files or directories to a time more than 3 seconds before the current time.


Message Notification:

Sends a notification to the administrator when tampering behavior is intercepted. Be cautious when enabling this option, as it may generate a large number of notifications.



2) Advanced Rules

If the basic rules cannot meet your requirements, you can add complex rules through advanced rules.


Sub-path

Specify the sub-path requiring protection. Use * alone to represent all sub-paths.

Supports full or partial paths. For partial paths, add * on one or both sides.

Detailed rules: http://www.magiaegis.com/supports/defense/159.html


Examples:

*\uploads\*   Matches any path containing \uploads\, e.g., d:\web\uploads\logo.jpg.

*\admin.php   Matches the admin.php file.

*.php   Matches all PHP files.

d:\wwwroot\admin*   Matches all paths starting with d:\wwwroot\admin (must be within the protected path), e.g., d:\wwwroot\admin\index.php.

d:\wwwroot\admin\login.php   Matches this specific file.


Restricted Process

Specify the process path restricted by this rule. Use * alone to represent all processes.

Supports full or partial paths. For partial paths, add * on one or both sides.

Detailed rules: http://www.magiaegis.com/supports/defense/159.html


Examples:

*   Applies to all processes.

*\bin\*   Matches processes containing \bin\ in their path, e.g., d:\mysql\bin\mysql.exe.

*\mysqld.exe   Matches the mysqld.exe process.

d:\software\*   Matches all processes under d:\software, e.g., d:\software\mysql\mysqld.exe.

d:\software\mysql\mysqld.exe   Matches this specific process.


Priority

Advanced rules are executed in descending order of priority (from highest to lowest). If multiple advanced rules match, the one with the highest priority takes effect.

Priority range: 1–99 (1 = highest priority, 99 = lowest priority).
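As an added example (not the product's own code), the following Python simulation walks through the matching order from sections 1 and 2 together with the path pattern syntax from section 3. The policy, process paths and file paths it uses are constructed for illustration.

```python
from collections import namedtuple
# ops = prohibited operations; priority 1 = highest, 99 = lowest;
# seq = addition order (larger = added later, checked first on a priority tie).
AdvancedRule = namedtuple("AdvancedRule", "sub_path process ops priority seq")
MainRule = namedtuple("MainRule", "protected_dir ops advanced seq")

def match_pattern(pattern, path):
    # Partial-path match: '*' alone = any; leading '*' = ends with;
    # trailing '*' = starts with; both = contains. Windows paths: case-insensitive.
    p, s = pattern.lower(), path.lower()
    if p == "*":
        return True
    core = p.strip("*")
    if p.startswith("*") and p.endswith("*"):
        return core in s
    if p.startswith("*"):
        return s.endswith(core)
    if p.endswith("*"):
        return s.startswith(core)
    return s == core

def in_protected_dir(protected, path):
    # '*' only at the far right: 'd:\wwwroot\*' covers d:\wwwroot itself and
    # everything below it; with no '*', only that exact path is protected.
    p, s = protected.lower(), path.lower()
    if p.endswith("\\*"):
        base = p[:-2]
        return s == base or s.startswith(base + "\\")
    return s == p

def evaluate(rules, process, path, op):
    # Main rules newest-first; inside each, advanced rules by priority then
    # newest-first; the main rule's own restrictions apply only if none matched.
    for rule in sorted(rules, key=lambda r: -r.seq):
        if not in_protected_dir(rule.protected_dir, path):
            continue
        for adv in sorted(rule.advanced, key=lambda a: (a.priority, -a.seq)):
            if (match_pattern(adv.sub_path, path)
                    and match_pattern(adv.process, process) and op in adv.ops):
                return ("intercept", f"advanced rule {adv.seq}")
        if op in rule.ops:
            return ("intercept", f"main rule {rule.seq}")
    return ("allow", None)

# Constructed sample policy (not from the page): protect the web root and,
# on top of that, block executing anything under an uploads folder.
RULES = [MainRule("d:\\wwwroot\\*", {"create", "modify", "delete"}, [
    AdvancedRule("*.php", "*", {"modify"}, 5, 1),
    AdvancedRule("*\\uploads\\*", "*", {"execute"}, 10, 2)], 1)]
```

Note that the first advanced rule matches the path but not the operation in the execute case, so evaluation continues to the lower-priority rule before falling back to the main rule.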



