Generic Exclusion Lists

The exclusion lists in Capture 2.0 allow an event to be excluded by matching a particular event type, such as a registry event like OpenKey, together with two access regular expressions which control whether the event is allowed on the system or not. Usually these regular expressions are, first, the path of the process that initiated the event and, second, the path where the event occurs. The problem with this approach is that it is very inflexible, as shown by the ProcessMonitor exclusion lists, which have a redundant column. Also, the ability of Capture to monitor the system is based heavily on what the exclusion lists are capable of: the kernel drivers, even in version 2.0, are capable of detecting other events, but because the exclusion lists cannot be easily extended those events are just sitting there unused.

In version 3.0 we hope to fix this problem generically, with the ability to handle an arbitrary number of access regular expressions (AREs) for a particular event. However, we have not decided on a good way to achieve this. The structure we are leaning towards is the following:

[+,-] [event-type] [ARE 1] ... [ARE N]

However, several problems arise from this. First, the AREs do not define what they are restricting access to; it could be anything: a process path, an integer, a process id, etc. There needs to be some kind of exclusion list definition that defines what each ARE is for. Another problem is that for a single event type there may be certain AREs that are not applicable to it; for example, some registry events (the Value ones) can return a list of strings, or an integer, or nothing.

This page will serve as a placeholder for some ideas to fix these problems.
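One way to address both problems, sketched here as an added example rather than Capture's own code: a per-event-type definition table names the value each ARE position applies to (so a rule may give fewer AREs than the type defines, but not more), and matching tolerates fields that arrive as a string, an integer, a list of strings, or nothing. The event type names, field names and sample list are constructed assumptions.

```python
import re

# Assumed exclusion-list definition (not Capture's own): the value each ARE position applies to.
EVENT_FIELDS = {
    "registry:OpenKey": ["process_path", "key_path"],
    "registry:QueryValue": ["process_path", "key_path", "value_name", "value_data"],
    "file:Write": ["process_path", "file_path"],
}

# Constructed sample list in the proposed '[+,-] [event-type] [ARE 1] ... [ARE N]' form.
SAMPLE_LIST = r"""
+ registry:OpenKey C:\\Windows\\explorer\.exe HKLM\\Software\\.*
- registry:QueryValue .* .* Run .*\.exe
+ file:Write .*\\notepad\.exe
"""

def parse_exclusion_list(text):
    """Fewer AREs than the type defines leaves trailing fields unconstrained;
    more is an error. AREs are whitespace-separated, so they cannot contain spaces."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        action, event_type, *ares = parts
        fields = EVENT_FIELDS.get(event_type)
        if action not in ("+", "-") or fields is None or len(ares) > len(fields):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        compiled = [re.compile(a, re.IGNORECASE) for a in ares]
        rules.append((action == "+", event_type, list(zip(fields, compiled))))
    return rules

def _field_matches(regex, value):
    """Field may be a str, int, list of str, or None; fullmatch so the ARE covers the whole value."""
    if isinstance(value, list):
        return any(_field_matches(regex, v) for v in value)
    return value is not None and regex.fullmatch(str(value)) is not None

def first_match(rules, event):
    """First rule whose type and every ARE match 'event' (a dict with 'event_type')."""
    for rule in rules:
        allow, event_type, constraints = rule
        if event_type == event["event_type"] and all(
                _field_matches(rx, event.get(f)) for f, rx in constraints):
            return rule
    return None

def is_excluded(rules, event):
    rule = first_match(rules, event)
    return rule is not None and rule[0]
```

Anchored matching (`fullmatch`) matters for an exclusion list: a regex that only matches a prefix of a path would silently exclude events from look-alike paths.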