Can you use wildcards in the rootkit check files (win_malware_rcl.txt, 
win_audit_rcl.txt, etc)? Let's say you want to search one of the following

*:\Users\*\My*\
*:\Documents and Settings\*
*:Users\*\Documents\*

I know you need not specify the root file system, you can do "\Documents and 
Settings\ or \Users\", but what about actual sub-directories or wild cards? How 
would you search all Users\*\Documents or something similar?

So far I have tested the following; all have found 0 results:
* f:\Users\*\My Documents\nates_test.txt;
* f:%HOMEPATH%\My Documents\nates_test.txt;
* f:%HOMEPATH%\Documents\nates_test.txt;


None of the above produced a match in alerts.log.

Only when I specify an exact path (\Users\nsanders\Documents\nates_test.txt) do 
I get a match:
* logs/alerts/alerts.log:279618:Windows Malware: Nate TEST. File: 
C:\Users\nsanders\Documents\nates_test.txt.

Is this not possible? Is there some other variable I should be using?
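The post's tests only ever matched on an exact path. One defensive workaround that does not depend on the rootcheck engine understanding wildcards is to expand the glob patterns yourself against the volume (or a snapshot of it) and emit one explicit `f:` entry per match. The script below is an added example, not part of the original post or of the OSSEC project; it assumes the rootcheck block header form `[Name] [any] []` and the `f:\path;` entry syntax, builds a constructed directory tree in a temporary folder to stand in for a drive, and writes the entries drive-relative (as the post notes, the root file system need not be specified).

```python
import tempfile
from pathlib import Path


def expand_rootcheck_globs(root, patterns):
    """Expand forward-slash glob patterns relative to `root` into explicit
    rootcheck file entries of the form 'f:\\Users\\...\\file;'.

    The patterns are evaluated here, so the generated rootcheck file only
    contains exact paths, which is the one form the post saw matching.
    """
    root = Path(root)
    entries = []
    for pattern in patterns:
        # Path.glob takes a relative, forward-slash pattern; '*' covers one level.
        for match in sorted(root.glob(pattern)):
            if match.is_file():
                rel = match.relative_to(root)
                # Drive-relative Windows path, joined with backslashes.
                entries.append("f:\\" + "\\".join(rel.parts) + ";")
    return entries


def build_rootcheck_block(name, entries):
    """Assemble a rootcheck block (assumed header format: [Name] [any] [])."""
    lines = [f"[{name}] [any] []"]
    lines.extend(entries)
    return "\n".join(lines) + "\n"


def demo():
    """Constructed sample tree: two user profiles containing the test file,
    plus one file outside Documents that must not be picked up."""
    with tempfile.TemporaryDirectory() as tmp:
        for user in ("alice", "bob"):
            docs = Path(tmp, "Users", user, "Documents")
            docs.mkdir(parents=True)
            (docs / "nates_test.txt").write_text("constructed sample content")
        Path(tmp, "Users", "alice", "other.txt").write_text("not a target")

        entries = expand_rootcheck_globs(tmp, ["Users/*/Documents/nates_test.txt"])
        return build_rootcheck_block("Nate TEST", entries)


if __name__ == "__main__":
    print(demo(), end="")
```

Run it on the real volume by passing the mounted drive (for example `Path("C:/")` on the host) as `root`; regenerate the block whenever profiles are added, since the expansion is a snapshot rather than a live wildcard.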
