From 676b75efeda3bc531c9f4e13c7701562cae506c2 Mon Sep 17 00:00:00 2001
From: Elwali karkoub <elwali@wazuh.com>
Date: Thu, 21 Mar 2019 14:42:14 +0100
Subject: [PATCH 1/7] Create 0585-VIPRE_rules.xml

---
 rules/0585-VIPRE_rules.xml | 554 +++++++++++++++++++++++++++++++++++++
 1 file changed, 554 insertions(+)
 create mode 100644 rules/0585-VIPRE_rules.xml

diff --git a/rules/0585-VIPRE_rules.xml b/rules/0585-VIPRE_rules.xml
new file mode 100644
index 000000000..b39d52235
--- /dev/null
+++ b/rules/0585-VIPRE_rules.xml
@@ -0,0 +1,554 @@
+<!--
+  -  Vipre rules
+  -  Created by Wazuh, Inc.
+  -  Copyright (C) 2015-2019, Wazuh Inc.
+  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
+-->
+
+
+<group name="Vipre">
+
+ <rule id="90500" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4097$</id>
+    <description>VIPRE :  System shutdown complete </description>
+    <options>no_full_log</options>
+  </rule>
+  
+  
+   <rule id="90501" level="7">
+    <if_sid>18101</if_sid>
+    <id>^4098$</id>
+    <description>VIPRE :  User initiated shutdown </description>
+    <options>no_full_log</options>
+  </rule>
+  
+   <rule id="90502" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4099$</id>
+    <description>VIPRE : Service started Application version </description>
+    <options>no_full_log</options>
+  </rule>
+ 
+ 
+  <rule id="90503" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4100$</id>
+    <description>VIPRE : Service paused</description>
+    <options>no_full_log</options>
+  </rule>
+
+  
+  <rule id="90504" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4101$</id>
+    <description>VIPRE : Service resumed</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90505" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4102$</id>
+    <description>ThreatNet : The transfer of one or more ThreatNet files failed </description>
+    <options>no_full_log</options>
+  </rule>   
+ 
+  <rule id="90506" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4103$</id>
+    <description>ThreatNet Transfer occured </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90507" level="6">
+    <if_sid>18101</if_sid>
+    <id>^4104$</id>
+    <description>The start of the ThreatNet controller failed</description>
+    <options>no_full_log</options>
+  </rule>
+
+ 
+
+   <rule id="90508" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4105$</id>
+    <description>VIPRE : Active Protection enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90509" level="7">
+    <if_sid>18101</if_sid>
+    <id>^4106$</id>
+    <description>VIPRE : Active Protection disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+   <rule id="90510" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4108$</id>
+    <description>VIPRE : Active protection could not be enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90511" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4109$</id>
+    <description>VIPRE : Active Protection could not be disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+   <rule id="90512" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4110$</id>
+    <description>VIPRE : Active Protection requires a reboot to fully protect your computer </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90513" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4111$</id>
+    <description>VIPRE : Active Protection could not be enabled because there are no threat definitions </description>
+    <options>no_full_log</options>
+  </rule>
+
+   <rule id="90514" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4112$</id>
+    <description>VIPRE : Manual software update downloaded </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90515" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4113$</id>
+    <description>VIPRE : Scheduled software update downloaded </description>
+    <options>no_full_log</options>
+  </rule>
+
+  
+   <rule id="90516" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4114$</id>
+    <description>VIPRE was unable to complete the check for software updates </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+  <rule id="90517" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4115$</id>
+    <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event. </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  
+  <rule id="90518" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4116$</id>
+    <description>VIPRE : The start of the software update controller failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90519" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4121$</id>
+    <description>VIPRE : Definitions update applied</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+   <rule id="90520" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4122$</id>
+    <description>VIPRE : Definitions update cancelled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+  <rule id="90521" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4123$</id>
+    <description>VIPRE was unable to complete the check for threat definitions updates </description>
+    <options>no_full_log</options>
+  </rule>
+
+ 
+ <rule id="90522" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4124$</id>
+    <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event  </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ 
+  <rule id="90523" level="6">
+    <if_sid>18101</if_sid>
+    <id>^4125$</id>
+    <description>VIPRE : Start of threat definitions controller failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+ 
+ <rule id="90524" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4126$</id>
+    <description> VIPRE : Cannot update threat definitions because your registration is expired</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90525" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4129$</id>
+    <description>VIPRE : Completed scheduled deep scan </description>
+    <options>no_full_log</options>
+  </rule>
+
+ 
+ <rule id="90526" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4130$</id>
+    <description> VIPRE : Completed manual deep scan </description>
+    <options>no_full_log</options>
+  </rule>
+
+ 
+
+ <rule id="90527" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4131$</id>
+    <description>VIPRE : Completed scheduled quick scan </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90528" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4132$</id>
+    <description> VIPRE : Completed manual quick scan</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90529" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4133$</id>
+    <description>VIPRE : Completed scheduled custom scan </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90530" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4134$</id>
+    <description> VIPRE : Completed manual custom scan</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+
+  <rule id="90531" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4135$</id>
+    <description>VIPRE : Scan cancelled</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90532" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4136$</id>
+    <description> VIPRE : Reboot required</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90533" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4137$</id>
+    <description>VIPRE : A scan of your computer failed because there are no threat definitions </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90534" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4138$</id>
+    <description> VIPRE : Start of the scan controller failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+   <rule id="90535" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4139$</id>
+    <description>VIPRE : An item has been quarantined </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90536" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4140$</id>
+    <description> VIPRE : An item has been restored from quarantine </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90537" level="6">
+    <if_sid>18101</if_sid>
+    <id>^4141$</id>
+    <description>VIPRE : An item has been deleted from quarantine </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90538" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4142$</id>
+    <description> VIPRE : The quarantne has been purged </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90539" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4143$</id>
+    <description> VIPRE : The quarantne controller could not be started </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90540" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4145$</id>
+    <description> VIPRE : Email AV enabled  </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90541" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4146$</id>
+    <description> VIPRE : Email AV disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90542" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4147$</id>
+    <description>VIPRE : Email protection is enabled but the drivers are not loaded </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90543" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4148$</id>
+    <description> VIPRE : The scan of an email item failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90544" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4149$</id>
+    <description> VIPRE : The Scan of an email item failed because there are no threat definitions </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+<rule id="90545" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4250$</id>
+    <description> VIPRE : Registration state changed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90546" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4151$</id>
+    <description>VIPRE : The registration controller could not be started </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90547" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4153$</id>
+    <description> VIPRE : The scan control could not complete its scan </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90548" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4159$</id>
+    <description> VIPRE : A scheduled scan was missed because the machine was powered off</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90549" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4160$</id>
+    <description> VIPRE : Quarantine of an item failed</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90550" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4161$</id>
+    <description> VIPRE : Restore of an item from quarantine failed</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90551" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4162$</id>
+    <description> VIPRE : Delete of an from quarantine failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+  <rule id="90552" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4163$</id>
+    <description> VIPRE : The quarantine purge failed </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90553" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4165$</id>
+    <description> VIPRE : Firewall enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90554" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4166$</id>
+    <description> VIPRE : Firewall disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90555" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4167$</id>
+    <description> VIPRE : IDS enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90556" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4168$</id>
+    <description> VIPRE : IDS disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90557" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4169$</id>
+    <description> VIPRE : Web Filtering enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90558" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4170$</id>
+    <description> VIPRE : Web Filtering disabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90559" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4171$</id>
+    <description> VIPRE : Bad Web Site Blocking enabled </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90560" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4172$</id>
+    <description> VIPRE : Bad Web Site Blocking disabled</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90561" level="3">
+    <if_sid>18101</if_sid>
+    <id>^4173$</id>
+    <description> VIPRE : HIPS enabled</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+ <rule id="90562" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4174$</id>
+    <description> VIPRE : HIPS disabled</description>
+    <options>no_full_log</options>
+  </rule>
+
+
+
+ <rule id="90563" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4175$</id>
+    <description> VIPRE : Firewall Resume All Traffic </description>
+    <options>no_full_log</options>
+  </rule>
+
+  <rule id="90564" level="5">
+    <if_sid>18101</if_sid>
+    <id>^4176$</id>
+    <description> VIPRE : Firewall Stops All Traffic </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+   <rule id="90565" level="4">
+    <if_sid>18101</if_sid>
+    <id>^4177$</id>
+    <description> VIPRE : Active protection blocked a process from accessing a file </description>
+    <options>no_full_log</options>
+  </rule>
+
+
+</group>
+

From 2f03924253e0f04598bb84e5d969b4b9fabcdcd0 Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Mon, 26 Aug 2019 21:12:21 +0200
Subject: [PATCH 2/7] Update 0585-VIPRE_rules.xml

---
 rules/0585-VIPRE_rules.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/rules/0585-VIPRE_rules.xml b/rules/0585-VIPRE_rules.xml
index b39d52235..9fe32ba8a 100644
--- a/rules/0585-VIPRE_rules.xml
+++ b/rules/0585-VIPRE_rules.xml
@@ -8,6 +8,13 @@
 
 <group name="Vipre">
 
+<rule id="90499" level="3">
+    <if_sid>18101</if_sid>
+    <match>SBAMSvc</match>
+    <description>VIPRE Informational message</description>
+    <options>no_full_log</options>
+  </rule>
+
  <rule id="90500" level="5">
     <if_sid>18101</if_sid>
     <id>^4097$</id>

From 8153927ffeab740c5c8951acca49bad921fbc47b Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Tue, 27 Aug 2019 17:37:55 +0200
Subject: [PATCH 3/7] Update and rename 0585-VIPRE_rules.xml to
 0585-vipre_rules.xml

---
 ...5-VIPRE_rules.xml => 0585-vipre_rules.xml} | 140 +++++++++---------
 1 file changed, 69 insertions(+), 71 deletions(-)
 rename rules/{0585-VIPRE_rules.xml => 0585-vipre_rules.xml} (62%)

diff --git a/rules/0585-VIPRE_rules.xml b/rules/0585-vipre_rules.xml
similarity index 62%
rename from rules/0585-VIPRE_rules.xml
rename to rules/0585-vipre_rules.xml
index 9fe32ba8a..ef7487548 100644
--- a/rules/0585-VIPRE_rules.xml
+++ b/rules/0585-vipre_rules.xml
@@ -6,19 +6,19 @@
 -->
 
 
-<group name="Vipre">
+<group name="vipre">
 
 <rule id="90499" level="3">
     <if_sid>18101</if_sid>
     <match>SBAMSvc</match>
-    <description>VIPRE Informational message</description>
+     <description>VIPRE Informational message</description>
     <options>no_full_log</options>
   </rule>
 
  <rule id="90500" level="5">
     <if_sid>18101</if_sid>
     <id>^4097$</id>
-    <description>VIPRE :  System shutdown complete </description>
+    <description>System shutdown complete</description>
     <options>no_full_log</options>
   </rule>
   
@@ -26,14 +26,14 @@
    <rule id="90501" level="7">
     <if_sid>18101</if_sid>
     <id>^4098$</id>
-    <description>VIPRE :  User initiated shutdown </description>
+    <description>User initiated shutdown</description>
     <options>no_full_log</options>
   </rule>
   
    <rule id="90502" level="3">
     <if_sid>18101</if_sid>
     <id>^4099$</id>
-    <description>VIPRE : Service started Application version </description>
+    <description>Service started Application version</description>
     <options>no_full_log</options>
   </rule>
  
@@ -41,7 +41,7 @@
   <rule id="90503" level="5">
     <if_sid>18101</if_sid>
     <id>^4100$</id>
-    <description>VIPRE : Service paused</description>
+    <description>Service paused</description>
     <options>no_full_log</options>
   </rule>
 
@@ -49,7 +49,7 @@
   <rule id="90504" level="3">
     <if_sid>18101</if_sid>
     <id>^4101$</id>
-    <description>VIPRE : Service resumed</description>
+    <description>Service resumed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -57,14 +57,14 @@
   <rule id="90505" level="5">
     <if_sid>18101</if_sid>
     <id>^4102$</id>
-    <description>ThreatNet : The transfer of one or more ThreatNet files failed </description>
+     <description>The transfer of one or more ThreatNet files failed</description>
     <options>no_full_log</options>
   </rule>   
  
   <rule id="90506" level="5">
     <if_sid>18101</if_sid>
     <id>^4103$</id>
-    <description>ThreatNet Transfer occured </description>
+     <description>Transfer occured</description>
     <options>no_full_log</options>
   </rule>
 
@@ -72,7 +72,7 @@
   <rule id="90507" level="6">
     <if_sid>18101</if_sid>
     <id>^4104$</id>
-    <description>The start of the ThreatNet controller failed</description>
+     <description>The start of the ThreatNet controller failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -81,7 +81,7 @@
    <rule id="90508" level="3">
     <if_sid>18101</if_sid>
     <id>^4105$</id>
-    <description>VIPRE : Active Protection enabled </description>
+    <description>Active Protection enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -89,14 +89,14 @@
   <rule id="90509" level="7">
     <if_sid>18101</if_sid>
     <id>^4106$</id>
-    <description>VIPRE : Active Protection disabled </description>
+    <description>Active Protection disabled</description>
     <options>no_full_log</options>
   </rule>
 
    <rule id="90510" level="5">
     <if_sid>18101</if_sid>
     <id>^4108$</id>
-    <description>VIPRE : Active protection could not be enabled </description>
+    <description>Active protection could not be enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -104,7 +104,7 @@
   <rule id="90511" level="5">
     <if_sid>18101</if_sid>
     <id>^4109$</id>
-    <description>VIPRE : Active Protection could not be disabled </description>
+    <description>Active Protection could not be disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -112,7 +112,7 @@
    <rule id="90512" level="4">
     <if_sid>18101</if_sid>
     <id>^4110$</id>
-    <description>VIPRE : Active Protection requires a reboot to fully protect your computer </description>
+    <description>Active Protection requires a reboot to fully protect your computer</description>
     <options>no_full_log</options>
   </rule>
 
@@ -120,14 +120,14 @@
   <rule id="90513" level="4">
     <if_sid>18101</if_sid>
     <id>^4111$</id>
-    <description>VIPRE : Active Protection could not be enabled because there are no threat definitions </description>
+    <description>Active Protection could not be enabled because there are no threat definitions</description>
     <options>no_full_log</options>
   </rule>
 
    <rule id="90514" level="3">
     <if_sid>18101</if_sid>
     <id>^4112$</id>
-    <description>VIPRE : Manual software update downloaded </description>
+    <description>Manual software update downloaded</description>
     <options>no_full_log</options>
   </rule>
 
@@ -135,7 +135,7 @@
   <rule id="90515" level="3">
     <if_sid>18101</if_sid>
     <id>^4113$</id>
-    <description>VIPRE : Scheduled software update downloaded </description>
+    <description>Scheduled software update downloaded</description>
     <options>no_full_log</options>
   </rule>
 
@@ -143,7 +143,7 @@
    <rule id="90516" level="4">
     <if_sid>18101</if_sid>
     <id>^4114$</id>
-    <description>VIPRE was unable to complete the check for software updates </description>
+     <description>VIPRE was unable to complete the check for software updates</description>
     <options>no_full_log</options>
   </rule>
 
@@ -152,7 +152,7 @@
   <rule id="90517" level="4">
     <if_sid>18101</if_sid>
     <id>^4115$</id>
-    <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event. </description>
+     <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event</description>
     <options>no_full_log</options>
   </rule>
 
@@ -161,7 +161,7 @@
   <rule id="90518" level="5">
     <if_sid>18101</if_sid>
     <id>^4116$</id>
-    <description>VIPRE : The start of the software update controller failed </description>
+    <description>The start of the software update controller failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -169,7 +169,7 @@
   <rule id="90519" level="3">
     <if_sid>18101</if_sid>
     <id>^4121$</id>
-    <description>VIPRE : Definitions update applied</description>
+    <description>Definitions update applied</description>
     <options>no_full_log</options>
   </rule>
 
@@ -177,7 +177,7 @@
    <rule id="90520" level="4">
     <if_sid>18101</if_sid>
     <id>^4122$</id>
-    <description>VIPRE : Definitions update cancelled </description>
+    <description>Definitions update cancelled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -186,7 +186,7 @@
   <rule id="90521" level="4">
     <if_sid>18101</if_sid>
     <id>^4123$</id>
-    <description>VIPRE was unable to complete the check for threat definitions updates </description>
+     <description>VIPRE was unable to complete the check for threat definitions updates</description>
     <options>no_full_log</options>
   </rule>
 
@@ -194,7 +194,7 @@
  <rule id="90522" level="4">
     <if_sid>18101</if_sid>
     <id>^4124$</id>
-    <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event  </description>
+     <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
     <options>no_full_log</options>
   </rule>
 
@@ -203,7 +203,7 @@
   <rule id="90523" level="6">
     <if_sid>18101</if_sid>
     <id>^4125$</id>
-    <description>VIPRE : Start of threat definitions controller failed </description>
+    <description>Start of threat definitions controller failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -211,7 +211,7 @@
  <rule id="90524" level="4">
     <if_sid>18101</if_sid>
     <id>^4126$</id>
-    <description> VIPRE : Cannot update threat definitions because your registration is expired</description>
+    <description>Cannot update threat definitions because your registration is expired</description>
     <options>no_full_log</options>
   </rule>
 
@@ -219,7 +219,7 @@
  <rule id="90525" level="3">
     <if_sid>18101</if_sid>
     <id>^4129$</id>
-    <description>VIPRE : Completed scheduled deep scan </description>
+    <description>Completed scheduled deep scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -227,7 +227,7 @@
  <rule id="90526" level="3">
     <if_sid>18101</if_sid>
     <id>^4130$</id>
-    <description> VIPRE : Completed manual deep scan </description>
+    <description>Completed manual deep scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -236,7 +236,7 @@
  <rule id="90527" level="3">
     <if_sid>18101</if_sid>
     <id>^4131$</id>
-    <description>VIPRE : Completed scheduled quick scan </description>
+    <description>Completed scheduled quick scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -244,7 +244,7 @@
  <rule id="90528" level="3">
     <if_sid>18101</if_sid>
     <id>^4132$</id>
-    <description> VIPRE : Completed manual quick scan</description>
+    <description>Completed manual quick scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -252,7 +252,7 @@
  <rule id="90529" level="3">
     <if_sid>18101</if_sid>
     <id>^4133$</id>
-    <description>VIPRE : Completed scheduled custom scan </description>
+    <description>Completed scheduled custom scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -260,17 +260,15 @@
  <rule id="90530" level="3">
     <if_sid>18101</if_sid>
     <id>^4134$</id>
-    <description> VIPRE : Completed manual custom scan</description>
+    <description>Completed manual custom scan</description>
     <options>no_full_log</options>
   </rule>
 
 
-
-
   <rule id="90531" level="4">
     <if_sid>18101</if_sid>
     <id>^4135$</id>
-    <description>VIPRE : Scan cancelled</description>
+    <description>Scan cancelled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -278,7 +276,7 @@
  <rule id="90532" level="4">
     <if_sid>18101</if_sid>
     <id>^4136$</id>
-    <description> VIPRE : Reboot required</description>
+    <description>Reboot required</description>
     <options>no_full_log</options>
   </rule>
 
@@ -286,7 +284,7 @@
  <rule id="90533" level="4">
     <if_sid>18101</if_sid>
     <id>^4137$</id>
-    <description>VIPRE : A scan of your computer failed because there are no threat definitions </description>
+    <description>A scan of your computer failed because there are no threat definitions</description>
     <options>no_full_log</options>
   </rule>
 
@@ -294,15 +292,15 @@
  <rule id="90534" level="5">
     <if_sid>18101</if_sid>
     <id>^4138$</id>
-    <description> VIPRE : Start of the scan controller failed </description>
+    <description>Start of the scan controller failed</description>
     <options>no_full_log</options>
   </rule>
 
 
-   <rule id="90535" level="4">
+  <rule id="90535" level="4">
     <if_sid>18101</if_sid>
     <id>^4139$</id>
-    <description>VIPRE : An item has been quarantined </description>
+    <description>An item has been quarantined</description>
     <options>no_full_log</options>
   </rule>
 
@@ -310,7 +308,7 @@
  <rule id="90536" level="4">
     <if_sid>18101</if_sid>
     <id>^4140$</id>
-    <description> VIPRE : An item has been restored from quarantine </description>
+    <description>An item has been restored from quarantine</description>
     <options>no_full_log</options>
   </rule>
 
@@ -318,7 +316,7 @@
  <rule id="90537" level="6">
     <if_sid>18101</if_sid>
     <id>^4141$</id>
-    <description>VIPRE : An item has been deleted from quarantine </description>
+    <description>An item has been deleted from quarantine</description>
     <options>no_full_log</options>
   </rule>
 
@@ -326,7 +324,7 @@
  <rule id="90538" level="4">
     <if_sid>18101</if_sid>
     <id>^4142$</id>
-    <description> VIPRE : The quarantne has been purged </description>
+    <description>The quarantne has been purged</description>
     <options>no_full_log</options>
   </rule>
 
@@ -334,7 +332,7 @@
  <rule id="90539" level="5">
     <if_sid>18101</if_sid>
     <id>^4143$</id>
-    <description> VIPRE : The quarantne controller could not be started </description>
+    <description>The quarantne controller could not be started</description>
     <options>no_full_log</options>
   </rule>
 
@@ -342,7 +340,7 @@
   <rule id="90540" level="3">
     <if_sid>18101</if_sid>
     <id>^4145$</id>
-    <description> VIPRE : Email AV enabled  </description>
+    <description>Email AV enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -350,7 +348,7 @@
  <rule id="90541" level="4">
     <if_sid>18101</if_sid>
     <id>^4146$</id>
-    <description> VIPRE : Email AV disabled </description>
+    <description>Email AV disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -358,7 +356,7 @@
  <rule id="90542" level="4">
     <if_sid>18101</if_sid>
     <id>^4147$</id>
-    <description>VIPRE : Email protection is enabled but the drivers are not loaded </description>
+    <description>Email protection is enabled but the drivers are not loaded</description>
     <options>no_full_log</options>
   </rule>
 
@@ -366,7 +364,7 @@
  <rule id="90543" level="5">
     <if_sid>18101</if_sid>
     <id>^4148$</id>
-    <description> VIPRE : The scan of an email item failed </description>
+    <description>The scan of an email item failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -374,7 +372,7 @@
   <rule id="90544" level="5">
     <if_sid>18101</if_sid>
     <id>^4149$</id>
-    <description> VIPRE : The Scan of an email item failed because there are no threat definitions </description>
+    <description>The Scan of an email item failed because there are no threat definitions</description>
     <options>no_full_log</options>
   </rule>
 
@@ -382,7 +380,7 @@
 <rule id="90545" level="3">
     <if_sid>18101</if_sid>
     <id>^4250$</id>
-    <description> VIPRE : Registration state changed </description>
+    <description>Registration state changed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -390,7 +388,7 @@
  <rule id="90546" level="5">
     <if_sid>18101</if_sid>
     <id>^4151$</id>
-    <description>VIPRE : The registration controller could not be started </description>
+    <description>The registration controller could not be started</description>
     <options>no_full_log</options>
   </rule>
 
@@ -398,7 +396,7 @@
  <rule id="90547" level="5">
     <if_sid>18101</if_sid>
     <id>^4153$</id>
-    <description> VIPRE : The scan control could not complete its scan </description>
+    <description>The scan control could not complete its scan</description>
     <options>no_full_log</options>
   </rule>
 
@@ -406,7 +404,7 @@
   <rule id="90548" level="3">
     <if_sid>18101</if_sid>
     <id>^4159$</id>
-    <description> VIPRE : A scheduled scan was missed because the machine was powered off</description>
+    <description>A scheduled scan was missed because the machine was powered off</description>
     <options>no_full_log</options>
   </rule>
 
@@ -415,7 +413,7 @@
  <rule id="90549" level="4">
     <if_sid>18101</if_sid>
     <id>^4160$</id>
-    <description> VIPRE : Quarantine of an item failed</description>
+    <description>Quarantine of an item failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -424,7 +422,7 @@
  <rule id="90550" level="5">
     <if_sid>18101</if_sid>
     <id>^4161$</id>
-    <description> VIPRE : Restore of an item from quarantine failed</description>
+    <description>Restore of an item from quarantine failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -433,7 +431,7 @@
  <rule id="90551" level="4">
     <if_sid>18101</if_sid>
     <id>^4162$</id>
-    <description> VIPRE : Delete of an from quarantine failed </description>
+    <description>Delete of an from quarantine failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -441,7 +439,7 @@
   <rule id="90552" level="4">
     <if_sid>18101</if_sid>
     <id>^4163$</id>
-    <description> VIPRE : The quarantine purge failed </description>
+    <description>The quarantine purge failed</description>
     <options>no_full_log</options>
   </rule>
 
@@ -449,7 +447,7 @@
  <rule id="90553" level="3">
     <if_sid>18101</if_sid>
     <id>^4165$</id>
-    <description> VIPRE : Firewall enabled </description>
+     <description>Firewall enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -458,7 +456,7 @@
  <rule id="90554" level="5">
     <if_sid>18101</if_sid>
     <id>^4166$</id>
-    <description> VIPRE : Firewall disabled </description>
+     <description>Firewall disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -467,7 +465,7 @@
  <rule id="90555" level="3">
     <if_sid>18101</if_sid>
     <id>^4167$</id>
-    <description> VIPRE : IDS enabled </description>
+     <description>IDS enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -476,7 +474,7 @@
  <rule id="90556" level="5">
     <if_sid>18101</if_sid>
     <id>^4168$</id>
-    <description> VIPRE : IDS disabled </description>
+     <description>IDS disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -485,7 +483,7 @@
  <rule id="90557" level="3">
     <if_sid>18101</if_sid>
     <id>^4169$</id>
-    <description> VIPRE : Web Filtering enabled </description>
+    <description>Web Filtering enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -494,7 +492,7 @@
  <rule id="90558" level="5">
     <if_sid>18101</if_sid>
     <id>^4170$</id>
-    <description> VIPRE : Web Filtering disabled </description>
+     <description>Web Filtering disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -503,7 +501,7 @@
  <rule id="90559" level="3">
     <if_sid>18101</if_sid>
     <id>^4171$</id>
-    <description> VIPRE : Bad Web Site Blocking enabled </description>
+     <description>Bad Web Site Blocking enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -512,7 +510,7 @@
  <rule id="90560" level="5">
     <if_sid>18101</if_sid>
     <id>^4172$</id>
-    <description> VIPRE : Bad Web Site Blocking disabled</description>
+     <description>Bad Web Site Blocking disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -520,7 +518,7 @@
  <rule id="90561" level="3">
     <if_sid>18101</if_sid>
     <id>^4173$</id>
-    <description> VIPRE : HIPS enabled</description>
+     <description>HIPS enabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -528,7 +526,7 @@
  <rule id="90562" level="5">
     <if_sid>18101</if_sid>
     <id>^4174$</id>
-    <description> VIPRE : HIPS disabled</description>
+     <description>HIPS disabled</description>
     <options>no_full_log</options>
   </rule>
 
@@ -537,14 +535,14 @@
  <rule id="90563" level="4">
     <if_sid>18101</if_sid>
     <id>^4175$</id>
-    <description> VIPRE : Firewall Resume All Traffic </description>
+     <description>Firewall Resume All Traffic</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="90564" level="5">
     <if_sid>18101</if_sid>
     <id>^4176$</id>
-    <description> VIPRE : Firewall Stops All Traffic </description>
+     <description>Firewall Stops All Traffic</description>
     <options>no_full_log</options>
   </rule>
 
@@ -552,7 +550,7 @@
    <rule id="90565" level="4">
     <if_sid>18101</if_sid>
     <id>^4177$</id>
-    <description> VIPRE : Active protection blocked a process from accessing a file </description>
+     <description>Active protection blocked a process from accessing a file</description>
     <options>no_full_log</options>
   </rule>
 

From 6e02606739d1b0bf4c3557a2ae258c472201ea45 Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Tue, 27 Aug 2019 20:25:15 +0200
Subject: [PATCH 4/7] Update 0585-vipre_rules.xml

---
 rules/0585-vipre_rules.xml | 276 +++++++++++++------------------------
 1 file changed, 99 insertions(+), 177 deletions(-)

diff --git a/rules/0585-vipre_rules.xml b/rules/0585-vipre_rules.xml
index ef7487548..f4363b9bb 100644
--- a/rules/0585-vipre_rules.xml
+++ b/rules/0585-vipre_rules.xml
@@ -9,551 +9,473 @@
 <group name="vipre">
 
 <rule id="90499" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <match>SBAMSvc</match>
      <description>VIPRE Informational message</description>
     <options>no_full_log</options>
   </rule>
 
  <rule id="90500" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4097$</id>
     <description>System shutdown complete</description>
     <options>no_full_log</options>
   </rule>
   
-  
-   <rule id="90501" level="7">
-    <if_sid>18101</if_sid>
+  <rule id="90501" level="7">
+    <if_sid>60600</if_sid>
     <id>^4098$</id>
     <description>User initiated shutdown</description>
     <options>no_full_log</options>
   </rule>
   
-   <rule id="90502" level="3">
-    <if_sid>18101</if_sid>
+  <rule id="90502" level="3">
+    <if_sid>60600</if_sid>
     <id>^4099$</id>
     <description>Service started Application version</description>
     <options>no_full_log</options>
   </rule>
  
- 
   <rule id="90503" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4100$</id>
     <description>Service paused</description>
     <options>no_full_log</options>
   </rule>
-
-  
+ 
   <rule id="90504" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4101$</id>
     <description>Service resumed</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90505" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4102$</id>
      <description>The transfer of one or more ThreatNet files failed</description>
     <options>no_full_log</options>
   </rule>   
  
   <rule id="90506" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4103$</id>
      <description>Transfer occured</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90507" level="6">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4104$</id>
      <description>The start of the ThreatNet controller failed</description>
     <options>no_full_log</options>
   </rule>
 
- 
-
-   <rule id="90508" level="3">
-    <if_sid>18101</if_sid>
+  <rule id="90508" level="3">
+    <if_sid>60600</if_sid>
     <id>^4105$</id>
     <description>Active Protection enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90509" level="7">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4106$</id>
     <description>Active Protection disabled</description>
     <options>no_full_log</options>
   </rule>
 
-   <rule id="90510" level="5">
-    <if_sid>18101</if_sid>
+  <rule id="90510" level="5">
+    <if_sid>60600</if_sid>
     <id>^4108$</id>
     <description>Active protection could not be enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90511" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4109$</id>
     <description>Active Protection could not be disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-   <rule id="90512" level="4">
-    <if_sid>18101</if_sid>
+  <rule id="90512" level="4">
+    <if_sid>60600</if_sid>
     <id>^4110$</id>
     <description>Active Protection requires a reboot to fully protect your computer</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90513" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4111$</id>
     <description>Active Protection could not be enabled because there are no threat definitions</description>
     <options>no_full_log</options>
   </rule>
 
-   <rule id="90514" level="3">
-    <if_sid>18101</if_sid>
+  <rule id="90514" level="3">
+    <if_sid>60600</if_sid>
     <id>^4112$</id>
     <description>Manual software update downloaded</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90515" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4113$</id>
     <description>Scheduled software update downloaded</description>
     <options>no_full_log</options>
   </rule>
-
-  
-   <rule id="90516" level="4">
-    <if_sid>18101</if_sid>
+ 
+  <rule id="90516" level="4">
+    <if_sid>60600</if_sid>
     <id>^4114$</id>
      <description>VIPRE was unable to complete the check for software updates</description>
     <options>no_full_log</options>
   </rule>
 
-
-
   <rule id="90517" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4115$</id>
      <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event</description>
     <options>no_full_log</options>
   </rule>
-
-
-  
+ 
   <rule id="90518" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4116$</id>
     <description>The start of the software update controller failed</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90519" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4121$</id>
     <description>Definitions update applied</description>
     <options>no_full_log</options>
   </rule>
 
-
-   <rule id="90520" level="4">
-    <if_sid>18101</if_sid>
+  <rule id="90520" level="4">
+    <if_sid>60600</if_sid>
     <id>^4122$</id>
     <description>Definitions update cancelled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
   <rule id="90521" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4123$</id>
      <description>VIPRE was unable to complete the check for threat definitions updates</description>
     <options>no_full_log</options>
   </rule>
 
- 
- <rule id="90522" level="4">
-    <if_sid>18101</if_sid>
+  <rule id="90522" level="4">
+    <if_sid>60600</if_sid>
     <id>^4124$</id>
      <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
     <options>no_full_log</options>
   </rule>
 
-
- 
   <rule id="90523" level="6">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4125$</id>
     <description>Start of threat definitions controller failed</description>
     <options>no_full_log</options>
   </rule>
 
- 
  <rule id="90524" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4126$</id>
     <description>Cannot update threat definitions because your registration is expired</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90525" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4129$</id>
     <description>Completed scheduled deep scan</description>
     <options>no_full_log</options>
   </rule>
 
- 
- <rule id="90526" level="3">
-    <if_sid>18101</if_sid>
+  <rule id="90526" level="3">
+    <if_sid>60600</if_sid>
     <id>^4130$</id>
     <description>Completed manual deep scan</description>
     <options>no_full_log</options>
   </rule>
 
- 
-
  <rule id="90527" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4131$</id>
     <description>Completed scheduled quick scan</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90528" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4132$</id>
     <description>Completed manual quick scan</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90529" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4133$</id>
     <description>Completed scheduled custom scan</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90530" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4134$</id>
     <description>Completed manual custom scan</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
-  <rule id="90531" level="4">
-    <if_sid>18101</if_sid>
+ <rule id="90531" level="4">
+    <if_sid>60600</if_sid>
     <id>^4135$</id>
     <description>Scan cancelled</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90532" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4136$</id>
     <description>Reboot required</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90533" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4137$</id>
     <description>A scan of your computer failed because there are no threat definitions</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90534" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4138$</id>
     <description>Start of the scan controller failed</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90535" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4139$</id>
     <description>An item has been quarantined</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90536" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4140$</id>
     <description>An item has been restored from quarantine</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90537" level="6">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4141$</id>
     <description>An item has been deleted from quarantine</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90538" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4142$</id>
     <description>The quarantne has been purged</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90539" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4143$</id>
     <description>The quarantne controller could not be started</description>
     <options>no_full_log</options>
-  </rule>
+ </rule>
 
-
-  <rule id="90540" level="3">
-    <if_sid>18101</if_sid>
+ <rule id="90540" level="3">
+    <if_sid>60600</if_sid>
     <id>^4145$</id>
     <description>Email AV enabled</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90541" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4146$</id>
     <description>Email AV disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90542" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4147$</id>
     <description>Email protection is enabled but the drivers are not loaded</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90543" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4148$</id>
     <description>The scan of an email item failed</description>
     <options>no_full_log</options>
-  </rule>
+ </rule>
 
-
-  <rule id="90544" level="5">
-    <if_sid>18101</if_sid>
+ <rule id="90544" level="5">
+    <if_sid>60600</if_sid>
     <id>^4149$</id>
     <description>The Scan of an email item failed because there are no threat definitions</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
-<rule id="90545" level="3">
-    <if_sid>18101</if_sid>
+ <rule id="90545" level="3">
+    <if_sid>60600</if_sid>
     <id>^4250$</id>
     <description>Registration state changed</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
  <rule id="90546" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4151$</id>
     <description>The registration controller could not be started</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90547" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4153$</id>
     <description>The scan control could not complete its scan</description>
     <options>no_full_log</options>
   </rule>
 
-
   <rule id="90548" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4159$</id>
     <description>A scheduled scan was missed because the machine was powered off</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90549" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4160$</id>
     <description>Quarantine of an item failed</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90550" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4161$</id>
     <description>Restore of an item from quarantine failed</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90551" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4162$</id>
     <description>Delete of an from quarantine failed</description>
     <options>no_full_log</options>
-  </rule>
-
+ </rule>
 
   <rule id="90552" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4163$</id>
     <description>The quarantine purge failed</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90553" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4165$</id>
      <description>Firewall enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90554" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4166$</id>
      <description>Firewall disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90555" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4167$</id>
      <description>IDS enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90556" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4168$</id>
      <description>IDS disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90557" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4169$</id>
     <description>Web Filtering enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90558" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4170$</id>
      <description>Web Filtering disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90559" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4171$</id>
      <description>Bad Web Site Blocking enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90560" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4172$</id>
      <description>Bad Web Site Blocking disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90561" level="3">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4173$</id>
      <description>HIPS enabled</description>
     <options>no_full_log</options>
   </rule>
 
-
  <rule id="90562" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4174$</id>
      <description>HIPS disabled</description>
     <options>no_full_log</options>
   </rule>
 
-
-
  <rule id="90563" level="4">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4175$</id>
      <description>Firewall Resume All Traffic</description>
     <options>no_full_log</options>
   </rule>
 
   <rule id="90564" level="5">
-    <if_sid>18101</if_sid>
+    <if_sid>60600</if_sid>
     <id>^4176$</id>
      <description>Firewall Stops All Traffic</description>
     <options>no_full_log</options>
   </rule>
 
-
-   <rule id="90565" level="4">
-    <if_sid>18101</if_sid>
+  <rule id="90565" level="4">
+    <if_sid>60600</if_sid>
     <id>^4177$</id>
      <description>Active protection blocked a process from accessing a file</description>
     <options>no_full_log</options>
   </rule>
 
-
 </group>
 

From 8d5a7421e082e4e2b6bba93db6ab682427f5f2f4 Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Tue, 27 Aug 2019 20:36:31 +0200
Subject: [PATCH 5/7] Update 0585-vipre_rules.xml

---
 rules/0585-vipre_rules.xml | 440 +++++++++++++++++++------------------
 1 file changed, 221 insertions(+), 219 deletions(-)

diff --git a/rules/0585-vipre_rules.xml b/rules/0585-vipre_rules.xml
index f4363b9bb..58b8e77ea 100644
--- a/rules/0585-vipre_rules.xml
+++ b/rules/0585-vipre_rules.xml
@@ -11,471 +11,473 @@
 <rule id="90499" level="3">
     <if_sid>60600</if_sid>
     <match>SBAMSvc</match>
-     <description>VIPRE Informational message</description>
+    <description>vipre Informational message</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90500" level="5">
+<rule id="90500" level="5">
     <if_sid>60600</if_sid>
-    <id>^4097$</id>
+    <field name="win.system.eventID">^4097$</field>
     <description>System shutdown complete</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
   
-  <rule id="90501" level="7">
+  
+<rule id="90501" level="7">
     <if_sid>60600</if_sid>
-    <id>^4098$</id>
+    <field name="win.system.eventID">^4098$</field>
     <description>User initiated shutdown</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
   
-  <rule id="90502" level="3">
+<rule id="90502" level="3">
     <if_sid>60600</if_sid>
-    <id>^4099$</id>
+    <field name="win.system.eventID">^4099$</field>
     <description>Service started Application version</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
  
-  <rule id="90503" level="5">
+<rule id="90503" level="5">
     <if_sid>60600</if_sid>
-    <id>^4100$</id>
+    <field name="win.system.eventID">^4100$</field>
     <description>Service paused</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
  
-  <rule id="90504" level="3">
+<rule id="90504" level="3">
     <if_sid>60600</if_sid>
-    <id>^4101$</id>
+    <field name="win.system.eventID">^4101$</field>
     <description>Service resumed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90505" level="5">
+<rule id="90505" level="5">
     <if_sid>60600</if_sid>
-    <id>^4102$</id>
-     <description>The transfer of one or more ThreatNet files failed</description>
+    <field name="win.system.eventID">^4102$</field>
+    <description>The transfer of one or more ThreatNet files failed</description>
     <options>no_full_log</options>
-  </rule>   
+</rule>   
  
-  <rule id="90506" level="5">
+<rule id="90506" level="5">
     <if_sid>60600</if_sid>
-    <id>^4103$</id>
-     <description>Transfer occured</description>
+    <field name="win.system.eventID">^4103$</field>
+    <description>Transfer occured</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90507" level="6">
+<rule id="90507" level="6">
     <if_sid>60600</if_sid>
-    <id>^4104$</id>
-     <description>The start of the ThreatNet controller failed</description>
+    <field name="win.system.eventID">^4104$</field>
+    <description>The start of the ThreatNet controller failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90508" level="3">
+<rule id="90508" level="3">
     <if_sid>60600</if_sid>
-    <id>^4105$</id>
+    <field name="win.system.eventID">^4105$</field>
     <description>Active Protection enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90509" level="7">
+<rule id="90509" level="7">
     <if_sid>60600</if_sid>
-    <id>^4106$</id>
+    <field name="win.system.eventID">^4106$</field>
     <description>Active Protection disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90510" level="5">
+<rule id="90510" level="5">
     <if_sid>60600</if_sid>
-    <id>^4108$</id>
+    <field name="win.system.eventID">^4108$</field>
     <description>Active protection could not be enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90511" level="5">
+<rule id="90511" level="5">
     <if_sid>60600</if_sid>
-    <id>^4109$</id>
+    <field name="win.system.eventID">^4109$</field>
     <description>Active Protection could not be disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90512" level="4">
+<rule id="90512" level="4">
     <if_sid>60600</if_sid>
-    <id>^4110$</id>
+    <field name="win.system.eventID">^4110$</field>
     <description>Active Protection requires a reboot to fully protect your computer</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90513" level="4">
+<rule id="90513" level="4">
     <if_sid>60600</if_sid>
-    <id>^4111$</id>
+    <field name="win.system.eventID">^4111$</field>
     <description>Active Protection could not be enabled because there are no threat definitions</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90514" level="3">
+<rule id="90514" level="3">
     <if_sid>60600</if_sid>
-    <id>^4112$</id>
+    <field name="win.system.eventID">^4112$</field>
     <description>Manual software update downloaded</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90515" level="3">
+<rule id="90515" level="3">
     <if_sid>60600</if_sid>
-    <id>^4113$</id>
+    <field name="win.system.eventID">^4113$</field>
     <description>Scheduled software update downloaded</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
  
-  <rule id="90516" level="4">
+<rule id="90516" level="4">
     <if_sid>60600</if_sid>
-    <id>^4114$</id>
-     <description>VIPRE was unable to complete the check for software updates</description>
+    <field name="win.system.eventID">^4114$</field>
+    <description>VIPRE was unable to complete the check for software updates</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90517" level="4">
+<rule id="90517" level="4">
     <if_sid>60600</if_sid>
-    <id>^4115$</id>
-     <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event</description>
+    <field name="win.system.eventID">^4115$</field>
+    <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
  
-  <rule id="90518" level="5">
+<rule id="90518" level="5">
     <if_sid>60600</if_sid>
-    <id>^4116$</id>
+    <field name="win.system.eventID">^4116$</field>
     <description>The start of the software update controller failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90519" level="3">
+<rule id="90519" level="3">
     <if_sid>60600</if_sid>
-    <id>^4121$</id>
+    <field name="win.system.eventID">^4121$</field>
     <description>Definitions update applied</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90520" level="4">
+<rule id="90520" level="4">
     <if_sid>60600</if_sid>
-    <id>^4122$</id>
+    <field name="win.system.eventID">^4122$</field>
     <description>Definitions update cancelled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90521" level="4">
+<rule id="90521" level="4">
     <if_sid>60600</if_sid>
-    <id>^4123$</id>
-     <description>VIPRE was unable to complete the check for threat definitions updates</description>
+    <field name="win.system.eventID">^4123$</field>
+    <description>VIPRE was unable to complete the check for threat definitions updates</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90522" level="4">
+<rule id="90522" level="4">
     <if_sid>60600</if_sid>
-    <id>^4124$</id>
-     <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
+    <field name="win.system.eventID">^4124$</field>
+    <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90523" level="6">
+<rule id="90523" level="6">
     <if_sid>60600</if_sid>
-    <id>^4125$</id>
+    <field name="win.system.eventID">^4125$</field>
     <description>Start of threat definitions controller failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90524" level="4">
+<rule id="90524" level="4">
     <if_sid>60600</if_sid>
-    <id>^4126$</id>
+    <field name="win.system.eventID">^4126$</field>
     <description>Cannot update threat definitions because your registration is expired</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90525" level="3">
+<rule id="90525" level="3">
     <if_sid>60600</if_sid>
-    <id>^4129$</id>
+    <field name="win.system.eventID">^4129$</field>
     <description>Completed scheduled deep scan</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90526" level="3">
+<rule id="90526" level="3">
     <if_sid>60600</if_sid>
-    <id>^4130$</id>
+    <field name="win.system.eventID">^4130$</field>
     <description>Completed manual deep scan</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90527" level="3">
+<rule id="90527" level="3">
     <if_sid>60600</if_sid>
-    <id>^4131$</id>
+    <field name="win.system.eventID">^4131$</field>
     <description>Completed scheduled quick scan</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90528" level="3">
+<rule id="90528" level="3">
     <if_sid>60600</if_sid>
-    <id>^4132$</id>
+    <field name="win.system.eventID">^4132$</field>
     <description>Completed manual quick scan</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90529" level="3">
+<rule id="90529" level="3">
     <if_sid>60600</if_sid>
-    <id>^4133$</id>
+    <field name="win.system.eventID">^4133$</field>
     <description>Completed scheduled custom scan</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90530" level="3">
+<rule id="90530" level="3">
     <if_sid>60600</if_sid>
-    <id>^4134$</id>
+    <field name="win.system.eventID">^4134$</field>
     <description>Completed manual custom scan</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90531" level="4">
+<rule id="90531" level="4">
     <if_sid>60600</if_sid>
-    <id>^4135$</id>
+    <field name="win.system.eventID">^4135$</field>
     <description>Scan cancelled</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90532" level="4">
+<rule id="90532" level="4">
     <if_sid>60600</if_sid>
-    <id>^4136$</id>
+    <field name="win.system.eventID">^4136$</field>
     <description>Reboot required</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90533" level="4">
+<rule id="90533" level="4">
     <if_sid>60600</if_sid>
-    <id>^4137$</id>
+    <field name="win.system.eventID">^4137$</field>
     <description>A scan of your computer failed because there are no threat definitions</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90534" level="5">
+<rule id="90534" level="5">
     <if_sid>60600</if_sid>
-    <id>^4138$</id>
+    <field name="win.system.eventID">^4138$</field>
     <description>Start of the scan controller failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90535" level="4">
+<rule id="90535" level="4">
     <if_sid>60600</if_sid>
-    <id>^4139$</id>
+    <field name="win.system.eventID">^4139$</field>
     <description>An item has been quarantined</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90536" level="4">
+<rule id="90536" level="4">
     <if_sid>60600</if_sid>
-    <id>^4140$</id>
+    <field name="win.system.eventID">^4140$</field>
     <description>An item has been restored from quarantine</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90537" level="6">
+<rule id="90537" level="6">
     <if_sid>60600</if_sid>
-    <id>^4141$</id>
+    <field name="win.system.eventID">^4141$</field>
     <description>An item has been deleted from quarantine</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90538" level="4">
+<rule id="90538" level="4">
     <if_sid>60600</if_sid>
-    <id>^4142$</id>
+    <field name="win.system.eventID">^4142$</field>
     <description>The quarantne has been purged</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90539" level="5">
+<rule id="90539" level="5">
     <if_sid>60600</if_sid>
-    <id>^4143$</id>
+    <field name="win.system.eventID">^4143$</field>
     <description>The quarantne controller could not be started</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90540" level="3">
+<rule id="90540" level="3">
     <if_sid>60600</if_sid>
-    <id>^4145$</id>
+    <field name="win.system.eventID">^4145$</field>
     <description>Email AV enabled</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90541" level="4">
+<rule id="90541" level="4">
     <if_sid>60600</if_sid>
-    <id>^4146$</id>
+    <field name="win.system.eventID">^4146$</field>
     <description>Email AV disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90542" level="4">
+<rule id="90542" level="4">
     <if_sid>60600</if_sid>
-    <id>^4147$</id>
+    <field name="win.system.eventID">^4147$</field>
     <description>Email protection is enabled but the drivers are not loaded</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90543" level="5">
+<rule id="90543" level="5">
     <if_sid>60600</if_sid>
-    <id>^4148$</id>
+    <field name="win.system.eventID">^4148$</field>
     <description>The scan of an email item failed</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90544" level="5">
+<rule id="90544" level="5">
     <if_sid>60600</if_sid>
-    <id>^4149$</id>
+    <field name="win.system.eventID">^4149$</field>
     <description>The Scan of an email item failed because there are no threat definitions</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90545" level="3">
+<rule id="90545" level="3">
     <if_sid>60600</if_sid>
-    <id>^4250$</id>
+    <field name="win.system.eventID">^4250$</field>
     <description>Registration state changed</description>
     <options>no_full_log</options>
- </rule>
+</rule>
 
- <rule id="90546" level="5">
+<rule id="90546" level="5">
     <if_sid>60600</if_sid>
-    <id>^4151$</id>
+    <field name="win.system.eventID">^4151$</field>
     <description>The registration controller could not be started</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90547" level="5">
+<rule id="90547" level="5">
     <if_sid>60600</if_sid>
-    <id>^4153$</id>
+    <field name="win.system.eventID">^4153$</field>
     <description>The scan control could not complete its scan</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90548" level="3">
+<rule id="90548" level="3">
     <if_sid>60600</if_sid>
-    <id>^4159$</id>
+    <field name="win.system.eventID">^4159$</field>
     <description>A scheduled scan was missed because the machine was powered off</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90549" level="4">
+<rule id="90549" level="4">
     <if_sid>60600</if_sid>
-    <id>^4160$</id>
+    <field name="win.system.eventID">^4160$</field>
     <description>Quarantine of an item failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90550" level="5">
+<rule id="90550" level="5">
     <if_sid>60600</if_sid>
-    <id>^4161$</id>
+    <field name="win.system.eventID">^4161$</field>
     <description>Restore of an item from quarantine failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90551" level="4">
+<rule id="90551" level="4">
     <if_sid>60600</if_sid>
-    <id>^4162$</id>
+    <field name="win.system.eventID">^4162$</field>
     <description>Delete of an from quarantine failed</description>
     <options>no_full_log</options>
- </rule>
+</rule>
+
 
-  <rule id="90552" level="4">
+<rule id="90552" level="4">
     <if_sid>60600</if_sid>
-    <id>^4163$</id>
+    <field name="win.system.eventID">^4163$</field>
     <description>The quarantine purge failed</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90553" level="3">
+<rule id="90553" level="3">
     <if_sid>60600</if_sid>
-    <id>^4165$</id>
-     <description>Firewall enabled</description>
+    <field name="win.system.eventID">^4165$</field>
+    <description>Firewall enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90554" level="5">
+<rule id="90554" level="5">
     <if_sid>60600</if_sid>
-    <id>^4166$</id>
-     <description>Firewall disabled</description>
+    <field name="win.system.eventID">^4166$</field>
+    <description>Firewall disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90555" level="3">
+<rule id="90555" level="3">
     <if_sid>60600</if_sid>
-    <id>^4167$</id>
-     <description>IDS enabled</description>
+    <field name="win.system.eventID">^4167$</field>
+    <description>IDS enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90556" level="5">
+<rule id="90556" level="5">
     <if_sid>60600</if_sid>
-    <id>^4168$</id>
-     <description>IDS disabled</description>
+    <field name="win.system.eventID">^4168$</field>
+    <description>IDS disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90557" level="3">
+<rule id="90557" level="3">
     <if_sid>60600</if_sid>
-    <id>^4169$</id>
+    <field name="win.system.eventID">^4169$</field>
     <description>Web Filtering enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90558" level="5">
+<rule id="90558" level="5">
     <if_sid>60600</if_sid>
-    <id>^4170$</id>
-     <description>Web Filtering disabled</description>
+    <field name="win.system.eventID">^4170$</field>
+    <description>Web Filtering disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90559" level="3">
+<rule id="90559" level="3">
     <if_sid>60600</if_sid>
-    <id>^4171$</id>
-     <description>Bad Web Site Blocking enabled</description>
+    <field name="win.system.eventID">^4171$</field>
+    <description>Bad Web Site Blocking enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90560" level="5">
+<rule id="90560" level="5">
     <if_sid>60600</if_sid>
-    <id>^4172$</id>
-     <description>Bad Web Site Blocking disabled</description>
+    <field name="win.system.eventID">^4172$</field>
+    <description>Bad Web Site Blocking disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90561" level="3">
+<rule id="90561" level="3">
     <if_sid>60600</if_sid>
-    <id>^4173$</id>
-     <description>HIPS enabled</description>
+    <field name="win.system.eventID">^4173$</field>
+    <description>HIPS enabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90562" level="5">
+<rule id="90562" level="5">
     <if_sid>60600</if_sid>
-    <id>^4174$</id>
-     <description>HIPS disabled</description>
+    <field name="win.system.eventID">^4174$</field>
+    <description>HIPS disabled</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
- <rule id="90563" level="4">
+<rule id="90563" level="4">
     <if_sid>60600</if_sid>
-    <id>^4175$</id>
-     <description>Firewall Resume All Traffic</description>
+    <field name="win.system.eventID">^4175$</field>
+    <description>Firewall Resume All Traffic</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90564" level="5">
+<rule id="90564" level="5">
     <if_sid>60600</if_sid>
-    <id>^4176$</id>
-     <description>Firewall Stops All Traffic</description>
+    <field name="win.system.eventID">^4176$</field>
+    <description>Firewall Stops All Traffic</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
-  <rule id="90565" level="4">
+<rule id="90565" level="4">
     <if_sid>60600</if_sid>
-    <id>^4177$</id>
-     <description>Active protection blocked a process from accessing a file</description>
+    <field name="win.system.eventID">^4177$</field>
+    <description>Active protection blocked a process from accessing a file</description>
     <options>no_full_log</options>
-  </rule>
+</rule>
 
 </group>
 

From 2eb3609c66a877e1364bafc4e2a72297eb149425 Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Tue, 27 Aug 2019 20:37:25 +0200
Subject: [PATCH 6/7] Update 0585-vipre_rules.xml

---
 rules/0585-vipre_rules.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/0585-vipre_rules.xml b/rules/0585-vipre_rules.xml
index 58b8e77ea..25175b843 100644
--- a/rules/0585-vipre_rules.xml
+++ b/rules/0585-vipre_rules.xml
@@ -11,7 +11,7 @@
 <rule id="90499" level="3">
     <if_sid>60600</if_sid>
     <match>SBAMSvc</match>
-    <description>vipre Informational message</description>
+    <description>Vipre informational message</description>
     <options>no_full_log</options>
 </rule>
 

From 98fc79e81d79bcc23ad8045deea86e5f4efd219e Mon Sep 17 00:00:00 2001
From: Elwali karkoub <walikarkoub@gmail.com>
Date: Tue, 27 Aug 2019 20:44:22 +0200
Subject: [PATCH 7/7] Update 0585-vipre_rules.xml

---
 rules/0585-vipre_rules.xml | 40 +++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/rules/0585-vipre_rules.xml b/rules/0585-vipre_rules.xml
index 25175b843..e74940418 100644
--- a/rules/0585-vipre_rules.xml
+++ b/rules/0585-vipre_rules.xml
@@ -33,7 +33,7 @@
 <rule id="90502" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4099$</field>
-    <description>Service started Application version</description>
+    <description>Service started application version</description>
     <options>no_full_log</options>
 </rule>
  
@@ -54,7 +54,7 @@
 <rule id="90505" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4102$</field>
-    <description>The transfer of one or more ThreatNet files failed</description>
+    <description>The transfer of one or more threatNet files failed</description>
     <options>no_full_log</options>
 </rule>   
  
@@ -75,14 +75,14 @@
 <rule id="90508" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4105$</field>
-    <description>Active Protection enabled</description>
+    <description>Active protection enabled</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90509" level="7">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4106$</field>
-    <description>Active Protection disabled</description>
+    <description>Active protection disabled</description>
     <options>no_full_log</options>
 </rule>
 
@@ -96,21 +96,21 @@
 <rule id="90511" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4109$</field>
-    <description>Active Protection could not be disabled</description>
+    <description>Active protection could not be disabled</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90512" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4110$</field>
-    <description>Active Protection requires a reboot to fully protect your computer</description>
+    <description>Active protection requires a reboot to fully protect your computer</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90513" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4111$</field>
-    <description>Active Protection could not be enabled because there are no threat definitions</description>
+    <description>Active protection could not be enabled because there are no threat definitions</description>
     <options>no_full_log</options>
 </rule>
 
@@ -131,14 +131,14 @@
 <rule id="90516" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4114$</field>
-    <description>VIPRE was unable to complete the check for software updates</description>
+    <description>Vipre was unable to complete the check for software updates</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90517" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4115$</field>
-    <description>VIPRE was unable to complete the check for software updates. It will retry on the next update event</description>
+    <description>Vipre was unable to complete the check for software updates. It will retry on the next update event</description>
     <options>no_full_log</options>
 </rule>
  
@@ -166,14 +166,14 @@
 <rule id="90521" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4123$</field>
-    <description>VIPRE was unable to complete the check for threat definitions updates</description>
+    <description>Vipre was unable to complete the check for threat definitions updates</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90522" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4124$</field>
-    <description>VIPRE was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
+    <description>Vipre was unable to complete the check for threat definitions updates. It will retry on the next update event</description>
     <options>no_full_log</options>
 </rule>
 
@@ -285,14 +285,14 @@
 <rule id="90538" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4142$</field>
-    <description>The quarantne has been purged</description>
+    <description>The quarantine has been purged</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90539" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4143$</field>
-    <description>The quarantne controller could not be started</description>
+    <description>The quarantine controller could not be started</description>
     <options>no_full_log</options>
 </rule>
 
@@ -327,7 +327,7 @@
 <rule id="90544" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4149$</field>
-    <description>The Scan of an email item failed because there are no threat definitions</description>
+    <description>The scan of an email item failed because there are no threat definitions</description>
     <options>no_full_log</options>
 </rule>
 
@@ -419,28 +419,28 @@
 <rule id="90557" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4169$</field>
-    <description>Web Filtering enabled</description>
+    <description>Web filtering enabled</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90558" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4170$</field>
-    <description>Web Filtering disabled</description>
+    <description>Web filtering disabled</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90559" level="3">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4171$</field>
-    <description>Bad Web Site Blocking enabled</description>
+    <description>Bad web site blocking enabled</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90560" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4172$</field>
-    <description>Bad Web Site Blocking disabled</description>
+    <description>Bad web site blocking disabled</description>
     <options>no_full_log</options>
 </rule>
 
@@ -461,14 +461,14 @@
 <rule id="90563" level="4">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4175$</field>
-    <description>Firewall Resume All Traffic</description>
+    <description>Firewall resume all traffic</description>
     <options>no_full_log</options>
 </rule>
 
 <rule id="90564" level="5">
     <if_sid>60600</if_sid>
     <field name="win.system.eventID">^4176$</field>
-    <description>Firewall Stops All Traffic</description>
+    <description>Firewall stops all traffic</description>
     <options>no_full_log</options>
 </rule>