06-16-2006 07:13 AM - edited 03-09-2019 03:16 PM
I created a rule that logs whenever changes are made to any registry key.
After a day, I'm looking at what was triggered and for the most part it's doing exactly what I wanted it to do. But I'm thinking I want to get more specific with this rule to cut out legit changes.
What I'm thinking is a rule that triggers when any registry change is made only by regedit, reg, and regedt32. But if I had some kind of trojan or worm accessing the registry, they don't necessarily use these files. So what else can I do?
07-14-2006 08:33 AM
Create an Application Class and identify the executables for Regedit.
Then on your rule for monitoring the registry have it monitor
What will happen is all registry changes will be monitored EXCEPT those made by regedit.
You can do the opposite of this by having your rule monitor regedit, and in the "But not in any of the following selected classes:" define
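The application-class scoping described in this reply, written out as an added example (this is not CSA's own configuration or code): a rule either applies to all applications except the Regedit class, or only to the Regedit class. The executable paths and the sample events are constructed; note that the class matches on full path, so a copy of regedit.exe in a user's Temp folder does not fall into it.

```python
# Added example: models the two ways of scoping a registry-monitoring rule
# with an application class. Constructed data, not CSA's own format.
from dataclasses import dataclass, field

# Application class "Regedit tools": the executables the admin identifies.
# Full paths (hypothetical) are kept so that a same-named binary dropped
# elsewhere does not match the class.
REGEDIT_TOOLS = {
    r"c:\windows\regedit.exe",
    r"c:\windows\system32\reg.exe",
    r"c:\windows\system32\regedt32.exe",
}

@dataclass
class RegistryEvent:
    process: str  # full path of the process image that changed the key
    key: str      # registry key that was changed

@dataclass
class RegistryRule:
    """Monitor registry changes made by `applies_to`, except by `but_not`.
    An empty applies_to means 'all applications'."""
    applies_to: set = field(default_factory=set)
    but_not: set = field(default_factory=set)

    def matches(self, event: RegistryEvent) -> bool:
        image = event.process.lower()
        if self.applies_to and image not in self.applies_to:
            return False
        return image not in self.but_not

def triggered(rule: RegistryRule, events: list) -> list:
    """Return the keys whose changes the rule would log."""
    return [e.key for e in events if rule.matches(e)]

# Constructed sample events: an admin using regedit, a browser writing its
# own settings, and an unknown copy of regedit.exe writing a Run key.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Windows\regedit.exe", r"HKLM\SOFTWARE\Example\Setting"),
    RegistryEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                  r"HKCU\Software\Microsoft\Internet Explorer\Main"),
    RegistryEvent(r"C:\Users\bob\AppData\Local\Temp\regedit.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Variant 1: all applications EXCEPT the Regedit class.
ALL_BUT_REGEDIT = RegistryRule(but_not=REGEDIT_TOOLS)
# Variant 2: only the Regedit class (what the original poster wanted).
ONLY_REGEDIT = RegistryRule(applies_to=REGEDIT_TOOLS)
```

With the sample events, the first rule logs the browser write and the Temp-folder regedit copy, while the second rule logs only the change made by the real regedit.exe.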
07-14-2006 10:21 AM
Great, thanks. Now that you wrote it out, it's really quite simple. Just doesn't always occur to me right away.
I'm trying to watch regedit, so I'm doing the opposite of your first example. Did you mean to say that I should set But Not to
07-14-2006 10:45 AM
Yeah, that's what I meant.
Set it to
07-31-2006 09:53 AM
Along those lines, here's my dilemma:
The user base we're working with is such that we want to block any complicated sounding queries. As such, queries involving writing registry keys will probably be denied. However, if we set the rule to just deny the writing of keys, this will block several legit writes from IE and other applications. I will again attempt to see if this causes problems, but I believe it would.
I guess my question is how did the rest of the CSA admins protect the registry? Obviously allowing write access outright is not an option, but is there any way to selectively allow access to legit apps while blocking shady access?
I speak in non-tech terms of course