cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
405
Views
0
Helpful
4
Replies

CSA Registry Monitoring Rule

RichardSW
Level 1
Level 1

I created a rule that logs whenever changes are made to any registry key.

After a day, I'm looking at what was triggered and for the most part its doing exactly what I wanted it do. But I'm thinking I want to get more specific with this rule to cut out legit changes.

What I'm thinking is a rule that triggers when any registry change is made only by regedit, reg, and regedt32. But if I had some kind of trojan or worm accessing the registry, they don't necessarily use these files. So what else can I do?

4 Replies 4

netjim_66
Level 1
Level 1

Create an Application Class and identify the executables for Regedit.

Then on your rule for monitoring the registry have it monitor (or whatever) and then in the section "But not in any of the following selected classes: " define your newly created Application Class.

What will happen is all registry changes will be monitored EXCEPT those made by regedit.

You can do the opposite of this by having your rule monitor regedit, and in the "But not in any of the following selected classes: " define .

Great, thanks. Now that you wrote it out, its really quite simple. Just doesn't always occur to me right away.

I'm trying to watch regedit, so I'm doing the opposite of your first example. Did you mean to say that I should set But Not to ?

Yea that's what I meant.

Set it to .

Along those lines, here's my dillema:

The user base we're working with is such that we want to block any complicated sounding queries. As such, queries involving writing registry keys will probably be denied. However, if we set the rule to just deny the writing of keys, this will block several legit writes from IE and other applications. I will again attempt to see if this causes problems, but I believe it would.

I guess my question is how did the rest of the CSA admins protect the registry? Obviously allowing write access outright is not an option, but is there any way to selectivley allow access to legit apps while blocking shady access?

I speak in non-tech terms of course

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: