
New Member

CSA Registry Monitoring Rule

I created a rule that logs whenever changes are made to any registry key.

After a day, I'm looking at what was triggered and for the most part it's doing exactly what I wanted it to do. But I'm thinking I want to get more specific with this rule to cut out legit changes.

What I'm thinking is a rule that triggers when any registry change is made only by regedit, reg, and regedt32. But if I had some kind of trojan or worm accessing the registry, they don't necessarily use these files. So what else can I do?

New Member

Re: CSA Registry Monitoring Rule

Create an Application Class and identify the executables for Regedit.

Then on your rule for monitoring the registry have it monitor (or whatever) and then in the section "But not in any of the following selected classes: " define your newly created Application Class.

What will happen is all registry changes will be monitored EXCEPT those made by regedit.

You can do the opposite of this by having your rule monitor regedit, and in the "But not in any of the following selected classes: " define .

New Member

Re: CSA Registry Monitoring Rule

Great, thanks. Now that you wrote it out, it's really quite simple. It just doesn't always occur to me right away.

I'm trying to watch regedit, so I'm doing the opposite of your first example. Did you mean to say that I should set But Not to ?

New Member

Re: CSA Registry Monitoring Rule

Yeah, that's what I meant.

Set it to .

New Member

Re: CSA Registry Monitoring Rule

Along those lines, here's my dilemma:

The user base we're working with is such that we want to block any complicated-sounding queries. As such, queries involving writing registry keys will probably be denied. However, if we set the rule to just deny the writing of keys, this will block several legit writes from IE and other applications. I will again attempt to see if this causes problems, but I believe it would.

I guess my question is how did the rest of the CSA admins protect the registry? Obviously allowing write access outright is not an option, but is there any way to selectively allow access to legit apps while blocking shady access?

I speak in non-tech terms, of course.
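The two rule shapes described in the replies above (monitor every registry write except those from a regedit application class, or monitor only the class) and the selective-allow question in the last post can both be modelled with the same small evaluator. The following is an added example written for this thread; it is not Cisco Security Agent code and does not reproduce how CSA matches processes internally. The event layout, process paths, the glob-style class patterns, the "autorun" key patterns and the msiexec allow-list are all assumptions constructed for the demonstration.

```python
"""Toy model of registry-write rules with application-class exclusions.

Added example for the thread above, not CSA's own implementation.
Process paths, key patterns and sample events are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegistryEvent:
    process: str  # full path of the writing process, as a host agent would report it
    key: str      # registry key being written
    value: str    # value name being set


# An "application class" is modelled as a tuple of executable path globs.
REGEDIT_CLASS = (r"*\regedit.exe", r"*\reg.exe", r"*\regedt32.exe")
# Assumed allow-list for autorun keys; keep such lists narrow and by full path.
TRUSTED_INSTALLERS = (r"c:\windows\system32\msiexec.exe",)
# Keys a trojan typically touches for persistence (Run, RunOnce, ... under HKLM/HKCU).
AUTORUN_KEYS = (r"*\microsoft\windows\currentversion\run*",)


def in_class(process: str, app_class: Tuple[str, ...]) -> bool:
    """Case-insensitive glob match of a process path against a class."""
    p = process.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in app_class)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "log" or "deny"
    keys: Tuple[str, ...] = ("*",)                 # key patterns the rule covers
    applies_to: Optional[Tuple[str, ...]] = None   # None = every application
    but_not: Tuple[str, ...] = ()                  # "But not in any of the following selected classes"

    def matches(self, ev: RegistryEvent) -> bool:
        k = ev.key.lower()
        if not any(fnmatchcase(k, pat.lower()) for pat in self.keys):
            return False
        if self.applies_to is not None and not in_class(ev.process, self.applies_to):
            return False
        if in_class(ev.process, self.but_not):
            return False
        return True


def evaluate(rules: List[Rule], ev: RegistryEvent) -> Tuple[str, List[str]]:
    """Return (verdict, names of matching rules). Any matching deny outranks log."""
    hits = [r for r in rules if r.matches(ev)]
    if any(r.action == "deny" for r in hits):
        verdict = "deny"
    elif hits:
        verdict = "log"
    else:
        verdict = "allow"
    return verdict, [r.name for r in hits]


RULES = [
    # First reply: monitor everything except the regedit class.
    Rule("log-all-but-regedit", "log", but_not=REGEDIT_CLASS),
    # The "opposite": monitor only the regedit class.
    Rule("log-regedit-only", "log", applies_to=REGEDIT_CLASS),
    # Last post: deny writes to sensitive keys, but not from an allow-listed class.
    Rule("deny-autorun-writes", "deny", keys=AUTORUN_KEYS, but_not=TRUSTED_INSTALLERS),
]

# Constructed sample events, not captured from a real host.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\Windows\regedit.exe",
                  r"HKCU\Software\Contoso\Settings", "Theme"),
    RegistryEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                  r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"),
    RegistryEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "updater"),
    RegistryEvent(r"C:\Windows\System32\msiexec.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Acrobat"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, names = evaluate(RULES, ev)
        print(f"{verdict:5} {ev.process} -> {ev.key}\\{ev.value}  via {names}")
```

Two points the model makes visible: a write from the temp-directory executable to the Run key is denied even though it never goes through regedit, which is the gap the original poster worried about, while the same key written by the allow-listed installer is only logged. Matching on process path is only as strong as the path itself, so a class should name full paths rather than bare file names, and anything that can be written to by ordinary users should never be in an allow-list, because a trojan can simply take that name.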