CSA Registry Monitoring Rule

I created a rule that logs whenever changes are made to any registry key.

After a day, I'm looking at what was triggered and for the most part it's doing exactly what I wanted it to do. But I'm thinking I want to get more specific with this rule to cut out legit changes.

What I'm thinking is a rule that triggers when any registry change is made only by regedit, reg, and regedt32. But if I had some kind of trojan or worm accessing the registry, they don't necessarily use these files. So what else can I do?


Create an Application Class and identify the executables for Regedit.

Then on your rule for monitoring the registry have it monitor (or whatever) and then in the section "But not in any of the following selected classes: " define your newly created Application Class.

What will happen is all registry changes will be monitored EXCEPT those made by regedit.

You can do the opposite of this by having your rule monitor regedit, and in the "But not in any of the following selected classes: " define .
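The two rule shapes described in this reply (monitor everything except an application class, or monitor only that class) come down to a filter on the process that made each registry change. The following is an added example, not CSA's code or the poster's configuration: it models that filter in Python over a constructed sample of registry-change events, and also tallies a day's events per executable so that legitimate writers can be identified for an exclusion class. The executable names in the class and every sample event are assumptions made for this illustration.

```python
"""Model CSA-style registry rules as a filter on the writing process.

Added example, not CSA's implementation. Events and class members below are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class RegistryEvent:
    process: str   # full path of the executable that touched the registry
    key: str       # registry key written
    action: str    # e.g. "set_value", "create_key", "delete_value"


# The "Application Class" from the reply: registry-editor executables.
# These basenames are an assumption; list whatever executables you actually use.
REGEDIT_CLASS = frozenset({"regedit.exe", "reg.exe", "regedt32.exe"})


def in_app_class(process_path: str, app_class: frozenset) -> bool:
    """Match on the executable's basename, case-insensitively.

    Windows paths are case-insensitive and the same tool may live under
    several directories (System32, SysWOW64), so matching the full path
    literally would miss legitimate copies.
    """
    return ntpath.basename(process_path).lower() in app_class


def monitor_all_except(events, app_class):
    """Rule shape 1: every registry change EXCEPT those made by the class."""
    return [e for e in events if not in_app_class(e.process, app_class)]


def monitor_only_class(events, app_class):
    """Rule shape 2: ONLY the registry changes made by the class."""
    return [e for e in events if in_app_class(e.process, app_class)]


def changes_by_process(events):
    """Tally a day's events per executable.

    Frequent legitimate writers (browser, updaters, ...) show up at the top
    and are candidates for an exclusion class; rare, unexpected executables
    writing to sensitive keys are what the rule should keep surfacing.
    """
    return Counter(ntpath.basename(e.process).lower() for e in events)


# Constructed sample log: not real data.
SAMPLE_EVENTS = [
    RegistryEvent(r"C:\WINDOWS\regedit.exe",
                  r"HKLM\Software\Example", "set_value"),
    RegistryEvent(r"c:\windows\system32\reg.exe",
                  r"HKCU\Software\Example", "create_key"),
    RegistryEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                  r"HKCU\Software\Microsoft\Internet Explorer\Main", "set_value"),
    RegistryEvent(r"C:\Program Files\Internet Explorer\iexplore.exe",
                  r"HKCU\Software\Microsoft\Internet Explorer\Main", "set_value"),
    RegistryEvent(r"C:\Users\Public\update.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "set_value"),
]


if __name__ == "__main__":
    for e in monitor_all_except(SAMPLE_EVENTS, REGEDIT_CLASS):
        print("change not made by regedit class:", e.process, "->", e.key)
    print("writers seen today:", changes_by_process(SAMPLE_EVENTS))
```

Running the block prints the three events not made by the regedit class and the per-executable tally; `changes_by_process` is the step that answers the original question of how to cut out legitimate changes, since it shows which applications to put into an exclusion class before tightening the rule to a deny.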

Great, thanks. Now that you wrote it out, it's really quite simple. Just doesn't always occur to me right away.

I'm trying to watch regedit, so I'm doing the opposite of your first example. Did you mean to say that I should set But Not to ?

Yea that's what I meant.

Set it to .

Along those lines, here's my dilemma:

The user base we're working with is such that we want to block any complicated sounding queries. As such, queries involving writing registry keys will probably be denied. However, if we set the rule to just deny the writing of keys, this will block several legit writes from IE and other applications. I will again attempt to see if this causes problems, but I believe it would.

I guess my question is how did the rest of the CSA admins protect the registry? Obviously allowing write access outright is not an option, but is there any way to selectively allow access to legit apps while blocking shady access?

I speak in non-tech terms of course
