Channel: Symantec Connect - Critical System Protection - Discussions
Creation/deletion/modification of Registry keys as Writable Resource Lists

Hi there.
 
Playing around with prevention policies in SCSP v.5.2.9 I've found very weird behavior with registry keys. What I want to see is any creation, deletion or modification in registry keys/subkeys, however I cannot find a common pattern.
 
Adding the following entry in == Global Policy Options --> Registry Rules --> Writable Resource Lists --> Allow but log modifications to these Registry Keys== works as I expect: I see the events for creation, deletion and modification of keys/subkeys.
 
HKEY_LOCAL_MACHINE\System\*ControlSet*\Services\LanManServer\Parameters*
 
But doing exactly the same with a different registry key doesn't behave in the same way. Then I started playing with the "*" and "\" characters, and the results are definitely unexpected.
 
If I use any of the following entries, the creation and deletion of keys/subkeys are reported, but no modification.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR*
HKEY_LOCAL_MACHINE\SYSTEM\*CurrentControlSet*\services\USBSTOR*
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR\*
 
Any other "combination" would result in reporting just the creation or just the deletion of the key/subkey; in the worst case, nothing gets reported.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR\  --> [key creation reported]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR\* --> [key deletion reported]
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR  --> [nothing reported]
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR*  --> [nothing reported]
 
Does anyone see any "predictable" pattern here? Am I missing something?
 
Cheers.
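A small harness for reproducing the three event types described above in a controlled way, so that each rule variant can be checked against the SCSP console rather than by ad-hoc editing. This is an added example, not code from the original post or from Symantec; the parent key, subkey name and value name are placeholders chosen for the test, and the prevention policy must contain a rule covering whatever path is chosen here.

```powershell
# Added example (not from the original post): perform a key creation, two value
# modifications, a nested subkey creation and a deletion under a test path, printing a
# timestamp for each step so it can be matched against the event time shown in the
# SCSP console. Run on the agent host in an elevated PowerShell session.
param(
    [string]$ParentKey = 'HKLM:\SOFTWARE\ScspRuleTest',   # placeholder parent key (assumption)
    [string]$SubKey    = 'ProbeKey'                       # placeholder subkey name (assumption)
)

function Write-Step {
    param([string]$Action)
    # Millisecond timestamp plus description of the registry operation just performed
    '{0:yyyy-MM-dd HH:mm:ss.fff}  {1}' -f (Get-Date), $Action
}

$full   = Join-Path $ParentKey $SubKey
$nested = Join-Path $full 'Nested'

# The parent key is created once; this is itself a key-creation event for rules that cover it
if (-not (Test-Path $ParentKey)) {
    Write-Step "CREATE parent key $ParentKey"
    New-Item -Path $ParentKey -Force | Out-Null
    Start-Sleep -Seconds 2
}

# 1. Key creation
Write-Step "CREATE key $full"
New-Item -Path $full -Force | Out-Null
Start-Sleep -Seconds 2

# 2. Key modification: add a value, then change its data
Write-Step "MODIFY $full (new value Probe=1)"
New-ItemProperty -Path $full -Name 'Probe' -PropertyType DWord -Value 1 -Force | Out-Null
Start-Sleep -Seconds 2
Write-Step "MODIFY $full (set value Probe=2)"
Set-ItemProperty -Path $full -Name 'Probe' -Value 2
Start-Sleep -Seconds 2

# 3. Subkey creation one level deeper, to see whether the pattern reaches below the key
Write-Step "CREATE subkey $nested"
New-Item -Path $nested -Force | Out-Null
Start-Sleep -Seconds 2

# 4. Key deletion (removes the nested subkey and the value as well)
Write-Step "DELETE key $full"
Remove-Item -Path $full -Recurse -Force
```

Repeating the run once per rule variant, and recording which of the five timestamped steps produced a console event, gives a table of pattern versus reported operation that is easier to reason about than a single manual edit.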