itman Posted February 22, 2021
Eset in its online HIPS documentation states it can monitor registry key additions. Problem is I have tried repeatedly to create a rule to do so and it doesn't work. For example, a HIPS rule monitoring all registry changes for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\* doesn't stop a new registry key from being created there.
Administrators Marcos Posted February 23, 2021
Creation of a registry key does not pose any risk. Monitoring and preventing it would cause performance overhead which is not the cost users would like to pay for no additional protection.
itman (Author) Posted February 23, 2021
2 hours ago, Marcos said: Creation of a registry key does not pose any risk.
You're kidding here I hope. Here's a nasty one - Snatch ransomware:
Quote: The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, "This service make backup copy every day," might help camouflage this entry in the Services list, but there's no time to look. This registry key is set immediately before the machine starts rebooting itself. The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it's running. The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot. HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
Edited February 23, 2021 by itman
Administrators Marcos Posted February 23, 2021
It's not a problem, you can block writing there by creating a block rule for HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*
itman (Author) Posted February 23, 2021
20 minutes ago, Marcos said: It's not a problem, you can block writing there by creating a block rule for HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*
I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.
Administrators Marcos Posted February 23, 2021
1 minute ago, itman said: I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.
No, quite the contrary. I created a custom HIPS rule in the registry path that you referred to by the linked article.
itman (Author) Posted February 23, 2021
2 minutes ago, Marcos said: No, quite the contrary. I created a custom HIPS rule in the registry path that you were referring to by the linked article.
Then why doesn't write activity detection in this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\*, work?
Edited February 23, 2021 by itman
Administrators Marcos Posted February 23, 2021
I was unable to create / import values to that key:
itman (Author) Posted February 23, 2021
35 minutes ago, Marcos said: I was unable to create / import values to that key:
Correct, and I do apologize. It works, for example, using import; i.e. regedit.exe, via opening a .reg file. Where I screwed up, and I can see others doing the same, is I added a key named "Test" via regedit interactively, and Eset HIPS allowed it. Of course, if you try to rename the key, Eset will detect that. Since I allowed the rename, any other subsequent activity that uses regedit, such as opening a .reg file against that key, will be allowed for the current session.
Edited February 23, 2021 by itman
itman (Author) Posted February 23, 2021
@Marcos what I would like to see added to HIPS rule options is an add/write registry option. As it now stands, the only way this activity can be monitored is to select "All registry operations." There are instances where I want to just monitor registry add/write activity.
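Added example, not part of the thread and not ESET's code: a point-in-time snapshot-and-compare check for new subkeys under the two paths discussed above (SafeBoot\Minimal and the ROOT certificate store), which is one way to catch a key addition after the fact when a HIPS rule does not cover it. The baseline file location is an assumption; the script only reads the registry and never blocks anything.

```powershell
# Added example (not ESET's code): report subkeys added since a saved baseline.
# Watched paths are the two discussed in the thread; the baseline path is assumed.
$WatchedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
)
$BaselinePath = Join-Path $env:ProgramData 'RegKeyBaseline.json'   # assumed location

# Return a hashtable: watched path -> array of immediate subkey names.
function Get-SubKeySnapshot {
    param([string[]]$Paths)
    $snap = @{}
    foreach ($p in $Paths) {
        if (Test-Path $p) {
            $snap[$p] = @(Get-ChildItem -Path $p -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.PSChildName })
        } else {
            $snap[$p] = @()
        }
    }
    return $snap
}

# Return one object per subkey present now but absent from the baseline.
function Compare-Snapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $added = @()
    foreach ($p in $Current.Keys) {
        $old = if ($Baseline.ContainsKey($p)) { $Baseline[$p] } else { @() }
        foreach ($name in $Current[$p]) {
            if ($old -notcontains $name) {
                $added += [pscustomobject]@{ Path = $p; NewKey = $name }
            }
        }
    }
    return $added
}

$current = Get-SubKeySnapshot -Paths $WatchedKeys
if (-not (Test-Path $BaselinePath)) {
    # First run: persist the current state as the baseline and stop.
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
    return
}
$baselineObj = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($prop in $baselineObj.PSObject.Properties) { $baseline[$prop.Name] = @($prop.Value) }
$added = Compare-Snapshot -Baseline $baseline -Current $current
if ($added.Count -eq 0) { Write-Output 'No new subkeys since baseline.' }
else { $added | Format-Table -AutoSize }
```

Run it once to write the baseline, then on a schedule; a new entry under SafeBoot\Minimal such as the SuperBackupMan key quoted earlier would show up in the output on the next run.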