itman, Posted Monday at 10:06 PM
Eset in its online HIPS documentation states it can monitor registry key additions. Problem is I have tried repeatedly to create a rule to do so and it does work. For example, a HIPS rule monitoring all registry changes for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\* doesn't stop a new registry key from being created there.
Marcos (Administrator), Posted Tuesday at 11:36 AM
Creation of a registry key does not pose any risk. Monitoring and preventing it would cause performance overhead, which is not the cost users would like to pay for no additional protection.
itman, Posted Tuesday at 01:36 PM
2 hours ago, Marcos said:
Creation of a registry key does not pose any risk.

You're kidding here, I hope. Here's a nasty one - Snatch ransomware:

Quote:
The ransomware installs itself as a Windows service called SuperBackupMan. The service description text, “This service make backup copy every day,” might help camouflage this entry in the Services list, but there’s no time to look. This registry key is set immediately before the machine starts rebooting itself. The SuperBackupMan service has properties that prevent it from being stopped or paused by the user while it’s running. The malware then adds this key to the Windows registry so it will start up during a Safe Mode boot.
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

Edited Tuesday at 01:53 PM by itman
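A defender-side check for the Safe Mode persistence described in the quoted Sophos write-up, added here as an example and not part of the thread or of any ESET product: it snapshots HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal to a baseline file and, on later runs, reports subkeys that were not in the baseline, resolving each to its service ImagePath and Description so an entry like SuperBackupMan stands out. The baseline file location and the requirement to run elevated are assumptions.

```powershell
# Added example (not from the forum thread or ESET): baseline-and-diff audit of the
# SafeBoot\Minimal key abused for Safe Mode persistence. Assumes it runs elevated;
# the baseline path below is an arbitrary choice.
param(
    [string]$BaselinePath = "$env:ProgramData\safeboot-baseline.json",
    [switch]$WriteBaseline
)

$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SafeBootEntries {
    # Each subkey names a service, driver or driver group; its (Default) value is the type.
    Get-ChildItem -Path $SafeBootKey | ForEach-Object {
        $type = (Get-ItemProperty -Path $_.PSPath).'(default)'
        [pscustomobject]@{ Name = $_.PSChildName; Type = $type }
    }
}

$current = @(Get-SafeBootEntries)

if ($WriteBaseline -or -not (Test-Path $BaselinePath)) {
    # First run (or explicit refresh): record what is there now as the known-good set.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($b in $baseline) { $known[$b.Name] = $true }

$new = @($current | Where-Object { -not $known.ContainsKey($_.Name) })
if ($new.Count -eq 0) { Write-Host 'No new SafeBoot\Minimal entries.'; return }

foreach ($entry in $new) {
    # Resolve the entry to its service definition so the reviewer sees the binary behind it.
    $svcPath = Join-Path $ServicesKey $entry.Name
    if (Test-Path $svcPath) {
        $svc   = Get-ItemProperty -Path $svcPath
        $image = $svc.ImagePath
        $desc  = $svc.Description
    } else {
        $image = '<no matching service under Services>'
        $desc  = ''
    }
    Write-Warning ("New Safe Mode entry: {0} ({1}) -> {2} {3}" -f $entry.Name, $entry.Type, $image, $desc)
}
```

Run it once with -WriteBaseline on a clean machine, then schedule the plain run; an entry of type Service that appeared after the baseline and points at a binary outside System32 is the pattern the quoted article describes.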
Marcos (Administrator), Posted Tuesday at 02:16 PM
It's not a problem, you can block writing there by creating a block rule for HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*
itman, Posted Tuesday at 02:41 PM
20 minutes ago, Marcos said:
It's not a problem, you can block writing there by creating a block rule for HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\*

I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.
Marcos (Administrator), Posted Tuesday at 02:43 PM
1 minute ago, itman said:
I believe what you are stating is Eset HIPS has preset internal rules/whitelist/etc. that allow for monitoring write activity in select registry keys only. That is not acceptable. I should be able to monitor write activity in any registry area I desire.

No, quite the contrary. I created a custom HIPS rule in the registry path that you referred to by the linked article.
itman, Posted Tuesday at 02:45 PM
2 minutes ago, Marcos said:
No, quite the contrary. I created a custom HIPS rule in the registry path that you were referring to by the linked article.

Then why doesn't write activity detection in this registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\*, work?

Edited Tuesday at 02:46 PM by itman
Marcos (Administrator), Posted Tuesday at 02:54 PM
I was unable to create / import values to that key:
itman, Posted Tuesday at 03:29 PM
35 minutes ago, Marcos said:
I was unable to create / import values to that key:

Correct, and I do apologize. It works, for example, using import, i.e. regedit.exe opening a .reg file. Where I screwed up, and can see others doing the same, is I added a key named "Test" via regedit interactively; Eset HIPS allowed it. Of course, if you try to rename the key, Eset will detect that. Since I allowed the rename, any other subsequent activity that uses regedit, such as opening a .reg file against that key, will be allowed for the current session.

Edited Tuesday at 03:31 PM by itman
itman, Posted Tuesday at 07:58 PM
@Marcos what I would like to see added to HIPS rule options is an add/write registry option. As it now stands, the only way this activity can be monitored is to select "All registry operations." There are instances where I want to just monitor registry add/write activity.