Controlling access to the registry base
This protection type makes it possible to control specific applications’ access to keys and values in the registry base. Access to particularly sensitive keys can therefore be protected, as such keys are a prime target of malicious programs.
EXAMPLE
To prevent a malware program from disabling Windows security tools via the registry base, you can protect their registry keys so that they can only be modified by legitimate Windows applications.
Every registry path can be a full path or contain the wildcard characters "?" and "*".
Application identifiers must be created beforehand for the applications that are allowed to access the registry and for those that you want to block. For more information, refer to the section Creating application identifiers.
- Select the Security > Policies menu and click on your policy.
- Select a rule set.
- Click on the ACL resources > Registry tab.
- If you are in read-only mode, click on Edit in the upper banner.
- Click on in the area on the left to show the window in which registry key IDs are created.
- Enter the ID name.
- Enter the path to the key.
TIP
The path to the key can be copied from the registry base and pasted in the Key field.
- Choose where to apply these rules:
- Key and Values: These rules cater to the most frequent protection needs. If you do not enter a value, all the values of the key will be protected, including the key itself. If you enter a single value, the other values of the key will not be protected.
- Key: These rules provide more advanced protection. Only the key is protected, but its values are not.
- Values: These rules also provide more advanced protection. Only the values are protected, but the rule does not protect the key itself. Even if the values of a key are protected from deletion, if the deletion of the key itself is allowed, the values may be deleted together with the key.
- Click on OK to close the ID creation window. Scroll over the name of the ID to see a summary of the settings.
- In Default behavior, choose the behavior of each action in a protection rule:
- Allow to allow the action by default,
- Block to block the action by default,
- Block and kill to block the action by default, and shut down the process that launched the action.
- Block, kill and quarantine to block the action by default, kill the process that triggered the action, and quarantine suspicious files. For more information, see the section Managing file quarantine.
- Click on + Add a specific behavior and choose the resource(s) that you want to exclude from the default behavior. Select the behavior for each case.
EXAMPLE
By default, block access to the registry keys of Windows security tools such as Windows Defender, Windows Firewall, etc. Allow only legitimate processes to perform these operations, e.g., Windows update and software installer, security solutions, etc.
- In the upper banner in the rule, you can:
- Make the rule passive. Passive rules behave like standard rules but do not actually block any actions. The agent only generates logs that indicate which actions security rules would have blocked.
Use this mode to test new restriction rules, find out their impact, and make the necessary adjustments before disabling Passive rule mode. For further information on testing rules and policies, refer to Testing security policies.
- Indicate whether the rule must generate a context when it is applied. By default, if a rule generates Emergency or Alert logs, it will generate a context, but you can disable this feature.
- Select the log settings that this rule will send.
- Specify whether an action must be performed when a log is sent for this rule. You can choose to display a notification on the agent and/or run a script.
- Enter a description to explain what this rule aims to achieve.
- The row number of each rule appears on its left. Rearrange the sequence of your rules if you need to, by clicking on the arrows above and below the row number.
- Click on Save at the top right of the window to save changes.
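The following is an added illustrative model of the rule semantics described in the steps above (wildcard key paths, the Key and Values / Key / Values scopes, a default behavior with per-application exceptions); it is not the product's own code. The registry paths and application IDs are constructed, and the assumption that the lowest-numbered matching rule wins is ours.

```python
from __future__ import annotations
import fnmatch
from dataclasses import dataclass, field

# Illustrative model of the rule semantics, not the product's engine.
@dataclass
class RegistryRule:
    key_pattern: str                 # full path, or pattern using "?" and "*"
    value: str | None = None         # None: every value of the key is covered
    scope: str = "key_and_values"    # "key_and_values" | "key" | "values"
    default: str = "block"           # allow | block | block_kill | block_kill_quarantine
    specific: dict[str, str] = field(default_factory=dict)  # app ID -> behavior

def rule_covers(rule: RegistryRule, key: str, value: str | None) -> bool:
    """Does this rule protect the given key (value=None) or the given key value?"""
    if not fnmatch.fnmatchcase(key.lower(), rule.key_pattern.lower()):
        return False
    if value is None:                       # action on the key itself
        return rule.scope in ("key_and_values", "key")
    if rule.scope == "key":                 # Key scope leaves the values unprotected
        return False
    # A rule that names a single value protects only that value.
    return rule.value is None or rule.value.lower() == value.lower()

def decide(rules: list[RegistryRule], app_id: str, key: str,
           value: str | None = None) -> str:
    """Behavior for an access; the first matching rule (lowest row) wins (assumed)."""
    for rule in rules:
        if rule_covers(rule, key, value):
            return rule.specific.get(app_id, rule.default)
    return "allow"                          # no rule protects this resource

# Constructed sample policy (paths and application IDs are illustrative).
DEFENDER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
RULES = [
    RegistryRule(DEFENDER + r"*", scope="key_and_values", default="block_kill",
                 specific={"windows_update": "allow"}),
    RegistryRule(r"HKLM\SOFTWARE\Example\Service", scope="values", default="block"),
]

if __name__ == "__main__":
    print(decide(RULES, "unknown_app", DEFENDER, "DisableAntiSpyware"))     # block_kill
    print(decide(RULES, "windows_update", DEFENDER, "DisableAntiSpyware"))  # allow
    print(decide(RULES, "unknown_app", DEFENDER + r"\Real-Time Protection"))  # block_kill
    # "Values" scope pitfall: values are protected, but deleting the key itself is allowed.
    print(decide(RULES, "unknown_app", r"HKLM\SOFTWARE\Example\Service", "Start"))  # block
    print(decide(RULES, "unknown_app", r"HKLM\SOFTWARE\Example\Service"))  # allow
```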