c14us
Level 7

Custom HIPS rule to deny creation of Reg Key


I’m aiming to deny creation of a registry key [HKCU\Software\CryptoLocker]

But I can only get it to respond to registry deletion of the key, with the below code. It will not deny the creation of the key.

I've tried dozens of variations, but have not succeeded in getting the correct setup.

Hope someone can help me.

Regards

Claus

Rule {
    tag "CryptoLocker Registry Protection 3 test"
    Class Registry
    Id 4005
    level 4
    keys { Include "\\REGISTRY\\CURRENT_USER\\*\\CryptoLocker" }
    directives registry:permissions registry:delete registry:modify registry:create
}


Accepted Solution
McAfee Employee

Re: Custom HIPS rule to deny creation of Reg Key


Same results. Worked just fine for me by importing a .REG file to create the key (which is done by Regedit); creating the key via Regedit directly doesn't work.

5 Replies

c14us
Level 7

Re: Custom HIPS rule to deny creation of Reg Key


Thank you, thank you, thank you, a million thank yous, Kary.

I've tested for 6 hours using the registry editor. Feel so busted now.

It also worked for me when I used .reg files (NB: do you know why this is so? Should I trust the rule when it is not triggering using the registry editor?)

Loads of regards

Claus

McAfee Employee

Re: Custom HIPS rule to deny creation of Reg Key


> (NB: do you know why this is so? Should I trust the rule when it is not triggering using the registry editor?)

I'm not entirely sure why it doesn't work with Regedit.exe when creating via the application, but I would encourage you to open a Service Request with McAfee Support to have this looked at further. I believe it warrants further investigation.

McAfee Employee

Re: Custom HIPS rule to deny creation of Reg Key


Actually, I believe the reason is that when you create a new key via Regedit.exe directly, you're actually creating a new key called "New Key #1", and Regedit then renames it to the name you specified (\CryptoLocker).

When creating via .REG file import, it's directly creating the key you're protecting against (\CryptoLocker), instead of using this rename operation.

If I block \REGISTRY\SOFTWARE\** keys, then any new key is blocked (via Regedit.exe directly, working as you originally intended), and it has this "New Key #1" name.
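The rename behaviour described above means a rule can look healthy under one test method and silent under another. The following PowerShell harness is an added example, not McAfee's code or anything posted in this thread; it exercises the protected key through the three creation paths the thread discusses (a direct API create, a .REG import, and a create-then-rename sequence that mimics Regedit's "New Key #1" step) and reports which of them still managed to create the key. It assumes it is run as the logged-on user on a host where the custom rule is deployed, and that no real HKCU\Software\CryptoLocker key exists; whether Rename-Item on the registry provider produces the same rename operation as Regedit is an assumption, so confirm against the HIPS activity log.

```powershell
# Added test harness for the custom HIPS rule discussed in this thread (not McAfee's code).
# Assumptions: rule is deployed on this host, script runs as the logged-on user,
# and HKCU\Software\CryptoLocker does not exist before the test.
$Key     = 'HKCU:\Software\CryptoLocker'
$TempKey = 'HKCU:\Software\New Key #1'     # name Regedit uses before renaming
$RegFile = Join-Path $env:TEMP 'hips-cryptolocker-test.reg'

function Test-KeyCreation {
    param([string]$Label, [scriptblock]$Action)
    foreach ($p in @($Key, $TempKey)) { if (Test-Path $p) { Remove-Item $p -Force } }
    try {
        & $Action
        $created = Test-Path $Key          # $true means the rule did NOT stop this path
    } catch {
        $created = $false                  # access denied: the rule (or something) blocked it
    }
    foreach ($p in @($Key, $TempKey)) { if (Test-Path $p) { Remove-Item $p -Force } }
    [pscustomobject]@{ Method = $Label; KeyCreated = $created }
}

$results = @(
    # 1. Direct create through the registry API, the path most installers and tools take.
    Test-KeyCreation 'Direct New-Item' { New-Item -Path $Key -Force | Out-Null }

    # 2. .REG import, the method the thread found the rule blocks reliably.
    Test-KeyCreation '.REG import' {
        $body = "Windows Registry Editor Version 5.00`r`n`r`n[HKEY_CURRENT_USER\Software\CryptoLocker]`r`n"
        Set-Content -Path $RegFile -Value $body -Encoding Unicode
        reg.exe import $RegFile 2>&1 | Out-Null
    }

    # 3. Create "New Key #1" then rename it, approximating Regedit's interactive behaviour.
    Test-KeyCreation 'Create + rename' {
        New-Item -Path $TempKey -Force | Out-Null
        Rename-Item -Path $TempKey -NewName 'CryptoLocker'
    }
)

Remove-Item $RegFile -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize
```

A row with KeyCreated = True is a creation path the rule does not cover; compare each row with the corresponding entry in the HIPS activity log, since a rule in "log only" mode will show the event without denying it.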

shakira
Level 10

Re: Custom HIPS rule to deny creation of Reg Key


This is correct. It tripped me up for half a day as well.
