inthehills
Level 7

Custom Sig - Registry Protection

Kary,

I have configured the registry to manage USB devices per company policy and now I am trying to develop a HIP7 Custom Sig to protect those keys.

I have built a Custom Sig with the following:

Type - Host IPS

Severity - High

Type - Registry

Operation (checked) - Create / Delete / Modify / Change Permissions

Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\*

But this didn't work, so I have tried adding:

Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowedDeviceIDs\

Include - Registry Key - \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy\

I can still navigate right to and modify or delete these Registry Keys.

What am I missing???

John

0 Kudos
15 Replies
greatscott
Level 12

Re: Custom Sig - Registry Protection

Are you positive you are blocking highs? Perhaps you could try it as an expert subrule versus the checked options. It would look like this:

Rule {
    tag indicator 1
    Class Registry
    Id 9999
    level 4
    keys { Include "\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowedDeviceIDs\" "\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy\" }
    directives registry:delete registry:modify registry:create
}

Message was edited by: greatscott on 5/30/13 8:54:57 AM CDT
0 Kudos
inthehills
Level 7

Re: Custom Sig - Registry Protection

GreatScott.

I am 100% sure that I am blocking highs because I have had a few other (unrelated) events triggered while working on this.

This is what the Preview looks like with what I currently have configured.

Rule {
    tag "Registry Protection"
    Class Registry
    Id 9999
    level 4
    keys { Include "\\REGISTRY\\MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\*" }
    directives -c -d registry:permissions registry:delete registry:modify registry:create
}

But since I posted this an interesting thing happened. An event was actually triggered!!! I think it was GPO cleaning up registry entries that it did not think belonged. But the crazy part is that it kept the two Keys (AllowedDeviceIDs & DeniedPolicy) but wiped out the values and data. The event claimed to have blocked the attempted deletion, but it sure does not seem that way to me.

I know I must be missing something somewhere but I sure can't figure it out. I am going to take the test system offline until I can get the Signature blocking everything so that GPO does not wipe everything out again.

Any help is GREATLY appreciated.

0 Kudos
greatscott
Level 12

Re: Custom Sig - Registry Protection

When testing signatures, I sometimes have issues getting the registry class of signatures to fire when working within the registry editor GUI. Meaning, if I create or modify a registry key that I have a signature set to trigger on, it won't trigger. One thing I have learned is that if you use the command line to do your registry edits, you will get the signature to fire. Next time you are testing, use an elevated command prompt and say "reg add hklm_classes_root\the rest of the key here\etc"; it should fire when you do it this way.

0 Kudos
inthehills
Level 7

Re: Custom Sig - Registry Protection

I really need it to fire if a user tries to make changes via regedit or cmd line.

Do you know what "-c -d" means?

Should the a\b\c\d\Restrictions\* also include protection for the two keys under it?

0 Kudos
inthehills
Level 7

Re: Custom Sig - Registry Protection

GreatScott,

You are indeed correct, it does trigger using the cmd line. What else can I do to protect the Reg Keys from modification or deletion via RegEdit?

0 Kudos
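A small test harness for the two write paths this thread contrasts (reg.exe, which greatscott says makes the signature fire, versus an in-process registry API write, the route regedit takes). It is added here and is not code from anyone in the thread; the HipsProbe value name is a constructed throwaway, and it assumes a blocked write surfaces as a failed command on the caller's side.

```powershell
# Added test harness, not from the thread. Run in an elevated PowerShell on the
# test system with the signature set to block. It judges each attempt by
# whether the value actually landed, not only by the error text, because a
# "blocked" event with a silently applied change is the symptom described above.
$Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$NtKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$Probe = 'HipsProbe'   # constructed throwaway value name, removed afterwards

function Test-ProbeWrite {
    param([string]$Label, [scriptblock]$Write)
    $err = $null
    try { & $Write } catch { $err = $_.Exception.Message }
    $landed = $null -ne (Get-ItemProperty -Path $Key -Name $Probe -ErrorAction SilentlyContinue)
    # Clean up; if the signature also blocks deletes this will simply fail quietly.
    Remove-ItemProperty -Path $Key -Name $Probe -ErrorAction SilentlyContinue
    [pscustomobject]@{ Path = $Label; Error = $err; ValueLanded = $landed }
}

# 1. Child reg.exe process, the path reported to trigger the signature.
$viaReg = Test-ProbeWrite 'reg.exe' {
    $out = & reg.exe add $NtKey /v $Probe /t REG_DWORD /d 1 /f 2>&1
    if ($LASTEXITCODE -ne 0) { throw "reg.exe exit $LASTEXITCODE : $out" }
}

# 2. In-process write through the registry API (same route regedit uses),
#    the path reported not to trigger on HIPS 7.0.
$viaApi = Test-ProbeWrite 'registry API' {
    New-ItemProperty -Path $Key -Name $Probe -PropertyType DWord -Value 1 -ErrorAction Stop | Out-Null
}

# Expected with a working block: Error set and ValueLanded False for both rows.
$viaReg, $viaApi | Format-Table -AutoSize
```

Compare the two rows against the HIPS event log for the same timestamps: a row with ValueLanded True and a corresponding "blocked" event is exactly the mismatch reported earlier in the thread.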
greatscott
Level 12

Re: Custom Sig - Registry Protection

You may just want to create a signature to prevent users from using regedit.

0 Kudos
inthehills
Level 7

Re: Custom Sig - Registry Protection

It also seems to trigger and block mmc.exe when I try to edit GPO.

Kary - Any ideas?

0 Kudos
McAfee Employee

Re: Custom Sig - Registry Protection

I tested it in HIPS 7.0 and couldn't get it to trigger on regedit.exe (not sure why).  I tried it in HIPS 8.0 and it works perfectly.

(Attached screenshots: _2013-05-31_16-31-36.jpg, reg.jpg)

0 Kudos
inthehills
Level 7

Re: Custom Sig - Registry Protection

Kary,

I’m not really trying to use HIPS to manage USB, just to protect a few Reg Keys.

I would prefer to use DLP, but we are currently using DLP to manage USB through the environment using AD User Assignment Groups. The problem is that we have these systems that need to be able to mount a few specific USBs regardless of user. The former solution and the latter problem do not seem to work together. I think the User Assignment Groups override the Computer Assignment Groups.

I am hoping to go to HIP8 in a few weeks so hopefully that will solve this riddle.

Thanks for your help.

0 Kudos