5 Replies Latest reply: Jan 17, 2014 9:13 AM by shakira

    Custom HIPS rule to deny creation of Reg Key


      I’m aiming to deny creation of a registry key [HKCU\Software\CryptoLocker]


      But I can only get it to respond to registry deletion of the key, with the below code. It will not deny the creation of the key.

      I've tried dozens of variations, but have not succeeded in getting the correct setup.

      Hope someone can help me.








      Rule {

      tag "CryptoLocker Registry Protection 3 test"

      Class Registry

      Id 4005

      level 4

      keys { Include "\\REGISTRY\\CURRENT_USER\\*\\CryptoLocker" }

      directives registry:permissions registry:delete registry:modify registry:create