0 Replies Latest reply on Oct 13, 2014 5:40 PM by xspader

    svchost.exe trying to delete DisableRegistryTools

    xspader

      I have a detection where svchost.exe is trying to delete \REGISTRY\USER\S-1-5-21-2954251252-2009956459-2392978873-42980\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

      All the research I have done shows that if this was under HKLM\Software then it would probably be a virus or malware.

      I'm thinking this is a Group Policy trying to do what it does and McAfee is stopping it as it is supposed to do. I guess I'm wanting to see if anyone else has had a similar experience and what you did, or do you simply ignore this alert?

      I'm tempted to set up Application Control and run full scans and then allow this behaviour.

      Thoughts? Comments?