11 Replies. Latest reply on Dec 21, 2016 12:02 PM by jabii

    User defined policy - reg key blocking

    jabii

      I've made in ePO a user-defined policy for VSE which should block the creation of a reg key that starts with { : HKCU\Sotware\Microsoft\Windows\CurrentVersion\Run\{**, but after this was implemented, I've seen that the sample policy is also blocking ....Run\?**.

      One system out of 90,000 has hundreds of events regarding this. Explorer.exe is trying to deploy a reg key that starts with ?**. I have no impact or user complaints, but this could be a bug in VSE.

      My question is why McAfee is considering the character "{" equal to / the same as "?".

      Is this a bug / known bug in VSE 8.8 Patch 6?

      PS: I have no other information regarding other VSE patches.

        • 1. Re: User defined policy - reg key blocking
          tao

          Interesting, may be a bug ... I wonder if you would receive the same results if you created a LOG Only (for testing):

          HKCU\Sotware\Microsoft\Windows\CurrentVersion\Run\{**}

          or

          HKCU\Sotware\Microsoft\Windows\CurrentVersion\Run\{**}\

          • 2. Re: User defined policy - reg key blocking
            jabii

            I think I will do that tomorrow. But what will be the difference, or what are you trying to get? I don't get your idea, because the double * is actually also referring to the character }.

            I was asking why VSE doesn't distinguish between { and ?.

            • 3. Re: User defined policy - reg key blocking
              tao

              Perhaps it's a bug, or (reading your post) a corrupt policy on that "one system from 90,000 [that] has hundreds of events regarding this". So, the test would be on that one unit: if you push the test policy to that one unit and still receive "hundreds of events regarding" Explorer.exe trying to deploy a reg key that starts with ?**... you may just have a corrupt policy on that one node.

              • 4. Re: User defined policy - reg key blocking
                jabii

                No Tao, ... those events triggered me to test more, and I made the sample policy on my own PC and the "issue" is still there. I tried to manually create, using regedit, a new key under HKCU\...RUN that starts with ?** and I got the access denied error.

                So, I think McAfee VSE has a bug in interpreting those 2 characters: { and ?, because with others like !@#$%^&*()+ there is no problem (I tested this also).

                • 5. Re: User defined policy - reg key blocking
                  tao

                  Ok, just tested the following:

                  HKCU and HKULM <> Protect Value <> Write/Create

                  /**/Microsoft/Windows/CurrentVersion/Run/{*

                  Dummy Reg:

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

                  "?*"=""

                  "?**"=""

                  "{1234"=""

                  "{1234abc"=""

                  "{1234}"=""

                  "{1234abc}"=""

                  "{abc"=""

                  "{abc}"=""

                  Results:

                  "?*"="" Allowed

                  "?**"="" Allowed

                  Everything else Blocked

                  • 6. Re: User defined policy - reg key blocking
                    jabii

                    Then, do you have any idea why I get this error?

                    [attached screenshot: Run1.png]

                    • 7. Re: User defined policy - reg key blocking
                      tao

                      I receive the same type of error; mine was due to: Access Protection <> Common Maximum Protection <> Prevent programs registering to autorun: Block & Report ... for testing I had toggled off "Block".

                      • 8. Re: User defined policy - reg key blocking
                        woody188

                        The question mark is a single-character wildcard in ePO, so if you are using "?" you are really saying any single character in that position in the string. Unsure of the curly brackets, but they would typically need a break-out character in most programming languages. If they didn't set the string variable correctly for that entry, it could very well be a bug.
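To make the wildcard discussion concrete, here is an added example (not code from this thread, from McAfee, or from any of the posters) that implements the wildcard semantics as I understand them from the VSE Access Protection documentation, which is an assumption: "?" matches exactly one character, "*" matches any run of characters without a path separator, "**" matches any run including separators, and everything else (curly braces included) is literal. It then parses constructed accessprotectionlog.txt lines (the thread's line with its tabs restored plus one made-up line; the eight-field order is inferred from that line and is also an assumption) and lists the blocked targets that the rule, as written, should not cover. The rule string and the sample log are constructed for the example.

```python
import re
from typing import Dict, List

# Wildcard semantics assumed for this example (my reading of McAfee's
# documentation for VSE Access Protection user-defined rules; an
# assumption, not a statement of how the product is implemented):
#   ?   exactly one character (not a path separator)
#   *   any run of characters that contains no path separator (\ or /)
#   **  any run of characters, separators included
# Everything else, including '{' and '}', is a literal. Matching is
# case-insensitive, and '\' and '/' are interchangeable as separators.
def rule_to_regex(rule: str) -> re.Pattern:
    parts: List[str] = []
    i = 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")
            i += 2
        elif rule[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        elif rule[i] == "?":
            parts.append(r"[^\\/]")
            i += 1
        elif rule[i] in "\\/":
            parts.append(r"[\\/]")
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule: str, target: str) -> bool:
    """True if the registry path `target` is covered by `rule`."""
    return rule_to_regex(rule).match(target) is not None


# accessprotectionlog.txt is read here as tab-separated with these eight
# fields; the order is inferred from the line quoted in the thread
# (an assumption).
AP_FIELDS = ("date", "time", "result", "user", "process", "target", "rule", "action")


def parse_ap_log(text: str) -> List[Dict[str, str]]:
    """Split each tab-delimited log line into a dict keyed by AP_FIELDS."""
    events = []
    for line in text.splitlines():
        cols = line.rstrip("\r\n").split("\t")
        if len(cols) != len(AP_FIELDS):
            continue  # skip blank or malformed lines
        events.append(dict(zip(AP_FIELDS, cols)))
    return events


def unexpected_blocks(rule: str, events: List[Dict[str, str]]) -> List[str]:
    """Targets that were blocked although, under the semantics above,
    the rule as written should not cover them (the thread's '?' case)."""
    return [
        e["target"] for e in events
        if e["result"].startswith("Blocked") and not rule_matches(rule, e["target"])
    ]


# Constructed sample: the thread's log line with its tabs restored, plus a
# second constructed event for a key that the rule is meant to block.
SAMPLE_LOG = (
    "12/16/2016\t3:39:05 PM\tBlocked by Access Protection rule\tdomain\\username"
    "\tC:\\WINDOWS\\REGEDIT.EXE\tHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\?"
    "\tUser-defined Rules:Powelike\tAction blocked : Create\n"
    "12/16/2016\t3:40:12 PM\tBlocked by Access Protection rule\tdomain\\username"
    "\tC:\\WINDOWS\\REGEDIT.EXE\tHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\\{1234ABC}"
    "\tUser-defined Rules:Powelike\tAction blocked : Create\n"
)

# Constructed rule in the shape of the thread's rule (hypothetical value).
RULE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\{**"

if __name__ == "__main__":
    for t in unexpected_blocks(RULE, parse_ap_log(SAMPLE_LOG)):
        print("blocked but not covered by the rule as written:", t)
```

Under these semantics a rule ending in "\Run\{**" covers "{1234abc}" but not "?", while a rule ending in "\Run\?**" covers "{abc" because "?" accepts any single character, which is the asymmetry woody188 describes; running the script over your own accessprotectionlog.txt export shows which blocked targets fall outside the pattern you actually wrote.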

                        • 9. Re: User defined policy - reg key blocking
                          jabii

                          I don't have that option enabled, not even reporting or anything from Common Maximum Protection.

                          This was tested on ePO 5.3.1/5.3.2, VSE 8.8 Patch 7 and 6, via the ePO web console and also locally on the system.

                          PS: in accessprotectionlog.txt I have the same information:

                          12/16/2016    3:39:05 PM    Blocked by Access Protection rule    domain\username    C:\WINDOWS\REGEDIT.EXE    HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\?    User-defined Rules:Powelike    Action blocked : Create
