Green Mountain IT Posted September 10, 2020

Hello,

I have several false positives for registry keys relating to group policies that prevent users from accessing Task Manager, Command Prompt, Registry Editor, etc.

I am seeing quarantines such as:

"Setting.DisableRegistryTools (A)" in "Value: HKEY_USERS\S-1-5-21-365083775-2236518244-184172837-1136\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS"

How can I add reg entries as an exclusion? I am using the cloud console. I found the detection and checked the boxes to Restore and Add Exclusion, and the Restore worked but I am not seeing any Exclusion added. Also I only see options to exclude Files or Folders. How can I exclude reg keys?

Thanks for looking.

GT500 Posted September 11, 2020

11 hours ago, Green Mountain IT said:
> I have several false positives for registry keys relating to group policies that prevent users from accessing Task Manager, Command Prompt, Registry Editor, etc.

Technically these aren't false positives. They're common modifications made by malware that hamper troubleshooting, and are usually considered undesirable outside of a corporate environment where the administrator has determined that these system tools should not be available to regular users on the system.

11 hours ago, Green Mountain IT said:
> How can I add reg entries as an exclusion?

In the scan results, simply right-click on the entry you want to exclude and select Add to exclusions. This should prevent it from being detected in future scans.

Green Mountain IT (Author) Posted September 11, 2020

5 hours ago, GT500 said:
> Technically these aren't false positives. They're common modifications made by malware that hamper troubleshooting, and are usually considered undesirable outside of a corporate environment where the administrator has determined that these system tools should not be available to regular users on the system.

Understood.

5 hours ago, GT500 said:
> In the scan results, simply right-click on the entry you want to exclude and select Add to exclusions. This should prevent it from being detected in future scans.

Will this apply the exclusion to the entire workspace? Or must it be done for each client. It would be convenient to be able to add registry exceptions pro-actively, long-term.

Thanks for your help.

GT500 Posted September 12, 2020

20 hours ago, Green Mountain IT said:
> Will this apply the exclusion to the entire workspace? Or must it be done for each client.

Registry exclusions can't be added manually, and can't be added via a workspace, so this procedure would have to be performed on each workstation separately.

If you want to set this via a workspace policy then there's a setting in the Scanner Settings labeled Detect registry policies settings that you can disable, and that should prevent these detections as well. This setting can be configured in policies, and individually for each device that Emsisoft Anti-Malware is installed on (in the "Protection Settings" category).
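
Added example, not part of the thread and not Emsisoft code: since registry exclusions are added per workstation and disabling the scanner setting stops these detections altogether, this sketch sorts quarantine entries of the shape quoted in the first post into restrictions the administrator deployed and entries that still need a look. The expected-policy set, the second and third sample lines and their SIDs are constructed assumptions.

```python
import re
from collections import defaultdict

# Shape taken from the quarantine entry quoted in the first post.
DETECTION_RE = re.compile(
    r'"Setting\.(?P<name>\w+) \((?P<verdict>\w)\)" in '
    r'"Value: (?P<key>.+?) -> (?P<value>\w+)"'
)
SID_RE = re.compile(r'^HKEY_USERS\\(S-1-[0-9-]+)\\', re.IGNORECASE)

# Assumption: restrictions this administrator deliberately deploys by group policy.
EXPECTED_POLICIES = {"disableregistrytools", "disabletaskmgr"}

SAMPLE_LINES = [
    # Entry from the thread.
    r'"Setting.DisableRegistryTools (A)" in "Value: HKEY_USERS\S-1-5-21-365083775-2236518244-184172837-1136\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS"',
    # Constructed entries in the same shape (placeholder SIDs).
    r'"Setting.DisableTaskMgr (A)" in "Value: HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR"',
    r'"Setting.DisableCMD (A)" in "Value: HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM -> DISABLECMD"',
]

def parse_detection(line):
    """Return the setting, key, value and user SID of one entry, or None."""
    m = DETECTION_RE.search(line)
    if not m:
        return None
    sid = SID_RE.match(m["key"])
    return {"setting": m["name"], "key": m["key"], "value": m["value"],
            "sid": sid.group(1) if sid else None}

def triage(lines, expected=EXPECTED_POLICIES):
    """Split entries into expected restrictions per SID and ones to review."""
    expected_hits, review = defaultdict(list), []
    for line in lines:
        d = parse_detection(line)
        if d is None:
            continue  # not a registry-setting entry
        if d["sid"] and d["value"].lower() in expected:
            expected_hits[d["sid"]].append(d["value"])
        else:
            review.append(d)  # not a restriction we deployed: investigate
    return dict(expected_hits), review

if __name__ == "__main__":
    hits, review = triage(SAMPLE_LINES)
    for sid, values in hits.items():
        print("expected:", sid, values)
    for d in review:
        print("review:", d["sid"], d["value"])
```
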

Green Mountain IT (Author) Posted September 14, 2020

Thank you for the help, Arthur.

GT500 Posted September 15, 2020

You're welcome.