Green Mountain IT

Add Exception for Registry Keys

Hello,

I have several false positives for registry keys relating to group policies that prevent users from accessing Task Manager, Command Prompt, Registry Editor, etc.

I am seeing quarantines such as:

"Setting.DisableRegistryTools (A)" in "Value: HKEY_USERS\S-1-5-21-365083775-2236518244-184172837-1136\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS"

How can I add reg entries as an exclusion?

I am using the cloud console. I found the detection and checked the boxes to Restore and Add Exclusion, and the Restore worked but I am not seeing any Exclusion added. Also I only see options to exclude Files or Folders. How can I exclude reg keys?

Thanks for looking.

11 hours ago, Green Mountain IT said:

I have several false positives for registry keys relating to group policies that prevent users from accessing Task Manager, Command Prompt, Registry Editor, etc.

Technically these aren't false positives. They're common modifications made by malware that hamper troubleshooting, and are usually considered undesirable outside of a corporate environment where the administrator has determined that these system tools should not be available to regular users on the system.

 

11 hours ago, Green Mountain IT said:

How can I add reg entries as an exclusion?

In the scan results, simply right-click on the entry you want to exclude and select Add to exclusions. This should prevent it from being detected in future scans.

5 hours ago, GT500 said:

Technically these aren't false positives. They're common modifications made by malware that hamper troubleshooting, and are usually considered undesirable outside of a corporate environment where the administrator has determined that these system tools should not be available to regular users on the system.

Understood.

 

5 hours ago, GT500 said:

In the scan results, simply right-click on the entry you want to exclude and select Add to exclusions. This should prevent it from being detected in future scans.

Will this apply the exclusion to the entire workspace? Or must it be done for each client? It would be convenient to be able to add registry exceptions proactively, long-term.

Thanks for your help.

20 hours ago, Green Mountain IT said:

Will this apply the exclusion to the entire workspace? Or must it be done for each client?

Registry exclusions can't be added manually, and can't be added via a workspace, so this procedure would have to be performed on each workstation separately.

If you want to set this via a workspace policy then there's a setting in the Scanner Settings labeled Detect registry policies settings that you can disable, and that should prevent these detections as well. This setting can be configured in policies, and individually for each device that Emsisoft Anti-Malware is installed on (in the "Protection Settings" category).
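A read-only check an administrator can run on a workstation before excluding these detections or turning off the scanner setting, to confirm which user hives actually carry the tool-restriction policy values and compare them with the intended group policy. This is an added example, not part of the original thread or of Emsisoft's tooling; DisableRegistryTools comes from the detection quoted in the first post, while DisableTaskMgr, DisableCMD and the DisableCMD key path are assumed here as the standard Windows policy values for Task Manager and Command Prompt.

```powershell
# Added example: list per-user policy values that restrict system tools.
# Read-only. Run in an elevated PowerShell session on the workstation.
# Only hives currently loaded under HKEY_USERS (logged-on users) are visible.

# Policy values to look for, relative to each user hive.
# DisableRegistryTools is from the thread; the other two are assumptions (see lead-in).
$checks = @(
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'SOFTWARE\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)

# Keep only account hives (S-1-5-21-...), skipping the *_Classes hives.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

$results = foreach ($hive in $hives) {
    $sid = $hive.PSChildName

    # Resolve the SID to an account name; this fails for deleted accounts.
    try {
        $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '(unresolved)'
    }

    foreach ($check in $checks) {
        $path = "Registry::HKEY_USERS\$sid\$($check.Key)"
        $item = Get-ItemProperty -Path $path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{
                Account = $account
                Sid     = $sid
                Value   = $check.Name
                Data    = $item.($check.Name)
                Key     = $check.Key
            }
        }
    }
}

# One row per value that is present; compare against the GPO you intended to apply.
$results | Sort-Object Account, Value | Format-Table -AutoSize
```

A value that shows up for an account outside the scope of the restricting group policy is the case worth investigating before any exclusion is added.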
