Creation/deletion/modification of Registry keys as Writable Resource Lists
Created: 14 Feb 2013 | 2 comments
Playing around with prevention policies in SCSP v.5.2.9 I've found very weird behavior with registry keys. What I want to see is any creation, deletion or modification in registry keys/subkeys, however I cannot find a common pattern.
Adding the following entry in == Global Policy Options --> Registry Rules --> Writable Resoure Lists --> Allow but log modifications to these Registry Keys==, works as I expect, I see the events for creation, deletion and modification of keys/subkeys.
But doing exactly the same, but different registry key, doesn't behave in the same way. Then I started playing with the "*" and "\" characters, and the results are definitively unexpected.
If I use any of the following entries, the creation and deletion of keys/subkeys are reported, but no modification.
Any other "combination" would result in reporting just the creation or just the deletion of the key/subkey; in the worst case, nothing gets reported.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR\ --> [key creation reported]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR\* --> [key deletion reported]
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR --> [nothing reported]
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\USBSTOR* --> [nothing reported]
Does anyone see any "predictable" pattern here? Am I missing something?