Endpoint Protection

  • 1.  Registry monitoring

    Posted Jul 12, 2013 07:05 AM

    Hi all,

     

    Is it possible to monitor a registry value of type DWORD using application and device control?



  • 2.  RE: Registry monitoring

    Posted Jul 12, 2013 07:07 AM

    Hi,

    No, you can't monitor a registry value through SEP ADC policy.



  • 3.  RE: Registry monitoring

    Posted Jul 12, 2013 07:09 AM

    I can't monitor DWORD, or I cannot monitor the registry at all?



  • 4.  RE: Registry monitoring

    Posted Jul 12, 2013 07:09 AM

    Yes, you can add in registry values to the ADC policy. See here:

    http://www.symantec.com/docs/HOWTO27048

    About the structure of an Application and Device Control policy

    Article:HOWTO81236  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO81236

     

    "Rules control attempts to access computer entities, such as files or Windows registry keys, that Symantec Endpoint Protection monitors. You configure these different types of attempts as conditions."

    Add the key you want to monitor.



  • 5.  RE: Registry monitoring

    Posted Jul 12, 2013 07:16 AM

    Hi Brian,

     

    I would like to share my observations.

    1. If I monitor a registry value of type String, then I'm able to get the logs.

    2. If I monitor a registry value of type DWORD, then I'm not getting any logs.

     

    So when I checked the help document, it has the following line written in the description:

    "The data is treated as a string and not a number. For example, you might create a registry key condition with the name AAA and a registry key value of 111. If you configure the rule to block, then the rule only blocks AAA when it is created as a string."

    So it seems that it only monitors the key value of a type string and not a number....



  • 6.  RE: Registry monitoring
    Best Answer

    Posted Jul 12, 2013 07:19 AM

    Hi Darshan,

    Yes, that explanation is accurate and so is what you're seeing when you try your test.

    It's not that you can't monitor the registry, although it may be slightly limited in doing so.
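
The observation in replies 5 and 6 (a string value is logged, a DWORD value is not, because the condition compares data "as a string") can be reproduced outside SEP. The following PowerShell script is an added example, not code from the thread or from Symantec: it creates one REG_SZ value "111" and one REG_DWORD value 111 under a constructed test key, reports each value's kind, and applies a text-only comparison of the kind the help text describes. Check the ValueKind of the value you intend to monitor before writing an ADC registry condition; the key path and function names are assumptions made for this demo.

```powershell
# Added example (not from the thread or from Symantec). Shows why a rule that
# compares registry data as text matches REG_SZ "111" but not REG_DWORD 111,
# and gives a quick way to check the ValueKind of a value before monitoring it.
# The key path below is a constructed test location, not a real product key.

$TestKey = 'HKCU:\Software\ADCRegistryTypeExample'   # hypothetical, constructed for this demo

function Get-RegistryValueKind {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # Get-Item returns a Microsoft.Win32.RegistryKey; GetValueKind reports
    # String (REG_SZ), DWord (REG_DWORD), and so on.
    $key = Get-Item -LiteralPath $Path
    return $key.GetValueKind($Name)
}

function Test-StringCondition {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Expected
    )
    # Mimics a condition that treats the stored data as a string with no
    # numeric conversion: only data that is literally the text $Expected matches.
    # The -is [string] check matters: PowerShell would otherwise coerce
    # "111" to 111 when the left operand is an integer and report a match.
    $key  = Get-Item -LiteralPath $Path
    $data = $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
    return ($data -is [string]) -and ($data -ceq $Expected)
}

# Constructed test data: the same logical number stored in two value types.
New-Item -Path $TestKey -Force | Out-Null
New-ItemProperty -Path $TestKey -Name 'AAA_String' -Value '111' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $TestKey -Name 'AAA_Dword'  -Value 111   -PropertyType DWord  -Force | Out-Null

foreach ($name in 'AAA_String', 'AAA_Dword') {
    [pscustomobject]@{
        Value           = $name
        Kind            = Get-RegistryValueKind -Path $TestKey -Name $name
        MatchesAsString = Test-StringCondition -Path $TestKey -Name $name -Expected '111'
    }
}

# Clean up the constructed key.
Remove-Item -Path $TestKey -Recurse -Force
```

Run it in a normal user session (HKCU needs no elevation). The string value is reported with a kind of String and matches the text condition; the DWORD value is reported as DWord and does not, which is the same behaviour the help text describes for an ADC registry condition. If the value you need to watch turns out to be a DWORD, that is the sign that a string-based ADC condition alone will not produce logs for it.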



  • 7.  RE: Registry monitoring

    Posted Jul 12, 2013 07:28 AM

    Thanks Brian.. I thought so..

     

    I checked that there is other option where we can use regular expressions.. Can that be useful in this case?



  • 8.  RE: Registry monitoring

    Posted Jul 12, 2013 07:48 AM
    Personally, I have not tried regex so I cannot say. It would be worth a test though.


  • 9.  RE: Registry monitoring

    Trusted Advisor
    Posted Jul 12, 2013 08:16 AM

    Hello,

    I agree with above comments.

    You can use application control to control applications in the following ways:

    • Prevent malware from taking over applications

    • Restrict the applications that can run

    • Prevent users from changing configuration files

    • Protect specific registry keys

    • Protect particular folders, such as \WINDOWS\system

    Check these Articles:

    About application and device control

    http://www.symantec.com/docs/HOWTO80859

    Is it possible to specify the "default" or "@" registry value in a SEP Application and Device Control policy?

    http://www.symantec.com/docs/TECH171634

    Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

    http://www.symantec.com/docs/TECH132337

    How the Application and Device Control Hardening policy works

    http://www.symantec.com/business/support/index?page=content&id=TECH132307

    Hope that helps!!