Endpoint Protection

  • 1.  Registry Protection in Application & Device Control

    Posted Aug 28, 2009 02:01 PM
    Hello,

    In Registry Access Protection I specified the following key to protect:

    HKEY_CLASSES_ROOT\CLSID

    However I still CAN delete or modify things under it. But I CAN NOT delete or modify HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

    Can somebody explain this behavior? How can I get HKEY_CLASSES_ROOT\CLSID protected?

    Thanks,
    Hung.




  • 2.  RE: Registry Protection in Application & Device Control

    Posted Aug 31, 2009 12:10 PM
    What version of SEP are you using? An issue with registry access was fixed a while back in MR3.

    Fix ID: 1180455

    Thomas


  • 3.  RE: Registry Protection in Application & Device Control

    Posted Aug 31, 2009 01:14 PM
    Hi Thomas,

    The SEP version is 11.0.4000.2295. Any ideas how we could troubleshoot this?

    Thanks,
    Hung.


  • 4.  RE: Registry Protection in Application & Device Control

    Posted Aug 31, 2009 05:02 PM
    I am looking for an answer to this. I hope to have an answer for you tomorrow.

    Thomas


  • 5.  RE: Registry Protection in Application & Device Control

    Posted Aug 31, 2009 05:35 PM
    Great. Thanks. Let me know if you need further information.

    -Hung.


  • 6.  RE: Registry Protection in Application & Device Control

    Posted Aug 31, 2009 05:45 PM
    Also, could you please comment on this pending thread: https://www-secure.symantec.com/connect/forums/sep11-application-device-control-policy

    Thanks,
    Hung.


  • 7.  RE: Registry Protection in Application & Device Control

    Posted Sep 01, 2009 12:04 PM

    Hung, you should not block CLSID from being modified, as this can seriously impact our product, other products installed on the computer and potentially the OS as well. This has the danger of breaking the system in the long run.

    It seems that HKEY_CLASSES_ROOT is actually a combined “view” of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. That is to say, it is composed of first the Local Machine node, then the Current User node “overlaid” on each other, where Current User overwrites the settings contained in Local Machine for the current user. More about this concept can be found at Microsoft’s website at the following URL: http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx

    Since the view is composed of the two, it is likely that you will need to instead block the above two key nodes, rather than HKEY_CLASSES_ROOT directly.

    What exactly are you trying to accomplish? If you are trying to block certain keys, that is fine, but a blanket deny is potentially hazardous.

    I hope this is helpful,
    Thomas



  • 8.  RE: Registry Protection in Application & Device Control

    Posted Sep 01, 2009 02:54 PM

    Hi Thomas,

    I don't mean to block the entire registry. I only need to block access to certain keys. Blocking HKEY_CLASSES_ROOT was just my experiment.

    The real scenario is that I need to block write/modify access to a set of registry entries. For each entry I would like to protect the Key and everything under it. One example of such an entry is below:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}]
    @="WMSDK NamespaceFactory Class"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}\InprocServer32]
    @="C:\\WINDOWS\\system32\\wmnetmgr.dll"
    "ThreadingModel"="Both"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}\ProgID]
    @="WMSDKNamespace.NamespaceFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}\TypeLib]
    @="{4f15a451-b14f-4067-8b78-50e7837148d2}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}\VersionIndependentProgID]
    @="WMSDKNamespace.NamespaceFactory"

    In order to accomplish that, I set up the following settings in SEP11 registry protection:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{203b1eed-db9f-40fb-87bd-1990982017d2}\*

    Then I open up Regedit and try to mess up the entry. The result is:

    1) The key is completely protected from HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\

    2) But from HKEY_CLASSES_ROOT\CLSID, only Values are protected but NOT Keys. I can delete any Keys I want including the head {203b1eed-db9f-40fb-87bd-1990982017d2}. But I can not delete any Values under the Key.

    3) Of course, if you delete the key from HKEY_CLASSES_ROOT, the entry also disappears from HKEY_LOCAL_MACHINE.

    So the question is, how do I get this to work? I am wondering if I did something wrong here?

    This issue is getting hot. So could you please take a look?

    Thanks,
    Hung.
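    As an added illustration of what Thomas describes in post 7 (HKEY_CLASSES_ROOT is a merged view of the Local Machine and Current User Classes nodes) and of the key plus key\* rule pair Hung lists in post 8, the helper below expands a key path into the physical nodes that actually hold it and emits a protection rule for each. It is not code from the thread or from Symantec; the function names backing_keys and protection_rules and the short hive aliases are my own assumptions, and the rule strings are plain paths in the same form Hung used.

```python
# Per the thread, HKEY_CLASSES_ROOT is a merged view of these two nodes,
# with the Current User node overriding the Local Machine node for the
# current user. A rule on the view alone therefore leaves gaps.
HKCR_SOURCES = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes",
    "HKEY_CURRENT_USER\\SOFTWARE\\Classes",
)

# Short hive names as typed in regedit/.reg files (assumed aliases).
_HIVE_ALIASES = {
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
}


def _normalize(path: str) -> str:
    """Trim whitespace and trailing backslashes, expand short hive names."""
    path = path.strip().rstrip("\\")
    hive, sep, rest = path.partition("\\")
    hive = _HIVE_ALIASES.get(hive.upper(), hive.upper())
    return hive + (sep + rest if sep else "")


def backing_keys(path: str) -> list[str]:
    """Return the physical key(s) that hold the given key path.

    An HKEY_CLASSES_ROOT path expands to both Classes nodes; a path that
    already names HKLM or HKCU is returned unchanged. Other hives are
    rejected so a typo does not silently produce an empty rule set.
    """
    path = _normalize(path)
    hive, _, rest = path.partition("\\")
    if hive == "HKEY_CLASSES_ROOT":
        return [src + ("\\" + rest if rest else "") for src in HKCR_SOURCES]
    if hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        return [path]
    raise ValueError(f"unsupported hive: {hive}")


def protection_rules(path: str) -> list[str]:
    """Build the 'key' plus 'key\\*' pair (key and everything under it,
    as in post 8) for every physical key behind the given path."""
    rules: list[str] = []
    for key in backing_keys(path):
        rules.append(key)
        rules.append(key + "\\*")
    return rules
```

    For the CLSID in post 8, protection_rules("HKCR\\CLSID\\{203b1eed-db9f-40fb-87bd-1990982017d2}") yields four rules, two under HKEY_LOCAL_MACHINE and two under HKEY_CURRENT_USER, instead of the HKLM-only pair that left the view unprotected.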