Windows.Tool.Disabled

[KevinGu]

Hello:

We are testing MBMR and keep finding this:

 

<Detection><Info><Name>Windows.Tool.Disabled</Name>

<Path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig</Path>

<Hash>1100944e71197bbb1d2d5cd27c89c13f</Hash>

<Class>8</Class>

 

I am pretty sure its a false positive and just reading the registery entery that controls system restore. We disable system restore and believe its flagging MalwareBytes because maybe some threats do this.

 

I would like to confirm our theory is correct. Also, when it finds and "removes" what does it do to the  registry key, if anything?

 

Thanks....

[blender]

Hi Kevin,

 

Indeed that key is for system restore. More specifically - it is a policy setting that allows or dissallows users to configure system restore.

 

Many threats disable system restore which in turn removes all previous restore points so the user cannot revert to an uninfected date.

Often they will also block user's ability to turn system restore back on again to create restore points as they work on fixing the system.

 

So - this in not a false positive.

However - because you set this yourself, you can ignore this/whitelist this setting.

 

When MBAM "fixes" the entry, it sets the value data back to 0 (which allows users to enable system restore again)

Value of 1 means "don't let users configure system restore"

Value of 0 means "allow users to configure system restore"

 

More info here on this specific policy:

https://support.microsoft.com/en-us/kb/283073

 

Hope that helps explain it.