Jump to content

Recommended Posts

We have a GPO set that when our users log into Windows their Internet Explorer browser is directed to our intranet company home page. This is detected as a PUM by Malwarebytes as shown below. I can add this to the Ignore List but each time a different user logs in on a PC the registry location changes just enough due to their unique sid to flag another alert. Would there be a way to stop this from happening?

 

 

 

 PUM.Hijack.HomepageControl  Quarantined      HKU\S-1-5-21-25782353-988745373-623647154-1029\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage

 

 

Thank you

Link to post
Share on other sites

We are having the same issue with every machine in our network.  This is just for one machine below.

 

PUM.Hijack.DisplayProperties 9/28/2015 10:51:01 AM Quarantined HKU\S-1-5-21-1956397903-2026841819-1852903728-1194\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NoChangingWallPaper Anti-Malware       A4-1F-72-59-C7-85   PUM.Hijack.DisplayProperties 9/28/2015 10:51:01 AM Quarantined HKU\S-1-5-21-1956397903-2026841819-1852903728-1194\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispBackgroundPage Anti-Malware       A4-1F-72-59-C7-85   PUM.Hijack.ConnectionControl 9/28/2015 10:51:01 AM Quarantined HKU\S-1-5-21-1956397903-2026841819-1852903728-1194\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|ConnectionsTab Anti-Malware       A4-1F-72-59-C7-85   PUM.Hijack.HomepageControl 9/28/2015 10:51:01 AM Quarantined HKU\S-1-5-21-1956397903-2026841819-1852903728-1194\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage Anti-Malware       A4-1F-72-59-C7-85  
Link to post
Share on other sites

  • 2 weeks later...

We're also having this issue with Group Policy settings being flagged as PUM's.

 

Examples of the some of the Objects Scanned/Flagged:

 

HKU\(The Domain Users Sid)\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel

HKU\(The Domain Users Sid)\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD

HKU\(The Domain Users Sid)\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun

HKU\(The Domain Users Sid)\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind

HKU\(The Domain Users Sid)\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoToolbarCustomize

HKU\(The Domain Users Sid)\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NoChangingWallPaper

 

How do we add these to the Ignore List?

 

I assume a wildcard needs to be used for the Domain Users SID, But I haven't been able to figure it out yet.

 

Awaiting Guru replies.

 

Thanks

Link to post
Share on other sites

  • Staff

Welcome to the forum and thanks for posting.

 

Unfortunately these cannot be excluded at the moment.

 

Can you please open a Corporate Support ticket with this issue? It is being prioritized so the more Corporate Support tickets are received the higher priority it will receive.

Link to post
Share on other sites

  • 5 months later...
  • 1 month later...
  • Staff

The issue is fixed starting MBMC 1.6.1 release. All you need to do is to use the wild card (*) in the Ignore List. For example:

HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWCPL|1
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED|Start_ShowSearch
HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\DISALLOWRUN|1
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NoChangingWallPaper
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoPropertiesMyComputer
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoClose
HKEY_USERS\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools
HKEY_USERS\S-1-5-21-*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispAppearancePage
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoToolbarCustomize
HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceActiveDesktopOn

IMPORTANT: Never put all the different values mentioned above into the Ignore List. Put only those your organisation actually using via GPO.

 

 

Link to post
Share on other sites

We were not on 1.6.1 at the time, and I don't actually believe it was in full release, only beta at the time of my post, but yes, we're on 1.6.1.2897 currently and using wildcards since upgrading.

 

It was a much needed enhancement, and I'm so very glad to have it now.

Link to post
Share on other sites

  • Root Admin

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.