Exclude specific PUM object type: NoSMHelp

[Imperator]

Is it possible to exclude the PUM object type 'NoSMHelp' from being flagged and removed?

 

Our current policies have the scanner action for PUMs set to 'Show in results and check for removal'. I of course understand that changing the action to 'Show in results list and do not check for removal' or 'Do not show in results list' will exclude it, but this is undesired as we do want PUMs to be logged and flagged for removal; just not 'PUM.Optional.NoSMHelp'.

 

I also understand that we could find the object in the threat list and right-click the object and select 'exclude this object' or manually add it to the ignore list. However, the object itself is going to be for the specific user account, with a unique SID, under which the scanner detected the setting. With this scenario, the exclusion would only apply to that specific user account on that specific machine. The exclusion would not apply to other machines or accounts as the SID in the registry entry would be different for every user on every machine. This is simply unsustainable over time.

 

Even though I am fairly certain this wouldn't work... could editing the ignore list entry to replace the SID with an asterisk work? e.g.

HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp

Or would simply adding 'PUM.Optional.NoSMHelp' to the ignore list accomplish it?

 

Any assistance will be greatly appreciated.

[Rsullinger]

Hey Imperator,

 

What version of the management console/management client are you on? If you open up the management console and look in the bottom left, you will see the version number written out there. In version 1.6.1, we put in the ability to add wildcard registration entries like the one you put above. So if you do have version 1.6.1, you can simply put in what you wanted to enter in:

 

HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp

 

That will exclude it on all user accounts on the machines.

 

If you are not on 1.6.1, you will just need to update to that and push the new managed client and anti-malware client version to the computer. You can use the instructions here for that:

 

https://support.malwarebytes.org/customer/en/portal/articles/1835539-how-do-i-upgrade-to-the-latest-version-of-the-malwarebytes-management-console-?b_id=6401

 

Thank you,

 

Ron S

[Imperator]

Hello Rsullinger,

 

Thank you for taking the time to address my question. We are running MBMC version 1.6.0.2816. I will upgrade to 1.6.1 as you suggested and will report back my findings.

[Rsullinger]

Hey Imperator,

 

No problem! If you run into any snags let me know and we can assist further.

 

Thank you,

 

Ron S

[Imperator]

As an update, this is working as intended; no issues to report.

Thanks again!

[Rsullinger]

Hey Imperator,

 

Perfect! Let us know if you run into any other issues.

 

-Ron