Ignore List: How to use registry key wildcard


I'm currently running Malwarebytes Management Console v1.7.0. For each client deployment, it picks up a large number of false positive PUM registry keys. The PUM registry keys are the same, but with a slightly different ID for each computer; therefore, Malwarebytes keeps picking up the same PUM registry key over and over again after each Quick Scan, although the registry key has already been added to the Ignore List. My question is, is it possible to add registry keys to the ignore list using a wildcard?

Take for instance the following registry keys. Instead of adding three separate registry keys, is it possible to use one registry key with a wildcard?

HKEY_USERS\S-1-5-21-300489223-253122308-953900138-1072\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage
HKEY_USERS\S-1-5-21-300489223-253122308-953900138-2782\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage
HKEY_USERS\S-1-5-21-300489223-253122308-953900138-1146\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage

HKEY_USERS\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage


  • Staff

Hello Neng. MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legit GPO enforcements. You can add your GPO registry key to Policy → Ignore list, replacing the account SIDs with the * wildcard. Note that only console and client communicator version 1.6.1.2897 and above with Anti-Malware version 1.80.1.1011 and above support this wildcard in the middle of a string, and only for registry keys.

You can utilize this website for finding registry keys associated with the GPO - http://gpsearch.azurewebsites.net/#4842

You can also utilize this list I made of all the GPO changes I’ve seen get tagged as PUM so far: 
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoStartMenuMorePrograms
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSetFolders
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoFind
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSMHelp
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoRun
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoViewContextMenu
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoToolbarCustomize
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoPropertiesMyComputer
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoDrives
hku\*\software\microsoft\windows\currentversion\policies\explorer|ForceActiveDesktopOn
hku\*\software\microsoft\windows\currentversion\policies\system|DisableRegistryTools
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispCPL
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispBackgroundPage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispAppearancePage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispScrSavPage
hku\*\software\policies\microsoft\internet explorer\control panel|ConnectionsTab
hku\*\software\policies\microsoft\internet explorer\control panel|HomePage
hku\*\software\policies\microsoft\windows\system|DisableCMD

Edited by djacobson
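To turn detection strings like the ones quoted in the question into the wildcard form the staff reply describes, and to check that one wildcard entry really covers every per-user key, here is an added Python example (not from the thread or from Malwarebytes). It assumes the `*` stands for exactly one key-path component (the SID) and treats standard hive abbreviations such as `hku` as equivalent to `HKEY_USERS` only for its own comparison; whether the console accepts either spelling is for the console documentation to say.

```python
import re

# Constructed sample detections in the "HIVE\key\path|ValueName" form quoted in the thread.
DETECTIONS = [
    r"HKEY_USERS\S-1-5-21-300489223-253122308-953900138-1072\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage",
    r"HKEY_USERS\S-1-5-21-300489223-253122308-953900138-2782\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage",
    r"HKEY_USERS\S-1-5-21-300489223-253122308-953900138-1146\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage",
]

# A Windows SID: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+", re.IGNORECASE)

# Hive abbreviations, so "hku\..." and "HKEY_USERS\..." compare equal (assumption for matching only).
HIVE_ALIASES = {"HKU": "HKEY_USERS", "HKCU": "HKEY_CURRENT_USER",
                "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}


def split_entry(entry):
    """Split 'hive\\key\\path|Value' into normalised key components and value name."""
    path, _, value = entry.partition("|")
    parts = path.split("\\")
    parts[0] = HIVE_ALIASES.get(parts[0].upper(), parts[0])
    return [p.upper() for p in parts], value.upper()  # registry names are case-insensitive

def to_ignore_entry(detection):
    """Replace every SID key component with '*' to get a machine-independent ignore entry."""
    path, sep, value = detection.partition("|")
    parts = ["*" if SID_RE.fullmatch(p) else p for p in path.split("\\")]
    return "\\".join(parts) + sep + value

def entry_matches(entry, detection):
    """True if the ignore entry covers the detection; '*' stands for exactly one key component."""
    e_parts, e_value = split_entry(entry)
    d_parts, d_value = split_entry(detection)
    if e_value != d_value or len(e_parts) != len(d_parts):
        return False
    return all(e == "*" or e == d for e, d in zip(e_parts, d_parts))

def consolidate(detections):
    """Group raw detections by the single wildcard entry that would cover them."""
    groups = {}
    for d in detections:
        groups.setdefault(to_ignore_entry(d), []).append(d)
    return groups

if __name__ == "__main__":
    for entry, covered in consolidate(DETECTIONS).items():
        print(f"{entry}  (covers {len(covered)} detections)")
```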
