GPO Settings causing Hijack.FolderOptions to be triggered.


I have several settings pushed to the client via GPO to change wallpaper, folder options, etc. These are being flagged as Hijack.FolderOptions or PUMs. Is there a way to add exceptions for these sorts of changes?

I have attempted to add in the discoveries, but I think this is only adding the exception for the current user and not as a blanket for all future detections.

TIA

Hi @Jack_P, the MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legitimate GPO enforcements. Add your GPO registry key to the Policy → Ignore list, then go to the ignore list and edit the entry, replacing the account SIDs with the * wildcard. Note that only console and client communicator 1.6.1.2897 and above, with Anti-Malware 1.80.1.1011 and above, support this wildcard in the middle of a string, and only for registry keys.

Here's a list I made of all the GPO changes I've seen get tagged as PUM; add these to your ignore list as a starter pack:
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoStartMenuMorePrograms
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSetFolders
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoFind
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSMHelp
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoRun
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoViewContextMenu
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoToolbarCustomize
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoPropertiesMyComputer
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoDrives
hku\*\software\microsoft\windows\currentversion\policies\explorer|ForceActiveDesktopOn
hku\*\software\microsoft\windows\currentversion\policies\system|DisableRegistryTools
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispCPL
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispBackgroundPage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispAppearancePage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispScrSavPage
hku\*\software\policies\microsoft\internet explorer\control panel|ConnectionsTab
hku\*\software\policies\microsoft\internet explorer\control panel|HomePage
hku\*\software\policies\microsoft\windows\system|DisableCMD
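The reply above describes the edit by hand: take each detection, swap the per-user SID for `*`, and put the result in the ignore list. As an added example (not code from the forum post or from Malwarebytes), the PowerShell below does that rewrite on a batch of detection strings and then checks the loaded HKEY_USERS hives to see which of the resulting entries correspond to a value a GPO has actually set on this machine, so you can tell which entries in the starter pack apply to you. The sample detection strings and their SIDs are constructed for the example; the `hive\path|ValueName` layout follows the list above, and whether a given console version accepts the output verbatim is not something this script checks.

```powershell
# Added example: convert MBAM registry detections that carry a per-user SID into
# the "hku\*\..." wildcard form, then verify which of those policy values exist
# in the user hives currently loaded under HKEY_USERS.
# Run as an account that can read other users' hives (e.g. elevated).

# Constructed sample detections (the SIDs are made up for this example).
$detections = @(
    'HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun',
    'HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools',
    'HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Policies\Microsoft\Windows\System|DisableCMD',
    'HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRun'
)

# Matches the user SID segment directly under HKU (S-1-5-21-... style SIDs,
# optionally with the _Classes suffix) so it can be replaced with *.
$sidPattern = '^(hku\\)S-1-5-21(?:-\d+)+(?:_Classes)?(\\)'

function ConvertTo-IgnoreEntry {
    # Rewrite one detection string into the wildcard ignore-list form.
    param([Parameter(Mandatory)][string]$Detection)
    $entry = $Detection -replace $sidPattern, '${1}*${2}'   # -replace is case-insensitive
    return $entry.ToLowerInvariant()
}

function Test-IgnoreEntryPresent {
    # For a wildcard entry, return one object per loaded user hive in which the
    # value is actually set (data included), so you can see what GPO applied.
    param([Parameter(Mandatory)][string]$Entry)
    $path, $valueName = $Entry -split '\|', 2
    $subPath = $path -replace '^hku\\\*\\', ''
    $results = @()
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21(-\d+)+$' } |   # skip .DEFAULT, service SIDs, _Classes
        ForEach-Object {
            $keyPath = Join-Path $_.PSPath $subPath
            $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $results += [pscustomobject]@{
                    Sid   = $_.PSChildName
                    Key   = $subPath
                    Value = $valueName
                    Data  = $item.$valueName
                }
            }
        }
    return $results
}

# 1) Collapse the per-user detections into unique wildcard entries.
$ignoreEntries = $detections | ForEach-Object { ConvertTo-IgnoreEntry $_ } | Sort-Object -Unique
"Ignore-list entries:"
$ignoreEntries

# 2) Show which of those entries are backed by a real policy value on this host.
"`nValues present in loaded user hives:"
$ignoreEntries | ForEach-Object { Test-IgnoreEntryPresent $_ } | Format-Table -AutoSize
```

The two detections for `NoRun` on different SIDs collapse into a single `hku\*\...\policies\explorer|norun` entry, which is the point of the wildcard: one ignore entry covers every user profile instead of one per SID. Hives for users who are not logged on are not loaded under HKEY_USERS, so the presence check only reflects profiles currently mounted.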