GPO Settings causing Hijack.FolderOptions to be triggered.

[Jack_P]

I have several settings pushed to the client via GPO to change wallpaper/folder options etc etc. These are being flagged as Hijack.FolderOptions or PUM's. Is there a way to add exceptions to these sorts of changes.

I have attempted to add in the discoveries but I think this is only adding in the exception for the current user and not as a blanked for all future detections.

>TIA

[djacobson]

Hi @Jack_P, MBAM agent 1.80.x is indiscriminate when it comes to any registry modifications. It will hit on your legit GPO enforcement's. Add your GPO registry key to the Policy → Ignore list, then go to the ignore list and edit the entry, replacing the account SID‘s with the * wildcard. Note that only console and client communicator 1.6.1.2897 and above, with Anti-Malware 1.80.1.1011 and above, supports this wildcard in the middle of a string, and only for registry keys.

Here’s a list I made of all the GPO changes I’ve seen get tagged as PUM, add these to your ignore list as a starter pack: 
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoStartMenuMorePrograms
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSetFolders
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoFind
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoSMHelp, 
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoRun
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoViewContextMenu
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoToolbarCustomize
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoPropertiesMyComputer
hku\*\software\microsoft\windows\currentversion\policies\explorer|NoDrives
hku\*\software\microsoft\windows\currentversion\policies\explorer|ForceActiveDesktopOn
hku\*\software\microsoft\windows\currentversion\policies\system|DisableRegistryTools
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispCPL
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispBackgroundPage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispAppearancePage
hku\*\software\microsoft\windows\currentversion\policies\system|NoDispScrSavPage
hku\*\software\policies\microsoft\internet explorer\control panel|ConnectionsTab
hku\*\software\policies\microsoft\internet explorer\control panel|HomePage
hku\*\software\policies\microsoft\windows\system|DisableCMD
 

 

[Jack_P]

Ahhh did not read the part about wildcards in the reg entries. What a time saver. Have added these exceptions to my list. Will report back on progress.

[djacobson]

presumed resolved