Jump to content
Limon

Registry change via GPO being cleaned and forcing reboot

Recommended Posts

Good morning,

To say that our Malwarebytes EP experience has been poor is an understatement.  We rolled out to the entire enterprise the weekend of the mal-formed update and still have not completely recovered.  The tech has been unpleasant "I've already called you twice", and we have not been able to track down a workable exclusion for the hundreds of end users forced to reboot with a registry change that Malwarebytes is cleaning daily.  I'm turning to the forums since it appears we have exhausted our support through two phone calls.  Basically we are forcing a wallpaper image and not allowing users to change it.  The error in the console looks like this:

PUM.Optional.NoChangingWallpaper
Quarantined Detection Data  
Name: PUM.Optional.NoChangingWallpaper
Category: PUM
Type: Registry Value
Location: HKU\S-1-5-21-2425530655-2670725271-3209618128-9677\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER
Detection ID: 1d93df19-0d56-11e8-aed3-6c0b8469375e
Endpoint:  
Scanned At: 02/09/2018 - 07:51:35 AM
Scan ID: Blocked By Real-Time Protection

Looking for any thoughts or recommendations to allow us to control the wallpaper in this manner through exclusions so that we don't have hundreds of users being forced to reboot daily.  I see this is part of Malwarebyte's design (https://blog.malwarebytes.com/detections/pum-optional-nochangingwallpaper/), but we need to exclude detection of this.  Note it's an user key location, so different with each user.

 

Thanks so much for your insight and help!

Share this post


Link to post
Share on other sites

Under Settings>Exclusions, choose "Exclude a registry key (Windows)".

Specify...

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

The part of this reg key that I replaced with a asterisk to unique to each user, so the * acts as a wildcard that applies to everyone.

Also note that I have had the problem noted in the following thread, so keep an eye out... 

 

 

Share this post


Link to post
Share on other sites
1 hour ago, mitchboston said:

Under Settings>Exclusions, choose "Exclude a registry key (Windows)".

Specify...

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

The part of this reg key that I replaced with a asterisk to unique to each user, so the * acts as a wildcard that applies to everyone.

Also note that I have had the problem noted in the following thread, so keep an eye out... 

 

 

@Limon Using what @mitchboston suggested with the wildcards is definitely the correct way. My two cents until the quarantine issue is resolved, which you may not have a problem with. Since we've had the issue we planned our scan schedules around it, one at 6am (1 hour before users login) and at 7:30pm (1 1/2 hours to 30min after users log out). This way even if the issue occurs and is quarantined, which means they are removed from registry, there is still time for Group Policy to re-add them in before the user logs in. We have not had a time where they were quarantined a second time on the same day, honestly very few repeat offenders.

Edited by Kalrand

Share this post


Link to post
Share on other sites

That has been our exclusion since December. I have several other exclusions not working, yet properly entered. Even when advised to Delay Real-Time Protection when Malwarebytes starts by 120 seconds. Exclusions are failing to be applied. Back and forth with support we go. -_-

 

2018-02-09_11-39-42.png

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.