Registry change via GPO being cleaned and forcing reboot

[Limon]

Good morning,

To say that our Malwarebytes EP experience has been poor is an understatement.  We rolled out to the entire enterprise the weekend of the mal-formed update and still have not completely recovered.  The tech has been unpleasant "I've already called you twice", and we have not been able to track down a workable exclusion for the hundreds of end users forced to reboot with a registry change that Malwarebytes is cleaning daily.  I'm turning to the forums since it appears we have exhausted our support through two phone calls.  Basically we are forcing a wallpaper image and not allowing users to change it.  The error in the console looks like this:

PUM.Optional.NoChangingWallpaper

Quarantined Detection Data
Name:	PUM.Optional.NoChangingWallpaper
Category:	PUM
Type:	Registry Value
Location:	HKU\S-1-5-21-2425530655-2670725271-3209618128-9677\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER
Detection ID:	1d93df19-0d56-11e8-aed3-6c0b8469375e
Endpoint:
Scanned At:	02/09/2018 - 07:51:35 AM
Scan ID:	Blocked By Real-Time Protection

Looking for any thoughts or recommendations to allow us to control the wallpaper in this manner through exclusions so that we don't have hundreds of users being forced to reboot daily.  I see this is part of Malwarebyte's design (https://blog.malwarebytes.com/detections/pum-optional-nochangingwallpaper/), but we need to exclude detection of this.  Note it's an user key location, so different with each user.

 

Thanks so much for your insight and help!

[mitchboston]

Under Settings>Exclusions, choose "Exclude a registry key (Windows)".

Specify...

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

The part of this reg key that I replaced with a asterisk to unique to each user, so the * acts as a wildcard that applies to everyone.

Also note that I have had the problem noted in the following thread, so keep an eye out... 

 

 

[Kalrand]

1 hour ago, mitchboston said:

Under Settings>Exclusions, choose "Exclude a registry key (Windows)".

Specify...

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

The part of this reg key that I replaced with a asterisk to unique to each user, so the * acts as a wildcard that applies to everyone.

Also note that I have had the problem noted in the following thread, so keep an eye out... 

 

 

@Limon Using what @mitchboston suggested with the wildcards is definitely the correct way. My two cents until the quarantine issue is resolved, which you may not have a problem with. Since we've had the issue we planned our scan schedules around it, one at 6am (1 hour before users login) and at 7:30pm (1 1/2 hours to 30min after users log out). This way even if the issue occurs and is quarantined, which means they are removed from registry, there is still time for Group Policy to re-add them in before the user logs in. We have not had a time where they were quarantined a second time on the same day, honestly very few repeat offenders.

Edited February 9, 2018 by Kalrand

[guyatworkworking]

That has been our exclusion since December. I have several other exclusions not working, yet properly entered. Even when advised to Delay Real-Time Protection when Malwarebytes starts by 120 seconds. Exclusions are failing to be applied. Back and forth with support we go.