Jump to content

Registry exclusion syntax / not working?


Recommended Posts

Hello,

we use GPOs for different thing. Some GPO registry settings affect Malwarebytes, so it quarantines and logs them.
How do I exclude with wildcards?

For example, if I like to exclude: \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

I tried the above syntax and just: NOCHANGINGWALLPAPER 
Neither worked. It's getting logged and quarantined.


Regards
Daniel

malwarebytes.JPG

Link to post
Share on other sites

  • Staff

Greetings,

I have a few ideas and hopefully one of them will resolve the problem for you:

Since there are no other settings which Malwarebytes detects under the ActiveDesktop key that I'm aware of (primarily due to the fact that Active Desktop doesn't really exist as a Windows feature since Windows 2000 and most of the policies that apply to it are now retired/legacy and have no real effect save the one you're trying to exclude), it should be safe to just exclude the entire key, leaving off the |NoChangingWallpaper portion of the exclusion entry in case that allows it to function.

You could also try entering the exclusion in a case sensitive manner rather than all caps (assuming you are using all caps as the images indicate) because, while it should be case-insensitive, I do recall a long time ago that Malwarebytes did have some issues with certain registry entries if the appropriate case was not used, so while it is definitely a long shot as that was a very long time ago back in the 1.x days, it still could be a similar issue here.

Otherwise, you might try just using HKCU\Software rather than HKU\Software as that should allow it to work to still exclude all users in theory and eliminates the need for the wildcard which might be what's tripping it up.

Link to post
Share on other sites

This exclusion works in my test environment: HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

Please reach out to support. They will walk you though enabling debug more for logs which will expose the exclusions that are being passed to the endpoint and we can investigate from there.

 

 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.