Registry exclusion syntax / not working?

anyWARE-Mainz · July 9, 2018

Hello,

we use GPOs for different thing. Some GPO registry settings affect Malwarebytes, so it quarantines and logs them.
How do I exclude with wildcards?

For example, if I like to exclude: \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

I tried the above syntax and just: NOCHANGINGWALLPAPER
Neither worked. It's getting logged and quarantined.

Regards
Daniel

djacobson · July 9, 2018

Use this in the Registry key area of the exclusion function:

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

See this KB for more info and a list of common GPO keys hit as PUMs - https://support.malwarebytes.com/docs/DOC-1417

anyWARE-Mainz · July 10, 2018

Thanks. I'll try that

anyWARE-Mainz · July 16, 2018

It does not seem to work:

image.png.be9620b882a8888ce3d515140d40c35c.png

I did it like that:

image.png.58359c7c60f73888ee72cdc4e44e729f.png

How may I remotely check, if the Client got the Exclusion?
What else may be the issue?

Edited July 16, 2018 by anyWARE-Mainz

exile360 · July 17, 2018

Greetings,

I have a few ideas and hopefully one of them will resolve the problem for you:

Since there are no other settings which Malwarebytes detects under the ActiveDesktop key that I'm aware of (primarily due to the fact that Active Desktop doesn't really exist as a Windows feature since Windows 2000 and most of the policies that apply to it are now retired/legacy and have no real effect save the one you're trying to exclude), it should be safe to just exclude the entire key, leaving off the |NoChangingWallpaper portion of the exclusion entry in case that allows it to function.

You could also try entering the exclusion in a case sensitive manner rather than all caps (assuming you are using all caps as the images indicate) because, while it should be case-insensitive, I do recall a long time ago that Malwarebytes did have some issues with certain registry entries if the appropriate case was not used, so while it is definitely a long shot as that was a very long time ago back in the 1.x days, it still could be a similar issue here.

Otherwise, you might try just using HKCU\Software rather than HKU\Software as that should allow it to work to still exclude all users in theory and eliminates the need for the wildcard which might be what's tripping it up.

MichaelRight · July 20, 2018

This exclusion works in my test environment: HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

Please reach out to support. They will walk you though enabling debug more for logs which will expose the exclusions that are being passed to the endpoint and we can investigate from there.

anyWARE-Mainz · July 23, 2018

Thanks you for the feedback. I'll try that also.

anyWARE-Mainz · July 23, 2018

New status:
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ACTIVEDESKTOP|NOCHANGINGWALLPAPER

worked.
Maybe the Malwarebytes policy on the logged clients was not updated, when the event was logged.
So it was a syntax-issue.

Thanks again.

Registry exclusion syntax / not working?

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Important Information