If a notification includes suspicious registry entries or activity, its External Notification Details page includes a Registry Keys tab. This tab provides information about the keys that might be compromised.

You can select one or more of the reported keys and:

  • Ban the process that tried to access the key
  • Remove previously created process bans or approvals
  • Create a Registry Rule to control access to the key

Bans created in this context are similar to those created on any of the Files tabs. The Registry Rule command provides different options.

Procedure

  1. In the Notification Details page of interest, click the Registry Keys tab.
  2. Check the boxes next to the registry keys for which you want to create a rule.
  3. On the Action menu, click Create Registry Rule. The Add Registry Rule page appears, with rule name and settings pre-populated with details from the notification.

    By default, a rule created in this way blocks writes to the named registry keys by the processes identified in the notification, and does this for all users and all policies. You can modify these settings before you save the rule. Among the options on the Write Action menu, you can select Report, which means that activity at this key is reported but not blocked. If you are unsure of how best to configure a rule, see Creating Registry Rules. You can Cancel the rule without saving it if you would like to investigate rules parameters first.

    Caution: Rule menus have options that Allow activity at the named locations and even Promote processes to have more privileges than they previously did. If you alter the pre-populated values, be careful of the choices you make on these menus.
  4. Modify the rule and click the Save button. The new rule is created and appears on the Registry tab of the Software Rules page in the console.