Registry access blocked at random setup attempts

zwp-secure
zwp-secure W/ Member Posts: 15 Cyber Knight
edited January 17 in WithSecure Business Suite

Hi,

Often we receive admin warnings like these when executing a setup.exe (non-specific). Example:

Sicherheitsalarm: Der Zugriff auf die Registrierung wurde blockiert.
Von: XXX,
2024-01-16 23:14:44 +01:00
Details: Zugriff auf Registrierung wurde blockiert.
Anwendungspfad: C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
Pfad: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8F139CF91DE936230A1FA8ED33D0E0EC|6765AF7951F793C4FB1AEC76AB81332C
Hashwert des Initiators: a69a853da0e377882e4fa36b8d6c9340ef446730
Zertifikat-Hash: c4405f06dfb035f3ad360d29d27d434e004e054b6fb18fa3a5566a9f9afa8296
Zertifikataussteller: Microsoft Code Signing PCA 2010
Unterzeichner: Microsoft Corporation.

Which WithSecure component generates this kind of warning? Is there a way to control it in Policy Manager?

Thanks,
Boris

Best Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 488 Moderator
    Answer ✓

    Hi Boris,

    Thank you for reaching out to WithSecure Community and sorry to hear you are getting these errors.

    This type of block is the function of the Tamper Protection functionality.

    When the path shows a registry path, the Tamper Protection functionality sees that some process tries to open a protected part of the registry with write access rights. Even if the process would not try to modify the registry, the fact that it could is enough that it will be blocked by Tamper Protection. When Tamper Protection blocks an operation, the application gets an ACCESS_DENIED error. It should not affect the functionality of this application, but if it does, this is a problem in the 3rd party application.

    If you do not want to see Tamper Protection alerting notifications in the Policy Manager Console Alerts tab, you may filter them out by following these steps:

    Log in to Policy Manager Console

    1. Select a host or policy domain from the Domain Tree
    2. Go to the Settings tab
    3. Go to the Alert sending page
    4. Scroll down to the Alert sending exclusions list and click Add
    5. Select Source as Tamper protection
    6. Select Type as Access to registry blocked
    7. Click OK to finish adding rule
    8. Distribute policy (Ctrl + D)
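
The answer above makes a point that matters to anyone writing or packaging installers: the block is triggered by the access rights requested when the key is opened, not by an actual write. The PowerShell below is an added illustration, not code from JamesC's answer or from WithSecure. It opens the same sample key twice, once read-only and once with write rights, and reports which request is refused, so you can see that a process needing only to read a value avoids the block simply by not asking for write access. The key path, the function names and the `Test-RegistryAccess` helper are all constructed for this example; the path in the original alert is not used.

```powershell
# Added example (not from the original post or from WithSecure).
# Shows the difference between opening a registry key read-only and opening it
# with write rights, and how an application should handle the ACCESS_DENIED
# that a tamper-protection driver returns for the write-capable request.
# $keyPath is a constructed sample key, chosen because it normally exists.
$keyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion'

function Open-RegKeyReadOnly {
    param([string]$SubKey)
    # OpenSubKey(name, $false) requests KEY_READ only. If the caller just needs
    # to check a value, this is the least-privilege way to do it.
    return [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $false)
}

function Open-RegKeyWritable {
    param([string]$SubKey)
    # OpenSubKey(name, $true) requests write access as well. On a key covered by
    # Tamper Protection this is the request that gets blocked even if the code
    # never calls SetValue afterwards.
    return [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
}

function Test-RegistryAccess {
    param([string]$SubKey)
    # Hypothetical helper: returns 'Opened', 'NotFound' or 'AccessDenied'
    # for each access mode instead of letting the exception escape.
    $result = [ordered]@{ ReadOnly = $null; Writable = $null }
    foreach ($mode in 'ReadOnly', 'Writable') {
        try {
            $key = if ($mode -eq 'ReadOnly') {
                Open-RegKeyReadOnly -SubKey $SubKey
            } else {
                Open-RegKeyWritable -SubKey $SubKey
            }
            if ($null -eq $key) {
                $result[$mode] = 'NotFound'
            } else {
                $result[$mode] = 'Opened'
                $key.Close()
            }
        }
        catch [System.Security.SecurityException] {
            # .NET surfaces ERROR_ACCESS_DENIED from RegOpenKeyEx as a
            # SecurityException ("Requested registry access is not allowed").
            $result[$mode] = 'AccessDenied'
        }
        catch [System.UnauthorizedAccessException] {
            $result[$mode] = 'AccessDenied'
        }
    }
    return [pscustomobject]$result
}

# Usage: run on the host that raised the alert and compare the two columns.
Test-RegistryAccess -SubKey $keyPath
```

When the read-only open succeeds and the writable open reports `AccessDenied`, the behaviour described in the answer is confirmed: the application is being refused for the rights it asked for, and the fix on the application side is to request only the rights it uses and to treat an access-denied result as a handled condition rather than a fatal error.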

  • zwp-secure
    zwp-secure W/ Member Posts: 15 Cyber Knight
    Answer ✓

    Thanks! 😊👍️