About the registry access monitoring rules
3 August 2023
ID 223205
The Registry Access Monitor task runs according to registry access monitoring rules. You can use the rule triggering criteria to configure the conditions that trigger the task, and set the importance level of the detected events recorded in the task log.
A registry access monitoring rule is specified for each monitoring scope.
You can configure the following rule triggering criteria:
- Actions
- Controlled values
- Trusted users
Actions
When the Registry Access Monitor task is started, Kaspersky Industrial CyberSecurity for Nodes uses a list of actions to monitor the registry (see the table below).
If an action specified as a rule triggering criterion is detected, the application logs a corresponding event.
The importance level of the logged events does not depend on the selected actions or the number of events.
By default, Kaspersky Industrial CyberSecurity for Nodes considers all actions. You can configure the list of actions manually in the task rule settings.
Actions
| Action | Restrictions | Operating system |
|---|---|---|
| Create key | | Windows XP and later |
| Delete key | If you want to delete a parent key, clear both the Delete key and Delete subkeys options in the list of monitored actions for the configured registry key, because a parent key can only be deleted together with its subkeys. | Windows XP and later |
| Rename key | N/A | Windows XP and later |
| Change key security settings | N/A | Windows Vista and later |
| Delete values | N/A | Windows XP and later |
| Set values | If you add Set values to the list of monitored actions, define the Default value or a value mask in the rule for a key, and then select the Block operations according to the rules mode, the key is not created, because a new key can only be created with a default value. | Windows XP and later |
| Create subkeys | N/A | Windows XP and later |
| Delete subkeys | N/A | Windows XP and later |
| Rename subkeys | N/A | Windows XP and later |
| Change subkeys security settings | N/A | Windows Vista and later |
Registry values
In addition to monitoring registry keys, you can monitor or block changes to existing registry values. The following options are available:
- Set value - create new registry values or change existing registry values.
- Delete value - delete existing registry values.
Renaming and changing security settings are not applicable to registry values.
Trusted users
By default, the trusted user list is empty and the application treats all user actions as potential security breaches. You can configure the event importance level by creating a list of trusted users in the registry access monitoring rule settings.
An untrusted user is any user not included in the trusted user list in the monitoring scope rule settings. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by an untrusted user, the Registry Access Monitor task records a Critical event in the task log.
A trusted user is a user or group of users authorized to perform actions within the specified monitoring scope. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by a trusted user, the Registry Access Monitor task records an Informational event in the task log.
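The following Python model, added here as an illustration and not part of Kaspersky Industrial CyberSecurity for Nodes, shows how the three criteria above (monitored actions, value mask, trusted users) decide whether a detected registry action is logged and at which importance level. The rule and event field names, the scope-matching logic and the sample events are assumptions constructed for the example.

```python
"""Model of a registry access monitoring rule (illustration, not product code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional, Set

# Action names as they appear in the rule settings (assumed spelling).
KEY_ACTIONS = frozenset({
    "Create key", "Delete key", "Rename key", "Change key security settings",
    "Create subkeys", "Delete subkeys", "Rename subkeys",
    "Change subkeys security settings",
})
VALUE_ACTIONS = frozenset({"Set value", "Delete value"})


@dataclass
class Rule:
    scope: str                                   # monitored key, e.g. HKLM\SOFTWARE\Vendor
    actions: Set[str] = field(                   # default: all actions are considered
        default_factory=lambda: set(KEY_ACTIONS | VALUE_ACTIONS))
    value_mask: str = "*"                        # which values under the key are covered
    trusted_users: Set[str] = field(default_factory=set)  # empty by default


@dataclass
class RegistryEvent:
    user: str
    action: str
    key: str
    value: Optional[str] = None                  # only set for value actions


def in_scope(rule: Rule, key: str) -> bool:
    """Assumed scope semantics: the key itself or any subkey (case-insensitive)."""
    k, s = key.lower(), rule.scope.lower()
    return k == s or k.startswith(s + "\\")


def evaluate(rule: Rule, ev: RegistryEvent) -> Optional[str]:
    """Return None (nothing logged), 'Informational' or 'Critical'."""
    if ev.action not in rule.actions or not in_scope(rule, ev.key):
        return None
    # Value actions are only covered when the value name matches the rule's mask.
    if ev.action in VALUE_ACTIONS and not fnmatch(ev.value or "", rule.value_mask):
        return None
    # Importance depends only on who acted, not on which action was selected.
    return "Informational" if ev.user in rule.trusted_users else "Critical"
```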