About System registry monitoring rules

The Registry Access Monitor task is run based on the system registry monitoring rules. You can use the rule triggering criteria to configure the conditions triggering the task, and set the importance level for the detected events recorded in the task log.

A System registry monitoring rule is specified for each monitoring scope.

You can configure the following rule triggering criteria:

• Actions
• Registry Values
• Trusted users

Actions

When the Registry Access Monitor task is started, Kaspersky Industrial CyberSecurity for Nodes uses a list of actions to monitor the registry (see the table below).

If an action specified as a rule triggering criterion is detected, the application logs a respective event.

The importance level of the logged events does not depend on the selected actions or the number of events.

By default, Kaspersky Industrial CyberSecurity for Nodes considers all actions. You can configure the list of actions manually in the task rule settings.

Actions

Action	Restrictions	Operating system
Create key	For Windows XP and Windows Server 2003, if you add Create key to the list of Actions, and then select the Block operations according to the rules mode, the key creation is not blocked in the specified operating systems because of the system restrictions. The key is created with a respective notification sent to the log of events. If you want to forbid creating a specific key via Registry Editor, create a rule for a parent registry key and make sure to add Create subkeys to the list of Actions, and then select the Block operations according to the rules mode.	Windows XP and later
Delete Key	If you want to delete a parent key, make sure to clear both the Delete Key and Delete subkeys options on the list of monitored Actions for a configured registry key, as you can only delete the parent key with subkeys.	Windows XP and later
Rename Key	N/A	Windows XP and later
Change key security settings	N/A	Windows Vista and later
Delete values	N/A	Windows XP and later
Set values	If you add Set values to the list of Actions, define the Default Value name in the rule for a key, and then select Block operations according to the rules mode, the key is not created, because a new key can only be created with a default value.	Windows XP and later
Create subkeys	N/A	Windows XP and later
Delete subkeys	N/A	Windows XP and later
Rename subkeys	N/A	Windows XP and later
Change subkeys security settings	N/A	Windows Vista and later

Registry Values

In addition to registry keys monitoring, you can block or monitor changes for the existing registry values. The following options are available:

• Set value - create the new registry values or change the existing registry values.
• Delete value - delete the existing registry values.

Renaming and changing the security settings are not applicable for the registry values.

Trusted users

By default, the application treats all user actions as potential security breaches. The trusted user list is empty. You can configure the event importance level by creating a list of trusted users in the system registry monitoring rule settings.

Untrusted user is any user not indicated in the trusted user list in the monitoring scope rule settings. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by an untrusted user, the Registry Access Monitor task records a Critical event in the task log.

Trusted user is a user or a group of users authorized to perform actions within the specified monitoring scope. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by a trusted user, the Registry Access Monitor task records an Informational event in the task log.

Page top