The Registry Access Monitor task runs according to the system registry monitoring rules. You can use the rule triggering criteria to configure the conditions that trigger the task, and set the importance level for the detected events recorded in the task log.
A system registry monitoring rule is specified for each monitoring scope.
You can configure the following rule triggering criteria:
Actions
When the Registry Access Monitor task is started, Kaspersky Industrial CyberSecurity for Nodes uses a list of actions to monitor the registry (see the table below).
If an action specified as a rule triggering criterion is detected, the application logs a respective event.
The importance level of the logged events does not depend on the selected actions or the number of events.
By default, Kaspersky Industrial CyberSecurity for Nodes considers all actions. You can configure the list of actions manually in the task rule settings.
Actions

Action | Restrictions | Operating system
---|---|---
Create key |  | Windows XP and later
Delete key | To delete a parent key, clear both the Delete key and Delete subkeys options in the list of monitored Actions for the configured registry key, because a parent key can only be deleted together with its subkeys. | Windows XP and later
Rename key | N/A | Windows XP and later
Change key security settings | N/A | Windows Vista and later
Delete values | N/A | Windows XP and later
Set values | If you add Set values to the list of Actions, define the Default Value name in the rule for a key, and then select the Block operations according to the rules mode, the key is not created, because a new key can only be created with a default value. | Windows XP and later
Create subkeys | N/A | Windows XP and later
Delete subkeys | N/A | Windows XP and later
Rename subkeys | N/A | Windows XP and later
Change subkeys security settings | N/A | Windows Vista and later
Registry Values
In addition to monitoring registry keys, you can monitor or block changes to existing registry values. The following options are available:
Renaming and changing the security settings are not applicable for the registry values.
Trusted users
By default, the application treats all user actions as potential security breaches. The trusted user list is empty. You can configure the event importance level by creating a list of trusted users in the system registry monitoring rule settings.
An untrusted user is any user not included in the trusted user list in the monitoring scope rule settings. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by an untrusted user, the Registry Access Monitor task records a Critical event in the task log.
A trusted user is a user or group of users authorized to perform actions within the specified monitoring scope. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by a trusted user, the Registry Access Monitor task records an Informational event in the task log.
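The following added example (not Kaspersky code) models the rule logic described in the Actions and Trusted users sections: an event is logged only when its key lies in the monitoring scope and its action is a selected criterion, and the level is Informational for trusted users and Critical for everyone else. The Rule fields, event format, key paths and user names are constructed for illustration.

```python
"""Added model (not Kaspersky code) of how a Registry Access Monitor rule
classifies registry events: the Rule fields, event dicts and sample data are
constructed to mirror the page (monitored actions, trusted users, levels)."""
from dataclasses import dataclass, field

# The actions the page lists as rule triggering criteria.
ALL_ACTIONS = {
    "Create key", "Delete key", "Rename key", "Change key security settings",
    "Delete values", "Set values", "Create subkeys", "Delete subkeys",
    "Rename subkeys", "Change subkeys security settings",
}

@dataclass
class Rule:
    scope: str                                          # monitored key
    actions: set = field(default_factory=lambda: set(ALL_ACTIONS))  # default: all
    trusted_users: set = field(default_factory=set)     # default: empty

def in_scope(rule, key):
    """Registry key names are case-insensitive; match the scope key or one of
    its subkeys, not a sibling whose name merely shares the prefix."""
    key, scope = key.upper(), rule.scope.upper()
    return key == scope or key.startswith(scope + "\\")

def classify(rule, event):
    """Importance level the task log would record for one event, or None."""
    if not in_scope(rule, event["key"]) or event["action"] not in rule.actions:
        return None  # outside the scope, or the action is not a criterion
    return "Informational" if event["user"] in rule.trusted_users else "Critical"

def summarize(rule, events):
    """Count events by the level they would be logged with; 'ignored' = not logged."""
    counts = {"Critical": 0, "Informational": 0, "ignored": 0}
    for ev in events:
        counts[classify(rule, ev) or "ignored"] += 1
    return counts

# Constructed sample data: one service account is trusted, everyone else is not.
RULE = Rule(scope=r"HKLM\SOFTWARE\Vendor",
            actions={"Set values", "Delete key", "Delete subkeys"},
            trusted_users={r"PLANT\svc_update"})
SAMPLE_EVENTS = [
    {"key": r"HKLM\SOFTWARE\Vendor\Service", "action": "Set values", "user": r"PLANT\svc_update"},
    {"key": r"HKLM\Software\Vendor\Service", "action": "Set values", "user": r"PLANT\operator1"},
    {"key": r"HKLM\SOFTWARE\Vendor", "action": "Delete key", "user": r"PLANT\operator1"},
    {"key": r"HKLM\SOFTWARE\VendorBackup", "action": "Set values", "user": r"PLANT\operator1"},
    {"key": r"HKLM\SOFTWARE\Vendor\Plugins", "action": "Create subkeys", "user": r"PLANT\operator1"},
]
```

With the sample rule, `summarize(RULE, SAMPLE_EVENTS)` yields two Critical events, one Informational event and two that are not logged (a sibling key outside the scope and an action that is not a selected criterion).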