Configuring monitoring rules

Support

Support for business applications

Kaspersky Embedded Systems Security 3.x

Registry Access Monitor

Managing the Registry Access Monitor via the Administration Plug-in

Configuring monitoring rules

March 10, 2023

ID 223002

Get as PDF

The monitoring rules are applied one after another in line with their position in the list of configured rules.

To add a monitoring scope:

Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
Select the administration group for which you want to configure application settings.
Perform one of the following actions in the details pane of the selected administration group:
- To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
- To configure the application for a single protected device, select the Devices tab and open the Application settings window.
  If an active Kaspersky Security Center policy is applied to a device and blocks changes to application settings, then these settings cannot be edited in the Application settings window.
In the System inspection section, in the Registry Access Monitor subsection, click the Settings button.
The Registry Access Monitor window appears.
In the Monitor registry operations for the scope section, click the Add button.
In the Registry Access Monitoring Area window, to add a monitor scope, specify a path using a supported mask.
You can use ? and * as a mask when entering a path.

If you enter the path to a root registry key, make sure to specify full path without a mask, such as HKEY_USERS. Following is a list of valid root registry keys:
- HKEY_LOCAL_MACHINE
- HKLM
- HKEY_CURRENT_USER
- HKCU
- HKEY_USERS
- HKUS
- HKU
- HKEY_CURRENT_CONFIG
- HKEY_CLASSES_ROOT
- HKCR
Avoid using supported masks for the root keys when creating the rules.
If you specify only a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, a vast number of notifications about addressing the specified child keys is generated, which results in the system performance issues. If you specify a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, and select the Block operations according to the rules mode, the system is not able to read or change the keys required for OS functioning and fails to respond.
On the Add tab, configure the list of actions as applicable.
If you want to monitor certain Registry Values, do the following:
- On the Registry Values tab, click the Add button.
- In the Registry value rule window, enter the Controlled operations and set the Controlled operations.
- Click OK to save the changes.
If you want to define Trusted users, do the following:
- On the Trusted users tab, click the Add button.
- In the Select Users or Groups window, select the users or groups of users authorized to perform the defined actions.
- Click OK to save the changes.
By default, Kaspersky Embedded Systems Security treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.
Click OK in the Registry Access Monitoring Area window.

The specified rule settings are immediately applied to the defined monitoring scope of the Registry Access Monitor task.

Kaspersky Professional Services

Implementation services. Health check and security system configuration. Contact us if you need expert help.

Kaspersky Premium Support (MSA): High‑priority incident processing

Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.