Configuring monitoring rules

The monitoring rules are applied one after another in line with their position in the list of configured rules.

1. In the main window of the Web Console, select Devices → Policies & profiles.
2. Click the policy name you want to configure.
3. In the <Policy name> window that opens select the Application settings tab.
4. Select the System Inspection section.
5. Click Settings in the Registry Access Monitor subsection.
6. In the Registry Access Monitor window that appears on the screen, open the Registry Access Monitor Settings tab.
7. In the Registry Access Monitoring Rules section, click the Add button.
8. In the Registry Access Monitoring Area window, specify a path using a supported mask to Monitor registry operations for the scope.

   You can use ? and * as a mask when entering a path.

   If you enter the path to a root registry key, make sure to specify full path without a mask, such as HKEY_USERS. Following is a list of valid root registry keys:

   • HKEY_LOCAL_MACHINE
   • HKLM
   • HKEY_CURRENT_USER
   • HKCU
   • HKEY_USERS
   • HKUS
   • HKU
   • HKEY_CURRENT_CONFIG
   • HKEY_CLASSES_ROOT
   • HKCR

   Avoid using supported masks for the root keys, when creating the rules.
   If you specify only a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, a vast number of notifications about addressing the specified child keys is generated, which results in the system performance issues.
   If you specify a root key, such as HKEY_CURRENT_USER, or a root key with a mask for all child keys, such as HKEY_CURRENT_USER\*, and select the Block operations according to the rules mode, the system is not able to read or change the keys required for OS functioning and fails to respond.

9. On the Actions tab for the selected monitoring area, configure the list of actions as applicable.
10. If you want to monitor certain Registry Values, do the following:
    1. On the Registry Values tab, click the Add button.
    2. In the Registry value rule window, enter the Value mask and set the required List of operations.
    3. Click OK to save the changes.
11. If you want to define Trusted users, do the following:
    1. On the Trusted users tab, click the Add button.
    2. Enter the User name or click Set SID Everyone, to define users authorized to perform the selected actions.
    3. Click OK to save the changes.

    By default, Kaspersky Embedded Systems Security treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

12. Click OK in the Registry Access Monitoring Area window to save the changes.

    The specified rule settings are immediately applied to the defined monitoring scope of the Registry Access Monitor task.