V12.2.2.8012 (Firewall only) Windows 7 Ultimate 64-bit (clean install with all MS-updates)
Assigned a custom HIPS rule to regedit.exe and having set the custom rule access name “Protected registry keys → BLOCKED REGISTRY KEYS” to the following entries:
HKCU\Test*
HKCU\Test\SubKey*
The “HKCU\Test” and "HKCU\Test\SubKey" keys both contain some different type variables (strings, dwords, qwords, binaries, etc.) set to some random values.
Regedit.exe isn’t blocked by HIPS at all when regedit.exe writes to any of these keys or the variables inside these keys.
Regedit.exe is even allowed to delete the keys or their values inside it.
In addition, the bug isn’t limited to regedit.exe only.
I’ve tried another registry tool and the same thing happens again.
The keys just aren’t protected against any modifications.
Nope it works fine as long as the registry keys are added under protected registry keys, otherwise HIPS will not monitor or protect those keys which means HIPS rules to block write access will not work.
Ok, so for protecting registry keys against any modification (create/change/delete) by any (trusted or untrusted) file one has to add the keys first to “Protected Objects → REGISTRY KEYS” and then add the same keys once more to the (trusted or untrusted) file HIPS custom ruleset “Protected registry keys → BLOCKED REGISTRY KEYS”.
When adding the keys only to “Protected Objects → REGISTRY KEYS” and not to the (trusted or untrusted) file HIPS custom ruleset than:
HIPS always allows (does not ask for making) modifications to these keys for trusted files. HIPS will add those keys to the trusted file HIPS custom ruleset “Protected registry keys → ALLOWED REGISTRY KEYS” automatically.
HIPS Asks or Blocks modifications (depending on the custom ruleset Action setting) to these keys for any untrusted files.
HIPS always allows (does not ask for making) modifications to these keys for trusted files. HIPS will add those keys to the trusted file HIPS custom ruleset "Protected registry keys -> ALLOWED REGISTRY KEYS" automatically.
Only if create rules for trusted applications is enabled.
HIPS Asks or Blocks modifications (depending on the custom ruleset Action setting) to these keys for any untrusted files.
Yep and asks for trusted applications when HIPS is in paranoid mode.