Modifying registry keys

Hello, I use the currently latest version of CIS.

I wish to ask: The notification pop-up about apps attempting to modify protected registry keys - does CIS really “see” that the app is trying to ALTER something in that key, or is it possible that the app is only READING something from that key?

This is important, for example, regarding digital certificate stores in the registry - it looks legit to me for an app to READ from these keys to verify crystallographic related stuff, but sure it will not be legit to change stuff there.

What do you say?

Unfortunately, CIS will warn about registry modification when a registry key is just being opened for reading. Funny enough this doesn’t happen for files/folders, in that an application can open a file/folder for reading without CIS generating an alert, but will alert on file/folder modification.

Thanks futuretech!

Well, this calls for:

  1. Change the alert text so it will not use any context of “modify” but use a more general term (like “accessed”)

  2. The lack of knowledge about the nature of the app’s action prevents users from deciding correctly what to do with the alert… if it is a legit ‘READ’ and we block it, we both suspect a legit app and also damage its operation… if it is bad and we allow this action because we think it may be just a ‘READ’, but it is actually doing something bad… all in all, this way we totally miss the concept of HIPS

  3. It would also be nice if we could control the HIPS rules logging, which we cannot do today, so we can monitor suspicious apps closely
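The read-versus-modify distinction raised in this thread is visible in the access mask a program requests when it opens a registry key. The following is an added example, not part of the original posts and not a description of how CIS works internally; the process names and events are constructed, and the constants are the standard Windows registry access rights.

```python
# Registry access-right bits (REGSAM) as defined in the Windows SDK's winnt.h.
KEY_QUERY_VALUE, KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY = 0x0001, 0x0008, 0x0010
READ_CONTROL = 0x00020000
KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY  # 0x20019

# Any of these bits gives the handle the ability to change the key.
WRITE_CAPABLE = {
    "KEY_SET_VALUE": 0x0002,
    "KEY_CREATE_SUB_KEY": 0x0004,
    "KEY_CREATE_LINK": 0x0020,
    "DELETE": 0x00010000,
    "WRITE_DAC": 0x00040000,
    "WRITE_OWNER": 0x00080000,
    "MAXIMUM_ALLOWED": 0x02000000,  # grants whatever the key's ACL allows
    "GENERIC_ALL": 0x10000000,
    "GENERIC_WRITE": 0x40000000,
}

def classify(mask):
    """Return (verdict, write_rights) for a requested access mask."""
    rights = [name for name, bit in WRITE_CAPABLE.items() if mask & bit]
    return ("write-capable" if rights else "read-only", rights)

def triage(events):
    """Keep only the opens that asked for a right able to modify the key."""
    flagged = []
    for process, key, mask in events:
        verdict, rights = classify(mask)
        if verdict == "write-capable":
            flagged.append((process, key, rights))
    return flagged

# Constructed sample events: (process, key, requested access mask).
CERT_ROOT = r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
SAMPLE_EVENTS = [
    ("viewer.exe", CERT_ROOT, KEY_READ),   # read-only open
    ("updater.exe", CERT_ROOT, 0x20006),   # KEY_WRITE
    ("tool.exe", CERT_ROOT, 0xF003F),      # KEY_ALL_ACCESS
]

if __name__ == "__main__":
    for process, key, rights in triage(SAMPLE_EVENTS):
        print(f"{process}: {key} opened with {', '.join(rights)}")
```

A write-capable mask shows only what the opened handle permits, not that a value was actually changed; confirming a modification requires a record of the write operation itself.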