Registry modifications with operations using MAXIMUM_ALLOWED permission are blocked by the IPS policy but no CSP event is generated

Article ID: 158507

Products

Critical System Protection

Issue/Introduction

When a process performs a registry operation that requests explicit permissions such as KEY_READ, KEY_WRITE or KEY_SET_VALUE, and the IPS policy does not permit that access, the driver blocks it and generates an appropriate CSP event logging the blocked action.

However, if a process requests MAXIMUM_ALLOWED permission to a registry key, the SCSP IPS driver correctly enforces the protection but does not log any event.

A MAXIMUM_ALLOWED request is not an explicit request for read or write permission at the time the call is made. Instead, it asks that the target object be opened with all the access rights that are valid for the caller. See http://msdn.microsoft.com/en-us/library/cc230290.aspx for details.

The symptom is that some MAXIMUM_ALLOWED opens are blocked (that is, the granted access is reduced) by CSP, and those opens do not generate a CSP event.

Resolution

If you want the SCSP IPS driver to log all MAXIMUM_ALLOWED requests on the system for debugging purposes, make the following registry modification to set the flag:

1. Create or set a DWORD value named "Log MAXIMUM ALLOWED" under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SISIPSDriver\Parameters key.

2. Set the value to 1.

3. Reboot the system.
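The three steps above as a PowerShell script for an elevated session. This is an added example, not Symantec's own tooling; the key path and value name are the ones given in this article, the function names are my own, and reverting by deleting the value (rather than writing 0) is an assumption made so that the key returns to its original state after the debugging window.

```powershell
# Added example (not part of the article or of CSP): toggle the SCSP IPS driver's
# "Log MAXIMUM ALLOWED" debug flag. Run elevated; the driver reads the flag only at
# boot, so a reboot is required after either change.

$ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SISIPSDriver\Parameters'
$FlagName      = 'Log MAXIMUM ALLOWED'   # value name exactly as given in the article

function Get-CspMaxAllowedLogging {
    # Returns $true when the flag exists and is set to 1, $false otherwise.
    if (-not (Test-Path -LiteralPath $ParametersKey)) { return $false }
    $item = Get-ItemProperty -LiteralPath $ParametersKey -Name $FlagName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$FlagName -eq 1)
}

function Enable-CspMaxAllowedLogging {
    # Step 1 and 2: create the DWORD value and set it to 1.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -LiteralPath $ParametersKey)) {
        # The Parameters subkey is normally present once the driver is installed; create it if not.
        if ($PSCmdlet.ShouldProcess($ParametersKey, 'Create registry key')) {
            New-Item -Path $ParametersKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$ParametersKey\$FlagName", 'Set DWORD to 1')) {
        New-ItemProperty -LiteralPath $ParametersKey -Name $FlagName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Disable-CspMaxAllowedLogging {
    # Assumed revert: remove the value so the key is back to its pre-debugging state.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (Get-ItemProperty -LiteralPath $ParametersKey -Name $FlagName -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$ParametersKey\$FlagName", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $ParametersKey -Name $FlagName
        }
    }
}

# Usage: enable for a bounded debugging window, confirm, reboot (step 3), collect events,
# then disable and reboot again. Use -WhatIf on either function to preview the change.
Enable-CspMaxAllowedLogging
Write-Host ("Log MAXIMUM ALLOWED enabled: {0} (reboot required)" -f (Get-CspMaxAllowedLogging))
# Disable-CspMaxAllowedLogging
```

Because the flag logs every MAXIMUM_ALLOWED access on the host, keep the window between enable and disable short and plan for the extra event volume on the management server.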

The resulting events are logged with an Allowed disposition.

Note: Enabling this flag generates a large number of CSP events, since it logs every MAXIMUM_ALLOWED access on the system, so use this option very carefully.