Even when Security_HKLM_only is set to 1, trusted sites added by users are trusted by Symantec Endpoint Protection 12.1

Article ID: 158938

Products

Endpoint Protection

Issue/Introduction

This issue can occur when the following prerequisites are met:

  1. An administrator has set the value data of the Registry value Security_HKLM_only to 1. This value is located here: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. Please see Microsoft support article 833633 (http://support.microsoft.com/kb/833633) for more information on this Registry value.
  2. An administrator has enabled the setting "Automatically trust any file downloaded from a trusted Internet or intranet site." within the Download Protection portion of the Virus and Spyware Protection policy for Symantec Endpoint Protection (SEP).
  3. A user has added an Internet or intranet site to Trusted sites within Internet Explorer.

Expected behavior: Websites added by users should not be automatically trusted by Symantec Endpoint Protection 12.1 since the Registry value Security_HKLM_only is set to 1.

Actual behavior: Websites added by users can sometimes be automatically trusted by Symantec Endpoint Protection 12.1, even when Security_HKLM_only is set to 1.

Cause

Some versions of Internet Explorer save the URL entered by a user into Trusted Sites to both the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains Registry locations.
 
When Security_HKLM_only is set to 0 or does not exist, SEP reads from both Registry locations to determine which sites should be trusted. When Security_HKLM_only is set to 1, SEP reads only from the first Registry location (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains). However, because Internet Explorer has also written the website's URL to this location, SEP will trust it.
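One way to check a client for the condition described above, as an added PowerShell example that is not part of the original article or of Symantec's tooling: it reads Security_HKLM_only and lists the Trusted sites entries under the HKLM location, flagging those that also exist under the current user's HKCU location. The Registry paths are the ones this article gives; the zone number 2 for Trusted sites and the function name Get-TrustedDomain are assumptions of the example.

```powershell
# Added example. Registry paths are taken from this article as written.
$policyKey   = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmDomains = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains'
$hkcuDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\Domains'
$trustedZone = 2   # assumption: zone 2 is Internet Explorer's Trusted sites zone

# Hypothetical helper: returns one object per (domain, scheme) mapped to the trusted zone.
function Get-TrustedDomain {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    $prefixLength = (Get-Item -LiteralPath $Root).Name.Length + 1
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            # Only DWORD data equal to the trusted zone number counts.
            if ($data -is [int] -and $data -eq $trustedZone) {
                [pscustomobject]@{
                    Domain = $key.Name.Substring($prefixLength)  # path relative to Domains
                    Scheme = $name                               # value name, e.g. http, https, *
                }
            }
        }
    }
}

# Is the policy value present and set to 1?
$policy   = Get-ItemProperty -LiteralPath $policyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
$hklmOnly = ($null -ne $policy) -and ($policy.Security_HKLM_only -eq 1)

# Entries visible to the current user (HKCU is per user, so run this in the user's session).
$userIds = @(Get-TrustedDomain -Root $hkcuDomains |
    ForEach-Object { "$($_.Domain)|$($_.Scheme)".ToLowerInvariant() })

# Report every machine-wide entry and whether the same entry also exists in HKCU.
Get-TrustedDomain -Root $hklmDomains | ForEach-Object {
    $id = "$($_.Domain)|$($_.Scheme)".ToLowerInvariant()
    [pscustomobject]@{
        Domain      = $_.Domain
        Scheme      = $_.Scheme
        AlsoInHKCU  = $userIds -contains $id
        HklmOnlySet = $hklmOnly
    }
} | Sort-Object Domain | Format-Table -AutoSize
```

Rows with AlsoInHKCU set to True while HklmOnlySet is True are candidates for user-added sites that SEP will trust; compare them against the list of sites the administrator intended to deploy.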

Resolution

This is not a Symantec issue. Please upgrade Internet Explorer to a version which does not exhibit this behavior.