Ringfencing Registry Activity
Malware often uses the registry to persist and to hide its configuration. Ringfencing lets you block an application from making any changes to the registry, so nothing malicious can be written there through that application. When you select 'Restrict these applications from making registry changes except for the below rules', the ringfenced application is denied all registry changes except those you explicitly permit.
Many legitimate programs, Notepad++ for example, need to write to the registry. To find out which keys a program needs, enable registry restrictions and set the policy to 'Monitor Only'. The registry activity is then recorded without anything being blocked.
The Unified Audit shows the exact path of each registry key that was created or changed. Filter by 'Policy Name', entering the name of the policy whose registry interaction you want to view, then under 'Action Type' select 'Registry' from the dropdown to show only registry interactions.
In the 'Details' column, you will see the exact path to the registry key.
To permit denied registry activity, expand the entry in the Unified Audit and click the 'Add to Policy' button.
You can use wildcards in the path if desired. As the Unified Audit excerpt above shows, Notepad++ makes many registry entries when it runs, and many of them share most of their path. The screenshot below shows these permitted using wildcards in the path. Keep each wildcard as narrow as the observed activity allows: a pattern that covers a broad key such as the whole of HKEY_CURRENT_USER\Software would also permit writes to autostart locations like ...\Microsoft\Windows\CurrentVersion\Run, which defeats the purpose of the restriction.
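The consolidation step above (turn a list of observed key paths into a few wildcard rules, then check the rules are not wider than intended) can be done with a short script before anything is added to the policy. The following is an added example and is not ThreatLocker code or a Unified Audit export: the registry paths are constructed to illustrate the shape of the 'Details' column, the application name is a placeholder, and the wildcard semantics (case-insensitive, `*` matching any run of characters including backslashes) are an assumption for this example rather than a description of the product's matcher.

```python
"""Consolidate registry paths seen in Monitor Only mode into wildcard permit
rules, then flag any rule that would also cover well-known persistence keys.

Added example, not product code. Sample paths below are constructed and the
wildcard semantics are an assumption (see wildcard_match).
"""
import re
from collections import defaultdict

# Constructed sample: registry paths one application was seen writing while
# its policy ran in Monitor Only. Not real audit data; 'ExampleEditor' is a
# placeholder application name.
OBSERVED_PATHS = [
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Recent\File1",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Recent\File2",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Recent\File3",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Settings\Theme",
    r"HKEY_CURRENT_USER\Software\ExampleEditor\Settings\FontSize",
    r"HKEY_CURRENT_USER\Software\Classes\.txt\OpenWithProgids\ExampleEditor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExampleEditor",
]

# Well-known autostart locations. A permit rule that also covers these lets the
# application establish persistence, which the restriction exists to prevent.
PERSISTENCE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]


def wildcard_match(path, pattern):
    """Assumed semantics: case-insensitive full match, '*' matches anything
    (including '\\'). Registry key names are case-insensitive on Windows."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path, re.IGNORECASE) is not None


def suggest_rules(paths, min_group=2):
    """Group paths by parent key. A parent with at least min_group children
    becomes 'parent\\*'; everything else stays an exact path."""
    by_parent = defaultdict(list)
    for path in paths:
        parent = path.rpartition("\\")[0]
        by_parent[parent.lower()].append(path)
    rules = []
    for members in by_parent.values():
        if len(members) >= min_group:
            rules.append(members[0].rpartition("\\")[0] + "\\*")  # keep original case
        else:
            rules.extend(members)
    return sorted(rules, key=str.lower)


def uncovered(paths, rules):
    """Observed paths that no proposed rule permits (would still be blocked)."""
    return [p for p in paths if not any(wildcard_match(p, r) for r in rules)]


def flag_broad_rules(rules, sensitive_keys=PERSISTENCE_KEYS):
    """Map each rule that reaches into a persistence key to the keys it touches.
    A rule is flagged if it sits under the key (exact path or 'key\\sub\\*') or
    if its wildcard would match a child of the key."""
    flagged = {}
    for rule in rules:
        hits = [
            key for key in sensitive_keys
            if rule.lower().startswith(key.lower() + "\\")
            or wildcard_match(key + r"\probe", rule)
        ]
        if hits:
            flagged[rule] = hits
    return flagged


if __name__ == "__main__":
    rules = suggest_rules(OBSERVED_PATHS)
    print("Proposed rules:")
    for rule in rules:
        print("  ", rule)
    print("Still blocked:", uncovered(OBSERVED_PATHS, rules) or "none")
    print("Rules touching persistence keys:", flag_broad_rules(rules) or "none")
    # A single catch-all wildcard covers everything but is far too wide.
    print("Catch-all check:", flag_broad_rules([r"HKEY_CURRENT_USER\Software\*"]))
```

For the constructed sample the script proposes two wildcard rules (the Recent and Settings parents) and two exact paths, confirms every observed path is covered, and flags only the `...\CurrentVersion\Run\ExampleEditor` entry, which is the one you would review by hand rather than permit automatically. The final check shows why one wide wildcard is the wrong shortcut: `HKEY_CURRENT_USER\Software\*` covers the whole sample but also both HKCU autostart keys.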