Ringfencing Registry Activity

Last update: 01.13.2024
Note: This article contains directions for both the ThreatLocker Portal and the ThreatLocker Legacy Portal. If you are using the Legacy Portal, scroll down to the Legacy Portal section of this article.

Malware often hides in the registry. Ringfencing lets you prevent an Application from making any changes to the registry, so that nothing malicious can be written to it through that Application. When you select 'Restrict these Applications from accessing the Registry?', no registry access is permitted unless you explicitly permit it.


Many legitimate programs, such as Notepad++, require access to the registry. To observe which registry keys a program needs, enable registry restrictions and then set the policy to 'Monitor Only'. In this state you can observe the program's registry activity without blocking any interaction.


The Unified Audit shows the exact path of the registry key that was created or changed. Filter by 'Policy Name', enter the name of the policy whose registry interaction you wish to view, and then under 'Action Type' select 'Registry' from the dropdown to view only registry interactions.

In the 'Details' column, you will see the exact path to the registry key.


You can permit any denied registry activity that you want to allow by expanding the entry in the Unified Audit and clicking the 'Add to Policy' button.


You can use wildcards in the path if desired. As the Unified Audit excerpt above shows, Notepad++ touches many different registry entries when it runs, and many of them share nearly the same path. The screenshot below shows how we permitted these with a single rule by using wildcards in the path.
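The following added example (not ThreatLocker's code; it applies equally to the Legacy Portal section below) shows how to turn a Monitor Only audit of registry paths into wildcard rules that stay scoped to the application's own key while leaving shared locations such as the Run key on exact rules. It assumes that the 'Details' column holds full backslash-separated key paths and that `*` in a rule matches any run of characters; the sample paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of 'Details' values, as a Notepad++ policy in Monitor Only
# might report them. Illustrative only; not paths copied from a real Unified Audit.
SAMPLE_DETAILS = [
    r"HKEY_CURRENT_USER\Software\Notepad++\defaultTab",
    r"HKEY_CURRENT_USER\Software\Notepad++\recentFileList",
    r"HKEY_CURRENT_USER\Software\Notepad++\plugins\NppExport",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\npp",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\shell\Notepad++",
]

def suggest_wildcard_rules(paths, min_depth=3):
    """Group paths by their first min_depth components (hive\\Software\\Vendor) and
    collapse each group into one rule: the longest common key prefix plus '\\*'.
    A path with no sibling in its group keeps an exact rule, so a lone write to a
    shared location such as ...\\CurrentVersion\\Run is never wildcarded."""
    groups = defaultdict(list)
    for path in paths:
        parts = path.split("\\")
        groups["\\".join(parts[:min_depth])].append(parts)
    rules = {}  # rule -> number of audited paths it covers
    for members in groups.values():
        if len(members) == 1:
            rules["\\".join(members[0])] = 1
            continue
        common = []
        for column in zip(*members):          # zip stops at the shortest member
            if len(set(column)) != 1:
                break
            common.append(column[0])
        rules["\\".join(common) + "\\*"] = len(members)
    return rules

def rule_matches(rule, path):
    """Assumed semantics: '*' stands for any run of characters; the registry is
    case-insensitive, so the comparison is too."""
    regex = "^" + ".*".join(re.escape(piece) for piece in rule.split("*")) + "$"
    return re.match(regex, path, re.IGNORECASE) is not None

def evaluate(rules, paths):
    """Split paths into (permitted, denied) under the given rules."""
    permitted = [p for p in paths if any(rule_matches(r, p) for r in rules)]
    return permitted, [p for p in paths if p not in permitted]

def overly_broad(rules, min_depth=3):
    """Flag wildcard rules whose '*' sits above the vendor level, e.g. HKCU\\Software\\*."""
    return [r for r in rules if r.endswith("\\*") and len(r.split("\\")) - 1 < min_depth]
```

Run `overly_broad` over any rule set before applying it; a wildcard placed above the vendor key would permit writes to every application's settings and to autorun locations, which defeats the purpose of the restriction.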


When you apply Ringfencing to an Application that has not previously had Ringfencing applied, it is very important to place that specific Policy into a Monitor Only status for about a week.

Failure to keep a new Ringfencing Policy in a Monitor Only status for a week may impact your day-to-day business operations.


Ringfencing Registry Activity in the Legacy Portal

Malware often hides in the registry. Ringfencing lets you prevent an Application from making any changes to the registry, so that nothing malicious can be written to it through that Application. When you select 'Restrict these Applications from making registry changes except for the below rules', no registry access is permitted unless you explicitly permit it.


Many legitimate programs, such as Notepad++, require access to the registry. To observe which registry keys a program needs, enable registry restrictions and then set the policy to 'Monitor Only'. In this state you can observe the program's registry activity without blocking any interaction.


The Unified Audit shows the exact path of the registry key that was created or changed. Filter by 'Policy Name', enter the name of the policy whose registry interaction you wish to view, and then under 'Action Type' select 'Registry' from the dropdown to view only registry interactions.

In the 'Details' column, you will see the exact path to the registry key.


You can permit any denied registry activity that you want to allow by expanding the entry in the Unified Audit and clicking the 'Add to Policy' button.


You can use wildcards in the path if desired. As the Unified Audit excerpt above shows, Notepad++ touches many different registry entries when it runs, and many of them share nearly the same path. The screenshot below shows how we permitted these with a single rule by using wildcards in the path.


When you apply Ringfencing to an Application that has not previously had Ringfencing applied, it is very important to place that specific Policy into a Monitor Only status for about a week.

Failure to keep a new Ringfencing Policy in a Monitor Only status for a week may impact your day-to-day business operations.
