Group Policy registry keys detected as PUMs in Endpoint Protection

Document created by jgolomb (Employee) on Dec 26, 2018. Last modified by bgoddard on Aug 1, 2019.
Version 4

After a threat scan, your Malwarebytes Endpoint Protection and Response software detects Group Policy registry keys as Potentially Unwanted Modifications (PUMs).

 

Cause

If you have a Group Policy enforced on your network, your Malwarebytes software assumes the Group Policy registry keys are Potentially Unwanted Modifications. If these registry keys were added with your permission, you may treat the detections as false positives.

 

Resolution

Add your Group Policy's registry keys as exclusions in the Malwarebytes cloud console. Your Malwarebytes software does not scan any items that are added to exclusions.

 

Here is a list of Group Policy registry keys your Malwarebytes software may detect:

 

 

HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoStartMenuMorePrograms
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSetFolders
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFind
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoSMHelp
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoViewContextMenu
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoToolbarCustomize
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoPropertiesMyComputer
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceActiveDesktopOn
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispCPL
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispBackgroundPage
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispAppearancePage
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|NoDispScrSavPage
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoFolderOptions
HKU\*\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr
HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|ConnectionsTab
HKU\*\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL|HomePage
HKU\*\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD

 

The wildcard (*) in each registry key above stands in for the user account name.
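Before excluding a key, it helps to confirm which of the listed values are actually set on an endpoint and compare them with the policies you deploy. The following PowerShell is an added example, not Malwarebytes code; the function name `Get-PolicyValueHits` and the shortened `$entries` list are assumptions made for illustration.

```powershell
# Added example: report which listed policy values exist in each loaded user hive.
# Run in an elevated session on the endpoint. Only logged-on users' hives are
# loaded under HKEY_USERS, where each user's subkey is named by that account's SID.

# Subset of the "key|value" entries from the list above, without the HKU\* prefix.
$entries = @(
    'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoRun',
    'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NoDrives',
    'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableRegistryTools',
    'SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DisableTaskMgr',
    'SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DisableCMD'
)

function Get-PolicyValueHits {
    param([string[]]$Entries)

    # Keep domain/local (S-1-5-21-...) and Azure AD (S-1-12-1-...) user hives.
    # The end anchor also skips the matching "<SID>_Classes" hives.
    $sids = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        foreach ($entry in $Entries) {
            # Split "key path|value name" at the first pipe only.
            $subKey, $valueName = $entry -split '\|', 2
            $path = "Registry::HKEY_USERS\$sid\$subKey"

            # Returns nothing if the key or the value does not exist.
            $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                [pscustomobject]@{
                    Sid   = $sid
                    Key   = "HKU\$sid\$subKey"
                    Value = $valueName
                    Data  = $item.$valueName
                }
            }
        }
    }
}

Get-PolicyValueHits -Entries $entries | Format-Table -AutoSize
```

A value that appears here but is not part of any Group Policy you deploy was not added with your permission and should not be excluded.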

 

Microsoft Reference for All Group Policy Settings

Microsoft provides a reference list for all Group Policy settings: Download Group Policy Settings Reference Spreadsheet Windows 1803 from the Official Microsoft Download Center.

 

Malwarebytes cloud console

In the Malwarebytes cloud console, configure exclusions in Settings > Exclusions. Scroll down, then click Exclude a registry key (Windows). For additional instructions, refer to the article Add exclusions to the Malwarebytes cloud console.

 
