'Registry' detected warning

Hi,
For the past 3 or 4 days I have been getting users reporting ‘Registry’ warnings from CSC.
Today I’m getting more and more users reporting this incident.
Those are different users from different companies, so it’s a general problem. It does not affect just a single network.

On the ‘Security dashboard’ from the console I can’t find any entry or warning.
So I can’t whitelist or unblock this action.

If I open ‘Show activities’:

When opening ‘View logs’ from the CS client and looking in the ‘HIPS events’:

The .log1 and .log2 files are mentioned on all the affected devices.

Is this a known problem after the last update?

And is it possible that these messages could also be seen from the MPS Console?

And more importantly, what’s the problem and how do I solve it?

Regards

fyi:
The profile I use is based on the default: Hardened Windows Profile for ITSM 6.10

Nobody else with these warnings?
I get more and more users complaining about this message.
And I can’t see any of these warnings from console.
I know I can disable HIPS or something else but that is not preferred.

Only thing I can tell the user is to click on ‘Allow’. But for a managed platform this should not be the case: I should see these logs or warnings also in my dashboard and take corresponding actions.

Hello @ailan,

We have created a support ticket in regard to your report and will reach you via your forum-registered email for further correspondence.

Thank you for your reply.
I just wanted to update this thread for others, after waiting a while to post the results.

Earlier I received the following mail from Itarian Support:
Hello,

Thank you for contacting ITarian. Actually, the Registry process is a legitimate Microsoft process:

Recent versions of Microsoft’s Windows 10 operating system, for instance build 17063, come with a new process that is just called Registry.

The Registry process is used to hold Software and User Registry hive data (HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_CURRENT_USER) to utilize memory management capabilities and, in the future, will reduce the memory usage of the Registry.

See https://answers.microsoft.com/en-us/windows/forum/…

For some reason HIPS does not recognize Registry as a Safe application and therefore shows an alert, because you do not use HIPS auto-action in profile settings.

As a workaround, you can create a HIPS rule for the Registry application and apply the “Allowed Application” ruleset.

Thanks and Regards,
Nicholas
Itarian Support

I created HIPS rules and haven’t heard from the clients in a week.
So hopefully the warning has been solved with this ruleset.

See my opening post. I find it very strange that I’m the only one seeing this problem, because it looks like devices with updated Windows 10 and the latest CCS can trigger this problem.

What does Itarian Support mean by: “because you do not use HIPS auto-action in profile settings.”?

My profile is based on the default ‘Hardened Windows Profile for ITSM 6.10’, as was suggested to me a few years ago.
I couldn’t find any ‘HIPS Auto-action’. What is it, and is that now enabled by default?