How to Ignore Registry Check


Jacky Qin
Sep 17, 2019, 5:43:49 AM
to Wazuh mailing list
Hi,

There is so much registry integrity check information that I want to ignore it. The following changes were made in the file /var/ossec/etc/shared/default/agent.conf.
<agent_config os="Windows">
  <syscheck>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
    <registry_ignore>[x64] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv</registry_ignore>
  </syscheck>
</agent_config>

Check OK with the var/ossec/bin/verify-agent-conf command. However, after restarting the wazuh-manager service, the logs collected on the agent seem to open all the registry integrity checks.

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4' added to the file system. 

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\Names\Guest' added to the file system.

New file 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{b5e78648-f13c-4fe1-b529-3a8f714bef27}' added to the file system.

The logs above should not appear, and they have been ignored in the agent's ossec.conf configuration. Is there a configuration error?

Best regards
Jacky Qin

Juan Pablo Saez
Sep 17, 2019, 9:33:57 AM
to Wazuh mailing list
Hi Jacky,

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4' added to the file system. 

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\Names\Guest' added to the file system.

New file 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{b5e78648-f13c-4fe1-b529-3a8f714bef27}' added to the file system.


The first two lines in your example are outside the scope of your ignores, so it's normal for those events to show. The third one should be ignored by your <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore> option. Maybe another <windows_registry field> option is pointing to a deeper registry folder, triggering the scan and going through the <registry_ignore> option.

Could you paste here your complete syscheck configuration on that agent? After doing some tests, it seems like registry_ignore is working fine on Wazuh v3.9.5. So the deeper-pointing <windows_registry field> option seems possible.


Best regards, Juan Pablo Sáez

Jacky Qin
Sep 17, 2019, 9:07:43 PM
to Wazuh mailing list
Hi Juan,

Thank you for your reply. I'm sorry that the agent.conf file I pasted is incorrect. Here is the syscheck configuration of that agent.
agent.conf:
root@ip-10-129-3-46:/home/ubuntu# cat /var/ossec/etc/shared/default/agent.conf
<agent_config  os="Windows">
    <syscheck>
      <disabled>no</disabled>
      <scan_on_start>yes</scan_on_start>
      <directories check_all="yes" realtime="yes" restrict=".aspx$|.exe$|.ashx$|.asmx$|.svc$">D:\Program Files (x86)\WebSite</directories>

      <registry_ignore>HKEY_LOCAL_MACHINE\Security</registry_ignore>
      <registry_ignore>HKEY_LOCAL_MACHINE\System</registry_ignore>
      <registry_ignore>HKEY_LOCAL_MACHINE\Software</registry_ignore>
      <registry_ignore arch='64bit'>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</registry_ignore>
    </syscheck>
</agent_config>

ossec.conf:
<!--
  Wazuh - Agent - Default configuration for Windows
-->

<ossec_config>

  <client>
    <server>
      <address>0.0.0.0</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>C:\Program Files (x86)\ossec-agent\active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- File integrity monitoring -->
  <syscheck>
    
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories check_all="yes">%WINDIR%/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>

    <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>

    <!-- 32-bit programs. -->
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cmd.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
    <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedit.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/sethc.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>

    <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
  </syscheck>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>wodles\java</java_path>
    <ciscat_path>wodles\cis-cat</ciscat_path>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->


<ossec_config>   <client>      <server-ip>10.129.3.46</server-ip>   </client> </ossec_config>

<ossec_config>   <client>      <server-ip>10.129.3.46</server-ip>   </client> </ossec_config>

<ossec_config>   <client>      <server-ip>10.129.3.46</server-ip>   </client> </ossec_config>


Best regards
Jacky Qin

On Tuesday, September 17, 2019 at 9:33:57 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 18, 2019, 3:56:10 AM
to Wazuh mailing list
Hi again Jacky,


Thank you for your reply. I'm sorry that the agent.conf file I pasted is incorrect. Here is the syscheck configuration of that agent.

Now it makes sense, let's review what happens:

In your agent.conf file you are ignoring the following registry paths:
 <registry_ignore>HKEY_LOCAL_MACHINE\Security</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\Software</registry_ignore>
 <registry_ignore arch='64bit'>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</registry_ignore>

But events coming from paths inside those already under <registry_ignore> keep arriving:
New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4' added to the file system. 

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\Names\Guest' added to the file system.

New file 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{b5e78648-f13c-4fe1-b529-3a8f714bef27}' added to the file system.



About the HKEY_LOCAL_MACHINE\System\... alerts,

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

  • The <windows_registry> stanza above (located in your agent's ossec.conf) overrides the <registry_ignore>HKEY_LOCAL_MACHINE\System</registry_ignore>, so events coming from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services or a deeper path won't be ignored. With the same configuration, I receive alerts too.
    ** Alert 1568791055.92477: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
    2019 Sep 18 09:17:35 (SERV2kk16) 192.168.75.132->syscheck-registry
    Rule: 554 (level 5) -> 'File added to the system.'
    File 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ACPI\Parameters\TEST' was added.

    Attributes:
     - MD5: 9ecb8fd9145c35990156768d60692d62
     - SHA1: 61a9c79144fd0e644577d1631e4e3ed147e436db

  • Removing the <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> entry in the agent's ossec.conf should be enough to stop these alerts.

About the HKEY_LOCAL_MACHINE\Security\... alerts,

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\000001F4' added to the file system.  

New file 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users\Names\Guest' added to the file system

shouldn't appear, as in your agent.conf the entry <registry_ignore>HKEY_LOCAL_MACHINE\Security</registry_ignore> is ignoring the same level that the ossec.conf is targeting with <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>, and there is no <windows_registry> stanza pointing to a deeper level.


  • Please remove the <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> entry and let me know if it silences the HKEY_LOCAL_MACHINE\System related alerts.
  • On the other hand, could you confirm whether you keep receiving these HKEY_LOCAL_MACHINE\Security alerts? I haven't been able to recreate this environment.


I hope it helps. Best regards, 

Juan Pablo Sáez

Jacky Qin
Sep 18, 2019, 4:47:02 AM
to Wazuh mailing list
Hi Juan,

I did not delete the <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry> configuration in ossec.conf, because we have hundreds of agents. I can only ignore a lot of registry alerts on agents through the agent.conf configuration, which is what I want to do, but it doesn't seem to be successful.

Best regards
Jacky Qin

On Wednesday, September 18, 2019 at 3:56:10 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 18, 2019, 9:43:32 AM
to Wazuh mailing list
Hi again Jacky,

We are investigating a solution for you. We will let you know as soon as we figure out the best way to ignore the analysis of these registry paths and how to propagate it to all your agents.

Best regards, Juan Pablo Sáez

Jacky Qin
Sep 18, 2019, 8:56:39 PM
to Wazuh mailing list
Thank you, you are so good.

On Wednesday, September 18, 2019 at 9:43:32 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 19, 2019, 11:29:53 AM
to Wazuh mailing list
Hi Jacky,


The solution goes through changing the <registry_ignore> to <registry_ignore type="sregex">, so you should modify the agent.conf

from
      <registry_ignore>HKEY_LOCAL_MACHINE\Security</registry_ignore>
      <registry_ignore>HKEY_LOCAL_MACHINE\System</registry_ignore>
      <registry_ignore>HKEY_LOCAL_MACHINE\Software</registry_ignore>
      <registry_ignore arch='64bit'>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</registry_ignore>

to
      <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\Security</registry_ignore>
      <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\System</registry_ignore>
      <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\Software</registry_ignore>
      <registry_ignore arch='64bit' type="sregex">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</registry_ignore>

The '^' sregex character means "Begins with", so these sregex expressions target the specified path and its subpaths.


In theory, the <registry_ignore type="sregex"> options above should be enough to override the <windows_registry> stanzas that point to a deeper subpath than the ignored ones. The problem is that during the sregex solution test, I've found a bug:

  • When combining <registry_ignore> with <registry_ignore type="sregex">, the <registry_ignore type="sregex"> stanzas are ignored.
  • This doesn't occur when using only <registry_ignore type="sregex">. Your problem here is that you are pushing these options using the centralized configuration, and some <registry_ignore> stanzas remain from the default ossec.conf configuration. So the combination of your <registry_ignore type="sregex"> with the default <registry_ignore> options cancels the sregex ones.
  • This bug has been documented on GitHub.

When our workflow allows us, we will fix this bug so you can really ignore these registry events. While we are fixing it, I can help you to design rules to silence windows registry unwanted alerts.

Please, let me know if it helps.

PD: I appreciate your positive feedback, thanks!

Best regards, Juan Pablo Sáez
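As an added illustration (not code from this thread or from Wazuh itself), the Python model below captures the difference Juan describes: a plain <registry_ignore> entry is treated as matching one key exactly, while an sregex entry starting with '^' matches that key and everything below it. The registry tree is constructed for the example, and the walk-and-prune scan starting at each <windows_registry> root is an assumption about how the ignore is applied, not Wazuh's implementation.

```python
# Added example: simplified model of plain vs. sregex <registry_ignore>.
# Assumption (not Wazuh's code): the scan walks down from each
# <windows_registry> root and prunes any key an ignore entry matches.
from dataclasses import dataclass

# Constructed registry tree: the keys named in the thread plus a few siblings.
KEYS = [
    r"HKEY_LOCAL_MACHINE\System",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ACPI",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ACPI\Parameters",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces",
]
SERVICES = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"


@dataclass(frozen=True)
class IgnoreRule:
    """One <registry_ignore> entry; sregex=True stands for type="sregex"."""
    pattern: str
    sregex: bool = False

    def matches(self, key: str) -> bool:
        # Registry key names are case-insensitive, so compare lower-cased.
        key_l, pat_l = key.lower(), self.pattern.lower()
        if not self.sregex:
            return key_l == pat_l               # plain entry: this exact key only
        if pat_l.startswith("^"):
            return key_l.startswith(pat_l[1:])  # '^' means "begins with"
        return pat_l in key_l                   # bare sregex: substring match


def children(key: str) -> list:
    """Direct subkeys of `key` in the constructed tree."""
    return [k for k in KEYS if k.rsplit("\\", 1)[0].lower() == key.lower()]


def scan(root: str, ignores: list) -> list:
    """Walk from a <windows_registry> root, skipping any subtree an ignore
    matches. Returns the keys that would be reported (and alerted on)."""
    reported = []

    def walk(key: str) -> None:
        if any(rule.matches(key) for rule in ignores):
            return                              # pruned: nothing below is visited
        reported.append(key)
        for child in children(key):
            walk(child)

    walk(root)
    return reported


def demo() -> dict:
    """The three situations discussed in the thread, as reported-key counts."""
    plain_system = [IgnoreRule(r"HKEY_LOCAL_MACHINE\System")]
    sregex_system = [IgnoreRule(r"^HKEY_LOCAL_MACHINE\System", sregex=True)]
    plain_services = [IgnoreRule(SERVICES)]
    return {
        # ossec.conf scans ...\Services while agent.conf ignores HKLM\System:
        # the plain ignore names a key the scan never visits, so it never fires.
        "plain_ignore_above_root": len(scan(SERVICES, plain_system)),    # 6
        "sregex_ignore_above_root": len(scan(SERVICES, sregex_system)),  # 0
        "plain_ignore_equals_root": len(scan(SERVICES, plain_services)), # 0
    }


if __name__ == "__main__":
    for case, count in demo().items():
        print(f"{case}: {count} key(s) reported")
```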

Jacky Qin
Sep 22, 2019, 10:31:53 PM
to Wazuh mailing list
Hi Juan,

Thank you for your help. Looking forward to your early repair of this bug. Thanks again.

On Thursday, September 19, 2019 at 11:29:53 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 23, 2019, 2:20:52 AM
to Wazuh mailing list
Hi Jacky,

If you paste here some of the alerts you would like to ignore we can design silencing rules.

Best regards, Juan Pablo Sáez

venkat swaminathan
Sep 24, 2019, 8:20:10 AM
to Wazuh mailing list
Hello Good Day,

We are also facing some issues setting the Wazuh agent config.

We are currently using the 3.8.1 Wazuh Windows agent and trying to minimize some integrity alerts, and it does not work as expected.
Trying to add <registry_ignore> for HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service, I tried various ways but nothing worked.
Trial 1: <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
Trial 2: <registry_ignore type="sregex">^HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</registry_ignore>
I did follow 2 mailing list threads and their prescribed solutions; nothing worked. Some guidance is required here:
https://groups.google.com/forum/#!msg/wazuh/jlSRgiyU3/YlLbPz85AgAJ
https://groups.google.com/forum/#!topic/wazuh/agNZ6Bf2HdY
Bug reference: https://github.com/wazuh/wazuh/issues/3990


Jacky Qin
Sep 24, 2019, 9:03:09 PM
to Wazuh mailing list
Hi Juan,

Actually, I want to ignore alerts in all registries, so I have the paths HKEY_LOCAL_MACHINE\Security, HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_MACHINE\Software that I configured earlier.

On Monday, September 23, 2019 at 2:20:52 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 25, 2019, 4:24:20 AM
to Wazuh mailing list
Hi Jacky and Venkat,


When our workflow allows us, we will fix this bug so you can really ignore these registry events. While we are fixing it, please use the following level 0 silencing rules to keep the flooding under control:


For Jacky:

Actually, I want to ignore alerts in all registries, so I have the paths HKEY_LOCAL_MACHINE\Security, HKEY_LOCAL_MACHINE\System and HKEY_LOCAL_MACHINE\Software that I configured earlier.


Please place the rules below in /var/ossec/etc/rules/local_rules.xml:
<rule id="99990" level="0">
    <if_sid>550</if_sid>
    <field name="file">^HKEY_LOCAL_MACHINE\Security</field>
    <description>Silencing FIM alert</description>
</rule>

<rule id="99991" level="0">
    <if_sid>550</if_sid>
    <field name="file">^HKEY_LOCAL_MACHINE\System</field>
    <description>Silencing FIM alert</description>
</rule>

<rule id="99992" level="0">
    <if_sid>550</if_sid>
    <field name="file">^HKEY_LOCAL_MACHINE\Software</field>
    <description>Silencing FIM alert</description>
</rule>



For Venkat:

Trying to add <registry_ignore> for HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service, I tried various ways but nothing worked.

Please place the rule below in /var/ossec/etc/rules/local_rules.xml:
<rule id="99990" level="0">
    <if_sid>550</if_sid>
    <field name="file">^HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</field>
    <description>Silencing FIM alert</description>
</rule>




Please, let me know if it helps. I also want to remind you that you can follow the progress of the registry ignore fix here.
Greetings, Juan Pablo Sáez

Jacky Qin
Sep 26, 2019, 6:27:12 AM
to Wazuh mailing list
Hi Juan,

The solutions you offer can help me. Thank you very much.

Best regards
Jacky Qin

On Wednesday, September 25, 2019 at 4:24:20 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez
Sep 26, 2019, 6:57:52 AM
to Wazuh mailing list
Hi again Jacky,

This reduced version should also work for you:
<rule id="99990" level="0">
    <if_sid>550</if_sid>
    <field name="file">^HKEY_LOCAL_MACHINE\Security|^HKEY_LOCAL_MACHINE\System|^HKEY_LOCAL_MACHINE\Software</field>
    <description>Silencing FIM alert</description>
</rule>


I hope it helps.


Greetings, JP Sáez

Jacky Qin
Sep 26, 2019, 7:34:13 AM
to Wazuh mailing list
Hi Juan,

It does. Thanks again.

On Thursday, September 26, 2019 at 6:57:52 PM UTC+8, Juan Pablo Saez wrote:

Mefisto Evil
Apr 28, 2023, 12:40:18 AM
to Wazuh mailing list
Hello, has this been fixed? As far as I know, with <registry_ignore> the registry events will not even be uploaded from the agent to the server, but if we create a rule they will still be uploaded, only ignored. So registry_ignore is preferred.
Thursday, September 26, 2019 at 16:34:13 UTC+5, Jacky Qin: