RegistryValueSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on Deep Security Agents. To enable and configure Integrity Monitoring, see Set up Integrity Monitoring.

A set of Registry values (Windows only).

Tag Attributes

These are XML attributes of the tag itself as opposed to the attributes of the entity monitored by Integrity Monitoring Rules.

Attribute	Description	Required	Default Value	Allowed Values
base	Sets the base key of the RegistryValueSet. Everything else in the tag is relative to this key. The base must begin with one of the registry branch names: HKEY_CLASSES_ROOT (or HKCR), HKEY_LOCAL_MACHINE (or HKLM), HKEY_USERS (or HKU), HKEY_CURRENT_CONFIG (or HKCC)	Yes	N/A	String values resolving to syntactically valid registry key

Entity Set Attributes

These are the attributes of the Entity that can be monitored by Integrity Monitoring Rules:

Size
Type
Sha1
Sha256
Md5 (deprecated)

Short Hand Attributes

CONTENTS: Resolves to the content hash algorithm set in Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Integrity Monitoring > Advanced.
STANDARD: Size, Type, Contents

Meaning of "Key"

Registry Values are name-value pairs stored under a key in the registry. The key under which they are stored may in turn be stored under another key, very much like files and directories on a file system. For the purpose of this language the "key path" to a value is considered to look like the path to a file. For example, the "key path" to the InstallationFolder value of the Agent would be:

HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent\InstallationFolder

The "key" value for includes and excludes for the RegistryValueSet is matched against the key path. This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the key path separated by "\"

Default Value

Each registry key has an unnamed or default value.

This value can be explicitly specified for inclusion and exclusion by using a trailing "/" in patterns. For example, "**/" will match all subordinate unnamed values, and "*Agent/**/" will match all unnamed values below a key matching "*Agent".

Registry value names can contain any printable character, including quotes, backslash, the "@" symbol, etc.

The Agent deals with this in Entity key names by using backslash as an escape character, but only backslashes themselves are escaped. It does this so that it can tell the difference between a value name containing a backslash and a backslash that occurs as part of the registry path. This means that value names which end with a backslash character will match rules designed to match the default or unnamed value.

See the table below for example registry value names and the resulting Entity key.

Value	Escaped Form	Example
Hello	Hello	HKLM\Software\Sample\Hello
"Quotes"	"Quotes"	HKLM\Software\Sample\"Quotes"
back\slash	back\\slash	HKLM\Software\Sample\back\\slash
trailing\	trailing\\	HKLM\Software\Sample\trailing\\
		HKLM\Software\Sample\
@	@	HKLM\Software\Sample\@

Sub Elements

Include
Exclude

See About the Integrity Monitoring rules language for a general description of Include and Exclude for their allowed attributes and sub elements.