Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Information about detection type identified as Policy by ATTK

    • Updated:
    • 9 Mar 2020
    • Product/Version:
    • Support Tools
    • Platform:
Summary

When using ATTK, you may see the detection type: Policy. This type of detection indicates that ATTK found Windows Settings suspiciously changed, possibly modified by malware. One good example is some malware that disable Task Manager to prevent the user from killing the malware process. The modified Task Manager settings can be detected by ATTK as Policy.

ATTK Detection Policy

Details
Public
PolicyTypeDescription
SCRNSAVE.EXEDesktopSet screen saver value to Blank
BackupWallpaperDesktopEnable the predefined backup wallpaper of the OS
NoSetActiveDesktopDesktopDisable Active Desktop
WallpaperDesktopEnable the predefined wallpaper of the OS
NoChangingWallpaperDesktopDisable the changing of wallpapers
NoActiveDesktopChangesDesktopDisable changing of Active Desktop
Start PageInternet ExplorerSet start page value of Internet Explorer to "about:blank"
Home PageInternet ExplorerEnable user to change the HomePage Address in the Internet Options of IE
Window TitleInternet ExplorerDelete value to be shown in the Menu Bar of IE
AntivirusDisableNotifySecurityUsers will be notified that Antivirus Software is Disabled
AntivirusOverrideSecurityEnable Antivirus Monitoring
FirewallDisableNotifySecurityUsers will be notified that the Firewall is Disabled
FirewallOverrideSecurityEnable 3rd Party Firewall Monitoring
UpdatesDisableNotitySecurityUsers will be notified that Updates are available
DisableWindowsUpdateAccessSecurityAccess to Windows Updates is Enabled
AUOptionsSecurityEnable "Download updates for me but let me choose when to install them"
NoAutoUpdateSecurityEnable Windows Automatic Updates
EnableDCOMSecurityLaunching of servers and connecting to objects by remote clients is allowed on a per-class basis according to the value
DoNotAllowXPSP2SecurityWindows XP Service Pack 2 will be shown in Windows Update
RestrictAnonymousSecurityAllow anonymous users
AutoShareServerSecurityAdmin$ shares will not be available (on a server machine)
AutoShareWksSecurityAdmin$ shares will not be avialable (on a workstation machine)
MessengerSecuritySet Net Send Service startup type to Automatic
RemoteRegistrySecuritySet Remote Registry accessible service startup type to Automatic
EnableFirewallSecurityEnable WIndows XP Firewall
TIntSvrSecuritySet TIntSvr Service startup type to Manual
wscsvcSecuritySet wscsvc service startup type to Automatic
wuauservSecuritySet wuauserv service startup type to Automatic
DisableRegeditSystemDelete value of HKCU\Software\Microsoft\WIndows\CurrentVersion\Policies\System DisableRegedit and HKLM\Software\Microsoft\WIndows\CurrentVersion\Policies\System DisableRegedit
DisableRegistryToolsSystemAllows users to run registry editor
DisableTaskMgrSystemAllows users to run Task Manager
DisableCMDSystemEnable command prompt and batch files
DisableConfigSystemSystem Restore will be configurable in the "System Properties" a.k.a. WIndows + Break
DisableSRSystemSystem Restore will be shown in the "System Properties" a.k.a Windows + Break
DisableMSISystemSet value for Windows Installer is enabled for all applications. All install operations are allowed
HiddenExplorerEnable "Show Hidden Files"
HideFileExtExplorerEnable "Always show extensions of Known File Types"
ShowSuperHiddenExplorerEnable "Show System Files"
DisallowCplExplorerThe system displays the icons of all Control Panel Item
DisallowRunExplorerUsers can run all installed Windows Programs
NoCloseExplorerShut Down appears on the Start Menu and in the Windows Security dialog box
NoControlPanelExplorerAllow to access Control Panel
NoDesktopExplorerShow Desktop Items
NoDrivesExplorerAll Drives will show
NoFindExplorerFind features operate normally
NoFolderOptionsExplorerAllow "Folder Options" in Windows Explorer will be accessible
NoLogOffExplorerShow "Log Off" on "Shut Down Windows" menu
NoRecentDocsMenuExplorerShow "My Recent Documents" and "Customize Start Menu" in the Start Menu
NoRunExplorerShow Run command
NoSetFoldersExplorerControl Panel, Printers, and Network and Dial-up connections can run
NoSetTaskBarExplorerUsers can use the Taskbar and Start Menu Properties dialog box
NoTrayContextMenuExplorerContext-sensitive menus appear when you right-click the taskbar or right-click items on the taskbar
CheckedValueExplorerThe values for Hidden files and Folders will be interchangeable
NoDriveAutoRunExplorerDisables AutoPlay on all kinds of Drives
NoDriveTypeAutoRunExplorerDisables Autorun on all kinds of Drives

ATTK fixes the policy by restoring the registry value to the default.

For example:

ATTK Detection Policy

Policy: Wuauserv Detects HKLM\SYSTEM\CurrentControlSet\Services\wuauserv Start=3

ATTK Detection Policy

After the fix, it should return to the default value, which is 2.

ATTK Detection Policy

Premium
Internal
Partner
Rating:
Category:
Remove a Malware / Virus
Solution Id:
000246139
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.