LoFP LoFP / as this is controlled by group policy as well as user settings. some false positives may occur.

Techniques

Sample rules

Internet Explorer DisableFirstRunCustomize Enabled

Description

Detects changes to the Internet Explorer “DisableFirstRunCustomize” value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_generic:
  Image:
  - C:\Windows\explorer.exe
  - C:\Windows\System32\ie4uinit.exe
filter_optional_avira:
  Details|contains: DWORD (0x00000001)
  Image|contains|all:
  - \Temp\
  - \.cr\avira_
filter_optional_foxit:
  Details|contains: DWORD (0x00000001)
  Image:
  - C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
  - C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe
selection:
  Details:
  - DWORD (0x00000001)
  - DWORD (0x00000002)
  TargetObject|endswith: \Microsoft\Internet Explorer\Main\DisableFirstRunCustomize