F-Secure Client Premium 13.10 - DataGuard with NETLOGON

When logging in, we use login scripts that are located on a domain controller. As a trusted application within DataGuard we have set the netlogon directory %LOGONSERVER%\NETLOGON\ in policy manager. Nevertheless, we get the error when logging in that the program could not be trusted.

Find more posts tagged with

Comments

HolMi

Reviewed this morning with the latest DeepGuard database from yesterday evening. The described behavior has not changed so far.

xboxsupport

To protect DataGuard monitor specific folders on your system to prevent untrusted applications from modifying your files. DataGuard is very useful ransomware that is able to get past the product's other security layers.

         DataGuard blocks suspicious applications that are considered to behave as ransomware and may block attempts to modify data folders by untrusted applications

         Fixed: Firewall Application Control was sometimes unable to verify applications' reputation after restarting the computer.

Xbox Customer Service

etomcat

Hello,

> The KIX file is not blocked by antivirus, but by DeepGuard.
> Therefore, changes in the database will bring nothing

F-Secure Viruslab is also able to fix DeepGuard false alarms centrally, because there is the ORSP cloud tech and also DG has updates, for example the current one is 2018-03-23_01.

Best Regards: Tamas Feher, Hungary.

Vad

Hello HolMi,

> But it probably does not work with exactly these variables.

You are right. In PM Console help text for the field "Folder" in "Protected folders" table contains the list of supported environment variables:

%UserProfile%, %HomeDrive%, %HomePath%, %ProgramData%, %WinDir%, %SystemRoot%, %SystemDrive%, %ProgramFiles%, and %ProgramFiles(x86)%.

The same limitation affects "Trusted applications" table. Sorry for the inconvenience.

Best regards,

Vad

HolMi

Hello
thanks for this quick reaction.
However, the problem is not recognized.
The KIX file is not blocked by antivirus, but by DeepGuard.
Therefore, changes in the database will bring nothing.
We also do not use wildcards.
System variables are used that are familiar to every Windows system (% LOGONSERVER%).
This is also supported according to policy manager.
But it probably does not work with exactly these variables.

etomcat

Hello,

> Message: DataGuard prevented an untrusted app from modifying protected files
> Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE

I'm afraid you may be out of luck here, as this knowledge base article says:

https://community.f-secure.com/t5/Business/Using-wildcards-in-exclusions/ta-p/20428

"...DeepGuard supports exclusions configured for real-time protection but they need to meet the following criteria:
- Device names are not supported; use standard paths with drive letters and

- Wildcards are not supported. Examples:

Wrong: \\Device\\HarddiskVolume1\\CodeMeter\\*
Correct: c:\Program files (x86)\CodeMeter"

I would suggest submitting the .EXE file to F-Secure virus lab at:
https://www.f-secure.com/en/web/labs_global/submit-a-sample

Tick the "more details" checkbox and fill in the details, so you can receive a response. Maybe they will be able to crate a "false alarm" style correction in the database update, thereby solving your problem?

Best Regards: Tamas Feher, Hungary.

HolMi

Messages:

Date: 2018-03-23 08:18:20+01:00
Host: machine01.test.com (10.1.10.22, ::1) Computer name: MACHINE01 User account: MACHINE01-COM\testuser
Product: F-Secure DeepGuard (OID: 1.3.6.1.4.1.2213.53)
Severity: security alert (5)
Message: DataGuard prevented an untrusted application from modifying protected files.

Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE
File: C:\Users\testuser\Desktop\Internet Explorer.lnk