F-Secure Client Premium 13.10 - DataGuard with NETLOGON
When logging in, we use login scripts that are located on a domain controller. As a trusted application within DataGuard we have set the netlogon directory %LOGONSERVER%\NETLOGON\ in policy manager. Nevertheless, we get the error when logging in that the program could not be trusted.
Comments
-
Messages:
Date: 2018-03-23 08:18:20+01:00
Host: machine01.test.com (10.1.10.22, ::1)
Computer name: MACHINE01
User account: MACHINE01-COM\testuser
Product: F-Secure DeepGuard (OID: 1.3.6.1.4.1.2213.53)
Severity: security alert (5)
Message: DataGuard prevented an untrusted application from modifying protected files.
Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE
File: C:\Users\testuser\Desktop\Internet Explorer.lnk
1 -
Hello,
> Message: DataGuard prevented an untrusted app from modifying protected files
> Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE
I'm afraid you may be out of luck here, as this knowledge base article says:
https://community.f-secure.com/t5/Business/Using-wildcards-in-exclusions/ta-p/20428
"...DeepGuard supports exclusions configured for real-time protection but they need to meet the following criteria:
- Device names are not supported; use standard paths with drive letters and
- Wildcards are not supported.
Examples:
Wrong: \\Device\\HarddiskVolume1\\CodeMeter\\*
Correct: c:\Program files (x86)\CodeMeter"
I would suggest submitting the .EXE file to F-Secure virus lab at:
https://www.f-secure.com/en/web/labs_global/submit-a-sample
Tick the "more details" checkbox and fill in the details, so you can receive a response. Maybe they will be able to create a "false alarm" style correction in the database update, thereby solving your problem?
Best Regards: Tamas Feher, Hungary.
0 -
Hello
thanks for this quick reaction.
However, the problem is not recognized.
The KIX file is not blocked by antivirus, but by DeepGuard.
Therefore, changes in the database will bring nothing.
We also do not use wildcards.
System variables are used that are familiar to every Windows system (%LOGONSERVER%).
This is also supported according to policy manager.
But it probably does not work with exactly these variables.
0 -
Hello HolMi,
> But it probably does not work with exactly these variables.
You are right. In PM Console, the help text for the field "Folder" in the "Protected folders" table contains the list of supported environment variables:
%UserProfile%, %HomeDrive%, %HomePath%, %ProgramData%, %WinDir%, %SystemRoot%, %SystemDrive%, %ProgramFiles%, and %ProgramFiles(x86)%.
The same limitation affects "Trusted applications" table. Sorry for the inconvenience.
Best regards,
Vad
0 -
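A small linter for Policy Manager path entries, added here as an example; it is not part of any reply above and is not F-Secure tooling. It encodes only the rules quoted in this thread (the supported-variable list from the PM Console help text and the knowledge base article's wildcard and device-name criteria); applying the article's criteria to the "Trusted applications" table is an assumption, and the function names and sample entries are constructed.

```python
import re

# Variables listed in the PM Console help text quoted in this thread.
SUPPORTED_VARS = {
    "userprofile", "homedrive", "homepath", "programdata", "windir",
    "systemroot", "systemdrive", "programfiles", "programfiles(x86)",
}
VAR_RE = re.compile(r"%([^%\\]+)%")


def lint_entry(path):
    """Return the reasons an entry would not be honoured (empty list = ok)."""
    problems = []
    for name in VAR_RE.findall(path):
        name = name.strip()
        if name.lower() not in SUPPORTED_VARS:
            problems.append(f"unsupported variable %{name}%")
    if "*" in path or "?" in path:
        problems.append("wildcards are not supported")
    # Matches the KB's "Wrong" example, which starts with \\Device\\...
    if path.lower().lstrip("\\").startswith("device\\"):
        problems.append("device names are not supported")
    # Literal UNC paths are not judged: the thread does not settle them.
    return problems


def lint_policy(entries):
    """Map each problematic entry to its list of problems."""
    report = {}
    for entry in entries:
        problems = lint_entry(entry)
        if problems:
            report[entry] = problems
    return report


# Constructed sample entries, modelled on the paths mentioned in the thread.
SAMPLE_ENTRIES = [
    r"%LOGONSERVER%\NETLOGON",
    r"%ProgramFiles(x86)%\CodeMeter",
    r"c:\Program files (x86)\CodeMeter",
    r"\\Device\\HarddiskVolume1\\CodeMeter\\*",
]

if __name__ == "__main__":
    for entry, problems in lint_policy(SAMPLE_ENTRIES).items():
        print(f"{entry}: {'; '.join(problems)}")
```

Running it over an exported list of "Trusted applications" and "Protected folders" entries before distributing the policy shows which entries rely on variables outside the documented list.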
Hello,
> The KIX file is not blocked by antivirus, but by DeepGuard.
> Therefore, changes in the database will bring nothing
F-Secure Viruslab is also able to fix DeepGuard false alarms centrally, because there is the ORSP cloud tech and also DG has updates, for example the current one is 2018-03-23_01.
Best Regards: Tamas Feher, Hungary.
0 -
To protect DataGuard monitor specific folders on your system to prevent untrusted applications from modifying your files. DataGuard is very useful ransomware that is able to get past the product's other security layers.
DataGuard blocks suspicious applications that are considered to behave as ransomware and may block attempts to modify data folders by untrusted applications
Fixed: Firewall Application Control was sometimes unable to verify applications' reputation after restarting the computer.
0 -
Reviewed this morning with the latest DeepGuard database from yesterday evening. The described behavior has not changed so far.
0