Ransomware: AccessControl message
Hi F-Secure
How can I create an exception for an app detected as Ransomware: AccessControl, but which is safe?
From the PSB Console it isn't possible; it displays this info:
Attention: DataGuard Action: Blocked
But there is no info about how to unblock this action or detection.
BR
Linck Tello Flores
Answers
-
Hi Linck
It appears the DataGuard component is blocking it. So under the PSB profile navigate to PREMIUM>Dataguard and add your exclusion there.
You can either add specific executables, e.g. "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" or "C:\Program Files (x86)\Microsoft Office\root\Office16\"
Note: When adding a folder, you must end the string with a backward slash \. This will include all executables and subfolders in that folder.
When using folders, you can use Windows environment variables, e.g. "%WINDIR%" to point to the Windows directory (typically C:\Windows).
Allowed System Environment variables:
%ProgramData%, %APPDATA%, %windir%, %SystemRoot%, %SystemDrive%, %ProgramFiles(x86)%, %ProgramFiles%.
Allowed per user Environment variables:
%Desktop%, %Favorites%, %My Music%, %My Pictures%, %My Video%, %Personal%.
Important: As all subfolders in specified folders are included, do not define folders that are close to the root level. For instance, specifying "C:\" as a trusted folder sets all executables on the C: drive as trusted applications.
1 -
But the process doesn't work.
I added the folder but PSB keeps blocking.
I tried manually and from PSB and the result is the same: blocked!
How can I resolve this issue?
BR
Linck
0 -
Hi Linck
Can you please share a screenshot showing where you are adding the exclusion?
0 -
Hello Jamesch
Check the images.
0 -
Hi Linck
I believe you have added the exclusions incorrectly. Your screenshot shows you have added them to Application Control. You need to add these exclusions on the PSB Profile - DataGuard component. See the example in my image below.
0 -
Hi James
Same block; this was tried before writing this question. It isn't working.
How can I check whether Dataguard is really bypassing this exclusion?
BR
Linck Tello Flores
0 -
Hi James
Do you have some info about this case?
BR
Linck Tello Flores
0 -
Hi Linck
Double check your exclusion paths again.
In the Application log in Event Viewer, an alert similar to the following is normally logged, which shows the target folder for the blocked application:
DataGuard stopped a suspicious application that tried to modify protected files.
Application path: C:\Windows\System32\svchost.exe
Target path: C:\Users\FStest\AppData\Local\TileDataLayer\Database\vedatamodel.edb
0 -
Hello
Check the image:
BR
Linck
0 -
Hi Linck
It appears the detection does not match the exclusion.
%userprofile% is a user environmental variable, so you can use:
:\Users\*\AppData\Roaming\
"*" denotes all folders in this place. It is not "any path" but "any folder under this path without subfolders".
It applies only to one folder in the path, not to the full path, e.g. this will not work: :\*\
So, in your scenario, please try to exclude %UserProfile%\AppData\Local\Microsoft\OneDrive\. If this doesn't work then you can exclude %ONEDRIVE%
0 -
Hi James
This entry worked fine:
The other options:
%UserProfile%\AppData\Local\Microsoft\OneDrive\
%ONEDRIVE%
don't.
Thank you for your help.
BR
Linck Tello Flores
1
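The exclusion rules quoted in the answers above (trailing backslash on folders, the allowed variable lists, "*" standing for a single folder, and the root-level warning) can be checked before an entry goes into the profile. The following is an added example, not part of the original thread and not vendor code: the function names, the segment-by-segment matching model and the sample paths are assumptions built only from what the replies describe.

```python
import re

# Variable names the thread lists as allowed in DataGuard exclusions.
ALLOWED_VARS = {v.lower() for v in (
    "ProgramData", "APPDATA", "windir", "SystemRoot", "SystemDrive",
    "ProgramFiles(x86)", "ProgramFiles", "Desktop", "Favorites",
    "My Music", "My Pictures", "My Video", "Personal")}
VAR_RE = re.compile(r"%([^%\\]+)%")

def _segments(path):
    return [p for p in path.split("\\") if p]

def _named(parts):
    # Folder names that are neither a drive ("C:") nor a lone wildcard.
    return [p for p in parts if p != "*" and not p.endswith(":")]

def lint_entry(entry):
    """Return the rules from the thread that an exclusion entry breaks."""
    issues = []
    for name in VAR_RE.findall(entry):
        if name.lower() not in ALLOWED_VARS:
            issues.append(f"%{name}% is not in the allowed variable lists")
    is_folder = not entry.lower().endswith(".exe")
    if is_folder and not entry.endswith("\\"):
        issues.append("folder entry must end with a backslash")
    if is_folder and not _named(_segments(entry)):
        issues.append("no named folder: too close to the root")
    return issues

def matches(entry, app_path, env):
    """Assumed matching model: case-insensitive, one path segment at a time."""
    # Variables missing from env (a caller-supplied map) stay unexpanded.
    expanded = VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), entry)
    want = [p.lower() for p in _segments(expanded)]
    have = [p.lower() for p in _segments(app_path)]
    if "*" in want and not _named(want):
        return False                  # per the thread, ":\*\" will not work
    if entry.endswith("\\"):          # folder entry: subfolders are included
        have = have[:len(want)]
    return len(want) == len(have) and all(
        w == "*" or w == h for w, h in zip(want, have))

if __name__ == "__main__":
    # Constructed entries and application path, for illustration only.
    app = "C:\\Users\\FStest\\AppData\\Roaming\\Tool\\tool.exe"
    for e in ("C:\\Users\\*\\AppData\\Roaming\\", "C:\\Tools", "C:\\",
              "%UserProfile%\\AppData\\Roaming\\"):
        print(repr(e), lint_entry(e), matches(e, app, {}))
```

Compare the "Application path" from the Event Viewer alert with each entry using `matches`; an entry that passes `lint_entry` but does not match that path is excluding the wrong location.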