To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Windows 10 service pack update is blocked by dataguard

RefreshInternal
RefreshInternal Posts: 26 Contributor
edited June 2024 in Elements Endpoint Protection (EPP)

Can you add the file C:\$WINDOWS.~BT\Sources\SetupPlatform.exe to some global allowlist so that it doesn't get blocked by dataguard?

Best Answer

  • MonikaL
    MonikaL Posts: 205
    Solved

    Hi,

    The DataGuard functionality blocks SetupPlatform.exe because it is located in the C:\$WINDOWS.~BT\Sources\ folder, and it attempts to modify files located in folders protected by DataGuard.

    To see which file the application is trying to modify, you can check out the new Security Events page in the PSB Portal:

    1. Log in to the PSB Portal

    2. Click the Security Events button from the blue menu on the left side

    3. Click on the arrow on the left side to see more info


    With default DataGuard settings, applications in the C:\$WINDOWS.~BT\Sources\ are not listed as trusted applications. To see which applications are currently trusted, you can follow these steps:


    1. Log in to the PSB Portal

    2. Go to the Devices page

    3. Click a device which has DataGuard enabled

    4. From the Protection Status tab, click on DataGuard (Premium) and it will list all included paths (DataGuard protected folders) and then trusted applications (applications that can modify files in protected folders)


    SetupPlatform.exe is a legitimate Windows process and it is related to the Windows upgrade feature:

    https://superuser.com/questions/886098/what-is-the-windows-bt-folder


    In this case, you should add the C:\$WINDOWS.~BT\Sources\ folder as a trusted folder so that DataGuard does not block SetupPlatform.exe from modifying files in DataGuard protected folders. Follow the steps below to add the folder to the Manually added trusted applications and folders list:


    1. Log in to the PSB Portal

    2. Go to the Profiles page

    3. Click on the profile you want to modify

    4. Go to the DataGuard settings page

    5. Scroll down to the Access Control section and click the Add Path button under Manually added trusted applications and folders

    6. Add the following path: C:\$WINDOWS.~BT\Sources\

    7. Click Save and Publish

Answers

  • MonikaL
    MonikaL Posts: 205

    Hi,

    If the blocked application is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to access a file that is located in a protected location. You can view the currently trusted application locations from the PSB Portal:

    Log in to the PSB Portal

    Go to the Devices page

    Click a device that has DataGuard enabled

    In the Protection status tab, click on the DataGuard (Premium) section 

    This will show you the currently protected paths and the currently trusted application paths.


    To not have DataGuard block an application, you can add the application path to the Manually added trusted applications and folders list:

    Log in to PSB Portal

    Go to the Profiles page

    Select the profile the device is using

    Go to the DataGuard settings page

    In the Access Control section, click Add path below Manually added trusted applications and folders

    Add the full path of the application, example C:\Users\Username\Documents\exampleprogram\example.exe

    Click Save and publish the profile.


    If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page:

    Log in to the PSB Portal

    Go to the Security events page from the menu on the left

    Click on the double arrow on the left side of the detection.

  • RefreshInternal
    RefreshInternal Posts: 26 Contributor

    If you had read the question you would have seen that the folder in question is not under the Windows Users or AppData directory.

    Dataguard includes the feature to Discover trusted applications automatically. The description of this feature says that the default trusted applications include everything installed under Program Files and some safe system applications from the Windows folder.

    It would be great if it would include the default Windows update folder also and would not block feature updates.

  • RefreshInternal
    RefreshInternal Posts: 26 Contributor

    Thank you for the clarification. I looked up the security notification and it shows that the application path is C:\$WINDOWS.~BT\Sources\SetupPlatform.exe and the target is a pdf file created by the user that is saved on the Desktop.

    That is indeed a suscpicious activity and I cannot think of any reason why these two things should connect.

    Since the $WINDOWS.~BT folder is now gone I have no need to add it as an exeption.

    Thank you again.

This discussion has been closed.

Categories