DataGuard blocking files opened from Documents or Desktop

RefreshInternal · 2021-03-12T08:45:19+00:00

There was an error rendering this rich post.

I have lots of false positives of DataGuard blocking files opened from Windows Desktop and Documents. I have enabled OneDrive backup which makes a backup of Desktop and Documents to OneDrive. When a client opens a file from Documents, dataguard blocks it:

Type: ransomware access control

Target: C:\Users\Username\Documents\filename.xlsx

Infected object: C:\Users\Username\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Today it blocked GoToMeeting from accessing a file from Desktop claiming infection again:

Type: ransomware access control

Target: C:\Users\Username\Desktop\GoToWebinar 000.png

Infected Object: C:\Users\Username\AppData\Local\GoToMeeting\19228\g2mui.exe

It has blocked several different filetypes.

What can be done to resolve these false positives?

Find more posts tagged with

Accepted answers

All comments

MonikaL

Hi,

If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, etc.) is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to modify a file that is located in a protected path. You can view the currently trusted application paths from the PSB Portal:

Go to the Devices page

Click a device that has DataGuard enabled

In the Protection status tab, click on the DataGuard (Premium) section

This will show you the currently protected paths and the currently trusted application paths.

To not have DataGuard block an application, you can either:

Install the application to a trusted path, such as C:\Program Files (x86)\
Add the application path to the Manually added trusted applications and folders list.

RefreshInternal

Since I had over 50 alerts all connected to OneDrive with several different filetypes (jpg,png,csv,txt,dwg,xlsx) it seemed very unlikely that they were all infected.

I added OneDrive Path to trusted applications manually:

%USERPROFILE%\AppData\Local\Microsoft\OneDrive\OneDrive.exe

This fixed the problem. It would be great if OneDrive would be trusted by F-Secure by default.

MonikaL

Hi,

If you suspect that:

A clean file has been falsely detected as malicious, you can submit the file to our labs for further investigation. To submit a sample file, go to the following page: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file

Select the File Sample tab.

Click Choose File, and attach your sample file.

Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.

Note: Subject and description should be written in English.

Verify that you are not a robot with reCAPTCHA.

Click Submit sample file.

The sample submission is analyzed by our analysts and the databases will be updated if necessary.