EPP for Server Premium behavior

Kari · 2022-09-09T14:28:33+00:00

There was an error rendering this rich post.

Hi,

I'm writing about an issue we had a few days ago.

Context: Windows Server 2016 with WithSecure Elements EPP for Servers Premium. DataGuard is active on every user's main folders (no domain) and on 3 data folders. All of a sudden after DataGuard detected a suspicious application (known application and known alert that was reported before without any further issues) the whole system crashed and the agent locked almost every single file, system file, and system setting. Everything on that server was locked by WithSecure making it unusable. The only thing I could do to unlock it was to completely remove anything related to WithSecure from Windows SafeMode.

What I'd like to understand is if this is a normal behavior of EPP and if that means that a malware was trying to attack and to protect data EEP "locked down" anything or not. What else could have been the trigger?

Attached there's EventViewer log that shows the exact moment from which everything started.

Thank you

Find more posts tagged with

Unlocking

Dataguard

Accepted answers

All comments

Kari

Hi Jamesch,

thank you for your reply.

It could be related but no external disks were used, it locked the main disk making the device unusable and remotely nothing was possible to do (disable device control or anything else). The only possible solution was to remove from safe mode the agent and reinstall it.

How we can avoid this same situation for the future without disabling DeviceControl?

Thank you

JamesC

Hi Kari

Dataguard doesn't lock files, it blocks only the suspicious process.

From your screenshot, I noticed many Device Control locks which could be related to the outage we had -

https://status.withsecure.com/incidents/ndz03scxxlxf