
EPP for Server Premium behavior

Kari W/ Partner Posts: 6 Security Scout

Hi,

I'm writing about an issue we had a few days ago.

Context: Windows Server 2016 with WithSecure Elements EPP for Servers Premium. DataGuard is active on every user's main folders (no domain) and on 3 data folders. All of a sudden, after DataGuard detected a suspicious application (a known application and a known alert that was reported before without any further issues), the whole system crashed and the agent locked almost every single file, system file, and system setting. Everything on that server was locked by WithSecure, making it unusable. The only thing I could do to unlock it was to completely remove anything related to WithSecure from Windows Safe Mode.

What I'd like to understand is whether this is normal behavior of EPP, and whether it means that malware was trying to attack and, to protect data, EPP "locked down" anything or not. What else could have been the trigger?

Attached is the Event Viewer log that shows the exact moment from which everything started.

Thank you


Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 525 Moderator

    Hi Kari

    DataGuard doesn't lock files, it blocks only the suspicious process.

    From your screenshot, I noticed many Device Control locks which could be related to the outage we had -

    https://status.withsecure.com/incidents/ndz03scxxlxf

  • Kari
    Kari W/ Partner Posts: 6 Security Scout

    Hi JamesC,

    Thank you for your reply.

    It could be related, but no external disks were used; it locked the main disk, making the device unusable, and nothing could be done remotely (disable Device Control or anything else). The only possible solution was to remove the agent from safe mode and reinstall it.

    How can we avoid this same situation in the future without disabling Device Control?

    Thank you

This discussion has been closed.