EPP for Server Premium behavior
Hi,
I'm writing about an issue we had a few days ago.
Context: Windows Server 2016 with WithSecure Elements EPP for Servers Premium. DataGuard is active on every user's main folders (no domain) and on 3 data folders. All of a sudden after DataGuard detected a suspicious application (known application and known alert that was reported before without any further issues) the whole system crashed and the agent locked almost every single file, system file, and system setting. Everything on that server was locked by WithSecure making it unusable. The only thing I could do to unlock it was to completely remove anything related to WithSecure from Windows SafeMode.
What I'd like to understand is if this is a normal behavior of EPP and if that means that a malware was trying to attack and, to protect data, EPP "locked down" anything or not. What else could have been the trigger?
Attached is the EventViewer log that shows the exact moment from which everything started.
Thank you
Answers
Hi Kari
DataGuard doesn't lock files, it blocks only the suspicious process.
From your screenshot, I noticed many Device Control locks which could be related to the outage we had -
Hi Jamesch,
thank you for your reply.
It could be related, but no external disks were used; it locked the main disk, making the device unusable, and remotely nothing was possible to do (disable device control or anything else). The only possible solution was to remove the agent from safe mode and reinstall it.
How can we avoid this same situation in the future without disabling DeviceControl?
Thank you