How to debug DataGuard blocking svchost.exe

MarttiNuudi (Alumni, Posts: 10, Security Scout)

Hi

A couple of Windows 10 computers running PSB are sending me blocking messages about svchost.exe every other week. Is there a log where I can check what exactly causes this block?

AV Alert that I get:

F-Secure Protection Service for Business has identified the following security incidents:

Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1

Mon, 19 October 2020 09:53:07 UTC|CompanyName|Computername||Blocked|DataGuard|C:\Windows\System32\svchost.exe|

Answers

  • MonikaL (Alumni, Former Staff, Posts: 206)

    Hi MarttiNuudi,

    If the warning appears at startup and a full computer scan does not find any suspicious files, it is very likely that there is a script in the Windows startup folder that is run when the user logs in. Check the folder that is shown below and see if there are any suspicious startup files. You can, for example, temporarily move startup files one by one to a different folder and do a system restart in between to see if you still receive the warning during startup.

    C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

    The AppData folder is hidden by default, so you can either enable showing hidden files in the folder or write the path directly into the File Explorer address field.

  • MikaArasola (Partner, Staff, Product Leadership, Posts: 68)
    edited October 2020

    I would start by looking under Security Events to see how the detection looks there. The email for DataGuard is a bit misleading as it reports only the executable without the target. DataGuard works with an ACL, so it will block all untrusted applications from accessing the protected resources.

    • Open Security events
    • Set a filter for source -> DataGuard
    • Expand the event for svchost.exe with the arrows on the left side and look at what the target file is

    To debug further than this, you can try to use Application Control:

    • Open your profile (or create a new one for testing with a subset of computers)
    • Select the Application control section
    • Select "add exclusion" to create a rule

    Create rules with the following settings:

    rule1:

    • Event: "File Access"
    • Action: "Allow and monitor"
    • Condition: "target path" -> "contains" -> file path detected in DataGuard

    rule2:

    • Event "Application start and module load"
    • Action "Allow and monitor"
    • Condition: "target path" -> "contains" -> svchost.exe

    rule3:

    • Event: "File Access"
    • Action: "Allow and monitor"
    • Condition: "target path" -> "contains" -> svchost.exe

    Ensure these 3 rules are at the top of the exclusion list, and disable them when you are done (they will generate noise, and cause lower rules to be skipped if they match).

    With these you might find out what is calling svchost.exe. Please notice that some system applications might not generate an Application Control event (we are working on that), so it's possible to still miss out on the details.

  • MarttiNuudi (Alumni, Posts: 10, Security Scout)

    Thank you for the pointers. I found the place that I should have looked at first: the PSB portal and the computer's security events and blocked programs. The reasons for blocking still leave me puzzled:

    C:\$WINDOWS.~BT\Sources\SetupPlatform.exe   8 Sep 2020 14:34:38   C:\Users\ABC\Desktop\08.06.2020.jpeg   DataGuard

    C:\Windows\System32\svchost.exe   13 Oct 2020 15:27:50   C:\Users\ABC\Desktop\ABC\video\2020.10.11 by ABC\by ABC 2.mp4   DataGuard

    C:\Windows\System32\svchost.exe   19 Oct 2020 12:53:07   C:\Users\ABC\Desktop\MAP-1.jpg   DataGuard

    Aren't these media files checked by F-Secure real-time scanning when copied to the computer and safe for opening?

    BTW, I checked the event log and there were no events under the Security or Application log, but it would be great to have them there.

  • MikaArasola (Partner, Staff, Product Leadership, Posts: 68)

    The client scans all relevant files to see if they are safe. The file extensions that were scanned used to be shown in the profile editor (so you could even change them), but that option was removed. The main reason for removal was that after an admin modified the list, it would be difficult for us to add new file types when they are needed.

    Please notice that DataGuard blocking a file does not automatically indicate that the file or application was malicious. While DataGuard does add some advanced DeepGuard (our heuristics engine) protections, the main logic for DataGuard is to work as an ACL blocking any untrusted application from modifying files in trusted locations. In this case trusted does not even mean trusted vendors (our normal protection already protects against those cases), but actually applications trusted by you.

    In the DataGuard section of profile editor you have an option for "Discover monitored user data folders automatically". When this feature is enabled then the default locations containing user documents are protected quite aggressively against modifications. Any application attempting to modify the files needs to be separately set as trusted under "manually added trusted applications and folders".

    If your organisation has clearly defined rules for what locations could contain the most valuable user data, then you can turn off the automatic discovery of locations, and rather define them manually. This would likely dramatically reduce the number of cases where access is blocked.

    By event log I assume you mean the Windows event log? I can pass this message forward to the client team; generally all detections should be visible there as far as I'm aware, so this could be an oversight.
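As an added example (not F-Secure's code and not posted by anyone in this thread), the Python below parses the pipe-delimited alert email quoted in the question and the portal "blocked programs" rows pasted above, joins them to recover the target file that the email omits, and applies the trusted-list / user-data-folder rule described in the last two replies as a simple model. The set of default user-data folders and the three-space column separator are assumptions; all sample rows are constructed from the thread.

```python
import re

# Constructed sample: the pipe-delimited alert email quoted in the question.
SAMPLE_ALERT = "\n".join([
    "Time|Account|Host|Infection|Action|Type|Infected Object|Infected Object SHA1",
    r"Mon, 19 October 2020 09:53:07 UTC|CompanyName|Computername||Blocked|DataGuard|C:\Windows\System32\svchost.exe|",
])
# Constructed sample: portal "blocked programs" rows as pasted in the thread
# (application, time, target, source), separated by runs of three spaces.
SAMPLE_EVENTS = "\n".join([
    r"C:\$WINDOWS.~BT\Sources\SetupPlatform.exe   8 Sep 2020 14:34:38   C:\Users\ABC\Desktop\08.06.2020.jpeg   DataGuard",
    r"C:\Windows\System32\svchost.exe   13 Oct 2020 15:27:50   C:\Users\ABC\Desktop\ABC\video\2020.10.11 by ABC\by ABC 2.mp4   DataGuard",
    r"C:\Windows\System32\svchost.exe   19 Oct 2020 12:53:07   C:\Users\ABC\Desktop\MAP-1.jpg   DataGuard",
])
# Assumed set of default user-data folders; the thread does not enumerate them.
USER_DATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|documents|pictures|videos|music|downloads)(\\|$)", re.I)

def parse_alerts(text):
    """One dict per alert row, keyed by the header's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split("|")
    return [dict(zip(cols, ln.split("|"))) for ln in lines[1:]]

def parse_events(text):
    """One dict per portal row; a target path may itself contain single spaces."""
    rows = []
    for ln in text.splitlines():
        if ln.strip():
            app, when, target, source = re.split(r" {3,}", ln.strip())
            rows.append({"application": app, "time": when, "target": target, "source": source})
    return rows

def targets_for(alerts, events):
    """Map each DataGuard-alerted executable to the targets the portal recorded for it."""
    out = {}
    for a in alerts:
        if a["Type"] == "DataGuard":
            exe = a["Infected Object"].lower()
            out[exe] = [e["target"] for e in events
                        if e["source"] == "DataGuard" and e["application"].lower() == exe]
    return out

def explain(event, trusted_apps):
    """Model of the rule as the thread describes it (not F-Secure's code): an app missing
    from the admin's trusted list that modifies a protected user-data location is blocked."""
    if event["application"].lower() in {t.lower() for t in trusted_apps}:
        return "allowed: application is on the trusted list"
    if USER_DATA_RE.match(event["target"]):
        return "blocked: untrusted application modifying a protected user-data folder"
    return "not covered by the user-data rule"
```

Running `explain` over the three rows shows that every block in the thread is a Desktop file touched by an executable absent from the trusted list, which is what the second reply describes rather than a malware verdict on the media files.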

This discussion has been closed.