Issue:
When the DataGuard features Access control and Discover trusted applications automatically are enabled for Elements EPP for Computers or EPP for Servers, DataGuard blocks Windows processes and applications installed in the Windows Users, AppData or System32 folder.
The device's Security Events tab in the Elements Endpoint Protection Portal shows an alert with the Source as DataGuard and the Description "DataGuard has blocked an attempt to access".
Elements Agent Event History on the device shows "Application was blocked from accessing your files" and the Reason as Ransomware:AccessControl.
Resolution:
If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, WhatsApp.exe etc.) is in the Windows Users or AppData directory, that location is not a trusted application location by default, so the application is blocked when it tries to modify a file located in a protected path. You can view the currently trusted application paths from the Elements Endpoint Protection Portal:
- Log in to the Elements Security Center
- Click See more details in the Endpoint Protection section
- Go to the Devices page
- Click a device that has DataGuard enabled
- In the Protection status tab, click on the DataGuard (Premium) section
To stop DataGuard from blocking an application, you can either:
- Install the application to a trusted path, such as C:\Program Files (x86)\
- Add the application path to the Manually added trusted applications and folders list:
  - Log in to the Elements Endpoint Protection Portal
  - Go to the Profiles page
  - Select the profile the device is using
  - Go to the DataGuard settings page
  - In the Access Control section, click Add path below Manually added trusted applications and folders
  - Add the full path of the application, for example C:\Users\Username\Documents\exampleprogram\example.exe
  - Click Save and publish the profile
Example: %USERPROFILE%\AppData\Local\Mozilla Firefox\firefox.exe
If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page:
- Log in to the Elements Endpoint Protection Portal
- Go to the Security events page from the menu on the left
- Click on the double arrow on the left side of the detection
- Log in to the Elements Endpoint Protection Portal
- Go to the Security Events page
- Click on the three dots on the right side of the DataGuard detection
- Select Add the application to the Dataguard's trusted list
- Click Save and publish
Article no: 000007003