Product Announcements & Troubleshooting Extended Detection and Response Endpoint Protection

How to transfer or change a corporate customer company from old reseller partner to new?
Elements Connector cannot show welcome page after installation
Elements Connector error "Connection to the update server has failed for address https://guts2.sp.f-secure.com"
Elements portal shows Malware protection malfunction status for an Elements Endpoint Protection for Mac device
WithSecure Technical Support Engineer Elements portal access during a support request
error: "ERR_SSL_PROTOCOL_ERROR" after going to a HTTPS web page
Security Events reported User name does not reflect what is reported in the Windows Event viewer
OfficeClickToRun.exe was blocked from changing the "withsecure process"
Organizations drop-down list empty when trying to add Elements Endpoint Detection and Response Automated Actions rule
No test report sent when Security Events source is used for Elements Email notification and report

Elements Endpoint Protection - DataGuard feature blocks Windows processes and applications installed in the Windows Users or AppData folder

Issue:

When the DataGuard features Access control and Discover trusted applications automatically are enabled for Elements EPP for Computers/Servers, DataGuard blocks Windows processes and applications installed in the Windows Users, AppData or System32 folder.

The Security Events tab in the Elements Security Center shows an alert with the Source as DataGuard and the Description "DataGuard has blocked an attempt to access"

Elements Agent Event History on the device shows "Application was blocked from accessing your files" and the Reason as Ransomware:AccessControl.

Resolution:

If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, WhatsApp.exe etc.) is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to modify a file that is located in a protected path. You can view the currently trusted application paths in the Elements Security Center:

Select Environment from the left side bar
Go to the Devices page
Click the device that has DataGuard enabled
Under the Protection status tab, click on the DataGuard (Premium) section

This will show you the currently protected paths and the currently trusted application paths.

To prevent DataGuard from blocking an application, you can either:

Install the application to a trusted path, such as C:\Program Files (x86)\
Add the application path to the Manually added trusted applications and folders list

How to add the application path to the Manually added trusted applications and folders list in the Elements Security Center:

Select Security Configurations from the left side bar
Go to the Profiles page
Select the profile the device is using
Go to the DataGuard settings page
In the Access Control section, click Add path below Manually added trusted applications and folders
Add the full path of the application, example C:\Users\Username\Documents\exampleprogram\example.exe
Click Save and publish the profile

Note: You can use system environment variables when you want to create an exclusion for many users. The supported environment variables are: %USERPROFILE%, %HOMEDRIVE%, %HOMEPATH%, %APPDATA%, %ProgramFIles%, %ProgramFiles(x86)% %ProgramData%, %windir%, %SystemRoot%, %SystemDrive%

Example: %USERPROFILE%\AppData\Local\Mozilla Firefox\firefox.exe

If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page in the Elements Security Center:

Select Events from the left side bar
Go to the Security Events page
Click on the arrow on the left side of the DataGuard detection

From the Security Events page you can also add the application to the Manually added trusted applications and folders list:

Click on the Three dots on the right side of the DataGuard detection
Select Add the application to the Dataguard's trusted list
Click Save and publish

Article no: 000007003