Elements Endpoint Protection - DataGuard feature blocks Windows processes and applications installed in the Windows Users or AppData folder

Issue:

When the DataGuard features Access control and Discover trusted applications automatically are enabled for Elements EPP for Computers/Servers, DataGuard blocks Windows processes and applications installed in the Windows Users, AppData or System32 folder.

The Security Events tab in the Elements Security Center shows an alert with the Source as DataGuard and the Description "DataGuard has blocked an attempt to access"

Elements Agent Event History on the device shows "Application was blocked from accessing your files" and the Reason as Ransomware:AccessControl.

Resolution:

If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, WhatsApp.exe etc.) is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to modify a file that is located in a protected path. You can view the currently trusted application paths in the Elements Security Center:

Select Environment from the left side bar
Go to the Devices page
Click the device that has DataGuard enabled
Under the Protection status tab, click on the DataGuard (Premium) section

This will show you the currently protected paths and the currently trusted application paths.

To prevent DataGuard from blocking an application, you can either:

Install the application to a trusted path, such as C:\Program Files (x86)\
Add the application path to the Manually added trusted applications and folders list

How to add the application path to the Manually added trusted applications and folders list in the Elements Security Center:

Select Security Configurations from the left side bar
Go to the Profiles page
Select the profile the device is using
Go to the DataGuard settings page
In the Access Control section, click Add path below Manually added trusted applications and folders
Add the full path of the application, example C:\Users\Username\Documents\exampleprogram\example.exe
Click Save and publish the profile

Note: You can use system environment variables when you want to create an exclusion for many users. The supported environment variables are: %USERPROFILE%, %HOMEDRIVE%, %HOMEPATH%, %APPDATA%, %ProgramFIles%, %ProgramFiles(x86)% %ProgramData%, %windir%, %SystemRoot%, %SystemDrive%

Example: %USERPROFILE%\AppData\Local\Mozilla Firefox\firefox.exe

If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page in the Elements Security Center:

Select Events from the left side bar
Go to the Security Events page
Click on the arrow on the left side of the DataGuard detection

From the Security Events page you can also add the application to the Manually added trusted applications and folders list:

Click on the Three dots on the right side of the DataGuard detection
Select Add the application to the Dataguard's trusted list
Click Save and publish