Elements Endpoint Protection DataGuard Ransomware access control blocks C:\Windows\System32\svchost.exe

Issue:

We are getting lot of Ransomware access control alerts caused by Elements Endpoint Protection feature DataGuard, which is blocking C:\Windows\System32\svchost.exe
What is the root cause of this?

Resolution:

Ransomware access control is a DataGuard feature, which provides the user the ability to safeguard important data from ransomware. More info are provided in this article and in this Help Guide.

In this particular case, where DataGuard is enabled for specific folders to safeguard against ransomware. As from this, svchost.exe (a legit Windows application) might try to access the file that is available in those folders, which is immediately blocked by DataGuard. By Default svchost.exe is not a trusted application by DataGuard.

You can find more details about this detection from the Elements Endpoint Protection Portal:

Log in to the Elements Endpoint Protection Portal
From the menu on the left, click Security Events PILOT
Click on the detection and you will see similar details:

Application C:\Windows\System32\svchost.exe
Target C:\Users\Username\Desktop\My Documents\examplematerial.xlsx
Profile version xxxxxxxxx
Client timestamp Oct 30, 2020 4:51:35 AM
Transaction id 0000-xxxxxxxxx

This means that svchost.exe has tried to modify examplematerial.xlsx which is saved on the users Desktop protected by DataGuard.

DataGuard works differently from our other engines, as it tries to be as paranoid as possible (even detecting Microsoft Windows files). This is because some malwares will inject into legitimate Microsoft files, which explains why DataGuard is more paranoid compared to other engines. DataGuard only allows trusted applications to modify protected files. By default svchost.exe is not a trusted application.

So, this leaves you with one choice, which is to either leave it as it is (Which we recommend) or add svchost.exe as a trusted application. If you want to do the latter, then you can follow the steps in the Help Guide.

You can also use Windows process monitor to figure out which svchost process exactly has tried to modify the file.
It can also be some windows or 3rd party feature using this process, and in case you don't need it, you can disable it, but it has nothing to do with our product - we just block write access to these files as we should

Article no: 000027366