Issue:
A DeepGuard Security alert is sent to the Elements Endpoint Protection portal's Security events list or Policy Manager Console's Alerts list.
Example:
Security alert: DeepGuard prevented an untrusted application from modifying another process.
Details: DeepGuard prevented an untrusted application from modifying another process.
Application path: C:\Program Files\exampleprogram\examplefile.exe
File hash: 2179dde55137b4a228135af0b45acc7752e13e15
Can this be a false positive and can the file be excluded?
Resolution:
DeepGuard includes a self-protection feature that prevents any process from terminating WithSecure's processes. DeepGuard monitors the OpenProcess function, which a program calls to obtain a handle to a WithSecure process, and checks whether termination rights are requested.
When DeepGuard detects that the program is trying to open a WithSecure process with the PROCESS_TERMINATE flag, it shows a block message and removes the flag, so the program cannot terminate the process.
This alert does not affect the functionality of the calling program: DeepGuard only removes the termination right, so the OpenProcess call proceeds with the reduced rights and the returned handle cannot be used to terminate WithSecure processes.
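The following is an added illustration, not DeepGuard's code: a small Python model of the check described above, using the real Win32 process access-right values from winnt.h. It shows why a benign program can trigger this alert without ever intending to kill anything: PROCESS_ALL_ACCESS (and any hand-built mask containing bit 0x0001) includes PROCESS_TERMINATE, whereas a least-privilege mask such as PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ does not. The function names and the "target is a WithSecure process" flag are assumptions made for the model.

```python
# Win32 process access-right bits (values from winnt.h).
PROCESS_TERMINATE                 = 0x0001
PROCESS_VM_READ                   = 0x0010
PROCESS_VM_WRITE                  = 0x0020
PROCESS_QUERY_INFORMATION         = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
SYNCHRONIZE                       = 0x00100000
STANDARD_RIGHTS_REQUIRED          = 0x000F0000
# PROCESS_ALL_ACCESS on Windows Vista and later: all specific rights plus the standard ones.
PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

RIGHT_NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
    SYNCHRONIZE: "SYNCHRONIZE",
}


def describe(mask: int) -> list:
    """Names of the known rights present in an access mask (for reading alerts)."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def self_protect_open(desired_access: int, target_is_withsecure: bool) -> tuple:
    """Model (assumed, not DeepGuard's implementation) of the OpenProcess check:
    if the target is a WithSecure process and PROCESS_TERMINATE is requested,
    clear that bit and raise an alert. Returns (granted_access, alert_raised)."""
    if target_is_withsecure and desired_access & PROCESS_TERMINATE:
        return desired_access & ~PROCESS_TERMINATE, True
    return desired_access, False


if __name__ == "__main__":
    callers = {
        "monitoring tool (least privilege)": PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
        "tool requesting PROCESS_ALL_ACCESS": PROCESS_ALL_ACCESS,
        "tool requesting terminate explicitly": PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION,
    }
    for label, mask in callers.items():
        granted, alert = self_protect_open(mask, target_is_withsecure=True)
        print(f"{label}: requested={describe(mask)} alert={alert} granted={describe(granted)}")
```

The practical reading for an administrator is that a "DeepGuard prevented an untrusted application from modifying another process" alert caused by a management or monitoring tool usually means that tool opens every process with PROCESS_ALL_ACCESS; the tool keeps working because only the terminate bit is dropped.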
If you want to make sure it is not a false positive, you can open a ticket to submit the file as a sample.
If you are absolutely sure it is a false positive and you do not want the alert shown, as a workaround you can exclude the program directly by its path and filename, or by excluding the SHA-1 value shown in the alert.
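Before adding a SHA-1 exclusion it is worth confirming that the hash in the alert really belongs to the binary at the reported path (and to the version of it currently installed). The following is an added Python helper, not part of the article or of any WithSecure product: it parses the "Application path: ... File hash: ..." Details text of the alert, computes the SHA-1 of the file on disk and compares the two. The demo() function works on a constructed throwaway file instead of the example path; the function names are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Matches the Details text of the alert: "Application path: <path> File hash: <40 hex chars>".
# \s+ also matches a line break, so a Details field split over two lines parses the same way.
DETAILS_RE = re.compile(
    r"Application path:\s*(?P<path>.+?)\s+File hash:\s*(?P<sha1>[0-9a-fA-F]{40})"
)


def parse_alert_details(details: str) -> dict:
    """Extract the application path and SHA-1 from an alert's Details text."""
    m = DETAILS_RE.search(details)
    if not m:
        raise ValueError("Details text does not contain an application path and SHA-1")
    return {"path": m.group("path"), "sha1": m.group("sha1").lower()}


def sha1_of_file(path: str) -> str:
    """SHA-1 of a file, streamed in 64 KiB chunks (same value as Get-FileHash -Algorithm SHA1)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches_alert(details: str, path_override: str = None) -> bool:
    """True if the file on disk has the SHA-1 reported in the alert.
    path_override lets you check a copy when the alert's path is not on this machine."""
    alert = parse_alert_details(details)
    target = path_override or alert["path"]
    return sha1_of_file(target) == alert["sha1"]


def demo() -> tuple:
    """Constructed demonstration: a temporary file stands in for examplefile.exe.
    Returns (match before the file changes, match after the file changes)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(b"MZ constructed sample binary")
        sample = f.name
    try:
        details = f"Application path: {sample} File hash: {sha1_of_file(sample)}"
        before = hash_matches_alert(details)
        with open(sample, "ab") as f:
            f.write(b"\x00")  # simulate the program being updated on disk
        after = hash_matches_alert(details)
    finally:
        os.remove(sample)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The second value returned by demo() is the caveat to keep in mind when choosing between the two exclusion types described above: a SHA-1 exclusion stops matching as soon as the program is updated, so the alert returns after the next release, whereas a path exclusion survives updates but also covers whatever is later placed at that path.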
Follow these steps to add an exclusion:
For Business Suite (Client Security and Server Security) using Policy Manager policy:
- Log in to the Policy Manager Console
- Select a policy domain or host from the Domain Tree
- Go to the Settings tab
- Go to the Real-time scanning settings
- Scroll to the Files and applications excluded from scanning table and enable Do not scan the following files and applications
- Click Add
- Set the scope as All scans and select File path from the drop-down menu
- Add the file path C:\Program Files\Exampleprogram\examplefile.exe and click OK
- Distribute the policy (Ctrl + D)
For Elements Endpoint Protection (EPP for Computers and EPP for Servers) using portal profile:
- Log in to the Elements Security Center: https://elements.withsecure.com
- Open the Security configurations section from the menu on the left
- Go to the Profiles page
- Choose the profile which the device is using
- Go to the General settings page
- Scroll down to the Exclude folders and files from all security scans section and click Add exclusion
- In the Path field, add either:
  - the full path of the application, to exclude a specific application
  - a folder path, to exclude that folder and its subfolders
- Click Save and publish
The SHA-1 can also be added manually to the DeepGuard protection rules. Follow the steps below to add a SHA-1 exclusion in DeepGuard manually:
- Log in to the Elements portal
- Open the Security Configurations section from the menu on the left
- Select the Profiles tab on the left
- Select the profile you want to add the exclusion to
- Select Real-time scanning on the left
- Scroll down to DeepGuard protection rules
- Click on Add rule
- Fill in the SHA-1 hash and a note about the application
- Click Save and Publish
Article no: 000029044