Issue:
When the DataGuard features Access control and Discover trusted applications automatically are enabled for Elements EPP for Computers/Servers, DataGuard blocks Windows processes and applications installed in the Windows Users, AppData or System32 folder.
The Security Events tab in the Elements Security Center shows an alert with the Source as DataGuard and the Description "DataGuard has blocked an attempt to access".
Elements Agent Event History on the device shows "Application was blocked from accessing your files" and the Reason as Ransomware:AccessControl.
Resolution:
If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, WhatsApp.exe etc.) is in the Windows Users or AppData directory, that location is not a trusted application location by default, so the application is blocked if it tries to modify a file in a protected path. You can view the currently trusted application paths in the Elements Security Center:
- Select Environment from the left side bar
- Go to the Devices page
- Click the device that has DataGuard enabled
- Under the Protection status tab, click on the DataGuard (Premium) section
This will show you the currently protected paths and the currently trusted application paths.
To prevent DataGuard from blocking an application, you can either:
- Install the application to a trusted path, such as C:\Program Files (x86)\
- Add the application path to the Manually added trusted applications and folders list
How to add the application path to the Manually added trusted applications and folders list in the Elements Security Center:
- Select Security Configurations from the left side bar
- Go to the Profiles page
- Select the profile the device is using
- Go to the DataGuard settings page
- In the Access Control section, click Add path below Manually added trusted applications and folders
- Add the full path of the application, for example C:\Users\Username\Documents\exampleprogram\example.exe
- Click Save and publish the profile
Note: You can use system environment variables when you want to create an exclusion for many users. The supported environment variables are: %USERPROFILE%, %HOMEDRIVE%, %HOMEPATH%, %APPDATA%, %ProgramFiles%, %ProgramFiles(x86)%, %ProgramData%, %windir%, %SystemRoot%, %SystemDrive%
Example: %USERPROFILE%\AppData\Local\Mozilla Firefox\firefox.exe
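Added example (not part of the original article and not WithSecure code): a small Python helper that turns per-user detection paths into one trusted-list entry per application, using variables from the supported list above. The function names, the sample paths and the mapping of each variable to its default location on C: are assumptions made for illustration.

```python
import re

# Variables from the supported list above, paired with the default location
# each one normally resolves to (assumption: stock Windows install on C:).
# More specific prefixes come first so %APPDATA% wins over %USERPROFILE%.
PREFIXES = [
    ("%APPDATA%", r"C:\\Users\\[^\\]+\\AppData\\Roaming"),
    ("%USERPROFILE%", r"C:\\Users\\[^\\]+"),
    ("%ProgramFiles(x86)%", r"C:\\Program Files \(x86\)"),
    ("%ProgramFiles%", r"C:\\Program Files"),
    ("%ProgramData%", r"C:\\ProgramData"),
    ("%windir%", r"C:\\Windows"),
]


def to_trusted_entry(path):
    """Rewrite a concrete path with a supported variable; else return it as is."""
    for var, pattern in PREFIXES:
        # The prefix must end at a path separator, so "C:\Program Files"
        # never matches inside "C:\Program Files (x86)".
        m = re.match(pattern + r"(?=\\|$)", path, re.IGNORECASE)
        if m:
            return var + path[m.end():]
    return path


def trusted_entries(blocked_paths):
    """Collapse per-user paths into a de-duplicated list of entries."""
    seen = {}
    for p in blocked_paths:
        entry = to_trusted_entry(p.strip())
        seen.setdefault(entry.lower(), entry)  # Windows paths ignore case
    return sorted(seen.values(), key=str.lower)


# Constructed sample: detection paths as they might be copied from events.
SAMPLE = [
    r"C:\Users\alice\AppData\Local\Mozilla Firefox\firefox.exe",
    r"C:\Users\bob\AppData\Local\Mozilla Firefox\firefox.exe",
    r"c:\users\carol\AppData\Roaming\ExampleApp\example.exe",
    r"C:\Users\Username\Documents\exampleprogram\example.exe",
]

if __name__ == "__main__":
    for entry in trusted_entries(SAMPLE):
        print(entry)
```

Each resulting entry names a single executable, so the exclusion covers that application for every user without trusting the whole profile folder.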
If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page in the Elements Security Center:
- Select Events from the left side bar
- Go to the Security Events page
- Click on the arrow on the left side of the DataGuard detection
From the Security Events page you can also add the application to the Manually added trusted applications and folders list:
- Click on the Three dots on the right side of the DataGuard detection
- Select Add the application to the Dataguard's trusted list
- Click Save and publish
Article no: 000007003