Issue:
The Elements portal's Security Events page shows that "OfficeClickToRun.exe" was blocked from changing the "fshoster64.exe" process, where "fshoster64.exe" can be any WithSecure service.
Will selecting Acknowledge allow the specific process to run? Or do we still need to do manual whitelisting or exclusion?
Resolution:
We are aware of this issue. The alert is triggered because OfficeClickToRun.exe attempts to change our processes and our products block the action, so the alert is expected. No further action is required, and we are actively looking at how to reduce these alerts. For the time being, you can manually suppress the alerts or exclude the .exe file.
You can manually suppress the alerts by following these instructions:
How to suppress the alerts
- Log in to the Elements Security Center: https://elements.withsecure.com
- Go to the Events page
- Choose Security Events
- Locate the alert where DeepGuard has blocked "OfficeClickToRun.exe" from changing WithSecure processes
- Click on the three dots under "Menu"
- Click on Show similar events
- Click on Acknowledge all
This will acknowledge and clear all alerts regarding OfficeClickToRun.exe.
Note - Acknowledge will not allow the specific process to run. It is just about managing which items are handled and which are not.
If needed, you can also exclude the file or folder from scanning and DeepGuard monitoring:
How to exclude a file or folder from Real-Time Scanning or DeepGuard
- Log in to the Elements Security Center: https://elements.withsecure.com
- Navigate to the Security Configurations > Profiles page
- Choose the profile which the devices are using
- Go to the General settings page
- Scroll down to the Exclude folders and files from all security scans section and click Add exclusion
- In the Path field, add:
  - The full path for the application if you want to exclude a specific application
  - The folder path if you want to exclude a folder and its subfolders
- Click Save and publish
How to exclude a process from DeepGuard monitoring using the SHA-1
- Log in to the Elements Endpoint Protection portal
- Go to the Security events page
- Click on the three dots on the right side of the DeepGuard detection
- Select Exclude file by SHA1
- The file SHA1 is automatically added to the Exclude folders and files from all security scans list
- Click Save and publish
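Because an exclusion removes the file from all security scans, it is worth confirming on the endpoint that the file is the genuine signed binary, and noting its SHA-1 to compare with the entry in the exclusion list. The PowerShell below is an added example, not part of the original article or of WithSecure's tooling; the function name Test-ExclusionCandidate, the result field names and the expected publisher "Microsoft Corporation" are assumptions, and the file path is supplied by the administrator.

```powershell
# Added example (not WithSecure code): check a binary before excluding it.
function Test-ExclusionCandidate {
    [CmdletBinding()]
    param(
        # Full path of the file you intend to exclude (supplied by you).
        [Parameter(Mandatory)]
        [string] $Path,

        # Assumption: organisation name expected in the signer certificate subject.
        [string] $ExpectedPublisher = 'Microsoft Corporation'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode status is 'Valid' only if the signature verifies and chains to a trusted root.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    # SHA-1 is used here because the portal's exclusion is keyed on SHA1.
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash

    # Unsigned files have no signer certificate; treat the subject as empty.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $publisherMatches = $subject -like "*O=$ExpectedPublisher*"

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        SHA1            = $sha1
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        # True only for a valid signature from the expected publisher.
        SignatureOk     = ($sig.Status -eq 'Valid') -and $publisherMatches
    }
}

# Usage (replace the placeholder with the real path on the endpoint):
# Test-ExclusionCandidate -Path '<full path to OfficeClickToRun.exe>' | Format-List
```

If SignatureOk is False, or the SHA-1 differs from the one added to the exclusion list, investigate the file before publishing the exclusion.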
Article no: 000045820