Issue:
The Security Events page in the Elements portal shows that "OfficeClickToRun.exe" was blocked from changing the "fshoster64.exe" process, where "fshoster64.exe" can be any WithSecure service.
Will selecting Acknowledge allow the specific process to run, or do we still need to add a manual whitelist entry or exclusion?
Resolution:
We are aware of this issue. The alert is triggered because OfficeClickToRun.exe attempts to change WithSecure processes and the product blocks the action, so the alert is expected. When this alert is shown, it means that we have only blocked the process from touching WithSecure processes; all other actions of the detected process can continue as normal. If the alert is triggered for an installer, for example, the installer will still be able to complete its installation or update without issue.
You can manually acknowledge the alerts by following these instructions:
- Log in to the Elements Security Center: https://elements.withsecure.com
- Go to the Events page
- Choose Security Events
- Locate the alert where DeepGuard has blocked "OfficeClickToRun.exe" from changing WithSecure processes
- Click on the three dots under "Menu"
- Click on Show similar events
- Click on Acknowledge all
This will acknowledge and clear all alerts regarding OfficeClickToRun.exe.
Note: Acknowledging an alert does not allow the specific process to run. It only manages which items have been handled and which have not.
If needed, you can also exclude the file or folder from scanning and DeepGuard monitoring:
How to exclude a file or folder from Real-Time Scanning or DeepGuard
- Log in to the Elements Security Center: https://elements.withsecure.com
- Navigate to the Security Configurations > Profiles page
- Choose the profile which the devices are using
- Go to the General settings page
- Scroll down to the Exclude folders and files from all security scans section and click Add exclusion
- In the Path field, add one or all of the following:
  - Full path for the application if you want to exclude a specific application
  - Folder path if you want to exclude a folder and its subfolders
  - SHA-1 hash value of the process
- Click Save and publish
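Before entering a SHA-1 in the Path field, it is worth confirming on the endpoint that the binary behind the alert is the validly signed one you expect. The following PowerShell is an added example, not WithSecure code; the function name Get-ExclusionCandidate, its parameters and the expected publisher string are assumptions made for illustration.

```powershell
# Added example (not WithSecure code). Function and parameter names are hypothetical.
function Get-ExclusionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: publisher expected for OfficeClickToRun.exe; change for other apps.
        [string] $ExpectedSigner = 'Microsoft Corporation'
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # An unsigned file has no signer certificate at all.
    $subject = ''
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

    # Require a chain-valid signature AND the expected organisation in the subject.
    $verified = ($sig.Status -eq 'Valid') -and ($subject -like "*O=$ExpectedSigner*")

    # Only hand out a hash for a binary that passed verification.
    $sha1 = $null
    if ($verified) {
        $sha1 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
    }

    [pscustomobject]@{
        Path            = $file.FullName
        SignatureStatus = $sig.Status
        SignerSubject   = $subject
        Verified        = $verified
        SHA1            = $sha1
    }
}

# Resolve the image path from the running process rather than hard-coding it.
# Run elevated: Path is empty for service processes in a non-admin session.
Get-Process -Name OfficeClickToRun -ErrorAction SilentlyContinue |
    Where-Object Path |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-ExclusionCandidate -Path $_ }
```

A SHA-1 exclusion matches only that exact build of the file, so the check needs repeating after an update replaces the binary.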
How to exclude a process from DeepGuard monitoring using the SHA-1
- Log in to the Elements Endpoint Protection portal
- Go to the Security events page
- Click on the three dots on the right side of the DeepGuard detection
- Select Exclude file by SHA1
- The file SHA1 is automatically added to the Exclude folders and files from all security scans list
- Click Save and publish
Article no: 000045820