Elements Endpoint Protection DataGuard Ransomware access control blocks C:\Windows\System32\svchost.exe

@import "https://static.cloud.coveo.com/searchui/v2.6063/css/CoveoFullSearch.min.css"; header {margin:52px 0 0 0} #dropdownnavi {float:left; clear:both; width:100%;} header .row {width:100%} header .row:nth-child(1) {background-color:#0014a0} header .container, footer .container {max-width:1172px; margin: auto;} .top-header {height:53px;} .bottom-header {height:52px;} .Header-logo {width: 10%;float: left;} .Header-logo img {width: 105px; margin: 11px 8px 8px 16px;} .header-top-links {float: right; margin: 1px 15px 0 0;} .header-top-link, .header-bottom-item {cursor: pointer; display: inline-block; font-size: 14px; font-weight: 400; line-height: 52px; margin: 0 15px; position: relative; text-align: center; } .header-top-link, .header-bottom-item a {text-decoration:none;} .header-top-link {color: #fff; margin: 0 10px 0 12px;} .header-top-link.active {margin-right:12px} .header-top-link.active::after {width: calc(100% + 30px)!important} .header-top-link.active::after, .header-top-link:hover::after {background: #fff;} .header-bottom-link {color: #1e1e1e;} .header-bottom-item .header-bottom-link {margin:0 15px} #opensearch-icon:before {content:"\f220";font-family:fsg-icon;font-size:26px;color:#ffffff} #closesearch-icon:before {content:"\f130";font-family:fsg-icon;font-size:26px;color:#ffffff} #opensearch-icon, #closesearch-icon {font-style: normal;} #opensearch-icon:hover, #closesearch-icon:hover {cursor:pointer} #homeLink {margin-left:1px} .kb-lang-title {width:100%;text-align:center;font-weight:600;color:black; margin:0} .header-right {float: right; margin: 10px 48px 0 0; padding: 3px; height: 30px; border-radius: 3px;} #signin {margin-top:5px} #signin a {text-decoration: none; color:#1e1e1e; } .signin-icon {float: left; height: 20px; padding: 0 5px 20px 0;} #articleslink hr, #dashboardlink hr {margin:0} #articleslink .title {padding: 0;text-align: center; font-weight: 600;} #articleslink p, #dashboardlink p {padding:10px 0 10px 20px;} #articleslink p a, #dashboardlink p a {text-decoration: none; color:#1e1e1e;} #articleslink .draftslink:hover, #dashboardlink p:hover {padding: 10px 0 10px 20px;} .header-coveosearch {position: relative; margin-top: -53px;} .header-search {display:inline-block;padding:8px 0 0 0;} .searchboxtoggle {color:white;} .header-searchcontainer {float: right; margin:0 18px 0 0; height:52px} .search-icon {color:white;} .expand {display:inline-block;} .collapse {display:none;} .header-searchbox {height:52px;} .CoveoSearchbox {background: white!important;margin-top: 3px!important;} .CoveoSearchbox .magic-box .magic-box-input > input {font-family: 'FSSansWeb';font-size: 14px;} #kbsearch {display:block;margin: 0 0 0 auto; height:53px; box-sizing: border-box; border: 1px solid white; font-size: 14px; padding: 14px 0 10px 15px;} header-searchbox.active, #kbsearch:focus {width: 100%; transition: 1s ease-in-out;} #helpForumsLink #menu-dropdown.ontouch {display: block;left: 25px;position: absolute;top: 52px;} #FaqsLink #kb-menu-dropdown.ontouch {display: block;left:0;position: absolute;top: 52px;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch, #FaqsLink #kb-menu-dropdown.ontouch .depth-2-list.ontouch {border: 1px solid #c4c4c4;left: calc(100% + 0px);position: absolute;top:-1px;width: 100%;display:block;background:white} #helpForumsLink #menu-dropdown.ontouch .dropdown-1-title, #helpForumsLink #menu-dropdown.ontouch .dropdown-2-title, #helpForumsLink #menu-dropdown.ontouch .dropdown-3-title,#FaqsLink #kb-menu-dropdown.ontouch .dropdown-1-title, #FaqsLink #kb-menu-dropdown.ontouch .dropdown-2-title, #FaqsLink #kb-menu-dropdown.ontouch .dropdown-3-title {display: block;text-align: left;margin-left:25px} #helpForumsLink #menu-dropdown.ontouch a.dropdown-1-title,#helpForumsLink #menu-dropdown.ontouch a.dropdown-2-title,#helpForumsLink #menu-dropdown.ontouch a.dropdown-3-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-1-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-2-title,#FaqsLink #kb-menu-dropdown.ontouch a.dropdown-3-title {font-weight:500!important;color:#8a8a8a;font-style: italic} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item, #FaqsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item {border-top: 1px solid #c4c4c4;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-2-item:first-of-type {border-top:none;} #helpForumsLink #menu-dropdown.ontouch .depth-2-list.ontouch .depth-3-list.ontouch {left: calc(100% + 0px);position: absolute;top:-1px;border: 1px solid #c4c4c4;width: 100%;display: block;border-bottom: none;background:white} #signin .header-bottom-item.header-bottom-link {display:inline-block; margin-top: -16px;} #signin a:hover {color:#0014a0} .signin-icon:before {content:"\f258";font-family:fsg-icon;font-size:22px;color:#363636;position:absolute;margin:-10px 0 0 -20px} .Footer {background:#f6f6f6;color:#555a62;font-size:16px;line-height:1.5;padding:18px 0; border-top:1px solid #c4c4c4} .Footer .footer-logo-wrap .footer-logo {height: auto; max-height: 32px; width: auto; margin-top:20px} .Footer .col {padding:0 0 0 15px;width: 23%; font-size: 13px; display: inline-block; vertical-align: top;} .Footer .footer-links-wrap {border-bottom: 1px solid #c4c4c4;max-width: 1172px; margin: auto;} .Footer .footer-links-wrap .col:nth-child(2), .Footer .footer-links-wrap .col:nth-child(3), .Footer .footer-links-wrap .col:nth-child(4) {border-right:1px solid #c4c4c4} .Footer .col ul {list-style: none;} .Footer .col:nth-child(2) ul {padding: 0;} .Footer .col ul li a {color: #1e1e1e; text-decoration: none;} .footer-link-title {text-transform: uppercase; color: #1e1e1e;} .footer-link-subtitle {font-size:14px; color: #1e1e1e; max-width:95%} .footer-icon {float: left; height: 30px; padding: 0 10px 60px 0;} footer.Footer .row.footer-links-wrap .col.footer-links {border:none;margin-bottom:0} footer.Footer .row.footer-links-wrap .col.footer-links h3 {font-size:16px} footer.Footer .row.footer-links-wrap .col.footer-links ul {padding:0 0 15px 0;margin-left:0} footer.Footer .row.footer-links-wrap .col.footer-links .footer-link{color:black;font-size:14px} footer.Footer .row.bottom-row .col.col-copyRight * {color:black;font-weight:400} footer.Footer .row.footer-links-wrap .col.footer-links .footer-link:hover, footer.Footer .row.bottom-row .col.col-copyRight:hover {color:#0014a0;} footer.Footer .row.bottom-row {border-top:none} footer.Footer .row.bottom-row .col {width:48%} footer.Footer .row.footer-links-wrap:nth-of-type(3) {padding-top:10px} .col-copyRight a, .social-icons-wrap a {display:inline-block; padding:5px 0; text-decoration: none; color: #1e1e1e; } .social-icons-wrap {float:right} .Footer a:hover, .Footer .col ul li a:hover, footer.Footer .row.bottom-row .col.col-copyRight *:hover {color:#0014a0} footer.Footer .row.bottom-row {padding-top:5px;max-width: 1172px;margin: auto;} footer.Footer .row.bottom-row .col.col-copyRight * {font-weight:400} social-link:hover {cursor:pointer} social-link:hover svg {fill:#0014a0} .social-link.facebook:before {content:"\f226";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.youtube:before {content:"\f231";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.twitter:before {content:"\f22f";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.linkedin:before {content:"\f22a";font-family:fsg-icon;font-size:38px;padding:10px 0;color:#363636} .social-link.facebook:hover::before,.social-link.youtube:hover::before,.social-link.twitter:hover::before, .social-link.linkedin:hover::before {color:#0f58dc} @media screen and (max-width:991px){ header {margin:0} header .row:nth-child(1) {height:64px} .Header-logo img {margin: 17px 8px 8px 16px;} .Hamburger-border {position: absolute; right: 60px; border-left: 1px solid #fff; height: 64px; width: 50px; top: 0; z-index: 20; border-right: 1px solid white; padding-right: 10px;} .Hamburger {display:block;position: absolute; top: 8px; left: calc(100% - 52px); z-index: 20;-webkit-box-align: center; -webkit-box-pack: center;-webkit-user-select: none; align-items: center; background: transparent; border: none; border-radius: 0;cursor: pointer;justify-content: center; outline: none;transition: .35s;} .Hamburger-menuXcross {height: 25px; padding: 0; width: 26px;} .Hamburger-menuLines {-o-transition: .35s;-webkit-transition: .35s; background-color: #fff; border-radius: 2px; display: inline-block; height: 2px; position: relative; transition: .35s; width: 26px;} .Hamburger-menuLines::before {top: 6px; } .Hamburger-menuLines::after {top: -6px;} .Hamburger-menuLines::after, .Hamburger-menuLines::before {-ms-transform-origin: 5.5px center;-o-transition: .35s;-webkit-transform-origin: 5.5px center;-webkit-transition: .35s;background-color: #fff;border-radius: 2px; content: ""; display: inline-block; height: 2px;left: 0;position: absolute;transform-origin: 5.5px center;transition: .35s;width: 26px;} .sr-only {position: absolute !important;width: 1px !important;height: 1px !important;padding: 0 !important;margin: -1px !important;overflow: hidden !important;clip: rect(0,0,0,0) !important;border: 0 !important;} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::before {-webkit-transform: rotate(45deg); transform: rotate(45deg);} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::after {-webkit-transform: rotate(-45deg);transform: rotate(-45deg);} .Hamburger-menuXcross.isToggled .Hamburger-menuLines::after, .Hamburger-menuXcross.isToggled .Hamburger-menuLines::before {-ms-transform-origin: 50% 50%;-webkit-transform-origin: 50% 50%;background-color: hsla(0,0%,100%,.6); left: 0;top: 0;transform-origin: 50% 50%;width: 26px;} .Hamburger-menuXcross.isToggled .Hamburger-menuLines {background: transparent;} .isToggled .Hamburger-menuLines {-webkit-transform: scaleX(1);transform: scaleX(1);} #signin {text-align:center; margin: auto; color:white} #signin a {text-decoration: none; color:white;} .header-top-links, .bottom-header {display: none} .header-coveosearch {margin-top:0} .header-searchcontainer {color: white; text-align: right; margin: 8px 18px 0 0;} .header-search { padding: 5px 0 0 0; width: 60px; margin: auto; display: block; position: absolute; right: 17px; top: 8px;} .searchboxtoggle {color:white} .header-searchbox {position: absolute; right: 60px; top: 0; height:65px; width:85%;z-index:30} .CoveoSearchInterface {margin-top:-3px} .CoveoSearchbox {margin-top:0;} .CoveoSearchInterface .CoveoSearchbox {margin-right:0;height:65px;} .CoveoSearchButton.coveo-accessible-button, .CoveoSearchbox .magic-box .magic-box-input > input {height:65px} #kbsearch {height:66px} .banner-middleContainer_f1l0wf96 {box-shadow: inset 0 10px 10px -10px #000;} #homeLink, #helpForumsLink, #FaqsLink, #userguidesLink, #supportLink, .header-right {width:100%; text-align: left; margin: 0; } #userguidesLink, #supportLink {border-top: 1px solid #dfdfdf;} #helpForumsLink, #FaqsLink {margin: 0 0 10px 25px;} .top-header-link {text-transform: uppercase; font-weight:700; color:#1e1e1e; font-size:14px; padding:15px 15px; line-height: 2em;} #dropdownnavi .top-header-link {margin: 3px 0 0 10px;} .header-bottom-link::after {background:none;} .header-bottom-item .header-bottom-link {margin:0 10px} .depth-1-list, .depth-2-list, .depth-3-list {list-style: none; margin: 0; padding:0 0 0 40px} .kb-lang-title {text-align:left;} #menu-dropdown {margin-top: -20px;} #kb-menu-dropdown .depth-2-list.open {padding-left:30px} .depth-1-list a, .depth-2-list a, .depth-3-list a {color:#1e1e1e} .smdropdown-alt {line-height: 0; margin:0; padding: 0 0 10px 0;} .smdropdown-link {color:#acacac!important; font-style: italic;} .depth-1-list, .depth-2-list, .depth-3-list {display: none; margin: -20px 0 0 0; padding: 0 0 0 15px;} .header-right {float: right;padding: 8px 0; height: 30px; border-radius: 0; box-shadow: 0 3px 5px #1e1e1e; background:#0014a0; text-align: right;} .signin-icon {display: none;} #signin .header-bottom-item.header-bottom-link {margin-top: -10px;} .open {display: block;} .Footer .col {display: block; width:96%; padding: 0 20px 15px 20px} .Footer .col.col-copyRight, .Footer .col.col-social {width:90%} footer .container {width:95%} .col.footer-logo-wrap {text-align: center;} .col-copyRight a {padding: 10px 0 0 20px;} .social-icons-wrap a {padding: 10px 0 0 0;} .Footer .footer-links-wrap {padding-bottom:none; border-bottom:none;} .Footer .footer-links-wrap .col:nth-child(2), .Footer .footer-links-wrap .col:nth-child(3), .Footer .footer-links-wrap .col:nth-child(4) {border-bottom:1px solid #c4c4c4; border-right:none} footer.Footer .row:nth-of-type(2).footer-links-wrap .col.footer-links:last-of-type {border-bottom:none} a.dropdown-1-title, a.dropdown-2-title, a.dropdown-3-title {color: #8a8a8a; font-style: italic;} .header-bottom-link:focus::after, .header-bottom-link:hover .smdropdown::after,.smdropdown::after,.depth-1-url::after,.depth-2-url::after {content:"\f1f5";font-family:fsg-icon;font-size:26px;color:#363636;position:absolute} .smdropdown.change::after,.depth-1-url.change::after,.depth-2-url.change::after {content:"\f131";} .footer-link-title {width:94%} .footer-link-title::after {content:"\f1f5";font-family:fsg-icon;font-size:26px;color:#363636;float:right!important} .footer-link-title.change::after {content:"\f131";} footer.Footer .row.footer-links-wrap .col.footer-links ul {display:none} footer.Footer .row.footer-links-wrap .col.footer-links ul.open {display:block; padding-bottom:30px} footer.Footer .row.footer-links-wrap:nth-of-type(3) {border-bottom:none} footer.Footer .row.footer-links-wrap .col.footer-links {border-bottom:1px solid #dfdfdf;} footer.Footer .row.footer-links-wrap .col.footer-links, footer.Footer .row.footer-links-wrap .col.footer-links:last-of-type {padding:10px 0 0 20px} footer.Footer .row.footer-links-wrap .col.footer-links .footerdropdown::hover {cursor:pointer!important} .row.bottom-row {display:flex;} .Footer .col.col-copyRight, .Footer .col.col-social {width:50%;padding:0} .social-icons-wrap {margin-top:-15px} } @media screen and (min-width:992px){ .Hamburger, .dropdownnavi .top-header-link, #userguidesLink, #supportLink, .smdropdown-alt {display: none;} .bottom-header {display: block;} .header-top-link::after {background: #fff;} header .row:nth-child(2) {background-color:white; box-shadow: 0 3px 5px rgba(0,0,0,0.1);} .depth-1-list, .depth-2-list, .depth-3-list {list-style: none; margin: 0; padding-left: 0; box-shadow: 0 4px 4px rgba(0,0,0,.1);} .depth-1-item, .depth-2-item, .depth-3-item {padding-left:15px; border-bottom:1px solid #dfdfdf; position: relative;} .depth-1-item a, .depth-2-item a, .depth-3-item a {color: #1e1e1e;} .header-bottom-link::after {background: #0014a0;} .header-top-link.active::after, .header-top-link:hover::after, .header-bottom-link.active::after, .header-bottom-link:hover::after {bottom: 0; content: ""; display: block; height: 5px; left: -15px; margin: auto; position: absolute; width: calc(100% + 35px);} .header-bottom-link.smdropdown:hover, .header-bottom-link.smdropdown.active {color:#0014a0} .header-searchbox {position:absolute;top:0;right:60px; margin:0; z-index: 200; } .header-searchbox.active {width:500px;transition: 1s ease-in-out;} #kbsearch {width:350px;} #menu-dropdown, #kb-menu-dropdown {position: absolute; z-index: 100; background: white; text-align: left; margin: 1px 0 0 -15px;} #menu-dropdown, #kb-menu-dropdown .depth-1-list {width:300px} #kb-menu-dropdown .depth-1-url {color:#8a8a8a} #kb-menu-dropdown .depth-2-list {width:350px!important} #profile-menu {position: absolute; z-index: 100; background: white; width: 350px; text-align: left; width:260px; margin: 0 0 0 -230px; border: 1px solid #c4c4c4; border-radius: 5px; box-shadow: 0 4px 4px rgba(0,0,0,.1);} #menu-dropdown, #menu-dropdown .depth-2-list, #menu-dropdown .depth-3-list, #kb-menu-dropdown, #kb-menu-dropdown .depth-2-list, #profile-menu {display:none;} #helpForumsLink:hover #menu-dropdown, #FaqsLink:hover #kb-menu-dropdown, #profiledropdown:hover #profile-menu {display: block;} #menu-dropdown .depth-1-item:hover .depth-2-list, #menu-dropdown .depth-2-item:hover .depth-3-list, #kb-menu-dropdown .depth-1-item:hover .depth-2-list { display: block; left: calc(100%); background: #fff; border: 1px solid #c4c4c4; position: absolute; top: 0; width: 100%;} #kb-menu-dropdown .depth-1-url {margin:0} #menu-dropdown .depth-1-item:nth-child(3) .depth-2-list, #menu-dropdown .depth-2-item:hover .depth-3-list {top:-1px} .depth-1-item:hover, .depth-2-item:hover, .depth-3-item:hover {pointer:cursor;background-color:#f8f8f8} #helpForumsLink .depth-1-item:hover .depth-1-url, .depth-2-item:hover .depth-2-url, .depth-3-item:hover .depth-3-url, #kb-menu-dropdown .depth-2-item:hover .depth-3-url {color:#0014a0} #FaqsLink .depth-1-item:hover, #FaqsLink .depth-1-item:hover .depth-1-url {cursor:default} .header-right {float: right; margin: 8px 15px 0 0; padding: 3px; height: 30px; border-radius: 3px;} #dropdownnavi {margin: -1px 0 0 -13px;width:50%} #dropdownnavi .top-header-link, .dropdown-1-title, .dropdown-2-title, .dropdown-3-title {display:none} .header-bottom-link.smdropdown {line-height:53px} #signin {display:flex; margin: 1px -12px 0 0} #signin .header-bottom-item.header-bottom-link {margin-top:-14px; height:54px} #signin span {margin-top: 3px;} .signin-icon {padding: 4px 0 20px 0;} .header-bottom-link.smdropdown:before {content:"\f1f5";font-family:fsg-icon;font-size:26px;float: right;} #helpForumsLink:hover .header-bottom-link.smdropdown::before, #FaqsLink:hover .header-bottom-link.smdropdown::before, .header-bottom-link.smdropdown:hover::before {content:"\f131";} .depth-1-item:before, #helpForumsLink .depth-2-item:before {content:"\f1f6";font-family:fsg-icon;font-size:26px;float: right;} .depth-1-item:hover::before, #helpForumsLink .depth-2-item:hover::before {content:"\f132";} }

Elements Endpoint Protection DataGuard Ransomware access control blocks C:\Windows\System32\svchost.exe - F-Secure Community

Issue:

We are getting lot of Ransomware access control alerts caused by Elements Endpoint Protection feature DataGuard, which is blocking C:\Windows\System32\svchost.exe
What is the root cause of this?

Resolution:

Ransomware access control is a DataGuard feature, which provides the user the ability to safeguard important data from ransomware. More info are provided in this article and in this Help Guide.

In this particular case, where DataGuard is enabled for specific folders to safeguard against ransomware. As from this, svchost.exe (a legit Windows application) might try to access the file that is available in those folders, which is immediately blocked by DataGuard.

You can find more details about this detection from the Elements Endpoint Protection Portal:

Log in to the Elements Endpoint Protection Portal
From the menu on the left, click Security Events PILOT
Click on the detection and you will see similar details:

Application C:\Windows\System32\svchost.exe
Target C:\Users\Username\Desktop\My Documents\examplematerial.xlsx
Profile version xxxxxxxxx
Client timestamp Oct 30, 2020 4:51:35 AM
Transaction id 0000-xxxxxxxxx

This means that svchost.exe has tried to modify examplematerial.xlsx which is saved on the users Desktop protected by DataGuard.
DataGuard works differently from our other engines, as it tries to be as paranoid as possible (even detecting Microsoft Windows files). This is because some malwares will inject into legitimate Microsoft files, which explains why DataGuard is more paranoid compared to other engines. DataGuard only allows trusted applications to modify protected files.

So, this leaves you with one choice, which is to either leave it as it is (Which we recommend) or add svchost.exe as a trusted application. If you want to do the latter, then you can follow the steps in the Help Guide.

You can also use Windows process monitor to figure out which svchost process exactly has tried to modify the file.
It can also be some windows or 3rd party feature using this process, and in case you don't need it, you can disable it, but it has nothing to do with our product - we just block write access to these files as we should

Article no: 000027366