Elements Endpoint Protection DataGuard Ransomware access control blocks C:\Windows\System32\svchost.exe - F-Secure Community
<main> <article class="userContent"> <h3 data-version="3" data-article="000027366" data-id="issue">Issue:</h3> <p>We are getting a lot of Ransomware access control alerts caused by the Elements Endpoint Protection feature DataGuard, which is blocking C:\Windows\System32\svchost.exe<br>What is the root cause of this?</p> <h3 data-id="resolution">Resolution:</h3> <p><b>Ransomware access control</b> is a <b>DataGuard</b> feature that safeguards important data from ransomware by allowing only trusted applications to modify files in protected folders. More information is provided in <a rel="nofollow" href="https://www.cybervision.co.za/articles-guarding-data-using-f-secures-dataguard/">this article</a> and in this <a rel="nofollow" href="https://help.f-secure.com/product.html#business/psb-portal/latest/en/concept_F0730463E69146269ECE353DDA81D4C7-psb-portal-latest-en">Help Guide</a>.<br><br>In this case, DataGuard is enabled for specific folders. When svchost.exe (a legitimate Windows process) tries to write to a file in one of those folders, DataGuard blocks the write immediately and raises a Ransomware access control event.<br><br>You can find more details about this detection in the Elements Endpoint Protection Portal:<br></p><ol><li>Log in to the Elements Endpoint Protection Portal.</li><li>From the menu on the left, click Security Events PILOT.</li><li>Click the detection; you will see details similar to these:</li></ol><div><b>Application C:\Windows\System32\svchost.exe</b><br><b>Target</b> C:\Users\Username\Desktop\My Documents\<b>examplematerial.xlsx</b><br>Profile version xxxxxxxxx<br>Client timestamp Oct 30, 2020 4:51:35 AM<br>Transaction id 0000-xxxxxxxxx<br> </div><br>This means that <b>svchost.exe </b>tried to modify <b>examplematerial.xlsx</b>, which is saved on the user's <b>Desktop</b>, a folder protected by DataGuard.<br>DataGuard works differently from our other engines: it is deliberately as paranoid as possible and will flag even Microsoft Windows files.
This is because some malware injects into legitimate Microsoft processes and then writes to files from inside them, which is why DataGuard is more paranoid than the other engines. DataGuard only allows trusted applications to modify protected files.<br><br>This leaves you with two options: leave the setting as it is (which we recommend), or add svchost.exe as a trusted application. If you want to do the latter, follow the steps in the <a rel="nofollow" href="https://help.f-secure.com/product.html#business/psb-portal/latest/en/task_C898D0A4E51346DD8E99236D891D701F-psb-portal-latest-en">Help Guide</a>. Bear in mind that a trusted-application exception applies to every process running that executable, which for svchost.exe means every service it hosts, so it is better to identify the responsible service first.<br><br>You can use Process Monitor (Sysinternals) on the endpoint to find out exactly which svchost.exe process (by PID) tried to modify the file, and which service runs inside that process.<br>It may be a Windows or third-party feature running inside svchost.exe; if you do not need that feature, you can disable it. This is not caused by our product: DataGuard blocks write access to protected files by untrusted applications, as it is designed to.<br> <p>Article no: 000027366</p> </article> </main>
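Once Process Monitor shows the PID of the svchost.exe instance that wrote to the protected file (filter on Process Name is svchost.exe and Path contains the target file name, then look at the WriteFile or CreateFile events), the next question is which service lives in that PID. The PowerShell below is added here as an example; it is not part of the F-Secure article or product. It maps every running svchost.exe instance to the services hosted in it, using the ProcessId property of Win32_Service and the process command line. The function name Get-SvchostServiceMap and the PID used in the usage line are assumptions.

```powershell
# Added example (not from the F-Secure article or product): map svchost.exe
# instances to the services they host, so a PID taken from Process Monitor
# (or from a DataGuard Ransomware access control event) can be tied to a
# service. Assumes Windows PowerShell 5.1 or later; run elevated so that the
# path and command line of SYSTEM-owned processes are readable.

function Get-SvchostServiceMap {
    [CmdletBinding()]
    param(
        # Optional: restrict output to one PID, e.g. the PID Process Monitor
        # shows on the write to the protected file.
        [int]$ProcessId
    )

    # Services hosted in a shared process report the PID of that host in
    # Win32_Service.ProcessId; stopped services report 0 and are dropped.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 }

    $hosts = Get-Process -Name svchost -ErrorAction SilentlyContinue
    if ($PSBoundParameters.ContainsKey('ProcessId')) {
        $hosts = $hosts | Where-Object { $_.Id -eq $ProcessId }
    }

    foreach ($h in $hosts) {
        # Every service whose ProcessId equals this svchost PID runs inside it.
        $hosted = $services | Where-Object { $_.ProcessId -eq $h.Id }

        # The command line carries the service group (-k) and, on builds that
        # split services into their own hosts, the service name (-s).
        $cmdLine = (Get-CimInstance -ClassName Win32_Process `
                        -Filter "ProcessId = $($h.Id)").CommandLine

        [pscustomobject]@{
            PID          = $h.Id
            Path         = $h.Path
            CommandLine  = $cmdLine
            Services     = ($hosted.Name | Sort-Object) -join ', '
            DisplayNames = ($hosted.DisplayName | Sort-Object) -join '; '
        }
    }
}

# Usage: list every svchost.exe instance with the services it hosts.
Get-SvchostServiceMap | Format-Table -AutoSize -Wrap

# Usage: only the instance behind a PID copied from Process Monitor
# (1234 is a placeholder, not a value from the article).
# Get-SvchostServiceMap -ProcessId 1234
```

On Windows 10 version 1703 and later, machines with more than 3.5 GB of RAM run most services in their own svchost.exe instance, so the Services column usually contains a single name and the `-s` argument in the command line names it directly. On older builds or smaller machines one PID hosts a whole group (for example `-k netsvcs`), and the Services column lists every member; in that case Process Monitor's stack trace on the write event, or stopping the candidate services one at a time, narrows it further. Whatever the answer, it is a service on the endpoint writing to a DataGuard-protected folder, not a fault in the product.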