Announcement: New Knowledge Base

4 June 2020: We are pleased to announce the launch of a new Knowledge Base, Changelogs for Business Security Products, where you can find more details, such as bugfixes or new features, about the most recent releases of our business-related products.

F-Secure Client Premium 13.10 - DataGuard with NETLOGON

When logging in, we use login scripts that are located on a domain controller. As a trusted application within DataGuard we have set the netlogon directory %LOGONSERVER%\NETLOGON\ in policy manager. Nevertheless, we get the error when logging in that the program could not be trusted.


  • HolMiHolMi Posts: 5


    Date: 2018-03-23  08:18:20+01:00
    Host: (, ::1) Computer name: MACHINE01 User account: MACHINE01-COM\testuser
    Product: F-Secure DeepGuard (OID:
    Severity: security alert (5)
    Message: DataGuard prevented an untrusted application from modifying protected files.
    Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE
    File: C:\Users\testuser\Desktop\Internet Explorer.lnk

  • etomcatetomcat Posts: 1,312



    > Message: DataGuard prevented an untrusted app from modifying protected files
    > Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE


    I'm afraid you may be out of luck here, as this knowledge base article says:



    "...DeepGuard supports exclusions configured for real-time protection but they need to meet the following criteria:
    - Device names are not supported; use standard paths with drive letters and

    - Wildcards are not supported. Examples:


    Wrong: \\Device\\HarddiskVolume1\\CodeMeter\\*
    Correct: c:\Program files (x86)\CodeMeter"


    I would suggest submitting the .EXE file to F-Secure virus lab at:

    Tick the "more details" checkbox and fill in the details, so you can receive a response. Maybe they will be able to crate a "false alarm" style correction in the database update, thereby  solving your problem?


    Best Regards: Tamas Feher, Hungary.

  • HolMiHolMi Posts: 5

    thanks for this quick reaction.
    However, the problem is not recognized.
    The KIX file is not blocked by antivirus, but by DeepGuard.
    Therefore, changes in the database will bring nothing.
    We also do not use wildcards.
    System variables are used that are familiar to every Windows system (% LOGONSERVER%).
    This is also supported according to policy manager.
    But it probably does not work with exactly these variables.

  • VadVad Posts: 1,048

    Hello HolMi,


    > But it probably does not work with exactly these variables.


    You are right. In PM Console help text for the field "Folder" in "Protected folders" table contains the list of supported environment variables:

    %UserProfile%, %HomeDrive%, %HomePath%, %ProgramData%, %WinDir%, %SystemRoot%, %SystemDrive%, %ProgramFiles%, and %ProgramFiles(x86)%.


    The same limitation affects "Trusted applications" table. Sorry for the inconvenience.


    Best regards,


  • etomcatetomcat Posts: 1,312



    > The KIX file is not blocked by antivirus, but by DeepGuard.
    > Therefore, changes in the database will bring nothing


    F-Secure Viruslab is also able to fix DeepGuard false alarms centrally, because there is the ORSP cloud tech and also DG has updates, for example the current one is 2018-03-23_01.


    Best Regards: Tamas Feher, Hungary.

  • To protect DataGuard monitor specific folders on your system to prevent untrusted applications from modifying your files. DataGuard is very useful ransomware that is able to get past the product's other security layers.
                DataGuard blocks suspicious applications that are considered to behave as ransomware and may block attempts to modify data folders by untrusted applications
                Fixed: Firewall Application Control was sometimes unable to verify applications' reputation after restarting the computer.

    Xbox Customer Service

  • HolMiHolMi Posts: 5

    Reviewed this morning with the latest DeepGuard database from yesterday evening. The described behavior has not changed so far.

This discussion has been closed.