performance DeepGuard - folder protection

Hi!

Does anybody have some experience/knowledge of the performance of folder protection by DeepGuard?

Why not, e.g., add a complete drive to be protected?

By default, only the Windows Users folders are added.

I can imagine that, to protect against ransomware, a complete drive is added to the folder protection.

What drawbacks can be expected (if any)?

Kind regards,

Jeroen.

Comments

  • Ukko
    Ukko Posts: 3,724 Superuser

    Hello,

    I am only an F-Secure user (their home solutions). So, this is only my own feedback/experience/feelings.

    First of all, it is not possible to add the entire system drive (containing the system's folders and so on) by the designed steps. This is helpful against "aggressive" protection. Some critical (for the system) folders and the system folders themselves are excluded from being added to the Ransomware Protection list, because if a "safe" operation is denied, the result can be a tricky state and/or a broken system. Thus, "false positives" are highly unrecommended.

    All in all, perhaps such places are controlled by the common functionality of DeepGuard at a more tweaked level.

    Why not, e.g., add a complete drive to be protected?
    By default, only the Windows Users folders are added.

    Since it is not possible to add a complete system drive, it is possible to add certain folders only. Some of them are "user's content". I think that this is the main point and the most "valuable" files for users; furthermore, this is the main reason for Ransomware Protection, since the system's own files can be retrieved just by reinstalling the system.

    Thus, it is possible to suspect that it is good to add only "required" and important folders, or other drives.

    I feel that most "crypto" malicious software is about "ransom". So, ransomware design targets the user's content. If the only reason were "to destroy" the user's system, then... maybe more folders under the Ransomware Protection list is good (as prevention against a broken system. But I think that current operating systems come with their own protection against such a thing; it should be tricky to destroy a system completely. But if so, and there are enough rights, permissions, ways of distribution and design of the launched software or script, then I think such tricks are more useful for something else rather than "joke and destroy").

    I can imagine that, to protect against ransomware, a complete drive is added to the folder protection.
    What drawbacks can be expected (if any)?

    I think that the current design of F-Secure Ransomware Protection is mostly about protection against unauthorized access (to a protected folder/file) by a suspicious attempt.

    Some of their competitors (large and good companies) have a bit different design. In my own opinion, it is more suitable for protection against "ransomware".

    Anyway, if a complete drive (not a system drive) is added to the protected folders list, then when some "unauthorized" application/process or activity decides to try to access a file, such an action is prevented/blocked by F-Secure. Then, maybe the entire source can be blocked/rejected as ransomware.

    If it was a "safe" action by a "safe" application, then something can be broken or still OK (for example, software logs do not receive "updates" to entries; it is unwanted, but maybe not so critical).

    In my own feeling, if malicious software tries to do something with the system's files (which cannot be added under the Protected list), the system's own design has some layers against it. Another point is that such an action can be more suspicious and detected by F-Secure DeepGuard.

    When real "unknown" ransomware tries to do something with files under a protected folder, then all is OK (if the action is detected).

    But if a "safe" application/process tries to do so (and is treated as a "suspicious" process), then it is not nice (for example, changes to a project are prevented). Usually, the level of impact is visible to the user, although if it is background activity, it is not always clear.

    My own experience was with the "default" set of folders (with the addition of the "Downloads" folder). During normal, unextreme system use, I did not receive any false positives, perhaps.

    But, for example, if an entire drive (not a system drive) is added to the list, then any application installed there can be impacted (as an example, you work with software, try to save a result, but such an action is rejected).

    It would be good if there were more opinions from really experienced users. I decided to add some more folders to the list too.

    It is possible to read about F-Secure DeepGuard (whitepaper):

    The latest edition is about "Ransomware Protection" too (probably).

    This reply was only my own thoughts. And sorry for my English!

    Thanks!

  • JeroenH
    JeroenH Posts: 2 New Member

    Hi Ukko,

    Thanks for your answer!

    For drives containing system files (operating systems) I agree; I'm not planning to add these drives to the protected folder list.

    On the other hand, my user files are not limited to the Users folder. I have several other disks containing user data, and was wondering if I could add these as protected folders.

    Maybe I'll give it a go, to see if/how many false positives arise.

    I've read the white paper, interesting stuff.

    Thanks again for your thoughts!

    Jeroen.

    PS: your English is not so bad ;-)

  • yeoldfart
    yeoldfart Posts: 571 Superuser

    Hello!

    I suggest adding only the Windows backup file, which is more than enough in case of disaster; this one should never be on the Windows system drive: then you are safe.

  • Ukko
    Ukko Posts: 3,724 Superuser

    Hello,

    On the other hand, my user files are not limited to the Users folder. I have several other disks containing user data, and was wondering if I could add these as protected folders.
    Maybe I'll give it a go, to see if/how many false positives arise.

    I think so too! In fact, I tried this design and thought that I still used it (but after your topic, I found that my settings are default. Perhaps I forgot to change them after one of the reinstallations).

    In addition, my own use is a pretty quiet style. Maybe based on this, I received a notification from the Ransomware Protection layer only when it was first introduced in aggressive mode for more statistics and user feedback. Thus, it is likely that all should be OK with a "custom" list.

    Although, I am not sure whether any malicious ransomware is designed to start its "payload" through specific drives and folders (since the main drive and the user's data are always there), even if the targets are certain extensions. However, maybe a certain item can be discovered sooner with custom protected folders (or, at least, the impact is prevented sooner). Basically, Ransomware Protection is useful against any "unauthorized" access to protected files by sufficiently suspicious activity.

    One more point is that some detections can be attributed to the system's processes. For example, a malicious script triggers Command Prompt or PowerShell or anything else (injection into another process; or using the system's own ways to do something); the F-Secure notification can block the suspicious activity and claim that, for example, cmd.exe (or "svchost.exe") tried to access a protected folder (file). Such an action is denied/blocked/prevented. But it is unclear "who is the real actor" (I think that in such a situation, one option is to open Event Viewer / Windows Journal and check the logs, or F-Secure's own Journal if it persists, for a bit more information). So, it is good not to allow such generic executables like cmd.exe / svchost.exe per prompt about a suspicious attempt.

    Thanks!
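As an added example (not from the thread, and not F-Secure's own tooling), here is a PowerShell snippet for the "who is the real actor" step above: it reads recent process-creation events (Security log, event ID 4688) and shows the parent of generic hosts such as cmd.exe or powershell.exe, so a blocked access attributed to cmd.exe can be traced to the process that launched it. It assumes "Audit Process Creation" is enabled (otherwise there are no 4688 events) and that the script runs elevated; the event ID and field names are Windows', the host list is a constructed choice.

```powershell
# Added example: show which parent process launched generic hosts recently.
# Assumes process-creation auditing (event 4688) is enabled and the shell is elevated.
param(
    [int]$Hours = 24,
    # Constructed list of "generic" executables that often hide the real actor.
    [string[]]$GenericHosts = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $newProc = $data['NewProcessName']
    if (-not $newProc) { continue }
    $leaf = [System.IO.Path]::GetFileName($newProc).ToLowerInvariant()
    if ($GenericHosts -notcontains $leaf) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Process     = $newProc
        Parent      = $data['ParentProcessName']   # populated on Windows 10 / Server 2016 and later
        CommandLine = $data['CommandLine']         # only filled when command-line auditing is on
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}
```

Compare the timestamp of the F-Secure block notification with the Time column; a cmd.exe started by an unexpected parent (an Office document, a browser, a script host) is the entry worth investigating before allowing anything at the prompt.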

This discussion has been closed.