Ransomware: AccessControl message

linck_tello Posts: 10 New Member

Hi F-Secure

How can I create an exception for an app that is detected as Ransomware: AccessControl but is safe?

From the PSB Console it isn't possible; it displays this info:

Attention: DataGuard Action: Blocked

But there isn't any info about how to unblock this action or detection.


BR

Linck Tello Flores

 

Answers

  • jamesch Posts: 145 Moderator

    Hi Linck

    It appears the DataGuard component is blocking it. So under the PSB profile navigate to PREMIUM>Dataguard and add your exclusion there.

    You can either add specific executables, e.g. "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE " or "C:\Program Files (x86)\Microsoft Office\root\Office16\ "

    Note that when adding a folder, you must end the string with a backward slash \. This will include all executables and subfolders in that folder.

    When using folders, you can use Windows environment variables, e.g. "%WINDIR%" to point to the Windows directory (typically C:\Windows).

    Allowed System Environment variables:

    %ProgramData%, %APPDATA%, %windir%, %SystemRoot%, %SystemDrive%, %ProgramFiles(x86)%, %ProgramFiles%.

    Allowed per user Environment variables:

    %Desktop%, %Favorites%, %My Music%, %My Pictures%, %My Video%, %Personal%.

    Important: As all subfolders in specified folders are included, do not define folders that are close to the root level. For instance, specifying "C:\ " as a trusted folder sets all executables on the C: drive as trusted applications.

    Jaims
  • linck_tello Posts: 10 New Member

    But the process doesn't work.

    I added the folder but PSB keeps blocking.

    I tried manually and from PSB and the result is the same: blocked!

    How can I resolve this issue?

    BR

    Linck

  • jamesch Posts: 145 Moderator

    Hi Linck

    Can you please share a screenshot showing where you are adding the exclusion?

  • linck_tello Posts: 10 New Member

    Hello Jamesch

    Check the images.


  • jamesch Posts: 145 Moderator

    Hi Linck

    I believe you have added the exclusions incorrectly. Your screenshot shows you have added them to Application Control. You need to add these exclusions on the PSB Profile - DataGuard component. See the example in my image below.


  • linck_tello Posts: 10 New Member

    Hi James


    Same block; this was tried before writing this question. It isn't working.

    How can I check if DataGuard is really bypassing this exclusion?

    BR

    Linck Tello Flores

  • linck_tello Posts: 10 New Member

    Hi James


    Do you have some info about this case?


    BR

    Linck Tello Flores

  • jamesch Posts: 145 Moderator

    Hi Linck

    Double check your exclusion paths again.

    In the application log in Event Viewer, an alert similar to the following is normally logged, which shows the target folder for the blocked application:


    DataGuard stopped a suspicious application that tried to modify protected files.

    Application path: C:\Windows\System32\svchost.exe

    Target path: C:\Users\FStest\AppData\Local\TileDataLayer\Database\vedatamodel.edb

  • linck_tello Posts: 10 New Member

    Hello

    Check the image:


    BR

    Linck

  • jamesch Posts: 145 Moderator

    Hi Linck

    It appears the detection does not match the exclusion.

    %userprofile% is a user environmental variable, so you can use:

    :\Users\*\AppData\Roaming\

    "*" denotes all folders in this place. It is not "any path" but "any folder under this path without subfolders".

    It applies only to one folder in the path, not to the full path, e.g. this will not work: :\*\

    So, in your scenario, please try to exclude %UserProfile%\AppData\Local\Microsoft\OneDrive\. If this doesn't work then you can exclude %ONEDRIVE%

  • linck_tello Posts: 10 New Member

    Hi James

    This entry worked fine:

    The other options:

    %UserProfile%\AppData\Local\Microsoft\OneDrive\

    %ONEDRIVE%

    don't.


    Thank you for your help.


    BR

    Linck Tello Flores
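
An added example, not part of the original thread and not F-Secure code: a Python check that lints DataGuard exclusion entries against the rules stated in the answers above (trailing backslash on folders, the quoted allowed-variable lists, no folders close to the drive root) and models the one-folder `*` wildcard against an application path from the Event Viewer alert. The function names, the "fewer than two folders" threshold, the case-insensitive comparison and the sample paths are assumptions; the product's own matcher may behave differently.

```python
import re

# Variable names from the "allowed" lists in the first answer of this thread.
ALLOWED_VARS = {v.lower() for v in (
    "ProgramData", "APPDATA", "windir", "SystemRoot", "SystemDrive",
    "ProgramFiles(x86)", "ProgramFiles", "Desktop", "Favorites",
    "My Music", "My Pictures", "My Video", "Personal")}
VAR = re.compile(r"%([^%]+)%")
DRIVE = re.compile(r"(?i)^(?:[a-z]:|%systemdrive%)[\\/]")

def _parts(path):
    """Split a Windows path into lower-cased components."""
    return [p.lower() for p in re.split(r"[\\/]+", path) if p]

def lint(entry):
    """Return the problems found in one exclusion entry (empty list = none)."""
    problems = []
    for name in VAR.findall(entry):
        if name.lower() not in ALLOWED_VARS:
            problems.append(f"%{name}% is not on the allowed-variable list")
    if entry.lower().endswith(".exe"):
        return problems  # executable entry: the folder rules do not apply
    if not entry.endswith("\\"):
        problems.append("folder entry must end with a backslash")
    drive = DRIVE.match(entry)
    # Assumption: fewer than two folders below the drive is "close to the root".
    if drive and len(_parts(entry[drive.end():])) < 2:
        problems.append("folder is too close to the drive root")
    return problems

def covers(entry, app_path, env):
    """True if `entry` covers `app_path`: '*' stands for exactly one folder,
    and a folder entry also covers everything below it."""
    expanded = VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), entry)
    pat, target = _parts(expanded), _parts(app_path)
    if len(target) < len(pat):
        return False
    if not entry.endswith("\\") and len(target) != len(pat):
        return False  # executable entries must match the whole path
    return all(p in ("*", t) for p, t in zip(pat, target))

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread's screenshots.
    env = {"appdata": "C:\\Users\\alice\\AppData\\Roaming"}
    app = "C:\\Users\\alice\\AppData\\Roaming\\ExampleApp\\app.exe"
    for e in ("C:\\", "%UserProfile%\\AppData\\Local\\",
              "C:\\Users\\*\\AppData\\Roaming\\", "%APPDATA%\\ExampleApp\\"):
        print(f"{e!r}: lint={lint(e)} covers={covers(e, app, env)}")
```

Pass `covers` the "Application path" value from the alert; an entry that returns `True` while `lint` reports it as too close to the drive root trusts far more than the one application being unblocked.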
