DeepGuard notifications for closing applications
We use F-Secure Elements EPP Premium V 22.1 for virus and malware protection.
Many computers in our office are getting multiple notifications throughout the day noting it has closed an application. It varies between cmd.exe, svchost.exe & powershell.exe. The notifications typically come in groups of three for the cmd.exe. See image below.
I have scanned for malware and viruses and no threats have been detected. I would like to know what would be causing the closing of these applications and if they'd be OK to be excluded. Nothing seems to be affected on the computers including any software.
We do use Revit and other Autodesk software daily that requires a license verification online. It does seem to correspond to when we installed Revit 21 & 22 on our computers.
Any help would be appreciated.
MonikaL Posts: 211 Moderator
If DeepGuard has blocked a safe application (a false positive), then we recommend submitting the sample file to our Labs so that we can analyze the file and correct the detection if necessary. You can open a Labs ticket here: https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample
If you are sure that the detection is a false positive, you can create a DeepGuard exclusion to immediately get the application working again. How to centrally create the exclusion depends on if you are using Business Suite or Elements Endpoint Protection. For Elements Endpoint Protection:
- Log in to the Elements Security Center: https://elements.f-secure.com/
- Click the See more details link under the product category Endpoint Protection
- Go to the Profiles page
- Choose the profile which the device is using
- Go to the General settings page
- Scroll down to the Exclude folders and files from all security scans section and click Add exclusion
- In the Path field add the:
  - Full path for the application if you want to exclude a specific application
  - Folder path if you want to exclude a folder and its sub folders
- Click Save and publish
Alternatively, the DeepGuard exclusion rule can also be added using the Security events page:
- Log in to the Elements Endpoint Protection portal
- Go to the Security events page
- Click on the three dots on the right side of the DeepGuard detection
- Select Exclude file by SHA1
- The file SHA1 is automatically added to the Exclude folders and files from all security scans list
- Click Save and publish
On all products, to locally allow an application that DeepGuard has blocked:
- Open the F-Secure program
- Click Settings
- Under the Malware Protection tab, click View quarantine
- Go to the Blocked tab
- Select the application that you want DeepGuard to allow to run
- Click Allow
- Click Close
Note: To prevent it from happening again in the future, please inform our Labs about the blocked application.
In terms of exclusions, I would maybe highlight that if you end up doing the exclusions then you should do it for Autodesk / Revit rather than powershell / cmd / svchost since all three of these latter ones are commonly used for spreading malicious files.
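
The advice in the last reply can be turned into a pre-publish check on proposed exclusion paths. This is an added example, not part of the original thread and not F-Secure code; it assumes the default Windows locations for cmd.exe, svchost.exe and powershell.exe, and the Autodesk paths are constructed samples.

```python
import ntpath

# Host binaries named in this thread. Excluding one of them also exempts
# whatever commands or scripts it is asked to run.
# Assumption: default install locations on a standard Windows system drive.
SHARED_HOSTS = {
    "cmd.exe": r"C:\Windows\System32\cmd.exe",
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "powershell.exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
}


def _norm(path):
    # Windows paths are case-insensitive; unify case, separators, trailing slash.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def _covers(folder, target):
    # True when `target` lies inside `folder` or any of its subfolders,
    # which is how a folder exclusion behaves according to the steps above.
    return target.startswith(folder.rstrip("\\") + "\\")


def review_exclusion(path):
    """Return findings for one proposed exclusion path (empty list = no objection)."""
    p = _norm(path)
    findings = []
    name = ntpath.basename(p)
    if name in SHARED_HOSTS:
        findings.append(f"excludes shared host binary {name}")
    for host, location in SHARED_HOSTS.items():
        if _covers(p, _norm(location)):
            findings.append(f"folder exclusion also covers {host}")
    return findings


if __name__ == "__main__":
    # Constructed sample list of candidate exclusions.
    proposed = [
        r"C:\Program Files\Autodesk\Revit 2022\Revit.exe",
        r"C:\Program Files\Autodesk",
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32",
    ]
    for entry in proposed:
        issues = review_exclusion(entry)
        print(("REJECT " if issues else "OK     ") + entry)
        for issue in issues:
            print("         - " + issue)
```
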