Can you add the file C:\$WINDOWS.~BT\Sources\SetupPlatform.exe to some global allowlist so that it doesn't get blocked by dataguard?
The DataGuard functionality blocks SetupPlatform.exe because it is located in the C:\$WINDOWS.~BT\Sources\ folder, and it attempts to modify files located in folders protected by DataGuard.
To see which file the application is trying to modify, you can check out the new Security Events page in the PSB Portal:
1. Log in to the PSB Portal
2. Click the Security Events button from the blue menu on the left side
3. Click on the arrow on the left side to see more info
With default DataGuard settings, applications in the C:\$WINDOWS.~BT\Sources\ are not listed as trusted applications. To see which applications are currently trusted, you can follow these steps:
2. Go to the Devices page
3. Click a device which has DataGuard enabled
4. From the Protection Status tab, click on DataGuard (Premium) and it will list all included paths (DataGuard protected folders) and then trusted applications (applications that can modify files in protected folders)
SetupPlatform.exe is a legitimate Windows process and it is related to the Windows upgrade feature:
In this case, you should add the C:\$WINDOWS.~BT\Sources\ folder as a trusted folder so that DataGuard does not block SetupPlatform.exe from modifying files in DataGuard protected folders. Follow the steps below to add the folder to the Manually added trusted applications and folders list:
2. Go to the Profiles page
3. Click on the profile you want to modify
4. Go to the DataGuard settings page
5. Scroll down to the Access Control section and click the Add Path button under Manually added trusted applications and folders
6. Add the following path: C:\$WINDOWS.~BT\Sources\
7. Click Save and Publish
If the blocked application is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to access a file that is located in a protected location. You can view the currently trusted application locations from the PSB Portal:
Log in to the PSB Portal
Go to the Devices page
Click a device that has DataGuard enabled
In the Protection status tab, click on the DataGuard (Premium) section
This will show you the currently protected paths and the currently trusted application paths.
To not have DataGuard block an application, you can add the application path to the Manually added trusted applications and folders list:
Log in to PSB Portal
Go to the Profiles page
Select the profile the device is using
Go to the DataGuard settings page
In the Access Control section, click Add path below Manually added trusted applications and folders
Add the full path of the application, example C:\Users\Username\Documents\exampleprogram\example.exe
Click Save and publish the profile.
If you need to find out more about the detection (detection path, target path etc.), you can view it from the Security events page:
Go to the Security events page from the menu on the left
Click on the double arrow on the left side of the detection.
If you had read the question you would have seen that the folder in question is not under the Windows Users or AppData directory.
Dataguard includes the feature to Discover trusted applications automatically. The description of this feature says that the default trusted applications include everything installed under Program Files and some safe system applications from the Windows folder.
It would be great if it would include the default Windows update folder also and would not block feature updates.
Thank you for the clarification. I looked up the security notification and it shows that the application path is C:\$WINDOWS.~BT\Sources\SetupPlatform.exe and the target is a pdf file created by the user that is saved on the Desktop.
That is indeed a suscpicious activity and I cannot think of any reason why these two things should connect.
Since the $WINDOWS.~BT folder is now gone I have no need to add it as an exeption.
Thank you again.