DataGuard blocking files opened from Documents or Desktop

I have lots of false positives of DataGuard blocking files opened from Windows Desktop and Documents. I have enabled OneDrive backup which makes a backup of Desktop and Documents to OneDrive. When a client opens a file from Documents, dataguard blocks it:

Type: ransomware access control

Target: C:\Users\Username\Documents\filename.xlsx

Infected object: C:\Users\Username\AppData\Local\Microsoft\OneDrive\OneDrive.exe


Today it blocked GoToMeeting from accessing a file from Desktop claiming infection again:

Type: ransomware access control

Target: C:\Users\Username\Desktop\GoToWebinar 000.png

Infected Object: C:\Users\Username\AppData\Local\GoToMeeting\19228\g2mui.exe


It has blocked several different filetypes.


What can be done to resolve these false positives?

Answers

  • MonikaLMonikaL Posts: 179 Moderator

    Hi,

    If you suspect that:

    A clean file has been falsely detected as malicious, you can submit the file to our labs for further investigation. To submit a sample file, go to the following page: https://www.f-secure.com/en/web/labs_global/submit-a-sample#sample-file

    Select the File Sample tab.

    Click Choose File, and attach your sample file.

    Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.

    Note: Subject and description should be written in English.

    Verify that you are not a robot with reCAPTCHA.

    Click Submit sample file.

    The sample submission is analyzed by our analysts and the databases will be updated if necessary.

  • RefreshInternalRefreshInternal Posts: 11 New Member

    Since I had over 50 alerts all connected to OneDrive with several different filetypes (jpg,png,csv,txt,dwg,xlsx) it seemed very unlikely that they were all infected.

    I added OneDrive Path to trusted applications manually:

    %USERPROFILE%\AppData\Local\Microsoft\OneDrive\OneDrive.exe

    This fixed the problem. It would be great if OneDrive would be trusted by F-Secure by default.

  • MonikaLMonikaL Posts: 179 Moderator

    Hi,

    If the blocked application (OneDrive.exe, Firefox.exe, Chrome.exe, etc.) is in the Windows Users or AppData directory, it is not by default a trusted application location and therefore it will be blocked if it tries to modify a file that is located in a protected path. You can view the currently trusted application paths from the PSB Portal:

    Log in to the PSB Portal

    Go to the Devices page

    Click a device that has DataGuard enabled

    In the Protection status tab, click on the DataGuard (Premium) section 

    This will show you the currently protected paths and the currently trusted application paths.


    To not have DataGuard block an application, you can either:

    1. Install the application to a trusted path, such as C:\Program Files (x86)\
    2. Add the application path to the Manually added trusted applications and folders list.
Sign In or Register to comment.