After upgrading to Server Security 14.00 or Client Security 14.10 the NTUSER.DAT file is getting corrupted
After upgrading Server Security to version 14.00, the NTUSER.DAT file is often corrupted when loading server-based profiles
Same issue with upgrade to Client Security 14.10
Avdaemon.dll is doing multiple service tasks. One of tasks is the setting conversion and resolving paths environment profiles e.g. %desktop% using user profile and loads each profile into memory. In this case Windows cannot find the local profile and is logging the user with a temporary profile. Changes you make to this profile will be lost when you log off. Ransomware loads user profile aka ntuser.dat to resolve protected path. It seems that it is doing it, even if anti-Ransomware is off.
This issue will be fixed in the next versions of the products.
Currently we have hotfix FSCS1410-HF11 that fixes the issue, but before applying the hotfix, which contains a new avdaemon.dll file, make sure the steps below help you resolve the issue:
Contact F-Secure support and we will provide you with the hotfix FSCS1410-HF11 and the new avdaemon.dll file
Rename avdaemon.dll on one of the affected hosts and restart fshoster service to see if this helps. The avdaemon.dll is located here: C:\Program Files (x86)\F-Secure\Client Security and C:\Program Files (x86)\F-Secure\Server Security
If the renaming avdaemon.dll solves the issue, replace the avdaemon.dll file with the fixed version and restart the fshoster service
If the replacement helped, you can apply hotfix FSCS1410-HF11 on all of your affected clients
Follow these steps to install the hotfix to centrally managed computers:
Log into F-Secure Policy Manager Console
Select Installation tab
Click Installation packages
Import the hotfix jar file
Select appropriate domain or host from the Domain Tree