F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Aspirant

When logging in, we use login scripts that are located on a domain controller. As a trusted application within DataGuard, we have set the netlogon directory %LOGONSERVER%\NETLOGON\ in Policy Manager. Nevertheless, we get the error when logging in that the program could not be trusted.

Aspirant

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Messages:

Date: 2018-03-23  08:18:20+01:00
Host: machine01.test.com (10.1.10.22, ::1) Computer name: MACHINE01 User account: MACHINE01-COM\testuser
Product: F-Secure DeepGuard (OID: 1.3.6.1.4.1.2213.53)
Severity: security alert (5)
Message: DataGuard prevented an untrusted application from modifying protected files.
 
Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE
File: C:\Users\testuser\Desktop\Internet Explorer.lnk

Superuser

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Hello,

 

> Message: DataGuard prevented an untrusted app from modifying protected files
> Application: \\DOMAINCO-01\NETLOGON\KIX32.EXE

 

I'm afraid you may be out of luck here, as this knowledge base article says:

 

https://community.f-secure.com/t5/Business/Using-wildcards-in-exclusions/ta-p/20428

 

"...DeepGuard supports exclusions configured for real-time protection but they need to meet the following criteria:
- Device names are not supported; use standard paths with drive letters and

- Wildcards are not supported. Examples:

 

Wrong: \\Device\\HarddiskVolume1\\CodeMeter\\*
Correct: c:\Program files (x86)\CodeMeter"

 

I would suggest submitting the .EXE file to F-Secure virus lab at:
https://www.f-secure.com/en/web/labs_global/submit-a-sample

Tick the "more details" checkbox and fill in the details, so you can receive a response. Maybe they will be able to create a "false alarm" style correction in the database update, thereby solving your problem?

 

Best Regards: Tamas Feher, Hungary.

Aspirant

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Hello
thanks for this quick reaction.
However, the problem is not recognized.
The KIX file is not blocked by antivirus, but by DeepGuard.
Therefore, changes in the database will bring nothing.
We also do not use wildcards.
System variables are used that are familiar to every Windows system (%LOGONSERVER%).
This is also supported according to Policy Manager.
But it probably does not work with exactly these variables.

F-Secure

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Hello HolMi,

 

> But it probably does not work with exactly these variables.

 

You are right. In PM Console, the help text for the field "Folder" in the "Protected folders" table contains the list of supported environment variables:

%UserProfile%, %HomeDrive%, %HomePath%, %ProgramData%, %WinDir%, %SystemRoot%, %SystemDrive%, %ProgramFiles%, and %ProgramFiles(x86)%.

 

The same limitation affects the "Trusted applications" table. Sorry for the inconvenience.

 

Best regards,

Vad
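
A pre-deployment check for Policy Manager path entries, built only from the restrictions quoted in this thread (supported variable list, no device names, no wildcards). This is an added example, not F-Secure code; the function names, result strings and sample list are assumptions made for illustration.

```python
import re

# Variables listed in the PM Console help text quoted in the thread.
SUPPORTED_VARS = {
    "userprofile", "homedrive", "homepath", "programdata", "windir",
    "systemroot", "systemdrive", "programfiles", "programfiles(x86)",
}

VAR_RE = re.compile(r"%([^%]+)%")
# Device-name form as written in the quoted KB example (\\Device\\...).
DEVICE_RE = re.compile(r"^\\+device\\+", re.IGNORECASE)


def check_path(entry):
    """Return the list of problems for one path entry (empty list = passes)."""
    problems = []
    path = entry.strip()
    # Any %VAR% outside the documented list is left unexpanded by the product,
    # so the entry would never match the running executable.
    for name in VAR_RE.findall(path):
        if name.strip().lower() not in SUPPORTED_VARS:
            problems.append("unsupported-variable:" + name.strip())
    if DEVICE_RE.match(path):
        problems.append("device-name")
    if "*" in path or "?" in path:
        problems.append("wildcard")
    return problems


def lint(entries):
    """Map each failing entry to its problems; passing entries are omitted."""
    return {e: p for e in entries if (p := check_path(e))}


# Sample entries: the first is the path from the original question, the next
# two are the KB's "Wrong"/"Correct" examples, the last one is constructed.
SAMPLE_ENTRIES = [
    r"%LOGONSERVER%\NETLOGON" + "\\",
    r"\\Device\\HarddiskVolume1\\CodeMeter\\*",
    r"c:\Program files (x86)\CodeMeter",
    r"%ProgramFiles(x86)%\CodeMeter",
]

if __name__ == "__main__":
    for entry, problems in lint(SAMPLE_ENTRIES).items():
        print(f"{entry}: {', '.join(problems)}")
```
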

Superuser

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Hello,

 

> The KIX file is not blocked by antivirus, but by DeepGuard.
> Therefore, changes in the database will bring nothing

 

F-Secure Viruslab is also able to fix DeepGuard false alarms centrally, because there is the ORSP cloud tech and also DG has updates, for example the current one is 2018-03-23_01.

 

Best Regards: Tamas Feher, Hungary.

Aspirant

Re: F-Secure Client Premium 13.10 - DataGuard with NETLOGON

Reviewed this morning with the latest DeepGuard database from yesterday evening. The described behavior has not changed so far.