Guarding data using F-Secure’s DataGuard

F-Secure’s Premium Business products include multiple modules that detect and protect devices from a multitude of cyber threats. F-Secure’s DataGuard is one such module which focusses on protecting specific folders from ransomware encryption.

How DataGuard works

F-Secure DataGuard protects pre-defined user folders by enabling write protection. The pre-defined folders are Documents, Desktop, Pictures, Videos, Music and Favourites, which are assigned to each user profile. DataGuard then monitors these folders and allows only trusted applications to modify their contents. Untrusted applications have read-only access and are blocked from modifying them.

Why limit write-access to these folders?

During a ransomware attack, the attacking application or script actively seeks out important user files and encrypts them. The owner is then blackmailed into paying a large sum to decrypt their files. The Windows OS and other applications can easily be reinstalled or restored, but the same cannot be said for important user data.

When are applications trusted?

F-Secure DataGuard scans the device and checks a predefined list of trusted applications. These will automatically be allowed to modify the contents of the protected folders. Trusted applications can also be added manually. By default, all applications installed in the directories C:\Program Files\ and C:\Program Files (x86)\ are trusted. This also includes Windows core system processes.

What happens to applications not installed in trusted locations?

Sometimes, applications are installed to alternate folders (e.g. C:\new folder\, D:\software\) or run directly from network shares or servers (e.g. \\myserver\program\). Another point to consider is that earlier versions of Windows use different path naming conventions compared to later versions, which affects how trusted applications must be added. DataGuard will block applications outside of its defined scope. The block alert is shown as “Ransomware Access Control” and identifies the offending application and the modification attempt.

Local Device Alert

F-Secure PSB Cloud portal (Cloud subscription) Alert

F-Secure Policy Manager (On-Premise Subscription) Alert

Adding applications to DataGuard’s Trusted list

  1. Determine what the application’s intended actions are by looking at the application path and the file it is attempting to modify.
  2. Confirm the application’s authenticity and the user’s action.
  3. Add the full application path, including its file extension, to DataGuard Trusted Applications (this trusts only that specific application).
  4. Alternatively, add the application’s installation folder path (this trusts that folder and every application in it, including subfolders).
  5. PSB Cloud Portal (Cloud Subscription): Profiles → Select profile in use → DataGuard tab → Access Control List. Once added, save the profile, as below.

F-Secure Policy Manager (On-Premise Subscription): Settings → DataGuard. Once added, distribute the policy, as shown below.

Once the device polls for an update, the block will be resolved. If not, confirm the configured application location.

Tips:

  1. Always confirm the authenticity of the application and the action, as some ransomware performs its encryption using built-in Windows components.
  2. Avoid removing protected folders from DataGuard’s protection, as it may prove harmful in the event of an attack.
  3. System variables can be used when adding a path that may differ from user to user, e.g. %userprofile%\appdata\local\google\chrome\ (system variable = %userprofile%).
  4. When adding folders, remember to add a backslash (\) at the end of the path.
  5. Full application paths must end with the extension.
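As an added example (not F-Secure’s code), the following PowerShell pre-flight check applies the conventions from the steps and tips above to a candidate trusted-list entry before it is added to the policy: folder entries must end in a backslash, application entries must end in their file extension, %userprofile%-style variables are expanded, and the file’s Authenticode signature is inspected as one input to the authenticity check in step 2 and tip 1. The function name and the sample entries are constructed; paths are checked as the current user sees them.

```powershell
# Added example, not F-Secure's code: pre-flight check for a candidate DataGuard
# trusted-list entry. Assumes the page's conventions: folder entries end in "\",
# application entries end in their file extension, and %userprofile%-style
# variables are allowed. Sample entries at the bottom are constructed.
function Test-DataGuardTrustedEntry {
    param([Parameter(Mandatory)][string]$Entry)

    # Expand %userprofile% etc. for the current user so the path can be checked.
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)
    $r = [ordered]@{ Entry = $Entry; Expanded = $expanded; Kind = 'Invalid'
                     Exists = $false; Signature = 'n/a'; Signer = $null; Warnings = @() }

    if ($Entry.EndsWith('\')) {
        # Folder entry: trusts every application in the folder and its subfolders.
        $r.Kind   = 'Folder'
        $r.Exists = Test-Path -LiteralPath $expanded -PathType Container
        if ($r.Exists) {
            $exes = Get-ChildItem -LiteralPath $expanded -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue
            $r.Warnings += "Folder entry would trust $($exes.Count) executable(s) found under it"
        }
        if ($expanded -like 'C:\Program Files*') { $r.Warnings += 'Program Files is already trusted by default' }
    }
    elseif ([IO.Path]::GetExtension($Entry)) {
        # Application entry: trusts only this file, so it must include the extension.
        $r.Kind   = 'Application'
        $r.Exists = Test-Path -LiteralPath $expanded -PathType Leaf
        if ($r.Exists) {
            # Authenticode status is one input to the authenticity check (step 2 / tip 1).
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            $r.Signature = $sig.Status
            if ($sig.Status -eq 'Valid') { $r.Signer = $sig.SignerCertificate.Subject }
            else { $r.Warnings += 'No valid Authenticode signature; confirm the publisher another way' }
        }
    }
    else {
        $r.Warnings += 'Entry must end with "\" (folder) or with the file extension (application)'
    }
    if ($r.Kind -ne 'Invalid' -and -not $r.Exists) { $r.Warnings += 'Path not found for the current user' }
    [pscustomobject]$r
}

# Constructed sample entries: a per-user folder, an application outside Program Files, a malformed folder.
'%userprofile%\AppData\Local\Google\Chrome\', 'D:\software\tool.exe', 'C:\new folder' |
    ForEach-Object { Test-DataGuardTrustedEntry -Entry $_ } | Format-List
```

Run it as the user who triggered the block so that %userprofile% resolves to the same profile DataGuard reported, and treat an unsigned or missing file as a reason to investigate rather than to add the entry.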