F-Secure’s premium business products include multiple modules that detect and protect devices from a multitude of cyber threats. DataGuard is one such module that protects specific folders from ransomware encryption by enabling write protection. The predefined folders used by DataGuard include the documents, desktop, pictures, videos, music and favourites folders which are assigned to each user profile. DataGuard monitors and allows trusted applications to modify the contents of these folders while untrusted applications have read-only access and are blocked from modifying these folders.
During a ransomware attack, the attacking application or script actively seeks out important user files and then encrypts them. The owner is then blackmailed into paying a large sum to decrypt their files. MS Windows operating systems and other applications can easily be restored, but the same cannot be said for important and valuable user data.
F-Secure’s DataGuard scans the device and checks a predefined list of trusted applications which will automatically be allowed to modify the contents of the protected folders. Trusted applications can also be added manually. By default, all applications installed in the directories C:\Program Files\ and C:\Program Files (x86)\ are trusted. This also includes Windows core system processes.
Sometimes, applications are installed to alternate folders (e.g. C:\new folder\, D:\software\) or run directly from network shares or servers (e.g. \\myserver\program\). Another point to consider is that earlier versions of MS Windows operating systems have different naming conventions compared to later operating systems. This impacts how trusted applications can be added. DataGuard will block applications outside of its defined scope. The block alert will be shown as “Ransomware Access Control” and identifies the offending application and modification attempt.
Adding applications to DataGuard’s Trusted list:
- First, determine what the application’s intended actions are by looking at the application path and the file it is attempting to modify.
- Confirm the application’s authenticity and the user’s action.
- Add the full application path, including its extension to DataGuard Trusted Applications.
- Add the application’s installation folder path (this trusts the application and any other application in the same folder, including subfolders).
Once the device polls for an update, the block will be resolved. If not, confirm the configured application location.
Tips
• Always confirm the authenticity of the application and the action, as some ransomware uses built-in MS Windows components to perform its encryption.
• Avoid removing protected folders from DataGuard’s protection as it may prove harmful in the event of an attack.
• System variables can be used when adding a path that may differ from user to user, e.g. %userprofile%\appdata\local\google\chrome\ (system variable = %userprofile%).
• When adding folders, remember to add a backslash (\) at the end of the path.
• Full application paths must end with the extension.
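The following script is an added example for this article; it is not F-Secure code and does not reproduce DataGuard's internal matching logic. It applies the entry rules from the procedure and tips above (folder entries end with a backslash and cover subfolders, application entries are full paths ending with the extension, %userprofile%-style variables are expanded) to decide whether a path reported in a "Ransomware Access Control" alert would be covered by a configured trusted list. The trusted entries, the sample alert paths and the value of %userprofile% are constructed for the example; case-insensitive comparison is assumed to match how Windows treats paths.

```python
"""Check a path from a "Ransomware Access Control" alert against a list of
DataGuard-style trusted entries.  Added example for this article; it is not
F-Secure code and does not reproduce DataGuard's internal matching logic."""
import ntpath
import re

# Assumed entry syntax, taken from the article's tips:
#   folder entry      -> ends with a backslash, trusts the folder and all subfolders
#   application entry -> full path that ends with the file extension
_VAR_RE = re.compile(r"%([^%]+)%")


def expand_vars(path, variables):
    """Expand %name% system variables from the given mapping (case-insensitive).
    Unknown variables are left in place so a typo in an entry stays visible."""
    lookup = {k.lower(): v for k, v in variables.items()}
    return _VAR_RE.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def normalise(path, variables):
    """Expand variables, collapse '.'/'..' and apply Windows case folding,
    so that entries and alert paths compare the way Windows treats them."""
    return ntpath.normcase(ntpath.normpath(expand_vars(path, variables)))


def classify_entry(entry):
    """Return (kind, reason) where kind is 'folder', 'application' or 'invalid'."""
    if entry.endswith("\\"):
        return "folder", ""
    if ntpath.splitext(entry)[1]:
        return "application", ""
    return "invalid", "folder paths must end with '\\'; application paths must end with the extension"


def validate_entries(entries):
    """Classify every configured entry; useful before pushing a policy."""
    return [(entry,) + classify_entry(entry) for entry in entries]


def is_trusted(blocked_path, entries, variables):
    """Return (True, matching_entry) if the blocked path is covered by a valid
    entry, otherwise (False, None).  Invalid entries are ignored, which is the
    usual reason a freshly added application is still blocked."""
    target = normalise(blocked_path, variables)
    for entry in entries:
        kind, _ = classify_entry(entry)
        if kind == "invalid":
            continue
        norm = normalise(entry, variables)
        if kind == "application" and norm == target:
            return True, entry
        if kind == "folder":
            # normpath may drop the trailing separator; put it back so that
            # "C:\Program Files\" cannot match "C:\Program Files (x86)\..."
            prefix = norm if norm.endswith("\\") else norm + "\\"
            if target.startswith(prefix):
                return True, entry
    return False, None


# Constructed sample policy and alert paths (not taken from a real deployment).
TRUSTED_ENTRIES = [
    "C:\\Program Files\\",
    "C:\\Program Files (x86)\\",
    "%userprofile%\\appdata\\local\\google\\chrome\\",
    "D:\\software\\backup\\backup.exe",
    "\\\\myserver\\program\\",
    "C:\\new folder\\tool",        # invalid: no extension and no trailing backslash
]
VARIABLES = {"userprofile": "C:\\Users\\alice"}   # constructed sample value

if __name__ == "__main__":
    for entry, kind, reason in validate_entries(TRUSTED_ENTRIES):
        if kind == "invalid":
            print(f"fix entry {entry!r}: {reason}")
    for alert_path in [
        "C:\\Program Files\\Vendor\\app.exe",
        "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
        "\\\\myserver\\program\\bin\\run.exe",
        "C:\\new folder\\tool.exe",
        "C:\\Temp\\unknown.exe",
    ]:
        trusted, matched = is_trusted(alert_path, TRUSTED_ENTRIES, VARIABLES)
        print(f"{alert_path}: {'trusted via ' + matched if trusted else 'still blocked'}")
```

Running it shows why the two syntax tips matter: the entry `C:\new folder\tool` is reported as invalid and therefore does not unblock `C:\new folder\tool.exe`, while the trailing backslash on folder entries is what stops `C:\Program Files\` from silently covering everything under `C:\Program Files (x86)\` or any other folder that merely shares the prefix.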