I put in a rule to block execution and creation of .scr files last November. Never once in over a year have I had any events come in that referenced scrnsave.scr. All of a sudden, this past Thursday we started getting a flood of events coming in where the threat source and target are both scrnsave.scr in C:\Windows\System32. We've run scans with several malware scanners, GetSusp, and full scans with updated definitions with VSE. Nothing is being detected. Is there anything I should be doing to go a little deeper?
The events might be generated because of new Access Protection policies that you have defined.
If the policy tells VSE to block execution of SCR files and VSE blocks an SCR file, then a log entry will be created.
Review the threat event from any client machine and check which policy is responsible for the alert.
The problem is that this AP policy is not new. It's been in place for over a year and the violations of the rule with this specific file just started a little over a week ago, for the first time.
Did you deploy any screen savers from GPO to client machines?
Maybe a screen saver file or a script is being blocked by these AP rules.
Can you check which file is being blocked at the client end?
We haven't. I thought for sure I would discover the screensaver defaulted to the one listed on a few of these, but on every one I checked it was set to "none". I checked on a few and the file date/version was the same as on our "good systems" that have not had any alerts. I'm having a really hard time finding what could be triggering these. I've dug through Event Viewer for events around the time of the AP violations and there is nothing consistent or common between events on the systems. We looked for any recently deployed apps common to those systems and several had nothing that is non-standard. I've run full scans with new DATs even a week after the violations, run GetSusp, etc. I don't see anything "fishy" at all. Kind of at a loss right now, but, like I said, these started just 2 weeks ago on about 50 systems out of 5500 and it is the first time in over a year that we've had any of these detections.
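The client-side checks discussed in this thread (what the Access Protection log records for scrnsave.scr, whether the file matches a known-good copy, which screen saver each user hive is actually configured to run, and what else the machine logged around a violation) can be scripted so the same evidence is collected identically on an affected client and on a "good" one. The following PowerShell is an added example, not McAfee's code and not a script from anyone in the thread. It assumes the VSE 8.8 Access Protection log lives at the `$ApLog` path below (verify that on your build), and that `$KnownGoodSha256` is a hash you recorded yourself with `Get-FileHash` on a system that has never alerted; the placeholder value is not a real hash. Run it elevated on an affected client.

```powershell
# Added example for triaging an Access Protection hit on scrnsave.scr.
# Not McAfee's code and not from the original poster; see assumptions below.

$Target          = 'C:\Windows\System32\scrnsave.scr'
# Assumption: VSE 8.8 Access Protection log location; confirm on your deployment.
$ApLog           = 'C:\ProgramData\McAfee\DesktopProtection\AccessProtectionLog.txt'
# Assumption: replace with the SHA-256 you recorded on a machine that never alerted.
$KnownGoodSha256 = 'PUT-KNOWN-GOOD-SHA256-HERE'

function Get-TargetIntegrity {
    # Hash, version and Authenticode status of the file the AP event named.
    $item = Get-Item -LiteralPath $Target
    $sig  = Get-AuthenticodeSignature -FilePath $Target
    $hash = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path             = $Target
        FileVersion      = $item.VersionInfo.FileVersion
        LastWriteUtc     = $item.LastWriteTimeUtc
        SHA256           = $hash
        MatchesKnownGood = ($hash -eq $KnownGoodSha256.ToUpperInvariant())
        SignatureStatus  = $sig.Status   # the Microsoft binary should report 'Valid'
        Signer           = $sig.SignerCertificate.Subject
    }
}

function Get-ApLogHits {
    # Grep rather than parse: the AP log line format differs between VSE builds,
    # so only the presence of the file name on a line is relied on here.
    if (-not (Test-Path -LiteralPath $ApLog)) { Write-Warning "AP log not found: $ApLog"; return }
    Select-String -LiteralPath $ApLog -Pattern 'scrnsave\.scr' | ForEach-Object { $_.Line }
}

function Get-ScreenSaverConfig {
    # Per-user screen saver settings for every loaded hive, the policy location a
    # GPO would write, and .DEFAULT (used at the logon screen). "None" in the UI
    # corresponds to no SCRNSAVE.EXE value being present.
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
    Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^(S-1-5-21-|\.DEFAULT$)' -and $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $user = Get-ItemProperty -Path "HKU:\$sid\Control Panel\Desktop" -ErrorAction SilentlyContinue
            $pol  = Get-ItemProperty -Path "HKU:\$sid\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                SID               = $sid
                ScreenSaveActive  = $user.ScreenSaveActive
                UserScreenSaver   = $user.'SCRNSAVE.EXE'
                PolicyScreenSaver = $pol.'SCRNSAVE.EXE'
                TimeoutSeconds    = $user.ScreenSaveTimeOut
            }
        }
}

function Find-OtherCopies {
    # Any scrnsave.scr outside the expected Windows locations deserves a look;
    # SysWOW64 and WinSxS copies are normal on 64-bit systems and are excluded.
    Get-ChildItem -Path 'C:\' -Filter 'scrnsave.scr' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '^C:\\Windows\\(System32|SysWOW64|WinSxS)\\' } |
        Select-Object FullName, Length, LastWriteTimeUtc
}

function Get-EventsAround {
    param([datetime]$When, [int]$WindowMinutes = 10)
    # Every Application/System/Security event in a window around one violation,
    # so runs from several clients can be diffed for a common trigger.
    $filter = @{
        LogName   = 'Application', 'System', 'Security'
        StartTime = $When.AddMinutes(-$WindowMinutes)
        EndTime   = $When.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
        Sort-Object TimeCreated
}

Get-TargetIntegrity | Format-List
Get-ApLogHits
Get-ScreenSaverConfig | Format-Table -AutoSize
Find-OtherCopies | Format-Table -AutoSize
# Then, for one timestamp copied from an AP log line:
# Get-EventsAround -When (Get-Date '<timestamp from the AP log>') | Format-Table -AutoSize
```

Run the same script on one of the 50 affected clients and on an unaffected one and compare the output side by side: a matching hash and a valid Microsoft signature tell you the binary itself is not the problem, and the screen saver and event output then narrows the question to what is launching it.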