
Blocked execution of .scr file events

I put in a rule to block execution and creation of .scr files last November. Never once in over a year have I gotten any events that referenced scrnsave.scr. All of a sudden this past Thursday we started getting a flood of events coming in where the threat source and target are both scrnsave.scr in C:\Windows\System32. We've run scans with several malware scanners, GetSusp, full scans with updated definitions with VSE. Nothing is being detected. Is there anything I should be doing to go a little deeper?

4 Replies

Re: Blocked execution of .scr file events

Hello Jim,

The events might be generated because of new access protection policies that you have defined.

If the policy tells VSE to block execution of SCR files and VSE blocks SCR files, then a log will be created.

Review the threat event from any client machine and check which policy is responsible for the alert.



Re: Blocked execution of .scr file events


The problem is that this AP policy is not new. It's been in place for over a year and the violations of the rule with this specific file just started a little over a week ago, for the first time.

Re: Blocked execution of .scr file events

Did you deploy any screen savers from GPO to client machines?

Maybe a screen saver file or a script is being blocked by these AP rules.

Can you check which file is being blocked at the client end?

Re: Blocked execution of .scr file events

We haven't. I thought for sure I would discover the screensaver defaulted to the one listed on a few of these, but on every one I checked it was set to "none". I checked on a few and the file date/version was the same as on our "good systems" that have not had any alerts. I'm having a really hard time finding what could be triggering these. I've dug through event viewer for events around the time of the AP violations and there is nothing consistent or common between events on the systems. We looked for any recently deployed apps common to those systems and several had nothing that is non-standard. I've run full scans with new dats even a week after the violations, run GetSusp, etc. I don't see anything "fishy" at all. Kind of at a loss right now, but like I said, these started just 2 weeks ago on about 50 systems out of 5500 and this is the first time in over a year that we've had any of these detections.
