I am creating the rules shown in Protecting against Cryptolocker & Cryptowall and all seems fine barring rule#8 regarding the scr files.
There are lots of events being triggered by SVCHOST.EXE and is to do with general windows screensavers.
Source Process Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Target File Name: C:\Windows\System32\Mystify.scr
I cannot see anyway of allowing this through other than whitelisting SVCHOST.EXE which I dont really want to do.