
Cryptolocker rule triggering false positives

I am creating the rules shown in Protecting against Cryptolocker & Cryptowall and all seems fine barring rule #8 regarding the scr files.

There are lots of events being triggered by SVCHOST.EXE, and they are to do with general Windows screensavers.

Source Process Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE

Target File Name: C:\Windows\System32\Mystify.scr

I cannot see any way of allowing this through other than whitelisting SVCHOST.EXE, which I don't really want to do.

Any suggestions?

Thanks

Lee