I am looking at creating a new rule to block access from an .exe in the AppData folder to any file (this is to stop CryptoLocker from encrypting any files).
I have created this rule, but I am unsure of the wildcard of **.*.
Will it a) work, and b) cause a massive overhead on the scan engine?
I think the rule which you are looking for is the one below. The one you have created will not work.
You need to include all processes (*) and then block the path C:\**\AppData\**\*.exe
It will not cause a massive overhead on the scan engine.
Please test this and let me know.
Thanks for the quick reply.
I have already created a rule to block the EXE running from the AppData folder.
I was looking at blocking CryptoLocker from encrypting files.
Then create rules like this for the Office files (the files most commonly affected by CryptoLocker).
In the processes to include you need to add all processes (*), and then the file or folder to block is where you put the condition.
Please let me know if it works.