cancel
Showing results for 
Search instead for 
Did you mean: 

Trying to block **\*.scr for Cryptolocker rule

Hello,

I am trying to configure a user defined access protection rule to block **\*.scr files as per the Cryptolocker message that went out last month. So far I have been able to make the appropriate exe exceptions but I am running into a problem with a number of events that don't show an exe as the process name. Example is below:

Threat Source Process Name:C:\Windows\system32\Bubbles.scr

I have tried to exclude the .scr in the access protection rule but not being an exe it did not seem to have any impact. I would like to eventually select the "Block" check box for this rule. Has anyone else seen this or have any solution for it?

Thanks in advance!

3 Replies

Re: Trying to block **\*.scr for Cryptolocker rule

Hi,

Try to create a new user define rule, choose file and folder and typee **\.scr and then block What you want to block when writing..... Then you block only for that rule.

My advice would be to test this rule in a single Machine chosing only report mode to see the impact and if the impact is the one that you want then implement the blocking mode.

Best regards,

Jose Maria

Highlighted

Re: Trying to block **\*.scr for Cryptolocker rule

I do have this rule setup on a few machines in report mode so that I am not affecting anything. My rule is shown below:

AP Rule For Scr.PNG

Looking at the events in reporting mode is what is showing the .scr as the process name and I cannot fully implement the block on this rule until I am sure that production systems will not be affected.

Thanks!

Re: Trying to block **\*.scr for Cryptolocker rule

I am not sure if this is the correct way to fix it but I uninstalled and reinstalled the VSE software. After that the appropriate exe's were being reported back in the Threat Source Process Name field.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community