Showing results for 
Search instead for 
Did you mean: 

Trying to block **\*.scr for Cryptolocker rule


I am trying to configure a user defined access protection rule to block **\*.scr files as per the Cryptolocker message that went out last month. So far I have been able to make the appropriate exe exceptions but I am running into a problem with a number of events that don't show an exe as the process name. Example is below:

Threat Source Process Name:C:\Windows\system32\Bubbles.scr

I have tried to exclude the .scr in the access protection rule but not being an exe it did not seem to have any impact. I would like to eventually select the "Block" check box for this rule. Has anyone else seen this or have any solution for it?

Thanks in advance!

3 Replies

Re: Trying to block **\*.scr for Cryptolocker rule


Try to create a new user define rule, choose file and folder and typee **\.scr and then block What you want to block when writing..... Then you block only for that rule.

My advice would be to test this rule in a single Machine chosing only report mode to see the impact and if the impact is the one that you want then implement the blocking mode.

Best regards,

Jose Maria

Re: Trying to block **\*.scr for Cryptolocker rule

I do have this rule setup on a few machines in report mode so that I am not affecting anything. My rule is shown below:

AP Rule For Scr.PNG

Looking at the events in reporting mode is what is showing the .scr as the process name and I cannot fully implement the block on this rule until I am sure that production systems will not be affected.


Re: Trying to block **\*.scr for Cryptolocker rule

I am not sure if this is the correct way to fix it but I uninstalled and reinstalled the VSE software. After that the appropriate exe's were being reported back in the Threat Source Process Name field.