I am trying to configure a user defined access protection rule to block **\*.scr files as per the Cryptolocker message that went out last month. So far I have been able to make the appropriate exe exceptions but I am running into a problem with a number of events that don't show an exe as the process name. Example is below:
Threat Source Process Name: C:\Windows\system32\Bubbles.scr
I have tried to exclude the .scr in the access protection rule but not being an exe it did not seem to have any impact. I would like to eventually select the "Block" check box for this rule. Has anyone else seen this or have any solution for it?
Thanks in advance!
Try to create a new user-defined rule, choose file and folder, type **\.scr, and then block what you want to block when writing... Then you block only for that rule.
My advice would be to test this rule on a single machine, choosing only report mode to see the impact, and if the impact is the one that you want, then implement the blocking mode.
I do have this rule setup on a few machines in report mode so that I am not affecting anything. My rule is shown below:
Looking at the events in reporting mode is what is showing the .scr as the process name and I cannot fully implement the block on this rule until I am sure that production systems will not be affected.
I am not sure if this is the correct way to fix it but I uninstalled and reinstalled the VSE software. After that the appropriate exe's were being reported back in the Threat Source Process Name field.