2 Replies Latest reply on May 2, 2014 8:12 AM by Scott Sadlocha

    VSE CryptoLocker Rules and Svchost.exe

    Scott Sadlocha

      Hello All,

I have a question with regard to CryptoLocker, and was hoping someone out there might be able to help. Some time back, we got hit with CryptoLocker, but were able to recover due to timely backups. At the time of the infection, I put in place several Access Protection rules in the McAfee policy to block the creation of executables in the various locations CryptoLocker is known to use.


      Also, to alert me when this ruleset gets fired, I created an automated response to send out an email. Unfortunately, the rules fire far more than I expected. In the past couple weeks, I have about 700 instances of the rule being triggered, and we have about 1400 computers in the environment. In looking through the alerts, it looks as if a majority of them are false positives for svchost.exe. After reading through the details for CryptoLocker, it seems that the malware uses a randomly generated name in most cases. In trying to balance this ruleset out a bit, I was thinking of removing svchost.exe from triggering by creating an exclusion. I am aware of the role this file/process plays in malware, but I want to strike a balance in these rules. When 99% or so of triggers are false positives, the rules don't do much good because there is too much chatter.


      So, I was looking for anyone to add their experience with CryptoLocker. Does it utilize svchost.exe in any noticeable way during creation? Did anyone else create these under User-defined Rules? Any thoughts or opinions on this? Any information provided will be greatly appreciated.
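Added example (not from the original post or from McAfee): a small triage script that tallies rule triggers by process name and compares two ways of quieting the svchost.exe chatter. The alert layout, host names and paths below are constructed sample data, not VSE's real export format; the point it shows is that an exclusion on the bare name `svchost.exe` also silences an executable that merely calls itself svchost.exe from a user-writable folder, whereas an exclusion scoped to the trusted System32/SysWOW64 copies keeps that case visible.

```python
from collections import Counter

# Constructed sample of Access Protection alerts (my own pipe-delimited layout,
# not McAfee's real export format): time|host|process path|target path|rule
SAMPLE_ALERTS = r"""
2014-04-28 09:12:01|PC0017|C:\Windows\System32\svchost.exe|C:\Users\jdoe\AppData\Local\Temp\abcd1234.exe|Block exe in Temp
2014-04-28 09:14:44|PC0203|C:\Windows\System32\svchost.exe|C:\Users\asmith\AppData\Local\Temp\update.exe|Block exe in Temp
2014-04-28 10:02:10|PC0450|C:\Users\asmith\AppData\Roaming\qwv7xa.exe|C:\Users\asmith\AppData\Local\Temp\qwv7xa.exe|Block exe in Temp
2014-04-28 11:30:05|PC0017|C:\Users\jdoe\AppData\Local\Temp\svchost.exe|C:\Users\jdoe\AppData\Roaming\svchost.exe|Block exe in AppData
2014-04-28 12:00:00|PC0100|C:\Windows\SysWOW64\svchost.exe|C:\ProgramData\Microsoft\Windows\WER\Temp\x.exe|Block exe in ProgramData
"""

# Only the genuine service host binaries count as trusted (compared case-insensitively).
TRUSTED_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

def parse_alerts(text):
    """Turn the pipe-delimited sample into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, target, rule = line.split("|")
        rows.append({"ts": ts, "host": host, "proc": proc, "target": target, "rule": rule})
    return rows

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def count_by_process(rows):
    """How much of the alert chatter each process name accounts for."""
    return Counter(basename(r["proc"]) for r in rows)

def simulate_exclusion(rows, by_full_path):
    """Return (suppressed, kept) for an svchost.exe exclusion.

    by_full_path=False mimics excluding the bare name 'svchost.exe';
    by_full_path=True excludes only the trusted System32/SysWOW64 copies.
    """
    suppressed, kept = [], []
    for r in rows:
        proc = r["proc"].lower()
        benign = proc in TRUSTED_SVCHOST if by_full_path else basename(proc) == "svchost.exe"
        (suppressed if benign else kept).append(r)
    return suppressed, kept

if __name__ == "__main__":
    rows = parse_alerts(SAMPLE_ALERTS)
    print(count_by_process(rows).most_common())
    for mode in (False, True):
        sup, kept = simulate_exclusion(rows, mode)
        print(f"by_full_path={mode}: suppressed {len(sup)}, kept {len(kept)} for review")
        for r in kept:
            print("   review:", r["host"], r["proc"], "->", r["target"])
```

On the sample, the bare-name exclusion drops four of five alerts and hides the Temp\svchost.exe write; the path-scoped one drops three and leaves both suspicious rows for review.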