0 Replies Latest reply on Dec 17, 2015 8:39 AM by lee@dovehousehospice

    Cryptolocker rule triggering false positives


      I am creating the rules shown in Protecting against Cryptolocker & Cryptowall and all seems fine barring rule #8 regarding the scr files.


      There are lots of events being triggered by SVCHOST.EXE, and they are to do with general Windows screensavers.


      Source Process Name: C:\WINDOWS\SYSTEM32\SVCHOST.EXE


      Target File Name: C:\Windows\System32\Mystify.scr


      I cannot see any way of allowing this through other than whitelisting SVCHOST.EXE, which I don't really want to do.


      Any suggestions?