Recently joined after finding the community useful for quite a while. I have a question with regard to CryptoLocker, and was hoping the vast amount of experience out there might prove helpful.

We are a McAfee shop, with their VSE product as our primary AV. Some time back, we got hit with CryptoLocker, but were able to recover due to timely backups. At the time of the infection, I put in place several rules in the McAfee policy to block the creation of executables in the various locations CryptoLocker is known to use.
Also, to alert me when this ruleset gets fired, I created an automated response to send out an email. Unfortunately, the rules fire far more than I expected. In the past couple weeks, I have about 700 instances of the rule being triggered, and we have about 1400 computers in the environment. In looking through the alerts, it looks as if a majority of them are false positives for svchost.exe. After reading through the details for CryptoLocker, it seems that the malware uses a randomly generated name in most cases. In trying to balance this ruleset out a bit, I was thinking of removing svchost.exe from triggering. I am aware of the role this file/process plays in malware, but I want to strike a balance in these rules. When 99% or so of triggers are false positives, the rules don't do much good because there is too much chatter.
So, I was looking for anyone to add their experience with CryptoLocker. Does it utilize svchost.exe in any noticeable way during creation? Any thoughts or opinions on this? Any information provided will be greatly appreciated.
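One way to make the tuning decision from data rather than from the raw alert volume, as an added example that is not part of the original post and does not use any McAfee API: it reads a constructed CSV export of access-protection alerts (the column names, paths and rows are all made up for the example), counts triggers per source process, and lists which target directories svchost.exe was writing into with the per-user part of the path generalized, so an exclusion can be scoped to process plus directory instead of dropping svchost.exe from the rule entirely. The last helper flags source processes that run from outside the Windows and Program Files trees for manual review; that heuristic is my assumption here, not something the post states.

```python
"""Triage of access-protection alerts: which process/path pairs generate the noise.

Added example, not code from the original post. The CSV layout and every row in
SAMPLE_ALERTS are constructed to resemble, not reproduce, a McAfee VSE alert export.
"""
import csv
import io
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample export (rule name, source process, target file). Not real data.
SAMPLE_ALERTS = """rule,process,target
Block exe creation (CryptoLocker rule set),C:\\Windows\\System32\\svchost.exe,C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe
Block exe creation (CryptoLocker rule set),C:\\Windows\\System32\\svchost.exe,C:\\Users\\bob\\AppData\\Local\\Temp\\patch.exe
Block exe creation (CryptoLocker rule set),C:\\Windows\\System32\\svchost.exe,C:\\Windows\\SoftwareDistribution\\Download\\abc.exe
Block exe creation (CryptoLocker rule set),C:\\Users\\carol\\AppData\\Roaming\\kjhgf.exe,C:\\Users\\carol\\AppData\\Roaming\\qwe.exe
Block exe creation (CryptoLocker rule set),C:\\Windows\\System32\\svchost.exe,C:\\Users\\dave\\AppData\\Local\\Temp\\update.exe
Block exe creation (CryptoLocker rule set),C:\\Program Files\\Vendor\\installer.exe,C:\\Users\\erin\\AppData\\Local\\Temp\\setup.exe
"""

# Trusted source-process roots for the review heuristic (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_alerts(text):
    """Parse the CSV export into a list of dicts with keys rule, process, target."""
    return list(csv.DictReader(io.StringIO(text)))


def triggers_by_process(alerts):
    """Count alerts per source-process file name (case-insensitive)."""
    return Counter(PureWindowsPath(a["process"]).name.lower() for a in alerts)


def noise_share(alerts, process_name="svchost.exe"):
    """Fraction of all alerts attributed to one source process name."""
    total = len(alerts)
    hits = triggers_by_process(alerts)[process_name.lower()]
    return hits / total if total else 0.0


def generalize_dir(path):
    """Directory of a target path, lowercased, with the user name under C:\\Users
    replaced by '*' so the same drop location aggregates across users."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    if len(parts) >= 3 and parts[1] == "users":
        parts[2] = "*"
    return "\\".join([parts[0].rstrip("\\")] + parts[1:])


def targets_for_process(alerts, process_name="svchost.exe"):
    """Generalized target directories one process wrote into, with counts.
    A narrow exclusion (this process + this directory) keeps the rule active
    for every other path the process might touch."""
    dirs = Counter()
    for a in alerts:
        if PureWindowsPath(a["process"]).name.lower() == process_name.lower():
            dirs[generalize_dir(a["target"])] += 1
    return dirs


def suspicious_sources(alerts):
    """Source processes running from outside the trusted roots, for manual review."""
    found = set()
    for a in alerts:
        proc = a["process"].lower()
        if not proc.startswith(TRUSTED_ROOTS):
            found.add(proc)
    return sorted(found)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("triggers by process:", dict(triggers_by_process(alerts)))
    print("svchost.exe share of alerts: %.0f%%" % (100 * noise_share(alerts)))
    print("svchost.exe target directories:", dict(targets_for_process(alerts)))
    print("source processes to review:", suspicious_sources(alerts))
```

Run it against a real export by replacing SAMPLE_ALERTS with the file contents (column names adjusted to whatever the console actually exports); the per-directory counts are what tell you whether a process-plus-directory exclusion would remove most of the chatter while leaving the rule in force elsewhere.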