1. Create an "Application and Device Control" rule.
"Apply this rule to the following processes:" *
Add "File and Folder Access Attempts"
1.1. "Properties" of File and Folder Access Attempts
Apply to the following files and folders:
decrypt all*.txt
decrypt_instruction*.txt
*.doc.???????
*.docx.???????
*.xls.???????
*.xlsx.???????
*.pdf.???????
*.rtf.???????
*.txt.???????
*.zip.???????
*.pst.???????
*.locky
*.crypted
*.encryptedRSA
Do not apply to the following files and folders:
*.???.???
*.partial
1.2. "Actions":
Under the "Launch Process Attempts":
properties:
Apply to the following processes:
new "cryptolocker" and "download.ponic" variants md5's
Actions:
Terminate process, Enable logging, severity - 0, Send e-mail alert.
2. Create a "Notification condition" under Monitors/Notifications:
Done.
When the malware makes an action (encrypts any files), SEPM generates a mail to system administrators.
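To check which file names the include and exclude patterns above actually catch before deploying the rule, the following added example (not part of the original procedure and not Symantec code) evaluates constructed Windows paths against the rule's globs. It assumes the SEPM semantics of "*" as any run of characters, "?" as exactly one character, case-insensitive name matching, and a "Do not apply" exclusion overriding an inclusion.

```python
import fnmatch
import ntpath

# Include patterns, copied from step 1.1 of the rule above.
INCLUDE_PATTERNS = [
    "decrypt all*.txt", "decrypt_instruction*.txt",
    "*.doc.???????", "*.docx.???????", "*.xls.???????", "*.xlsx.???????",
    "*.pdf.???????", "*.rtf.???????", "*.txt.???????", "*.zip.???????",
    "*.pst.???????", "*.locky", "*.crypted", "*.encryptedRSA",
]
# "Do not apply" patterns from step 1.1; assumed to win over any inclusion.
EXCLUDE_PATTERNS = ["*.???.???", "*.partial"]


def _matches_any(name, patterns):
    # Assumed SEPM semantics: case-insensitive, '?' is exactly one character,
    # '*' is any run of characters (fnmatchcase implements exactly that).
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def rule_fires(path):
    """True if an access to `path` would trigger the rule: the file name is
    covered by an include pattern and not by an exclude pattern."""
    name = ntpath.basename(path)  # ntpath handles backslash paths on any OS
    if _matches_any(name, EXCLUDE_PATTERNS):
        return False
    return _matches_any(name, INCLUDE_PATTERNS)


def evaluate(paths):
    """Map each path to whether the rule fires, for a dry run of the pattern set."""
    return {p: rule_fires(p) for p in paths}


# Constructed sample paths (not taken from any real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.a1b2c3d",   # 7-char appended extension
    r"C:\Users\alice\Documents\report.docx.locky",     # *.locky
    r"C:\Users\alice\Desktop\decrypt_instruction.txt", # ransom note
    r"C:\Users\alice\Downloads\archive.tar.gz",        # benign, no pattern
    r"C:\temp\notes.txt.bak",                          # benign, excluded by *.???.???
    r"\\fileserver\share\contract.pdf.partial",        # exclusion overrides
]

if __name__ == "__main__":
    for path, fired in evaluate(SAMPLE_PATHS).items():
        print(f"{'FIRE ' if fired else 'pass '} {path}")
```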