Automated Action For Specific Malware?

Is there any way to automate a task on detection of specific malware?

We're having a lot of problems with Crowti encrypting network shares, and restoring the backups has become a huge time sink. Crowti is being detected pretty early (often before it's been executed), but it's a race against the clock to get to the client PC before things start getting encrypted.

What I'd like to do is have SCCM immediately perform some task (that would disable the client's access to shares, disable the network adapter, or something) as soon as Crowti or even any ransomware is detected. Does SCCM allow something like this to be set up, or is there some other route I could take?

Thanks!

February 12th, 2015 12:12pm

I should note that quarantining isn't cutting it. The malware is somehow working around any attempt to quarantine it. I just want to minimize the damage to the client PC, until we find a better option.
February 12th, 2015 12:16pm

You don't have that many options for reacting to malware. The options you have are located in the policies, in the Default Actions tab. Per classification, not per product, you can select a default action. Basically you can Quarantine or Remove with a High classification.
February 12th, 2015 3:26pm

So, to be clear, what AV software are the client PCs running?

Have you sent a copy of this malware to MS security to analyze?

Have you opened a support case with MS security on this? If not, why not?

How is the malware bypassing the quarantine or removal?

February 12th, 2015 5:45pm

This topic is archived. No further replies will be accepted.
