Internal signature match:subtype=Lowfi

I'm working an incident where TeslaCrypt infection was apparently recognized, but was not quarantined and did not generate an alert.  I need to answer as to why these did not trigger.  My guess is that it is because EndPoint's default action for the Low level is set to Allow and the signature match:subtype=Lowfi (as seen in the log snippet pasted below).  That's the best correlation I can come up with, but I'd like to be verified or corrected.  Also, does "Lowfi" correspond to the severity level of the signature and/or the confidence level of the detection?  

I notice the term "lowfi" in many MPLog files when I'm investigating incidents. (I'm referring to the MPLog files within %ProgramData%\Microsoft\Microsoft Antimalware\Support\.)  Here's an MPLog snippet from the incident I'm investigating.

Thanks in advance for any help you can provide.

Internal signature match:subtype=Lowfi, sigseq=0x80082278B8475656, signame=Ransom:Win32/Tescrypt.A, resource="process://D:\Users\[user]\AppData\Local\osranlh.exe"
Begin Resource Scan
Scan ID:{C4A03E77-A0A7-4C35-98D8-20EDFF82C906}
Scan Source:7
Start Time:05-11-2015 15:25:39
End Time:05-11-2015 15:26:41
Explicit resource to scan
Resource Schema:queryfileprocessrtsig
Resource Path:pid:22192
Result Count:2
Unknown File
Identifier:1744372094352752638
Number of Resources:1
Resource Schema:queryfileprocessrtsig
Resource Path:pid:22192
Extended Info:9225661738551563862
Unknown File
Identifier:8917550202655604734
Number of Resources:2
Resource Schema:process
Resource Path:pid:22192
Extended Info:0
Resource Schema:file
Resource Path:D:\Users\[user]\AppData\Local\osranlh.exe
Extended Info:0
End Scan

May 15th, 2015 10:25am
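As an added example (not part of the thread), a small Python triage script that parses MPLog lines in the layout quoted above, pulls the subtype/sigseq/signame/resource fields out of each "Internal signature match:" entry, and pairs it with any "Begin Resource Scan ... End Scan" block that touched the same file. The "silent" flag encodes the question's hypothesis as an assumption, namely that a Lowfi match is handled by the policy's Low-level action; the second match line in the sample is constructed for illustration.

```python
import re

# Constructed sample MPLog excerpt in the layout quoted in the question: the thread's
# own match line and scan block, plus one made-up match line that no scan block covers.
SAMPLE_MPLOG = r"""
Internal signature match:subtype=Lowfi, sigseq=0x80082278B8475656, signame=Ransom:Win32/Tescrypt.A, resource="process://D:\Users\[user]\AppData\Local\osranlh.exe"
Begin Resource Scan
Scan ID:{C4A03E77-A0A7-4C35-98D8-20EDFF82C906}
Result Count:2
Resource Path:pid:22192
Resource Path:D:\Users\[user]\AppData\Local\osranlh.exe
End Scan
Internal signature match:subtype=Lowfi, sigseq=0x0000000000000000, signame=Trojan:Win32/ConstructedSample.A, resource="process://D:\Temp\constructed.exe"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')  # key=value pairs; value may be quoted

def parse_signature_matches(text):
    """Return a dict of fields for every 'Internal signature match:' line."""
    out = []
    for line in text.splitlines():
        if line.startswith('Internal signature match:'):
            fields = line.split(':', 1)[1]
            out.append({k: v.strip('"') for k, v in KV_RE.findall(fields)})
    return out

def parse_resource_scans(text):
    """Collect each Begin Resource Scan ... End Scan block: its Scan ID and paths."""
    scans, cur = [], None
    for line in text.splitlines():
        if line == 'Begin Resource Scan':
            cur = {'scan_id': None, 'paths': []}
        elif line == 'End Scan' and cur is not None:
            scans.append(cur); cur = None
        elif cur is not None:
            key, _, value = line.partition(':')  # 'Resource Path:pid:22192' -> 'pid:22192'
            if key == 'Scan ID': cur['scan_id'] = value
            elif key == 'Resource Path': cur['paths'].append(value)
    return scans

def triage(text, low_action='Allow'):
    """Pair each match with scans on the same file. ASSUMPTION (the question's
    hypothesis): a Lowfi match follows the Low action, so 'Allow' means no alert."""
    scans = parse_resource_scans(text)
    report = []
    for m in parse_signature_matches(text):
        path = m.get('resource', '').split('://', 1)[-1]  # drop the 'process://' scheme
        report.append({'signame': m.get('signame'), 'subtype': m.get('subtype'),
                       'scan_ids': [s['scan_id'] for s in scans if path in s['paths']],
                       'silent': m.get('subtype') == 'Lowfi' and low_action == 'Allow'})
    return report
```

Run it over a real MPLog to list every Lowfi match that has a scan block but no corresponding quarantine or alert, which is exactly the set the question needs to explain.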

Hi,

Please try to change the low level to quarantine, then check if the client generates an alert for TeslaCrypt.

Best Regards,

Joyce

May 18th, 2015 1:25am

Good idea, but I don't think I'll be able to pull it off (for more reasons than I can explain here).  But I'll try.  Thanks.
May 18th, 2015 3:59pm
