I'm working on an incident where a TeslaCrypt infection was apparently recognized, but was not quarantined and did not generate an alert. I need to answer as to why these did not
trigger. My guess is that it is because EndPoint's default action for the Low level is set to Allow and the signature match: subtype=Lowfi (as seen in the log snippet pasted below). That's the best correlation I can come up with, but I'd like
that verified or corrected. Also, does "Lowfi" correspond to the severity level of the signature and/or the confidence level of the detection?
I notice the term "lowfi" in many MPLog files when I'm investigating incidents. (I'm referring to the MPLog files within %ProgramData%\Microsoft\Microsoft Antimalware\Support\.) Here's an MPLog snippet from the incident I'm investigating.
Thanks in advance for any help you can provide.
Internal signature match:subtype=Lowfi, sigseq=0x80082278B8475656, signame=Ransom:Win32/Tescrypt.A, resource="process://D:\Users\[user]\AppData\Local\osranlh.exe"
Begin Resource Scan
Scan ID:{C4A03E77-A0A7-4C35-98D8-20EDFF82C906}
Scan Source:7
Start Time:05-11-2015 15:25:39
End Time:05-11-2015 15:26:41
Explicit resource to scan
Resource Schema:queryfileprocessrtsig
Resource Path:pid:22192
Result Count:2
Unknown File Identifier:1744372094352752638
Number of Resources:1
Resource Schema:queryfileprocessrtsig
Resource Path:pid:22192
Extended Info:9225661738551563862
Unknown File Identifier:8917550202655604734
Number of Resources:2
Resource Schema:process
Resource Path:pid:22192
Extended Info:0
Resource Schema:file
Resource Path:D:\Users\[user]\AppData\Local\osranlh.exe
Extended Info:0
End Scan
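When triaging MPLog files like the one above, it helps to pull the "Internal signature match" lines out programmatically and list the ones with subtype=Lowfi so they can be cross-checked against the product's alert and quarantine records. The following is an added example, not code from the poster or from Microsoft; the log text is a constructed sample modelled on the snippet in the post, and the field names it parses (subtype, sigseq, signame, resource) are exactly those visible there.

```python
import re

# Constructed sample, modelled on the MPLog snippet quoted in the post above.
# Backslashes are doubled so Python does not treat "\U" as an escape.
SAMPLE_MPLOG = (
    'Internal signature match:subtype=Lowfi, sigseq=0x80082278B8475656, '
    'signame=Ransom:Win32/Tescrypt.A, '
    'resource="process://D:\\Users\\[user]\\AppData\\Local\\osranlh.exe"\n'
    'Begin Resource Scan\n'
    'Scan ID:{C4A03E77-A0A7-4C35-98D8-20EDFF82C906}\n'
    'Scan Source:7\n'
    'End Scan\n'
)

# One regex per signature-match line; the resource is quoted and may contain
# spaces or colons, so it is captured up to the closing quote.
SIG_MATCH = re.compile(
    r'Internal signature match:'
    r'subtype=(?P<subtype>\w+),\s*'
    r'sigseq=(?P<sigseq>0x[0-9A-Fa-f]+),\s*'
    r'signame=(?P<signame>[^,]+),\s*'
    r'resource="(?P<resource>[^"]*)"'
)


def parse_signature_matches(log_text):
    """Return one dict per 'Internal signature match' line in the log text."""
    records = []
    for line in log_text.splitlines():
        m = SIG_MATCH.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # Split "process://D:\..." into the scheme and the on-disk path.
        scheme, _, path = rec["resource"].partition("://")
        rec["resource_scheme"] = scheme
        rec["resource_path"] = path
        records.append(rec)
    return records


def lowfi_matches(records):
    """Filter to subtype=Lowfi matches, the ones to reconcile with alert records."""
    return [r for r in records if r["subtype"].lower() == "lowfi"]


if __name__ == "__main__":
    for rec in lowfi_matches(parse_signature_matches(SAMPLE_MPLOG)):
        print(rec["signame"], rec["sigseq"], rec["resource_path"])
```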