kyhwana

Everything posted by kyhwana

  1. See http://imgur.com/a/b9oEa. Last image is after the reboot. Looks like it stops it from cryptolocking all the files at run time, but despite the popup, the UI doesn't show anything in quarantine. It also doesn't seem to remove the autorun registry entry, which I guess is why it can't stop cryptowall on a reboot after infection. The sample I used was this: https://malwr.com/analysis/MDQ2YjNhMmQzNTM3NGIyODk0MzRhZGYyMWViNTdkNWM/ / https://www.hybrid-analysis.com/sample/50b011838c687a7c1cd225c23522ee969596735248e040a6561d07533bd95dd6 It looks like a newer variant of cryptowall4? https://malwr.com/analysis/ZDhiNWYyMWFkMzhjNGE5YThiOWIwZWRkOTMyNmU4M2I/ is the bootup entry https://www.virustotal.com/en/file/50b011838c687a7c1cd225c23522ee969596735248e040a6561d07533bd95dd6/analysis/ I can provide the initial sample if needed. (This was run on an unpatched Windows 7 box running nothing but anti-RW)