CryptoLocker actions

  • 18 June 2015
  • 1 reply

I have evidence that Cryptolocker went live on a client because a shared network drive was littered with the Help_Decrypt files all of which carried the user's name. No problem, restored from backup. However on the client itself it appears that webroot did as advertised and cleared up the infection, quaranteened the offending dropper and restored all encrypted files.
Now onto the forensics of the event. Where can I see the logs that record exactly what happened and what actions were performed?

1 reply

Userlevel 7
Hello @,

Welcome to the Webroot Community!
Unfortunately there is not much information to be had in the logs as that is all proprietary and encrypted information.
You may be able to get a bit more information from our support team by creating a ticket at or giving them a call at 1-800-870-8102.

I hope this helps and please do not hesitate to ask if there is anything else I can do to assist.

Best Regards,

James G.

Webroot Community Support Team