Tutorial CryptoLocker Defense for Sysadmins, Determining BaseLine

I am trying to follow the tutorial on defending against CryptoLocker. However, I fail miserably when trying to determine the baseline for your file changes. I was able to start the monitor, and event 12216 was eventually triggered, indicating that the scan was complete. But how do I determine the baseline, now? The tutorial does not mention this at all. I am not running the full version (yet), so I can't write to the database. Is it a certain event I have to look for? If so, which one?
Thanks very much for any help!
