The Find Encrypted Data script requires the user to provide the Malware Detection Event ID to investigate.
The following PowerShell script can be used to output a list of recent Malware Events:
With the Event ID to be investigated now identified, pass that GUID to the find-encrypted-data.ps1 script:
The find-encrypted-data.ps1 script will create a subfolder named "output" and write the results CSV file into that folder.
Example: {b20c3fe9-927c-4aca-b4f4-d93b1ecdab9b}_Volume0_result.csv
Open the CSV file in a spreadsheet editor or plain text editor and review the results.
As this tool only checks for encryption within the first MB of a file, false positives may occur, and a manual review by an administrator is necessary to determine whether a file has been impacted by malware/ransomware.
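To support that manual review, the following added example (not part of find-encrypted-data.ps1 and not vendor code) measures the byte entropy of a flagged file's first 1 MB and checks for well-known file signatures. The function name `Get-HeadEntropy`, the use of entropy as an indicator, and the sample path are assumptions made for illustration.

```powershell
# Added example: a manual-review aid, not part of find-encrypted-data.ps1.
# Assumption: byte entropy of the first 1 MB is used as a rough encryption
# indicator; the tool's real detection logic is not described on this page.
function Get-HeadEntropy {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxBytes = 1MB
    )
    # .NET resolves relative paths against the process directory, so resolve first.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $buffer = New-Object byte[] $MaxBytes
    $total = 0
    $stream = [System.IO.File]::OpenRead($full)
    try {
        # Read() may return fewer bytes than requested; loop until full or EOF.
        while ($total -lt $MaxBytes) {
            $n = $stream.Read($buffer, $total, $MaxBytes - $total)
            if ($n -le 0) { break }
            $total += $n
        }
    } finally { $stream.Dispose() }

    # Shannon entropy in bits per byte (0 = constant data, 8 = uniformly random).
    $counts = New-Object long[] 256
    for ($i = 0; $i -lt $total; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = [double]$c / $total
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }

    # Well-known signatures of formats that are high-entropy by design.
    $signatures = [ordered]@{
        '50-4B-03-04' = 'ZIP / Office Open XML'; '1F-8B' = 'gzip'
        '37-7A-BC-AF-27-1C' = '7-Zip'; 'FF-D8-FF' = 'JPEG'
        '89-50-4E-47' = 'PNG'; '25-50-44-46' = 'PDF'
    }
    $head = if ($total) { [BitConverter]::ToString($buffer, 0, [Math]::Min(8, $total)) } else { '' }
    $format = $null
    foreach ($s in $signatures.GetEnumerator()) {
        if ($head.StartsWith($s.Key)) { $format = $s.Value; break }
    }
    [pscustomobject]@{
        Path = $full; BytesRead = $total
        Entropy = [Math]::Round($entropy, 3); KnownFormat = $format
    }
}
# Get-HeadEntropy -Path 'D:\restore\flagged-file.docx'   # constructed path
```

A file with entropy close to 8 and a recognized `KnownFormat` is compressed by design and is a common source of false positives; a file with similar entropy and no recognized signature deserves closer inspection.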