nexxai / cryptoblocker Goto Github PK

seen a Strange bug on some servers.
no way to download the extensions list.
The problem was from Internet explorer that was never launch before.
The first time You launch Internet explorer You are asked to choose the default parameters You want to use.
The cmdlet Invoke-WebRequest seems to use Internet Explorer because after launching one time IE, the problem was solved.
I did this on almost 3 different servers (2012R2 and 2016).

Not sure if it's clear :-)

I have an issue on a server 2008 R2.
I got a 403 forbidden when I try to download the newest list of extensions.
when on IE or firefox on this server I go to https://fsrm.experiant.ca/api/v1/get , I reach a web page asking me for a ReCAPTCHA.
The problem is tthat on other servers even in 2008 R2, I had no problem.

Rechapta on https://fsrm.experiant.ca/ doesn't work anymore with newest Firefox ESR 52.6.0 - it just displays the following (all ad-Blockers are disabled):

https://support.google.com/recaptcha#6262736
https://support.google.com/recaptcha#6223828

Führen Sie ein Upgrade auf einen unterstützten Browser aus, um eine reCAPTCHA-Aufgabe zu erhalten.

Wenn Sie meinen, dass diese Seite fälschlicherweise angezeigt wird, überprüfen Sie bitte Ihre Internetverbindung und laden Sie die Seite neu.

Warum gerade ich?

This way I sadly can't support you anymore.

Hi,

I've been receiving notification emails this morning (GMT) that some files have been blocked. Looking at the notification the FSRM CrytoBlocker is blocking common and fine extensions including txt and JPEG.

I'm not the only person with the issue - reddit thread: https://www.reddit.com/r/sysadmin/comments/9m2nbb/issues_with_fsrm_cryptolocker_file_screen_from

Example of the notification I'm getting right now:

User NT AUTHORITY\SYSTEM attempted to save C:\Windows\Temp\Sophos Anti-Virus Install Log_181007_080552.txt to C:\Windows on the $server server. This file is in the "CryptoBlockerGroup1" file group, which is not permitted on the server.

Can you help?!

Cheers

Let me be one of many whom are so thankful for hosting the list, api and providing this excellent script.

I think i found a bug , or it is I doing something wrong but. i added a File screen exception for a quickbooks directory that stores auto backup files as .adr
Set allow cryptoblocker group 1 to the exception. after the script runs, the group becomes unchecked. Is there a way to adjust the script to not uncheck the groups in the exception list ?

Thank you for all you have done.

Hello, I'm attempting to automate the update of the filescreens by calling the script which works great. Though, the admin email field on each individual file screen gets wiped out and I have to go into each file screen on each server to re-configure. It would be great if we could do something about this, either supply the email address or prevent it from getting rewritten. Perhaps this already exists but I can't find t he documentation. Thank you.

Is it possible to implement a list of directories to be excluded from the CryptoBlocker screening? I have software such as Trend that seems to use multiple detected file type exceptions in it's own folders. I'd rather except the C:\Program Files\Trend directory from the screen then remove a number of monitored extensions using the skiplist.txt file.

When run as a scheduled task, the script does not make use of the location it's being run from, so it cannot find .\SkipList.txt
It defaults to running from C:\Windows\System32 and thus makes a SkipList.txt in that directory instead.

Obvious workaround is to specifically tell Task Scheduler to use the Start in location.

However, could use something like this at line 209:

$invLoc = Split-Path -parent $PSCommandPath
If (Test-Path $invLoc\SkipList.txt)
{
    $Exclusions = Get-Content $invLoc\SkipList.txt | ForEach-Object { $_.Trim() }
    $monitoredExtensions = $monitoredExtensions | Where-Object { $Exclusions -notcontains $_ }

}

Hi,

The rule is too broad an matches words like door and poor.
Using https://github.com/quickreflex/ransomware-samba-ban as client.

I am testing the script on our file server in a SRM test failover, so no internet to grab the file. So I downloaded the file and installed XAMPP to run local web server and tweak the script to get the file locally, but when I run it I am getting Could not load file or assembley 'System.Web.Extentions.... FilenotfoundException
I checked the logs and the path to the get file and its being read OK, but its not finding it further on in the script. Have you come across this before?

Ideally want to test the script before applying on live production file server.

Thanks

Is there somehow an option to add in an second api source ? This would be nice since we can then host our own api list besides your api list. This way we can block faster and more specific file extensions.

I already tried to edit an version of the script witch calls upon an diffrent API and ads an diffrent filegroup to the default file template. The problem is somehow the last active script running is the active file group. So when we run our version of the script, our file group is active in the default template. When we run your version of the script your file groups are active in the template. If you could help me resolve this issue then a second api source would not be needed.

One of my customers got hit with "..rtf" extension. It also wrote a text file called "Your files HERE.txt" Can this be added to the FSRM filter list?

Regards,
Roy

Hi,

Love the script. Have used it for many clients already but this is the first time I have come across this issue. FSRM is installed already and when the script gets to Checking FSRM it fails then does not continue unlike before.

Any advise why the script would fall over if it does detect FSRM already installed?

Hi Guys,

Great work.

Just a question - Could you please tell me the powershell command to update the file groups on Server 2008. At the moment i'm using the old "deploy..." from a few months back and it gives me groups 1,4,5 and 6. However, If i test by renaming something to .wallet it isnt working.

Why is it needed to now a e-mailAdress at submission, where even the placeholder still says "optional"?
I gladly help adding to this list and URL wehre to find makes sense, but why do you need the mail adress. Having to fill in Fake-Adresses otherwise.

Email Address

If I use the form without email address, i am given: "The email address must be a valid email address."

I use the SkipList to exclude some files extension (.enc), and IncludeList to add other file extension (.pst, .exe).
Now I want to add a Filename in SkipList (TeamViewerQS*.exe).
But it doesn't work.
2 possible explanations:
either Filename exclusion doesn't work (only file extension work)
or as *.exe is in IncludeList, it doesn't read the Filename with an exe in SkipList.

How can I Skip a Filename instead of an file extension?

Thanks

Please remove the *.DG extension from your list. That extension is used by Tekla Software.

Thnks.
Eduardo

I've an issue with "*.one" filter, actually this extension is used by onenote as well

I'm using the DeployCryptoBlocker.ps1 on a Win2008 server and I'm new to PowerShell.

Line 143 of the script begins

If

 (Test-Path .\SkipList.txt)
{
    $Exclusions = Get-Content .\SkipList.txt | ForEach-Object { $_.Trim() }
    $monitoredExtensions = $monitoredExtensions | Where-Object { $Exclusions -notcontains $_ }

}
Else 
{
    $emptyFile = @'
#
# Add one filescreen per line that you want to ignore
#
# For example, if *.doc files are being blocked by the list but you want 
# to allow them, simply add a new line in this file that exactly matches 
# the filescreen:
#
# *.doc
#
# The script will check this file every time it runs and remove these 
# entries before applying the list to your FSRM implementation.
#
'@
    Set-Content -Path .\SkipList.txt -Value $emptyFile
}

I want to add the exclusion in here, and not in the skiplist.txt Where exactly does the extension go? I tried outside the @ symbol but that did not work:

Else 
{
    $emptyFile = 
*.adr
     @'
#

I was running this script all morning and tweaking it. I got it to work wonderfully on Server 2012 R2.
I let it sit for a few hours and update in the background.

Now when it run both the default script and my modified one it fails to create CryptoBlockerGroup3, the Template, and the file Screens.
It stops after:
Add new file groups.

The syntax of this command is:

Filescrn Filegroup Add /Filegroup:FG_NAME /Members:"MEMBERS"
[/Nonmembers:"NONMEMBERS"] [/Remote:MACHINE]

/Filegroup:FG_NAME Add file group with name FG_NAME.

/Members:"MEMBERS" Configure file group member patterns. MEMBERS is
a list of file name patterns separated by '|'.

/Nonmembers:"NONMEMBERS" Configure file group non-member patterns.
NONMEMBERS is a list of file name patterns
separated by '|'.

/Remote:MACHINE Perform the operation on machine MACHINE.

Example:
Filescrn Filegroup Add /Filegroup:"Log Files" /Members:".log|.history"

Hi everyone,
Maybe someone can help me with my issue.
We already implemented the RANSOM-Ware script on our Fileservers.
Now we have implemented the script where certain drives should be excluded. The script look like this one:
$DriveExclusions = "C:"
$drivesContainingShares = $drivesContainingShares | Where-Object { $DriveExclusions -notcontains $_

Now I would like to implement a Folder exclusion.
For example: V:\APPLICATIONS\Test
Which means that this Folder is excluded from the protection.

Does anyone know how to implement this?
Thanks for any answer
Regards
Andre

Hi,

I could not see if this has been answered anywhere but FSRM is passive on C:, C:\Windows\system. We are monitoring Event Viewer for 8215 errors to create alerts through Automate. We get alerts for C:\Windows\WinSxS\Temp\PendingDeletes\a9eb206dedf6d2017c0400006882a480.icrav03.rat. Wanted to Exception this folder or c:\windows\winsxs\temp\ from any monitoring. Please let me know how anyone has done this

Hi everyone,
I just find your CryptoBlocker PS, and it's a great job. Very useful for our w2012 files server.

But I have a little problem .
If I want to add a personal Parameters (block all *.PST by example) on a Directory that already be use by CryptoBlokerGroupXX, it will be desactivate on next CryptoBloker update :(

I try also to modify the template to add my rule, but also desactivate after an update :(

How can I solve my problem?
Do I have to modify something in the Script?

Thanks

Luc

I have figured out that your "SkipList.txt" is just excluding those extensions from being added into the "Include Files" list.
I am new to Powershell and am wondering if there is a way to take the $Exclusions from the script and set it as the "Exclude Files" list for each group?

I would like to see some sort of includelist.txt functionality, similar to skiplist.txt, but a list of files to screen while waiting on file extension submission to be approved.

For example, a nearby county government system was hit today by a LockCrypt variant. In researching what happened, the .lock extension was brought to my attention by this link:

https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-crew-started-via-satan-raas-now-deploying-their-own-strain/

I have submitted the extension via https://fsrm.experiant.ca/, but while waiting for them to approve it, I would like to add it to an include list and re-run my script across all of our servers through our MSP software so that I get the protection immediately instead of waiting for a day or two.

Thank you for your consideration.

Mark

Hi all,

I've noticed recently that the automated script that creates the FSRM rules has stopped working correctly.

Reading through the script, I can see that it pulls the list of extensions etc and breaks them up into groups named CryptoBlockerGroup#. It then deletes existing FSRM file groups and recreates them.

This has worked for months without problem. However I'm now seeing that the script doesn't create CryptoBlockerGroup2 or recreate the file screens. It does create CryptoBlcokerGroup 1,3,4 and 5.

I've outputed the results of the powershell script to a log file and when it's trying to create CryptoBlockerGroup2 see the error :

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality.

The requested object was not found.

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality.
The parameter is incorrect.

Add new file groups.
The syntax of this command is:
Filescrn Filegroup Add /Filegroup

I'm also seeing the follow error when it tries to create the file screen:

The requested object was not found.
Adding/replacing File Screens..
Adding/replacing File Screen for [F:] with Source Template [CryptoBlockerTemplate]..

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality.
The requested object was not found.

Sometime last week, I was alerted that files were being blocked from writing to disk even though they were acceptable files (even 'New Text Document.txt' was failing).

Checking the FSRM gui, I noticed that the CryptoBlockerGroupX count had skyrocketed to over 500 (from 6). Looking into the newly created groups, I found that they were only populated with 2 items, BTC_DECRYPT_FILES.txt and zzzzzzzzzzzzzzzzzyyy.

This may be related to the huge jump in groups but I also found an excluded item named *.??? and *.???? in the CryptoBlockerGroup1 which was preventing files to be written to disk. I was able to confirm that once the *.??? and *.???? was removed, the server returned to normal functions.

Has anyone seen something similar to this? At first, I thought it might have been a new
language/character in the extensions list but I was not able to reproduce it. Running the update now works just as great as it has the past year.

Hello,

Thank you for the work and time you've put into this script!

This is probably an easy question for you.

What dependency am I missing if I get the following error on one of my 2008 R2 machines?

Add-Type : The file or assembly "System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad3
64e35" or a dependency could not be found. The system can't find the file.
Bei C:\Scripte\DeployCryptoBlocker.ps1:13 Zeichen:13

This function is used in the ConvertFrom-JSON20 function.

Thank you very much in advance!

In my environment I run a separate script when the filter is tripped, would it be possible to not overwrite or add modifications of these fields in the script?

Error when sending in online form:

https://fsrm.experiant.ca/filter/store

TokenMismatchException in VerifyCsrfToken.php line 67:

in VerifyCsrfToken.php line 67
at VerifyCsrfToken->handle(object(Request), object(Closure))
at call_user_func_array(array(object(VerifyCsrfToken), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request)) in ShareErrorsFromSession.php line 49
at ShareErrorsFromSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(ShareErrorsFromSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request)) in StartSession.php line 64
at StartSession->handle(object(Request), object(Closure))
at call_user_func_array(array(object(StartSession), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request)) in AddQueuedCookiesToResponse.php line 37
at AddQueuedCookiesToResponse->handle(object(Request), object(Closure))
at call_user_func_array(array(object(AddQueuedCookiesToResponse), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request)) in EncryptCookies.php line 59
at EncryptCookies->handle(object(Request), object(Closure))
at call_user_func_array(array(object(EncryptCookies), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request)) in CheckForMaintenanceMode.php line 44
at CheckForMaintenanceMode->handle(object(Request), object(Closure))
at call_user_func_array(array(object(CheckForMaintenanceMode), 'handle'), array(object(Request), object(Closure))) in Pipeline.php line 136
at Pipeline->Illuminate\Pipeline\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 32
at Pipeline->Illuminate\Routing\{closure}(object(Request))
at call_user_func(object(Closure), object(Request)) in Pipeline.php line 102
at Pipeline->then(object(Closure)) in Kernel.php line 132
at Kernel->sendRequestThroughRouter(object(Request)) in Kernel.php line 99
at Kernel->handle(object(Request)) in index.php line 53

This is just to notify you that as of today, all of my definition updates are failing. I am getting the following output when I run the script.

Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (500) Internal Server Er
ror."
At line:1 char:37

• $jsonStr = $webClient.DownloadString <<<< ("https://fsrm.experiant.ca/api/v1/get")
  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : DotNetMethodException

hello guys,

based on the experiant.ca extension list I did my own script. really complete with inclusions or exclusions of shares, extensions.
Work like a charm on our 200 Windows servers 2008 to 2016
https://github.com/davidande/FSRM-ANTICRYPTO

code needs maybe to be cleaned but works and protects.
Come and help if You want :-)
Dav

Hi there,

First of all, I just wanted to say this is an awesome tool you guys have put together, and is very handy, seeming to work very well.

My question is, is there any way to run CryptoBlocker against a Fileshare cluster? Everything seems to be based around the server it is run on. While I could run it manually and then copy the config, if I can target a "hostname" as part of the script, I can then schedule it to automatically push updates.

I have a current script that updates countless servers from the raw list as follows.

set-FsrmFileGroup -name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined" -UseBasicParsing).content | convertfrom-json | % {$_.filters})

Today, we experienced issues with every server (Windows Server 2008, 2012, and 2016) not allowing any new or saved documents within the folders being monitored by FSRM. Would anyone have insight into what new extensions were added in the Oct 6th update or what extension is the list might have caused this issue? I have not been able to trace the specific entry as of yet and continue to comb through them. Any advice is greatly appreciated as this has been operating as intended for years until this weekend.

Anyone else had issues when adding file extensions not pulled from the API, i.e. *.doc?

For example I've noticed *.one has been added (OneNote) which I've added to the list but it only excludes from FileGroup2 if the other extensions in SkipList that do not exist in the list of extensions pulled from the API have been removed, for example I've added *.doc, *.iso etc. to SkipList and it doesn't work with these extensions exist in SkipList.

Cheers,

Found that I had to change the limit in

if (($LengthOfStringsInWorkingArray + 1 + $_.Length) -gt 4096

to 4095. At 4096, a file group with exactly 4096 characters wouldn't be created. The template creation would then fail, as would the file screen itself.

We have found your script and think thats it's abolsultely brilliant. I have tested it and was hoping to make an amendment to point it to a local drive, but as I have basically no powershell skills I thought I would ask if you knew how to make the adjustment to point to a filepath.

Good afternoon all,

i've been deploying the FSRM to my customer servers.

One of my customers have recently been hit with Ransomware and the files have been encrypted and appended with [[email protected]].0oxr4

I looked in this list https://fsrm.experiant.ca/api/v1/get and it is not there.

Do you know who I need to contact to get this in?

thanks,

K

Hi,

Every now and then, CryptoBlocker is blocking some files which belong to our legimate Deltacopy backup process. An example is this:
User NT AUTHORITY\SYSTEM attempted to save Q:\xxxx\xxxx\xxxx\xxxx\xxxx\.354.index.423.nDDEXx to Q:\ on the xxxx server. This file is in the "CryptoBlockerGroup1" file group, which is not permitted on the server.
What exactly is causing CryptoBlocker to block this? Because unless I'm overlooking something, I couldn't find any part of .354.index.423.nDDEXx in the block list (unless it does partial matches?).

I'm trying to use the script on our 2012 R2 file server to setup FSRM however im receiving the following error when it tries to download via the API:

`Exception calling "DownloadString" with "1" argument(s): "The request was aborted: Could not create SSL/TLS secure
channel."
At C:\Scripts\DeployCryptoBlocker.ps1:205 char:1

• $jsonStr = $webClient.DownloadString("https://fsrm.experiant.ca/api/v1/get")

•   + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException`
  
  

Google suggested adding the following line into the script to force powershell to allow TLS 1.2 connections however I've not had any luck getting it working:

[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls","Ssl3")

*.one is included in the list of extensions. This is the extension used by Microsoft OneNote.

Unable to add *.cry to the SkipList.

All other extensions works OK with SkipList.

Please support windows server 2016

Today I had the problem that one of my servers running this script went out of memory. While diagnosing this problem I noticed that some powershell command were eating a lot of memory.
Further diagnostics led to the get-eventlog command that was used by the deny script.

I then went to google and optimized the command to run in a fraction of a second. Here is what my deny script now uses to get the eventlog:

#define a new timespand for the Get-Date commandlet
$ts = New-TimeSpan -Minutes 5

#create a date-time object for later use
$EventDate = (Get-Date) - $ts

#Looks in event log for the custom event message generated by the file screen audit. Input's username of the offender into a variable.
$RansomwareEvents = Get-Winevent -FilterHashtable @{LogName = "Application"; ID = "8215"; StartTime = $EventDate} -MaxEvents 10

This way only the necessary parts of the eventlog are loaded and the script executes much faster.
I tried this on a Windows server 2012.

Hello,

Since two days ago, the script seems to delete all file screens in FSRM. This was tested with 6 different clients. I've tried redownloading the script, but it does the same thing.

Extention: *.??? and *.???? blocks any.txt and any.docx

I think that FSRM read "?" like any one char, not question mark.

Hi, just wondering if anybody has managed to modify commands with this script for File Screens.
We like to put in the following powershell command to block the user account access to the shares to try and prevent that account from causing more harm on the network:

_Run this command or script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

-ExecutionPolicy Unrestricted -NoLogo -Command "& { Get-SmbShare -Special $false | ForEach-Object { Block-SmbShareAccess -Name $.Name -AccountName '[Source Io Owner]' -Force } }"

of course asking a powershell script to enter another script in plain text is a little janky so if there are any better suggestions i am all ears.
I love how quickly it sets everything up though =)

I have the scripts running on our servers on a daily basis. Just curious if I am putting too much trust into this system's protection from attack. e.g. Could someone insert code into the extension list that is automatically downloaded and hijack the script, similar to a SQL injection attack?

Thanks,
Mark

Hello,
If an error occurs during the download of extension list or in the listing of shares, it should be a good thing to stop the execution of the script.
this way it avoid the deleting and creating process of all FSRM files group, screen template with empty things.
there is the trap command in Powershell but don't know really how to make it work

Hi,
I have a server with a share on the C drive.
The script generates everything but is not able to set active screening on the C drive.
This is normal behaviour for windows. It is possible to put active screening on subfolders of the C drive.
So maybe you could retrieve the shares with Get-SMBShare and put the active screening on the folders that are actually shared?