LabTech Support Forums

Monitor for file changes? (Ransomware)

Postby josh.stevenson.your-itdepartment » Thu Jun 08, 2017 9:39 am

In light of the recent outbreak of ransomware...
Are there any Monitors in Automate, or any way to create one, that would keep track of document changes being made on each machine?
Specifically, document name changes?

You can use Microsoft File Server Resource Manager's File Screening Manager to do this from a server. The idea behind this is that the File Screening Manager will check the name of each file that is changed and match it against an XML file (that you have previously populated with a list of known ransomware extensions such as *.locker or *.crypto). If the service sees any of these extensions it will execute a command, which would be something along the lines of shutting the host machine down to prevent it spreading and then emailing support to let them know.

The trouble with this is that it will only keep track of changes made to files that are stored on network shares, and not locally on machines.

If there is any monitor that can do something similar to this, triggering a set of custom commands when it finds any of these extensions, that would be an absolute godsend.
josh.stevenson.your-itdepartment
Newbie
Posts: 2
Joined: Thu Jun 08, 2017 9:29 am

Re: Monitor for file changes? (Ransomware)

Postby teamits » Thu Jun 08, 2017 11:07 am

To have a monitor do it you'd have to store the filenames in the database.

Perhaps a script that runs "dir /s" and pipes to findstr, which can look for multiple strings? Then compare the output to blank?
Steve
teamits
Hero Member
Posts: 1567
Joined: Wed Dec 31, 1969 8:00 pm

Re: Monitor for file changes? (Ransomware)

Postby josh.stevenson.your-itdepartment » Thu Jun 08, 2017 12:26 pm

Yeah, I thought about something like that, Steve.

I've only tried with a PowerShell command at the minute, which may be horrendously unoptimized.
(I ran it on my machine and it took 98 seconds and consumed 30% CPU.)

Code:
# Recurse from the root of C:, keeping only files whose names match one of the
# wildcard patterns read from the list; suppress access-denied errors.
Get-ChildItem c:\* -Include (Get-Content C:\Tools\test.txt) -Recurse -EA SilentlyContinue


This will search every directory in C:\ for any extensions listed in C:\Tools\test.txt. -EA SilentlyContinue prevents any error messages from showing up, like "Access denied to C:\Windows\WinSxs\example\..".

(test.txt contents are just extensions on new lines, e.g. *.locky, *.crypto, etc.)

The plan was to wrap that in a function that returns "true" if anything is found, and then have a monitor that checks the result of that executable. Having 30% CPU usage and a 98 second run time, however, is not fantastic!
There must be a better way. Perhaps dir /s is less intensive.
josh.stevenson.your-itdepartment
Newbie
Posts: 2
Joined: Thu Jun 08, 2017 9:29 am
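As an added example that is not from this thread and not part of Automate, the script below takes the approach the posts circle around (a list of known ransomware extensions in C:\Tools\test.txt, a function that emits "true" or "false" for a monitor to check) and shows two cheaper ways to get the answer than a full -Include walk: a scan that stops at the first matching file, and a FileSystemWatcher that reacts to creates and renames on the local disk the way the FSRM file screen does on a share. The paths C:\Tools\test.txt and C:\Tools\ransomware-hits.log, the C:\Users watch root and the function names are all assumptions for the example.

```powershell
# Added example, not code from the original thread. Assumed layout:
#   C:\Tools\test.txt            one wildcard per line, e.g. *.locky, *.crypto
#   C:\Tools\ransomware-hits.log where the watcher records matches
# Tested shape for Windows PowerShell 5.1; no Automate-specific calls are used.

function Get-BadExtensionSet {
    param([string]$ListPath = 'C:\Tools\test.txt')
    # Turn "*.locky" into ".locky" and keep it in a case-insensitive set, so each
    # file costs one hash lookup instead of one wildcard comparison per pattern.
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in Get-Content -Path $ListPath) {
        $ext = $line.Trim().TrimStart('*')
        if ($ext) { [void]$set.Add($ext) }
    }
    return $set
}

function Test-RansomwareExtensions {
    # Scan mode: walk the tree once and stop at the first hit. Select-Object
    # -First 1 ends the pipeline early, so an infected disk answers quickly;
    # a clean disk still has to be walked completely.
    param(
        [string]$Root = 'C:\',
        [string]$ListPath = 'C:\Tools\test.txt'
    )
    $bad = Get-BadExtensionSet -ListPath $ListPath
    $hit = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $bad.Contains($_.Extension) } |
        Select-Object -First 1
    # Single-word output that a monitor can compare against.
    if ($hit) { Write-Output 'true' } else { Write-Output 'false' }
}

function Start-RansomwareExtensionWatch {
    # Event mode: instead of rescanning, let the file system report each
    # create or rename and check only that one name. This is the local-disk
    # counterpart of the FSRM file screen described earlier in the thread.
    param(
        [string]$Root = 'C:\Users',
        [string]$ListPath = 'C:\Tools\test.txt',
        [string]$LogPath = 'C:\Tools\ransomware-hits.log'
    )
    $bad = Get-BadExtensionSet -ListPath $ListPath
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = $Root
    $watcher.IncludeSubdirectories = $true
    $watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
    $watcher.EnableRaisingEvents = $true

    # Runs once per Created/Renamed event; the extension set and log path are
    # passed in via -MessageData so the action block does not rely on scope.
    $action = {
        $path = $Event.SourceEventArgs.FullPath
        $ext  = [System.IO.Path]::GetExtension($path)
        if ($Event.MessageData.Bad.Contains($ext)) {
            $line = "{0}`t{1}`t{2}" -f (Get-Date -Format o),
                                       $Event.SourceEventArgs.ChangeType, $path
            Add-Content -Path $Event.MessageData.Log -Value $line
            # Any response (alert e-mail, isolating the host) would be triggered here.
        }
    }
    $data = @{ Bad = $bad; Log = $LogPath }
    Register-ObjectEvent -InputObject $watcher -EventName Created -Action $action -MessageData $data | Out-Null
    Register-ObjectEvent -InputObject $watcher -EventName Renamed -Action $action -MessageData $data | Out-Null
    return $watcher
}

function Test-RansomwareHitsLogged {
    # Cheap monitor check to pair with the watcher: "true" once anything has
    # been logged, so the monitor never needs to touch the disk itself.
    param([string]$LogPath = 'C:\Tools\ransomware-hits.log')
    if ((Test-Path $LogPath) -and (Get-Content $LogPath | Measure-Object).Count -gt 0) {
        Write-Output 'true'
    } else {
        Write-Output 'false'
    }
}

# Usage: a monitor that runs a script and reads its output can call either
#   Test-RansomwareExtensions            (one-off scan, returns true/false)
#   Test-RansomwareHitsLogged            (reads what the watcher recorded)
# Start-RansomwareExtensionWatch must run in a process that stays alive, since
# the event subscriptions belong to that PowerShell session.
```

The scan function still walks every directory on a clean machine, so it mainly wins when something is found; the watcher is the version that removes the recurring CPU cost, at the price of needing a long-running host process and a log file the monitor can read. Extension matching of either kind only catches families that rename their output, which is the same limitation the FSRM file screen has.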
