CryptoBlocker
CryptoBlocker copied to clipboard
m-dwyer
Filescreen group is not created
The script fails when it has to create a filescreen group with the command: &filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"
I think this issue started showing recently, maybe because the list of extensions has become to large?
I have almost the same issue. Script runs fine, but when I run old version it creates File Screen and File Group. When I am running new one it removes old all rules and not creating anything new.
I've resolved the issue by making some changes in the code:
`
Function PurgeNonAdminDirectoryPermissions([string] $directory) { $acl = Get-Acl $directory
if ($acl.AreAccessRulesProtected)
{
$acl.Access | % { $acl.PurgeAccessRules($_.IdentityReference) }
}
else
{
$acl.SetAccessRuleProtection($true, $true)
}
$ar = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl","Allow")
$acl.AddAccessRule($ar)
$ar = $ar = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators","FullControl","Allow")
$acl.AddAccessRule($ar)
Set-Acl -AclObject $acl -Path $directory
}
function ConvertFrom-Json20([Object] $obj) { Add-Type -AssemblyName System.Web.Extensions $serializer = New-Object System.Web.Script.Serialization.JavaScriptSerializer return ,$serializer.DeserializeObject($obj) } ################################ Functions ################################
Add to all drives
$drivesContainingShares = Get-WmiObject Win32_Share | Select Name,Path,Type | Where-Object { $.Type -eq 0 } | Select -ExpandProperty Path | % { "$((Get-Item -ErrorAction SilentlyContinue $).Root)" } | Select -Unique if ($drivesContainingShares -eq $null -or $drivesContainingShares.Length -eq 0) { Write-Host "No drives containing shares were found. Exiting.." exit }
Write-Host "The following shares needing to be protected: $($drivesContainingShares -Join ",")"
$majorVer = [System.Environment]::OSVersion.Version.Major $minorVer = [System.Environment]::OSVersion.Version.Minor
Write-Host "Checking File Server Resource Manager.."
Import-Module ServerManager
if ($majorVer -ge 6) { $checkFSRM = Get-WindowsFeature -Name FS-Resource-Manager
if ($minorVer -ge 2 -and $checkFSRM.Installed -ne "True")
{
# Server 2012
Write-Host "FSRM not found.. Installing (2012).."
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
}
elseif ($minorVer -ge 1 -and $checkFSRM.Installed -ne "True")
{
# Server 2008 R2
Write-Host "FSRM not found.. Installing (2008 R2).."
Add-WindowsFeature FS-FileServer, FS-Resource-Manager
}
elseif ($checkFSRM.Installed -ne "True")
{
# Server 2008
Write-Host "FSRM not found.. Installing (2008).."
&servermanagercmd -Install FS-FileServer FS-Resource-Manager
}
} else { # Assume Server 2003 Write-Host "Other version of Windows detected! Quitting.." return }
$fileGroupName = "CryptoBlockerGroup" $fileTemplateName = "CryptoBlockerTemplate" $fileScreenName = "CryptoBlockerScreen"
$webClient = New-Object System.Net.WebClient $jsonStr = $webClient.DownloadString("https://fsrm.experiant.ca/api/v1/get")
Write-Host $jsonStr -BackgroundColor DarkGreen
$monitoredExtensions = @(ConvertFrom-Json20($jsonStr) | % { $_.filters })
$scriptFilename = "C:\FSRMScripts\KillUserSession.ps1" $batchFilename = "C:\FSRMScripts\KillUserSession.bat" $eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt" $cmdConfFilename = "$env:Temp\cryptoblocker-cmdnotify.txt"
$scriptConf = @' param([string] $DomainUser)
Function DenySharePermission ([string] $ShareName, [string] $DomainUser) { $domainUserSplit = $DomainUser.Split("")
$trusteeClass = [wmiclass] "ROOT\CIMV2:Win32_Trustee"
$trustee = $trusteeClass.CreateInstance()
$trustee.Domain = $domainUserSplit[0]
$trustee.Name = $domainUserSplit[1]
$aceClass = [wmiclass] "ROOT\CIMV2:Win32_ACE"
$ace = $aceClass.CreateInstance()
$ace.AccessMask = 2032127
$ace.AceType = 1
$ace.Trustee = $trustee
$shss = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$sd = Invoke-WmiMethod -InputObject $shss -Name GetSecurityDescriptor | Select -ExpandProperty Descriptor
$sclass = [wmiclass] "ROOT\CIMV2:Win32_SecurityDescriptor"
$newsd = $sclass.CreateInstance()
$newsd.ControlFlags = $sd.ControlFlags
foreach ($oace in $sd.DACL)
{
$newsd.DACL += [System.Management.ManagementBaseObject] $oace
}
$newsd.DACL += [System.Management.ManagementBaseObject] $ace
$share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$setResult = $share.SetSecurityDescriptor($newsd)
return $setResult.ReturnValue
}
Let's try altering share permissions..
$Username = $DomainUser.Split("")[1]
$affectedShares = Get-WmiObject -Class Win32_Share | Select Name, Path, Type | Where { $_.Type -eq 0 }
$affectedShares | % { Write-Host "Denying [$DomainUser] access to share [$($.Name)].." DenySharePermission -ShareName $.Name -DomainUser $DomainUser }
Write-Host $affectedShares '@
$batchConf = @" @echo off powershell.exe -ExecutionPolicy Bypass -File "$scriptFilename" -DomainUser %1 "@
$scriptDirectory = Split-Path -Parent $scriptFilename $batchDirectory = Split-Path -Parent $batchFilename
if (-not (Test-Path $scriptDirectory)) { Write-Host "Script directory [$scriptDirectory] not found. Creating.." New-Item -Path $scriptDirectory -ItemType Directory }
if (-not (Test-Path $batchDirectory)) { Write-Host "Batch directory [$batchDirectory] not found. Creating.." New-Item -Path $batchDirectory -ItemType Directory }
FSRM stipulates that the command directories/files can only be accessible by SYSTEM or Administrators
As a result, we lock down permissions for SYSTEM and local admin only
Write-Host "Purging Non-Admin NTFS permissions on script directory [$scriptDirectory].." PurgeNonAdminDirectoryPermissions($scriptDirectory) Write-Host "Purging Non-Admin NTFS permissions on batch directory [$batchDirectory].." PurgeNonAdminDirectoryPermissions($batchDirectory)
Write-Host "Writing defensive PowerShell script to location [$scriptFilename].." $scriptConf | Out-File -Encoding ASCII $scriptFilename Write-Host "Writing batch script launcher to location [$batchFilename].." $batchConf | Out-File -Encoding ASCII $batchFilename
$eventConf = @" Notification=E RunLimitInterval=0 EventType=Warning Message=User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server. An attempt has been made at blocking this user. "@
#$eventConf = New-FsrmAction -Type Email -RunLimitInterval 0 -EventType Warning #$cmdConf = New-FsrmAction -Type Command -RunLimitInterval 0 -Command $batchFilename -CommandParameters [Source Io Owner]
$cmdConf = @" Notification=C RunLimitInterval=0 Command=$batchFilename Arguments=[Source Io Owner] MonitorCommand=Enable Account=LocalSystem "@
Write-Host "Writing temporary FSRM Event Viewer configuration to location [$eventConfFilename].." $eventConf | Out-File $eventConfFilename Write-Host "Writing temporary FSRM Command configuration to location [$cmdConfFilename].." $cmdConf | Out-File $cmdConfFilename
Write-Host "Adding/replacing File Group [$fileGroupName] with monitored file [$($monitoredExtensions -Join ",")].."
Remove-FsrmFileGroup -Name $fileGroupName New-FsrmFileGroup -Name $fileGroupName -IncludePattern @($monitoredExtensions)
Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [$eventConfFilename] and Command Notification [$cmdConfFilename].." Remove-FsrmFileScreenTemplate $fileTemplateName
New-FsrmFileScreenTemplate -Name $fileTemplateName -IncludeGroup $fileGroupName -Notification
&filescrn.exe Template Add "/Template:$fileTemplateName" "/Add-Filegroup:$fileGroupName" "/Add-Notification:E,$eventConfFilename" "/Add-Notification:C,$cmdConfFilename" /Type:Passive
Write-Host "Adding/replacing File Screens.." $drivesContainingShares | % { Write-Host "`tAdding/replacing File Screen for [$_] with Source Template [$fileTemplateName].."
&filescrn.exe Screen Delete "/Path:$_" /Quiet
Write-Host filescrn.exe Screen Add "/Path:$_" "/SourceTemplate:$fileTemplateName"
&filescrn.exe Screen Add "/Path:$_" "/SourceTemplate:$fileTemplateName"
}
Write-Host "Removing temporary FSRM Event Viewer configuration file [$eventConfFilename].." Write-Host "Removing temporary FSRM Event Viewer configuration file [$cmdConfFilename].." Remove-Item $eventConfFilename Remove-Item $cmdConfFilename `
I see you are using the Powershell FSRM cmdlets. Unfortunately these do not work with Windows Server 2008 (R2). Any other solutions available that are compatible with Win2008 and newer?
I found the the error in main script. when it is trying to create filegoups with extensions it cannot correctly convert that API to extensions, I thought it will be easier to just change to Powershell FSRM command :) I will try to check one more time and if I resolve the issue will post it here
Only workaround that I was be able to do is to import with Powershell, export it and change script for 2008server not to create FileGroupTemplate, but import it from a network location. It is not creating this big list after HOW TO DECRYPT FILES.txt file
Could you possibly release a version of the script that has that functionality baked in, please?
I'll be submitting a PR with a workaround for this temporarily. I've refactored some code to leverage the built in native PowerShell cmdlets in 2012+ and also fixed the outstanding issue with the 2008 filescrn.exe command.
In short the filescrn add group command seemingly ran into an overflow condition right around 4 KB worth of char give or take and that completely broke the command.
The 2012+ cmdlets do not seem to exhibit this behavior and will happily (at this point) take the entire file extension array.
Sit tight and hopefully @m-dwyer will accept the pull request.
@celtic-bear can you please remove all of that garbage from your comment. Comments are not for submitting code in, thanks 👍
@CodaAmok The filescreen add was failing around the 3900-4000 character mark, which was close enough to the 4096 byte mark. This was enough to reasonably suspect that the filescrn.exe Screen Add could only accept 4096 bytes and the error handling in most legacy methods is not robust enough to catch and trap this condition.
I am still planning on submitting a PR for my refactored code which may be of some use for people, but it's taken a back burner to other work projects for the time being.
@nreisb I spent yesterday trying to figure out why the below was failing. This issue pointed me in the right direction, so I just spent the last 30 minutes looking closer at the passed string ($x).
Invoke-Command -Session $session -ScriptBlock { param($x) cmd /c "Filescrn.exe Filegroup Add /Filegroup:Ransomware /Members:$x" } -Args $x
Unfortunately the errors given lead me to believe all day yesterday that I wasn't passing the variable correctly or the syntax was wrong.
I controlled $x's character count. 4097 worked OK but 4098 would fail: "The parameter is incorrect". Just to be sure, I played around with the chars before that hard limit to rule out an encoding issue but it's looking very likely that you're right.
Well spotted, I'm gutted I didn't think of that yesterday but glad I came across this repo.
Could you explain how your line solves this problem?
&filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"
Edit: I may have wasted more time than I first thought. Despite using the Experiant list all along, I failed to read the install page that already highlights 4KB issue. Here is a solution (lines 12-51). I was thinking of something similar but I'm glad I found this as it's much simpler than the approach I was first thinking of.
Edit: it seems I'm late to the party, you use the same function. Moving on...
&filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")" was the original code that just took ALL of the entires and put them in A group. Which eventually became too large and caused the command to fail
LN25-40 handles the 'get first 4096, back off one and write to group, get next 4096, etc.'
@nreisb New-FsrmFileGroup takes 1kb strings, currently working on some lines using the fsrm cmdlets, will mod my fork when it's usable. Thankfully, @Kittzus 's PR provides the ground work.
@Kittzus your script works well, however one thing none of the version so is enable a filescreen on the share path vs the entire drive. One of the problems with entire drive is that you cannot enable Active filtering if the shares are on C:\ as windows 2012 r2 blocks it. If you configure the screen on a path under C:\ it works great. Would love to see one that enumerates the shares and adds a screen for each one.
@Minkus32 not strictly true, you can apply active screening to the system drive just not at the root of C: - you can apply to subfolders for example C:\Users. I am yet to post mine but I have a function which does just this: enumerates and creates file screens on absolute folder locations rather than entire drive, but only for the C: drive.
that would be perfect. I am looking for something I an push to file servers in a scheduled basis that would auto protect them without me needing to login and adjust things so if you want me to test out your script let me know.
I would love to test out that script as I have quite a few clients with shares on the C drives of their VM’s…
From: CodaAmok [mailto:[email protected]] Sent: Friday, January 06, 2017 3:54 PM To: m-dwyer/CryptoBlocker [email protected] Cc: Minkus32 [email protected]; Mention [email protected] Subject: Re: [m-dwyer/CryptoBlocker] Filescreen group is not created (#12)
@Minkus32https://github.com/Minkus32 not strictly true, you can apply active screening to the system drive just not at the root of C: - you can apply to subfolders for example C:\Users. I am yet to post mine but I have a function which does just this: enumerates and creates file screens on absolute folder locations rather than entire drive, but only for the C: drive.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://github.com/m-dwyer/CryptoBlocker/issues/12#issuecomment-271032533, or mute the threadhttps://github.com/notifications/unsubscribe-auth/AXz3wQHAJLS02aQS8nixcrMKChn7MZNjks5rPsYcgaJpZM4JW_HP.
The updated code for this does not appear to be available in Master and I can't see any branches. I can only see the new code when I click through the above. Is this still an outstanding issue as I would like to try the new code and see if it works in my environment. I am currently getting the error message from filescrn.exe on my 2008R2 server where I am testing this before I test it on my 2012R2 servers.
