
CryptoBlocker FSRM rules alert on its own files

Open · nm777 opened this issue 8 years ago · 1 comment

CryptoBlocker's current ruleset includes a rule to look for and alert when files matching *crypt* are found. This causes problems in the following scenarios:

  1. Copying DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script is detected as a malicious file and blocked.
  2. Running DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script produces a log file at $env:Temp\cryptoblocker-eventnotify.txt, which is detected as a malicious file and blocked.

In both cases, the current ruleset appears to trigger based on the rule *crypt*. A possible solution might be to create an exclusion rule for these specific files.

nm777 avatar Jun 13 '16 13:06 nm777
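The exclusion approach suggested in the issue, worked through as an added example that is not part of CryptoBlocker or of the patch below: the non-member names are derived from the configured log-file variables and the running script's own name instead of being typed in by hand, a small helper emulates FSRM's member/non-member matching offline so the patterns can be checked against sample names before touching a server, and the group is then created or updated with the FileServerResourceManager cmdlets rather than filescrn.exe. The variable names `$fileGroupName`, `$eventConfFilename`, `$cmdConfFilename` and `$monitoredExtensions`, the helper `Test-FileGroupMatch` and the sample file names are this example's own assumptions; only the `*crypt*` pattern comes from the issue.

```powershell
# Added example, not CryptoBlocker's own code. Variable and helper names are
# assumptions chosen to read like the deploy script; the sample names below
# are constructed.

$fileGroupName     = "CryptoBlockerGroup"
$eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt"
$cmdConfFilename   = "$env:Temp\cryptoblocker-cmdnotify.txt"

# Patterns the screen should catch. Only *crypt* from the issue is used here;
# a real ruleset carries many more.
$monitoredExtensions = @("*crypt*")

# Build the exclusions from the real config values and the script's own file
# name so the two lists cannot drift apart. The Where-Object drops the empty
# entry you get for $MyInvocation.MyCommand.Name in an interactive session.
$exclusions = @(
    $MyInvocation.MyCommand.Name,
    (Split-Path -Leaf $eventConfFilename),
    (Split-Path -Leaf $cmdConfFilename)
) | Where-Object { $_ } | Select-Object -Unique

function Test-FileGroupMatch {
    # Hypothetical helper: emulates FSRM file-group membership, where a name
    # is a member when it matches at least one include pattern and none of
    # the exclude patterns. -like is a case-insensitive wildcard match, as
    # Windows file-name matching is.
    param(
        [Parameter(Mandatory)][string]   $Name,
        [Parameter(Mandatory)][string[]] $Include,
        [string[]] $Exclude = @()
    )
    $included = $Include | Where-Object { $Name -like $_ }
    $excluded = $Exclude | Where-Object { $Name -like $_ }
    return ([bool]$included -and -not [bool]$excluded)
}

# Constructed sample names: the three files from the issue, a name that a
# screen should still block, and a benign one.
$samples = @(
    "DeployCryptoBlocker.ps1",
    "cryptoblocker-eventnotify.txt",
    "cryptoblocker-cmdnotify.txt",
    "report.docx.encrypted",
    "quarterly.xlsx"
)
foreach ($name in $samples) {
    $blocked = Test-FileGroupMatch -Name $name -Include $monitoredExtensions -Exclude $exclusions
    "{0,-32} blocked={1}" -f $name, $blocked
}

# Create or replace the group. Requires the FS-Resource-Manager feature;
# Set-FsrmFileGroup replaces both pattern lists, so no separate Modify step.
Import-Module FileServerResourceManager -ErrorAction Stop
if (Get-FsrmFileGroup -Name $fileGroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $fileGroupName -IncludePattern $monitoredExtensions -ExcludePattern $exclusions
} else {
    New-FsrmFileGroup -Name $fileGroupName -IncludePattern $monitoredExtensions -ExcludePattern $exclusions
}
```

Run it from a saved .ps1 so `$MyInvocation.MyCommand.Name` resolves to the script file; the first three sample names come out `blocked=False`, `report.docx.encrypted` comes out `blocked=True` and `quarterly.xlsx` never matches an include pattern. Keep in mind that a non-member entry exempts by name only, so any file carrying one of these three names passes the screen whatever its contents; the list should stay this short.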

Here is a patch that should resolve the issue.

From 6c8a33b5d388b6582de1ef87d48922c107f39647 Mon Sep 17 00:00:00 2001
From: Nate Morris <[email protected]>
Date: Mon, 13 Jun 2016 13:16:18 -0500
Subject: [PATCH] Added exclusions to the FSRM group so FSRM doesn't detect
 this script as an infection.

---
 DeployCryptoBlocker.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1
index 1971a61..d7505bf 100644
--- a/DeployCryptoBlocker.ps1
+++ b/DeployCryptoBlocker.ps1
@@ -99,6 +99,12 @@ $batchFilename = "C:\FSRMScripts\KillUserSession.bat"
 $eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt"

 $cmdConfFilename = "$env:Temp\cryptoblocker-cmdnotify.txt"



+$exclusions = @(`

+    $MyInvocation.MyCommand.Name,

+    "cryptoblocker-eventnotify.txt",`

+    "cryptoblocker-cmdnotify.txt"`

+    )

+

 $scriptConf = @'

 param([string] $DomainUser)



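Review bot: the three exclusion names are hard-coded literals while `$eventConfFilename` and `$cmdConfFilename` are defined two lines above them; derive the entries from those variables, e.g. `(Split-Path -Leaf $eventConfFilename)`, so a later rename of a log file cannot silently put it back under the `*crypt*` rule. The backtick continuations inside `@( ... )` are unnecessary (PowerShell continues after a comma and inside parentheses) and are applied inconsistently: `$MyInvocation.MyCommand.Name,` carries none while the two lines after it do. Worth a comment in the script as well: a non-member entry exempts by file name only, so any file named DeployCryptoBlocker.ps1 or cryptoblocker-eventnotify.txt passes the screen regardless of its contents, which is why the list should not grow beyond these three.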
@@ -209,6 +215,7 @@ $cmdConf | Out-File $cmdConfFilename
 Write-Host "Adding/replacing File Group [$fileGroupName] with monitored file [$($monitoredExtensions -Join ",")].."

 &filescrn.exe filegroup Delete /Filegroup:$fileGroupName /Quiet

 &filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"

+&filescrn.exe Filegroup Modify "/Filegroup:$fileGroupName" "/Nonmembers:$($exclusions -Join "|")"



 Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [$eventConfFilename] and Command Notification [$cmdConfFilename].."

 &filescrn.exe Template Delete /Template:$fileTemplateName /Quiet

-- 
2.6.4.windows.1

nm777 avatar Jun 13 '16 18:06 nm777