File Screen Templates are not created anymore

Open kiriswiss opened this issue 6 years ago • 12 comments

Hi everyone, we import this script on a weekly basis. For the past two weeks it has not worked anymore, and I have no idea why. The script creates the file groups, but it fails when creating the file screen templates. When I check the script, this is the output:

Adding/replacing [Active] File Screen Template [CryptoBlockerTemplate] with eMail Notification [C:\Users\ADM_U3~1\AppData\Local\Temp\6\tmpEmail001.tmp] and Event Notification [C:\Users\ADM_U3~1\AppData\Local\Temp\6\tmpEvent001.tmp]..

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.

This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.

Does anyone have any idea? The part from the script is exactly the same as it was a few weeks back. The only thing that we have changed is that we download the pattern file first, check it and then import it. But this was also working just fine until two weeks ago.

For me it somehow does not create the following files under my user account: [C:\Users\ADM_U3~1\AppData\Local\Temp\6\tmpEmail001.tmp] [C:\Users\ADM_U3~1\AppData\Local\Temp\6\tmpEvent001.tmp]

Any help would be appreciated. Thanks in advance, Andre

kiriswiss avatar Oct 09 '19 06:10 kiriswiss

I've had the same experience recently with Windows 2016.

agampher avatar Oct 09 '19 12:10 agampher

You can try my script as it does not use deprecated commands

davidande avatar Oct 09 '19 12:10 davidande

Just want to chime in that I'm having the same issue (Server 2016)

Strelok27 avatar Oct 10 '19 13:10 Strelok27

Hi Davidande, thanks for your script. But I made some modifications to the 'main' script as we need to download the file first, check it and then implement it. Our file servers do not have direct access to the internet. If you can let me know how to import an existing file in your script, I will give it a try. Otherwise, does anyone have a fix yet for the existing script? Thanks, Andre

kiriswiss avatar Oct 11 '19 13:10 kiriswiss

It had a problem with get.json. PS can't process the characters "<" and ">", at "*._NEMTY_<*>_".

Temporary solution:

  1. Download get.json to your script directory. Use a text editor to open it and remove the characters "<" and ">".
  2. Create a copy of the script and edit it to work with the downloaded get.json: Change line 217 from $jsonStr = Invoke-WebRequest -Uri https://fsrm.experiant.ca/api/v1/get to $jsonStr = Invoke-WebRequest -Uri $PSScriptRoot\get.json
  3. Run the edited script.

Hope this helps you!

hcz8x avatar Oct 14 '19 11:10 hcz8x

I also just fixed this issue an hour ago with the same fix as @crazyheo. We download our own list from fsrm.experiant.ca and host it on our own webservers, just in case the list goes offline or something like this happens. I filtered ".NEMTY<>_" from our list and everything works again. It is in my opinion a single point of failure that when an extension can't be parsed or the list is not online, the file screens are not created anymore.

freezscholte avatar Oct 14 '19 11:10 freezscholte

Thanks guys for your support and help. Yes, it is indeed the part .NEMTY<>_. As soon as I removed the <> all works again. Hope that this fix will soon be implemented in the main file which we download once a week. But once again: thanks, you saved my day.

kiriswiss avatar Oct 14 '19 11:10 kiriswiss

@kiriswiss

$jsonStr = Invoke-WebRequest -Uri https://fsrm.freez.it
$monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters } )

After the above line you could also add this script line

$monitoredExtensions = $monitoredExtensions -replace '[<>]'

It will filter out the <> characters

freezscholte avatar Oct 14 '19 12:10 freezscholte
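
Added example, not part of the thread or of the CryptoBlocker script: one way to keep a single unparsable entry or an offline list from leaving the file screens uncreated, by falling back to a cached copy and setting aside bad patterns instead of importing them. The function names `Get-FilterJson` and `Split-FsrmPattern`, the cache path, and the sample JSON are hypothetical; the character set beyond `<` and `>` is an assumption based on the characters Windows forbids in file names.

```powershell
# Hypothetical helper: download the list, fall back to the last good copy on failure.
function Get-FilterJson {
    param([string]$Uri, [string]$CachePath)
    try {
        $json = (Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop).Content
        $null = ConvertFrom-Json $json      # must parse before it replaces the cache
        Set-Content -Path $CachePath -Value $json -Encoding UTF8
        return $json
    } catch {
        Write-Warning "Download or parse failed, using cached list: $_"
        return Get-Content -Path $CachePath -Raw
    }
}

# Hypothetical helper: separate usable patterns from ones FSRM would refuse.
function Split-FsrmPattern {
    param([string[]]$Pattern)
    # Characters Windows forbids in file names, minus the * and ? wildcards.
    # Assumption: FSRM refuses all of these; the thread only confirms < and >.
    $bad = '[<>:"/\\|]'
    [pscustomobject]@{
        Accepted = @($Pattern | Where-Object { $_ -and $_ -notmatch $bad } | Select-Object -Unique)
        Rejected = @($Pattern | Where-Object { $_ -match $bad })
    }
}

# Constructed sample in the shape the script reads: an object with a "filters" array.
# On a server this would come from:
#   Get-FilterJson -Uri <list URL> -CachePath "$PSScriptRoot\get.json"
$sampleJson = '{"filters":["*.locky","*._NEMTY_<*>_","*.crypt","*.locky","readme|decrypt.txt"]}'

$filters = @((ConvertFrom-Json $sampleJson).filters)
$split   = Split-FsrmPattern -Pattern $filters

# Report what was dropped so a coverage gap is visible in the job log.
foreach ($p in $split.Rejected) { Write-Warning "Skipping unusable pattern: $p" }

# Never replace a working file group with an empty one.
if ($split.Accepted.Count -eq 0) { throw 'No usable patterns; keeping the existing file group.' }

$monitoredExtensions = $split.Accepted
$monitoredExtensions
```

Unlike stripping `<>` in place, rejected entries are logged rather than silently rewritten into a different pattern, so they can be reviewed and reported upstream.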

Hi there,

I've changed the problem entry to remove the <> characters and the filter is now ._NEMTY

JKMUser avatar Oct 15 '19 16:10 JKMUser

I wrote a new PowerShell script that uses only W2012 and above commands. No filescrn.exe, no 4kb limits, and a boatload of additional options and features including honeypots. I test every revision on both W2012(r1) and r2, 2016, and 2019. It uses a JSON file that stays on your system and gets updated from Experiant. If Experiant is off-line then you are still protected. I also have a Python script that will search your entire system for any signs of ransomware files. It will scan 2.5 million files in about 2 minutes using the VoidTools EverythingSearch engine. I hope you will all take a look and get involved.

SparkyzCodez avatar Oct 20 '19 00:10 SparkyzCodez

> I wrote a new PowerShell script that uses only W2012 and above commands. No filescrn.exe, no 4kb limits, and a boatload of additional options and features including honeypots. I test every revision on both W2012(r1) and r2, 2016, and 2019. It uses a JSON file that stays on your system and gets updated from Experiant. If Experiant is off-line then you are still protected. I also have a Python script that will search your entire system for any signs of ransomware files. It will scan 2.5 million files in about 2 minutes using the VoidTools EverythingSearch engine. I hope you will all take a look and get involved.

Hi SparkyCodez, I'm gonna take a look at your script. Thanks for mentioning.

freezscholte avatar Nov 01 '19 07:11 freezscholte

Thank you all for your support, help and new scripts... it's much appreciated.

kiriswiss avatar Nov 01 '19 08:11 kiriswiss