DFFspace / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0
17 stars 4 forks

False positives - *_out #209

Open Robby-Swartenbroekx opened 1 month ago

Robby-Swartenbroekx commented 1 month ago

We are seeing false positives on multiple devices with the entry `*_out`. Here is one of the examples: `C:\Users\[USERNAME]\AppData\Local\Temp\1\chrome_BITS_20652_940862599\puffpatch_out`

gizmo21 commented 1 month ago

It seems the entry `*_out` is correct, as the malware really renames it that way without an extension (dot): https://www.virustotal.com/gui/file/0c2013904dddc7a75d7cfb297b302b30b4ceb0caaf13af01097e422cfcd9392c/behavior https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html

But you can add a skiplist.txt to allow `_out` on your system, or perhaps manually put `_out` on c:\users or `puffpatch_out` in the allowlist: https://github.com/DFFspace/CryptoBlocker/blob/master/DeployCryptoBlocker.ps1

```
Add one filescreen per line that you want to ignore

For example, if *.doc files are being blocked by the list but you want
to allow them, simply add a new line in this file that exactly matches
the filescreen:

*.doc

The script will check this file every time it runs and remove these
entries before applying the list to your FSRM implementation
```
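To see why `*_out` catches `puffpatch_out` and how an exact skiplist entry removes that pattern before it reaches FSRM, here is an added PowerShell example; it is not code from DeployCryptoBlocker.ps1, uses a constructed pattern list and skiplist, and assumes that PowerShell's `-like` operator approximates FSRM's `*`/`?` file-screen wildcard matching closely enough for a local sanity check.

```powershell
# Added example, not part of CryptoBlocker. All sample data below is constructed.
# Assumption: FSRM file-screen patterns use * and ? wildcards, which -like approximates.

# Constructed stand-in for the downloaded file-screen pattern list.
$patterns = @('*.locky', '*_out', '*.doc', '*.crypt')

# Constructed skiplist.txt content: one filescreen per line, matched exactly.
$skiplistText = @"
*_out

*.doc
"@

function Get-EffectivePatterns {
    param([string[]]$Patterns, [string]$SkiplistText)
    # Trim and drop blank lines so a stray trailing space in skiplist.txt
    # does not silently break the exact-match rule (local hardening, assumption).
    $skip = $SkiplistText -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
    # An exact (case-insensitive) match removes the entry before deployment.
    $Patterns | Where-Object { $skip -notcontains $_ }
}

function Test-PathAgainstPatterns {
    param([string]$Path, [string[]]$Patterns)
    # File screens match the file name, not the directory, so compare the leaf.
    $leaf = [System.IO.Path]::GetFileName($Path)
    $Patterns | Where-Object { $leaf -like $_ }
}

# The path reported in the issue, with the user name left as a placeholder.
$reported = 'C:\Users\[USERNAME]\AppData\Local\Temp\1\chrome_BITS_20652_940862599\puffpatch_out'

"Patterns matching the reported file before the skiplist is applied:"
Test-PathAgainstPatterns -Path $reported -Patterns $patterns

$effective = Get-EffectivePatterns -Patterns $patterns -SkiplistText $skiplistText
"Patterns left after the skiplist is applied: $($effective -join ', ')"

"Patterns matching the reported file after the skiplist is applied:"
Test-PathAgainstPatterns -Path $reported -Patterns $effective
```

Run this before editing the real skiplist.txt to confirm that the entry you intend to add is the exact filescreen that triggered the false positive, rather than a broader or narrower pattern.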