SparkyzCodez / FSRM-Anti-ransomware

A suite of PowerShell and Python scripts to help you fight ransomware using both known filespecs and zero-day resistant honey traps.
GNU Affero General Public License v3.0

`*._NEMTY_<*>_` glitch, illegal filter specs, the fix and the work around #6

Open SparkyzCodez opened 4 years ago

SparkyzCodez commented 4 years ago

The filespec `*._NEMTY_<*>_` snuck into some of my older JSON files. At first I was afraid the AntiransomwareFiltersMerge.py app glitched, but no. This is a definition that probably leaked through Experiant's filespec definitions and was subsequently removed.

The problem for us is that our JSON is lossless. If someone else stops publishing a file spec it will still be in our list.

Here's what I did to allow the scripts and FSRM to keep working without interruption. I put a filter validation routine into the FSRM-Anti-ransomware.ps1 script. Every filter filespec is now validated by the OS using the Test-Path PowerShell command. If the OS file system specs change then the criteria used by Test-Path changes dynamically as well. I'll extend this functionality to the exceptions in the near future too, but for now it's on you to make sure your exceptions are legal.

Right now the script excludes any failed file specs and simply passes the successfully validated filespecs on to FSRM. The script also pokes a warning with an EventID of 1007 into the OS event logs. The warning lists all the invalid file specs too so you won't have to guess which ones are broken.

I also made a simple stand-alone PowerShell script that will validate the filters in your JSON. You'll find it in the ancillary folder in this project.

We still need to tweak our JSON data files otherwise the broken NEMTY definition stays forever. Three options:

  1. Delete the definition and never look back. I think this is a good choice this time. Those angle brackets look like a mistake and it also looks like Experiant updated the filespec with the correct version.

  2. Use AntiransomwareFiltersMerge.py with the -r switch to reload the extended data from the Experiant source. This nukes all your custom entries from the old JSON file so be careful with this one. If you want to start your data over from the beginning then do this one.

  3. Replace any questionable characters with a ? wildcard. This is the most conservative option. You don't lose the definition and it still matches actual files pretty well. I'm not using this option in this case, but there is another broken filter that has a new line in it. I'll sub a question mark for that until I know more facts.

SparkyzCodez commented 4 years ago

Dynamic remediation: Added code to the FSRM-Anti-ransomware.ps1 script that will exclude any filespecs that are not allowed on the server's file system. This is a dynamic check that will adapt to differing file systems. This additional code will also emit a warning event to the OS event log.

To summarize, the PowerShell script won't attempt to put illegal file specs into the file group and it will also tell you about it.

To do: Still need to add code to the filters merge process to allow it to clean invalid file specs. This won't be dynamic because this script can run on any platform that supports Python 3 and not just Windows. We'll probably use a regex like the following: `[\x00-\x1f]|\||"|<|>|:|\\|\/`

SparkyzCodez commented 4 years ago

Updated the combined-extended-20200116_000000.json file by removing `*._NEMTY_<*>_` and removing the one with a line break. The NEMTY shouldn't come back because it's been removed from the Experiant data. The one with the line break is still being pushed by Experiant so it will be reintroduced to the JSON file automatically. The FSRM-Anti-ransomware.ps1 will continue to filter it out though.

Still todo: Modify the AntiransomwareFiltersMerge.py script to handle this better. I haven't decided what the mechanism will be yet or if it will be a command line flag for strict filespec checking. This is one case (the only case) where PowerShell is a bit more flexible.