Open nm777 opened 8 years ago
Here is a patch that should resolve the issue.
From 6c8a33b5d388b6582de1ef87d48922c107f39647 Mon Sep 17 00:00:00 2001
From: Nate Morris <nate.morris@paragon.net>
Date: Mon, 13 Jun 2016 13:16:18 -0500
Subject: [PATCH] Added exclusions to the FSRM group so FSRM doesn't detect
this script as an infection.
---
DeployCryptoBlocker.ps1 | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1
index 1971a61..d7505bf 100644
--- a/DeployCryptoBlocker.ps1
+++ b/DeployCryptoBlocker.ps1
@@ -99,6 +99,12 @@ $batchFilename = "C:\FSRMScripts\KillUserSession.bat"
$eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt"
$cmdConfFilename = "$env:Temp\cryptoblocker-cmdnotify.txt"
+$exclusions = @(`
+ $MyInvocation.MyCommand.Name,
+ "cryptoblocker-eventnotify.txt",`
+ "cryptoblocker-cmdnotify.txt"`
+ )
+
$scriptConf = @'
param([string] $DomainUser)
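Review bot: the exclusion list at the top of this hunk depends on `$MyInvocation.MyCommand.Name` being populated; when the script body is pasted into a console or run unsaved from the ISE rather than invoked as a file, that element is empty, and the later `$exclusions -Join "|"` then yields a pattern list with a leading `|` and one empty pattern. Suggest resolving the name once with a fallback, e.g. `$scriptName = if ($PSCommandPath) { Split-Path -Leaf $PSCommandPath } else { 'DeployCryptoBlocker.ps1' }`, and dropping empty entries (`$exclusions | Where-Object { $_ }`) before the join. Style point: the backticks after `@(` and at the end of the two string elements are unnecessary inside an array literal (PowerShell continues the expression after an open parenthesis or a trailing comma), and the first element has none, so the hunk is inconsistent with itself; remove them.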
@@ -209,6 +215,7 @@ $cmdConf | Out-File $cmdConfFilename
Write-Host "Adding/replacing File Group [$fileGroupName] with monitored file [$($monitoredExtensions -Join ",")].."
&filescrn.exe filegroup Delete /Filegroup:$fileGroupName /Quiet
&filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"
+&filescrn.exe Filegroup Modify "/Filegroup:$fileGroupName" "/Nonmembers:$($exclusions -Join "|")"
Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [$eventConfFilename] and Command Notification [$cmdConfFilename].."
&filescrn.exe Template Delete /Template:$fileTemplateName /Quiet
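Review bot: the non-member patterns set by the new `Filegroup Modify` call are file-name patterns, not paths, so any file named `cryptoblocker-eventnotify.txt`, `cryptoblocker-cmdnotify.txt` or `DeployCryptoBlocker.ps1` anywhere under a screened folder is exempted, not only the copies written to `$env:Temp`; that is a small named hole in the screen and deserves a comment or a mention in the Write-Host line above it. Two smaller points: `filescrn.exe Filegroup Add` accepts `/Nonmembers:` directly, so the exclusions can be passed on the `Add` line immediately above instead of a second round trip; and, like the surrounding `filescrn.exe` calls, this one never checks `$LASTEXITCODE`, so if it fails the group is left without exclusions while the script carries on, which is exactly the case this patch is meant to prevent.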
--
2.6.4.windows.1
CryptoBlocker's current ruleset includes a rule to look for and alert when files matching `*crypt*` are found. This causes problems in the following scenarios:

In both cases, the current ruleset appears to trigger based on the rule `*crypt*`. A possible solution might be to create an exclusion rule for these specific files.
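As an added example, not code from the CryptoBlocker project or from the issue author: a PowerShell model of how an FSRM file group evaluates member and non-member patterns, run over constructed sample file names, followed by the same group definition applied through the FileServerResourceManager cmdlets (Windows Server 2012 and later) when that module is present. The group name, the member patterns and the sample file names are assumptions for illustration, and FSRM's matching is approximated with PowerShell's case-insensitive `-like` wildcard operator.

```powershell
# Added example (not CryptoBlocker code): model an FSRM file group's
# member/non-member evaluation locally, then define the real group with the
# FileServerResourceManager module when it is available.
# Assumptions: group name, patterns and sample file names are constructed;
# FSRM matching is approximated with the case-insensitive -like operator.

function Test-FsrmFileGroupMatch {
    param(
        [Parameter(Mandatory)][string[]]$Members,   # patterns that put a file in the group
        [string[]]$NonMembers = @(),                # patterns that exempt a matching file again
        [Parameter(Mandatory)][string]$FileName
    )
    # A file is in the group when it matches any member pattern and no non-member pattern.
    $isMember = $Members | Where-Object { $FileName -like $_ } | Select-Object -First 1
    if (-not $isMember) { return $false }
    $isExcluded = $NonMembers | Where-Object { $FileName -like $_ } | Select-Object -First 1
    return (-not $isExcluded)
}

$fileGroupName = 'CryptoBlockerGroup'                    # constructed name
$members       = @('*.locky', '*crypt*', 'HELP_DECRYPT.*') # constructed subset of monitored patterns
$nonMembers    = @(                                      # the script's own files, exempted by name
    'DeployCryptoBlocker.ps1',
    'cryptoblocker-eventnotify.txt',
    'cryptoblocker-cmdnotify.txt'
)

# Constructed sample of file names a screened share might see.
$samples = @(
    'DeployCryptoBlocker.ps1',               # matches *crypt*, exempted by name
    'cryptoblocker-eventnotify.txt',         # matches *crypt*, exempted by name
    'quarterly-report.docx.crypt',           # matches *crypt*, flagged
    'cryptoblocker-eventnotify.txt.locky',   # exemption is exact-name, so still flagged
    'HELP_DECRYPT.TXT'                       # case-insensitive match on HELP_DECRYPT.*
)
foreach ($name in $samples) {
    $flagged = Test-FsrmFileGroupMatch -Members $members -NonMembers $nonMembers -FileName $name
    '{0,-40} flagged={1}' -f $name, $flagged
}

# Apply the same definition with the FSRM cmdlets, if the module is installed.
if (Get-Command New-FsrmFileGroup -ErrorAction SilentlyContinue) {
    if (Get-FsrmFileGroup -Name $fileGroupName -ErrorAction SilentlyContinue) {
        Set-FsrmFileGroup -Name $fileGroupName -IncludePattern $members -ExcludePattern $nonMembers
    } else {
        New-FsrmFileGroup -Name $fileGroupName -IncludePattern $members -ExcludePattern $nonMembers
    }
}
```

The loop makes the trade-off of a name-based exclusion visible: the script's own files stop tripping the `*crypt*` rule, but the exemption applies to any file of that exact name on any screened path, while a ransomware-renamed `cryptoblocker-eventnotify.txt.locky` is still caught because the non-member pattern is not a substring match.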