Open rivir opened 1 year ago
FSRM Experiant list hasn't updated since November 23, any change to this process?
Yes, I have the same question.
perhaps it is of use for someone: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list
I added the 5000+ filters from the FSRM list to this, if that is not what you intended, please revert.
Yeah, not sure, but perhaps it could be OK if someone scrapes the whole list from there. But it seems you overwrote my entries, so I put them back at the top like it is usually done.
got it, sorry for the overwrite
Will this list be updated regularly?
Need to create a form and process to collect filters. Not sure if this it the correct space for this, or where that should be hosted.
Well, the process is community work on fsrm.experiant.ca, and that wiki page can also be updated by anyone with a GitHub account. So if you come across new extensions just add them, but checking for double entries has to be done manually by any contributor.
I would hope this is only temporary.
Glad I'm not the only one who noticed it's been some time since the list got updated. I was first thinking that my script broke or they went to a new site.
I've seen @rivir's repo with a list.txt that had the same layout the site used. I have made a pull request to add the missing ones from @gizmo21's wiki list.
I think we can use @rivir's repo to host this list.txt file, as you can view this file as raw in GitHub and that would work the same way. People could then file issues or make a pull request with new extensions and they can get added to that list.txt.
sounds like a plan... hosting the list here: https://github.com/rivir/CryptoBlocker/raw/master/list
The PowerShell $webClient.DownloadString call would need to be modified:
#$jsonStr = $webClient.DownloadString("https://fsrm.experiant.ca/api/v1/get")
$monitoredExtensions = $webClient.DownloadString("https://github.com/rivir/CryptoBlocker/raw/master/list")
any other ideas?
That should work. Although I was thinking to keep the layout of the list in the same JSON style like this: https://raw.githubusercontent.com/DFFspace/FSRM/main/list.txt
Then the script itself doesn't need to be modified and people only have to replace the URL.
I like your idea more. I do not use the JSON beyond the filter list, so I simplified it, but I agree maintaining that metadata could be useful for many others. I haven't thought about how to automate the creation of the JSON after the pull requests, so this would take some prep work (ideas appreciated).
...in the meantime I updated https://github.com/nexxai/CryptoBlocker/wiki/fallback-list, because it is the easiest way for me without pull requests... - "update reason comment" is the source of the new filters
Currently working on the forked repo from @rivir with some workflows / a Python script that could update the files automatically when new items are added to the list.
Here is my repo: https://github.com/DFFspace/CryptoBlocker
I've updated the list.txt file; it's alphabetically sorted. I also noticed there were some extensions that had their characters replaced with the unicode escape, or two extensions used the \n character, which is normally used to create a new line.
For example there was an extension named: "*.Deniz_K\u0131z\u0131"
The problem is that Windows doesn't allow certain character types in an extension.
But when the PowerShell script is used, it ignores these unicode escapes and replaces them with the correct normal character. I went ahead and fixed the extensions that had these unicode escapes and/or \n. They now use the correct characters instead of the unicode escapes. I have updated this in the list.txt file.
I created a small Python script that is assigned to a workflow action. This action gets triggered when the list.txt is updated or edited. It will grab the list.txt file, store each item in a list, and then create the same JSON layout format with all the extensions, which updates this KnownExtensions.txt file.
This would be the URL that people can use in their scripts: https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
To get new extensions added, people would need to report an issue with the new extension that should be added.
Any feedback would be appreciated
Well, I can't see the advantage of an alphabetically sorted list, as new additions would have to be searched for in the whole file (to prevent double issue posts). If the newest are always on top (like https://fsrm.experiant.ca/#rawlist) this is much easier for submitters, and for those who want to review the additions before adding, for extensions that should potentially be excluded, or those who excluded rather old extensions.
Also there are sometimes additions like *.vn2.1.[victims_ID] which wouldn't block ANYTHING in an attack if added without alteration, as the filter would have to be at least *.vn2.1.[*] or even better *.vn2.1.* to block with your own victim_ID or domain name... Therefore it's also much easier if you see the latest additions on top, but perhaps I'm the only one...
And it seems it was only sorted once and then appended:
xort.txt your_key.rsa zXz.html zcrypt.exe zycrypt. zzzzzzzzzzzzzzzzzyyy Инструкция по расшифровке.TXT инструкция по оплате.txt .bpws .iswr .KoRyA .mao .poqw .pouu .RYKCRYPT .znsm .znto .znws .zoqw *.zouu
But I will try it next time with an addition-issue on your repo.
I see what you mean. Nonetheless I could write a workflow action that looks for any duplicated extensions when they get submitted or added, so there is a check before it updates the file.
I will see if I can fix the list so it is ordered the way it is done at https://fsrm.experiant.ca/#rawlist, with the fixes for the unicode characters, and I will make sure the new ones are added on top of the list!
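The conversion workflow described above (list.txt with one pattern per line, newest first, turned into the {"filters": [...]} JSON that the existing scripts read via $_.filters), together with the duplicate check and the literal \uXXXX escape repair discussed in this thread, as an added example. This is not the DFFspace workflow's own code; the sample list is constructed, and the function names are the example's own.

```python
import json
import re

# Constructed sample of a list.txt in the layout discussed here: one FSRM
# pattern per line, newest on top. It deliberately contains the two defects
# mentioned in the thread: a literal \u0131 escape and an accidental duplicate.
SAMPLE_LIST_TXT = r"""*.zxc
*.Deniz_K\u0131z\u0131
*.vn2.1.*

*.zxc
*.Mafer
your_key.rsa
"""

# A literal backslash-u followed by four hex digits (the double-escaped form).
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def repair_escapes(entry):
    """Turn a literal '\\u0131' sequence back into the character it encodes."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), entry)


def parse_list(text):
    """Return (filters, duplicates), keeping the file's order (newest first).

    Comparison is case-insensitive because NTFS file names are; a second
    occurrence of a pattern is reported instead of silently emitted twice.
    """
    seen = set()
    filters = []
    duplicates = []
    for raw in text.splitlines():
        entry = repair_escapes(raw.strip())
        if not entry:
            continue
        key = entry.casefold()
        if key in seen:
            duplicates.append(entry)
            continue
        seen.add(key)
        filters.append(entry)
    return filters, duplicates


def to_known_extensions_json(filters):
    """Emit the {"filters": [...]} document the scripts in this thread consume.

    ensure_ascii=False keeps Cyrillic and Turkish letters as real UTF-8 text
    instead of re-introducing \\uXXXX escapes into the published file.
    """
    return json.dumps({"filters": filters}, ensure_ascii=False, indent=2)


if __name__ == "__main__":
    filters, duplicates = parse_list(SAMPLE_LIST_TXT)
    if duplicates:
        # In a workflow this would fail the run so the submitter fixes the list.
        print("duplicate entries:", duplicates)
    print(to_known_extensions_json(filters))
```

Because the emitted file is UTF-8 with non-ASCII characters in it, whatever downloads it has to decode it as UTF-8; the encoding problems reported later in this thread are exactly what happens when that step is skipped.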
@gizmo21, I changed the list to reflect the extension order as they are listed on https://fsrm.experiant.ca/#rawlist and added the new ones above *.Mafer, so from now on new extensions will appear on top!
Hello, I made modifications to my script to work with this list. Working great.
Thanks to davidande for the update. I tested your script and after changing the download URL to DFF's list, it successfully downloads the new list, but I'm unable to write to any folders at all. It seems FSRM is blocking any file extensions from being written to the protected folders, even legit extensions that are not in the list. Formatting issue in the script against the new list perhaps?
Regards, Jeff
I haven't had any issues just changing the source to this list (the past couple months). I updated all my servers a week ago. Unless some weird wildcard pattern (added in the past week) is causing this, you may need to troubleshoot FSRM on your server.
On Sat, Mar 18, 2023 at 2:26 PM jf40541 wrote:
I'm using davidande's script.
Hello, facing the same issue: all files are blocked. Help would be appreciated on my script :-)
Strange... I only use my script to generate and update the template list.
Is the issue not something where it enables all templates? Below is how mine are set up.
I only use the list as well. I have the list working for me up to March 14 (last entry was *.zxc).
David, does the old list still work for you with your script?
Hello, since I decided to start using the alternative list, I cannot get it to work. I have 2 errors: all types of files are blocked by FSRM. I tried other things but I also have a problem in the New-FsrmFileGroup command. I think that there is a format problem. As I have no time at the moment, I ask for help if someone can manage it in my script :-)
Hello @davidande,
I have done some tests and found something, I think. I created myself a new Win Server 2022 VM and created a share from scratch. When I run your script with my list as the download for the extensions it indeed blocks all files.
However, when I use my own file group created with my script using my list, and change the file group from Crypto_Blocker_extensions to my list Known Ransomware Files, it seems to work and is not blocking all files.
I did notice that your script seems to add the symbol "?" to some characters, as shown below. On the left is my list fetched through my script and on the right from your script:
I've made a pull request with the potential fix for your script in your repo. I tested this on my FSRM and it seems to work now and no longer blocks legit or all files.
This is likely the issue then. https://github.com/PowerShell/PowerShell/issues/7618
Invoke-WebRequest (line 76) in your script needs a couple more properties.
Probably adding
Invoke-WebRequest $url -OutFile $PSScriptRoot\extensions.txt -UseBasicParsing -ContentType 'application/json; charset=UTF-8'
will work better with Cyrillic characters
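Two of the points raised in this thread come down to how FSRM interprets the characters in a pattern: gizmo21's note that *.vn2.1.[victims_ID] blocks nothing unless the placeholder is replaced by *, and the "?" symbols that appeared in the file group when the list was fetched without UTF-8 handling. The following added example (not code from this project or from davidande's script) makes both visible with a small matcher. It assumes, as stated in the comments, that FSRM file group patterns treat only * and ? as wildcards and everything else, including square brackets, literally; the file names used are constructed.

```python
import re

# Assumption of this example: FSRM file-screen patterns use '*' (any run of
# characters) and '?' (exactly one character) as wildcards; every other
# character, including '[' and ']', is literal. Matching is case-insensitive
# because NTFS names are.
def fsrm_pattern_to_regex(pattern):
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(pattern, filename):
    """True if an FSRM-style pattern would apply to this file name."""
    return fsrm_pattern_to_regex(pattern).fullmatch(filename) is not None


PLACEHOLDER = re.compile(r"\[[^\]]*\]")   # e.g. [victims_ID], [id]
QUESTION_RUN = re.compile(r"\?{2,}")       # two or more '?' in a row


def lint_pattern(pattern):
    """Return human-readable problems with a pattern before it is published."""
    problems = []
    if PLACEHOLDER.search(pattern):
        problems.append("bracketed placeholder would be matched literally; "
                        "replace it with '*' (e.g. '*.vn2.1.*')")
    if QUESTION_RUN.search(pattern) or "\ufffd" in pattern:
        problems.append("run of '?' or U+FFFD: each '?' is a one-character "
                        "wildcard, so lost non-ASCII characters widen the match")
    return problems


def lossy_download(name):
    """Simulate a list fetched through a codec that cannot represent
    Cyrillic or Turkish letters: every such letter becomes '?'.
    Constructed simulation of the symptom, not of PowerShell internals."""
    return name.encode("ascii", errors="replace").decode("ascii")


if __name__ == "__main__":
    encrypted = "budget.xlsx.vn2.1.A1B2C3"       # constructed victim file name
    for pat in ("*.vn2.1.[victims_ID]", "*.vn2.1.*"):
        print(f"{pat!r} matches {encrypted!r}: {matches(pat, encrypted)}")
    damaged = lossy_download("Инструкция по расшифровке.TXT")
    print("damaged pattern:", damaged, lint_pattern(damaged))
    # A harmless, constructed name with the same letter counts now matches.
    print(matches(damaged, "quarterly1 Q3 salesreport.TXT"))
```

Running lint_pattern over every entry before it goes into the file group catches both problems at review time: the placeholder that under-blocks, and the mojibake that turns a literal ransom-note name into a pattern matching ordinary documents.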
Thanks for the help. And what about lines 147 and 148?
$jsonStr = Invoke-WebRequest $url -UseBasicParsing -ContentType 'application/json; charset=UTF-8'
$monitoredExtensions = @(ConvertFrom-Json20($jsonStr) | % { $_.filters })
I made the change but same result: all files are blocked and I can see ??????? in FSRM.
Can you also give me the exact link for the $url? Thanks.
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
Thank You very much, my script works now.
Hi, I also have this problem: All files are blocked after I replace the original URL in the original DeployCryptoBlocker.ps1 with
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
Do you guys know why? I can't find an actual solution for the original script in this or the other thread (https://github.com/DFFspace/CryptoBlocker/issues/16).
Thanks in advance!
Invoke-WebRequest probably needs
-ContentType 'application/json; charset=UTF-8'
added to properly handle characters.
On Sat, Apr 15, 2023 at 6:12 AM madeyem wrote:
As I have stated here https://github.com/DFFspace/CryptoBlocker/issues/16 I've made some changes to the DeployCryptoBlocker.ps1 script in my repo that should fix the issue.
nexxai answered on reddit, so there is only a small chance of getting the old service back online: https://www.reddit.com/r/sysadmin/comments/142jz3r/comment/jn6mj10/
Hope the wiki-list can stay here...
Can someone help me with updated url for FSRM extensions?
It's posted several times in this thread:
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt It's the most up to date one.
If you want to contribute you can easily add extensions here: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list
Thanks,
I already have a PowerShell script to update it from experiant.ca; when I replace the URL with https://github.com/DFFspace/CryptoBlocker/blob/master/KnownExtensions.txt it shows an error.
Can you please help me with it?
From: gizmo21 Sent: Friday, March 15, 2024 3:36 AM To: nexxai/CryptoBlocker Cc: Noor Mohamed; Comment Subject: Re: [nexxai/CryptoBlocker] FSRM Experiant list hasn't updated since November 23 (Issue #104)
It's posted several times in this thread:
https://github.com/DFFspace/CryptoBlocker/blob/master/KnownExtensions.txt It's the most up to date one.
If you want to contribute you can easily add extensions here: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list
Thanks for the reply.
I tried both the links; they showed the below error.
From: gizmo21 Sent: Friday, March 15, 2024 10:20 PM To: nexxai/CryptoBlocker Cc: Noor Mohamed; Comment Subject: Re: [nexxai/CryptoBlocker] FSRM Experiant list hasn't updated since November 23 (Issue #104)
Try the RAW one:
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt