nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

includelist.txt, similar to skiplist.txt, but list of files to screen #40

Open aggie96 opened 6 years ago

aggie96 commented 6 years ago

I would like to see some sort of includelist.txt functionality, similar to skiplist.txt, but a list of files to screen while waiting on file extension submission to be approved.

For example, a nearby county government system was hit today by a LockCrypt variant. In researching what happened, the .lock extension was brought to my attention by this link:

https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-crew-started-via-satan-raas-now-deploying-their-own-strain/

I have submitted the extension via https://fsrm.experiant.ca/, but while waiting for them to approve it, I would like to add it to an include list and re-run my script across all of our servers through our MSP software so that I get the protection immediately instead of waiting for a day or two.

Thank you for your consideration.

Mark

nexxai commented 6 years ago

Hi there, I like the idea for an includelist (please feel free to code this up and submit it as a pull request to be integrated into the public version); however, specifically regarding your comment about the *.lock extension, due to its ambiguity and wide-ranging potential for disruption, without a solid case from the community, we won't approve it.

davidande commented 6 years ago

OK with Nexxai: extension needs to be approved, but I also like the idea to manually include, even if it needs a real close management.

aggie96 commented 6 years ago

Makes sense. That makes the includelist even more important for ambiguous extensions that won't work for the public but would work for me.

I'll admit, I am a bit ignorant about how GitHub works. I also coded functionality to include the skiplist in the text of the script itself so that I could run it via my script engine in my MSP software, but was afraid to try to post it since I am too lazy to figure out how the pull request functionality worked. I'll get off my lazy duff and figure it out! ;-)

davidande commented 6 years ago

I also don't know how to. Just post it here :-)

aggie96 commented 6 years ago

Okay, I overcame my laziness, but I couldn't overcome my stupidity and figure out the pull process. Here is the code in case I can't join the 21st century and figure out this git thing.

This includes the maintaining of the skiplist in the code for deployment across multiple servers without having to create and update a skiplist.txt file on each server (it does still create skiplist.txt each time, which could be removed), and the inclusion of an includelist.

deployandmaintaincryptoblocker.txt

StarDestroyer78 commented 6 years ago

It looks like in the attachment that there are changes other than just the IncludeList ... also, it looks like the IncludeList is hard-coded into the script. The patch I attached above only implements the IncludeList feature and does so by using an external file (IncludeList.txt) rather than hard-coding the screen list.
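
One way the external-file approach discussed in this thread could merge a downloaded pattern list with a local IncludeList.txt and SkipList.txt, as an added example that is not code from CryptoBlocker or from any commenter. The function names, the sample patterns, and the choice that a skip entry overrides an include entry are assumptions of this example.

```powershell
# Added example; not CryptoBlocker's code. Function names are hypothetical.
function Read-PatternFile {
    param([string]$Path)
    # A missing file just means "no local entries".
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Merge-ScreenPatterns {
    param([string[]]$Downloaded, [string[]]$Include, [string[]]$Skip)

    # @{} is case-insensitive for string keys, matching Windows file names.
    $skipSet = @{}
    foreach ($s in $Skip) { if ($s) { $skipSet[$s.Trim()] = $true } }
    $seen = @{}

    $sources = @(
        @{ Name = 'Downloaded';  Items = $Downloaded },
        @{ Name = 'IncludeList'; Items = $Include }
    )
    foreach ($src in $sources) {
        foreach ($raw in $src.Items) {
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }
            $p = $raw.Trim()
            # A catch-all pattern would block every write on the screened path.
            if ($p -eq '*' -or $p -eq '*.*') {
                Write-Warning "Ignoring catch-all pattern '$p' from $($src.Name)"
                continue
            }
            # Assumption of this example: a skip entry wins over an include entry.
            if ($skipSet.ContainsKey($p) -or $seen.ContainsKey($p)) { continue }
            $seen[$p] = $true
            [pscustomobject]@{ Pattern = $p; Source = $src.Name }
        }
    }
}

# Constructed sample data; a real run would read the text files instead:
#   $include = Read-PatternFile -Path .\IncludeList.txt
$downloaded = '*.encrypted', '*.crypt', '*.one'
$include    = '*.lock', '*.CRYPT', '*.*'
$skip       = '*.one'

$merged = @(Merge-ScreenPatterns -Downloaded $downloaded -Include $include -Skip $skip)
$merged | Format-Table -AutoSize
# Local-only entries are the ones that need the close management mentioned above.
$merged | Where-Object { $_.Source -eq 'IncludeList' } | ForEach-Object { "local: $($_.Pattern)" }
```

Tagging each pattern with its source lets the local additions be logged and reviewed separately from the community-approved list before the merged patterns are handed to the file screen.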