nexxai / CryptoBlocker

A script to deploy File Server Resource Manager and associated scripts to block infected users
GNU General Public License v2.0

Server 2019 #69

Open nicecube opened 5 years ago

nicecube commented 5 years ago

Hi, I was using this script on all my file servers and it's working great. I ran into an issue with Server 2019; I got this message spamming the console:

```
Invoke-WebRequest : The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.
At C:\HelpOX\FSRM\DeployCryptoBlocker.ps1:214 char:12
Checking File Server Resource Manager..
Processing ProtectList..
The following shares needing to be protected: C:\Windows,C:\,C:\Data,C:\Windows\system32\spool\drivers,C:\Data\Sage_DB
Dowloading CryptoLocker file extensions list from fsrm.experiant.ca api..
Processing SkipList..
Processing IncludeList..
Adding/replacing File Groups..
File Group [CryptoBlockerGroup1] with monitored files from [] to []..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The specified name is invalid.
Adding/replacing [Active] File Screen Template [CryptoBlockerTemplate] with eMail Notification [C:\Windows\TEMP\tmpEmail001.tmp] and Event Notification [C:\Windows\TEMP\tmpEvent001.tmp]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
Adding/replacing File Screens..
File Screen for [C:\Windows] with Source Template [CryptoBlockerTemplate]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
File Screen for [C:] with Source Template [CryptoBlockerTemplate]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
File Screen for [C:\Data] with Source Template [CryptoBlockerTemplate]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
File Screen for [C:\Windows\system32\spool\drivers] with Source Template [CryptoBlockerTemplate]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
File Screen for [C:\Data\Sage_DB] with Source Template [CryptoBlockerTemplate]..
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
This tool is deprecated and may be removed in future releases of Windows. Please use the Windows PowerShell cmdlets in the FileServerResourceManager module to administer File Server Resource Manager functionality. The requested object was not found.
Processing ExcludeList..
Cleaning up temporary stuff..
Done.
```

davidande commented 5 years ago

I confirm that I had the same issue on a 2016 server too, about the IE first-launch configuration. As for the deprecated cmdlets, I switched to the new ones in my scripts: New-FsrmFileScreenTemplate, New-FsrmFileScreen, New-FsrmFileGroup ... This way I don't have any problems. By the way, is there any way to check that the IE first-launch configuration is done?

nicecube commented 5 years ago

It is surely because the Invoke-WebRequest command has a dependency on the Internet Explorer assemblies and invokes them to parse the result, as per default behaviour.

But this is only possible if you run your PowerShell scripts as the same Windows user you launched IE with. The IE settings are stored under your current Windows profile. So if you, like me, run your task in a scheduler on a server as the SYSTEM user, this will not work.

So here you will have to change your scripts and add the -UseBasicParsing argument:

```powershell
$WebResponse = Invoke-WebRequest -Uri $url -TimeoutSec 1800 -ErrorAction:Stop -Method:Post -Headers $headers -UseBasicParsing
```
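The two fixes raised in the comments above (`-UseBasicParsing` for the download, and the FileServerResourceManager cmdlets in place of the deprecated tool), combined in one sketch. This is an added example, not part of the thread and not code from CryptoBlocker or the repositories linked below; `$ListUrl` is a placeholder, the `filters` JSON property is an assumed response shape, and `C:\Data` is a sample path.

```powershell
#Requires -Modules FileServerResourceManager
param(
    [string]   $ListUrl      = 'https://example.invalid/api/extensions',  # placeholder URL
    [string]   $GroupName    = 'CryptoBlockerGroup1',
    [string]   $TemplateName = 'CryptoBlockerTemplate',
    [string[]] $ProtectPaths = @('C:\Data')                                # sample path
)
$ErrorActionPreference = 'Stop'

# -UseBasicParsing avoids the Internet Explorer engine, so the download also
# works from a scheduled task running as SYSTEM (no IE first-launch profile).
$response = Invoke-WebRequest -Uri $ListUrl -UseBasicParsing -TimeoutSec 60
# Assumption: the service returns JSON with a 'filters' array of patterns.
$patterns = @(($response.Content | ConvertFrom-Json).filters |
    Where-Object { $_ -and $_.Trim() } | Sort-Object -Unique)

# A failed download leaves nothing to screen for (the "[] to []" line in the
# log above); stop rather than replace a working group with an empty one.
if ($patterns.Count -eq 0) { throw "No patterns returned from $ListUrl" }

# Create or update the file group with the native cmdlets.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# Event-log notification raised when a screened file name is written.
$action = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] tried to save [Source File Path] on [Server], ' +
    'matching file group [Violated File Group].')

# Active screening template (blocks the write instead of only reporting it).
$tpl = @{ Name = $TemplateName; IncludeGroup = $GroupName; Notification = $action; Active = $true }
if (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreenTemplate @tpl
} else {
    New-FsrmFileScreenTemplate @tpl | Out-Null
}

# Apply the template to each protected path, replacing any existing screen.
foreach ($path in $ProtectPaths) {
    if (Get-FsrmFileScreen -Path $path -ErrorAction SilentlyContinue) {
        Remove-FsrmFileScreen -Path $path -Confirm:$false
    }
    New-FsrmFileScreen -Path $path -Template $TemplateName | Out-Null
}
```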

KarlBystrak commented 5 years ago

David, you mentioned here that you have updated the script to use the new PowerShell commands:

> As for the deprecated cmdlets, I switched to the new ones in my scripts: New-FsrmFileScreenTemplate, New-FsrmFileScreen, New-FsrmFileGroup ... This way I don't have any problems.

Would you mind sharing that with us? I would also like to test it with the new commands. I am also running server 2019.

Thanks.

davidande commented 5 years ago

https://github.com/davidande/FSRM-ANTICRYPTO

SparkyzCodez commented 5 years ago

You may want to look at my scripts as well. They are warning-free on W2019 but they won't work on W2008. (OK, you shouldn't still be using W2008 anyway. EOL is in a few months.) https://github.com/SparkyzCodez/FSRM-Anti-ransomware