Open MFlyer opened 7 years ago
@MFlyer Sorry, I don't seem to understand this. How would having some .files in a share trip up ransomware? You state they are to be fake, but surely they can only be legitimate if they are not to also break regular fs functions, and how can they appear in an fs listing if not legitimate?
I'm probably missing the point entirely here.
Hi @phillxnet, let's have an example: you have your share /mnt2/myshare and you enable our ransomware hooks feature, so what happens?
So the main part of this is the incrontab system
M.
@MFlyer OK, nice explanation. I get it now thanks.
You are proposing we set up and monitor 'canary in the coal mine' sacrificial files as triggers. Kind of like an auto honeypot by virtue of list order. Curious.
Fragile but I think there's something to this.
Not sure of the inotify and consequent incrontab load here though, presumably you are proposing some kind of checksum trigger or the like?
@phillxnet Did some googling -> on 64-bit, every watch = 1 kB of RAM :)
Hack to reduce RAM usage: add watches on a group of files/folders and add symlinks to the shares :D
I would say that if somebody making ransomware finds out about that, they will code around it; still, if we can get a feature that enriches the experience rather than limiting it, there will be more people that can benefit from it, so it's worth the hassle. In this small group and without money for development we usually concentrate on features that serve us ... so any extra input is always good.
Go for it!
This is a good idea, similar to FSRM functionality on Windows. Considering we don't even have an official AV rock-on or similar, I don't know if I see it at the top of the list right now.
Honeypots are very common for servers these days. I wouldn't say it's something they would code around per se, unless you do something like label the share "honeypot". Ransomware just starts encrypting and dumping to any open share it can populate.
If this existed, I would use it.
Rockstor users already have a good protection against ransomware via Btrfs snapshots, but I firmly believe we can improve it. How? Adding some ad hoc ransomware hooks!
How does ransomware code work? Basically listing folders looking for well-known doc files (document files, images, etc.) and encrypting them. Having direct experience ( :scream: ) with ransomware, I found out that folder listing is usually
ls (nix) / dir (windows)
like, so alphabetically ordered: numbers before a, before b, before c, etc., and all . elements (dot = hidden) before alphanumerics. Having some fake hidden folders/files in a share should prevent ransomware. Do you agree on implementing this in Rockstor?
Mirko
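The canary idea in this issue, as an added example that is not Rockstor code and not from the original post: hidden decoy files whose names sort first in a plain byte-ordered listing (the `ls`/`dir` order the issue describes), a checksum baseline of the kind the "checksum trigger" comment suggests, and a check that flags a decoy as missing or modified. The share path is a temporary directory, and the decoy names, contents and the simulated tamper are constructed for the demo; a real deployment would run the check from an inotify/incron hook instead of polling.

```python
"""Canary (decoy) file check for a share: added example, not Rockstor's own code."""
import hashlib
import os
import tempfile

# Constructed names: the leading dot hides them and the digit makes them sort
# before any letter, so a crawler walking a sorted listing meets them first.
CANARY_NAMES = [".0canary.docx", ".0canary.jpg", ".0canary.txt"]
CANARY_CONTENT = b"canary file - do not modify\n"


def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(share):
    """Create the decoy files in `share` and return a {path: sha256} baseline."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(share, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_CONTENT)
        baseline[path] = sha256_of(path)
    return baseline


def listing_order(share):
    """Byte-ordered listing, i.e. what a naive crawler sees (dotfiles first)."""
    return sorted(os.listdir(share))


def check_canaries(baseline):
    """Return [(path, reason)] for every canary that is missing or altered.

    Any hit is a strong signal that something is mass-modifying the share;
    the caller would typically alert and, on Rockstor, roll back to a snapshot.
    """
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
        elif sha256_of(path) != digest:
            alerts.append((path, "modified"))
    return alerts


def demo():
    """Plant canaries beside some real-looking files, then tamper with two of them."""
    share = tempfile.mkdtemp(prefix="myshare_")  # stands in for /mnt2/myshare
    for name in ["budget.xlsx", "photo.jpg", "1notes.txt"]:  # constructed user files
        with open(os.path.join(share, name), "wb") as fh:
            fh.write(b"real data\n")
    baseline = plant_canaries(share)
    order = listing_order(share)
    clean = check_canaries(baseline)  # nothing touched yet -> no alerts

    # Simulated tamper: overwrite one decoy, delete another.
    with open(os.path.join(share, CANARY_NAMES[0]), "wb") as fh:
        fh.write(b"garbage")
    os.remove(os.path.join(share, CANARY_NAMES[1]))
    alerts = check_canaries(baseline)
    return order, clean, alerts


if __name__ == "__main__":
    order, clean, alerts = demo()
    print("listing order:", order)
    print("alerts before tamper:", clean)
    print("alerts after tamper:", alerts)
```

Note that `sorted(os.listdir(...))` is byte/codepoint order; `ls` under a locale that ignores leading dots (many `LANG=en_US.UTF-8` setups) orders differently, so the "dotfiles first" assumption only holds for crawlers that sort the raw names, which is the behaviour the issue reports.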