CryptoBlocker FSRM rules alert on its own files #7

Open
nm777 opened this issue Jun 13, 2016 · 1 comment

Comments


nm777 commented Jun 13, 2016

CryptoBlocker's current ruleset includes a rule to look for and alert when files matching *crypt* are found. This causes problems in the following scenarios:

  1. Copying DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script is detected as a malicious file and blocked.
  2. Running DeployCryptoBlocker.ps1 to update current rulesets from a volume that is monitored. The script produces a log file at $env:Temp\cryptoblocker-eventnotify.txt, which is detected as a malicious file and blocked.

In both cases, the current ruleset appears to trigger based on the rule *crypt*. A possible solution might be to create an exclusion rule for these specific files.
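As an added illustration (not code from the CryptoBlocker project), the following dry-run check evaluates FSRM-style include/exclude patterns against file names locally, so a ruleset can be tested for self-matches before it is pushed with filescrn.exe. It assumes FSRM treats a file as a group member when its name matches an include pattern and no exclude pattern, and uses PowerShell's `-like` as a stand-in for FSRM wildcard matching; the function name and the sample file names are constructed for this example.

```powershell
# Added example, not part of DeployCryptoBlocker.ps1.
# Assumption: a file is screened when its name matches any "member" pattern
# and none of the "non-member" patterns; -like stands in for FSRM matching.
function Test-FsrmGroupMember {
    param(
        [Parameter(Mandatory)] [string]   $FileName,
        [Parameter(Mandatory)] [string[]] $Members,
        [string[]] $NonMembers = @()
    )
    $included = $Members    | Where-Object { $FileName -like $_ }
    $excluded = $NonMembers | Where-Object { $FileName -like $_ }
    return ([bool]$included -and -not [bool]$excluded)
}

# Files the deployment itself produces (taken from the issue description).
$ownFiles = @(
    'DeployCryptoBlocker.ps1',
    'cryptoblocker-eventnotify.txt',
    'cryptoblocker-cmdnotify.txt'
)

$members    = @('*crypt*')   # the pattern the issue reports as the trigger
$exclusions = $ownFiles      # exact names, as the proposed fix does

# Constructed sample names: one harmless, one that should still be screened.
$samples = $ownFiles + @('quarterly-report.docx', 'photos-encrypted.zip')

foreach ($f in $samples) {
    $before = Test-FsrmGroupMember -FileName $f -Members $members
    $after  = Test-FsrmGroupMember -FileName $f -Members $members -NonMembers $exclusions
    '{0,-32} screened without exclusions: {1,-5} with exclusions: {2}' -f $f, $before, $after
}
```

The three script files flip from screened to not screened once the exclusions are applied, while a name such as photos-encrypted.zip stays screened, confirming the exclusions narrow the rule rather than disable it.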


nm777 commented Jun 13, 2016

Here is a patch that should resolve the issue.

From 6c8a33b5d388b6582de1ef87d48922c107f39647 Mon Sep 17 00:00:00 2001
From: Nate Morris <[email protected]>
Date: Mon, 13 Jun 2016 13:16:18 -0500
Subject: [PATCH] Added exclusions to the FSRM group so FSRM doesn't detect
 this script as an infection.

---
 DeployCryptoBlocker.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1
index 1971a61..d7505bf 100644
--- a/DeployCryptoBlocker.ps1
+++ b/DeployCryptoBlocker.ps1
@@ -99,6 +99,12 @@ $batchFilename = "C:\FSRMScripts\KillUserSession.bat"
 $eventConfFilename = "$env:Temp\cryptoblocker-eventnotify.txt"

 $cmdConfFilename = "$env:Temp\cryptoblocker-cmdnotify.txt"



+$exclusions = @(`

+    $MyInvocation.MyCommand.Name,

+    "cryptoblocker-eventnotify.txt",`

+    "cryptoblocker-cmdnotify.txt"`

+    )

+

 $scriptConf = @'

 param([string] $DomainUser)



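Review bot: The line continuations in the `$exclusions` array are inconsistent: `@(`` and the last two elements carry a trailing backtick while `$MyInvocation.MyCommand.Name,` does not. Inside `@( ... )` PowerShell already continues across newlines, so the backticks are unnecessary, and a backtick followed by trailing whitespace would break parsing; drop them and let the parentheses do the work. A short comment noting that `$MyInvocation.MyCommand.Name` is the script's own file name only when the file is invoked as a script (it is empty when the lines are pasted into a console) would save the next reader a detour.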
@@ -209,6 +215,7 @@ $cmdConf | Out-File $cmdConfFilename
 Write-Host "Adding/replacing File Group [$fileGroupName] with monitored file [$($monitoredExtensions -Join ",")].."

 &filescrn.exe filegroup Delete /Filegroup:$fileGroupName /Quiet

 &filescrn.exe Filegroup Add "/Filegroup:$fileGroupName" "/Members:$($monitoredExtensions -Join "|")"

+&filescrn.exe Filegroup Modify "/Filegroup:$fileGroupName" "/Nonmembers:$($exclusions -Join "|")"



 Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [$eventConfFilename] and Command Notification [$cmdConfFilename].."

 &filescrn.exe Template Delete /Template:$fileTemplateName /Quiet

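Review bot: The `Write-Host` line above still reports only the monitored members, so the deployment log will not show what is being excluded; include `$($exclusions -Join ",")` in that message. `filescrn.exe Filegroup Add` also accepts `/Nonmembers:`, so the exclusions could be passed on the existing `Add` line and the separate `Modify` call dropped. Either way, none of the `filescrn.exe` calls check `$LASTEXITCODE`, so a failed exclusion update would go unnoticed and the script would silently keep screening its own files.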
-- 
2.6.4.windows.1

m-dwyer pushed a commit that referenced this issue Aug 26, 2016
…_alert_on_its_own_files

Issue #7 - crypto blocker fsrm rules alert on its own files