- Prevent ransomware attacks on network shares with File Server Resource Manager (FSRM) - Mon, Mar 7 2022
Launch the FSRM MMC snap-in. You can install the FSRM role with the required management tools using the following PowerShell command:
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Please note that this command needs to be run as an Administrator.
Go to the side bar, and under the File Screening Management section, click the File Groups applet. You should see several built-in file groups.
Right-click the File Groups applet and select Create File Group.
For the file group name, enter "All Files," and under "Files to include," enter *.* and click Add.
This is very important because we will be implicitly blocking all file extensions and explicitly allowing certain file extensions. Ransomware has evolved over the years to the point where the extension generated during the encryption process can be dynamic and unique to the server being encrypted. For example, a variant of the REvil ransomware will generate a file extension matching a portion of the UUID of the disk being encrypted. Because of this, it is no longer practical to maintain a list of known ransomware extensions to explicitly block.
Click OK.
Before we apply the implicit block to the network share, we will create an explicit file screen exception to apply.
Go to the side bar, and under the File Screening Management section, click the File Screens applet.
Enter the (local) path where the file screen exception will be applied. Please note that this exception will be applied to the root directory as well as all subdirectories. For this guide, I am going to apply this file screen exception to my collaborative network share: S:\COLLAB.
Select the file extension groups you want to allow to be saved on the server. Since this is a collaborative network share, I am going to allow Audio and Video Files, Compressed Files, Executable Files, Image Files, System Files, Temporary Files, Text Files, and Web Page Files.
You can modify each group of file extensions as needed.
Click OK.
You should see both the new file screen and the file screen exception.
Now, if I go to my collaborative network share and try to create, copy, or modify a file with an extension other than what is explicitly allowed (e.g., *.locked), I will get an error.
Additionally, I am disallowed from copying or creating files with blocked extensions (e.g., *.encrypted).
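The GUI steps above can also be scripted with the FileServerResourceManager PowerShell module. This is an added example, not the author's code. It assumes the blocking file screen is placed on the parent path S:\ (the article does not state where the screen is applied), with the exception on S:\COLLAB.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules FileServerResourceManager

# Assumption (not stated in the article): the block-all screen sits on the
# parent path S:\. FSRM does not accept a file screen and an exception on
# the same folder, so the exception goes on the S:\COLLAB subfolder.
$ScreenPath    = 'S:\'          # assumed parent path for the blocking screen
$ExceptionPath = 'S:\COLLAB'    # share path used in the article
$AllFilesGroup = 'All Files'

# Built-in file groups the article allows on the collaborative share.
$AllowedGroups = @(
    'Audio and Video Files', 'Compressed Files', 'Executable Files',
    'Image Files', 'System Files', 'Temporary Files',
    'Text Files', 'Web Page Files'
)

# Fail early if an allowed group is missing (renamed or deleted).
$existing = (Get-FsrmFileGroup).Name
$missing  = $AllowedGroups | Where-Object { $_ -notin $existing }
if ($missing) { throw "Missing FSRM file groups: $($missing -join ', ')" }

# 1. Catch-all group with the article's *.* include pattern.
if ($AllFilesGroup -notin $existing) {
    New-FsrmFileGroup -Name $AllFilesGroup -IncludePattern @('*.*') | Out-Null
}

# 2. Active screen: writes matching the catch-all group are rejected.
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -IncludeGroup $AllFilesGroup -Active | Out-Null
}

# 3. Exception: explicitly allow the listed groups under the share.
if (-not (Get-FsrmFileScreenException -Path $ExceptionPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $ExceptionPath -IncludeGroup $AllowedGroups | Out-Null
}

# 4. Verify: a .txt write should succeed, a .locked write should be rejected.
function Test-ScreenedWrite([string]$Name) {
    $file = Join-Path $ExceptionPath $Name
    try   { Set-Content -Path $file -Value 'fsrm test' -ErrorAction Stop; Remove-Item $file; $true }
    catch { $false }
}
[pscustomobject]@{
    TxtAllowed    = Test-ScreenedWrite "fsrm-test-$PID.txt"
    LockedBlocked = -not (Test-ScreenedWrite "fsrm-test-$PID.locked")
}
```

Both properties in the final object should read True once the screen and exception are in place; the script skips objects that already exist, so it can be re-run.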
FSRM is a powerful tool that, when set up correctly, can help you audit and manage what data is allowed to be stored on your file shares. And now, it can also be used as an additional measure to ensure that your network share files are not encrypted or modified by ransomware.
But when the malware first encrypts the contents of the file and saves it under the original file name, FSRM won’t allow it to rename it, but the data will already be encrypted and therefore lost, right?
Not sure you're right, but you can also deny that user access to the file shares after the first detection, so it will encrypt only one file. It’s better than the full share…
Using File Screening is not a solution. If you put a “Not allowed extension file” (i.e. video file) in an archive file (i.e. zip), you can do it.
If you have embedded a not-allowed-extension file in an allowed-extension file, it’s good again.
Don’t believe me, try it yourself, and make up your own mind.
After applying these settings, I can’t directly download from websites to network shares with FSRM rules, any help with this?