Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FSRM Experiant list hasn't updated since November 23 #104

Open
rivir opened this issue Jan 3, 2023 · 44 comments
Open

FSRM Experiant list hasn't updated since November 23 #104

rivir opened this issue Jan 3, 2023 · 44 comments

Comments

@rivir
Copy link

rivir commented Jan 3, 2023

FSRM Experiant list hasn't updated since November 23, any change to this process?

@laonap
Copy link

laonap commented Jan 9, 2023

FSRM Experiant list hasn't updated since November 23, any change to this process?

yes, i have a same question.

@gizmo21
Copy link

gizmo21 commented Jan 12, 2023

Also left a comment here:
https://www.bleepingcomputer.com/forums/t/617002/do-you-administer-windows-file-servers-are-you-using-microsofts-free-fsrm/?p=5459939

@gizmo21
Copy link

gizmo21 commented Jan 13, 2023

perhaps it is of use for someone:
https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

@rivir
Copy link
Author

rivir commented Jan 13, 2023

perhaps it is of use for someone: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

I added the 5000+ filters from the FSRM list to this, if that is not what you intended, please revert.

@gizmo21
Copy link

gizmo21 commented Jan 13, 2023

yeah not sure , but perhaps could be OK if someone scraps rhe whole list from there.
But it seems you did overwrite my entries so I put them back to the top like it is usually done.

@rivir
Copy link
Author

rivir commented Jan 13, 2023

got it, sorry for the overwrite

@laonap
Copy link

laonap commented Jan 14, 2023

perhaps it is of use for someone: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

Will this list be updated regularly?

@rivir
Copy link
Author

rivir commented Jan 14, 2023

perhaps it is of use for someone: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

Will this list be updated regularly?

Need to create a form and process to collect filters.
Not sure if this it the correct space for this, or where that should be hosted.

@gizmo21
Copy link

gizmo21 commented Jan 14, 2023

perhaps it is of use for someone: https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

Will this list be updated regularly?

Well the process is community work on fsrm.experiant.ca, and also that Wikipage can be updated by anyone with github account. So if you come across new extensions just add them, but checking on doubleentries has to be done manually by any contributer.

I would hope this is only temporarily.

@DFFspace
Copy link

DFFspace commented Jan 14, 2023

Glad I'm not the only one noticed it's been some time that the list got updated. I was first thinking that my script broke or they went to a new site.

I've seen @rivir repo with a list.txt that had the same layout the site used. I have made a pull request to add the missing ones from @gizmo21 wiki list.

I think we can use @rivir repo to host this list.txt file on as you can view this file as raw in Github and that would work the same way. People than could file issues or make a pull request with new extensions and they can get added to that list.txt

@rivir
Copy link
Author

rivir commented Jan 16, 2023

sounds like a plan...
hosting the list here: https://github.com/rivir/CryptoBlocker/raw/master/list

powershell $webClient.DownloadString would need to be modified
#$jsonStr = $webClient.DownloadString("https://fsrm.experiant.ca/api/v1/get")
$monitoredExtensions = $webClient.DownloadString("https://github.com/rivir/CryptoBlocker/raw/master/list")

any other ideas?

@DFFspace
Copy link

That should work. Although I was thinking to keep the layout of the list in the same JSON style like this: https://raw.githubusercontent.com/DFFspace/FSRM/main/list.txt

Than the script itself doesn't need to be modified and people have to only replace the URL.

@rivir
Copy link
Author

rivir commented Jan 16, 2023

I like your idea more. I do not use the JSON beyond the filter list, so I simplified it, but I agree maintaining that metadata could be useful for many others.
I haven't thought about how to automate the creation of the JSON after the pull requests, so this would take some prep work (ideas appreciated).

@gizmo21
Copy link

gizmo21 commented Jan 17, 2023

..in the meantime I updated https://github.com/nexxai/CryptoBlocker/wiki/fallback-list, cause it is the most easy way for me without pullrequests... - "update reason comment" is the source of the new filters

@DFFspace
Copy link

Currently working on the forked repo from @rivir with some workflows / Python script that could update the files automatically when new items being added to the list.

@DFFspace
Copy link

DFFspace commented Jan 17, 2023

Here is my repo: https://github.com/DFFspace/CryptoBlocker

I've updated the list.txt file, It's alphabetically sorted. I also noticed there where some extensions that had their character replaced with the unicode or two extensions used the \n character which is normally used to create a new line.

For example there was a extension named: "*.Deniz_K\u0131z\u0131" The problem is that Windows doesn't allow certain characters types as extension.
image

But when the PowerShell script is being used it ignores these unicodes and replaces them with the correct normal character. I went ahead and fixed the extensions that had these unicodes and or \n. They now use the correct characters instead of the unicode ones. I have updated this in the list.txt file.

I created a small Python script that is assigned to a workflow action. This action gets triggered when the list.txt is being updated or editted. And will grab the list.txt file, store each item in a list, and than create the same json layout format with all the extensions. Which updates this KnownExtensions.txt file.

This would be the URL that people can use in their scripts: https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt

To get new extensions added people would need to report a issue with the new extension that should be added.

Any feedback would be appreciated

@gizmo21
Copy link

gizmo21 commented Jan 18, 2023

Well I can't see the advantage of an alphabetically sortet list, as new additions would have to be searched in the whole file (to prevent double-issue-posts.
If the newest are always on top (like https://fsrm.experiant.ca/#rawlist ) this is much easier for submitters, and for those who want to review the additions before adding, for potentially to be excluded extensions, or those who excluded rather old extensions.

Also there are sometimes additions like *.vn2.1.[victims_ID] which wouldn't block ANYTHING on an attack if added without alteration, as the filter would had to be at least *.vn2.1.[*] or even better *.vn2.1.* to block with your own victim_ID or domainname... Therefore it's also much easier if you see the latest additions on top, but perhaps I'm the only one...

And it seems it was only once sorted and then appended.

xort.txt
your_key.rsa
zXz.html
zcrypt.exe
zycrypt.*
zzzzzzzzzzzzzzzzzyyy
Инструкция по расшифровке.TXT
инструкция по оплате.txt
*.bpws
*.iswr
*.KoRyA
*.mao
*.poqw
*.pouu
*.RYKCRYPT
*.znsm
*.znto
*.znws
*.zoqw
*.zouu

But I will try it next time with an addition-issue on your repo.

@DFFspace
Copy link

I see what you mean. Nonetheless I could write a workflow action that is able to look for any duplicated extensions. When they get submitted or being added, so there is a check beforehand it updates the file.

I will see If I can fix the list how this is being done (like https://fsrm.experiant.ca/#rawlist) in that order with the fixes for the unicode characters, and I will make sure the new ones that are being added on top of the list!

@DFFspace
Copy link

@gizmo21, I changed the list to reflect the extension order as they are listed on (https://fsrm.experiant.ca/#rawlist) And added the new ones above *.Mafer so from now on new extensions will appear on top!

@davidande
Copy link

Hello,
I did modifications for my script to work with this list.
Working Great

@jf40541
Copy link

jf40541 commented Mar 18, 2023

Thanks to davidande for the update. I tested your script and after changing the download url to DFF's list, it successfully downloads the new list, but I'm unable to write to any folders at all. Seems FSRM is blocking any file extensions from being written to the protected folders, even legit extensions that are not in the list. Formatting issue in the script against the new list perhaps?

Regards,
Jeff

@rivir
Copy link
Author

rivir commented Mar 18, 2023 via email

@jf40541
Copy link

jf40541 commented Mar 19, 2023

I'm using davidande's script.

@davidande
Copy link

Hello,
Facing the same issue. all files are blocked.
Help will be appreciated on my script :-)

@DFFspace
Copy link

DFFspace commented Mar 20, 2023

Strange... I only use my script to generate and update the template list.

Is the issue not something where it enables all templates? Below is how mine are setup.
224277952-d6d7b9aa-9d8c-498e-ab03-a19dfc63a874
224278215-25d35523-56ae-4012-a08d-3195c4bd016a
224279610-f54a83b2-c0ef-4139-b4a8-ae78c2809951

@rivir
Copy link
Author

rivir commented Mar 20, 2023

I only use the list as well.
I have the list working for me up to March 14 (last entry was *.zxc)

David, does the old list works for you still on your script?

@davidande
Copy link

Hello,
Since I decide to stard using alternative list, I cannot manage it to work. I have 2 errors
All type of files are blocked by FSRM
I tried ather thing but I also have probleme in the NewFSRMFileGroup command. I think that there is a format problem.
As I Got no time at the moment, I ask for help if someone can manage it in my script :-)

@DFFspace
Copy link

DFFspace commented Mar 21, 2023

Hello @davidande,

I have done some testing's and found something I think. I created myself a new Win Server 2022 VM and created from scratch a Share. When I run you script with my list as download for the extensions it indeed blocks all files.
image

However, when I use my own File Group created with my script using my list and changing the file group from Crypto_Blocker_extensions to my list Known Ransomware Files it seems to work and is not blocking all files.
image

I did noticed that your script seems to add on some characters the symbol "?" As shown below. On the left is my list fetched trough my script and on the right from your script:
image
image
image
image

I've made a Pull-request with the protentional fix for your script in your repo. I did test this on my FSRM and seems to work now and no longer blocks legit or all files.

@rivir
Copy link
Author

rivir commented Mar 21, 2023

This is likely the issue then. PowerShell/PowerShell#7618

Invoke-webrequest (line 76) in your script needs a couple more properties.

Probably adding

Invoke-WebRequest $url -OutFile $PSScriptRoot\extensions.txt -UseBasicParsing -ContentType 'application/json; charset=UTF-8'

will work better with Cyrillic characters

@davidande
Copy link

This is likely the issue then. PowerShell/PowerShell#7618

Invoke-webrequest (line 76) in your script needs a couple more properties.

Probably adding

Invoke-WebRequest $url -OutFile $PSScriptRoot\extensions.txt -UseBasicParsing -ContentType 'application/json; charset=UTF-8'

will work better with Cyrillic characters

Thanks for the help.
and what about line 147 and 148
$jsonStr = Invoke-WebRequest $url -UseBasicParsing -ContentType 'application/json; charset=UTF-8'
$monitoredExtensions = @(ConvertFrom-Json20($jsonStr) | % { $_.filters })

I made it but same result, all files are blocked and can see ??????? in fsrm

@davidande
Copy link

Can You also give me the exact link for the $url ?
thanks

@rivir
Copy link
Author

rivir commented Mar 28, 2023

@davidande
Copy link

https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt

Thank You very much, my script works now.

@madeyem
Copy link

madeyem commented Apr 15, 2023

Hi,
I also have this problem:
All files are blocked after I replace the original URL in the original DeployCryptoBlocker.ps1 with

https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt

Do you guys know why? I can't find an actual solution for the original script in this or the other thread (DFFspace#16).

Thanks in advance!

@rivir
Copy link
Author

rivir commented Apr 15, 2023 via email

@DFFspace
Copy link

As I have stated here DFFspace#16 I've made some changes to the DeployCryptoBlocker.ps1 script in my repo that should fix the issue.

@gizmo21
Copy link

gizmo21 commented Jun 23, 2023

nexxai answered on reddit, so only little chance of getting old service back online:
https://www.reddit.com/r/sysadmin/comments/142jz3r/comment/jn6mj10/

Hope the wiki-list can stay here...

@nmohamad19
Copy link

Can someone help me with updated url for FSRM extensions?

@gizmo21
Copy link

gizmo21 commented Mar 14, 2024

it's several times in this thread:

https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
It's the most up to date one.

If you want to contribute you can easily add extensions here:
https://github.com/nexxai/CryptoBlocker/wiki/fallback-list

@nmohamad19
Copy link

nmohamad19 commented Mar 15, 2024 via email

@gizmo21
Copy link

gizmo21 commented Mar 15, 2024

@nmohamad19
Copy link

nmohamad19 commented Mar 15, 2024 via email

@nmohamad19
Copy link

nmohamad19 commented Jul 19, 2024 via email

@gizmo21
Copy link

gizmo21 commented Jul 19, 2024

Are you trying to spam here? The updated lists are several times in this thread and they are still up to date 07/2024

https://github.com/DFFspace/CryptoBlocker

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants