WatchDirectory forum (YaBB)
monitor file change (hash?) ransomware mitigation
ercole77 (YaBB Newbies, Posts: 5)
monitor file change (hash?) ransomware mitigation
Mar 22nd, 2016 at 11:51am
Hello guys,
I'm going to implement a ransomware mitigation strategy on my file servers. The idea is to put a hidden folder with a file in every share. This file is continuously monitored for changes, and if one happens, a trigger shuts down the Server service. This should reduce the impact of an infection.
My question is: which plugin best suits my needs? I see no tool for hash monitoring, only for file change.
Gert (YaBB Administrator, Posts: 2239, The Netherlands)
Re: monitor file change (hash?) ransomware mitigation
Reply #1 - Mar 22nd, 2016 at 2:00pm
Hi,

I guess you need the "run a bat script" task with the FILECHNG event. This will start the script (on the local server obviously) when the file has changed.

If you run this task as a Windows Service, you probably need to set the user/pass for the task, see http://blog-en.gdpsoftware.com/2010/04/watchdirectory-tasks-as-windows-service.h...
Make sure this user (also) has admin privileges because I guess the script needs to run as admin to stop the "Server Service".
Gert Rijs - gert (at) gdpsoftware (dot) com
Blog: http://blog-en.gdpsoftware.com/
End Alzheimer's: http://www.alz.org&&...
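As an added illustration (not code from this thread and not WatchDirectory's own), here is a PowerShell script of the kind the "run a bat script" task could launch on the FILECHNG event. It hashes the canary file with SHA-256, compares it with a stored baseline, and stops the Server service (LanmanServer) only when the file content actually differs, so that a timestamp-only or metadata-only change does not take the share offline. The canary path, the baseline path and the event-log source name are assumed placeholders, not values from the thread; a missing canary file is treated as tampering.

```powershell
# Added example, not WatchDirectory's code. Intended to be started by the
# "run a bat script" task on a FILECHNG event for the canary file, running
# as a user with admin rights (needed to stop the Server service).
param(
    [string]$CanaryPath   = 'C:\Shares\Data\.canary\canary.dat',        # assumed path
    [string]$BaselinePath = 'C:\ProgramData\CanaryMonitor\baseline.sha256', # assumed path
    [string]$ServiceName  = 'LanmanServer'                                # the "Server" service
)

function Get-CanaryHash {
    param([string]$Path)
    # A deleted or renamed canary returns $null, which never matches a stored baseline.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

function Write-CanaryEvent {
    param([string]$Message, [string]$EntryType = 'Warning')
    $source = 'CanaryMonitor'   # assumed event source name
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 4242 `
                   -EntryType $EntryType -Message $Message
}

$current  = Get-CanaryHash -Path $CanaryPath
$baseline = $null
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = (Get-Content -LiteralPath $BaselinePath -Raw).Trim()
}

if (-not $baseline) {
    # First run: record the baseline hash and take no other action.
    if (-not $current) {
        Write-CanaryEvent -Message "Canary $CanaryPath not found; no baseline recorded." -EntryType 'Error'
        exit 2
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null
    Set-Content -LiteralPath $BaselinePath -Value $current
    Write-CanaryEvent -Message "Canary baseline recorded: $current" -EntryType 'Information'
    exit 0
}

if ($current -ne $baseline) {
    # Content changed or file gone: take the shares offline by stopping the
    # Server service, and leave an event-log trail for the incident review.
    Write-CanaryEvent -Message "Canary $CanaryPath changed (baseline $baseline, now '$current'). Stopping $ServiceName."
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    exit 1
}

# Hash unchanged: the change event was for timestamp or size metadata only.
Write-CanaryEvent -Message "FILECHNG on $CanaryPath but content unchanged; no action taken." -EntryType 'Information'
exit 0
```

Run it once by hand (as admin) to record the baseline before wiring it to the task; after that every invocation compares against the stored hash. The hash comparison is what distinguishes real content changes from the metadata-only changes Dirk mentions below, but it does nothing about his other point: a single canary that happens to be encrypted last, or skipped, gives no warning at all, so this is a supplement to backups and patching, not a replacement for them.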
Dirk (YaBB Administrator, Posts: 661, South Germany)
Re: monitor file change (hash?) ransomware mitigation
Reply #2 - Mar 22nd, 2016 at 2:43pm
I don't think WatchDirectory is the best tool for this.
What if your test file is one of the last ones to be encrypted? Or if it is missed by the encryption?

Don't feel a sense of security that you don't actually get.
Also note that the newest TeslaCrypt v4 will not change the filename anymore (nevertheless, WatchDirectory would see this change because of the time stamp / file size change).

Having an always-fresh backup (continuous, hourly, ...), an always-patched system and an intrusion detection system is the best you can do, at the moment.
Best regards
Dirk - GdP Software

dirk [at] gdpsoftware [dot] com
http://blog-de.gdpsoftware.com
Website: http://www.gdpsoftware.com
Gert (YaBB Administrator, Posts: 2239, The Netherlands)
Re: monitor file change (hash?) ransomware mitigation
Reply #3 - Mar 22nd, 2016 at 3:59pm
Good point Dirk.