Windows Fileserver Ressource Manager (FSRM) update Ransomware List from multiple TXTs and compare via powershell

The estimated reading time 4 minutes

Windows Fileserver Ressource Manager (FSRM) update Ransomware List from multiple TXTs and compare via powershell

Lots of people today concerning about ransomware and how to prevent their network before encryption.  There are quite few articels where you can find to configure fsrm on Windows File Server which does not allow special extensions for files etc. This is one method to reduce the impact of a ransomeware attack. So I asked myself, how is it possible to get up to date with the file extensions etc. because they are changing nearly every day.

For this reason I wrote a little powershell script which imports file extensions from multiple TXT-files, compares them and writes it in fsrm.

Before you can use this script you have to configure fsrm like the guy here

When fsrm is configured you can use my script to update your filegroup (tested with Windows Server 2012R2 and 2016)

https://github.com/blog-it-koehler-com/import-ransomware-extensions-fsrm

<#
    .SYNOPSIS

    script is used to import and summarize multiple txt files with file extensions in windows fsrm (fileserver ressource manager)

    .DESCRIPTION
    the script imports the content of txt files to fsrm. the txt files should look like the sample txt files in github.They have to be located 
    in the same directory. This directory should be defined in variable. Another variable is the filegroupname, you can see this in fsrm
     
    .EXAMPLE
    -
    .Notes
    -
    this script does not create filegroup or filescreens etc.the current extensions configured will be saved in a legay txt file with date
    further information on my blog: http://blog.it-koehler.com
  
    ---------------------------------------------------------------------------------
                                                                                 
    Script:       import-fileextensions-v02.ps1                                      
    Author:       A. Koehler; blog.it-koehler.com
    ModifyDate:   21/01/2017                                                        
    Usage:        
    Version:      0.2
                                                                                  
    ---------------------------------------------------------------------------------
#>
#define variable
#path containing txt files  (without  '\' at the end!)
$txtfilepath = 'C:\Temp\ransomware'
#fsrm filegroup detecting ransomware 
$filegroupname = 'Ransomware'

#########beginning of the script########
$date=((Get-Date).ToString('yyyy-MM-dd-HH-mm-ss'))
#export the existing extensions to legacy txt files
$legacyfile = (Get-ChildItem $txtfilepath -Recurse -Include '*.txt') | Where-Object {$_.Name -like "*-legacy-ext*"}
#check if legacy txt file available, if not create it, otherwise import txt files
if(!$legacyfile)
  {
  (Get-FsrmFileGroup -Name $filegroupname).IncludePattern | Out-File "$txtfilepath\$date-legacy-ext.txt"
  }
#import content from txt files 
$txtfiles = (Get-ChildItem $txtfilepath -Recurse -Include '*.txt').Name
#import content from all txt files inside directory
foreach ($txtfile in $txtfiles)
  {
  $txtfilescomplpath = $txtfilepath+'\'+ $txtfile
  #convert all content to lower
  $fileext += @((Get-Content $txtfilescomplpath).ToLower())
  }
#sort and eliminate double entries
$compareext = $fileext | Sort-Object -Unique
Set-FsrmFileGroup -Name $filegroupname -IncludePattern ($compareext)

First you have to define two variables as seen in the section “define variables”. First the filepath where multiple txt-files stored with ransomware content. Next you have to define the filescreening name where powershell should import the extensions of the txt-files.

NOTE: if you have already configured and stored ransomware extensions in your fsrm, don’t worry. They will be exported in a legacyfile and imported with the appended extensions. So you will not loose your configuration. But be careful with other txt-files which store other content. The script does no research when importing the content.

In my case multiple txt-files are stored in “C:\temp\ransomware”

My example includes some extensions more than one time, so I can test whether the script imports and compares them. (it also detects upper and lowercase duplikates). TXT-Files should look like this, because every row is a new extension for the script.

As you can see in the screenshot I already created the Filegroup “Ransomware”

In the next step you can open Powershell ISE as Administrator an copy my complete script to the scripteditor.

If the variables are fine you can start the script with the green arrow.

Have a look inside the fsrm and the filegroup you wanted to add extensions

After the script was executed you can find a legacy txt file next to your original txt files. The content is the old filegroup content

It is possible to comapre multiple txt files from several providers to get a little more security to your fileserver.

Please write an comment if you have any further questions or feature requests.

Have fun.

Print Friendly, PDF & Email
Was this article helpful?
YesNo
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments