All files blocked #16

Closed
AciidSn3ak3r opened this issue Mar 2, 2023 · 13 comments
Labels
bug Something isn't working question Further information is requested

Comments

@AciidSn3ak3r

AciidSn3ak3r commented Mar 2, 2023

Hi,
I used to use the original development of this script which worked fine, but recently moved to a new file server and found this fork with an updated list.
Installed the script linked to this fork and found it blocked all files going on this file server.
Disabled CryptoBlockerGroup1 and files could now be saved.
I can't see what actually causes my files to block and under which type.

I did add a skip list for the common files I saw being blocked. Namely pdf, xlsx, docx etc. But it didn't make a difference. Seems to be every file being blocked.

Currently using Windows Server 2022.

Ta

@AciidSn3ak3r
Author

Further whittling down, I found that I have the following files to include:
*.????????
*.????????? ????????????????
*.???????????
*.????????????????
*.????????????????????? ???? ??????????????.txt

However, these aren't in the download list. So I'm unsure how these are getting in. Other language characters perhaps?
Removing these allows me to save files again.
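
Added example, not part of the comment above or of the project's scripts: a PowerShell pre-filter that holds back pattern entries like the ones quoted here before a list is written to an FSRM file group. The function name `Split-FsrmPatterns`, the policy of holding back every entry that contains `?`, and the two ordinary sample entries are assumptions made for illustration.

```powershell
# Added example: screen a downloaded pattern list before it reaches FSRM.
function Split-FsrmPatterns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Pattern
    )

    $keep = [System.Collections.Generic.List[string]]::new()
    $held = [System.Collections.Generic.List[object]]::new()

    foreach ($p in $Pattern) {
        $entry = $p.Trim()
        if ($entry -eq '') { continue }

        # Strip wildcards, dots and whitespace; what is left is the literal part.
        $literal = $entry -replace '[\*\?\.\s]', ''

        if ($literal -eq '') {
            # Nothing but wildcards: the entry names no specific file or extension.
            $held.Add([pscustomobject]@{ Pattern = $entry; Reason = 'WildcardOnly' })
        }
        elseif ($entry.Contains('?')) {
            # Assumed policy: any remaining '?' is reviewed by hand before use.
            $held.Add([pscustomobject]@{ Pattern = $entry; Reason = 'ContainsQuestionMark' })
        }
        else {
            $keep.Add($entry)
        }
    }

    [pscustomobject]@{ Keep = $keep.ToArray(); Held = $held.ToArray() }
}

# Constructed sample: the five entries quoted above plus two made-up ordinary ones.
$sample = @(
    '*.example-locked'
    '*.????????'
    '*.????????? ????????????????'
    '*.???????????'
    '*.????????????????'
    '*.????????????????????? ???? ??????????????.txt'
    'EXAMPLE_RECOVER_FILES.txt'
)

$result = Split-FsrmPatterns -Pattern $sample
$result.Held | Format-Table -AutoSize   # four WildcardOnly, one ContainsQuestionMark
# Set-FsrmFileGroup -Name 'CryptoBlockerGroup1' -IncludePattern $result.Keep
```

Only the two ordinary entries end up in `$result.Keep`; the commented `Set-FsrmFileGroup` line shows where the filtered list would be applied.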

@AciidSn3ak3r
Author

No one experiencing the same issue?

@DFFspace
Owner

DFFspace commented Mar 8, 2023

Hello,

That's some strange behavior. I do use this list as well and haven't seen any issues so far on my Windows Server 2022. I also make use of my own PowerShell script.

I also haven't touched the DeployCryptoBlocker.ps1 file other than reverting a change back to its original to retrieve the extensions again from my updated list URL as seen here. #12

@DFFspace DFFspace added the question Further information is requested label Mar 8, 2023
@AciidSn3ak3r
Author

Peculiar. Only other thing I can think of which might make my environment different is I'm based in the UK.
Not really sure what else it could be though. But definitely removing those entries returns it into a working state.

@DFFspace
Owner

DFFspace commented Mar 8, 2023

Could it maybe be some sort of setting? I haven't really looked into how the script works. In our environment we manually created the whole FSRM and I only created a script that would add and/or update the extension list when it does its daily check to see if there are any new extensions being added.

I can look if I can trim down the script I use. It has loads of HTML code to generate an e-mail that I could trim out and make it basic.

@AciidSn3ak3r
Author

I didn't let the script install FSRM. This was already installed. The script just created the groups, downloaded the list and then blocked everything due to those entries.
Could it be a setting? Maybe. No idea what though.

@DFFspace
Owner

DFFspace commented Mar 10, 2023

I've added my simplified script creating and updating the extensions in a File Group.

https://github.com/DFFspace/CryptoBlocker/blob/master/AddFSRMFileGroup.ps1

Also, something I was wondering: you mentioned it blocking all files? Could it be using all the default File Groups?

I only use the Known Ransomware Files in my File Screening.

@DFFspace
Owner

Hello @AciidSn3ak3r,

Please have a look at: nexxai#104 (comment). Think we found what's causing the issue.

@madeyem

madeyem commented Apr 15, 2023

Hi,
I also have this problem:
All files are blocked after I replace the original URL in the original DeployCryptoBlocker.ps1 with

https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt

Do you guys know why? I can't find an actual solution for the original script in this or the other thread.

Thanks in advance!

@DFFspace
Owner

Hello @madeyem!

Thanks for reaching out. I have just made some changes in the https://github.com/DFFspace/CryptoBlocker/blob/master/DeployCryptoBlocker.ps1 script that should fix the issue where it is blocking all files.

Let me know if that works for you.

@madeyem

madeyem commented Apr 16, 2023

Hi @DFFspace,
thank you!

In line 210 shouldn't it be $KnownExtensionsListURL instead of $UpdateURL?

@DFFspace
Owner

Thanks for pointing that out. Fixed it!

@madeyem

madeyem commented Apr 17, 2023

Script looks good now, "All files blocked" is not happening any more.
Thank you @DFFspace!
