From ccd503a9a98c39bbb267b11066a4cdca2ac26ba4 Mon Sep 17 00:00:00 2001 From: James Rudd Date: Thu, 24 Aug 2017 15:57:23 +1000 Subject: [PATCH 1/5] This version is only for Server 2012+. It is designed to allow it to be easily run from a scheduled task. Replaced filescrn.exe with Powershell commands to remove the depreciated warnings. Added support for a proxy server between script and web Changed to more compatible Write-Output statements to allow redirection of output for logs Made skip list variable as needs to be full path when run as scheduled task. Added Transcript option to create log files of run. --- DeployCryptoBlocker.ps1 | 169 ++++++++++++++++++++-------------------- 1 file changed, 84 insertions(+), 85 deletions(-) diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1 index 4d3858c..ac07b6c 100644 --- a/DeployCryptoBlocker.ps1 +++ b/DeployCryptoBlocker.ps1 
@@ -7,31 +7,51 @@ # Names to use in FSRM $fileGroupName = "CryptoBlockerGroup" $fileTemplateName = "CryptoBlockerTemplate" -# set screening type to -# Active screening: Do not allow users to save unathorized files -$fileTemplateType = "Active" -# Passive screening: Allow users to save unathorized files (use for monitoring) -#$fileTemplateType = "Passiv" + +# Skip List +# If running as a scheduled task give a full path +$SkipList = ".\SkipList.txt" + +# Logging +# Uncomment to enable full logging. Useful for scheduled tasks +#$LoggingPath = ".\Logs\$($env:computername)-$(Get-Date -Format yyyy-MM-dd).txt" +#Start-Transcript -Path $LoggingPath -Append + +# Proxy +# Uncomment and fill in if your site uses a proxy +#$global:PSDefaultParameterValues = @{ +# 'Invoke-RestMethod:Proxy'='http://proxyhost:port' +# 'Invoke-WebRequest:Proxy'='http://proxyhost:port' +# '*:ProxyUseDefaultCredentials'=$true +#} + + +# Screening type +# Active screening: Do not allow users to save unauthorized files +$fileTemplateActive = $true +# Passive screening: Allow users to save unauthorized files (use for monitoring) +#$fileTemplateActive = $false # Write the email options to the temporary file - comment out the entire block if no email notification should be set -$EmailNotification = $env:TEMP + "\tmpEmail001.tmp" -"Notification=m" >> $EmailNotification -"To=[Admin Email]" >> $EmailNotification -## en -"Subject=Unauthorized file from the [Violated File Group] file group detected" >> $EmailNotification -"Message=User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server." 
>> $EmailNotification -## de -#"Subject=Nicht autorisierte Datei erkannt, die mit Dateigruppe [Violated File Group] übereinstimmt" >> $EmailNotification -#"Message=Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." >> $EmailNotification +$MailTo = "[Admin Email];[Source File Owner Email];[Source Io Owner Email]" -# Write the event log options to the temporary file - comment out the entire block if no event notification should be set -$EventNotification = $env:TEMP + "\tmpEvent001.tmp" -"Notification=e" >> $EventNotification -"EventType=Warning" >> $EventNotification ## en -"Message=User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group, which is not permitted on the server." >> $EventNotification +#$Subject = "Unauthorized file from the [Violated File Group] file group detected" +$Subject = "POSSIBLE VIRUS INFECTION DETECTED - [Violated File Group] detected" +$Message = "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file indicates that the file server is in the process of being encrypted by a virus. If you are [Source Io Owner] please shut down any computers you are using IMMEDIATELY and notify IT at 9662 9355" + ## de -#"Message=Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." 
>> $EventNotification +#$Subject = "Nicht autorisierte Datei erkannt, die mit Dateigruppe [Violated File Group] übereinstimmt" +#$Message = "Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." + +$Notifications = @() +# Comment out if no email notification should be set +$Notifications += New-FsrmAction -Type Email -Body $Message -MailTo $MailTo -Subject $Subject + +# Comment out if no event notification should be set +$Notifications += New-FsrmAction -Type Event -Body $Message -EventType Warning + + ################################ USER CONFIGURATION ################################ @@ -127,21 +147,21 @@ $drivesContainingShares = @(Get-WmiObject Win32_Share | if ($drivesContainingShares.Count -eq 0) { - Write-Host "`n####" - Write-Host "No drives containing shares were found. Exiting.." + Write-Output "`n####" + Write-Output "No drives containing shares were found. Exiting.." exit } -Write-Host "`n####" -Write-Host "The following shares needing to be protected: $($drivesContainingShares -Join ",")" +Write-Output "`n####" +Write-Output "The following shares needing to be protected: $($drivesContainingShares -Join ",")" # Identify Windows Server version, and install FSRM role $majorVer = [System.Environment]::OSVersion.Version.Major $minorVer = [System.Environment]::OSVersion.Version.Minor -Write-Host "`n####" -Write-Host "Checking File Server Resource Manager.." +Write-Output "`n####" +Write-Output "Checking File Server Resource Manager.." Import-Module ServerManager 
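Review bot: `New-FsrmAction` is now called unconditionally inside the USER CONFIGURATION block, which runs before the FSRM role check and install that come later in the script, so on a server where the role (and with it the FileServerResourceManager module) is not yet installed the script appears to fail at load time instead of installing FSRM first. Keep only the `$MailTo`/`$Subject`/`$Message` strings here and build `$Notifications` after the role check, directly ahead of `New-FsrmFileScreenTemplate`. The default `$Message` also hard-codes a site-specific phone number (`notify IT at 9662 9355`); that belongs in a user-supplied value, not in the shared default text. The script continues past this hunk.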
@@ -152,25 +172,25 @@ if ($majorVer -ge 6) if ($minorVer -ge 2 -and $checkFSRM.Installed -ne "True") { # Server 2012 - Write-Host "`n####" - Write-Host "FSRM not found.. Installing (2012).." + Write-Output "`n####" + Write-Output "FSRM not found.. Installing (2012).." $install = Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools if ($? -ne $True) { - Write-Host "Install of FSRM failed." + Write-Output "Install of FSRM failed." exit } } elseif ($minorVer -ge 1 -and $checkFSRM.Installed -ne "True") { # Server 2008 R2 - Write-Host "`n####" - Write-Host "FSRM not found.. Installing (2008 R2).." + Write-Output "`n####" + Write-Output "FSRM not found.. Installing (2008 R2).." $install = Add-WindowsFeature FS-FileServer, FS-Resource-Manager if ($? -ne $True) { - Write-Host "Install of FSRM failed." + Write-Output "Install of FSRM failed." exit } @@ -178,12 +198,12 @@ if ($majorVer -ge 6) elseif ($checkFSRM.Installed -ne "True") { # Server 2008 - Write-Host "`n####" - Write-Host "FSRM not found.. Installing (2008).." + Write-Output "`n####" + Write-Output "FSRM not found.. Installing (2008).." $install = &servermanagercmd -Install FS-FileServer FS-Resource-Manager if ($? -ne $True) { - Write-Host "Install of FSRM failed." + Write-Output "Install of FSRM failed." exit } } 
@@ -191,24 +211,24 @@ if ($majorVer -ge 6) else { # Assume Server 2003 - Write-Host "`n####" - Write-Host "Unsupported version of Windows detected! Quitting.." + Write-Output "`n####" + Write-Output "Unsupported version of Windows detected! Quitting.." return } # Download list of CryptoLocker file extensions -Write-Host "`n####" -Write-Host "Dowloading CryptoLocker file extensions list from fsrm.experiant.ca api.." -$webClient = New-Object System.Net.WebClient -$jsonStr = $webClient.DownloadString("https://fsrm.experiant.ca/api/v1/get") +Write-Output "`n####" +Write-Output "Dowloading CryptoLocker file extensions list from fsrm.experiant.ca api.." +$Site="https://fsrm.experiant.ca/api/v1/get" +$jsonStr = Invoke-WebRequest -Uri $Site -UseBasicParsing $monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters }) # Process SkipList.txt -Write-Host "`n####" -Write-Host "Processing SkipList.." -If (Test-Path .\SkipList.txt) +Write-Output "`n####" +Write-Output "Processing SkipList.." +If (Test-Path $SkipList ) { - $Exclusions = Get-Content .\SkipList.txt | ForEach-Object { $_.Trim() } + $Exclusions = Get-Content $SkipList | ForEach-Object { $_.Trim() } $monitoredExtensions = $monitoredExtensions | Where-Object { $Exclusions -notcontains $_ } } 
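Review bot: The download result is never checked before it is fed into the file groups: if `Invoke-WebRequest` fails or the feed returns an empty list, `$monitoredExtensions` ends up empty and the Remove-then-New sequence in the next hunk (`Remove-FsrmFileScreenTemplate`, `Remove-FsrmFileScreen`) still runs, which likely tears down the existing screens from a scheduled task on a transient network error. `Invoke-WebRequest` also returns a response object rather than the string the old `DownloadString` call produced; pass `.Content` unless `ConvertFrom-Json20` (defined outside this hunk) is known to stringify it. Because the list is applied verbatim as include patterns, a check that rejects an empty list or a catch-all pattern keeps a bad or tampered feed from blocking every write in Active mode. The progress string also reads `Dowloading`. The surrounding code continues past the hunk.
```powershell
$Site = "https://fsrm.experiant.ca/api/v1/get"
try {
    $jsonStr = (Invoke-WebRequest -Uri $Site -UseBasicParsing -ErrorAction Stop).Content
} catch {
    Write-Output "Download of the extension list from $Site failed: $($_.Exception.Message). Existing FSRM configuration left unchanged."
    exit 1
}
$monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters })
if ($monitoredExtensions.Count -eq 0 -or $monitoredExtensions -contains '*' -or $monitoredExtensions -contains '*.*') {
    Write-Output "Extension list is empty or contains a catch-all pattern. Refusing to update FSRM."
    exit 1
}
# … unchanged: SkipList processing …
```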
@@ -228,60 +248,39 @@ Else # entries before applying the list to your FSRM implementation. # '@ - Set-Content -Path .\SkipList.txt -Value $emptyFile + Set-Content -Path $SkipList -Value $emptyFile } # Split the $monitoredExtensions array into fileGroups of less than 4kb to allow processing by filescrn.exe $fileGroups = @(New-CBArraySplit $monitoredExtensions) # Perform these steps for each of the 4KB limit split fileGroups -Write-Host "`n####" -Write-Host "Adding/replacing File Groups.." +Write-Output "`n####" +Write-Output "Adding/replacing File Groups.." ForEach ($group in $fileGroups) { - #Write-Host "Adding/replacing File Group [$($group.fileGroupName)] with monitored file [$($group.array -Join ",")].." - Write-Host "`nFile Group [$($group.fileGroupName)] with monitored files from [$($group.array[0])] to [$($group.array[$group.array.GetUpperBound(0)])].." - &filescrn.exe filegroup Delete "/Filegroup:$($group.fileGroupName)" /Quiet - &filescrn.exe Filegroup Add "/Filegroup:$($group.fileGroupName)" "/Members:$($group.array -Join '|')" + #Write-Output "Adding/replacing File Group [$($group.fileGroupName)] with monitored file [$($group.array -Join ",")].." + Write-Output "`nFile Group [$($group.fileGroupName)] with monitored files from [$($group.array[0])] to [$($group.array[$group.array.GetUpperBound(0)])].." + Remove-FsrmFileGroup -Name $($group.fileGroupName) -Confirm:$false + New-FsrmFileGroup -Name $($group.fileGroupName) -IncludePattern $($group.array) } # Create File Screen Template with Notification -Write-Host "`n####" -Write-Host "Adding/replacing [$fileTemplateType] File Screen Template [$fileTemplateName] with eMail Notification [$EmailNotification] and Event Notification [$EventNotification].." 
-&filescrn.exe Template Delete /Template:$fileTemplateName /Quiet -# Build the argument list with all required fileGroups and notifications -$screenArgs = 'Template', 'Add', "/Template:$fileTemplateName", "/Type:$fileTemplateType" -ForEach ($group in $fileGroups) { - $screenArgs += "/Add-Filegroup:$($group.fileGroupName)" -} -If ($EmailNotification -ne "") { - $screenArgs += "/Add-Notification:m,$EmailNotification" -} -If ($EventNotification -ne "") { - $screenArgs += "/Add-Notification:e,$EventNotification" -} -&filescrn.exe $screenArgs +Write-Output "`n####" +Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$fileTemplateName] with eMail Notification [$EmailNotification] and Event Notification [$EventNotification].." +Remove-FsrmFileScreenTemplate -Name $fileTemplateName -Confirm:$false +New-FsrmFileScreenTemplate -Name $fileTemplateName -Active:$fileTemplateActive -IncludeGroup $fileGroups.fileGroupName -Notification $Notifications # Create File Screens for every drive containing shares -Write-Host "`n####" -Write-Host "Adding/replacing File Screens.." +Write-Output "`n####" +Write-Output "Adding/replacing File Screens.." $drivesContainingShares | ForEach-Object { - Write-Host "File Screen for [$_] with Source Template [$fileTemplateName].." - &filescrn.exe Screen Delete "/Path:$_" /Quiet - &filescrn.exe Screen Add "/Path:$_" "/SourceTemplate:$fileTemplateName" -} - -# Cleanup temporary files if they were created -Write-Host "`n####" -Write-Host "Cleaning up temporary stuff.." -If ($EmailNotification -ne "") { - Remove-Item $EmailNotification -Force -} -If ($EventNotification -ne "") { - Remove-Item $EventNotification -Force + Write-Output "File Screen for [$_] with Source Template [$fileTemplateName].." + Remove-FsrmFileScreen -Path $_ -Confirm:$false + New-FsrmFileScreen -Path $_ -Template $fileTemplateName } -Write-Host "`n####" -Write-Host "Done." -Write-Host "####" +Write-Output "`n####" +Write-Output "Done." 
+Write-Output "####" ################################ Program code ################################ From 013818ed2b24696bccd0f2419d10e7daab9b6f53 Mon Sep 17 00:00:00 2001 From: James Rudd Date: Fri, 25 Aug 2017 12:20:37 +1000 Subject: [PATCH 2/5] Added Powershell FSRM response to only show when Verbose is enabled. Added existence test for file shares before attempting to add them --- DeployCryptoBlocker.ps1 | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1 index ac07b6c..0e3aec8 100644 --- a/DeployCryptoBlocker.ps1 +++ b/DeployCryptoBlocker.ps1 
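Review bot: The new progress line still interpolates `$EmailNotification` and `$EventNotification`, which this same commit removes from the configuration block, so it prints two empty brackets; report what is actually configured instead, e.g. `Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$fileTemplateName] with $($Notifications.Count) notification action(s).."`. The comment about splitting into groups "to allow processing by filescrn.exe" is stale now that filescrn.exe is gone; if the split is still needed for an FSRM limit, name it, otherwise mark it as historical. Each Remove-then-New pair deletes the existing object before its replacement is created, so a failure in `New-FsrmFileGroup` or `New-FsrmFileScreenTemplate` leaves the server unscreened until the next run; updating an existing object with `Set-FsrmFileGroup`/`Set-FsrmFileScreenTemplate` and falling back to New only when it is absent avoids that window. The section continues past the hunk.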
@@ -260,23 +260,28 @@ Write-Output "Adding/replacing File Groups.." ForEach ($group in $fileGroups) { #Write-Output "Adding/replacing File Group [$($group.fileGroupName)] with monitored file [$($group.array -Join ",")].." Write-Output "`nFile Group [$($group.fileGroupName)] with monitored files from [$($group.array[0])] to [$($group.array[$group.array.GetUpperBound(0)])].." - Remove-FsrmFileGroup -Name $($group.fileGroupName) -Confirm:$false - New-FsrmFileGroup -Name $($group.fileGroupName) -IncludePattern $($group.array) + Remove-FsrmFileGroup -Name $($group.fileGroupName) -Confirm:$false | Write-Verbose + New-FsrmFileGroup -Name $($group.fileGroupName) -IncludePattern $($group.array) | Write-Verbose } # Create File Screen Template with Notification Write-Output "`n####" -Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$fileTemplateName] with eMail Notification [$EmailNotification] and Event Notification [$EventNotification].." -Remove-FsrmFileScreenTemplate -Name $fileTemplateName -Confirm:$false -New-FsrmFileScreenTemplate -Name $fileTemplateName -Active:$fileTemplateActive -IncludeGroup $fileGroups.fileGroupName -Notification $Notifications +Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$fileTemplateName] with eMail Notification and Event Notification.." +Remove-FsrmFileScreenTemplate -Name $fileTemplateName -Confirm:$false | Write-Verbose +New-FsrmFileScreenTemplate -Name $fileTemplateName -Active:$fileTemplateActive -IncludeGroup $fileGroups.fileGroupName -Notification $Notifications | Write-Verbose # Create File Screens for every drive containing shares +# Test for share existence as on File Clusters may be on another node Write-Output "`n####" Write-Output "Adding/replacing File Screens.." $drivesContainingShares | ForEach-Object { - Write-Output "File Screen for [$_] with Source Template [$fileTemplateName].." 
- Remove-FsrmFileScreen -Path $_ -Confirm:$false - New-FsrmFileScreen -Path $_ -Template $fileTemplateName + If (Test-Path $_ ){ + Write-Output "File Screen for [$_] with Source Template [$fileTemplateName].." + Remove-FsrmFileScreen -Path $_ -Confirm:$false | Write-Verbose + New-FsrmFileScreen -Path $_ -Template $fileTemplateName | Write-Verbose + } Else { + Write-Output "File Screen for [$_] could not be created as the path is invalid" + } } Write-Output "`n####" From 01d58018cc63ebe6f235ac743db4ba39dfb418f5 Mon Sep 17 00:00:00 2001 From: James Rudd Date: Tue, 29 Aug 2017 15:07:36 +1000 Subject: [PATCH 3/5] Added Powershell Params and description header. Still need to add Mail To, Subject and Body entries. --- DeployCryptoBlocker.ps1 | 161 ++++++++++++++++++++++++++++++++-------- 1 file changed, 129 insertions(+), 32 deletions(-) diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1 index 0e3aec8..d4b1527 100644 --- a/DeployCryptoBlocker.ps1 +++ b/DeployCryptoBlocker.ps1 
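Review bot: The new `Else` branch only prints a line when `Test-Path $_` fails, so a share left unprotected on this node is indistinguishable from success for a scheduled task that only checks the exit code. Use `Write-Warning` so the message lands on the warning stream and in the transcript, collect the path (`$unprotected += $_`) and exit non-zero after the loop when the list is non-empty. Piping `Remove-FsrmFileScreen`/`Remove-FsrmFileGroup` into `Write-Verbose` appears to be a no-op since the Remove cmdlets emit nothing, and the CIM objects from the New cmdlets are stringified to a type name, which tells the reader little; `| Out-String | Write-Verbose` or simply `-Verbose` passthrough would be clearer. The `ForEach-Object` block continues past the hunk.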
@@ -1,36 +1,131 @@ -# DeployCryptoBlocker.ps1 -# Version: 1.1 -##### +<# +.Synopsis +Create and update CryptoLocker detection groups and Templates in FSRM + +.Description +Script to create and update CryptoLocker detection groups and Templates in FSRM. +It downloads a list of known CryptoLocker extensions from a public repositoty and creates file Groups, Templates and Screens in FSRM + +.Parameter GroupName +Specify FSRM File Group Name + +.Parameter TemplateName +Specify FSRM File Template Name + +.Parameter SkipListPath +Text file containing a list of exclude match strings + +.Parameter ActiveTemplate +Boolean: True: Create Active screens that do not allow users to save unauthorized files. False: Passive screening: Allow users to save unauthorized files (use for monitoring) + +.Parameter DisableEmail +Do not send an alert email when detection occurs + +.Parameter DisableEvent +Do not create an alert event when detection occurs + +.Parameter EnableLogging +Enable Transcript logging of session + +.Parameter LogFilePath +Where to write log file + + +.Notes +Last Updated: 2017-08-29 +Version : 1.2 + +.Example +PS C:\> DeployCryptoBlocker.ps1 + +Create File Groups, Screen and Templates. Templates will be passive and an email and event notification will be sent if a match occurs. + + +.Example +PS C:\> DeployCryptoBlocker.ps1 -NoEmail + +Create File Groups, Screen and Templates. Templates will be passive and an event notification will be generated if a match occurs. + +.Example +PS C:\> DeployCryptoBlocker.ps1 -Active -NoEvent + +Create File Groups, Screen and Templates. Templates will be active and will block file writes that match. An email will be sent if a match occurs. + +.Example +PS C:\> DeployCryptoBlocker.ps1 -Active -ProxyHost MyProxy.server.com -ProxyPort 3128 + +Create File Groups, Screen and Templates. Templates will be active and will block file writes that match. An email and event will be sent if a match occurs. 
+Block list download will use the proxy server specified. + + +#> + + +[CmdletBinding()] +Param( + [string] $GroupName = "CryptoBlockerGroup", + + [string] $TemplateName = "CryptoBlockerTemplate", + + [Parameter(Mandatory=$False,Position=1)] + [alias('Skip')] + [string] $SkipListPath = ".\SkipList.txt", + + [alias('Active')] + [switch] $ActiveTemplate, + + [alias('NoEmail')] + [switch] $DisableEmail, + + [alias('NoEvent')] + [switch] $DisableEvent, + + + + [switch] $EnableLogging = $false, + + [string] $LogFilePath = ".\Logs\$($env:computername)-$(Get-Date -Format yyyy-MM-dd).txt", + + + [string] $ProxyHost = $false, + + [ValidateRange(1,65535)] + [int] $ProxyPort = 8080 + +) + ################################ USER CONFIGURATION ################################ # Names to use in FSRM -$fileGroupName = "CryptoBlockerGroup" -$fileTemplateName = "CryptoBlockerTemplate" +$FileGroupName = $GroupName +$FileTemplateName = $TemplateName # Skip List # If running as a scheduled task give a full path -$SkipList = ".\SkipList.txt" +$SkipList = $SkipListPath # Logging -# Uncomment to enable full logging. 
Useful for scheduled tasks -#$LoggingPath = ".\Logs\$($env:computername)-$(Get-Date -Format yyyy-MM-dd).txt" -#Start-Transcript -Path $LoggingPath -Append +# Useful for scheduled tasks +if ($EnableLogging) { + Start-Transcript -Path $$LogFilePath -Append +} # Proxy # Uncomment and fill in if your site uses a proxy -#$global:PSDefaultParameterValues = @{ -# 'Invoke-RestMethod:Proxy'='http://proxyhost:port' -# 'Invoke-WebRequest:Proxy'='http://proxyhost:port' -# '*:ProxyUseDefaultCredentials'=$true -#} - +if ($ProxyHost){ + $global:PSDefaultParameterValues = @{ + 'Invoke-RestMethod:Proxy' = "http://$($ProxyHost):$($ProxyPort)" + 'Invoke-WebRequest:Proxy' = "http://$($ProxyHost):$($ProxyPort)" + '*:ProxyUseDefaultCredentials' = $true + } +} # Screening type # Active screening: Do not allow users to save unauthorized files -$fileTemplateActive = $true # Passive screening: Allow users to save unauthorized files (use for monitoring) -#$fileTemplateActive = $false +$fileTemplateActive = $ActiveTemplate + # Write the email options to the temporary file - comment out the entire block if no email notification should be set $MailTo = "[Admin Email];[Source File Owner Email];[Source Io Owner Email]" 
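Review bot: The proxy block assigns `$global:PSDefaultParameterValues` wholesale, replacing whatever defaults the calling session already had and leaving the proxy configured after the script exits, and `'*:ProxyUseDefaultCredentials' = $true` forwards the credentials of the account running the script (for a scheduled task, commonly a privileged service account) to the proxy on every `Invoke-WebRequest`/`Invoke-RestMethod` call. Scope it to the script and make credential forwarding opt-in, e.g. `$PSDefaultParameterValues['Invoke-WebRequest:Proxy'] = "http://$($ProxyHost):$($ProxyPort)"` together with a `[switch] $ProxyUseDefaultCredentials` that sets the second key only when given. `$ProxyHost` is interpolated into the URL unvalidated; a `[ValidatePattern('^[A-Za-z0-9.-]+$')]` on the parameter keeps the address well-formed. The help text has `repositoty` for `repository`. The script body continues past the hunk.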
@@ -38,19 +133,22 @@ $MailTo = "[Admin Email];[Source File Owner Email];[Source Io Owner Email]" ## en #$Subject = "Unauthorized file from the [Violated File Group] file group detected" $Subject = "POSSIBLE VIRUS INFECTION DETECTED - [Violated File Group] detected" -$Message = "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file indicates that the file server is in the process of being encrypted by a virus. If you are [Source Io Owner] please shut down any computers you are using IMMEDIATELY and notify IT at 9662 9355" +$Message = "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file indicates that the file server is in the process of being encrypted by a virus. If you are [Source Io Owner] please shut down any computers you are using IMMEDIATELY and notify IT at " ## de #$Subject = "Nicht autorisierte Datei erkannt, die mit Dateigruppe [Violated File Group] übereinstimmt" #$Message = "Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." $Notifications = @() -# Comment out if no email notification should be set -$Notifications += New-FsrmAction -Type Email -Body $Message -MailTo $MailTo -Subject $Subject - -# Comment out if no event notification should be set -$Notifications += New-FsrmAction -Type Event -Body $Message -EventType Warning +# Should email notification be sent +if (! $DisableEmail) { + $Notifications += New-FsrmAction -Type Email -Body $Message -MailTo $MailTo -Subject $Subject +} +# Should event notification be created +if (! 
$DisableEvent) { + $Notifications += New-FsrmAction -Type Event -Body $Message -EventType Warning +} ################################ USER CONFIGURATION ################################ 
@@ -258,17 +356,16 @@ $fileGroups = @(New-CBArraySplit $monitoredExtensions) Write-Output "`n####" Write-Output "Adding/replacing File Groups.." ForEach ($group in $fileGroups) { - #Write-Output "Adding/replacing File Group [$($group.fileGroupName)] with monitored file [$($group.array -Join ",")].." - Write-Output "`nFile Group [$($group.fileGroupName)] with monitored files from [$($group.array[0])] to [$($group.array[$group.array.GetUpperBound(0)])].." - Remove-FsrmFileGroup -Name $($group.fileGroupName) -Confirm:$false | Write-Verbose - New-FsrmFileGroup -Name $($group.fileGroupName) -IncludePattern $($group.array) | Write-Verbose + Write-Output "`nFile Group [$($group.FileGroupName)] with monitored files from [$($group.array[0])] to [$($group.array[$group.array.GetUpperBound(0)])].." + Remove-FsrmFileGroup -Name $($group.FileGroupName) -Confirm:$false | Write-Verbose + New-FsrmFileGroup -Name $($group.FileGroupName) -IncludePattern $($group.array) | Write-Verbose } # Create File Screen Template with Notification Write-Output "`n####" -Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$fileTemplateName] with eMail Notification and Event Notification.." -Remove-FsrmFileScreenTemplate -Name $fileTemplateName -Confirm:$false | Write-Verbose -New-FsrmFileScreenTemplate -Name $fileTemplateName -Active:$fileTemplateActive -IncludeGroup $fileGroups.fileGroupName -Notification $Notifications | Write-Verbose +Write-Output "Adding/replacing [Active:$fileTemplateActive] File Screen Template [$FileTemplateName] with eMail Notification and Event Notification.." +Remove-FsrmFileScreenTemplate -Name $FileTemplateName -Confirm:$false | Write-Verbose +New-FsrmFileScreenTemplate -Name $FileTemplateName -Active:$fileTemplateActive -IncludeGroup $fileGroups.FileGroupName -Notification $Notifications | Write-Verbose # Create File Screens for every drive containing shares # Test for share existence as on File Clusters may be on another node 
@@ -276,9 +373,9 @@ Write-Output "`n####" Write-Output "Adding/replacing File Screens.." $drivesContainingShares | ForEach-Object { If (Test-Path $_ ){ - Write-Output "File Screen for [$_] with Source Template [$fileTemplateName].." + Write-Output "File Screen for [$_] with Source Template [$FileTemplateName].." Remove-FsrmFileScreen -Path $_ -Confirm:$false | Write-Verbose - New-FsrmFileScreen -Path $_ -Template $fileTemplateName | Write-Verbose + New-FsrmFileScreen -Path $_ -Template $FileTemplateName | Write-Verbose } Else { Write-Output "File Screen for [$_] could not be created as the path is invalid" } From 86a3e3c37257eb25cbf211e4ea798c8da630fe80 Mon Sep 17 00:00:00 2001 From: James Rudd Date: Tue, 29 Aug 2017 15:18:31 +1000 Subject: [PATCH 4/5] Fix extra $ typo --- DeployCryptoBlocker.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1 index d4b1527..f2c7a61 100644 --- a/DeployCryptoBlocker.ps1 +++ b/DeployCryptoBlocker.ps1 @@ -108,7 +108,7 @@ $SkipList = $SkipListPath # Logging # Useful for scheduled tasks if ($EnableLogging) { - Start-Transcript -Path $$LogFilePath -Append + Start-Transcript -Path $LogFilePath -Append } # Proxy From 936b5573feb9b7cda840fc096db5eaf71e85951d Mon Sep 17 00:00:00 2001 From: James Rudd Date: Mon, 4 Sep 2017 14:42:35 +1000 Subject: [PATCH 5/5] Added Email and Event overrides. Fixed bug assigning $false to string for ProxyHost --- DeployCryptoBlocker.ps1 | 56 ++++++++++++++++++++++++++++++++++------- 1 file changed, 47 insertions(+), 9 deletions(-) diff --git a/DeployCryptoBlocker.ps1 b/DeployCryptoBlocker.ps1 index f2c7a61..0379b8e 100644 --- a/DeployCryptoBlocker.ps1 +++ b/DeployCryptoBlocker.ps1 
@@ -24,6 +24,20 @@ Do not send an alert email when detection occurs .Parameter DisableEvent Do not create an alert event when detection occurs + +.Parameter EmailTo +Who the message should be sent to. +Defaults to [Admin Email];[Source File Owner Email];[Source Io Owner Email] + +.Parameter EmailSubject +What the Email subject line should be. + +.Parameter EmailMessage +The email message body. You can use multiple variables as defined by FSRM. + +.Parameter EventMessage +When generating an Event what description should be set. + .Parameter EnableLogging Enable Transcript logging of session @@ -80,14 +94,21 @@ Param( [alias('NoEvent')] [switch] $DisableEvent, + + [string] $EmailTo, + + [string] $EmailSubject, + + [string] $EmailMessage, + [string] $EventMessage, [switch] $EnableLogging = $false, [string] $LogFilePath = ".\Logs\$($env:computername)-$(Get-Date -Format yyyy-MM-dd).txt", - [string] $ProxyHost = $false, + [string] $ProxyHost, [ValidateRange(1,65535)] [int] $ProxyPort = 8080 
@@ -122,32 +143,49 @@ if ($ProxyHost){ } # Screening type -# Active screening: Do not allow users to save unauthorized files -# Passive screening: Allow users to save unauthorized files (use for monitoring) +# Active screening ($true): Do not allow users to save unauthorized files +# Passive screening ($false): Allow users to save unauthorized files (use for monitoring) $fileTemplateActive = $ActiveTemplate -# Write the email options to the temporary file - comment out the entire block if no email notification should be set +# Default Notification Message Values $MailTo = "[Admin Email];[Source File Owner Email];[Source Io Owner Email]" ## en -#$Subject = "Unauthorized file from the [Violated File Group] file group detected" -$Subject = "POSSIBLE VIRUS INFECTION DETECTED - [Violated File Group] detected" +$Subject = "Unauthorized file from the [Violated File Group] file group detected" $Message = "User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file indicates that the file server is in the process of being encrypted by a virus. If you are [Source Io Owner] please shut down any computers you are using IMMEDIATELY and notify IT at " ## de #$Subject = "Nicht autorisierte Datei erkannt, die mit Dateigruppe [Violated File Group] übereinstimmt" -#$Message = "Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." +#$Message = "Das System hat erkannt, dass Benutzer [Source Io Owner] versucht hat, die Datei [Source File Path] unter [File Screen Path] auf Server [Server] zu speichern. Diese Datei weist Übereinstimmungen mit der Dateigruppe [Violated File Group] auf, die auf dem System nicht zulässig ist." +# Overide values if given as parameters. 
+$MessageEmail = $MessageEvent = $Message +if ($EmailTo){ + $MailTo = $EmailTo +} + +if ($EmailSubject){ + $Subject = $EmailSubject +} + +if ($EmailMessage){ + $MessageEmail = $EmailMessage +} + +if ($EventMessage){ + $MessageEvent = $EventMessage +} + $Notifications = @() # Should email notification be sent if (! $DisableEmail) { - $Notifications += New-FsrmAction -Type Email -Body $Message -MailTo $MailTo -Subject $Subject + $Notifications += New-FsrmAction -Type Email -Body $MessageEmail -MailTo $MailTo -Subject $Subject } # Should event notification be created if (! $DisableEvent) { - $Notifications += New-FsrmAction -Type Event -Body $Message -EventType Warning + $Notifications += New-FsrmAction -Type Event -Body $MessageEvent -EventType Warning }
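Review bot: The default `$Message` (a context line here) still ends with the dangling phrase `notify IT at `, left over when the site phone number was removed, so every deployment that does not pass `-EmailMessage`/`-EventMessage` sends a truncated sentence; restore the earlier generic wording, `This file is in the [Violated File Group] file group, which is not permitted on the server.`, or drop the trailing clause. The new override block is fine, but its comment reads `# Overide values if given as parameters.`; spell it `# Override …`. The chained `$MessageEmail = $MessageEvent = $Message` is valid but unusual in this file; two separate assignments would match the surrounding style. The script continues past the hunk.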