FSRM Experiant list hasn't updated since November 23 #104
Comments
yes, i have a same question. |
|
perhaps it is of use for someone: |
I added the 5000+ filters from the FSRM list to this, if that is not what you intended, please revert. |
|
yeah not sure , but perhaps could be OK if someone scraps rhe whole list from there. |
|
got it, sorry for the overwrite |
Will this list be updated regularly? |
Need to create a form and process to collect filters. |
Well the process is community work on fsrm.experiant.ca, and also that Wikipage can be updated by anyone with github account. So if you come across new extensions just add them, but checking on doubleentries has to be done manually by any contributer. I would hope this is only temporarily. |
|
Glad I'm not the only one noticed it's been some time that the list got updated. I was first thinking that my script broke or they went to a new site. I've seen @rivir repo with a list.txt that had the same layout the site used. I have made a pull request to add the missing ones from @gizmo21 wiki list. I think we can use @rivir repo to host this list.txt file on as you can view this file as raw in Github and that would work the same way. People than could file issues or make a pull request with new extensions and they can get added to that list.txt |
|
sounds like a plan... powershell $webClient.DownloadString would need to be modified any other ideas? |
|
That should work. Although I was thinking to keep the layout of the list in the same JSON style like this: https://raw.githubusercontent.com/DFFspace/FSRM/main/list.txt Than the script itself doesn't need to be modified and people have to only replace the URL. |
|
I like your idea more. I do not use the JSON beyond the filter list, so I simplified it, but I agree maintaining that metadata could be useful for many others. |
|
..in the meantime I updated https://github.com/nexxai/CryptoBlocker/wiki/fallback-list, cause it is the most easy way for me without pullrequests... - "update reason comment" is the source of the new filters |
|
Currently working on the forked repo from @rivir with some workflows / Python script that could update the files automatically when new items being added to the list. |
|
Here is my repo: https://github.com/DFFspace/CryptoBlocker I've updated the list.txt file, It's alphabetically sorted. I also noticed there where some extensions that had their character replaced with the unicode or two extensions used the For example there was a extension named: But when the PowerShell script is being used it ignores these unicodes and replaces them with the correct normal character. I went ahead and fixed the extensions that had these unicodes and or I created a small Python script that is assigned to a workflow action. This action gets triggered when the list.txt is being updated or editted. And will grab the list.txt file, store each item in a list, and than create the same json layout format with all the extensions. Which updates this KnownExtensions.txt file. This would be the URL that people can use in their scripts: https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt To get new extensions added people would need to report a issue with the new extension that should be added. Any feedback would be appreciated |
|
Well I can't see the advantage of an alphabetically sortet list, as new additions would have to be searched in the whole file (to prevent double-issue-posts. Also there are sometimes additions like And it seems it was only once sorted and then appended.
But I will try it next time with an addition-issue on your repo. |
|
I see what you mean. Nonetheless I could write a workflow action that is able to look for any duplicated extensions. When they get submitted or being added, so there is a check beforehand it updates the file. I will see If I can fix the list how this is being done (like https://fsrm.experiant.ca/#rawlist) in that order with the fixes for the unicode characters, and I will make sure the new ones that are being added on top of the list! |
|
@gizmo21, I changed the list to reflect the extension order as they are listed on (https://fsrm.experiant.ca/#rawlist) And added the new ones above *.Mafer so from now on new extensions will appear on top! |
|
Hello, |
|
Thanks to davidande for the update. I tested your script and after changing the download url to DFF's list, it successfully downloads the new list, but I'm unable to write to any folders at all. Seems FSRM is blocking any file extensions from being written to the protected folders, even legit extensions that are not in the list. Formatting issue in the script against the new list perhaps? Regards, |
|
I haven't had any issues just changing the source to this list (the past
couple months). I updated all my servers a week ago. Unless some weird
wildcard pattern (added in the past week) is causing this, you may need to
troubleshoot FSRM on your server.
…On Sat, Mar 18, 2023 at 2:26 PM jf40541 ***@***.***> wrote:
Thanks to davidande for the update. I tested your script and after
changing the download url to DFF's list, it successfully downloads the new
list, but I'm unable to write to any folders at all. Seems FSRM is blocking
any file extensions from being written to the protected folders, even legit
extensions that are not in the list. Formatting issue in the script against
the new list perhaps?
Regards,
Jeff
—
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB4ERUVQZAQOUBFCZHZSITTW4YSBFANCNFSM6AAAAAATP5UNRQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
I'm using davidande's script. |
|
Hello, |
|
Strange... I only use my script to generate and update the template list. Is the issue not something where it enables all templates? Below is how mine are setup. |
|
I only use the list as well. David, does the old list works for you still on your script? |
|
Hello, |
|
Hello @davidande, I have done some testing's and found something I think. I created myself a new Win Server 2022 VM and created from scratch a Share. When I run you script with my list as download for the extensions it indeed blocks all files. However, when I use my own File Group created with my script using my list and changing the file group from Crypto_Blocker_extensions to my list Known Ransomware Files it seems to work and is not blocking all files. I did noticed that your script seems to add on some characters the symbol "?" As shown below. On the left is my list fetched trough my script and on the right from your script: I've made a Pull-request with the protentional fix for your script in your repo. I did test this on my FSRM and seems to work now and no longer blocks legit or all files. |
|
This is likely the issue then. PowerShell/PowerShell#7618 Invoke-webrequest (line 76) in your script needs a couple more properties. Probably adding
will work better with Cyrillic characters |
Thanks for the help. I made it but same result, all files are blocked and can see ??????? in fsrm |
|
Can You also give me the exact link for the $url ? |
Thank You very much, my script works now. |
|
Hi, https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt Do you guys know why? I can't find an actual solution for the original script in this or the other thread (DFFspace#16). Thanks in advance! |
|
Invoke-WebRequest probably needs
-ContentType 'application/json; charset=UTF-8' Added to properly handle
characters
…On Sat, Apr 15, 2023 at 6:12 AM madeyem ***@***.***> wrote:
Hi,
I also have this problem:
All files are blocked after I replace the original URL in the original
DeployCryptoBlocker.ps1 with
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
Do you guys know why? I can't find an actual solution for the original
script in this or the other thread (DFFspace#16
<DFFspace#16>).
Thanks in advance!
—
Reply to this email directly, view it on GitHub
<#104 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB4ERUX7DE54RSLTN6EYTNDXBKNEJANCNFSM6AAAAAATP5UNRQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
As I have stated here DFFspace#16 I've made some changes to the DeployCryptoBlocker.ps1 script in my repo that should fix the issue. |
|
nexxai answered on reddit, so only little chance of getting old service back online: Hope the wiki-list can stay here... |
|
Can someone help me with updated url for FSRM extensions? |
|
it's several times in this thread: https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt If you want to contribute you can easily add extensions here: |
|
Thanks,
I already have powershell script to update it from experiant ca when I replace the url with https://github.com/DFFspace/CryptoBlocker/blob/master/KnownExtensions.txt it shows error.
Can you please help me with it.
From: gizmo21 ***@***.***>
Sent: Friday, March 15, 2024 3:36 AM
To: nexxai/CryptoBlocker ***@***.***>
Cc: Noor Mohamed ***@***.***>; Comment ***@***.***>
Subject: Re: [nexxai/CryptoBlocker] FSRM Experiant list hasn't updated since November 23 (Issue #104)
it's several times in this thread:
https://github.com/DFFspace/CryptoBlocker/blob/master/KnownExtensions.txt
It's the most up to date one.
If you want to contribute you can easily add extentions here:
https://github.com/nexxai/CryptoBlocker/wiki/fallback-list
—
Reply to this email directly, view it on GitHub<#104 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ATFRVMPOOUGEUB6CA4K2KQTYYINMTAVCNFSM6AAAAAATP5UNRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSOJYGU2TSMBWGM>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
|
Thanks for the reply.
It tried both the links, it showed the below error.
***@***.***
From: gizmo21 ***@***.***>
Sent: Friday, March 15, 2024 10:20 PM
To: nexxai/CryptoBlocker ***@***.***>
Cc: Noor Mohamed ***@***.***>; Comment ***@***.***>
Subject: Re: [nexxai/CryptoBlocker] FSRM Experiant list hasn't updated since November 23 (Issue #104)
try the RAW one
https://raw.githubusercontent.com/DFFspace/CryptoBlocker/master/KnownExtensions.txt
—
Reply to this email directly, view it on GitHub<#104 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ATFRVMJCIRSXWS4NJMRGBTTYYMRDDAVCNFSM6AAAAAATP5UNRSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBQGA2TQOBWGA>.
You are receiving this because you commented.Message ID: ***@***.******@***.***>>
|
FSRM Experiant list hasn't updated since November 23, any change to this process?
The text was updated successfully, but these errors were encountered: