Squid Posted October 13, 2016 Author

> I haven't had a chance to play with this as of yet, but I'm really intrigued now. I know on trigger it sets things to ReadOnly. Is there a way to "Return to Previous" State. Some of my Drives I have different settings depending on users, Disk Shares, User Shares Would be nice to simply return to whatever settings I had on that particular drive/Share so I don't have to figure out what was changed and how it was before.

Yes there's a button to restore the settings

Sent from my LG-D852 using Tapatalk

Squid Posted October 13, 2016 Author

> Since you changed it to set SMB to Read Only upon detection, is there still value in stopping the array? ~Spritz

> Depends upon your level of paranoia
> Sent from my SM-T560NU using Tapatalk

> One possibility is that if you have some rogue software somewhere on your network, not only might it modify / encrypt your files, but it could also be sending information "back home". My view would be that I would want the server to have share access blocked until I had a chance to get control of things.

That's actually how the beeps are handled. Through a user set stop script. Next update should be this weekend

Sent from my LG-D852 using Tapatalk

CHBMB Posted October 14, 2016

Just got around to installing this.... Now I see your ugly mug/Chode in the root of every one of my shares.... Like a frigging virus! Having said that, I'm impressed, deleted a file and it did what it says on the tin. Awesome work mate....

Now about that picture, do you not think something like this would be a bit more palatable?

Squid Posted October 14, 2016 Author

> Just got around to installing this.... Now I see your ugly mug/Chode in the root of every one of my shares.... Like a frigging virus! Having said that, I'm impressed, deleted a file and it did what it says on the tin. Awesome work mate.... Now about that picture, do you not think something like this would be a bit more palatable?

The key is what does your wife think?

Sent from my LG-D852 using Tapatalk

CHBMB Posted October 14, 2016

> The key is what does your wife think?
> Sent from my LG-D852 using Tapatalk

She says she's never gone for good looking men.... I'm sure there should have been a before in the sentence at some point she must have just forgot it...

Squid Posted October 14, 2016 Author

> The key is what does your wife think?
> Sent from my LG-D852 using Tapatalk

> She says she's never gone for good looking men.... I'm sure there should have been a before in the sentence at some point she must have just forgot it...

My wife runs off her ideal man every once in a while and I think to myself, why did you marry me? But right now, I'm testing out the dedicated bait shares and have 20 test shares operational containing approximately 1,000,000 pictures of myself in the hopes that I can brainwash her somehow

You do realize though that you can change that picture yourself

DoeBoye Posted October 14, 2016

> You do realize though that you can change that picture yourself

Thanks for this fantastic plugin! Does exactly what it says and helps me feel a bit more secure :-).

Just a couple of questions: If the bait is already set, and then we add the bait folder with custom files, does it replace the existing ones? Also, if we change our mind from all folders to just root, do the extra bait files get deleted?

Thanks again!

Squid Posted October 14, 2016 Author

The published version deletes all the bait at every start so yes to all the questions. Next rev on the weekend that will be optional but with a button to manually delete everything

Sent from my LG-D852 using Tapatalk

RobJ Posted October 14, 2016

> Since you changed it to set SMB to Read Only upon detection, is there still value in stopping the array?

I would say yes, as it's more likely to cause the major disruption that's appropriate for the potential disaster that's happening! Do you really want to allow something to possibly continue destroying files on networked machines, so long as it doesn't interrupt your movie? If you aren't well backed up elsewhere, then this is comparable to a small fire in the house, or the sound of a thief with your jewelry and valuables.

RobJ Posted October 14, 2016

> How about having the ability to have a custom script run when it's triggered? This way folks could have extra/special things happen without having to have it hardcoded into the plugin..

I think this is a good idea. It lets anyone customize the response as they wish, and add extra warnings and special notifications, beyond the standard ones. And perhaps start file integrity tools running to begin identifying what's changed.

JonathanM Posted October 14, 2016

> And perhaps start file integrity tools running to begin identifying what's changed.

This... More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

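The check-only mode described in the post above, sketched as an added example (not code from this thread or from any Unraid plugin): once bait has tripped, files are compared against the manifest taken earlier and nothing new is hashed into it. The function names and the three-file sample share are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Normal operation: record a hash for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_only(root: Path, manifest: dict) -> dict:
    """Incident mode: compare against the stored manifest and never update it."""
    report = {"changed": [], "missing": [], "new": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if rel not in manifest:
            report["new"].append(rel)       # e.g. a copy written under a new name
        elif sha256_of(p) != manifest[rel]:
            report["changed"].append(rel)   # overwritten in place
    report["missing"] = sorted(r for r in manifest if not (root / r).is_file())
    return report


def demo() -> dict:
    """Constructed sample share: three files, then simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("a.txt", "b.txt", "c.txt"):
            (root / name).write_text("original " + name)
        manifest = build_manifest(root)                 # taken before the incident
        (root / "a.txt").write_text("scrambled")        # modified in place
        (root / "b.txt").rename(root / "b.txt.locked")  # reappears under a new name
        return check_only(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The "new" list is the part a tool that keeps hashing would lose: it would record the freshly written files as good and leave nothing to compare them against.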
Msan Posted October 14, 2016

> How about having the ability to have a custom script run when it's triggered? This way folks could have extra/special things happen without having to have it hardcoded into the plugin..

> I think this is a good idea. It lets anyone customize the response as they wish, and add extra warnings and special notifications, beyond the standard ones. And perhaps start file integrity tools running to begin identifying what's changed.

Yes, that's what I had in mind.. for me it could tell my router to cut off access to the net for the unraid server so it doesn't "leak" any info..

Squid Posted October 14, 2016 Author

> And perhaps start file integrity tools running to begin identifying what's changed.

> This... More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

CHBMB Posted October 14, 2016

> And perhaps start file integrity tools running to begin identifying what's changed.

> This... More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

> Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

Funny you say that, I thought the same thing, but I decided, for once, not to taunt you....

Squid Posted October 14, 2016 Author

> And perhaps start file integrity tools running to begin identifying what's changed.

> This... More importantly, STOP the file integrity tools from blindly calculating new checksums on the newly minted files, and go into check only mode.

> Why do I have the sneaking suspicion that my deprecated Checksum Tools is going to make a revival in the next year?

> Funny you say that, I thought the same thing, but I decided, for once, not to taunt you....

Are you sick or dying or something?

CHBMB Posted October 15, 2016

> Are you sick or dying or something?

Hey, I'm your friend remember, now if I'd been your arch nemesis.....

I'm not going to say a word about the daily update to CA though....

Squid Posted October 16, 2016 Author

Anyone using Dynamix File Integrity? (I don't... Still use the checksum plugin -> sorry bonienl)

If so, can I get you to do the following and post the output after forcing File Integrity to create the hashes for the file created.

    mkdir /mnt/user/test
    echo "test" > /mnt/user/test/test
    inotifywait -m @ /mnt/user/test/test

Need to know if I have to add a note to exclude the specific bait share folders from File Integrity (pretty sure I'm going to have to)

wgstarks Posted October 18, 2016

@Squid This plugin is working great for me. SMB and AFP. Was doing a little testing and I get the attack warning screen (and selected shutdowns) when I delete one of the bait files, but this screen and the following reset screen only reference SMB. There's no mention of restoring the AFP server even though both get restored when I push the button. Just a suggestion.

Squid Posted October 18, 2016 Author

> @Squid This plugin is working great for me. SMB and AFP. Was doing a little testing and I get the attack warning screen (and selected shutdowns) when I delete one of the bait files, but this screen and the following reset screen only reference SMB. There's no mention of restoring the AFP server even though both get restored when I push the button. Just a suggestion.

Next rev states that... Just a little behind schedule due to real life

perfessor101 Posted October 20, 2016

Hello Squid

I currently have the Ransomware Bait File Placement set to "root only of shares" and Stop Array on Detection set to "Yes". With these settings everything works as wanted and gives me greatly needed protection. Thank you very much for this plugin.

I was curious about excluding more directories ... I have "two" giving me some consternation: one is of the form /mnt/user/*share*/.Recycle.Bin and another is /mnt/user/music/iTunes/iTunes Media/Automatically Add to iTunes/

When I empty the .Recycle.Bin manually the Ransomware Plugin can trigger ... (so I should stop it before and restart after) as well as when iTunes tries to automatically add the files in its automatically add directory.

But I want to splatter my array's directories with way more Bait files and wasn't sure how hard this would be to change / add?

Thanks for your time,
Bobby

Squid Posted October 20, 2016 Author

Problem with extra bait files within normal shares is that it dramatically increases the odds of inadvertent tripping. You can always use the custom bait folder and toss as many files in there as you like.

Next rev (couple days behind schedule) I'm using 200,000 bait files in specialized shares just for that purpose and leaving everything else with the stock 4 shares

After the next rev I'm planning on switching the bait in normal shares from files to instead hardlinks which will let you instead run multiple copies without taking up any extra space (and might also speed up the response time by a millisecond or two)

Sent from my LG-D852 using Tapatalk

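What hard-linked bait means for detection, as an added example (not the plugin's code): every link shares one inode, so each bait path can be classified as deleted, replaced by a different file, or overwritten in place. It assumes polling with stat and SHA-256 rather than whatever monitoring the plugin uses; all function names, file names and paths are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def plant_bait(master: Path, share_dirs: list) -> list:
    """Hard-link the master bait file into each directory; no data is copied."""
    links = [d / master.name for d in share_dirs]
    for link in links:
        os.link(master, link)
    return links


def check_bait(base: os.stat_result, digest: str, links: list) -> dict:
    """Classify each bait path as ok, deleted, replaced or modified."""
    status = {}
    for link in links:
        share = link.parent.name
        try:
            st = link.stat()
        except FileNotFoundError:
            status[share] = "deleted"
            continue
        if (st.st_dev, st.st_ino) != (base.st_dev, base.st_ino):
            status[share] = "replaced"   # a different file now holds the name
        elif hashlib.sha256(link.read_bytes()).hexdigest() != digest:
            status[share] = "modified"   # same inode, content overwritten
        else:
            status[share] = "ok"
    return status


def demo() -> dict:
    """Constructed layout: one master bait file linked into four share roots."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        master = root / "bait-master.jpg"
        master.write_bytes(b"constructed bait content")
        shares = [root / f"share{i}" for i in range(1, 5)]
        for share in shares:
            share.mkdir()
        links = plant_bait(master, shares)
        baseline = (master.stat(), hashlib.sha256(master.read_bytes()).hexdigest())
        links[0].unlink()                     # bait deleted
        links[1].unlink()                     # bait replaced by a new file
        links[1].write_bytes(b"ciphertext")
        links[2].write_bytes(b"overwritten")  # in-place write, shared inode
        return check_bait(*baseline, links)
```

In `demo()` the untouched link in share4 also reports "modified", because the in-place write through share3 changed the one inode all links point to; the baseline hash therefore has to be stored separately from the bait itself.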
DoeBoye Posted October 21, 2016

A few observations:

1. Love the plugin! Thanks again for creating it!

2. Can't wait for the manual removal button, as I uninstalled the plugin before letting it remove all the Squid-y files and now have 50 million "Don't Touch my Super Secret Squid" Files strewn about my file structure! I plan on using custom named bait files (in case ransomware developers learn about this little beauty) and maybe only in the top level folders.

3. A nice-to-have feature might be some sort of persistent progress update on the seeding and deleting of Squid-y files... "X out of Y", or "10% seeded/deleted" or even just "X seeded/deleted" so we can see that it is still working.

Thanks Again!

Squid Posted October 21, 2016 Author

> 2. Can't wait for the manual removal button, as I uninstalled the plugin before letting it remove all the Squid-y files and now have 50 million "Don't Touch my Super Secret Squid" Files strewn about my file structure! I plan on using custom named bait files (in case ransomware developers learn about this little beauty) and maybe only in the top level folders.

It should have removed the monitored files during uninstallation. *But*, it was possible for abandoned / orphaned bait files to have been created depending upon what was going on at the time. This should be fixed already on next rev. (Just tidying up some loose ends). The syslog when creating the files would actually have listed the orphaned files. Unfortunately not much you can do other than doing a search in Explorer for the file name and then deleting them there.

> 3. A nice-to-have feature might be some sort of persistent progress update on the seeding and deleting of Squid-y files... "X out of Y", or "10% seeded/deleted" or even just "X seeded/deleted" so we can see that it is still working.

Ahead of you there: (The Running section does change to indicate current status of creation / deletion)

DoeBoye Posted October 21, 2016

> Unfortunately not much you can do other than doing a search in Explorer for the file name and then deleting them there.

No biggie. I'll do that.

> Ahead of you there: (The Running section does change to indicate current status of creation / deletion)

Fantastic! Can't wait for the new version!

DZMM Posted October 24, 2016

Are you going to add protection of shares on unassigned devices?