wgstarks
Posted October 30, 2016

>> How do I exclude a folder with a space in the name?

> Nothing special required. Just include the space in the name, e.g.: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space on the name that I couldn't get exclusions to work. Thought maybe it was the space causing the problem.

Squid (Author)
Posted October 30, 2016

>>> How do I exclude a folder with a space in the name?

>> Nothing special required. Just include the space in the name, e.g.: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

> Have 2 folders with a space on the name that I couldn't get exclusions to work. Thought maybe it was the space causing the problem.

I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If so, you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe.

But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want).

wgstarks
Posted October 30, 2016

They aren't orphans. I can delete them from the settings menu. There are 4 folders in the same parent folder. I set all 4 to be excluded. The 2 with spaces in the name get bait files created when I press the start button.

Family stuff right now but I'll grab the logs/files later and post.

wingchun222
Posted October 31, 2016

I just came across this awesome plugin so I installed it and gave it a shot. One thing I immediately noticed is that when I delete a movie from my share (which I do quite often) it triggered the alert and turned off the SMB share as it should and alerted me, and I chose the appropriate response. If I am deleting files quite often, will this just be what I have to get used to dealing with?

How serious is this threat? I have never had any ransomware virus or anything remotely like that. I just don't get duped by clicking on stupid links etc. That being said, there is a 12 year old in the house and I have no doubt he would accidentally click on some dumb shi% and get that kind of virus. I never even really thought about any of this affecting my unraid box until I came across this plugin.

Squid (Author)
Posted October 31, 2016

For your situation, tossing bait files into every folder is not a good thing because of what you're noticing.

As to the severity of the threat, I will leave that for you and others to research and decide for themselves.

wgstarks
Posted October 31, 2016

>>>> How do I exclude a folder with a space in the name?

>>> Nothing special required. Just include the space in the name, e.g.: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

>> Have 2 folders with a space on the name that I couldn't get exclusions to work. Thought maybe it was the space causing the problem.

> I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If so, you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe.
>
> But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want).

Can't recreate the issue now. Must be operator error.

Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

Squid (Author)
Posted October 31, 2016

>>>>> How do I exclude a folder with a space in the name?

>>>> Nothing special required. Just include the space in the name, e.g.: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

>>> Have 2 folders with a space on the name that I couldn't get exclusions to work. Thought maybe it was the space causing the problem.

>> I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If so, you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe.
>>
>> But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want).

> Can't recreate the issue now. Must be operator error.
>
> Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

One situation I honestly never checked out. I'll look into it.

ljm42
Posted October 31, 2016

> You were looking at the first incarnation, meanwhile code is corrected.

Sorry for linking to the initial checkin and not the latest! I didn't realize it had been updated. Thanks for sorting it out.

Squid (Author)
Posted November 5, 2016

> Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

Updated to handle this, but in my testing, there are zero problems with creating to hidden folders. (But, if a file creation error happens (and the file is in the folder), the error will continually rehappen because subsequent creations will think that the file is a pre-existing and valid file -> you will have to manually delete the file(s) if they exist and are file creation errors.)

IE: Stop the service, delete the bait files. Any bait files still existing on the array were probably orphaned via the original version of this plugin, and can now be safely removed. Subsequent creations should succeed.

The exclude hidden folders option defaults to NOT exclude them.

wgstarks
Posted November 5, 2016

Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).

Squid (Author)
Posted November 5, 2016

Ah I see. I automatically excluded appdata and CA backup folders because I knew bait would get triggered in there and I don't use the recycle bin plugin so never thought about it... I'll automatically exclude that tomorrow.

Squid (Author)
Posted November 5, 2016

> Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).

Done with today's update. Any and all .Recycle.Bin folders are automatically excluded no matter what. If there are bait files sitting within them right now however, you are going to have to stop the service, and delete the files, and then start the service back up again.

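The exclusion rules discussed in the posts above (a comma-separated list whose entries may contain spaces, the optional hidden-folder setting, and the unconditional .Recycle.Bin exclusion) can be expressed as one path check. This is an added example, not part of any post and not the plugin's code; the function name `is_excluded` and its arguments are hypothetical, and the sample list is the one quoted in the thread.

```shell
#!/bin/sh
# Added illustration, not the plugin's code; function names are hypothetical.

# is_excluded DIR EXCLUDE_LIST SKIP_HIDDEN
# Returns 0 when no bait file should be placed in DIR.
is_excluded() {
    dir=${1%/}; list=$2; skip_hidden=$3

    # .Recycle.Bin at any depth is always excluded, whatever the settings.
    case "/$dir/" in
        */.Recycle.Bin/*) return 0 ;;
    esac

    # Optional setting: skip any path with a hidden (dot-prefixed) component.
    if [ "$skip_hidden" = "yes" ]; then
        case "$dir" in
            */.*) return 0 ;;
        esac
    fi

    # Split the list on commas only, so "BluRay Movies" stays one entry.
    # set -f stops entries containing * or ? from being glob-expanded.
    old_ifs=$IFS; IFS=,; set -f
    for entry in $list; do
        entry=${entry%/}
        [ -n "$entry" ] || continue          # ignore empty entries ("a,,b")
        case "$dir" in
            "$entry"|"$entry"/*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Constructed sample input: the exclusion list from the thread and a few paths.
sample_list="/mnt/user/Movies/BluRay Movies,/mnt/user/Downloads"
for d in "/mnt/user/Movies" "/mnt/user/Movies/BluRay Movies/2016" \
         "/mnt/user/Downloads" "/mnt/user/Docs/.Recycle.Bin"; do
    if is_excluded "$d" "$sample_list" no; then echo "skip  $d"; else echo "bait  $d"; fi
done
```

Matching is on whole path components, so excluding /mnt/user/Downloads does not also exclude a sibling such as /mnt/user/Downloads2.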
Ziggy
Posted November 7, 2016

For some reason, since the last update, my shares all got locked after I tried accessing one of them through AFP. After making sure it was safe to do so, I clicked the lock to remove the set permissions. Unfortunately though, all of my shares and drives are still locked as the evidence shows here: https://gyazo.com/8ace667bfe6d256249e39375f82ec8ea . All of my docker containers are down, the interface is pretty slow, Unraid is unusable.

I tried manually locking and unlocking again, but no joy. Please assist. Diagnostics attached.

Many thanks in advance.

EDIT: FCP is reporting the following: https://gyazo.com/0ea8b65802771e412bc3cd30bf200cde . The cache consists of two RAID0 BTRFS devices and is most definitely not full: https://gyazo.com/8c71225e2b0c5105552bfc2a90ca491b .

EDIT2: it looks like I am able to write on every disk, except for the cache.

EDIT3: after running the mover, I'm able to write again. It might be a big coincidence that this occurred after everything got locked down. Unraid is reporting plenty of space left though, so I'm not sure why this is not the case...

Attachment: ziggy_unraid-diagnostics-20161107-1954.zip

Squid (Author)
Posted November 8, 2016

Your docker.img file is completely trashed, and needs to be deleted and recreated.

Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and overwrote the backup of the share.cfg files (which is why restoring normal access is doing nothing). It might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt which will at least let me see the times that the system tripped. I have been looking at handling the backups of the normal share settings a little differently.

As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be.

FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less than the free space available. But the docker problem, and the cache would be separate issues from RP.

Ziggy
Posted November 8, 2016

> Your docker.img file is completely trashed, and needs to be deleted and recreated.
>
> Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and overwrote the backup of the share.cfg files (which is why restoring normal access is doing nothing). It might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt which will at least let me see the times that the system tripped. I have been looking at handling the backups of the normal share settings a little differently.
>
> As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be.
>
> FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less than the free space available. But the docker problem, and the cache would be separate issues from RP.

Recreating the Docker image did indeed seem to have resolved the issue. Unfortunately I cannot share the statusfile since I reinstalled the plugin to see if that would fix the permissions :(. I'll look into why the cache drive was acting up, I agree that this was probably a coincidence and has nothing to do with RP.

Cheers!

Squid (Author)
Posted November 12, 2016

http://i.huffpost.com/gadgets/slideshows/229067/slide_229067_1027946_free.jpg

- Fixed: Prevent a second trip of the monitoring from making another copy of the backup share configs while in read-only mode. (This is a situation most likely caused by misconfiguration of the placement of the files and having them put into a folder (such as Downloads) that are likely to be deleted.)

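The "double trip" failure described in the posts above, where a second trip copies the already read-only share configs over the backup of the normal ones, is avoided by taking the backup only when none exists. This is an added example, not part of any post and not the plugin's code; the functions `lockdown` and `restore`, the directory layout and the `access=` key are hypothetical stand-ins for the real share settings.

```shell
#!/bin/sh
# Added illustration, not the plugin's code. Function names, directory
# layout and the "access=" key are hypothetical.

lockdown() {   # lockdown SHARE_CFG_DIR BACKUP_DIR
    cfg=$1; bak=$2
    # A backup already present means we are already locked down: the live
    # configs are the read-only ones, so copying them again would destroy
    # the only record of the normal settings.
    if [ ! -d "$bak" ]; then
        # Build the backup in a temp dir and rename it into place, so an
        # interrupted copy is never mistaken for a complete backup.
        mkdir -p "$bak.tmp" && cp -p "$cfg"/*.cfg "$bak.tmp"/ \
            && mv "$bak.tmp" "$bak" || return 1
    fi
    for f in "$cfg"/*.cfg; do
        sed 's/^access=.*/access=read-only/' "$f" > "$f.new" && mv "$f.new" "$f"
    done
}

restore() {    # restore SHARE_CFG_DIR BACKUP_DIR
    cfg=$1; bak=$2
    [ -d "$bak" ] || return 1      # nothing to restore from
    # Removing the backup afterwards re-arms the guard for the next trip.
    cp -p "$bak"/*.cfg "$cfg"/ && rm -rf "$bak"
}

# Constructed demo: trip twice, then restore the normal settings.
d=$(mktemp -d); mkdir "$d/shares"
printf 'access=read-write\n' > "$d/shares/Movies.cfg"
lockdown "$d/shares" "$d/backup"
lockdown "$d/shares" "$d/backup"
restore "$d/shares" "$d/backup"
cat "$d/shares/Movies.cfg"
rm -rf "$d"
```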
wingchun222
Posted November 19, 2016

So let's say I installed this, configured everything, then I did what it told me not to and deleted a file which tripped the protection, so inadvertently I tested it on my system lol. Now I have the Ransomware plugin set up properly but after the initial trip my /appdata/dowloads/ folder share on my SSD drive won't allow me to delete anything via Windows (my downloads folder where I do a lot of renaming, deleting etc) but deleting things in MC works fine and none of my dockers are having any issues moving or renaming files.

Also, when I go to my shares tab in Unraid, under disk shares it says they are all "read only mode. restore normal settings via Ransomware protection settings". I am not sure how to un-do what I have done.

CHBMB
Posted November 19, 2016

You will always be able to delete via MC as that's direct access rather than SMB. What you're describing is read only access to the shares.

Just go to the plugin page and a popup will ask if you want to restore SMB permissions.

wingchun222
Posted November 19, 2016

I had done that but unfortunately the problem still persists and it continues to say my shares are read only even after I clicked restore SMB permissions on the popup.

CHBMB
Posted November 19, 2016

> I had done that but unfortunately the problem still persists and it continues to say my shares are read only even after I clicked restore SMB permissions on the popup.

Tried stopping and starting the Ransomware service?

wingchun222
Posted November 19, 2016

As in stop and restart the plugin? Yes, I have rebooted the Unraid box a few times and the problem persists. Right now it is as if it has never been tripped. I can click the lock to set everything to read only, then click to restore permissions, but it continues to stay read only, seemingly only in /appdata/downloads.

CHBMB
Posted November 19, 2016

> As in stop and restart the plugin? Yes, I have rebooted the Unraid box a few times and the problem persists. Right now it is as if it has never been tripped. I can click the lock to set everything to read only, then click to restore permissions, but it continues to stay read only, seemingly only in /appdata/downloads.

Have you tried disconnecting your client machine and reconnecting?

wingchun222
Posted November 19, 2016

As in the laptop I use to connect to the unraid box? If so then yes. This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out.

CHBMB
Posted November 19, 2016

> As in the laptop I use to connect to the unraid box? If so then yes. This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out.

Post a screenshot of the plugin screen and the logs from the same screen.

wingchun222
Posted November 19, 2016

Is that what you are after my good person?