October 30, 20169 yr How do I exclude a folder with a space in the name? Nothing special required. Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem.
October 30, 20169 yr Author How do I exclude a folder with a space in the name? Nothing special required. Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem. I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe. But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want)
October 30, 20169 yr They aren't orphans. I can delete them from the settings menu. There are 4 folders in the same parent folder. I set all 4 to be excluded. The 2 with spaces in the name get bait files created when I press the start button. Family stuff right now but I'll grab the logs/files later and post.
October 31, 20169 yr I just came across this awesome plugin so I installed it and gave it a shot. One thing I immediately noticed is that when I delete a movie from my share (of which I do quite often) it triggered the alert and turned off the smb share as it should and alerted me and I chose the appropriate response. If I am deleting files quite often will this just be what I have to get used to dealing with? How serious is this threat? I have never had any ransomware virus or anything remotely like that. I just don't get duped by clicking on stupid links etc. That being said there is a 12 year old in the house and I have no doubt he would accidentally click on some dumb shi% and get that kind of virus. I never even really though about any of this affecting my unraid box until I came across this plugin.
October 31, 20169 yr Author For your situation, tossing bait files into every folder is not a good thing because of what you're noticing. As to the severity of the thread I will leave that for you and others to research and decide for themselves. Sent from my LG-D852 using Tapatalk
October 31, 20169 yr How do I exclude a folder with a space in the name? Nothing special required. Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem. I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe. But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want) Can't recreate the issue now. Must be operator error. Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.
October 31, 20169 yr Author How do I exclude a folder with a space in the name? Nothing special required. Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem. I just tried it and it worked no problems. Is it possible there are orphaned files (creation errors) for those folders? If you'll have to manually delete the files if they are present in there (they aren't monitored). But, stop the service first to be safe. But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want) Can't recreate the issue now. Must be operator error. Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders. One situation I honestly never checked out. I'll look into it Sent from my LG-D852 using Tapatalk
October 31, 20169 yr You were looking at the first incarnation, meanwhile code is corrected. Sorry for linking to the initial checkin and not the latest! I didn't realize it had been updated. Thanks for sorting it out
November 5, 20169 yr Author Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders. Updated to handle this, but in my testing, there is zero problems with creating to hidden folders. (But, if a file creation error happens (and the file is in the folder), the error will continually rehappen because subsequent creations will think that the file is a pre-existing and valid file -> you will have to manually delete the file(s) if they exist and are file creation errors. IE: Stop the service, delete the bait files. Any bait files still existing on the array were probably orphaned via the original version of this plugin, and can now be safely removed. Subsequent creations should succeed. The exclude hidden folders options defaults to NOT exclude them.
November 5, 20169 yr Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).
November 5, 20169 yr Author Ah I see. I automatically excluded appdata and CA backup folders because I knew bait would get triggered in there and I don't use the recycle bin plugin so never thought about it... I'll automatically exclude that tomorrow Sent from my SM-T560NU using Tapatalk
November 5, 20169 yr Author Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??). done with today's update. Any and all .Recycle.Bin folders are automatically excluded no matter what. If there are bait files sitting within them right now however, you are going to have to stop the service, and delete the files, and then start the service back up again.
November 7, 20169 yr For some reason, since the last update, my shares all got locked after I tried accessing one of them through AFP. After making sure it was safe to do so, I clicked the lock to remove the set permissions. Unfortunately though, all of my shares and drives are still locked as the evidence shows here: https://gyazo.com/8ace667bfe6d256249e39375f82ec8ea . All of my docker containers are down, the interface is pretty slow, Unraid is unusable. I tried manually locking and unlocking again, but no joy. Please assist. Diagnostics attached. Many thanks in advance. EDIT: FCP is reporting the following: https://gyazo.com/0ea8b65802771e412bc3cd30bf200cde . The cache consists of two RAID0 BTRFS devices and is most definitely not full: https://gyazo.com/8c71225e2b0c5105552bfc2a90ca491b . EDIT2: it looks like I am able to write on every disk, except for the cache. EDIT3: after running the mover, I'm able to write again. It might be a big coincidence that this occurred after everything got locked down. Unraid is reporting plenty of space left though, so I'm not sure why this is not the case... ziggy_unraid-diagnostics-20161107-1954.zip
November 8, 20169 yr Author Your docker.img file is completely trashed, and needs to be deleted and recreated. Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and over wrote the backup of the share.cfg files (which is why restoring normal access is doing nothing). If might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt which will at least let me see the times that the system tripped. I have been looking at handling the backups of the normal share settings a little different. As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be. FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less that the free space available. But the docker problem, and the cache would be separate issues from RP
November 8, 20169 yr Your docker.img file is completely trashed, and needs to be deleted and recreated. Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and over wrote the backup of the share.cfg files (which is why restoring normal access is doing nothing). If might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt which will at least let me see the times that the system tripped. I have been looking at handling the backups of the normal share settings a little different. As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be. FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less that the free space available. But the docker problem, and the cache would be separate issues from RP Recreating the Docker image did indeed seem to have resolved the issue. Unfortunately I cannot share the statusfile since I reinstalled the plugin to see if that would fix the permissions:(. I'll look into why the cache drive was acting up, I agree that this was probably a coincidence and has nothing to do with RP. Cheers!
November 12, 20169 yr Author http://i.huffpost.com/gadgets/slideshows/229067/slide_229067_1027946_free.jpg[/img] - Fixed: Prevent a second trip of the monitoring from making another copy of the backup share configs while in read-only mode. (This is a situation most likely caused by misconfiguration of the placement of the files and having them put into a folder (such as Downloads) that are likely to be deleted)
November 19, 20169 yr So lets say I installed this, configured everything then I did what it told me not to and deleted a file which tripped the protection so inadvertently I tested it on my system lol. Now I have the Ransomware plugin set up properly but after the initial trip my /appdata/dowloads/ folder share on my ssd drive wont allow me to delete anything via windows (my downloads folder where i do a lot of renaming, deleting etc) but deleting things in MC works fine and none of my dockers are having any issues moving or renaming files. Also, when I go to my shares tab in Unraid under disk shares it says they are all "read only mode. restore normal settings via Ransomware protection settings". I am not sure how to un-do what I have done.
November 19, 20169 yr You will always be able to delete via MC as that's direct access rather than SMB. What you're describing is read only access to the shares. Just go to the plugin page and a popup will ask if you want to restore SMB permissions.
November 19, 20169 yr I had done that but unfortunately the problem still persists and it constitutes to say my shares are read only even after I clicked restore smb permissions on the popup.
November 19, 20169 yr I had done that but unfortunately the problem still persists and it constitutes to say my shares are read only even after I clicked restore smb permissions on the popup. Tried stopping and starting the Ransomware service?
November 19, 20169 yr As in stop and restart the plugin? Yes, I have rebooted the Unraid box a few times and the problem persists. Right now it is as if it has never been tripped. I can click the lock to set everything to read only, then click to restore permissions but it continues to stay read only seemingly only in /appdata/downloads
November 19, 20169 yr As in stop and restart the plugin? Yes, I have rebooted the Unraid box a few times and the problem persists. Right now it is as if it has never been tripped. I can click the lock to set everything to read only, then click to restore permissions but it continues to stay read only seemingly only in /appdata/downloads Have you tried disconnecting your client machine and reconnecting?
November 19, 20169 yr As in the laptop I use to connect toe the unraid box? If so then yes. This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out.
November 19, 20169 yr As in the laptop I use to connect toe the unraid box? If so then yes. This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out. Post a screenshot of the plugin screen and the logs from the same screen.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.