[Plugin] Ransomware Protection - Deprecated


Squid


Great Plugin and I'm using it as we speak because my father always says yes to every banner/popup/sales person that shows up.

But I do have a question...

 

The files are not a problem because there are not so many in his shared folder. But using dummy shares creates a whole lot of those folders that are nice to click on and trigger an alarm (my father likes to click on stuff). Is there a way to hide the share from users but still have it public?

 

Cheers

Blaz



You could try prefixing the share name with a "."  But personally, I would name the folders to be something like "DONT CLICK BAD THINGS HAPPEN"

 


I would name the folders to be something like "DONT CLICK BAD THINGS HAPPEN"

You clearly never met my father.  ;D

I'll just use the file protection and avoid the dummy shares until I figure out how to hide them from him. Hey even I triggered an alert today when I wasn't careful.

 

Thanks again for the great plugin.


Not sure if I'm doing something wrong here.  I installed this plugin today, let it create bait files in the root directories (also bait shares).  As soon as I try to connect to a share using AFP from my Mac, it sets off a trigger and the array immediately stops.

The error message is:

Attack Detected

 

SMB has been set to be in read-only mode due to a possible attack on /mnt/user/Shared/SquidBait-DO_NOT_DELETE.docx

You can choose to reset the SMB/AFP permissions by clicking below. If this was caused by an attack, it is not advised to reset permission to normal

 

The Attack History isn't telling me anything useful:

******************************************************************************************

 

Time Of Attack:Tue, 20 Dec 2016 23:38:50 -0500

 

Attacked File: /mnt/user/Shared/SquidBait-DO_NOT_DELETE.docx

 

 

Samba version 4.4.5

PID    Username    Group        Machine                                  Protocol Version  Encryption          Signing

----------------------------------------------------------------------------------------------------------------------------------------

 

Service      pid    Machine      Connected at                    Encryption  Signing

---------------------------------------------------------------------------------------------

 

No locked files

 

-------

Is this a bug or a feature that I'm not really getting?

Thanks!



I'm getting this when connecting via my MacBook as well. Windows machine is fine.

It seems for whatever reason that connecting to the share via AFP on a MacBook is triggering the ransomware plugin.

I will have to disable it for now :(

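Both reports above show a trigger whose Attack History carries an empty smbstatus listing. As an added example (not the plugin's own code), this Python helper parses such an Attack History record and answers the first triage question a defender has: was any SMB client connected when the bait file was touched? The record text and the session row are constructed samples in the shape of the output quoted in the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample shaped like the record quoted above (smbstatus lists nothing).
EMPTY_RECORD = """\
Time Of Attack:Tue, 20 Dec 2016 23:38:50 -0500
Attacked File: /mnt/user/Shared/SquidBait-DO_NOT_DELETE.docx
PID    Username    Group        Machine          Protocol Version  Encryption  Signing
--------------------------------------------------------------------------------------

Service      pid    Machine      Connected at    Encryption  Signing
-----------------------------------------------------------------------

No locked files
-------
"""
# Constructed variant with one SMB session row, so both triage outcomes appear.
SESSION_ROW = "4321  bob  users  192.168.1.50 (ipv4:192.168.1.50:49213)  SMB3_11  -  -"
SMB_RECORD = re.sub(r"(PID .*\n-+\n)", lambda m: m.group(1) + SESSION_ROW + "\n",
                    EMPTY_RECORD, count=1)

@dataclass
class AttackRecord:
    time: datetime
    attacked_file: str
    sessions: list   # smbstatus session rows, one per connected SMB client
    shares: list     # smbstatus share-connection rows

def parse_attack_record(text: str) -> AttackRecord:
    """Pull the timestamp, bait path and the smbstatus tables out of one record."""
    time = path = section = None
    sessions, shares = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Time Of Attack:"):
            time = parsedate_to_datetime(line.split(":", 1)[1].strip())
        elif line.startswith("Attacked File:"):
            path = line.split(":", 1)[1].strip()
        elif line.startswith("PID "):                  # session table header
            section = "sessions"
        elif line.startswith("Service "):              # share-connection table header
            section = "shares"
        elif not line or line == "No locked files":    # ends the current table
            section = None
        elif section == "sessions" and not set(line) <= {"-", "*"}:   # skip rulers
            sessions.append(line)
        elif section == "shares" and not set(line) <= {"-", "*"}:
            shares.append(line)
    if time is None or path is None:
        raise ValueError("not an Attack History record")
    return AttackRecord(time, path, sessions, shares)

def assess(rec: AttackRecord) -> str:
    """First triage question: was any SMB client connected when the bait was touched?"""
    if not rec.sessions and not rec.shares:
        return ("no-smb-client: smbstatus saw no session, so the bait file was reached by "
                "another path (AFP/NFS client, local process); check that before resetting")
    clients = sorted({row.split()[3] for row in rec.sessions})   # Machine column
    return f"smb-client: {len(rec.sessions)} session(s) from {', '.join(clients)}"
```

An empty session table is exactly what the AFP reports above produce, since netatalk access never shows up in smbstatus; that is the signal to look at the non-SMB path before restoring write access.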


- Added ability to hide the bait files.  Pretty much requires you to stop the service, delete the bait files, then recreate.

- Due to a technical problem, the 4 base bait files in the root folder of each bait share cannot at this time be hidden.

 

Hide "dot" files has to be enabled in Settings - SMB settings for this to work.


Thanks squid, I'm glad you decided to add this, I have been hiding them from the start as mentioned earlier in the thread, is this addition going to affect anything for me as my bait files are already "dot" files? Should I delete my custom bait file directory?


Not quite sure.  The effect of enabling them to be hidden throws a dot in front of the filename.  In your case it would be a double dot.  Personally I would get rid of the dot on your custom files and recreate them.


Hey Squid,

 

First of all great work on the plugin and thank you for sharing all that you do with the community. (I just read a few other posts of yours which helped me out with a couple of other issues)

 

Anyway, I installed this plugin to have a look and had it running for a while. Didn't have any issues but decided i didn't need it right now so i uninstalled the plugin.

One thing has remained and that is the comment section on the disk shares in the Shares tab.

 

I still have:

Read Only Mode. Restore normal settings via Ransomware Protection Settings

But I can't find anywhere to change/remove this.

 

Any ideas?

 

Cheers.


There was a previous bug in the plugin where the SMB settings on the Disk Shares would not properly restore.  Just manually go to the Disk Shares (Shares - Disk) and reset the permissions you had originally (And delete the comment)

I have reset the permissions, no worries. My issue is I can't find anywhere I can remove the comment that the Ransomware plugin has put there.

User shares have a comment section which can be changed in the share settings. I can't find this setting for the Disk shares. Maybe an unRAID thing?


Hmm, never actually noticed, and since I'm using a VM at the moment it's a pain to check (since I can't stop the array to enable disk shares). But, you can edit the file config/disk.cfg on the flash drive (any editor will work) and remove those comments in it manually.

Cool that worked.

 

One thing to note, it changed the comment for all the unassigned disks as well, i.e., Disk 6, Disk 7, Disk 8 and so on, which I don't even have.

Thought I would mention it just in case it wasn't supposed to do that :)


Speed is the issue.  Faster for me to just set all the disks / shares to be read-only rather than try and figure out what's valid or not.

Thought you might say something like that. Thanks again!


No. Didn't get any errors, but the share is still there.

Hmm, not sure that's the command that the program uses. I'm in a hotel tonight but tomorrow I'll look into downgrading one of my servers and trying it. Send me a PM, otherwise I may forget.


Wow, Squid!

 

I jumped in early on this, but uninstalled it while I was migrating my drives from ReiserFS to XFS. I've been following development, but not paying really close attention. I gotta say, this looks fantastic now! I was all kinds of prepared to ask a bunch of configuration questions, but everything is covered very clearly in your help section and the whole thing looks really professional!

 

I do have a few questions for you:

  • Dracula? Why does he get credit? Yes, I read all of the help
  • .mp3 files. If I wanted to add an mp3 file as a bait target, would I just create /config/plugins/ransomware.bait/bait/squidbait.mp3 and all is good?
  • Protecting other computers. If I were to use Unassigned Devices to remote mount the root of my local machine's hard drive as an SMB share, share that from unRAID, then set RP to protect that share too, what do you think the odds are that it would actually work and detect a file deletion? I realize that shutting down the share from the server would NOT protect the local machine from the ransomware running locally on that machine, but it would likely serve to protect the server that much earlier (possibly before the nasty gets to a share), and would be very explicit as to which machine the attack originated from. Obviously, there would be a lot of work to explicitly exclude machine-local directory structures that get updated frequently (\temp, for example - others based on the OS). Your warnings about RP not protecting local machines got me thinking about this.
  • Tabs. What happened to the nice tabbed interface shown in your screen grabs from the OP? I think they're quite a bit nicer than the long scrolling list of options that are available in the 2017.01.01 version I just pulled today. It would bring the help page much closer to the relevant options, as well, thus making it easier to relate the help to the option (minimizing scrolling), and might minimize questions that are covered in the help files (especially if help is always displayed on the tab).

 

Again - FANTASTIC job with this!
