Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Plugin] Ransomware Protection - Deprecated

Featured Replies

How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem.

  • Replies 449
  • Views 115.3k
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • @Squid Fingers crossed he doesn't delete the thread to destroy the evidence..... 

  • I know this thread is positively ancient, but I'm one of the apparently rare few still running this plugin on both my Unraid boxes running v6.11...and just testing it again now due to all the people s

  • It's tailored to unRaid, and takes the approach of waiting for an attack to happen against certain files and when that happens stops all smb write access regardless of how inconvenient that may be to

Posted Images

  • Author

How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem.

I just tried it and it worked no problems.

 

Is it possible there are orphaned files (creation errors) for those folders?  If you'll have to manually delete the files if they are present in there (they aren't monitored).  But, stop the service first to be safe.

 

But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want)

 

They aren't orphans. I can delete them from the settings menu. There are 4 folders in the same parent folder. I set all 4 to be excluded. The 2 with spaces in the name get bait files created when I press the start button. Family stuff right now but I'll grab the logs/files later and post.

I just came across this awesome plugin so I installed it and gave it a shot.  One thing I immediately noticed is that when I delete a movie from my share (of which I do quite often) it triggered the alert and turned off the smb share as it should and alerted me and I chose the appropriate response.  If I am deleting files quite often will this just be what I have to get used to dealing with?

 

How serious is this threat?  I have never had any ransomware virus or anything remotely like that.  I just don't get duped by clicking on stupid links etc.  That being said there is a 12 year old in the house and I have no doubt he would accidentally click on some dumb shi% and get that kind of virus.  I never even really though about any of this affecting my unraid box until I came across this plugin.

  • Author

For your situation, tossing bait files into every folder is not a good thing because of what you're noticing. 

 

As to the severity of the thread I will leave that for you and others to research and decide for themselves.

 

 

 

 

Sent from my LG-D852 using Tapatalk

 

 

How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem.

I just tried it and it worked no problems.

 

Is it possible there are orphaned files (creation errors) for those folders?  If you'll have to manually delete the files if they are present in there (they aren't monitored).  But, stop the service first to be safe.

 

But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want)

 

Can't recreate the issue now.???

Must be operator error.:D

 

 

Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

  • Author

How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space on the name that I couldn't get exculsions to work. Thought maybe it was the space causing the problem.

I just tried it and it worked no problems.

 

Is it possible there are orphaned files (creation errors) for those folders?  If you'll have to manually delete the files if they are present in there (they aren't monitored).  But, stop the service first to be safe.

 

But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want)

 

Can't recreate the issue now.???

Must be operator error.:D

 

 

Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

One situation I honestly never checked out.  I'll look into it

 

Sent from my LG-D852 using Tapatalk

 

 

You were looking at the first incarnation, meanwhile code is corrected.

 

Sorry for linking to the initial checkin and not the latest!  I didn't realize it had been updated.

 

Thanks for sorting it out :P

  • Author

Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.

Updated to handle this, but in my testing, there is zero problems with creating to hidden folders.  (But, if a file creation error happens (and the file is in the folder), the error will continually rehappen because subsequent creations will think that the file is a pre-existing and valid file -> you will have to manually delete the file(s) if they exist and are file creation errors.

 

IE: Stop the service, delete the bait files.  Any bait files still existing on the array were probably orphaned via the original version of this plugin, and can now be safely removed.  Subsequent creations should succeed.

 

 

The exclude hidden folders options defaults to NOT exclude them.

Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).

  • Author

Ah  I see.  I automatically excluded appdata and CA backup folders because I knew bait would get triggered in there and I don't use the recycle bin plugin so never thought about it...

 

I'll automatically exclude that tomorrow

 

Sent from my SM-T560NU using Tapatalk

 

 

  • Author

Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).

done with today's update.  Any and all .Recycle.Bin folders are automatically excluded no matter what.  If there are bait files sitting within them right now however, you are going to have to stop the service, and delete the files, and then start the service back up again.

For some reason, since the last update, my shares all got locked after I tried accessing one of them through AFP. After making sure it was safe to do so, I clicked the lock to remove the set permissions. Unfortunately though, all of my shares and drives are still locked as the evidence shows here: https://gyazo.com/8ace667bfe6d256249e39375f82ec8ea . All of my docker containers are down, the interface is pretty slow, Unraid is unusable. I tried manually locking and unlocking again, but no joy. Please assist.

 

Diagnostics attached. Many thanks in advance.

 

EDIT: FCP is reporting the following: https://gyazo.com/0ea8b65802771e412bc3cd30bf200cde . The cache consists of two RAID0 BTRFS devices and is most definitely not full: https://gyazo.com/8c71225e2b0c5105552bfc2a90ca491b .

 

EDIT2: it looks like I am able to write on every disk, except for the cache.

 

EDIT3: after running the mover, I'm able to write again. It might be a big coincidence that this occurred after everything got locked down. Unraid is reporting plenty of space left though, so I'm not sure why this is not the case...

ziggy_unraid-diagnostics-20161107-1954.zip

  • Author

Your docker.img file is completely trashed, and needs to be deleted and recreated.

 

Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and over wrote the backup of the share.cfg files (which is why restoring normal access is doing nothing).  If might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt  which will at least let me see the times that the system tripped.  I have been looking at handling the backups of the normal share settings a little different.

 

As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be.

 

FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less that the free space available.

 

But the docker problem, and the cache would be separate issues from RP

 

Your docker.img file is completely trashed, and needs to be deleted and recreated.

 

Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and over wrote the backup of the share.cfg files (which is why restoring normal access is doing nothing).  If might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt  which will at least let me see the times that the system tripped.  I have been looking at handling the backups of the normal share settings a little different.

 

As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be.

 

FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less that the free space available.

 

But the docker problem, and the cache would be separate issues from RP

 

Recreating the Docker image did indeed seem to have resolved the issue. Unfortunately I cannot share the statusfile since I reinstalled the plugin to see if that would fix the permissions:(. I'll look into why the cache drive was acting up, I agree that this was probably a coincidence and has nothing to do with RP.

 

Cheers!

So lets say I installed this, configured everything then I did what it told me not to and deleted a file which tripped the protection so inadvertently I tested it on my system lol.  Now I have the Ransomware plugin set up properly but after the initial trip my /appdata/dowloads/ folder share on my ssd drive wont allow me to delete anything via windows (my downloads folder where i do a lot of renaming, deleting etc) but deleting things in MC works fine and none of my dockers are having any issues moving or renaming files.  Also, when I go to my shares tab in Unraid under disk shares it says they are all "read only mode. restore normal settings via Ransomware protection settings".  I am not sure how to un-do what I have done.

You will always be able to delete via MC as that's direct access rather than SMB.  What you're describing is read only access to the shares.  Just go to the plugin page and a popup will ask if you want to restore SMB permissions.

I had done that but unfortunately the problem still persists and it constitutes to say my shares are read only even after I clicked restore smb permissions on the popup.

I had done that but unfortunately the problem still persists and it constitutes to say my shares are read only even after I clicked restore smb permissions on the popup.

 

Tried stopping and starting the Ransomware service?

As in stop and restart the plugin?  Yes, I have rebooted the Unraid box a few times and the problem persists.  Right now it is as if it has never been tripped.  I can click the lock to set everything to read only, then click to restore permissions but it continues to stay read only seemingly only in /appdata/downloads

As in stop and restart the plugin?  Yes, I have rebooted the Unraid box a few times and the problem persists.  Right now it is as if it has never been tripped.  I can click the lock to set everything to read only, then click to restore permissions but it continues to stay read only seemingly only in /appdata/downloads

 

Have you tried disconnecting your client machine and reconnecting?

As in the laptop I use to connect toe the unraid box?  If so then yes.  This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out.

As in the laptop I use to connect toe the unraid box?  If so then yes.  This has been going on for a week or two now, I just now have some time to sit and try to get it sorted out.

 

Post a screenshot of the plugin screen and the logs from the same screen.

Is that what you are after my good person? :)

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.