[Plugin] Ransomware Protection - Deprecated


Squid


How do I exclude a folder with a space in the name?

Nothing special required.  Just include the space in the name eg: /mnt/user/Movies/BluRay Movies,/mnt/user/Downloads

Have 2 folders with a space in the name that I couldn't get exclusions to work. Thought maybe it was the space causing the problem.



I just tried it and it worked no problems.

 

Is it possible there are orphaned files (creation errors) for those folders?  If so, you'll have to manually delete the files if they are present in there (they aren't monitored).  But, stop the service first to be safe.

 

But, you can always upload your diagnostics (actually only need the syslog), and /boot/config/plugins/ransomware.bait/filelist, and the settings.ini file (or PM if you want)

 


I just came across this awesome plugin so I installed it and gave it a shot.  One thing I immediately noticed is that when I delete a movie from my share (of which I do quite often) it triggered the alert and turned off the smb share as it should and alerted me and I chose the appropriate response.  If I am deleting files quite often will this just be what I have to get used to dealing with?

 

How serious is this threat?  I have never had any ransomware virus or anything remotely like that.  I just don't get duped by clicking on stupid links etc.  That being said there is a 12 year old in the house and I have no doubt he would accidentally click on some dumb shi% and get that kind of virus.  I never even really thought about any of this affecting my unraid box until I came across this plugin.


For your situation, tossing bait files into every folder is not a good thing because of what you're noticing. 

 

As to the severity of the threat I will leave that for you and others to research and decide for themselves.



 

Can't recreate the issue now.???

Must be operator error.:D

 

 

Any chance hidden folders could be excluded by default? I'm seeing lots of bait file creation errors, all for hidden folders.



One situation I honestly never checked out.  I'll look into it

 



Updated to handle this, but in my testing, there are zero problems with creating in hidden folders.  (But, if a file creation error happens (and the file is in the folder), the error will continually recur because subsequent creations will think that the file is a pre-existing and valid file -> you will have to manually delete the file(s) if they exist and are file creation errors.)

 

IE: Stop the service, delete the bait files.  Any bait files still existing on the array were probably orphaned via the original version of this plugin, and can now be safely removed.  Subsequent creations should succeed.

 

 

The exclude hidden folders option defaults to NOT exclude them.
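As an added illustration (not the plugin's own code) of the mechanics discussed in this thread: comma-separated exclusions that may contain spaces, always-excluded .Recycle.Bin folders, the optional hidden-folder exclusion, and why a leftover bait file from an earlier creation error must be told apart from a valid one instead of being trusted. The bait filename and content are assumptions.

```python
import hashlib
import os

BAIT_NAME = "ransomware.bait.txt"                 # hypothetical bait filename
BAIT_BODY = b"canary - do not modify or delete\n"  # constructed bait content
BAIT_HASH = hashlib.sha256(BAIT_BODY).hexdigest()
ALWAYS_EXCLUDED = {".Recycle.Bin"}                # skipped no matter what

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_exclusions(text):
    # Comma-separated paths; a space inside a path needs no quoting
    return [p.strip() for p in text.split(",") if p.strip()]

def is_excluded(path, root, exclusions, skip_hidden):
    norm = os.path.normpath(path)
    rel = os.path.relpath(norm, root)
    parts = [] if rel == "." else rel.split(os.sep)
    if any(p in ALWAYS_EXCLUDED for p in parts):
        return True
    if skip_hidden and any(p.startswith(".") for p in parts):
        return True
    ex = [os.path.normpath(e) for e in exclusions]
    return any(norm == e or norm.startswith(e + os.sep) for e in ex)

def place_bait(root, exclusions, skip_hidden=False):
    """Create one bait file per directory; return ({path: sha256}, orphans).
    A pre-existing file with the wrong content is reported, not trusted."""
    filelist, orphans = {}, []
    for dirpath, dirnames, _ in os.walk(root):
        if is_excluded(dirpath, root, exclusions, skip_hidden):
            dirnames[:] = []          # do not descend into excluded trees
            continue
        target = os.path.join(dirpath, BAIT_NAME)
        if os.path.exists(target) and sha256_of(target) != BAIT_HASH:
            orphans.append(target)    # leftover from an earlier creation error
            continue
        if not os.path.exists(target):
            with open(target, "wb") as f:
                f.write(BAIT_BODY)
        filelist[target] = BAIT_HASH
    return filelist, orphans

def check_bait(filelist):
    """Return every recorded bait file that is missing or altered (a trip)."""
    return [p for p, d in filelist.items()
            if not os.path.exists(p) or sha256_of(p) != d]
```

Orphans reported by `place_bait` are the files the thread says must be deleted by hand with the service stopped; a real monitor would act on a non-empty `check_bait` result by locking the shares.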


Ah  I see.  I automatically excluded appdata and CA backup folders because I knew bait would get triggered in there and I don't use the recycle bin plugin so never thought about it...

 

I'll automatically exclude that tomorrow

 


Thanks. There was one hidden folder in particular that I was worried about, .Recycle.Bin, since any bait files would get deleted by the plugin (I think??).

done with today's update.  Any and all .Recycle.Bin folders are automatically excluded no matter what.  If there are bait files sitting within them right now however, you are going to have to stop the service, and delete the files, and then start the service back up again.

For some reason, since the last update, my shares all got locked after I tried accessing one of them through AFP. After making sure it was safe to do so, I clicked the lock to remove the set permissions. Unfortunately though, all of my shares and drives are still locked as the evidence shows here: https://gyazo.com/8ace667bfe6d256249e39375f82ec8ea . All of my docker containers are down, the interface is pretty slow, Unraid is unusable. I tried manually locking and unlocking again, but no joy. Please assist.

 

Diagnostics attached. Many thanks in advance.

 

EDIT: FCP is reporting the following: https://gyazo.com/0ea8b65802771e412bc3cd30bf200cde . The cache consists of two RAID0 BTRFS devices and is most definitely not full: https://gyazo.com/8c71225e2b0c5105552bfc2a90ca491b .

 

EDIT2: it looks like I am able to write on every disk, except for the cache.

 

EDIT3: after running the mover, I'm able to write again. It might be a big coincidence that this occurred after everything got locked down. Unraid is reporting plenty of space left though, so I'm not sure why this is not the case...

ziggy_unraid-diagnostics-20161107-1954.zip


Your docker.img file is completely trashed, and needs to be deleted and recreated.

 

Unfortunately, the syslog doesn't go back to where ransomware tripped, so I can't tell you why it did a "double trip" and overwrote the backup of the share.cfg files (which is why restoring normal access is doing nothing).  It might be helpful if you post the contents of boot/config/plugins/ransomware.bait/smbStatusFile.txt which will at least let me see the times that the system tripped.  I have been looking at handling the backups of the normal share settings a little differently.

 

As to the solution, because the backup files don't exist, you've got to reset the user permissions on those shares to what they should be.

 

FCP was definitely failing on writing to the cache drive, and complaining that the cacheFloor setting is less than the free space available.

 

But the docker problem, and the cache would be separate issues from RP

 


 

Recreating the Docker image did indeed seem to have resolved the issue. Unfortunately I cannot share the statusfile since I reinstalled the plugin to see if that would fix the permissions:(. I'll look into why the cache drive was acting up, I agree that this was probably a coincidence and has nothing to do with RP.

 

Cheers!


 

- Fixed: Prevent a second trip of the monitoring from making another copy of the backup share configs while in read-only mode.  (This is a situation most likely caused by misconfiguration of the placement of the files and having them put into a folder (such as Downloads) that are likely to be deleted)


So let's say I installed this, configured everything then I did what it told me not to and deleted a file which tripped the protection so inadvertently I tested it on my system lol.  Now I have the Ransomware plugin set up properly but after the initial trip my /appdata/downloads/ folder share on my ssd drive won't allow me to delete anything via windows (my downloads folder where i do a lot of renaming, deleting etc) but deleting things in MC works fine and none of my dockers are having any issues moving or renaming files.  Also, when I go to my shares tab in Unraid under disk shares it says they are all "read only mode. restore normal settings via Ransomware protection settings".  I am not sure how to un-do what I have done.


As in stop and restart the plugin?  Yes, I have rebooted the Unraid box a few times and the problem persists.  Right now it is as if it has never been tripped.  I can click the lock to set everything to read only, then click to restore permissions but it continues to stay read only seemingly only in /appdata/downloads


Have you tried disconnecting your client machine and reconnecting?
