##############################
# FSRM_NoCrypto_2008.ps1 #
# W2008 and 2008R2 #
# may work on 2003R2 #
# David ANDE # #
# GNU GENERAL PUBLIC LICENSE #
##############################
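# PowerShell 3 or higher is required (Invoke-WebRequest, [PSCustomObject]).
# This script is not compatible with PowerShell v2.
# The check is done at runtime so the message matches the script's own
# output format; exit code 1 lets a scheduled task record the failure
# instead of reporting success for a run that did nothing.
$powershellVer = $PSVersionTable.PSVersion.Major
if ($powershellVer -le 2) {
    Write-Host "`n####"
    Write-Host "ERROR: PowerShell v3 or higher required."
    exit 1
}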
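########## VARIABLES TO MODIFY #############
# $wkdir: working directory that holds this script, extensions.old (the list
# applied by the previous run) and ext_to_accept.txt (extensions that must
# never be blocked, one per line). Keep it outside any shared path.
$wkdir = "C:\FSRMNOCRYPTO"
# $url: where the ransomware extension list is downloaded from.
# Keep the https:// scheme: the downloaded entries become file-screen
# patterns with no review other than ext_to_accept.txt, so the transport
# integrity of this list matters. Don't change it unless you know what
# you are doing.
$url = "https://fsrm.experiant.ca/api/v1/get"
###########################################
# Paths to exclude from FSRM blocking (wildcard patterns, matched with -notlike):
#   "C:\share"   one specific share
#   "D:\shar*"   every share on D: whose path starts with "shar"
#   "E:\*"       every share on E:
#   "D:\*shar*"  every share on D: whose path contains "shar"
# Leave the value "0" when there is nothing to exclude. One pattern per
# variable, so only two exclusions for the moment :-)
# ex: $drive_exclu1 = "C:\Windows*"
$drive_exclu1 = "0"
$drive_exclu2 = "0"
#############################################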
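# Make sure extensions.old exists and is not empty. The Compare-Object below
# rejects a null reference list, so on the first run a placeholder line is
# seeded; it is unlikely to match a real extension pattern and is replaced
# when the first downloaded list is applied at the end of the script.
$oldList = "$wkdir\extensions.old"
if (Test-Path $oldList) {
    Write-Host "extensions.old found"
} else {
    New-Item -ItemType "file" $oldList | Out-Null
    Add-Content -Path $oldList -Value "exemple"
}
# Length of a FileInfo is its size in bytes; 0 means the file exists but is empty.
$taille = (Get-Item $oldList).Length
if ($taille -lt 1) {
    Add-Content -Path $oldList -Value "exemple"
    Write-Host "Extensions.old fixed"
} else {
    Write-Host "extensions.old not empty Good"
}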
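# Download the current extension list and stop early when it is identical
# to the one applied by the previous run (extensions.old).
try {
    # -UseBasicParsing avoids the Internet Explorer engine dependency of the
    # Windows PowerShell 3-5 web cmdlets (a fresh server may not have IE's
    # first-run configuration done); it is a no-op on newer versions.
    Invoke-WebRequest -Uri $url -OutFile "$wkdir\extensions.txt" -UseBasicParsing
    $dif = Compare-Object -ReferenceObject $(Get-Content "$wkdir\extensions.txt") -DifferenceObject $(Get-Content "$wkdir\extensions.old")
    if (!$dif) {
        Write-Host "`n####"
        Write-Host "No new extensions to apply - Quit"
        Remove-Item "$wkdir\extensions.txt"
        exit 0
    }
} catch {
    # Any failure here (download, empty file, unreadable list) means the rule
    # set cannot be refreshed safely: remove the partial download and stop
    # with a non-zero exit code. The previous version only exited when no
    # file had been left behind, so a partial download continued into the
    # apply phase.
    Write-Host "`n####"
    Write-Host "Remote extension list Offline - Quit"
    Write-Host $_.Exception.Message
    if (Test-Path "$wkdir\extensions.txt") {
        Remove-Item "$wkdir\extensions.txt"
    }
    exit 1
}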
################################ Functions ################################
<#
.SYNOPSIS
    Deserialises JSON text with the .NET JavaScriptSerializer.
.DESCRIPTION
    Wraps System.Web.Script.Serialization.JavaScriptSerializer. The result is
    returned behind a unary comma so that a top-level JSON array is handed
    back as one object instead of being unrolled by the pipeline.
.PARAMETER obj
    The JSON text to deserialise.
#>
function ConvertFrom-Json20([Object] $obj)
{
    Add-Type -AssemblyName System.Web.Extensions
    $jsonSerializer = New-Object -TypeName System.Web.Script.Serialization.JavaScriptSerializer
    $deserialized = $jsonSerializer.DeserializeObject($obj)
    return ,$deserialized
}
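<#
.SYNOPSIS
    Splits a list of extension patterns into chunks small enough for filescrn.exe.
.DESCRIPTION
    The extensions are sorted and de-duplicated, then grouped so that each
    group, joined with a one-character separator, stays within $MaxLength
    characters (the script's own comment documents a 4 KB limit on the
    /Members: argument of filescrn.exe).
    One [PSCustomObject] per group is emitted with:
      index          1-based group number
      FileGroupName  $Script:FileGroupName followed by the index
      array          the extensions in that group
    The final group is always emitted, so an empty or null $Extensions
    yields a single group with an empty array.
.PARAMETER Extensions
    Extension patterns to group. Duplicates are dropped and the list is sorted.
.PARAMETER MaxLength
    Character budget per group, separators included. Defaults to 4000,
    the value that was previously hard-coded.
#>
Function New-CBArraySplit
{
    param(
        $Extensions,
        [int] $MaxLength = 4000
    )
    $Extensions = $Extensions | Sort-Object -Unique
    $workingArray = @()
    $WorkingArrayIndex = 1
    $LengthOfStringsInWorkingArray = 0
    foreach ($ext in $Extensions) {
        # +1 accounts for the separator that will join this item to the group
        if (($LengthOfStringsInWorkingArray + 1 + $ext.Length) -gt $MaxLength) {
            # This item would push the group past the budget: emit the group,
            # then start a new one containing only the current item.
            [PSCustomObject]@{
                index         = $WorkingArrayIndex
                FileGroupName = "$Script:FileGroupName$WorkingArrayIndex"
                array         = $workingArray
            }
            $workingArray = @($ext)
            $LengthOfStringsInWorkingArray = $ext.Length
            $WorkingArrayIndex++
        } else {
            $workingArray += $ext
            $LengthOfStringsInWorkingArray += (1 + $ext.Length)
        }
    }
    # Nothing pushes the last (or only) group past the budget, so emit it here.
    [PSCustomObject]@{
        index         = $WorkingArrayIndex
        FileGroupName = "$Script:FileGroupName$WorkingArrayIndex"
        array         = $workingArray
    }
}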
################################ Functions ################################
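# Collect the root path of every disk share on this host.
# Win32_Share Type 0 = disk drive share, 2147483648 = administrative disk
# share (e.g. C$). The previous regex '0|2147483648' was unanchored and so
# also matched any other type value containing a 0 digit.
$drivesContainingShares = @(Get-WmiObject Win32_Share |
    Where-Object { $_.Type -eq 0 -or $_.Type -eq 2147483648 } |
    Select-Object -ExpandProperty Path |
    Select-Object -Unique)
# $null must be on the left: with an array on the right, "-eq $null" filters
# the array instead of testing it and the check silently passes.
if ($null -eq $drivesContainingShares -or $drivesContainingShares.Count -eq 0) {
    Write-Host "No drives containing shares were found. Exiting.."
    Remove-Item "$wkdir\extensions.txt"
    exit
}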
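# Apply the exclusion patterns from the configuration section.
# drivesbase.txt keeps the unfiltered list on disk for inspection; it is
# overwritten rather than appended so an aborted run cannot leave stale entries.
# (The previous version misspelt $drive_exclu2 and assigned the result of the
# two-pattern branch to a different variable name, so any run with a second
# exclusion ended with an empty share list.)
$drivesContainingShares = @($drivesContainingShares)
Set-Content -Path "$wkdir\drivesbase.txt" -Value $drivesContainingShares
foreach ($pattern in @($drive_exclu1, $drive_exclu2)) {
    if ($pattern -ne '0') {
        # -notlike: wildcard match, e.g. "D:\shar*" or "E:\*"
        $drivesContainingShares = @($drivesContainingShares | Where-Object { $_ -notlike $pattern })
    }
}
Write-Host "Shared filtered"
if ($null -eq $drivesContainingShares -or $drivesContainingShares.Count -eq 0) {
    # Every share was excluded: nothing to protect, but keep the downloaded
    # list as extensions.old so the next run does not re-process it.
    Write-Host "No drives containing shares were found. Exiting.."
    Copy-Item "$wkdir\extensions.txt" "$wkdir\extensions.old"
    Remove-Item "$wkdir\drivesbase.txt"
    Remove-Item "$wkdir\extensions.txt"
    Write-Output "finish"
    exit
}
Write-Host "The following shares needing to be protected: $($drivesContainingShares -Join ",")"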
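# Names of the FSRM objects this script owns. The file groups and the
# template are deleted and re-created on every run by the filescrn.exe calls
# below, so do not reuse these names for hand-made FSRM objects.
$fileGroupName = 'CryptoBlocker_extensions'   # prefix; New-CBArraySplit appends the group index
$fileTemplateName = 'CryptoBlocker_Template'
$fileScreenName = 'Crypto_Blocker_Filter'     # not referenced in this script; kept for compatibility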
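# Download the list again as JSON, keep the entries of its "filters" field,
# and drop every pattern listed in ext_to_accept.txt (the local allow-list).
# The old method used System.Net.WebClient.DownloadString; Invoke-WebRequest
# needs PowerShell 3, which the version check at the top guarantees.
# The remaining entries are applied as file-screen patterns with no further
# validation, so extsbase.txt is kept on disk until the end of the run for
# inspection if shares become unexpectedly blocked.
$acceptList = "$wkdir\ext_to_accept.txt"
if (-not (Test-Path $acceptList)) {
    # Without the allow-list the comparison below would throw and the
    # failure would be reported as a download problem, which is misleading.
    Write-Host "`n####"
    Write-Host "Missing $acceptList (one extension pattern per line) - Quit"
    Remove-Item "$wkdir\drivesbase.txt"
    Remove-Item "$wkdir\extensions.txt"
    exit 1
}
try {
    # .Content is the response body as text; -UseBasicParsing avoids the
    # Internet Explorer engine dependency of the Windows PowerShell 3-5 cmdlets.
    $jsonStr = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $monitoredExtensions = @(ConvertFrom-Json20 $jsonStr | ForEach-Object { $_.filters })
    # Overwrite, not append: an earlier aborted run must not leak old entries
    # into this one.
    Set-Content -Path "$wkdir\extsbase.txt" -Value $monitoredExtensions
    $accepted = @(Get-Content $acceptList)
    if ($accepted.Count -gt 0) {
        # SideIndicator "<=" keeps the entries present in the download only,
        # i.e. everything that is not explicitly accepted.
        $ext_filter = @(Compare-Object $monitoredExtensions $accepted -IncludeEqual |
            Where-Object { $_.SideIndicator -eq "<=" } |
            Select-Object -ExpandProperty InputObject)
    } else {
        # An empty allow-list would make Compare-Object throw; nothing to remove.
        $ext_filter = $monitoredExtensions
    }
} catch {
    Write-Host "`n####"
    Write-Host "Remote extension list Offline - Quit"
    Write-Host $_.Exception.Message
    Remove-Item "$wkdir\drivesbase.txt"
    Remove-Item "$wkdir\extensions.txt"
    exit 1
}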
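# Split the remaining extensions into file groups of less than 4 KB each so
# that filescrn.exe accepts the /Members: argument.
$ext_filter = @($ext_filter)
if ($ext_filter.Count -eq 0) {
    # Nothing left after the allow-list: do not create an empty file group
    # (filescrn.exe would be called with an empty /Members: value). The
    # previously applied groups and screens are left untouched.
    Write-Host "`n####"
    Write-Host "No extensions left to block after applying ext_to_accept.txt - Quit"
    Copy-Item "$wkdir\extensions.txt" "$wkdir\extensions.old"
    Remove-Item "$wkdir\drivesbase.txt"
    Remove-Item "$wkdir\extsbase.txt"
    Remove-Item "$wkdir\extensions.txt"
    exit
}
$fileGroups = @(New-CBArraySplit $ext_filter)
# (The previous loop that "added" fileGroupName here was empty: the group
# objects already carry FileGroupName from New-CBArraySplit.)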
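# Perform these steps for each of the 4KB-limit split file groups
foreach ($group in $fileGroups) {
    Write-Host "`n####"
    Write-Host "Adding/replacing File Group [$($group.fileGroupName)] with monitored file [$($group.array -Join ",")].."
    # Delete first so a re-run replaces the group instead of colliding with
    # the existing one; /Quiet suppresses the confirmation prompt. Delete is
    # expected to fail on the very first run, when the group does not exist.
    & filescrn.exe filegroup Delete "/Filegroup:$($group.fileGroupName)" /Quiet
    & filescrn.exe Filegroup Add "/Filegroup:$($group.fileGroupName)" "/Members:$($group.array -Join '|')"
    if ($LASTEXITCODE -ne 0) {
        # Do not abort: the remaining groups and the screens are still worth
        # applying, but make the failure visible to the operator.
        Write-Warning "filescrn.exe returned $LASTEXITCODE while adding file group [$($group.fileGroupName)]"
    }
}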
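# Recreate the screen template and the notification settings file.
# (The previous message referred to $cmdConfFilename, which is never set in
# this script; only the event notification from notification.cfg is used.)
Write-Host "Adding/replacing File Screen Template [$fileTemplateName] with Event Notification [notification.cfg].."
& filescrn.exe Template Delete /Template:$fileTemplateName /Quiet
# The file does not exist in a fresh $wkdir; removing it must not print an error.
Remove-Item "$wkdir\notification.cfg" -ErrorAction SilentlyContinue
# NOTE(review): this pause predates the current revision; presumably it gives
# filescrn.exe time to finish the template deletion before the new one is
# added — confirm whether it is still needed.
Start-Sleep -Seconds 3
New-Item "$wkdir\notification.cfg" -type file | Out-Null
# The values are written byte-for-byte as before (the leading `n yields a
# blank line between entries).
Add-Content "$wkdir\notification.cfg" "Notification=e"
Add-Content "$wkdir\notification.cfg" "`nRunLimitInterval=30"
Add-Content "$wkdir\notification.cfg" "`nMessage=User [Source Io Owner] attempted to save [Source File Path] to [File Screen Path] on the [Server] server. This file is in the [Violated File Group] file group. This file could be a marker for malware infection, and should be investigated immediately."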
# Build the filescrn.exe argument list: the template name, one /Add-Filegroup
# entry per file group, then the event notification read from notification.cfg.
$screenArgs = @('Template', 'Add', "/Template:$fileTemplateName")
foreach ($group in $fileGroups) {
    Write-Host "`n####"
    $screenArgs += "/Add-Filegroup:$($group.fileGroupName)"
}
& filescrn.exe $screenArgs /Add-Notification:"e,$wkdir\notification.cfg"
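# Attach the template to every share root that survived the exclusions.
# (The previous message started with a stray backtick, which PowerShell
# silently dropped.)
foreach ($sharePath in $drivesContainingShares) {
    Write-Host "`n####"
    Write-Host "Adding/replacing File Screen for [$sharePath] with Source Template [$fileTemplateName].."
    & filescrn.exe Screen Delete "/Path:$sharePath" /Quiet
    & filescrn.exe Screen Add "/Path:$sharePath" "/SourceTemplate:$fileTemplateName"
    if ($LASTEXITCODE -ne 0) {
        # Keep going for the other shares, but say clearly which one is unprotected.
        Write-Warning "filescrn.exe returned $LASTEXITCODE while adding the screen for [$sharePath]; that share is NOT protected"
    }
}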
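# Keep the list that was just applied as extensions.old so the next run can
# detect whether the remote list changed (see the Compare-Object near the top).
# The previous version tested "extension.old" (a typo) and, had the test ever
# matched, would have deleted the old list instead of refreshing it, forcing
# a full re-apply on every run. Overwrite unconditionally instead.
Copy-Item "$wkdir\extensions.txt" "$wkdir\extensions.old" -Force
foreach ($tmp in 'drivesbase.txt', 'extsbase.txt', 'extensions.txt') {
    # Temporary files; some may already be gone if an earlier step exited.
    Remove-Item "$wkdir\$tmp" -ErrorAction SilentlyContinue
}
Write-Host "Done"
exit 0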