{"id":23867148,"url":"https://github.com/davidande/fsrm-anticrypto","last_synced_at":"2025-09-08T15:32:07.547Z","repository":{"id":261298064,"uuid":"70315369","full_name":"davidande/FSRM-ANTICRYPTO","owner":"davidande","description":"Protect servers against crypto attacks","archived":false,"fork":false,"pushed_at":"2023-03-30T11:05:30.000Z","size":1081,"stargazers_count":18,"open_issues_count":4,"forks_count":4,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-05T19:43:39.523Z","etag":null,"topics":["crypto-attacks","fsrm","powershell","ransomware-prevention"],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/davidande.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-08T08:10:23.000Z","updated_at":"2024-10-06T17:27:26.000Z","dependencies_parsed_at":"2024-11-05T20:01:27.269Z","dependency_job_id":null,"html_url":"https://github.com/davidande/FSRM-ANTICRYPTO","commit_stats":null,"previous_names":["davidande/fsrm-anticrypto"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidande%2FFSRM-ANTICRYPTO","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidande%2FFSRM-ANTICRYPTO/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidande%2FFSRM-ANTICRYPTO/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/davidande%2FFSRM-ANTICRYPTO/manifests","owner_url":"https://repos
.ecosyste.ms/api/v1/hosts/GitHub/owners/davidande","download_url":"https://codeload.github.com/davidande/FSRM-ANTICRYPTO/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":232320264,"owners_count":18504976,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto-attacks","fsrm","powershell","ransomware-prevention"],"created_at":"2025-01-03T10:16:20.949Z","updated_at":"2025-01-03T10:16:21.724Z","avatar_url":"https://github.com/davidande.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FSRM-ANTICRYPTO\r\nProtect servers against crypto attacks\r\n\r\n\r\nUse FSRM-ANTICRYPTO to protect your Windows file servers against crypto attacks and keep the Crypto file group extensions up to date.\r\nA very complete list of extensions used by ransomware is maintained by experiant.ca with information provided by the community. Check it at https://fsrm.experiant.ca.\r\nConfiguring FSRM makes it impossible for users to write files with forbidden extensions, so we use FSRM to prevent encrypted files from being saved, since the extension used by the crypto process is known.\r\n**Those scripts and how-to are given as is. Use at your own risk. I will take no responsibility for that.**\r\nThis work is heavily based on Kinomakino and @github.com/nexxai on GitHub. 
Big hug!\r\nAlso thanks to Jpelectron who gave me the idea to go further.\r\nThe list is now maintained by others: https://github.com/DFFspace\r\n \r\n# So What!\r\n- Update the list of banned extensions (through a scheduled task or manually)\r\n- Configure the extensions list and template and apply them to shares\r\n- Possibility to exclude extensions from the blocked list (false positives)\r\n- Possibility to exclude shares (for example specific shares such as a USB dongle...)\r\n- Possibility to stop all shares when an attack is detected and/or write an event\r\n- Possibility to delete passive FSRM screens\r\n\r\n# Install\r\n\r\nFirst of all you need at least PowerShell V3 installed\r\n- https://blog.adsl2meg.fr/installer-powershell-3-sur-windows-server-2008-r2/ \r\nand check the web for other server versions\r\n\r\nWithout PowerShell V3 or higher, the script will end\r\n\r\nIf you want a newer version of PowerShell you can install 5.1\r\nhttps://blog.adsl2meg.fr/installer-powershell-5-1-sur-windows-server-2008-r2-2012-ou-2012-r2/\r\n\r\n\r\n## 1- Install of FSRM Role\r\nInstall FSRM on your server: Add Role -\u003e File Services -\u003e File Server Resource Manager.\r\nAs the Windows file system is sometimes configured to be case sensitive, you have to\r\nconfigure it by checking that **HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel obcaseinsensitive is set to 1**\r\n\r\n**After installation of the FSRM role on a VM it's important to reboot about 2 times**, otherwise some PowerShell commands will not be active.\r\n\r\n## 2- Install of script\r\nDownload FSRMNOCRYPTO.ZIP and unzip only the files to C:\\FSRMNOCRYPTO so that C:\\FSRMNOCRYPTO contains:\r\n- FSRM_NOCRYPTO_2008.ps1 -\u003e to be used with Windows Server 2008 and 2008 R2 (and in some cases 2012)\r\n- FSRM_NOCRYPTO_2012_to_2022.ps1 -\u003e to be used with Windows Server 2012, 2012 R2, 2016, 2019 and 2022\r\n- share_to_accept.txt -\u003e used to input all shares that will bypass the filtering\r\n- ext_to_accept.txt -\u003e used 
to input all the extensions that are in the blocked list but you want to accept\r\n- ext_to_exclude.txt -\u003e used to input all the extensions that are NOT in the blocked list but you want to block (not working for W2008)\r\n- Readme.md -\u003e this file\r\n- Licence\r\n\r\n## 3- Running the script\r\nFirst check that .NET and ASP.NET are installed (check the installed features)\r\nSecond, check Set-ExecutionPolicy to allow execution of unsigned scripts (Bypass or RemoteSigned)\r\nStart the script in a PowerShell session with admin rights.\r\nThe first time you should see some errors. No problem, they are only caused by deleting objects that are not yet created.\r\nTo check that everything is OK, just empty extensions.old and launch the script again. This time you should see no error.\r\n\r\n## 4- Shares and extensions exclusion\r\nAs some programs use certain types of extension that are known to be in the ransomware list, you can put the list of extensions that should bypass the FSRM blocking filter in the file ext_to_accept.txt\r\nFor shares do the same in share_to_accept.txt.\r\n\r\n## 5- Task to update the list of extensions\r\nThis script can be added as a task to check for newer versions of the extensions list:\r\nprogram: **c:\\windows\\system32\\windowsPowerShell\\v1.0\\Powershell.exe**\r\nArguments to add: **-noprofile  -executionpolicy Unrestricted -file \"where is this script\" default \"C:\\FSRMNOCRYPTO\\FSRM_NOCRYPTO_20XXX.ps1\"**.\r\n\r\nThe task must be launched at least twice a day. In my case I made a task every hour.\r\n\r\nYou can check that it works by renaming a file in a share, just change the extension, for example test.doc -\u003e test.tron\r\nit will be forbidden.\r\nYou can also follow all attempts in the event log.\r\n\r\nFor maintenance, if you want to stop the FSRM service: **Stop-Service SrmSvc**\r\n\r\n## 6- Passive FSRM screens\r\nFSRM cannot be used on administrative shares. 
It will only publish an event in the event log.\r\nAs it is just informational, I give the choice to use or not use passive FSRM screens.\r\nIf you want to ignore passive screens, just change line 41 in the script:\r\n$delpassive = \"0\" and set it to **$delpassive = \"1\"**  (default is 1)\r\n\r\n\r\n# Sources #\r\nhttps://github.com/kinomakino/ransomware_file_extensions/blob/master/anti_ransomware.ps1\r\n\r\nhttps://fsrm.experiant.ca/\r\n\r\nhttp://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm\r\n\r\n# IF ERRORS!!! #\r\nPost an issue, I should know some way to make it work for you\r\n\r\n1- make sure to launch Internet Explorer one time on the server and choose the parameters when asked (the default works)\r\n\r\n2- if you just installed the FSRM role, reboot the server\r\n\r\n3- always run the script as an administrator\r\n\r\n4- reboot about 2 times after FSRM installation on a Windows virtual machine (don't ask me why!!!)\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidande%2Ffsrm-anticrypto","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidande%2Ffsrm-anticrypto","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidande%2Ffsrm-anticrypto/lists"}