Request: Script to monitor file encryptions on a path and kill the connection if any

Hi,

A customer is in need of a solution for possible ransomware attacks that are originated from unprotected endpoints that may have write access to some folder on protected endpoints.

A script to monitor file operations on a given folder that'll:

Create a backup of a deleted file at a given folder
When a file is created in this protected folder, the script should check if the file itself is encrypted or not.
If it is encrypted, it will block the operation and trigger the alarm, and log all relevant information, including which user (IP address etc., whatever and whenever is applicable) created this encrypted file.
If possible, it should be optionally possible to ignore password protected files such as zip, rar, word etc.

Note: capabilities within this script can be utilized to lower the time needed for this, I guess: https://scripts.comodo.com/frontend/web/topic/generate-an-alert-if-the-file-created-removed-and-modified-on-network-share

Can you comment on the possibility of such a script as well?

Best Wishes
Ant

Hi @Antean

Thanks for contacting us.
We are working on this, we will get back to you shortly.

Thank you.

@Antean

Based on our analysis of your request, creating a backup of a deleted file at a given folder is not possible by script; it requires a third-party application to work manually.
For your other wishes, we are working on your script for encryption and password protection.

Thank you.

@Antean you may want to also consider Backup Assist to help with this. https://blog.zensoftware.co.uk/2017/08/23/cryptosafeguard-free-ransomware-protection-for-backupassist/

Hi @Antean

Please refer to the following link for the script you requested.

NOTE:

  • Run as System user
  • Edit path in the script where you want to monitor.

https://scripts.comodo.com/frontend/web/topic/alert-and-kill-operation-if-file-is-encrypted

Hi Arandi,

Thanks for the script. Can you clarify some details about it?

  • In this scenario, the actual encryption is done by an endpoint that doesn't have Comodo. This script is running on the endpoint with the Comodo side. This script says: "This Script will generate alert if any file is Encrypted in Specified path and kill the process."
    Do we stop the connection from the unprotected endpoint? Which process are we talking about there?

Thanks

@Antean

In this script, the process is deleting that encrypted file on the endpoint, because an encrypted file will no longer do anything useful other than corrupting data. So, we preferred to remove the encrypted file. This script will work only if the specified endpoint has Comodo and has the encrypted file.

Thanks

Hi Arin,

Deleting the encrypted file is not a good solution since sometimes (rarely though) it may be possible to revert back to the original from the encrypted file. If we delete it, we'll lose that possibility.

Can you clarify the rest, what do you mean by 'kill the process' there? If this encryption is done by another endpoint from the network, will it drop its connection to prevent further encryption of the other files?

"Creating a backup of a deleted file at a given folder is not possible by script; it requires a third-party application to work manually."

Is it possible to trigger Veeam or the Acronis backup agent to take this backup if it can't be done through the script?

Hi @Antean

Here is the solution for your request. Please refer to the following script link:

https://scripts.comodo.com/frontend/…e-is-encrypted

NOTE:

  • Please ensure that the VEEAM AGENT is installed on the endpoint.
  • This script will generate an alert if any file is encrypted in the specified path and trigger the VEEAM AGENT BACKUP to back up the given path.
  • Tracking the user and killing the process cannot be done if that user is not in the network.
  • Output will have user details of where and when the file was encrypted, i.e. created and modified date and time of the encrypted file, owner of the encrypted file, and Veeam agent status on the endpoint.

20171108-eNCRYPT.json (11.2 KB)
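As an added illustration (not the Comodo script from the linked topic, nor the attached JSON), here is a standalone entropy check of the kind the note above describes: it walks a folder, treats a high-entropy file head as likely encrypted, skips zip/rar/OLE2 containers (an assumed list, standing in for the "ignore password protected files" wish, and needed because compressed data scores as high as ciphertext), and reports owner and timestamps for each hit. The sample folder in `demo()` is constructed, and the "locked" file is a uniform byte pattern rather than real ciphertext.

```python
import math, os, tempfile
from collections import Counter
from datetime import datetime
from pathlib import Path

# Container formats to leave alone (assumed list: zip, rar, OLE2 Office); compression makes them high-entropy too.
SKIP_MAGIC = (b"PK\x03\x04", b"Rar!\x1a\x07", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")
ENTROPY_THRESHOLD = 7.5   # bits/byte: text is ~4-5, ciphertext approaches 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte from the byte-frequency distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(head: bytes) -> bool:
    """Heuristic: high entropy and not a known container format."""
    if any(head.startswith(m) for m in SKIP_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD

def scan_path(folder: str) -> list:
    """One record per suspicious file: path, owner uid, timestamps, entropy."""
    iso = lambda t: datetime.fromtimestamp(t).isoformat(timespec="seconds")
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                head = fh.read(4096)  # only the head of each file is examined
            if looks_encrypted(head):
                st = os.stat(full)  # map st_uid to a name via pwd/win32security on the real host
                findings.append({"path": full, "owner_uid": st.st_uid,
                                 "created": iso(st.st_ctime),  # creation time on Windows only
                                 "modified": iso(st.st_mtime),
                                 "entropy": round(shannon_entropy(head), 2)})
    return findings

def demo() -> list:
    """Constructed sample folder: plain text, a zip-like container, a flat-byte 'locked' file."""
    d = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"quarterly report draft\n" * 200,
        "archive.zip": b"PK\x03\x04" + bytes(range(256)) * 16,  # container, skipped
        "report.docx.locked": bytes((i * 131 + 7) % 256 for i in range(4096)),  # uniform, not real crypto
    }
    for name, body in samples.items():
        Path(d, name).write_bytes(body)
    return scan_path(d)
```

Entropy alone cannot tell ciphertext from compressed media, so in production the skip list (or a size/extension allowlist) does most of the work in keeping false alarms down.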