Hello,
I configured a test server with Data Security (Version: 6.0.4 / Build: 6043).
I created this alert (Ransomware).
I created a PS script to:
* disable user access on the shared folders (it's faster than disabling the user in AD)
* and of course disable the user in AD
This script works. It is not optimized because I'm not an expert, but it works.
# Usage: script.ps1 <file server> <username>
Import-Module ActiveDirectory
$_SRV = $args[0]
$_USR = $args[1]
$_DRIVE = "R:"
$_DATE_FULL = Get-Date -Format "yyyyMMdd HH:mm"
$_DATE = Get-Date -Format "yyyyMMdd"
# Map the log share; one log file per day and per server
New-SmbMapping -LocalPath "$_DRIVE" -RemotePath "\\192.168.1.1\SHARE\CRYPTO"
$_LOG = "$_DRIVE\CRYPTO-$_DATE-$_SRV.txt"
Add-Content -Path $_LOG -Value "--- $_DATE_FULL ---"
Add-Content -Path $_LOG -Value "SERVEUR : $_SRV"
Add-Content -Path $_LOG -Value "UTILISATEUR : $_USR"
# Disable the account in AD
Disable-ADAccount -Identity $_USR
Add-Content -Path $_LOG -Value "L'utilisateur : $_USR a ete desactive a $_DATE_FULL"
# Deny the user on every share of the file server
$MesPartages = Get-WmiObject Win32_Share -ComputerName $_SRV
foreach ($UnPartage in $MesPartages) {
    # -Force skips the confirmation prompt, which would hang an unattended script
    Block-SmbShareAccess -Name $UnPartage.Name -CimSession $_SRV -AccountName $_USR -Force
    # $UnPartage | gm   (debug: list the members of the share object)
    Add-Content -Path $_LOG -Value "L'utilisateur a ete bloqué sur le partage : $($UnPartage.Name)"
}
Remove-SmbMapping -LocalPath "$_DRIVE" -Force
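As an added example (not the script from the original post), here is a variant of the same response that also closes the user's open SMB sessions and verifies each step in the log. It assumes the same two inputs (file server, sAMAccountName), a local log directory, and that the user belongs to the domain of the machine running the script.

```powershell
# Added example, not the poster's script: disable the account, deny it on every
# non-administrative share, drop its open SMB sessions, and verify each step.
param(
    [Parameter(Mandatory)][string]$Server,   # file server, as in the post
    [Parameter(Mandatory)][string]$User,     # sAMAccountName, as in the post
    [string]$LogPath = "C:\CryptoResponse\$(Get-Date -Format yyyyMMdd)-$Server.txt"  # assumed path
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
function Write-Log($Message) {
    "$(Get-Date -Format 'yyyyMMdd HH:mm:ss') $Message" | Add-Content -Path $LogPath
}

# 1. Disable the account in AD and confirm it is really disabled.
Disable-ADAccount -Identity $User
$acct = Get-ADUser -Identity $User
Write-Log "AD account $User disabled: $(-not $acct.Enabled)"

# 2. One CIM session to the file server for all SMB cmdlets below.
$cim = New-CimSession -ComputerName $Server
$domainUser = "$env:USERDOMAIN\$User"   # assumption: user is in this machine's domain

# 3. Deny the user on every non-administrative share and verify the Deny entry exists.
$shares = Get-SmbShare -CimSession $cim -Special $false
foreach ($share in $shares) {
    Block-SmbShareAccess -CimSession $cim -Name $share.Name -AccountName $domainUser -Force
    $deny = Get-SmbShareAccess -CimSession $cim -Name $share.Name |
        Where-Object { $_.AccountName -eq $domainUser -and $_.AccessControlType -eq 'Deny' }
    Write-Log "Share $($share.Name): Deny entry for $domainUser present = $([bool]$deny)"
}

# 4. A share-level Deny may not affect connections that are already open, so close
#    the user's existing SMB sessions to stop in-flight file operations.
$sessions = Get-SmbSession -CimSession $cim -ClientUserName $domainUser -ErrorAction SilentlyContinue
if ($sessions) {
    $sessions | Close-SmbSession -Force
    Write-Log "Closed $(@($sessions).Count) SMB session(s) for $domainUser on $Server"
} else {
    Write-Log "No open SMB sessions for $domainUser on $Server"
}
Remove-CimSession $cim
```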
I have a tool (Bulk Rename Utility.exe) to test mass renaming of extensions (e.g. .docx to .zepto or .777).
I tested renaming 300 files at the same time.
I noticed that my script is only executed if I run my tool twice, while DS (Data Security) detected the alert on both executions.
I don't understand why it is not executed immediately when Data Security detects the first "ransomware" extension.