Emotet prevention

Hello there,
is it possible to configure UCS / Samba to limit, per user or group policy, the changing of
file names and/or the replacing (updating) of files?

A ransomware infection encrypts files and file names in a batch process. This is an abnormal procedure for a user. So I would like to limit it.

Is there a way?

Thanks and all the best, Frank

A little bit older, but maybe a starting point: Protection Against Ransomware – a Subjective Overview

Thanks, the solution points to blocking related domains, but the host names will be changed for an attack.

My plan now is to use the Samba audit log for watching and filtering whether file names are abnormally changed or updated.

In relation to https://wiki.univention.de/index.php/Cool_Solution_-_Ransomware_protection_with_Fail2Ban

there the commands pwrite, write and rename are filtered with VFS audit.
rename is clear: renaming of a file or directory.
pwrite I find in my logs, but only for system files like *.tmp files.
write is never logged (in one year).

When a crypto trojan is active, it will rename and encrypt the file.
Encrypting the file requires opening the file and saving it.
I have simulated it (changed file content) and found this in the audit logs:

smbd_audit: D1+test|10.0.7.142|private|open|ok|w|/srv/files/home/frank/UCS/VFS_audit.txt
smbd_audit: D1+test|10.0.7.142|private|ftruncate|ok|/srv/files/home/frank/UCS/VFS_audit.txt
smbd_audit: D1+test|10.0.7.142|private|close|ok|/srv/files/home/frank/UCS/VFS_audit.txt

The important keywords are |open|ok|w|: my interpretation: open for read and write.
|ftruncate|: my interpretation: changing the file size of a file (in reference to the file descriptor).

Can somebody confirm that updating file content will produce this audit?

Thanks, Frank
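As an added illustration of the detection approach discussed in this thread (this is example code written for this page, not code from the Univention Cool Solution, from Fail2Ban or from the poster), the script below parses full_audit lines in the layout shown above, treats rename, ftruncate, pwrite, write, unlink and open-with-"w" as modifying operations, and raises an alert once one (user, client IP) pair exceeds a threshold of such operations inside a sliding time window. It goes slightly beyond the post by also counting renames that change the file extension, the typical ".docx -> .docx.locked" pattern. Assumptions: the lines carry a syslog prefix ("Jan 12 10:00:00 ucs smbd_audit: ...") in front of the full_audit prefix "%u|%I|%S" used in the post; in full_audit's open record the field before the path is the access mode, "w" meaning the file was opened with write access; the window (60 s) and threshold (20) are arbitrary starting values to be tuned per site; the sample log, the user names and the client addresses are constructed for the example.

```python
import os
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (syslog prefix + the full_audit format shown in the thread):
#   Jan 12 10:00:00 ucs smbd_audit: <user>|<client ip>|<share>|<op>|<ok|fail>|<op args...>
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+smbd_audit:\s+"
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)\|(?P<op>[^|]+)\|"
    r"(?P<result>ok|fail)(?:\|(?P<args>.*))?$"
)

MODIFYING_OPS = {"rename", "ftruncate", "pwrite", "write", "unlink"}


def parse_line(line):
    """Return a dict for one smbd_audit line, or None for lines that do not match."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ev["args"] = ev["args"].split("|") if ev["args"] else []
    return ev


def is_modifying(ev):
    """True if the successful event changed content or names on the share."""
    if ev["result"] != "ok":
        return False
    if ev["op"] in MODIFYING_OPS:
        return True
    # full_audit logs the access mode before the path: "w" = opened for writing (assumed)
    return ev["op"] == "open" and ev["args"][:1] == ["w"]


def rename_changes_suffix(ev):
    """Rename where the extension changes, e.g. report.docx -> report.docx.locked."""
    if ev["op"] != "rename" or ev["result"] != "ok" or len(ev["args"]) < 2:
        return False
    old_ext = os.path.splitext(ev["args"][0])[1].lower()
    new_ext = os.path.splitext(ev["args"][1])[1].lower()
    return old_ext != new_ext


class BurstDetector:
    """Flags a (user, ip) pair once it exceeds `threshold` modifying ops in `window_seconds`."""

    def __init__(self, window_seconds=60, threshold=20):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.recent = defaultdict(deque)   # (user, ip) -> timestamps inside the window
        self.flagged = {}                  # (user, ip) -> time of first alert

    def feed(self, ev):
        if not is_modifying(ev):
            return None
        key = (ev["user"], ev["ip"])
        q = self.recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop events older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.flagged:
            self.flagged[key] = ev["ts"]
            return key
        return None


def analyze(lines, window_seconds=60, threshold=20):
    """Run the detector over an iterable of log lines; returns counts and flagged sessions."""
    det = BurstDetector(window_seconds, threshold)
    suffix_changes = Counter()
    parsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        parsed += 1
        if rename_changes_suffix(ev):
            suffix_changes[(ev["user"], ev["ip"])] += 1
        det.feed(ev)
    return {"parsed": parsed, "flagged": det.flagged, "suffix_changes": suffix_changes}


# --- constructed sample log for the example (not real data) ---
def _line(ts, user, ip, op, *args):
    return f"{ts:%b %d %H:%M:%S} ucs smbd_audit: {user}|{ip}|private|{op}|ok|" + "|".join(args)

_T0 = datetime(1900, 1, 12, 10, 0, 0)
_HOME = "/srv/files/home/frank/UCS"
SAMPLE_LOG = ["Jan 12 09:59:59 ucs CRON[4711]: (root) CMD (run-parts /etc/cron.hourly)"]
# a user saving one file in an editor: open for write, truncate, close (as in the post)
SAMPLE_LOG += [
    _line(_T0, "D1+frank", "10.0.7.142", "open", "w", f"{_HOME}/VFS_audit.txt"),
    _line(_T0, "D1+frank", "10.0.7.142", "ftruncate", f"{_HOME}/VFS_audit.txt"),
    _line(_T0, "D1+frank", "10.0.7.142", "close", f"{_HOME}/VFS_audit.txt"),
]
# a hypothetical infected session renaming and rewriting 25 documents in 25 seconds
for i in range(25):
    t = _T0 + timedelta(seconds=i)
    src, dst = f"{_HOME}/doc{i}.docx", f"{_HOME}/doc{i}.docx.locked"
    SAMPLE_LOG += [
        _line(t, "D1+mallory", "10.0.7.200", "rename", src, dst),
        _line(t, "D1+mallory", "10.0.7.200", "open", "w", dst),
        _line(t, "D1+mallory", "10.0.7.200", "close", dst),
    ]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (user, ip), when in result["flagged"].items():
        print(f"ALERT {user} from {ip} at {when:%H:%M:%S}: burst of modifying ops, "
              f"{result['suffix_changes'][(user, ip)]} extension-changing renames")
```

In the sample, the normal edit produces only two modifying events (open "w" and ftruncate), so it stays below the threshold, while the burst session trips the detector on its 20th modifying event at 10:00:09. In production the alert would be handed to Fail2Ban or to a script that disconnects the session, and the threshold must be set high enough that bulk operations by legitimate users (copying a project folder, a build writing many files) do not trigger it.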
