Detect CryptoLocker

Inside.Technologies.Detect.CryptoLocker.Monitor (UnitMonitor)

This unit monitor runs the embedded Detect.vbs script every 300 seconds (60-second timeout) on each Windows Server computer. The script enumerates the server's shared folders through WMI (Win32_Share), recursively walks every share except a few excluded system paths, and counts files whose extension is "encrypted" or "cryptolocker" (case-insensitive). The count is returned in the "Count" property: 0 keeps the monitor healthy, a count greater than or equal to 1 sets the monitor to Error and raises the alert. Note that the alert message's "Infected Item Detected" parameter is this count, not a file name. The monitor is disabled by default and must be enabled with an override.

Knowledge Base article:

Summary

This Management Pack detects files left behind by the CryptoLocker ransomware on a File Server.

If your File Server has a file with a potential-risk extension, the automatic recovery task stops three important File Server services to prevent the total loss of data.

The Management Pack discovers File Server Shares.

Inside Technologies Community Project

Causes

If the monitor is in Healthy state, your File Server is clean: no file with a monitored extension was found on any scanned share.

If the monitor is in Critical state, CryptoLocker has been detected in one or more files. The alert reports only the number of matching files; search the server's shares for files with the .encrypted or .cryptolocker extension to locate them, then remove the infected files from the computer and isolate the client that wrote them. Because the check is purely extension-based, any file carrying one of these extensions will trigger the alert, so confirm the finding before running the recovery task.

Element properties:

Target: Microsoft.Windows.Server.Computer
Parent Monitor: System.Health.SecurityState
Category: Custom
Enabled: False
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Windows.TimedScript.TwoStateMonitorType
Remotable: True
Accessibility: Public
Alert Message:
CryptoLocker Virus Detected
Server with Issue: {0}
Active Directory OU: {1}
Infected Item Detected: {2}
RunAs: Default

Source Code:

<UnitMonitor ID="Inside.Technologies.Detect.CryptoLocker.Monitor" Accessibility="Public" Enabled="false" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Server.Computer" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="MicrosoftWindowsLibrary7585010!Microsoft.Windows.TimedScript.TwoStateMonitorType" ConfirmDelivery="false">
<Category>Custom</Category>
<AlertSettings AlertMessage="Inside.Technologies.Detect.CryptoLocker.Monitor.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/PrincipalName$</AlertParameter1>
<AlertParameter2>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/OrganizationalUnit$</AlertParameter2>
<AlertParameter3>$Data/Context/Property[@Name='Count']$</AlertParameter3>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="UIGeneratedOpStateIde3d4cda994834165b8c03d8fb022be74" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="UIGeneratedOpStateId1f07abe1a99049338ae44eda6b0ca045" MonitorTypeStateID="Error" HealthState="Error"/>
</OperationalStates>
<Configuration>
<IntervalSeconds>300</IntervalSeconds>
<SyncTime/>
<ScriptName>Detect.vbs</ScriptName>
<Arguments/>
<ScriptBody><Script>Set oAPI = CreateObject("MOM.ScriptAPI")
Set oFSO = Createobject("Scripting.FileSystemObject")
Set extensions = CreateObject("Scripting.Dictionary")
extensions.CompareMode = 1
iCount = 0
dCount = 0
strComputer = "."
Dim TmpDrive
Dim Response
Dim oBag

extensions.Add "encrypted", True
extensions.Add "cryptolocker", True

Set objWMIService = GetObject("winmgmts:\\" &amp; strComputer &amp; "\root\CIMV2")
Set colDriveLists = objWMIService.ExecQuery("SELECT * FROM Win32_Share WHERE NOT Path LIKE '%wsus%' AND NOT Path LIKE '%dhcp%' AND NOT Path LIKE '%sysvol%' AND NOT Path LIKE '%DFS%'")

On Error Resume Next

For Each objDrive In colDriveLists

Select Case objDrive.Path
Case ""
Case "C:\"
Case "C:\Users"
Case "C:\Windows"
Case "C:\Windows\system32\spool\drivers"
Case Else
ProcessDrive oFSO.GetFolder(objDrive.Path)

If Response = 0 Then
ProcessSubFolders oFSO.GetFolder(objDrive.Path)
'Wscript.Echo objDrive.Path
Else
End If
End Select
Next

Set oBag = oAPI.CreatePropertyBag()
Call oBag.AddValue("Count", iCount)
Call oAPI.Return(oBag)

Function ProcessDrive(Letter)
TmpDrive = Replace(Letter,"\","")
Set colShareLists = objWMIService.ExecQuery("Select * from Win32_LogicalDisk WHERE Name = '" &amp; TmpDrive &amp; "' AND Access = 0 AND DriveType = 3")

Response = colShareLists.Count
End Function

Sub ProcessSubFolders(oFolder)
Set cFiles = oFolder.Files
For Each oFile In cFiles
If extensions.Exists(oFSO.GetExtensionName(oFile.Name)) Then
iCount = iCount + 1
End If
Next

For Each oSubFolder In oFolder.SubFolders
ProcessSubFolders oSubFolder
Next
End Sub</Script></ScriptBody>
<TimeoutSeconds>60</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='Count']</XPathQuery>
</ValueExpression>
<Operator>GreaterEqual</Operator>
<ValueExpression>
<Value Type="String">1</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='Count']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">0</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>
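The following PowerShell script is an added example, not part of the Inside Technologies management pack, showing the same share-scanning logic as Detect.vbs in the form a practitioner would use today. It keeps the VBScript's extension list, share-path exclusions and the "Count" property bag contract consumed by the ErrorExpression/SuccessExpression above, and adds two things the original lacks: access-denied folders are skipped explicitly instead of being masked by On Error Resume Next, and up to a few matching file paths are returned in an extra "Samples" property (an assumption: the alert message would have to be edited to display it). The Win32_LogicalDisk check in the VBScript's ProcessDrive is not replicated. The parameter names and the standalone fallback when MOM.ScriptAPI is not registered are this example's own choices.

```powershell
# Added example (not the management pack's code): PowerShell equivalent of Detect.vbs.
param(
    # Extensions treated as ransomware markers, matched case-insensitively like the VBScript dictionary.
    [string[]] $RiskyExtensions = @('encrypted', 'cryptolocker'),
    # Share paths containing these fragments are skipped, mirroring the WQL "NOT Path LIKE" filter.
    [string[]] $ExcludePathFragments = @('wsus', 'dhcp', 'sysvol', 'dfs'),
    # Exact share paths skipped outright, mirroring the Select Case block.
    [string[]] $ExcludePaths = @('', 'C:\', 'C:\Users', 'C:\Windows', 'C:\Windows\system32\spool\drivers'),
    # Assumed parameter: cap on file paths returned in the "Samples" property to keep the bag small.
    [int] $MaxSamples = 10
)

$extSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($e in $RiskyExtensions) { [void]$extSet.Add($e.TrimStart('.')) }

# Enumerate shares through CIM (same class the VBScript queries via WMI) and apply both exclusion lists.
$shares = Get-CimInstance -ClassName Win32_Share | Where-Object {
    $p = [string]$_.Path
    if ($ExcludePaths -contains $p) { return $false }
    foreach ($frag in $ExcludePathFragments) { if ($p -like "*$frag*") { return $false } }
    return $true
}

$count   = 0
$samples = New-Object 'System.Collections.Generic.List[string]'

foreach ($share in $shares) {
    # -Force includes hidden files; -ErrorAction SilentlyContinue skips folders the agent
    # account cannot read and keeps scanning instead of silently corrupting the count.
    Get-ChildItem -LiteralPath $share.Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ext = $_.Extension.TrimStart('.')
            if ($extSet.Contains($ext)) {
                $count++
                if ($samples.Count -lt $MaxSamples) { $samples.Add($_.FullName) }
            }
        }
}

# Return the result to SCOM through the same property bag contract as the VBScript:
# "Count" drives the monitor's Error/Success expressions; "Samples" is the added property.
try {
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $bag = $api.CreatePropertyBag()
    $bag.AddValue('Count', $count)
    $bag.AddValue('Samples', ($samples -join '; '))
    $api.Return($bag)
}
catch {
    # No SCOM agent on this machine (standalone run): emit the same data as an object.
    [pscustomobject]@{ Count = $count; Samples = $samples }
}
```

Run it interactively on a file server to validate the exclusion lists before wiring it into a monitor; with Count equal to 0 the monitor stays healthy, and with Count of 1 or more it goes to Error, exactly as the expressions in the UnitMonitor above require.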