This Unit Monitor scans all shared folders of a Windows Server to detect the CryptoLocker virus. If the counter is equal to or greater than 1, the alert will be shown.
This Management Pack detects the CryptoLocker virus.
If your File Server has a file with a potentially risky extension, the automatic recovery task will stop three important services of the File Server to avoid the total loss of data.
The Management Pack discovers File Server Shares.
Inside Technologies Community Project
If the alert is in the Healthy state, it means that your File Server is clean.
If the alert is in the Critical state, it means that the CryptoLocker virus has been detected in one or more files. Clean the infected files from the computer.
Target | Microsoft.Windows.Server.Computer | ||
Parent Monitor | System.Health.SecurityState | ||
Category | Custom | ||
Enabled | False | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Windows.TimedScript.TwoStateMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
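<!-- Two-state timed-script monitor. A VBScript runs on the agent every IntervalSeconds
     and returns a property bag with a single "Count" value; the ErrorExpression and
     SuccessExpression below map that value to the Error / Success states.
     Enabled="false": the monitor does nothing until it is enabled through an override. -->
<UnitMonitor ID="Inside.Technologies.Detect.CryptoLocker.Monitor" Accessibility="Public" Enabled="false" Target="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Server.Computer" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="MicrosoftWindowsLibrary7585010!Microsoft.Windows.TimedScript.TwoStateMonitorType" ConfirmDelivery="false">
<Category>Custom</Category>
<!-- Alert parameters 1-3 are the computer's principal name, its organizational unit and the
     Count returned by the script. Only the number of matching files is reported, not their
     paths; the operator still has to locate the files on the server. -->
<AlertSettings AlertMessage="Inside.Technologies.Detect.CryptoLocker.Monitor.AlertMessage">
<AlertOnState>Error</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Error</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/PrincipalName$</AlertParameter1>
<AlertParameter2>$Target/Property[Type="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]/OrganizationalUnit$</AlertParameter2>
<AlertParameter3>$Data/Context/Property[@Name='Count']$</AlertParameter3>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="UIGeneratedOpStateIde3d4cda994834165b8c03d8fb022be74" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="UIGeneratedOpStateId1f07abe1a99049338ae44eda6b0ca045" MonitorTypeStateID="Error" HealthState="Error"/>
</OperationalStates>
<Configuration>
<!-- The script is started every 300 seconds and terminated after TimeoutSeconds (60).
     The whole recursive walk of every share must finish inside that budget; on a large
     file server it may not, in which case the run presumably returns no property bag and
     the state is not refreshed. If scans are cut short, raise TimeoutSeconds by override. -->
<IntervalSeconds>300</IntervalSeconds>
<SyncTime/>
<ScriptName>Detect.vbs</ScriptName>
<Arguments/>
<ScriptBody> Set oAPI = CreateObject("MOM.ScriptAPI")
' Detect.vbs: walks every local share (minus a few system paths) and counts the files
' whose extension is a key of the "extensions" dictionary. The count is handed back to
' SCOM in a property bag as "Count"; the monitor goes to Error when Count >= 1.
Set oFSO = Createobject("Scripting.FileSystemObject")
' Detection list: file extensions treated as indicators. CompareMode = 1 (text compare)
' makes the Exists lookup case-insensitive. This list is the whole detection logic.
Set extensions = CreateObject("Scripting.Dictionary")
extensions.CompareMode = 1
iCount = 0
strComputer = "."
Dim TmpDrive
Dim Response
Dim oBag
extensions.Add "encrypted", True
extensions.Add "cryptolocker", True
' Enumerate the shares of the local computer. Shares whose path contains wsus, dhcp,
' sysvol or DFS are excluded inside the WMI query itself.
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colDriveLists = objWMIService.ExecQuery("SELECT * FROM Win32_Share WHERE NOT Path LIKE '%wsus%' AND NOT Path LIKE '%dhcp%' AND NOT Path LIKE '%sysvol%' AND NOT Path LIKE '%DFS%'")
' From here on a failing statement is skipped instead of terminating the script, so a
' partially readable share still produces a Count (possibly an undercount).
On Error Resume Next
For Each objDrive In colDriveLists
' Shares with an empty path and a handful of well-known system share paths are skipped.
Select Case objDrive.Path
Case ""
Case "C:\"
Case "C:\Users"
Case "C:\Windows"
Case "C:\Windows\system32\spool\drivers"
Case Else
' ProcessDrive sets the global Response; the share is walked only when Response is 0
' (see the comment on ProcessDrive for what that test matches).
ProcessDrive oFSO.GetFolder(objDrive.Path)
If Response = 0 Then
ProcessSubFolders oFSO.GetFolder(objDrive.Path)
End If
End Select
Next
Set oBag = oAPI.CreatePropertyBag()
Call oBag.AddValue("Count", iCount)
Call oAPI.Return(oBag)
' Sets the global Response to the number of Win32_LogicalDisk rows with DriveType = 3,
' Access = 0 and Name equal to the folder path with every backslash removed. Letter is
' the Folder object returned by GetFolder; Replace coerces it to a string, presumably via
' the Folder's default Path property. A path below a drive root ("D:\Data" -> "D:Data")
' can never equal a disk Name, so only shares at a drive root ("D:\" -> "D:") can make
' Response non-zero and be skipped - that looks like the intent, verify before relying on it.
' NOTE(review): the Function's own return value is never assigned; callers read Response.
Function ProcessDrive(Letter)
TmpDrive = Replace(Letter,"\","")
Set colShareLists = objWMIService.ExecQuery("Select * from Win32_LogicalDisk WHERE Name = '" & TmpDrive & "' AND Access = 0 AND DriveType = 3")
Response = colShareLists.Count
End Function
' Recursively counts the files under oFolder whose extension is in the extensions
' dictionary, adding to the global iCount.
Sub ProcessSubFolders(oFolder)
' Local error handling. Without it an unreadable folder raises an error that has no
' handler in this procedure, so it unwinds every recursive call back to the main loop
' and the rest of the share is silently left unscanned. With it the unreadable folder
' is skipped and the walk continues with its siblings.
On Error Resume Next
Set cFiles = oFolder.Files
If Err.Number = 0 Then
For Each oFile In cFiles
If extensions.Exists(oFSO.GetExtensionName(oFile.Name)) Then
iCount = iCount + 1
End If
Next
End If
Err.Clear
For Each oSubFolder In oFolder.SubFolders
ProcessSubFolders oSubFolder
Next
End Sub </ScriptBody>
<TimeoutSeconds>60</TimeoutSeconds>
<!-- NOTE(review): Count is compared as a String in both expressions. A numeric type
     (Integer) for the XPathQuery and Value would make the ">= 1" intent unambiguous;
     confirm the comparison semantics before changing it. -->
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='Count']</XPathQuery>
</ValueExpression>
<Operator>GreaterEqual</Operator>
<ValueExpression>
<Value Type="String">1</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='Count']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">0</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>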