Automating Blocked File extensions for FSRM

by John C. Wray III Wednesday, April 5, 2017 7:34 AM

I am not going to go over installing File Server Resource Manager (FSRM). There are a lot of articles already on this.

https://community.spiceworks.com/how_to/128744-prevent-ransomware-by-using-fsrm 

Automating the extension list so it stays up to date is pretty handy. I found a few PowerShell scripts out in the wild.

2012 R2 is a piece of cake.

I use Task Scheduler to update on the hour. First you need to create a script to update your environment.

Experiant keeps a nice updated list you can use to keep your file server's blocked extensions current. My PowerShell script is a one-liner.

Set-FsrmFileGroup -Name "Malware Files" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/get" -UseBasicParsing).Content | ConvertFrom-Json | ForEach-Object { $_.filters })

"Malware Files" is the name of the File Group your File Screens use; change it if yours is called something different.
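A defensive variant of that one-liner, added here as an example (it is not the author's script): it refuses to touch the file group when the download fails or comes back suspiciously short, so a bad API response cannot silently strip patterns from the file screen, and it logs what changed. The group name and API URL are the ones above; the minimum-count threshold and the log path are assumptions.

```powershell
# Added example, not from the original post. Group name and URL come from the
# post; $MinPatterns and $LogPath are assumed values you can change.
$GroupName   = "Malware Files"
$SourceUri   = "https://fsrm.experiant.ca/api/v1/get"
$MinPatterns = 100                      # assumed floor; the live list is far larger
$LogPath     = "D:\Scripts\FSRM_Update.log"

function Write-Log ([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append
}

# 1. Download and normalise the list; a failed download leaves FSRM untouched.
try {
    $response = Invoke-WebRequest -Uri $SourceUri -UseBasicParsing -TimeoutSec 60
    $patterns = @(($response.Content | ConvertFrom-Json).filters |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ } |
                  Sort-Object -Unique)
} catch {
    Write-Log "Download failed, file group left unchanged: $($_.Exception.Message)"
    exit 1
}

# 2. Sanity check: an empty or truncated list would weaken the screen, not improve it.
if ($patterns.Count -lt $MinPatterns) {
    Write-Log "Only $($patterns.Count) patterns returned; refusing to apply"
    exit 1
}

# 3. Diff against what FSRM currently holds so the log shows real changes only.
$current = @((Get-FsrmFileGroup -Name $GroupName).IncludePattern)
$added   = @($patterns | Where-Object { $current  -notcontains $_ })
$removed = @($current  | Where-Object { $patterns -notcontains $_ })

if ($added.Count -eq 0 -and $removed.Count -eq 0) {
    Write-Log "No change ($($patterns.Count) patterns)"
    exit 0
}

# 4. Apply and record the before/after counts plus the individual changes.
Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
Write-Log ("Updated {0}: {1} -> {2} patterns (+{3}/-{4})" -f $GroupName,
           $current.Count, $patterns.Count, $added.Count, $removed.Count)
if ($added.Count)   { Write-Log ("Added: "   + ($added   -join ", ")) }
if ($removed.Count) { Write-Log ("Removed: " + ($removed -join ", ")) }
```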

When you create the new basic task you need to add these actions:

For Program/Script you can browse to find PowerShell or paste this in:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

In the Add arguments you tell what file powershell should run:

-NonInteractive -NoProfile -ExecutionPolicy Unrestricted -File D:\Scripts\FSRM_Update.ps1

In my case my script is on the D drive under a folder called Scripts.

Make sure to tell the task to run whether the user is logged in or not, which user to run as, and to run with the highest privileges.
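The same hourly task registered from PowerShell instead of the Task Scheduler GUI, as an added example that is not part of the original post. The program, arguments and script path are the ones given above; the task name and the run-as account are assumptions, and the ACL listing at the end is a check on who can edit the script the task runs with elevated rights.

```powershell
# Added example: create the hourly FSRM update task with the ScheduledTasks
# module (Windows Server 2012 R2 and later). Task name and account are assumptions.
$TaskName   = "FSRM Blocked Extensions Update"
$ScriptPath = "D:\Scripts\FSRM_Update.ps1"

# Account the task runs as; it needs rights to change FSRM file groups.
$cred = Get-Credential -Message "Account the FSRM update task should run as"

# Same program and argument list the post pastes into the GUI.
$action = New-ScheduledTaskAction `
    -Execute  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NonInteractive -NoProfile -ExecutionPolicy Unrestricted -File $ScriptPath"

# Start now and repeat every hour for as long as the task exists.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1) `
    -RepetitionDuration ([TimeSpan]::MaxValue)

# Stop a hung download, catch up after a missed run, never overlap two runs.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 15) `
    -StartWhenAvailable `
    -MultipleInstances IgnoreNew

# -User/-Password stores the credential so the task runs whether or not anyone
# is logged on; -RunLevel Highest is the "run with highest privileges" checkbox.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force | Out-Null

# The task runs this file with elevated rights every hour, so only
# administrators should be able to change it. Show who has write access.
(Get-Acl -Path $ScriptPath).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Any non-administrator identity in that last table can change what runs as the highest-privilege account on the hour and should be removed from the ACL.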

2008 R2 was a little more difficult.

I did a little workaround to get past the file group size limitation. If you try to run the script for 2012 R2 on a 2008 R2 server it will bomb.

I went with a conservative approach and guesstimated 200 extensions per file group. I tried 300 and it bombs.

On my 2008 R2 file server I created 6 file groups to use on the file screen. You have to put something in a group before you can create it, and duplicates are allowed, so I just put the first entry I ran into in each one as a placeholder.

I created groups 1 - 6 as placeholders and then assigned them to the File Screen.

Now I just needed to keep the lists updated and move on to the next list when I hit my threshold.

At first I just updated the lists. Next I decided to keep track of how many extensions there were, and then I decided to send out a notification when the list was updated, listing the extensions that were added. It is pretty handy. The first time it runs there is no previous list to compare against, so it sends out an email with all of the extensions as new. After that it should only send when the list gets updated. Make sure to update the script with the location of your scripts. The script has to download the current list from Experiant and put it back together in the format 2008 R2 expects for file groups, i.e. extension|nextExtension|andSoOn

$OFS = "`r`n"
$ScriptDir   = "D:\Scripts"                      # update this to the folder that holds your scripts
$CurrentFile = "$ScriptDir\extensions.txt"
$BackupFile  = "$ScriptDir\extensions_backup.txt"
$GroupSize   = 200                               # extensions per file group; 300 bombs on 2008 R2
$MaxGroups   = 6                                 # Malware_Files01 .. Malware_Files06 created by hand
$Separator   = ""                                # blank line between groups in the text file

# Get the extension count from the last line of the previous run's file
# (on the very first run there is no file yet, so the previous count is 0)
$intPreviousCount = 0
if (Test-Path $CurrentFile) { $intPreviousCount = [int]((Get-Content $CurrentFile)[-1]) }
Write-Host "Previous extension count was $intPreviousCount"

# Delete the previous backup and rename the current file to backup
Remove-Item $BackupFile -ErrorAction SilentlyContinue
if (Test-Path $CurrentFile) { Rename-Item $CurrentFile extensions_backup.txt }

# Download the current list from Experiant
$strExtensions = @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/get" -UseBasicParsing).Content |
    ConvertFrom-Json | ForEach-Object { $_.filters })

$intNumber         = 0      # extensions in the group currently being built
$intGroupNumber    = 1      # which Malware_Files0x group is being filled
$intExtensionCount = 0      # total extensions processed
$tempExtensions    = ""     # members of the current group in the 2008 R2 format ext1|ext2|ext3

Get-Date > $CurrentFile
foreach ($strExtension in $strExtensions)
{
    $strExtension = $strExtension.Trim()
    $intNumber++
    $intExtensionCount++
    $strExtension >> $CurrentFile
    $tempExtensions += $strExtension + "|"
    if ($intNumber -ge $GroupSize)
    {
        # Group is full: drop the trailing "|" and write the members to the file group
        $Separator >> $CurrentFile
        $strMembers = $tempExtensions.Substring(0, $tempExtensions.Length - 1)
        filescrn filegroup Modify /filegroup:"Malware_Files0$intGroupNumber" /Members:$strMembers
        $intNumber = 0
        $intGroupNumber++
        $tempExtensions = ""
    }
}

# Warn if the list has outgrown the groups that were created by hand
$intGroupsNeeded = [Math]::Ceiling($intExtensionCount / $GroupSize)
if ($intGroupsNeeded -gt $MaxGroups)
{
    Write-Warning "The list needs $intGroupsNeeded file groups but only $MaxGroups exist; create more Malware_Files0x groups and add them to the File Screen"
}

# The last group is usually not full; write out whatever is left over
if ($tempExtensions.Length -gt 0)
{
    $strMembers = $tempExtensions.Substring(0, $tempExtensions.Length - 1)
    filescrn filegroup Modify /filegroup:"Malware_Files0$intGroupNumber" /Members:$strMembers
}
$intExtensionCount >> $CurrentFile

# Check whether the number of extensions has changed and send a notification with the new list attached
if ($intExtensionCount -ne $intPreviousCount)
{
    # Let's find out what is new :) The first line (timestamp) and last line (count)
    # always differ, so leave them out of the comparison
    $oldFiles = @()
    if (Test-Path $BackupFile)
    {
        $oldFiles = @(Get-Content $BackupFile)
        if ($oldFiles.Count -gt 2) { $oldFiles = $oldFiles[1..($oldFiles.Count - 2)] }
    }
    $newFiles = @(Get-Content $CurrentFile)
    $newFiles = $newFiles[1..($newFiles.Count - 2)]

    $tempText = ""
    foreach ($newFile in $newFiles)
    {
        # Skip the blank separator lines and anything already in the old list
        if ($newFile -and ($oldFiles -notcontains $newFile))
        {
            Write-Host "New extension $newFile"
            $tempText += $newFile + $OFS
        }
    }

    $smtpServer = "mail.example.com"
    $att  = New-Object Net.Mail.Attachment($CurrentFile)
    $msg  = New-Object Net.Mail.MailMessage
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    $msg.From = "yourserver@example.com"
    $msg.To.Add("email1@example.com")
    $msg.To.Add("email2@example.com")

    $msg.Subject = "FSRM Blocked File Extensions were updated"

    $strBody  = "The number of blocked file extensions changed from $intPreviousCount to $intExtensionCount. Attached is the new current list of blocked files."
    $strBody += $OFS
    $strBody += "=======================================================================================$OFS"
    $strBody += $tempText
    $msg.Body = $strBody

    $msg.Attachments.Add($att)

    $smtp.Send($msg)
    $att.Dispose()
}

Eventually you will get an email that looks something like this.
