Find Ransomware Files on N Drive

Description

Find files with specified extension on N drive.

Property Details

ID: 24343
Status: Production - Fully Tested and Ready for Production
Title: Find Ransomware Files on N Drive
Domain: BESC
Source: Internal
Source Release Date: 5/4/2016 12:00:00 AM
Keywords: wannacry ransomware
Is Task: True
Added by on 5/15/2017 7:56:54 PM
Last Modified by on 5/15/2017 7:56:54 PM

Relevance

isWindows (Relevance 274)
Used in 229 fixlets and 3 analyses   * Results in a true/false
name of operating system starts with "Win"
Used in 1 fixlet   * Results in a true/false
exists folder "n:\"

Actions

Action 1 (default)

Script Type: BigFix Action Script
waithidden cmd /c if exist n:\ransomware_list.txt del n:\ransomware_list.txt /q /f
waithidden cmd /c dir n:\*.wn n:\*.wcry /a /s >n:\ransomware_list.txt
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Comments

cjwolford -
I agree that a separate fixlet isn't needed. I also wanted to move the output file to the besclient folder, but it made it easier to see which drives didn't have the scan. I will try that code and see how it works out. It was something I had thrown together in a hurry that seemed to accomplish what I needed.
jgstew -
Then this would be the contents of a BAT file to run this check on all drives: ("dir "& it &"\*.wn "& it &"\*.wcry /a /s >"& it &"\ransomware_list.txt") of pathnames of root folders whose(not exists files "ransomware_list.txt" of it) of drives
jgstew -
This would be the relevance to detect if any drive is missing `ransomware_list.txt`: (number of root folders of drives) != (number of files "ransomware_list.txt" of root folders of drives)
jgstew -
It seems unneeded to make a fixlet for every drive letter.
cjwolford -
Intended to be used with analysis that won't upload: if(exists file "n:\ransomware_list.txt") and (number of lines of file "n:\ransomware_list.txt" > 2) then ("RANSOMWARE DETECTED") else ("No File Found")