Channel: File Services and Storage forum

FSRM Powershell problem


I'm working on a script I can push out to a few dozen Windows Server 2012/2012R2 servers to enable FSRM File Screens that will write an alert to the event log when they detect a particular filename being written to disk.

$a = gwmi win32_logicaldisk -filter DriveType=3 | Select -ExpandProperty DeviceID
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
New-FsrmFileGroup -Name "CryptoWall File Monitor" -IncludePattern @("*DECRYPT*")

$Notification = New-FsrmAction -Type Event -EventType Warning -Body "Alert text here" -RunlimitInterval 30
foreach ($i in $a) {
    New-FsrmFileScreen -Path "$i" -IncludeGroup "CryptoWall File Monitor" -Notification $Notification
}

Now, the script itself works fine, with one tiny issue: when it runs, the first filescreen (usually on C:) has the correct settings:

Active          : False
Description     :
IncludeGroup    : {CryptoWall File Monitor}
MatchesTemplate : False
Notification    : {MSFT_FSRMAction}
Path            : C:\
Template        :
PSComputerName  :

But subsequent screens do not (note the Active : True output below):

Active          : True
Description     :
IncludeGroup    : {CryptoWall File Monitor}
MatchesTemplate : False
Notification    : {MSFT_FSRMAction}
Path            : D:\
Template        :
PSComputerName  :

The "Active" attribute is supposed to be set explicitly by using the -Active flag when running the New-FSRMFileScreen cmdlet, which I'm pretty confident I'm not somehow inserting into subsequent iterations of the loop.

This is an issue, because we do actually want the files to be written to disk in the event of a CryptoWall infection on an endpoint. The malware generally writes files into the affected directories with "helpful" instructions on how to pay a ransom, and this is meant to warn us as soon as possible that something is going on. If the file screen actively blocks the files from being written to disk, it becomes more difficult to identify affected files after the fact.

So is this a bug, or did I make a mistake?
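
A post-deployment check for the condition described above, as an added example that is not part of the original post: for each fixed disk it reports whether the file screen using the post's file group is passive (Active : False), blocking (Active : True), or missing. It only reads configuration; the helper name Test-PassiveFileScreen is hypothetical, and it assumes the FileServerResourceManager module installed by FS-Resource-Manager.

```powershell
# Added example (not from the original post). Read-only: changes no FSRM settings.
# Assumes the FileServerResourceManager module installed by FS-Resource-Manager.
function Test-PassiveFileScreen {   # hypothetical helper name
    param(
        [string]$GroupName = 'CryptoWall File Monitor'   # file group created in the post
    )

    # Every local fixed disk should carry one screen (same drive query as the post).
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
        Select-Object -ExpandProperty DeviceID

    # Only the screens that reference the monitoring file group.
    $screens = @(Get-FsrmFileScreen |
        Where-Object { $_.IncludeGroup -contains $GroupName })

    foreach ($drive in $drives) {
        # The post's output shows Path as "C:\", so compare without the trailing backslash.
        $screen = $screens | Where-Object { $_.Path.TrimEnd('\') -eq $drive }

        if (-not $screen) {
            $status = 'Missing'     # no screen for this drive
        }
        elseif ($screen.Active) {
            $status = 'Blocking'    # Active : True, matching files are denied
        }
        else {
            $status = 'Passive'     # Active : False, files are written and the event fires
        }

        [pscustomobject]@{
            Drive  = $drive
            Status = $status
        }
    }
}

# Report anything that is not in the passive (alert-only) state the post wants.
Test-PassiveFileScreen |
    Where-Object { $_.Status -ne 'Passive' } |
    ForEach-Object { Write-Warning "$($_.Drive) file screen is $($_.Status)" }
```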

