Is it possible to prevent users from changing file extensions in a shared folder? I'm asking this to try and avoid ransomware infection. I would deny people from changing file extensions inside the shared folder, so the encryption process won't touch shared folders?
1 Answer
There are many problems with this approach:
- There's no NTFS File and Folder Advanced Permission for denying only a file extension/name change; only denying write and delete permissions would include this. SMB / NFS permissions are even more limited, to general read/write access.
- Ransomware doesn't just change the file extension. The extension is only needed for identifying the encrypted file for recovery. The contents can be modified before this, or the original file may be deleted altogether and a new file created. You could possibly end up having no file at all with an approach that tries to avoid writing the encrypted file instead of destroying the original.
- Securing the shared files doesn't prevent the infection, just part of its impact.
Better approaches:
- Detect malicious activity, e.g. when a user tries to modify several files in a short period of time. Drop the connection, deny access and automatically alert administrators to start the actual actions against the malware: clean the originating computer, avoid further spreading etc.
- Have a decent backup system. One would be incremental, having several versions of the files from an adequate period of time. Don't allow users access to the backup location; have an external, independent user/machine that does the backup from outside. Whatever overwrites the files to be protected shouldn't have access to the backups. Possibly reinforce with offline backups.
- Backups are the only actual cure when (crypto)ransomware hits, and eventually one will cause problems for some of your users, no matter how good your preventive measures are or how good your virus protection is.
- Despite the previous point, also have virus protection, email filtering, an intrusion prevention system etc.
Hey, how is it possible to detect when a user is trying to modify several files in a short period of time? @esajokinen – Shlomi May 25 '17 at 14:32
Look for some _host-based intrusion detection system_ (HIDS). There are many rules for detecting all kinds of possibly malicious activities. – Esa Jokinen May 25 '17 at 14:54
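The answer's first recommendation (alert when one user modifies many files in a short period) and the follow-up pointing at HIDS rules both describe the same detection: a per-user sliding window over file-server audit events. The example below is added here and is not code from the answer, the commenters or any HIDS product. It assumes a constructed, simplified audit line format (`<timestamp> <user> <WRITE|DELETE|RENAME> <path>[ -> <newpath>]`); the sample log, the user names, the paths and the thresholds `WINDOW_SECONDS` / `MAX_FILES` are all invented for the example. It raises a "burst" alert once a user has touched more than `MAX_FILES` distinct files within `WINDOW_SECONDS`, and separately flags renames that change the extension, which is the symptom the question asked about but which, as the answer explains, is only one part of the picture.

```python
"""Sliding-window detector for bulk file modification on a share.

Added example (not from the original answer): flags a user who touches more
than MAX_FILES distinct files within WINDOW_SECONDS, and flags renames that
change the file extension. The audit line format below is constructed for
this example and is not the format of any real file server or HIDS.
"""
from collections import defaultdict, deque
from datetime import datetime
import os
import re

WINDOW_SECONDS = 60   # look-back window per user (assumed threshold)
MAX_FILES = 5         # distinct files modified in the window before alerting (assumed)

# Constructed sample audit lines (not real logs). "bob" behaves like a
# crypto-ransomware process: six files rewritten in a few seconds plus a
# rename that swaps the extension; "alice" is normal, slow editing.
SAMPLE_LOG = """\
2017-05-25T14:30:00 alice WRITE /share/finance/q1.xlsx
2017-05-25T14:30:40 alice WRITE /share/finance/q1.xlsx
2017-05-25T14:31:05 alice WRITE /share/finance/notes.txt
2017-05-25T14:32:00 bob WRITE /share/hr/a.docx
2017-05-25T14:32:01 bob WRITE /share/hr/b.docx
2017-05-25T14:32:01 bob RENAME /share/hr/b.docx -> /share/hr/b.docx.locked
2017-05-25T14:32:02 bob WRITE /share/hr/c.docx
2017-05-25T14:32:02 bob WRITE /share/hr/d.docx
2017-05-25T14:32:03 bob WRITE /share/hr/e.docx
2017-05-25T14:32:03 bob WRITE /share/hr/f.docx
2017-05-25T14:32:04 bob DELETE /share/hr/a.docx
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|DELETE|RENAME) (\S+)(?: -> (\S+))?$")


def parse_line(line):
    """Parse one constructed audit line into a dict, or None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, path, new_path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "path": path, "new_path": new_path}


def extension_changed(old_path, new_path):
    """True when a rename alters the extension (case-insensitive compare)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


class BurstDetector:
    """Per-user sliding window of recent file events."""

    def __init__(self, window_seconds=WINDOW_SECONDS, max_files=MAX_FILES):
        self.window = window_seconds
        self.max_files = max_files
        self.events = defaultdict(deque)  # user -> deque of (timestamp, path)
        self.alerted = set()              # users already flagged for a burst

    def feed(self, ev):
        """Record one event; return a list of (user, kind, detail) alerts."""
        alerts = []
        q = self.events[ev["user"]]
        q.append((ev["ts"], ev["path"]))
        # Expire events that fell out of the look-back window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) > self.max_files and ev["user"] not in self.alerted:
            self.alerted.add(ev["user"])          # alert once per user, not per event
            alerts.append((ev["user"], "burst", len(distinct)))
        if ev["action"] == "RENAME" and ev["new_path"] \
                and extension_changed(ev["path"], ev["new_path"]):
            alerts.append((ev["user"], "extension_change", ev["new_path"]))
        return alerts


def scan(log_text, **kwargs):
    """Run the detector over a whole log and collect alerts in order."""
    detector = BurstDetector(**kwargs)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alerts.extend(detector.feed(ev))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In a real deployment the events would come from the file server's object-access auditing or from the HIDS the comment mentions, and the response (dropping the session, revoking the user's share access, paging an administrator) would be wired to the same tooling; the thresholds here are placeholders to be tuned against normal usage of the share so that a user saving a handful of documents does not trip the alert.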