How to make ransomware protection work?

nc12

#1

Hi guys,

I copied all templates from the ransomware protection GitHub and pasted them into the ransomware protection app.

But I am still able to upload the files that are supposed to be blocked by ransomware protection. Please let me know what I did wrong.

Please see picture attached.


#2

ummm… where exactly did you get them from? somehow i can’t find 'em

awww. and btw: READ_ME.kk wasn’t really covered by the rules you posted.


#3

I got the list from GitHub https://github.com/nextcloud/ransomware_protection/tree/master/resources . The .kk extension is at the bottom of the list. I copied and pasted the list.


#4

awww yes… there they are. i kinda missed them… thanks.

but: wouldn’t these rules be automatically set in the app? (otherwise it wouldn’t really make much sense, i think). so have you tried emptying the local settings (to be sure that they won’t be nullified) and then tried if you could still upload a .kk file?


#5

Tried emptying the list but still able to upload READ_ME.kk and info.html files…


#6

strange.
sorry, i can’t help any further.

btw: it would be nice if you’d provide more details about your setting/environment/etc


#7

Do you see anything in the logs of the server? It should block without adding anything custom (except you want something special to be blocked/allowed).


#8

No, as far as I can see from the logs, nothing in them is related to ransomware protection.


#9

@ekteohwl

pretty please


#10

I’m not sure how to describe more details for you.

It is hosted in DMZ zone, running on Ubuntu 16.04.

It is running on LAMP.

What other information should I provide?


#11

there’s an app in the appstore called “issue template” - pls install it, fill in the missing information and copy&paste its output here


#12

Steps to reproduce

  1. Upload file with name info.html
  2. Upload file with name READ_Me.kk

Expected behaviour

Ransomware protection should stop these files from being uploaded to Nextcloud

Actual behaviour

All files that are prohibited from upload were successfully uploaded.

General server configuration

Operating system: Linux myhqubt002 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64

Web server: Apache/2.4.18 (Ubuntu) (apache2handler)

Database: mysql 5.7.19

PHP version: 7.0.22-0ubuntu0.16.04.1

PHP-modules loaded
 - Core
 - date
 - libxml
 - openssl
 - pcre
 - zlib
 - filter
 - hash
 - Reflection
 - SPL
 - session
 - standard
 - apache2handler
 - mysqlnd
 - PDO
 - xml
 - apcu
 - bz2
 - calendar
 - ctype
 - curl
 - dom
 - mbstring
 - fileinfo
 - ftp
 - gd
 - gettext
 - iconv
 - imagick
 - intl
 - json
 - ldap
 - exif
 - mcrypt
 - mysqli
 - pdo_mysql
 - Phar
 - posix
 - readline
 - shmop
 - SimpleXML
 - sockets
 - sysvmsg
 - sysvsem
 - sysvshm
 - tokenizer
 - wddx
 - xmlreader
 - xmlwriter
 - xsl
 - zip
 - Zend OPcache

Nextcloud configuration

Nextcloud version: 12.0.3 - 12.0.3.3

Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE

Where did you install Nextcloud from: YOUR ANSWER HERE

Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
)

Are you using encryption: no

Are you using an external user-backend, if yes which one: YOUR ANSWER HERE (LDAP/ActiveDirectory/Webdav/…)

Signing status
[]
Enabled apps
 - activity: 2.5.2
 - admin_audit: 1.2.0
 - admin_notifications: 1.0.0
 - announcementcenter: 3.1.0
 - bruteforcesettings: 1.0.2
 - circles: 0.12.4
 - comments: 1.2.0
 - dav: 1.3.0
 - defaultgroup: 0.3.0
 - drawio: 0.8.8
 - federatedfilesharing: 1.2.0
 - federation: 1.2.0
 - files: 1.7.2
 - files_accesscontrol: 1.2.5
 - files_automatedtagging: 1.2.2
 - files_clipboard: 0.6.4
 - files_downloadactivity: 1.1.1
 - files_external: 1.3.0
 - files_pdfviewer: 1.1.1
 - files_retention: 1.1.2
 - files_sharing: 1.4.0
 - files_snapshots: 0.1.1
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - groupfolders: 1.1.0
 - impersonate: 1.0.1
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - metadata: 0.5.0
 - nextant: 1.0.8
 - nextcloud_announcements: 1.1
 - notes: 2.3.1
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - ojsxc: 3.3.0
 - ownbackup: 17.5.0
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - quota_warning: 1.1.0
 - ransomware_protection: 1.0.4
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - socialsharing_email: 1.0.1
 - spreed: 2.0.1
 - survey_client: 1.0.0
 - systemtags: 1.2.0
 - tasks: 0.9.5
 - theming: 1.3.0
 - theming_customcss: 1.0.0
 - twofactor_backupcodes: 1.1.1
 - updatenotification: 1.2.0
 - user_ldap: 1.2.1
 - workflowengine: 1.2.0
 - workin2gether: 0.9.6
Disabled apps
 - encryption
 - user_external
Content of config/config.php
{
    "instanceid": "ocx0080cp7aq",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "192.168.103.1",
        "192.167.90.15",
        "122.255.114.168",
        "nextcloud.elken.com"
    ],
    "datadirectory": "\/media\/mynewdrive\/nextcloud",
    "overwrite.cli.url": "http:\/\/192.168.103.1\/nextcloud",
    "dbtype": "mysql",
    "version": "12.0.3.3",
    "dbname": "nextcloud",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "mysql.utf8mb4": true,
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "mail_smtpmode": "smtp",
    "mail_smtpauthtype": "PLAIN",
    "mail_from_address": "nextcloud",
    "mail_domain": "elken.com",
    "mail_smtphost": "192.168.100.105",
    "mail_smtpport": "25",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "updater.release.channel": "beta",
    "maintenance": false,
    "theme": "",
    "loglevel": 2
}
LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';

Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Operating system: YOUR ANSWER HERE

Logs

Web server error log
Insert your webserver log here
Nextcloud log (data/nextcloud.log)
Insert your Nextcloud log here
Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

#13

@nickvergessen
do you have a clue why this isn’t working as expected?


#14

Yes, the list is default. The admin settings are “additions” and “exclusions”.

As for why it’s not working: well, maybe the most important part is that the app only blocks uploads from clients. Since you filled out your browser version, it makes me assume you uploaded with the browser.


#15

So it is normal for it not to work with browser uploads?


#16

Yes, this totally makes sense, since ransomware doesn’t use browser upload :smile:. This way your browser is kind of a fallback, if for whatever reason you ever need to upload a file with a certain extension.

Use the client and try it again to be sure.


#17

i agree with @MichaIng 100%


#18

Confirmed!!! Ransomware protection only works in clients and not in the web browser.

Thanks guys.


#19

Well, you can also use the pause button in the personal settings (or in the notification after an upload failed), but yeah. Blocking browsers makes no sense, because ransomware just encrypts your files on the hard drive and doesn’t do any upload.

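The behaviour worked out in #14, #16 and #19 (only sync-client uploads are checked, browser uploads are a deliberate fallback, the default list is extended by admin “additions” and overridden by “exclusions”) can be modelled as a small decision function. The following is an added illustration written for this thread, not code from the ransomware_protection app: the pattern list is a constructed subset in the style of the app’s resources files, the user-agent markers used to recognise sync clients (`mirall/` for the desktop client, the mobile client names) are an assumption, and case-insensitive matching is this example’s choice rather than a documented property of the app.

```python
import fnmatch

# Constructed illustrative patterns in the style of the app's resources lists
# (glob-style filename patterns). This is an assumption-based subset, not a copy
# of the project's list.
SAMPLE_PATTERNS = [
    "*.kk",                   # the READ_ME.kk case from the thread
    "info.html",              # exact-name entry
    "*.locky",
    "_HELP_instructions.txt",
]

# Assumption: the desktop sync client carries "mirall/" in its User-Agent and
# the mobile clients carry their app names; a plain browser carries neither.
SYNC_CLIENT_MARKERS = ("mirall/", "nextcloud-android", "nextcloud-ios", "owncloud-android")

# Constructed sample user agents: the browser from the issue template above and
# a desktop sync client.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36")
CLIENT_UA = "Mozilla/5.0 (Windows) mirall/2.3.3 (build 1)"


def basename(path):
    """Strip any directory part so patterns are matched against the bare name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def matches_any(name, patterns):
    """Case-insensitive glob match of a bare filename against a pattern list."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def is_sync_client(user_agent):
    """True when the User-Agent looks like a sync client rather than a browser."""
    ua = user_agent.lower()
    return any(marker in ua for marker in SYNC_CLIENT_MARKERS)


def evaluate_upload(path, user_agent, additions=(), exclusions=()):
    """Decide whether an upload would be blocked under the model the thread describes.

    Order of evaluation:
      1. browsers are never blocked (the deliberate fallback from #16);
      2. admin exclusions win over everything else;
      3. admin additions and the default list block.
    Returns (blocked, reason).
    """
    name = basename(path)
    if not is_sync_client(user_agent):
        return False, "not a sync client: browser uploads are never checked"
    if matches_any(name, exclusions):
        return False, "matched an admin exclusion"
    if matches_any(name, additions):
        return True, "matched an admin addition"
    if matches_any(name, SAMPLE_PATTERNS):
        return True, "matched the default pattern list"
    return False, "no pattern matched"


if __name__ == "__main__":
    # Replay the thread's two test files via browser and via client.
    cases = [
        ("READ_ME.kk", BROWSER_UA),
        ("READ_ME.kk", CLIENT_UA),
        ("info.html", CLIENT_UA),
        ("notes.txt", CLIENT_UA),
    ]
    for path, ua in cases:
        blocked, reason = evaluate_upload(path, ua)
        via = "client " if is_sync_client(ua) else "browser"
        print(f"{path:12} via {via}: {'BLOCKED' if blocked else 'allowed'} ({reason})")
```

Running it reproduces the thread: READ_ME.kk goes through from the browser and is blocked from the client. To check a server rather than a model, upload the same test file once through the desktop client and once through the browser and compare the outcome; a filename that the list matches should only fail on the client path.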

#20

Yes, it makes sense after your explanation. Thank you.