Hi guys,
I copied all templates from the ransomware prectection GitHub and paste it into the ransomware protection.
But I am still able to upload the files that suppose blocked by ransomware protection, please let me know where I did wrongly.
Please see picture attached.
ummm… where excatly did you get them from? somehow i can’t find 'em
awww. and btw: READ_ME.kk wasn’t really covered by the rules you posted.
I got the list from GitHub https://github.com/nextcloud/ransomware_protection/tree/master/resources .kk extension is at the bottom of the list. I copied and paste the list.
awww yes… there they are. i kinda missed them… thanks.
but: wouldn’t these rules be automatically set in the app? (otherwise it would make not really much sense, i think). so have you tried emptying the local settings (to be sure that they won’t be nullified) and then try if you could upload a .kk file, still?
Tried empty the list but still able to upload READ_ME.kk and info.html files…
strange.
sorry, i can’t help any further.
btw: it would be nice if you’d provide more details about your setting/environment/etc
Do you see anything in the logs of the server? It should block without adding anything custom (except you want something special to be blocked/allowed).
No, as far what I see from the logs no logs is related to ransom protection.
I not sure how to describe more details for you.
It is hosted in DMZ zone, running on Ubuntu 16.04.
It is running on LAMP.
What else information I should provide?
there’s an app in appstore called “issue template” - pls install it, fill in missing information and copy&paste it’s output here
Ransomware protection should stop these files from upload to the nextcloud
All files that prohibited to upload all successfully uploaded.
Operating system: Linux myhqubt002 4.4.0-96-generic #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017 x86_64
Web server: Apache/2.4.18 (Ubuntu) (apache2handler)
Database: mysql 5.7.19
PHP version: 7.0.22-0ubuntu0.16.04.1
- Core
- date
- libxml
- openssl
- pcre
- zlib
- filter
- hash
- Reflection
- SPL
- session
- standard
- apache2handler
- mysqlnd
- PDO
- xml
- apcu
- bz2
- calendar
- ctype
- curl
- dom
- mbstring
- fileinfo
- ftp
- gd
- gettext
- iconv
- imagick
- intl
- json
- ldap
- exif
- mcrypt
- mysqli
- pdo_mysql
- Phar
- posix
- readline
- shmop
- SimpleXML
- sockets
- sysvmsg
- sysvsem
- sysvshm
- tokenizer
- wddx
- xmlreader
- xmlwriter
- xsl
- zip
- Zend OPcache
Nextcloud version: 12.0.3 - 12.0.3.3
Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE
Where did you install Nextcloud from: YOUR ANSWER HERE
Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
)
Are you using encryption: no
Are you using an external user-backend, if yes which one: YOUR ANSWER HERE (LDAP/ActiveDirectory/Webdav/…)
[]
- activity: 2.5.2
- admin_audit: 1.2.0
- admin_notifications: 1.0.0
- announcementcenter: 3.1.0
- bruteforcesettings: 1.0.2
- circles: 0.12.4
- comments: 1.2.0
- dav: 1.3.0
- defaultgroup: 0.3.0
- drawio: 0.8.8
- federatedfilesharing: 1.2.0
- federation: 1.2.0
- files: 1.7.2
- files_accesscontrol: 1.2.5
- files_automatedtagging: 1.2.2
- files_clipboard: 0.6.4
- files_downloadactivity: 1.1.1
- files_external: 1.3.0
- files_pdfviewer: 1.1.1
- files_retention: 1.1.2
- files_sharing: 1.4.0
- files_snapshots: 0.1.1
- files_texteditor: 2.4.1
- files_trashbin: 1.2.0
- files_versions: 1.5.0
- files_videoplayer: 1.1.0
- firstrunwizard: 2.1
- gallery: 17.0.0
- groupfolders: 1.1.0
- impersonate: 1.0.1
- issuetemplate: 0.2.2
- logreader: 2.0.0
- lookup_server_connector: 1.0.0
- metadata: 0.5.0
- nextant: 1.0.8
- nextcloud_announcements: 1.1
- notes: 2.3.1
- notifications: 2.0.0
- oauth2: 1.0.5
- ojsxc: 3.3.0
- ownbackup: 17.5.0
- password_policy: 1.2.2
- provisioning_api: 1.2.0
- quota_warning: 1.1.0
- ransomware_protection: 1.0.4
- serverinfo: 1.2.0
- sharebymail: 1.2.0
- socialsharing_email: 1.0.1
- spreed: 2.0.1
- survey_client: 1.0.0
- systemtags: 1.2.0
- tasks: 0.9.5
- theming: 1.3.0
- theming_customcss: 1.0.0
- twofactor_backupcodes: 1.1.1
- updatenotification: 1.2.0
- user_ldap: 1.2.1
- workflowengine: 1.2.0
- workin2gether: 0.9.6
- encryption
- user_external
{
"instanceid": "ocx0080cp7aq",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"192.168.103.1",
"192.167.90.15",
"122.255.114.168",
"nextcloud.elken.com"
],
"datadirectory": "\/media\/mynewdrive\/nextcloud",
"overwrite.cli.url": "http:\/\/192.168.103.1\/nextcloud",
"dbtype": "mysql",
"version": "12.0.3.3",
"dbname": "nextcloud",
"dbhost": "localhost",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"mail_smtpmode": "smtp",
"mail_smtpauthtype": "PLAIN",
"mail_from_address": "nextcloud",
"mail_domain": "elken.com",
"mail_smtphost": "192.168.100.105",
"mail_smtpport": "25",
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
"memcache.local": "\\OC\\Memcache\\APCu",
"updater.release.channel": "beta",
"maintenance": false,
"theme": "",
"loglevel": 2
}
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder
Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';
Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.
Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Operating system: YOUR ANSWER HERE
Insert your webserver log here
Insert your Nextcloud log here
Insert your browser log here, this could for example include:
a) The javascript console log
b) The network log
c) ...
Yes, the list is default. The admin settings are “additions” and “exclusions”.
As for why it’s not working. Well maybe the most important part is, that the app only blocks uploading from clients. Since you filled out your browser version it makes me assume you uploaded with the browser.
So it is normal to not working in browser uploading?
Yes this totally makes sense, since ransomware doesn’t use browser upload 
. This way your browser is kinda fallback, if you why ever need to upload a file with certain extension.
Use the client and try it again to be sure.
Well you can also use the pause button in the personal setting (or in the notification after an upload failed), but yeah. Blocking browsers makes no sense, because ransomware just encrypts your files on the harddrive and doesnt do any upload.
Yes, it make sense after your explanation. Thank you.
