Ransomware Fatal message question - where does this file come from?

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5):
Operating system and version (eg, Ubuntu 20.04): Debian GNU/Linux 10. 5.10.103-v8+ (aarch64)
Apache or nginx version (eg, Apache 2.4.25): Server version: Apache/2.4.38 (Debian)
PHP version (eg, 7.4): PHP 7.3.31-1~deb10u5
NextcloudPi version v1.52.4
The issue you are facing:
I get the warning message, error message and a fatal message - I don’t know what to do with

Is this the first time you’ve seen this error? (Y/N):

I have this Fatal webdav message - where does it come from and what do I need to do about it?

[webdav] Fatal: OCA\DAV\Connector\Sabre\Exception\Forbidden: Ransomware file detected at <<closure>>

0. /var/www/nextcloud/apps/dav/lib/Connector/Sabre/Directory.php line 155
1. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 1104
   OCA\DAV\Connector\Sabre\Directory->createFile("CD180FF1-05E7-4 ... n", null)
2. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php line 527
   Sabre\DAV\Server->createFile("files/Sherab/Co ... n", null, null)
3. /var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php line 89
   Sabre\DAV\CorePlugin->httpPut(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
4. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 474
   Sabre\DAV\Server->emit("method:PUT", [Sabre\HTTP\Requ ... }])
5. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 251
   Sabre\DAV\Server->invokeMethod(Sabre\HTTP\Request {}, Sabre\HTTP\Response {})
6. /var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php line 319
7. /var/www/nextcloud/apps/dav/lib/Server.php line 332
8. /var/www/nextcloud/apps/dav/appinfo/v2/remote.php line 35
9. /var/www/nextcloud/remote.php line 167
   require_once("/var/www/nextcl ... p")

PUT /remote.php/dav/files/Sherab/Compassion%20Centre/Compassion%20Centre%20Assests/CD180FF1-05E7-4169-A53D-9D0A0DD66153.bin
from xx.xxx.xx.xxx by Sherab at 2023-10-17T21:06:16+00:00

You can disable the ransomware protection app. It is not maintained for newer versions, and it’s recommended to use a supported version: NC 26+ (NC 25 will fall out of support very soon)

Thank you.
So, my NextcloudPi is actually not a supported Nextcloud isntance?

Nextcloudpi is at 26.0.3. If your installation is not at that version, you need to update.

Ncp is at 25.0.6 for docker and 26.0.3 without docker. Both versions are way behind! 26 is officially at .0.7 and 25 at .0.12.

That would make me think about how well ncp is maintained and suggest to migrate to nextcloud AIO.

1 Like

Better think again, as NCP’s maintainer is doing most of the work single handed. If you are volunteering to take part of the workload. Thank you.

As a side note, my NCP is at v1.52.4 and running NC 27.1.3 (used nc-update-nc)

I have supported NCP for many years.
I am very thankful for @nachoparker for all he does!!!

What does the fact that somebody does what he can, have to do with the fact that it might result in regularly being at least a few minor releases behind? I am not complaining about anything, just pointing out that AIO is more current. (And please skip these overused Totschlagargumente regarding “get involved or shut up”. Most of the time that points towards not having any real arguments and taking things too personal.)

Especially if one uses docker, AIO is the better choice IMHO. I have used both.

PS: @wisdomlight nachoparker is not the maintainer anymore AFAIK. So “for all he did”, might be more precise. :wink:

I am not going to get into any disagreements.
I just wanted to say I appreciated Nachoparker’s work.
For the rest I have no idea or opinion…
Thank you for your help

Hi @sven1234
What’s the difference between ncp and nextcloud AIO?
What I like about NCP is that it takes all the lets encrypit and creation of data base etc out of the way - and also in principal at least - make updating to newer versions of nextcloud easier.
Is this the case also with Nextcloud AIO?

It is an official docker image from Nextcloud. GitHub - nextcloud/all-in-one: Nextcloud AIO stands for Nextcloud All-in-One and provides easy deployment and maintenance with most features included in this one Nextcloud instance.
It sets up everything for you, including encrypted backup, let’s encrypt, database etc. and it is always up-to-date. That means it updates even major versions automatically, if you have backups enabled.
You can pick the modules you want to add to nextcloud, like office, fulltext search, virus scanner, talk etc.
The maintainer is very active in this forum and provides support, if you have a problem.
Fail2ban was missing from the feature list, but even that is possible now, using the community containers.

Ok, that sounds easy enough.
I shall have a look into it.
Thank you