Well Known Ransomware File Extension Whitelist


New in 2.5.8 and later releases is the versioned Banned list. This feature allows switching between the current banned list and newly published file lists, or selecting the Latest option to always use the most recent list. If a new list adds extensions that are in use in your environment, a lockout could occur. Versioning allows controlled switching to a new file and lets you see which new extensions have been added to the list in the new file.

Phone home integration now moves the dynamic sync of the banned files from the ECA VMs to the Eyeglass VM and uses the same phone home URLs that have already been whitelisted. This simplifies access to the file, since no new firewall or proxy rules are needed to use this feature.

NOTE:  This feature does not support OS Proxy with YAST.

Versioned Banned File List

This feature allows a version of the banned file list to be selected or auto-selected, and two versions to be differenced, so that migration from one version to another can be done with the controlled commands below. The files appear in the File Filter tab of the Ransomware Defender GUI.

  1. Requirements
    1. Requires 2.5.8 
  2. This section will provide a list of versioned files with a link to a file containing all the new extensions added in that version of the file.
  3. File Versions commands
    1. igls rsw filefiltersettings   (list current version and settings)
    2. igls rsw filefiltersettings --version=<version>  (select a version to be active)
    3. igls rsw filefiltersettings --diff=<version1,version2>  (show the changes between one version and another to see which new file extensions have been added)
    4. igls rsw filefiltersettings set --mode=Latest  (always pick up and use the latest version available online)
    5. igls rsw filefiltersettings set --mode=Fixed --version=<version>  (select a fixed version as a static version of the banned list to use)
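The lockout warning above is the practical reason for the --diff command: before activating a new version, you want to know which extensions it adds and whether any of them are already in use on your shares. The following shell script is an added example, not Superna's tooling; it assumes a plain text format with one extension per line (the page does not describe the published file layout) and uses constructed sample data written to temporary files.

```shell
#!/bin/sh
# Added example, not Superna's code: a pre-flight check before switching banned
# list versions. Assumed input format (not shown on the page): plain text files
# with one extension per line. Constructed sample data is written to temp files below.

# Lower-case, strip CR and blank lines, sort uniquely (comm needs sorted input).
normalise() {
    tr 'A-Z' 'a-z' < "$1" | tr -d '\r' | grep -v '^$' | sort -u
}

# Extensions present in the new list version but not in the old one.
new_extensions() {
    o=$(mktemp); n=$(mktemp)
    normalise "$1" > "$o"
    normalise "$2" > "$n"
    comm -13 "$o" "$n"
    rm -f "$o" "$n"
}

# Newly banned extensions that are also in your in-use inventory: switching to
# the new version would lock out users writing files with those extensions.
lockout_risks() {
    a=$(mktemp); u=$(mktemp)
    new_extensions "$1" "$2" > "$a"
    normalise "$3" > "$u"
    comm -12 "$a" "$u"
    rm -f "$a" "$u"
}

# --- constructed demo data (not a real published list) ---
OLD_LIST=$(mktemp); NEW_LIST=$(mktemp); IN_USE=$(mktemp)
printf '.locky\n.crypt\n.wncry\n' > "$OLD_LIST"
printf '.locky\n.crypt\n.wncry\n.bak\n.ENC\n' > "$NEW_LIST"
printf '.bak\n.docx\n.pdf\n' > "$IN_USE"     # e.g. extensions observed on your shares

echo "Added in new version:"
new_extensions "$OLD_LIST" "$NEW_LIST"
echo "Lockout risk (added AND in use):"
lockout_risks "$OLD_LIST" "$NEW_LIST" "$IN_USE"
rm -f "$OLD_LIST" "$NEW_LIST" "$IN_USE"
```

Feed the in-use inventory from whatever listing of file extensions you already collect for your shares; if lockout_risks prints anything, stay on the fixed version (set --mode=Fixed) until those extensions have been reviewed.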


How to Update the Banned File List (With and Without Internet Access)

  1. Requirements:
    1. 2.5.8 or later
  2. Download the file and copy it to /tmp on Eyeglass with WinSCP
    1. Download from here.
    2. Copy to /tmp
    3. or download directly to the appliance (Requires Internet Access)
      1. Login to Eyeglass as admin
      2. cd /tmp
      3. wget https://storage.googleapis.com/rwdefender.superna.net/20220509/rswextensionfile.tar.gz 
  3. SSH to Eyeglass as admin user
    1. Run command: sudo mkdir /srv/www/htdocs/eyeglass/rwdefender
    2. Run command: sudo tar -xvf /tmp/rswextensionfile.tar.gz -C /srv/www/htdocs/eyeglass/rwdefender
    3. Run command: sudo chown -R root:root /srv/www/htdocs/eyeglass/rwdefender && sudo chmod -R 755 /srv/www/htdocs/eyeglass/rwdefender 
    4. Run command: sudo cp /opt/superna/sca/data/system.xml /opt/superna/sca/data/system.xml.bak
    5. Edit the file below
      1. sudo nano /opt/superna/sca/data/system.xml and add the 2 lines below between the tags <rsware> and </rsware>:
        1. <rsw_threat_file_url>https://localhost/eyeglass/rwdefender</rsw_threat_file_url>
        2. <rsw_threat_file_index_url>https://localhost/eyeglass/rwdefender/ransomwareFilterIndex.json</rsw_threat_file_index_url>
  4. If the lines above already exist, update them instead of adding duplicates, then restart the service
    1. Run command: sudo systemctl restart sca
    2. Wait for 2-5 minutes
  5. Run this command to check that the service runs successfully: igls rsw filefiltersettings
  6. Use this command to switch to using the latest file: igls rsw filefiltersettings set --mode=Latest
  7. Done
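The procedure above as one script. This is an added example and not part of Superna's documentation or product: it performs steps 2 to 5 with the paths and tarball name from the page, and replaces the manual nano edit with an insert-or-update of the two URL elements so that re-running it never leaves duplicate lines. It assumes the two elements sit on their own lines directly inside <rsware> and that the downloaded archive contains ransomwareFilterIndex.json (the file the index URL points at).

```shell
#!/bin/sh
# Added example, not Superna's own tooling: scripts the offline banned-list
# install from the steps above. Paths and the tarball name are taken from the
# page; the layout of system.xml (single-line <rsw_threat_file_*> elements
# directly inside <rsware>) is an assumption.
set -eu

# Print the current <rsw_threat_file_url> value from a system.xml file.
get_rsw_url() {
    sed -n 's|.*<rsw_threat_file_url>\(.*\)</rsw_threat_file_url>.*|\1|p' "$1"
}

# Insert or update the two URL elements inside <rsware>...</rsware>.
# Existing copies are dropped first so a second run updates instead of duplicating.
set_rsw_urls() {
    xml="$1"; base_url="$2"; idx_url="$3"
    tmp="$xml.tmp.$$"
    awk -v base="$base_url" -v idx="$idx_url" '
        /<rsw_threat_file_url>/       { next }  # drop old value, re-added below
        /<rsw_threat_file_index_url>/ { next }
        /<rsware>/ {
            print
            print "    <rsw_threat_file_url>" base "</rsw_threat_file_url>"
            print "    <rsw_threat_file_index_url>" idx "</rsw_threat_file_index_url>"
            next
        }
        { print }
    ' "$xml" > "$tmp"
    # refuse to write back if no <rsware> block was found (nothing was inserted)
    if ! grep -q '<rsw_threat_file_url>' "$tmp"; then
        rm -f "$tmp"; echo "no <rsware> block in $xml" >&2; return 1
    fi
    mv "$tmp" "$xml"
}

# Steps 2-5 of the procedure; run as the admin user, uses sudo like the page does.
install_banned_list_offline() {
    tarball="${1:-/tmp/rswextensionfile.tar.gz}"
    webdir="${2:-/srv/www/htdocs/eyeglass/rwdefender}"
    xml="${3:-/opt/superna/sca/data/system.xml}"
    # check before touching the web root: the index the config points at must be in the archive
    tar -tzf "$tarball" | grep -q 'ransomwareFilterIndex.json' \
        || { echo "ransomwareFilterIndex.json missing from $tarball" >&2; return 1; }
    sudo mkdir -p "$webdir"
    sudo tar -xvf "$tarball" -C "$webdir"
    sudo chown -R root:root "$webdir" && sudo chmod -R 755 "$webdir"
    sudo cp "$xml" "$xml.bak"                   # backup, as in step 3.4
    work="/tmp/system.xml.work.$$"
    sudo cat "$xml" > "$work"                   # working copy owned by the admin user
    set_rsw_urls "$work" "https://localhost/eyeglass/rwdefender" \
        "https://localhost/eyeglass/rwdefender/ransomwareFilterIndex.json"
    sudo cp "$work" "$xml" && rm -f "$work"
    sudo systemctl restart sca
    echo "sca restarted; wait 2-5 minutes, then run: igls rsw filefiltersettings"
}

# Only perform the install when asked explicitly; otherwise just define the functions.
if [ "${1:-}" = "--install" ]; then
    install_banned_list_offline
fi
```

Copy the tarball to /tmp on the Eyeglass VM first (step 2), then run the script with the --install argument as the admin user; without it the script only defines the functions. After the restart, wait 2-5 minutes and confirm with igls rsw filefiltersettings before switching to --mode=Latest (steps 5 and 6).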
© Superna Inc