Administration Guides

Well Known Ransomware File Extension Whitelist


Superna Defender Community Sourced File Extension List

This new crowdsourced extension list is based on Defender deployments around the world. As custom extensions are added to local deployments, the phone home system collects these extensions and merges them into a list that is curated by Superna and published as a version of the master list. The normal versioned list explained below continues to work, with new extensions from the crowdsourced system appearing on the list. You can view the newly added extensions using the diff command; see the steps below. If you add custom extensions to your Defender installation and enable phone home (if not already enabled), the custom extensions are sent to Superna for review as candidates for the master list.

Steps to view new extensions on the list

  1. Get the list of available versions
    1. igls rsw filefiltersettings
  2. Compare your current version to another version
    1. igls rsw filefiltersettings --diff=<version1,version2> (show the changes between one version and another to know what new file extensions have been added)
    2. The output will show added and removed extensions moving from version1 to version2 listed in the command.

Well known Ransomware File Extension List 2.5.8 >

New in 2.5.8 or later releases is a versioned banned list. This feature allows switching between the current banned list and newly published file lists, or selecting the Latest option to always use the latest list. If a new list adds extensions that are in use in your environment, a lockout could occur. This feature allows controlled switching to a new file and lets you see which extensions were added to the list in the new file.

Phone home integration now moves the dynamic sync of the banned files from the ECA VMs to the Eyeglass VM and supports the same phone home URLs that have been whitelisted. This simplifies access to the file without needing to add any new firewall or proxy rules to use this new feature.

NOTE:  This feature does not support OS Proxy with YAST.

Versioned Banned files List

This feature allows a version of the banned file list to be selected, auto-selected, or diffed, so that you can migrate from one version to another using the controlled commands below. The files will appear in the File Filter tab in the Ransomware Defender GUI.

  1. Requirements
    1. Requires 2.5.8 
  2. This section will provide a list of versioned files with a link to a file containing all the new extensions added to that version of the file.
  3. File Versions commands
    1. igls rsw filefiltersettings   (list current version and settings)
    2. igls rsw filefiltersettings --version=<version>  (select a version to be active)
    3. igls rsw filefiltersettings --diff=<version1,version2>  (show the changes between one version and another to know what new file extensions have been added)
    4. igls rsw filefiltersettings set --mode=Latest (always pick up and use the latest version available online)
    5. igls rsw filefiltersettings set --mode=Fixed --version=<version>  (select a fixed version as a static version of the banned list to use)

How to Update the Banned File List (With and Without Internet Access)

  1. Requirements:
    1. 2.5.8 or later
    2. NOTE: The preferred option for having the most current list is the proxy-to-Internet solution. This offline file will not be maintained to be current. Online Internet access is the only method to get the current list.
  2. Download the file and copy it to /tmp on Eyeglass with WinSCP
    1. Download June 2022 from here.
    2. Copy to /tmp
    3. or download directly to the appliance (Requires Internet Access)
      1. Login to Eyeglass as admin
      2. cd /tmp
      3. wget 
  3. SSH to Eyeglass as admin user
    1. Run command: sudo mkdir /srv/www/htdocs/eyeglass/rwdefender
    2. Run command: sudo tar -xvf /tmp/rswextensionfile.tar.gz -C /srv/www/htdocs/eyeglass/rwdefender
    3. Run command: sudo chown -R root:root /srv/www/htdocs/eyeglass/rwdefender && sudo chmod -R 755 /srv/www/htdocs/eyeglass/rwdefender 
    4. Run command: sudo cp /opt/superna/sca/data/system.xml /opt/superna/sca/data/system.xml.bak
    5. Edit file below
      1. sudo nano /opt/superna/sca/data/system.xml and add the 2 lines below between the tags <rsware> and </rsware>:
        1. <rsw_threat_file_url>https://localhost/eyeglass/rwdefender</rsw_threat_file_url>
        2. <rsw_threat_file_index_url>https://localhost/eyeglass/rwdefender/ransomwareFilterIndex.json</rsw_threat_file_index_url>
  4. If the lines above already exist then update them
    1. Run command: sudo systemctl restart sca
    2. Wait for 2-5 minutes
  5. Run this command to check that the update ran successfully: igls rsw filefiltersettings
  6. Use this command to switch to using the latest file: igls rsw filefiltersettings set --mode=Latest
  7. Done
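
The system.xml edit from step 3, combined with the "if the lines already exist then update them" rule, written as a rerunnable shell function. This is an added example, not Superna code: the function name `set_threat_urls` is hypothetical, and it assumes each element and the closing `</rsware>` tag sit on their own lines, since this page does not show the file's layout.

```shell
#!/bin/sh
# Added example (not Superna code): scripted form of the manual nano edit.
# Assumption: each element and the closing </rsware> tag are on their own line.
# The URL values are the ones given in the steps above.
BASE_URL='https://localhost/eyeglass/rwdefender'
INDEX_URL="$BASE_URL/ransomwareFilterIndex.json"

# set_threat_urls FILE: add or update the two URL elements inside <rsware>.
# Returns 1 and leaves FILE untouched when no </rsware> line is present.
# Take the system.xml.bak backup from the step above before running this.
set_threat_urls() {
    file=$1
    grep -q '</rsware>' "$file" || { echo "no </rsware> in $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v base="$BASE_URL" -v idx="$INDEX_URL" '
        # Drop existing copies so a rerun updates instead of duplicating.
        /<rsw_threat_file_url>/ || /<rsw_threat_file_index_url>/ { next }
        # Insert both elements just before the first closing tag.
        /<\/rsware>/ && !inserted {
            print "    <rsw_threat_file_url>" base "</rsw_threat_file_url>"
            print "    <rsw_threat_file_index_url>" idx "</rsw_threat_file_index_url>"
            inserted = 1
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"    # overwrite in place so owner and mode are kept
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample (not a real system.xml): a stale URL is replaced, and
# running the function twice still leaves exactly one copy of each element.
sample=$(mktemp)
printf '%s\n' '<system>' '  <rsware>' \
    '    <rsw_threat_file_url>https://old.example.invalid/list</rsw_threat_file_url>' \
    '  </rsware>' '</system>' > "$sample"
set_threat_urls "$sample" && set_threat_urls "$sample" && cat "$sample"
rm -f "$sample"
```

Against the real file, run the function with root privileges after the backup step and before restarting sca.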