Re: [ossec-list] Ransomware.

2016-06-14 Thread Brent Morris
I thought about doing this too. You could look for file extensions as mentioned before. But I struggled on how to make it effective, and then how to test it. To be realistic, I think you'd need a lab with a mirror of your environment (file share, ossec, etc) and actually run a variant of

Re: [ossec-list] Ransomware.

2016-06-09 Thread Nate
Couldn't pass be used to monitor the frequency of files accessed or rewritten on a share via the logs generated from those operations? It might not be foolproof, but if the log shows a single account accessing several files faster than a human might be able to, it could alert, or even block.
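A sketch of the rate-based heuristic Nate describes, as an added example that is not part of the thread: it parses constructed log lines shaped like Samba vfs_full_audit syslog output (prefix `%u|%I|%m|%S`, then `op|result|...|path`) and flags any account whose modifying operations exceed a threshold inside a sliding time window. The thresholds, the op names treated as writes and the sample lines are assumptions, not values from the discussion.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape of vfs_full_audit output (not real data):
# alice rewrites and renames three files within a few seconds, bob works normally.
SAMPLE_LOG = """\
Jun  7 13:29:01 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|open|ok|w|docs/a.docx
Jun  7 13:29:01 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|rename|ok|docs/a.docx|docs/a.docx.locked
Jun  7 13:29:02 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|open|ok|w|docs/b.xlsx
Jun  7 13:29:02 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|rename|ok|docs/b.xlsx|docs/b.xlsx.locked
Jun  7 13:29:03 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|open|ok|w|docs/c.pdf
Jun  7 13:29:03 fs1 smbd_audit: alice|10.0.0.5|WKS1|shared|rename|ok|docs/c.pdf|docs/c.pdf.locked
Jun  7 13:29:05 fs1 smbd_audit: bob|10.0.0.9|WKS2|shared|open|ok|r|docs/readme.txt
Jun  7 13:35:00 fs1 smbd_audit: bob|10.0.0.9|WKS2|shared|open|ok|w|docs/notes.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<host>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)(?:\|(?P<rest>.*))?$"
)
WRITE_OPS = {"rename", "unlink", "write", "pwrite"}  # assumed set of modifying ops

def parse_line(line):
    """Return a dict for one audit line, or None if it is not an audit line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    # an "open" only counts as a modification when the file was opened for writing
    d["modifies"] = d["op"] in WRITE_OPS or (d["op"] == "open" and (d["rest"] or "").startswith("w"))
    return d

def detect_bursts(log_text, threshold=5, window_s=10):
    """Return (user, timestamp) alerts whenever one account performs at least
    `threshold` modifying operations within any `window_s`-second window."""
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["modifies"]:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["ts"]))
            q.clear()  # one alert per burst, not one per subsequent event
    return alerts
```

In OSSEC terms the same logic would be a decoder for the `smbd_audit:` line plus a rule using `frequency`/`timeframe` keyed on the user; tune the threshold against a baseline of normal share activity, since bulk copies and backups will also trip a naive rate check.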

Re: [ossec-list] Ransomware.

2016-06-07 Thread Kevin Wilcox
On 7 June 2016 at 13:29, Eero Volotinen wrote:
> Well. This is impossible. There is no way to see the difference between normal
> file access and a virus encrypting all your files.
There are some common extensions for very common ransomware/crypto stuff that you can look for but

Re: [ossec-list] Ransomware.

2016-06-07 Thread Eero Volotinen
Well. This is impossible. There is no way to see the difference between normal file access and a virus encrypting all your files. Eero

On 7.6.2016 at 6.31 PM, "Nate" wrote:
> We currently have samba file servers, which of course log access and
> whatnot to the samba logs.
>
> I'm

[ossec-list] Ransomware.

2016-06-07 Thread Nate
We currently have samba file servers, which of course log access and whatnot to the samba logs. I'm curious if I might be able to leverage ossec as a means to detect if a system is attempting to lock up one of our shares due to a ransomware infection. I could picture a rule that either detected