Anti-Ransomware File System Resource Manager Lists

What is FSRM?

"FSRM actively monitors your Windows Server shares and files and could alert you of any malicious activity you specify." (souldjer777 @ Bleeping Computer)

How can FSRM protect my network?

File System Resource Manager is a role that can be added for free to any Windows Server 2008 or later instance. By setting up what is called a "File Group", which is just a collection of filename patterns (e.g. "*.xyz" or "*.ctbl") to watch for, you can prevent crypto-variant viruses from writing encrypted files to your server.

FSRM can also be configured to send you an email notification when a file matching one of those patterns is detected, so that you can immediately shut down the infected workstation and begin the cleanup process (imaging the PC, etc.). This process has been informally dubbed "creating a crypto canary", because the message is akin to a "canary in a coal mine".

How do I set it up? Is it hard?

Setting up FSRM is incredibly easy, because we have forked a PowerShell script originally created by zarathustar that automatically installs the FSRM Role Feature if it's missing, and then downloads the latest file groups from this website.

One of your filescreens is blocking legitimate files! Help!

With some ransomware using only 3-character file extensions, the possible space is just 46,656 combinations ((26 letters + 10 numbers) to the power of 3), which means that it's possible that they may choose an extension that is already in use by a legitimate piece of software. If this happens and non-dangerous files in your environment end up being caught inadvertently, there is a simple way to make the script ignore a particular extension from our list.

The first time you run the updated script, it will create a file called "SkipList.txt" in the directory. Simply add a new line for each file extension you want to always ignore, and a legitimate file type on that list will no longer be blocked by accident. We suggest adding all known good file extensions to this list proactively to avoid any future headaches.
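The skip-list filtering and "crypto canary" notification described above, as an added example (not the project's own script): it removes SkipList.txt entries from a pattern list, then creates or updates an FSRM file group and an active file screen with email and event-log actions. The group name, share path and sample patterns are assumptions, and the cmdlets come from the FileServerResourceManager module on Windows Server 2012 and later.

```powershell
# Added example; not the project's DeployCryptoLocker.ps1.
# Assumed (hypothetical) values: group name, share path, sample patterns.
Import-Module FileServerResourceManager

$GroupName = 'CryptoCanaryPatterns'              # hypothetical file group name
$SharePath = 'D:\Shares'                         # hypothetical share root to screen
$SkipFile  = Join-Path $PWD.Path 'SkipList.txt'  # one pattern per line

# Constructed sample of a pattern list; '*.dwg' stands in for an extension
# that a legitimate application in your environment also uses.
$Patterns = @('*.xyz', '*.ctbl', '*.dwg', ' *.CTBL ')

# Load the skip list, ignoring blank lines and surrounding whitespace.
$Skip = @()
if (Test-Path $SkipFile) {
    $Skip = @(Get-Content $SkipFile | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Drop skipped patterns (case-insensitive) and de-duplicate the remainder.
$Effective = @($Patterns |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -notin $Skip) } |
    Sort-Object -Unique)
if ($Effective.Count -eq 0) { throw 'Every pattern was skipped; refusing to create an empty file group.' }

# Create the file group, or update it in place when it already exists.
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $Effective
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Effective | Out-Null
}

# The "canary": an email plus an event-log entry naming the user and file.
$MailAction = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Crypto canary: [Violated File Group] match on [Server]' `
    -Body 'User [Source Io Owner] tried to write [Source File Path] under [File Screen Path].'
$LogAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] tried to write [Source File Path].'

# -Active blocks the write; omit it for a passive, alert-only screen.
if (-not (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active `
        -Notification $MailAction, $LogAction | Out-Null
}
```

With a SkipList.txt containing `*.dwg`, the resulting file group holds only `*.ctbl` and `*.xyz`. The email action depends on the SMTP server and administrator recipients configured in the FSRM options.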

How can I help?

Know of a filter that we don't have yet? Submit it!

Does an existing filescreen interfere with your company's legitimate files? See this section for more information.



Site Changelog:

Nov. 28, 2017

Added paragraph above submission box for legitimate files link

Apr. 26, 2017

Removing support for manual method. Going forward, only issues relating to the script method will be responded to.

Feb. 23, 2017

Added instructions for how to ignore a particular filescreen or a collection of filescreens

Dec. 19, 2016

Updated unclear text to reflect FSRM is available on Windows Server 2008 and later

Sept. 30, 2016

Updated page to reflect usage of our own GitHub repository

Added -UseBasicParsing to Server 2012 / 2012 R2 command

Updated installation page to explain why DeployCryptoLocker.ps1 script is necessary, due to 4KB limit

Last updated: September 17, 2020 @ 9:21AM (America/Edmonton)

Current File Group Count: 4144
