Configuring PowerStore File Extension Filtering to Prevent Ransomware
Wed, 06 Sep 2023 18:12:28 -0000
Overview
Disallowing known ransomware extensions from being written to the file system is a simple and effective way to deter, and in many cases block, ransomware. PowerStore file systems include a file extension filtering capability that prevents files with specific extensions from being stored on an SMB share. Traditionally this feature has been used to keep users from storing non-business data on a share, but it can equally be used to stop files with known malicious extensions from being written to a share at all.
File extension filtering can be combined with other features such as the Common Event Publishing Agent (CEPA) to build a ransomware strategy with multiple layers of defense. Let's dive into how to configure PowerStore file extension filtering to better protect your system today.
Configuration
To configure file extension filtering:
- Go to the \\<SMB_Server>\c$\.etc\.filefilter directory as an administrator
- To configure a filter, create an empty file using the naming convention extension@sharename
- For example, to filter .wcry ransomware files on the FS1 share, create a file named wcry@FS1
- To enable the filter on all shares on the SMB server, create the file with only the extension, such as wcry
You can configure multiple filters by creating additional files in this directory. For ransomware prevention, create a filter for each known ransomware extension you want to block. Each SMB server has its own independent file extension filtering configuration, so each server can be customized separately. The following figure shows an example file extension filtering configuration.
After configuring a file extension filter, you can permit exceptions for specific users or groups by changing the ACL on the filter file to provide Full Control privileges to the users or groups that should be excluded.
For example, if the Administrators group is provided Full Control permissions on the wcry filter file, then users in the Administrators group can store .wcry files on the share, while others cannot. Exceptions can be configured independently for each file filter being created, as shown in the following figure.
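The procedure above, creating filter files and granting an exception, as an added PowerShell example that is not part of the original post or of any Dell tooling. It assumes an SMB server named SMB1, a share named FS1, a constructed list of extensions to block, and BUILTIN\Administrators as the exempt group; adjust these for your environment. It also adds a probe that writes a file with a blocked extension to the share and reports whether the write was denied, which is the check a practitioner would want after making the change.

```powershell
# Added example, not from the PowerStore documentation.
# Assumptions: SMB server "SMB1", share "FS1", exempt group BUILTIN\Administrators.
$SmbServer = 'SMB1'                                   # assumption
$ShareName = 'FS1'                                    # assumption
$FilterDir = "\\$SmbServer\c$\.etc\.filefilter"       # path convention from the post

# Constructed list of extensions to block server-wide; maintain your own from
# current threat intelligence.
$ServerWideExtensions = @('wncry', 'locky', 'cerber', 'encrypted')

# Filter file naming convention: "<ext>" for all shares, "<ext>@<share>" for one share.
function New-PowerStoreFilter {
    param(
        [Parameter(Mandatory)] [string] $Extension,
        [string] $Share                     # omit to apply to every share on the server
    )
    $name = if ($Share) { "$Extension@$Share" } else { $Extension }
    $path = Join-Path $FilterDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is all the filter needs; its name carries the rule.
        New-Item -Path $path -ItemType File | Out-Null
    }
    return $path
}

# Exception: Full Control on the filter file lets members of $Identity still write
# that extension. Keep this list short; any account holding it bypasses the filter.
function Add-PowerStoreFilterException {
    param(
        [Parameter(Mandatory)] [string] $FilterPath,
        [Parameter(Mandatory)] [string] $Identity    # e.g. 'BUILTIN\Administrators'
    )
    $acl  = Get-Acl -LiteralPath $FilterPath
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $FilterPath -AclObject $acl
}

# Verification: a write with a blocked extension must be refused with Access Denied.
# Run this as a user who is NOT in an exempt group, or the write will succeed.
function Test-PowerStoreFilterBlocks {
    param([Parameter(Mandatory)] [string] $Extension)
    $probe = "\\$SmbServer\$ShareName\filter-probe.$Extension"
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force       # filter did not block; clean up
        return $false
    } catch {
        if ($_.CategoryInfo.Category -eq 'PermissionDenied') { return $true }
        throw                                         # some other failure; surface it
    }
}

# --- Apply the configuration ---
foreach ($ext in $ServerWideExtensions) {
    New-PowerStoreFilter -Extension $ext | Out-Null
}
# Share-specific filter for .wcry on FS1, with Administrators exempted (assumption).
$wcryFilter = New-PowerStoreFilter -Extension 'wcry' -Share $ShareName
Add-PowerStoreFilterException -FilterPath $wcryFilter -Identity 'BUILTIN\Administrators'

# Review what is now configured, then probe each filter from a non-exempt session.
Get-ChildItem -LiteralPath $FilterDir | Select-Object Name, LastWriteTime
foreach ($ext in $ServerWideExtensions + 'wcry') {
    '{0,-10} blocked on {1}: {2}' -f $ext, $ShareName, (Test-PowerStoreFilterBlocks -Extension $ext)
}
```

The probe deliberately distinguishes a permission-denied result from any other error (share unreachable, wrong path), so a misconfigured run cannot be mistaken for a working filter.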
When users attempt to copy a file with a blocked extension, they receive an Access Denied error, as shown in the following figure.
Considerations
Note that this feature only works on SMB and does not filter file extensions when files are written over NFS. It is also a denylist: only the extensions you have explicitly configured are blocked, so users could rename a file to an extension that is not filtered, and ransomware variants that use a new or randomly generated extension, or that keep the original file name, will not be stopped by it. Malware is generally less able to adapt around a filter on the fly than a user is, which is why the control still has value, but it should not be the only layer. The Full Control exception also means that any account in an exempt group, including a compromised one, can write the filtered extension, so keep exemptions to a minimum. Finally, since the list of filtered extensions must be checked on every file write, a very large number of filters could affect performance.
Conclusion
File extension filtering is a simple and powerful capability that provides administrators the ability to control the type of data that is stored on an SMB share. Easy to configure and able to provide an additional layer of protection against ransomware activity, file extension filtering is an effective addition to any comprehensive cybersecurity strategy to protect and secure your data.
Resources
The following resources provide more information about PowerStore:
Author: Wei Chen, Technical Staff, Engineering Technologist