No home folder, other options/realtime

Feb 1 at 9:33 AM
Hi, I found your software because, after an unfortunate encounter with ransomware, beating several layers of security, I also believe the only realistic method of detection is using canary files (comparing files for changes).

The problem I'm having is we are not using home directories on shares for users. So I can't really use the PowerShell scripts to block access. While cryptolocker variants seem to be able to "fake" the owner of the files on shares, I was wondering if you have thought about a way you might still be able to detect what user changed the files. (File auditing perhaps?)

Also, I saw the compare tab only seems to have settings to compare Hourly, daily etc. But in an hour, a cryptolocker can do a lot of damage. Perhaps it is possible to use filesystemwatcher to detect the changes ( https://msdn.microsoft.com/en-us/library/system.io.filesystemwatcher(v=vs.110).aspx ), as this would be almost realtime.
Feb 9 at 7:14 PM
Edited Feb 9 at 7:23 PM
In the hourly you specify minutes, so it can be checked very often. I check other file shares without them being home folders; they just get a single copy of the source folder, and if it gets compromised you will get notified. Since you won't have the username, you could stop the file servers sharing files instead. I have a sample script for that as well.
Feb 15 at 10:43 AM
Ok, thanks for your reply. I still think that using filesystemwatcher should just be default.
Even in a minute's time a few 1000 documents could be damaged.
Feb 16 at 9:11 PM
With a file server, using filesystemwatcher would be a huge performance hit. I designed my service with performance in mind with regards to a heavily used file server with terabytes of files. FileScreens can be used to keep an eye out for certain files, but validating every file saved is not something that is possible performance-wise. Users would be screaming a few minutes after setup.
Feb 21 at 3:58 PM
Oh, I did not mean that the entire server should be watched, only the canary files with a filesystemwatcher. (But I'm not sure how this affects filesystemwatcher performance).
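
The canary-only FileSystemWatcher idea from the post above, sketched in PowerShell as an added example (not part of the thread and not the project's own code). The canary paths are constructed placeholders and `Test-CanaryIntact` is a hypothetical helper name.

```powershell
# Constructed placeholder paths; point these at your own decoy files.
$CanaryFiles = @(
    'D:\Shares\Finance\_canary.docx',
    'D:\Shares\HR\_canary.xlsx'
)

# Baseline hashes: an event only counts when the content no longer matches.
$Baseline = @{}
foreach ($f in $CanaryFiles) {
    $Baseline[$f] = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
}

# Hypothetical helper: a missing or unreadable canary is treated as tampered.
function Test-CanaryIntact([string]$Path, [string]$Expected) {
    try {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
        return $hash -eq $Expected
    } catch {
        return $false
    }
}

# One watcher per canary, scoped to its folder and file name, no subdirectories.
# Filter is applied after the OS delivers notifications, so a very busy folder
# can still overflow the watcher's buffer; the Error event covers that case.
$Watchers = foreach ($f in $CanaryFiles) {
    $w = New-Object System.IO.FileSystemWatcher
    $w.Path = Split-Path -Parent $f
    $w.Filter = Split-Path -Leaf $f
    $w.IncludeSubdirectories = $false
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Size'
    foreach ($name in 'Changed', 'Deleted', 'Renamed', 'Error') {
        Register-ObjectEvent -InputObject $w -EventName $name -MessageData $f
    }
    $w.EnableRaisingEvents = $true
    $w
}

# Any event (including a buffer overflow) triggers a re-hash of that canary.
while ($true) {
    $e = Wait-Event
    Remove-Event -EventIdentifier $e.EventIdentifier
    $canary = $e.MessageData
    if ($null -eq $canary) { continue }   # not one of the canary subscriptions
    if (-not (Test-CanaryIntact $canary $Baseline[$canary])) {
        # Watcher events carry no user name; identifying the account needs file auditing.
        Write-Warning ("{0:u} canary tripped: {1}" -f $e.TimeGenerated, $canary)
        # Call your own response script here (alert, stop sharing, ...).
    }
}
```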
Mar 15 at 6:33 PM
Edited Mar 15 at 6:33 PM
Look into getting the full version of Malwarebytes. They have ransomware protection for individual users. I made my program for file servers.