Welcome to my website

Stop ransomware on the file server for free
22 November 2015 19:53

In November 2014, I was playing around with some ideas for how to stop and protect a file server against users who get ransomware on their PC, after which the ransomware starts to encrypt the files on the file server.
My idea was to use the built-in Windows Server function called File Server Resource Manager. I used it back in Windows 2003, where it was a bit limited, but in Windows 2008 and 2012 it has got a lot better.
The main idea is that most ransomware renames the real files to indicate that they are encrypted: when your Word file is named somefilename.doc, it is renamed to somefilename.doc.encrypted. In most cases the ransomware also needs to tell the user how to pay the ransom, so it often places files like How_to_decrypt.html in the same folder as the encrypted files.
So the plan is to use File Server Resource Manager (FSRM) to monitor for specific files like these being written to the file server, and when it happens, do something about it.
FSRM can, on an event, send mails, write to the event log and run scripts. The script function seems the obvious one to use: just run a quick script to stop the ransomware. But that function is limited to running as local accounts on the file server, and when I tried it, it was too limited for what I was trying to do. More on this later, as I use another trick to get around this limit and run the script as the user account I want.

So what is my script doing to stop the ransomware?

FSRM monitors for bad files, and when they are discovered it runs a script that does these steps:
  • Find out what file was written, which user wrote it, from what remote PC, and what the process ID of the malware is on the user’s PC. This information is logged to the event log on the file server and used by the next script functions.
  • Add a snapshot to the drive with the share on the server, to protect the remaining data from getting encrypted.
  • Via remote commands, try to copy the malware on the user’s PC to another file on the user’s PC, for later forensic analysis of the malware.
  • Via remote commands, try to kill the bad process ID to make it stop.
  • Tell the user’s PC to shut down.
  • Add a deny-all-outbound-traffic rule to the Windows Firewall on the user’s PC.
  • Add a firewall rule on the file server that denies all traffic from the user’s PC IP address.
  • Add a firewall rule on the domain controller that denies all traffic from the user’s PC IP address.
  • Disable the user’s AD account on the domain controller, to prevent the user from accessing more resources.
  • Send a mail to the administrator saying that user X has written bad file Y to the file server from a PC with IP x.x.x.x.

This list of actions is just for use as a proof of concept; the script that you will see later is built to be very modular, so you can disable the things you don’t like or easily add new functions. But more on this later on.
Now you are maybe thinking: why do so many overlapping things, like adding firewall rules when also sending a shutdown to the client PC? The reason is that this script is designed to stop the malware from doing more damage to the file server, and it is very likely that some or many of the functions will not work every time. For example, the file server can talk to the client PC when it is on the company LAN, but what happens when the user is working from home via a VPN? Can the file server then run remote commands on the client PC, or do the firewalls prevent that?
So by taking many actions to stop it, it is more likely that the script can stop the malware from encrypting all the files on the server.

The list of files used for monitoring: yes, this is a limitation, as it is a fixed list and new malware will most likely use new file names, so this concept is no better than the list of files it monitors, and that is a weak point. But again, I have used this on a number of systems and it has stopped ransomware from encrypting files on the file server.

But for you to better see how it works and what happens, I have made this video showing what happens when the user writes a monitored ransom file.
See the video here:

But enough talk, let’s look at how to set up the script.

First step is to download the script from http://www.tooms.dk/software/FSRMscript/default.asp to the file server and unzip it to c:\tools\fsrmscript\

Download it and unzip it so it looks like this. You can change the path, but then you also have to change the path in the scripts.

What each script does will be covered later in the guide.

Now let’s install the File Server Resource Manager. The easiest way is via the PowerShell prompt with these two commands:

Type: Import-Module ServerManager
Type: Add-Windowsfeature FS-Resource-Manager
FSRM is now installed, and next we need to configure it to monitor the shares.

In the start menu, find "File Server Resource Manager" and start it.

At the top, right click on "File Server Resource Manager (Local)" and select "config options" to see this window.
On the tab "Email notifications", enter the details for your mail system and click "send test e-mail" to verify it is working.

Click on the tab "Notifications limit" and change all the limits to 0.

Click on the tab "File screen audit" and enable "record file screening activity in the auditing database".

Then click OK to close the options dialog window.

Open a DOS prompt as Administrator. It is important that you do this as admin, so right click on "Command prompt" and select "Run as Administrator".
Now change to the install folder by typing "cd c:\tools\FSRMscript\install\".

In this folder there are a number of files that help with the setup, so we don’t have to do it all via the GUI.

If you prefer to configure from the command line the global options we just set via the GUI, just edit FSRM-config-admin-options.cmd with your settings and then run it.

Next step is to import the list of ransomware files to monitor. Instead of typing it manually via the GUI, we just import the list from the file FileGroup-Ransomware.xml.
Run "FSRM-import-filegroup-ransomware.cmd" and it will import FileGroup-Ransomware.xml as the file group "Ransomware".

Start the File Server Resource Manager MMC and then click on "File Screening Management" -> "File Group".
Note the new "Ransomware" file group on the list. Verify that the file names in the group do not match files that already exist on your file server, as that would trigger the script.

When you have finished looking at the list, just close it again.

Now add the file screen that monitors the shared folder using the file group "Ransomware".
In the DOS prompt type this command: "filescrn screen add /path:c:\Shares\Data /type:passive /add-filegroup:"Ransomware" /add-notification:e,ev-besked.txt /overwrite"
Change the path to fit the shared folder on your system, but it is very important that the other options are exactly as shown for the next parts to work.

Next step is to test that the file screen is working. The simplest way is to write a file to the monitored folder with a file name that matches the ransomware file group and therefore triggers the file screen event.
So I have written the file "c:\Shares\data\badfile.crypto", and now let’s look at the event log messages from the file screen.
Open the event log and in the Application log look for the event from source SRMSVC with event ID 8215.

As you can see here, it records what happened when the test file was written to the folder, and just below the text there is some XML-style text with the details. This extra text is very important, as it is used by the script later on.
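As an added example (not from the post or the FSRMscript download), here is the same setup done with the FSRM PowerShell cmdlets available on Windows Server 2012 and later, including the check the guide asks for: that no existing file on the share already matches the group. The three patterns, the event body and the share path are assumptions; the real pattern list is the one in FileGroup-Ransomware.xml, and the real event text is the post's ev-besked.txt.

```powershell
# Added example, not the post's own tooling: FSRM setup from the guide using the
# FsrmFileGroup/FsrmFileScreen cmdlets instead of the GUI and filescrn.exe.
# Run in an elevated PowerShell prompt on the file server.
# Assumptions: the patterns are a constructed sample (the real list is in
# FileGroup-Ransomware.xml); the event body is a stand-in for ev-besked.txt.
param(
    [string]$SharePath = 'C:\Shares\Data',
    [string]$GroupName = 'Ransomware',
    [string[]]$Patterns = @('*.encrypted', '*.crypto', 'How_to_decrypt.html')
)

# 1. Install FSRM (same as the post's Add-WindowsFeature, plus the MMC tools).
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}

# 2. Make sure nothing on the share already matches the patterns. A passive
#    screen fires on every matching write, so a legitimate file with such a name
#    would run the whole response chain against an innocent user.
$existing = Get-ChildItem -Path $SharePath -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "$(@($existing).Count) existing file(s) match the $GroupName patterns:"
    $existing | Select-Object -First 5 FullName | Format-Table -AutoSize
    throw 'Remove or rename these files, or trim the pattern list, before enabling the screen.'
}

# 3. Create the file group (what FSRM-import-filegroup-ransomware.cmd does via XML).
if (-not (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $Patterns -Description 'Ransomware marker files' | Out-Null
}

# 4. Passive screen with an event-log notification, equivalent to the post's
#    filescrn screen add /path:... /type:passive /add-filegroup:"Ransomware" /add-notification:e,ev-besked.txt
#    Passive means log but do not block: the write goes through and the event fires.
#    The body uses FSRM's own notification variables; ev-besked.txt in the
#    download carries its own text with the XML-style details its script parses.
$body = 'User [Source Io Owner] wrote [Source File Path] to [File Screen Path] on [Server]. File group: [Violated File Group].'
$action = New-FsrmAction -Type Event -EventType Warning -Body $body
if (Get-FsrmFileScreen -Path $SharePath -ErrorAction SilentlyContinue) {
    Set-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active:$false -Notification $action
} else {
    New-FsrmFileScreen -Path $SharePath -IncludeGroup $GroupName -Active:$false -Notification $action | Out-Null
}

# 5. Test the way the post does: write a file whose name matches the group, then
#    look for SRMSVC event 8215 in the Application log.
$testFile = Join-Path $SharePath 'badfile.crypto'
Set-Content -Path $testFile -Value 'fsrm test'
Start-Sleep -Seconds 5
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SRMSVC'; Id = 8215 } -MaxEvents 1 -ErrorAction SilentlyContinue
Remove-Item -Path $testFile -Force
if ($evt) {
    "Screen works. Record $($evt.RecordId) at $($evt.TimeCreated):`n$($evt.Message)"
} else {
    Write-Warning 'No 8215 event yet; check the Notifications limit tab (all 0) and the screen path.'
}
```

The record id printed at the end is the same value the scheduled task later hands to the script as $(MYevID).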

Now we need to "Attach task to this event" to run a script when this event log message occurs.
So select the event with source SRMSVC and event ID 8215, then click "Attach Task To This Event..." in the Action menu.
Don’t change the text, just click Next, and on the next screen, "When an event is logged", just click Next.

On the page "Action", select "Start a program" and click Next.
On the page "Start a program", add the program and arguments as listed here; the syntax is very important.
Program: c:\windows\system32\cscript.exe
Add arguments: "C:\tools\FSRMscript\Eventactionscript.vbs" /Log:$(MYevLOG) /EvID:$(MYevID)
Then click next

On the page "Finish", verify it looks correct and then click Finish to close the dialog box.

Next we need to change the task details so it passes the command line arguments the script needs. In the DOS prompt run the command "ELog-Export-Application_SRMSVC_8215.cmd" to export the task to an XML file.

Now that the task is exported to the XML file, open it in Notepad and add the text shown here with yellow highlight. It is very important that it is added at the correct location.
The text to add is this:

      <Value name="MYevLOG">Event/System/Channel</Value>
      <Value name="MYevID">Event/System/EventRecordID</Value>

When the text has been added at the correct location, save the file to disk again.

Edit ELog-ADD-Application_SRMSVC_8215.cmd to use the correct domain\administrator for your setup and then run it to import the changed task.
Enter the password for the user when it imports the task again.

Open the Task Scheduler and open the properties of the imported task.
Under the security options select "Run whether user is logged on or not" and check "Run with highest privileges".

Click OK to close the properties window again.

Now in the Task Scheduler window, right click on the task and select Run, then wait 5 seconds and refresh the window. Note that the task has now run and the exit code is 0.
Next open the event log viewer and verify that there is now an event log message from the script, source "WSH" with event ID 4, saying that it was started without the correct command line options. This is normal for this test.
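As an added example (not the post's own cmd files), this PowerShell script does the export, edit and import steps above in one go: it places the two Value lines inside the task's EventTrigger element, which is the location Task Scheduler expects for ValueQueries, checks that the action arguments really use $(MYevLOG) and $(MYevID), and re-registers the task. The task name, the XML path and the DOMAIN\administrator account are placeholders; the export and import are done with schtasks, which is assumed to be what the ELog cmd files wrap.

```powershell
# Added example, not part of the FSRMscript download. Inserts the guide's two
# ValueQueries entries into an exported task XML at the correct location and
# re-imports the task. Placeholders: task name, XML path, run-as account.
param(
    [string]$TaskName = '\Event Viewer Tasks\Application_SRMSVC_8215',  # assumed wizard default name
    [string]$XmlPath  = 'C:\tools\FSRMscript\install\task.xml',          # placeholder path
    [string]$RunAs    = 'DOMAIN\administrator'                            # placeholder account
)

# Export the task as XML (the manual step done by ELog-Export-Application_SRMSVC_8215.cmd).
schtasks.exe /Query /TN $TaskName /XML | Set-Content -Path $XmlPath -Encoding Unicode

[xml]$doc = (Get-Content -Path $XmlPath -Raw).TrimStart()
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')

# The wizard writes a Triggers/EventTrigger with a Subscription; ValueQueries belongs inside it.
$trigger = $doc.SelectSingleNode('/t:Task/t:Triggers/t:EventTrigger', $ns)
if (-not $trigger) { throw "No EventTrigger in $XmlPath; was the task created with 'Attach Task To This Event'?" }

# Make sure this really is the SRMSVC 8215 task before touching it.
$sub = $trigger.SelectSingleNode('t:Subscription', $ns).InnerText
if ($sub -notmatch "Provider\[@Name='SRMSVC'\]" -or $sub -notmatch 'EventID=8215') {
    throw "Subscription does not select SRMSVC event 8215: $sub"
}

# Add <ValueQueries> with the two Value entries from the guide, once each.
$vq = $trigger.SelectSingleNode('t:ValueQueries', $ns)
if (-not $vq) {
    $vq = $doc.CreateElement('ValueQueries', $ns.LookupNamespace('t'))
    [void]$trigger.AppendChild($vq)
}
$wanted = [ordered]@{ MYevLOG = 'Event/System/Channel'; MYevID = 'Event/System/EventRecordID' }
foreach ($name in $wanted.Keys) {
    if (-not $vq.SelectSingleNode("t:Value[@name='$name']", $ns)) {
        $v = $doc.CreateElement('Value', $ns.LookupNamespace('t'))
        $v.SetAttribute('name', $name)
        $v.InnerText = $wanted[$name]
        [void]$vq.AppendChild($v)
    }
}
$doc.Save($XmlPath)

# Verify the action's arguments reference both variables, otherwise the script
# starts without /Log and /EvID (the WSH event 4 seen in the manual test).
$argLine = $doc.SelectSingleNode('/t:Task/t:Actions/t:Exec/t:Arguments', $ns).InnerText
if ($argLine -notmatch '\$\(MYevLOG\)' -or $argLine -notmatch '\$\(MYevID\)') {
    throw "Task arguments do not use both variables: $argLine"
}

# Re-import under the chosen account (the step done by ELog-ADD-Application_SRMSVC_8215.cmd);
# /RP * makes schtasks prompt for the password instead of putting it on the command line.
schtasks.exe /Create /TN $TaskName /XML $XmlPath /RU $RunAs /RP '*' /F
```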

Now that the main configuration is done, it is time to edit the scripts to fit your setup.
Open c:\tools\FSRMscript\mainactionscript.cmd in Notepad and find the part around line 85; this is the command that adds a firewall rule to the domain controller.
If you want to use this, remove the "rem" from the start of the line to uncomment it and then change the domain controller name from DC01 to the name of your DC.
To add firewall rules to more servers, just copy the line for each server and change DC01 to each server name.

When you have finished editing the file, just save and close it again.

Next open c:\tools\FSRMscript\sub-script\DisableADaccount.vbs in Notepad.
To make sure you don’t get important accounts locked out, add their login names as shown here, with a semicolon before and after each name.

If you have added any names to the list, save the file and close it again.

Now open c:\tools\FSRMscript\sub-script\mail2admin.vbs in Notepad.
In the line starting with "sendinformmail2admin", edit the details to fit your mail settings; if you need to alert more than one person, just copy the line.

When you have finished editing, save and close the files again.

Now the setup is finished and it is time for testing, but it is very important that you don’t test this from your servers, as it will add the firewall rules and shut down the server. The correct way to test is to use a client PC and a normal user account. Test it by writing a monitored filename to the file share and see what happens.
After testing, look at the firewall rules on the servers and the client PC, and also look at the event log on the file server to see if it has logged the correct details.

So this was my little guide to using the free built-in FSRM function and some scripts to prevent ransomware from encrypting all the files on your file server.

Tooms @ 22 November 2015 19:53
I got Lathe – my new Rotwerk EDM 350DR
13 August 2014 16:34

I got a small new lathe that I need for some minor jobs, where the small size is important so it doesn’t take up a lot of shop space and can be moved easily to be stored on a shelf.

I chose a Rotwerk EDM 350DR, which is a 7x14 lathe and the same as many of the other lathes on eBay and so on, but this version seems to be better and comes with some extras that you have to buy separately for the other ones. And as some sellers here in Denmark had the EDM 350DR at a discount, the price was about the same as the one on eBay from the UK.

Here is a link to Rotwerk’s website with the details of it.

I got a lot of extra lathe accessories that I think I need, from two shops, one in the US and one in the UK.
US shop: LittleMachineShop - http://littlemachineshop.com/
UK shop: Arceurotrade - http://www.arceurotrade.co.uk/

Below are some pictures of the lathe. I have also made a small review video that you can see on my YouTube channel.

Click here to see my Video review of it on YouTube

Tooms @ 13 August 2014 16:34
Copenhagen Historic Grand Prix 2014
9 August 2014 16:44

Another great weekend on 2 and 3 August with good weather, beer and cars at the Copenhagen Historic Grand Prix 2014.

So here you can enjoy some photos and videos from the weekend.

Here are some more photos

Here are some videos on YouTube

Tooms @ 9 August 2014 16:44
CNC Progress at April 2014 - Power meter and electronics
15 April 2014 22:09
I have now installed a power meter on my CNC so that I can see how many kWh I use to cut a part and thereby know how much it costs.
The power meter is a 3-phase Schneider Electric PM750MG. The meter has an RS485 serial port so you can read all the data from it, but for now I have not connected that… maybe later on.

Here is the power meter, put into a narrow box because the space is limited.

Here you can see the power meter in its box, installed in the tiny space next to the enclosure.

To see more details, look at my YouTube video here: http://youtu.be/3R-NnDlL_2s

Tooms @ 15 April 2014 22:09
CNC Progress at March 2014
3 March 2014 21:39
Here is a status update of my CNC and what I have done.

As you can see I have now added the sides to the cabinet, with a small extra table on the front.

Here is the extra table on the front; it is handy to have some extra space for putting parts when working.

The hole where the cable chain connects has been made a bit bigger, because it was too small for the cables that I plan to run through it.

I added a cable channel to guide the cables from the CNC into the cabinet. It is made so it can move when the CNC is working, and it is very easy to take apart if I have to remove the CNC from the cabinet.

Here you can see the cable channel with the cables hidden in it and the cover on. The end plate is missing; I don’t have it now but will add it later on.

Here is a view of the inside of the cabinet with the PC and the cables coming in from the side just behind the PC. The cables will later be connected to the electronics enclosure at the back end of the cabinet.

Here is a view of the back end with the electronics enclosure.

If you look at my YouTube channel, there is a video where I show the progress and go a bit more into the details.

So now I am basically finished with the cabinet below the CNC, and I can begin to work on installing the new electronics and replacing the cabling and sensors.

Thanks for watching


Tooms @ 3 March 2014 21:39
Video tour of my CNC at January 2014
8 February 2014 10:42

I have had some requests to show more details about my CNC, so I have made some videos where I go over everything on my CNC and the status of the rebuild.
This is the first time I have made a video blog, so please bear with me, and sorry that my English is not better than it is; I guess it will give you something to laugh about when you see my video.
If you would like to see more videos, or need me to elaborate on anything, just let me know.

Tour of my CNC at January 2014 - part 1 of 2

Tour of my CNC at January 2014 - part 2 of 2


Thanks for watching


Tooms @ 8 February 2014 10:42
Got my µCurrent GOLD and ruler from EEVBLOG
2 February 2014 22:05

Today I got my µCurrent GOLD, the “EARLY SIGNATURE EDITION” from the Kickstarter campaign that Dave Jones from the EEVblog has just finished.
I didn’t really need one, as I already had one, but when Dave made the Kickstarter campaign I was quick to sign up for another, just to support the great work Dave does and also to get the signature edition…

Here you can see the cool new Gold signature edition with serial number 00007; hmm, I got the James Bond edition… maybe it has some hidden functions

with the signature of Dave L. Jones

As an extra gift there were three µRulers included, and they seem to be the correct size; the top one is one I got when Dave was selling some µRulers.

To read about what this thing is, go to this webpage: http://www.eevblog.com/projects/ucurrent/

Thanks Dave and keep up the good work.


Tooms @ 2 February 2014 22:05
The new electronics for my CNC
20 January 2014 23:37

I have now got the new electronics that I plan to use for my CNC.

After spending a long time on the internet looking for the best stepper drivers and BOB (breakout board), I found a cool website in the US called www.cnc4pc.com that makes some good-looking boards and seems to get good reviews on the net from users. The boards are clear and easy to understand and look to have good build quality, with through-hole parts that are easy to replace if the blue smoke gets out of some of them.
The drivers I got from a web shop in the Netherlands called www.impulsecnc.nl/en/ that had a good price on the driver I wanted to buy, but more about this later in this post.

Primary BOB

This nice little BOB called C35 from www.cnc4pc.com is the one I plan to use to connect the stepper drivers, because it is just a buffer driver that takes the weak signals from the LPT1 port and converts them to good 0-5 volt signals, so the drivers get a nice clean signal, which prevents lost steps due to the weak signals from the LPT1 port in most modern PCs.
The drivers are connected to this board via RJ45 cables for easy connection, and the other inputs go via the screw terminals, which have a status LED for each input.
This board is not opto-isolated but connects the signals straight through to the drivers. That is because the drivers have a built-in optocoupler, so there is no need for extra optocouplers on the BOB as well: optocouplers add a small delay to the signal, and having more than one optocoupler can delay the signal too much and give issues.
As you can see the boards are well built and easy to repair if the blue smoke gets out, and I like that very much in the design… not that I plan to release the blue smoke.

Secondary BOB

I need a secondary BOB in my setup because I will be using two LPT ports. The reason is that I need more inputs than the 5 input signals I can get from the primary BOB, so this BOB will be configured as an input board, giving me 13 inputs and 4 outputs, which will allow me to have all the signal inputs I need for limit switches and other sensors.
This board is not opto-isolated, and that is a minor issue because I would like to have all the sensor inputs isolated from the other stuff and to protect the PC, but I was not able to find a BOB with the combination of many inputs and isolation at the same time, so I chose this board and will make my own opto-isolation board with some 6N137 optocouplers and buffer drivers.
The board is called C10 from www.cnc4pc.com

Stepper drivers

I have been reading a lot about stepper motors and drivers to better understand which drivers to select and what fits well with the stepper motors on my CNC. After reading half the Internet, I understand that it is better to run the setup at high voltage to better get the current into the motors so they can move better, and that digital drivers are a lot better than analog drivers.
The specs of my stepper motors are not easy to find, because the label with the model details is missing from two of the motors. I have seen this type/style of motor before and know it is a good brand, but the model is unknown. The last motor is placed inside the X axis motor housing and still has the model details on it; it is listed as a Vexta PH2610-E2.9, 2.9A, 1.16 ohm, 1.8 degree, 2 phase stepper motor.
So I am guessing that the two other motors have very similar specs.
The drivers I have selected are the Leadshine EM806, which seem to be very good drivers. They have a smart function where you can connect a PC to the serial interface and then “program” the drivers with some Windows software that comes with the drivers. This software can also auto-detect the motors, measuring the specs of the motors and tuning the driver to them, which is very smart for me when I don’t know the specs of the motors: it can then tell me what the specs are and select the best settings for them.
For voltage they support up to 80 volts, and I plan to run at around 60-70 volts with the current that each motor needs.
The drivers also have stall detection, so if something prevents the motors from turning, the drivers will detect that there is an issue and stop running to protect the system from damage.
The driver uses a very fast DSP processor and can therefore easily catch input signals at up to 200 kHz, so it can run the system at very high feed rates without losing steps.
So the Leadshine EM806 stepper driver seems to be perfect for my setup and a lot better than most of the black stepper drivers that you can find on eBay.
I got my three drivers from www.impulsecnc.nl/en/, which had the lowest prices that I could find in the EU.

Spindle RPM board

When I was ordering the other parts from www.cnc4pc.com I noticed that they had this little C3 “index pulse board”. It uses a small optical sensor installed inside the spindle, and the board then reads the RPM of the spindle and sends it as a pulse signal to the PC, so the CNC software will show the correct RPM.
So later on, when I have installed all the other parts and the CNC is up and running well, I will try to install this little board.

Buffer driver to fix controller issue.

Until I get all the new parts installed on the CNC, I will still be using the cheap eBay CNC controller that is on the CNC now, and the issue with that is that it is losing steps. So as a cheap quick fix I have got this little buffer board from www.cnc4pc.com. What this little board does is take the weak signals from the PC’s LPT port and turn them into 0-5V signals, which may get the eBay CNC controller to run better because it is now getting some good strong signals.
The board only costs $20, so if it can help the cheap bad eBay CNC controller run better until it gets replaced, then it is a cheap fix.

So I got:
1 of CNC4PC C26 Output buffer board
1 of CNC4PC C35 LPT Break out board
1 of CNC4PC C10 LPT Break out board
1 of CNC4PC C3 Index impulse board
3 of Leadshine EM806 stepper driver

The CNC4PC boards I got directly from www.cnc4pc.com in the US, as I could not find any shops in the EU that have them, so it cost me some import tax to get them into the EU.
It was a positive experience to shop from CNC4PC; it was easy and fast, no issues.

The Leadshine stepper drivers I got from www.impulsecnc.nl/en/ in the Netherlands, as they seem to have the lowest price in the EU; it was easy to shop with them and the shipping was also fast.

Now that I have most of the parts I need, it is just a matter of getting them installed on the CNC, so I can get the bad eBay CNC controller removed and hopefully get a stable CNC that is not losing steps.
So I am looking forward to having a well working CNC, and I will keep you all updated on this blog with the progress.

Tooms @ 20 January 2014 23:37
CNC progress – Spindle power
1 December 2013 19:52

I have made a little more progress on my CNC with the power to the spindle. It had a single phase power cable to an outlet, and it was a manual process to turn it on and off, so I have now added a 3 phase 400V outlet to the top of the housing on the X/Y axis.
The 3 phase power cable now goes through the cable chain and has a connector designed for 3 phase 400V at 16A, and the power control is now via a relay in the control box and my new spindle controller board. But more about that later in this post.

Here is the 3 phase outlet and connector that I have chosen to use. I chose it because it has been used a lot for 3 phase 400V here in Denmark in the past, so it is easy to get parts for this system; it is designed for 16A so it is perfect for the job, and the plug has a nice small size.
Here is the outlet with two plugs that have 3 phases, neutral and ground.

Here you can see the outlet mounted on top of the X axis motor housing; it runs free with 1-2 cm of space between the top of the outlet and the cable chain.

Here you can see the spindle with the plug connected.

Here is a view from the back side where you can see the space between the cable chain and the top of the outlet.
I have also replaced the bolts on the back cover plate with some nice new 5mm bolts, as the old ones were only 3mm and had a bad thread from many years of service. The new ones will also support the cable chain holder a lot better than the small 3mm bolts did.

The current setup only has one output to turn the spindle on/off, and the cheap CNC controller does not have the charge pump function, so every time I turned on the PC the spindle output had some random state, and that was not safe.
So I have now made my own spindle controller to make the spindle control safer: it only powers on the spindle when I want it on and turns it off when there is no longer a need for it to run.

The spindle controller works like this: when it is powered on, it waits 30 sec, then plays a long beep, and then goes into a “disabled” state where the input from the CNC controller cannot start the spindle.
For the spindle controller to change from the “disabled” state to the “enabled” state, the PC has to flip the input on and off 10 times at a 1 sec interval for 10-15 sec. When that has happened, the piezo speaker plays 3 long beeps to let you know that it is now in the “enabled” state and ready for the CNC controller to start and stop the spindle via the input and the relays.
When the input goes high to start the spindle, the spindle controller waits for 2 seconds, then plays 5 beeps via the piezo speaker, and then turns on the two relays.
If the input goes low, the spindle is turned off without any delay.

The spindle controller board is just made from some parts that I had, and the logic is controlled by a PICAXE 08M microcontroller, which easily handles this small job.
There is optocoupler isolation at the input from the CNC controller and at the relays, so there is safe isolation to make sure it will not give any issues with the safety of the spindle control.

Tooms @ 1 December 2013 19:52
First progress with my new CNC
12 November 2013 14:54

I have made some progress on my new CNC. The first thing was to find some type of stand to put it on. I was looking in the used market for something with the right size that would be a stable platform, and after some searching I found a pallet cart that is the perfect size, as it is 80cm x 120cm with a height that can be adjusted, and it is designed for an 800kg load.
So as the CNC is 80cm x 125cm and weighs around 200-250kg, this pallet cart is the perfect stand for the CNC.

It has some nice big wheels that can easily handle the load from the CNC and all the other things on the pallet cart.

Here you can see the pallet cart next to the CNC, and it seems like the pallet cart was designed for that CNC, a perfect match.

I added some support bars and holders to hold the feet of the CNC and to make sure the CNC does not fall off the stand when the machine is working.

Here is a close-up of the holder that holds the feet of the CNC.

It is not an easy task to lift the CNC up onto the stand, so I had to use a hoist, then move the pallet cart under it and lower the CNC onto the stand.

Now the CNC is placed on the pallet cart stand; it is a perfect match and it feels very stable, and there is no issue with moving it around.

Here you can see one of the feet of the CNC placed inside the holder on the pallet cart; there is no way it will fall or move off the pallet cart.

The electronics enclosure that came with the CNC was only 40cm x 40cm and far too small, so luckily I had another enclosure that is a much better fit, because it is 38cm H x 60cm W x 21cm D.
So it is perfect to place under the CNC in the pallet cart, and it will have much better room for the electronics.

The cable chain was hanging too low and hitting the dust covers; that is not good and will at some point damage the dust cover.

Here you can see the cable chain from the back side.

So as one of the first CNC projects I have cut this 5mm thick aluminum part to be a support arm for the cable chain, so it does not hit the dust cover.

Here is the support arm installed on the X axis housing to support the cable chain, so it is well clear of the dust cover.

Another view where you can clearly see the cable chain is now free from the dust cover.

So this was some progress on the CNC, but unfortunately there is still a long way to go until I have a stable and well working CNC, because there are many issues with the electronics, with random triggering of the sensors, and the movement is missing steps so it is doing wrong cuts. The next steps will be to install the new electronics enclosure and then upgrade all the electronics and cabling.

So it is not working well at the moment, but it is coming along and I hope it soon will be a lot better.
Tooms @ 12 November 2013 14:54
