File Screens Defeat Ransomware – Part 3

File screens have successfully stopped Locky.


I ran a curious file today that gave me the picture above…but my file server is just fine.

For a test, I created multiple file shares.

One share did not have a screen enabled.

The other share had the screen configured as detailed in my previous two posts.

Use File Screen to Stop Ransomware – Part 1

File Screens Don’t Stop Ransomware – Part 2

After running the email attachment, I observed this netstat and task information.


Here is what what is left of the share without the screen.


This is the share that had the screen enabled.  I like this one better!



At 2:18, an event was logged in response to the .locky files.  The path in this event is the path shown in the picture above.  It is sorted by modified date to show that not even a single file was changed.


Here is the firewall creation event.  This rule was created 37 seconds after the alert was triggered.



This may not work forever but it is proof enough for me to justify implementing in production.  I hope this helps you too!

You could even take this another step further to protect PC data.  If you configure your PCs with Desktop and Documents redirection on a screened share, even the PC data should be protected.

Time to revert my lab!






3 thoughts on “File Screens Defeat Ransomware – Part 3

  1. Pingback: How To Prevent Ransomware Infections | Question Driven

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s