
Check presence of specific file types in your network (for example *.scr) without VBScript

Hi Everyone,

In the news I read that there is a virus around (Dorifel) that is creating lots of screendumps (extension *.scr) to obtain internet banking details. Of course, my virus scanner is up2date and nothing can happen to me ... right?

I wanted to have a double check on the results of my virus scanner.

I decided to test Kace to find out how easy it is to write a script, deploy it and report how many systems in my network are potentially infected. After reading a few blogs and posts it became clear that VBS scripts are the way to go. Of course, I decided to go the opposite way because the first VBS script I read was a ... virus!

After a few hours I came up with a 'DOS' script that does everything I need, which I want to share with you because I needed to work around a problem with environment variables:

 On Success

  1. Launch SYS\cmd.exe with params /C echo Scanning for *.SCR files > c:\SCR-list.txt & set SCRcount=0 & for /r c:\ %x in (*.scr) do @ echo %x >>  c:\SCR-list.txt & set /a SCRcount+=1 > c:\SCR-count.txt.
  2. Log Scan for *.scr issued successfully, collected and file will be uploaded to Kace server to status.
  3. Upload c:\\SCR-list.txt to the server.

Basically the script does 2 things:

· Searching, collecting *.scr file names and uploading this list to K1000 (file c:\SCR-list.txt)
· Keeping track of how many *.scr files have been found (file c:\SCR-count.txt) and adding this to the (custom) inventory for the Asset.

By creating a Custom Inventory Field (Rule: ShellCommandNumberReturn(cmd.exe /c type c:\SCR-count.txt)) I am able to create a report, showing me which client/server contains the most *.scr files and would be a potential victim.

(PS. There is a small bug in the Report builder for numeric custom inventory fields: STR_FIELD_VALUE should be STR_NUM_VALUE)

A potential victim can be checked by analysing the uploaded file containing filenames and paths of the *.SCR files.

Both the virus scanner and this script did not find anything suspicious, so I guess I am safe ... Are you safe? Are you sure???

PS

I duplicated this script to check my network for *.VBS files as well and added a check for other drives as well.

Cheers

Wilco
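
One way to analyse the uploaded lists, as an added example that is not part of the original post: it parses each SCR-list.txt, drops paths in folders where Windows installs its own screen savers, and ranks hosts by what remains. The host names, sample paths and the EXPECTED_DIRS allowlist are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Assumption: folders where Windows itself installs screen savers; adjust per site.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed sample uploads, keyed by a made-up host name. Each value has the
# layout the scan writes: one header line, then one path per line.
SAMPLE_UPLOADS = {
    "PC-01": r"""Scanning for *.SCR files
c:\Windows\System32\Bubbles.scr
c:\Windows\winsxs\x86_example\Ribbons.scr
c:\Users\alice\Documents\Invoice.scr
c:\Users\alice\AppData\Local\Temp\photo.scr
""",
    "PC-02": r"""Scanning for *.SCR files
c:\Windows\System32\Mystify.scr
C:\WINDOWS\SysWOW64\Mystify.scr
""",
}

def parse_scr_list(text):
    """Return the paths listed in one SCR-list.txt."""
    paths = []
    for line in text.splitlines():
        line = line.strip()  # "echo %x >>" leaves a trailing space on each line
        if line.lower().endswith(".scr"):  # skips the header and blank lines
            paths.append(PureWindowsPath(line))
    return paths

def is_expected(path):
    """True when the file sits in (or below) one of the allowlisted folders."""
    parent = str(path.parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in EXPECTED_DIRS)

def unexpected_paths(text):
    """Paths from one upload that are outside the allowlisted folders."""
    return [str(p) for p in parse_scr_list(text) if not is_expected(p)]

def rank_hosts(uploads):
    """Sort hosts by number of unexpected *.scr files, highest first."""
    ranked = [(host, unexpected_paths(text)) for host, text in uploads.items()]
    return sorted(ranked, key=lambda item: len(item[1]), reverse=True)

if __name__ == "__main__":
    for host, paths in rank_hosts(SAMPLE_UPLOADS):
        print(f"{host}: {len(paths)} unexpected")
        for p in paths:
            print("   ", p)
```
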
