
Using File Server Resource Manager To Screen For Ransomware

This document discusses using File Server Resource Manager (FSRM) to screen for ransomware. It provides a PowerShell script that will configure FSRM to screen file extensions commonly used by ransomware. If a file is modified to a screened extension, the script will block SMB share access to prevent file damage and send an email alert. The script requires the FSRM role be installed and a mail relay server for email alerts. Running the script automatically sets up real-time file screening and response to potential ransomware infections.

Uploaded by

Taariq Saib

11/4/2019 Using File Server Resource Manager to Screen for Ransomware
https://www.altaro.com/hyper-v/using-file-server-resource-manager-screen-ransomware/

Using File Server Resource Manager to Screen for Ransomware
06 Sep 2016 by Luke Orellana

The File Server Resource Manager role provides many features. File screening, in particular, can be used to help mitigate damage from a ransomware attack. With file screening, file servers can be configured to perform real time auditing on all shares for any files that become modified to any known ransomware extensions. In the event of a user getting infected with ransomware, the file screen will detect the modification of the files and deny that user access to the file shares, preventing them from damaging any other files. This can save hours of downtime and clean up.

I have created a script that will set up and configure all of this within minutes. The script performs the following actions:

- Installs the file server resource manager role if it is not installed.
- Configures file server resource manager to screen for known ransomware file extensions.
- Configures the file screen to execute a script whenever a file is modified to a known ransomware extension. The script then blocks SMB share access to all shared files on the file server and sends an email message to the email address specified.

The script requires the following prerequisites:

- Windows Server 2012 – in order to use the cmdlet that blocks SMB share access.
- Mail Relay Server – Used to configure email alert.

To create the PowerShell script, copy the code below into Notepad and save it as a .ps1 (for example, Install-FSRMRansomeware.ps1):

Update- Edited script to restart FSRM service after blocking SMB permissions.
Ran into issue where the task was only triggering once.

function Install-FSRMRansomware {
<#
.SYNOPSIS
Installs the File Server Resource Manager role if not installed and then configures a file screen on all drives other than C.
The file screen screens for possible ransomware infections and then denies SMB access to the user who triggered the screen.
.PARAMETER SMTPServer
Specify the address of an email relay server. This is used to send the alert emails that generate when the file screen is triggered.
.PARAMETER EmailTo
Specify the email address to send the alerts to.
.PARAMETER EmailFrom
Specify the email address that the email alerts are sent from.
#>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True,
                   HelpMessage="Please input the address for an accessible email relay server.")]
        [String]$SMTPServer,

        [Parameter(Mandatory=$True,
                   HelpMessage="Please input a valid Email address to send the email alerts to.")]
        [String]$EmailTo,

        [Parameter(Mandatory=$True,
                   HelpMessage="Please specify an email address to receive alerts from.")]
        [String]$EmailFrom
    )

    Process {

        #add the FSRM role if it doesn't exist
        If ((Get-WindowsFeature fs-resource-manager).installed -like "False") {
            Write-Verbose "Installing File Server Resource Manager Role"
            Install-WindowsFeature fs-resource-manager
        }
        If ((Get-WindowsFeature RSAT-FSRM-Mgmt).installed -like "False") {
            Write-Verbose "Installing FSRM RSAT Tools"
            Install-WindowsFeature RSAT-FSRM-Mgmt
        }

        #Create File Group for FSRM
        New-FsrmFileGroup -name "Ransomware Files" -IncludePattern @(
            "*DECRYPT_INSTRUCTION.HTML*",
            "*HELP_DECRYPT.HTML*",
            "*decrypt all files*.bmp*",
            "*.ecc",
            "*.ezz",
            "*.exx",
            "*.zzz",
            "*.xyz",
            "*.aaa",
            "*.abc",
            "*.ccc",
            "*.vvv",
            "*.xxx",
            "*.ttt",
            "*.micro",
            "*.encrypted",
            "*.locked",
            "*.crypto",
            "*_crypt",
            "*.crinf",
            "*.r5a",
            "*.XRNT",
            "*.XTBL",
            "*.crypt",
            "*.R16M01D05",
            "*.pzdc",
            "*.good",
            "*.LOL!",
            "*.OMG*",
            "*.RDM",
            "*.RRK",
            "*.encryptedRSA",
            "*.crjoker",
            "*.EnCiPhErEd",
            "*.LeChiffre",
            "*.keybtc@inbox_com",
            "*.0x0",
            "*.bleep",
            "*.1999",
            "*.vault",
            "*.HA3",
            "*.toxcrypt",
            "*.magic",
            "*.SUPERCRYPT",
            "*.CTBL",
            "*.CTB2",
            "*.locky" )

        #Create FSRM Template xml file and import template then remove xml file
        $FSRMTemplate = @"
<?xml version="1.0" ?><Root ><Header DatabaseVersion = '2.0' ></Header><QuotaTemplates ></QuotaTemplates><DatascreenTemplates ><DatascreenTemplate Name = 'RansomwareCheck' Id = '{122F5AB4-9DF0-4F09-B89E-0F7BDC9D46CC}' Flags = '1' Description = '' ><BlockedGroups ><FileGroup FileGroupId = '{82D08F60-7319-4BE2-8621-066DB91A958E}' Name = 'Ransomware%sFiles' ></FileGroup></BlockedGroups><FileGroupActions ><Action Type="1" Id="{73AFB339-FF17-42DC-B9B9-E7C9A8E7C9A9}" EventType="2" MessageText="User%s[Source%sIo%sOwner]%sattempted%sto%ssave%s[Source%sFile%sPath]%sto%s[File%sScreen%sPath]%son%sthe%s[Server]%sserver.%sThis%sfile%sis%sin%sthe%s[Violated%sFile%sGroup]%sfile%sgroup,%swhich%sis%snot%spermitted%son%sthe%sserver." /><Action Type="3" Id="{D0B80CC5-E6DD-481C-9534-19944A851A72}" ExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Arguments="&quot;C:\Scripts\ScriptToDenyPermissions.PS1&quot;" WorkingDirectory="C:\Windows\System32\WindowsPowerShell\v1.0\" Account="3" MonitorCommand="0" KillTimeOut="0" LogResult="1" CurrentSid="S-1-5-21-3468280891-3112941812-1175424509-500" /></FileGroupActions></DatascreenTemplate></DatascreenTemplates><FileGroups ></FileGroups></Root>
"@
        $FSRMTemplate | Out-File -FilePath C:\users\public\FSRMTemplate.xml
        Filescrn template import /file:C:\users\public\FSRMTemplate.xml
        Remove-Item -path C:\Users\Public\FSRMTemplate.xml

        #Creates Script Block to perform email message and block SMB Permissions. Exports script block to a PS1 for the File Screen Template.
        #Inside this expandable here-string a backtick escapes the next character, so it is used only in front of
        #the $ signs that must be written out literally; cmdlet names are written without one.
        $DenyPermissionsScript = @"
#One second delay to give script enough time to grab newest event logs
sleep -Seconds 1

#Looks in event log for the custom event message generated by the file screen audit. Inputs username of the offender into a variable.
`$RansomwareEvents = get-eventlog -logname Application -message "*ransomware*" -newest 50 | where {`$_.eventid -eq 8215}
`$username = (`$RansomwareEvents.message).split()[1]
`$username = `$username -replace ".*\\"

#Blocks SMB share access for user
Get-SmbShare | Where-Object currentusers -gt 0 | Block-SmbShareAccess -AccountName `$username -force

#get name of computer and domain name for email message
`$computername = Hostname
`$domain = (Get-WmiObject win32_computersystem).domain

#Send Email Report to servicedesk with information
`$client = hostname
`$messageSubject = "Server `$computername on the domain `$domain is Infected being attacked by Ransomware"
`$messagebody= "The User `$username has infected the server. They have been denied access to all file shares. Please open a ticket to disinfect their machine. Once they have been disinfected, run the following powershell command on the server `$computername to unblock the user from file shares: get-smbshare | unblock-smbshareaccess -accountname `$username -force "
`$message = New-Object System.Net.Mail.MailMessage "$EmailFrom", "$EmailTo"
`$message.Subject = `$messageSubject
`$message.IsBodyHTML = `$true
`$message.Body = `$messagebody
`$smtp = New-Object Net.Mail.SmtpClient("$smtpserver")
`$smtp.Send(`$message)

# Restart FSRM services to allow script to re-trigger.
restart-service "File Server Resource Manager" -force
"@

        #Creates file path to store block smb script that is called by the FSRM template
        New-Item -Path "C:\scripts" -Force -Type directory
        $DenyPermissionsScript | Out-File -FilePath "C:\scripts\ScriptToDenyPermissions.PS1"

        #unblocks the script to allow for execution
        Unblock-File "C:\scripts\ScriptToDenyPermissions.PS1"

        #find all drives that are not the C drive and create file screen for those drives. Essentially all drives except the C drive will be monitored for crypto locker files.
        $disks = GET-WMIOBJECT win32_logicaldisk -filter "DriveType='3'" | Where {$_.deviceid -ne "C:"}
        ForEach($disk in $disks) {
            $DRIVE = $DISK.DeviceID
            New-FSRMFILEScreen -path "$DRIVE\" -template "RansomwareCheck"
        }
    }
}

Install-FSRMRansomware -SMTPServer InsertValidMailRelayServer -EmailTo InsertEmailToSendAlertsTo -EmailFrom InsertEmailToSendEmailFrom
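
The generated ScriptToDenyPermissions.PS1 takes the offender's name from the second whitespace-separated token of the event text, which truncates account names that contain a space and fails when no event matches. As an added example that is not part of the original script, the following parses the message against the template's MessageText and returns nothing unless it fits; the function names and sample messages are assumptions constructed for illustration.

```powershell
# Added example, not the article's code. Function names and the sample
# messages at the bottom are constructed for illustration.

function Get-ScreenViolation {
    # Parses one event message written by the RansomwareCheck template.
    # Returns $null unless the text fits the template's MessageText:
    #   "User [Source Io Owner] attempted to save [Source File Path] to
    #    [File Screen Path] on the [Server] server. This file is in the
    #    [Violated File Group] file group, ..."
    param([string]$Message)

    # File is greedy so a " to " inside the file name stays in the file name;
    # the screen path must start with a drive letter, as created by the script.
    $pattern = '^User (?<Account>.+?) attempted to save (?<File>.+) ' +
               'to (?<Screen>[A-Za-z]:\\.*?) on the (?<Server>\S+) server\. ' +
               'This file is in the (?<Group>.+?) file group'
    if ("$Message".Trim() -notmatch $pattern) { return $null }

    # Read the captures now; the next match operation replaces $Matches.
    $account = $Matches['Account']
    $file    = $Matches['File']
    $server  = $Matches['Server']
    $group   = $Matches['Group']

    # Drop the DOMAIN\ prefix, then refuse anything that cannot be a
    # sAMAccountName (1-20 characters, none of " / \ [ ] : ; | = , + * ? < >).
    $user = $account -replace '^.*\\', ''
    if ($user -notmatch '^[^"/\\\[\]:;|=,+*?<>]{1,20}$') { return $null }

    [pscustomobject]@{
        Account = $account; User = $user; File = $file
        Server  = $server;  Group = $group
    }
}

function Select-Offender {
    # Takes messages newest first (the order Get-EventLog returns them) and
    # returns the first one that parses and names the expected file group.
    param([string[]]$Messages, [string]$GroupName = 'Ransomware Files')
    foreach ($m in $Messages) {
        $v = Get-ScreenViolation -Message $m
        if ($v -and $v.Group -eq $GroupName) { return $v }
    }
}

# Constructed sample messages, newest first. The first contains the word
# "ransomware" but is not a file screen event; the second has a space in the
# account name, which split()[1] would cut down to "CONTOSO\John".
$sample = @(
    'Backup job finished; no ransomware indicators found.',
    'User CONTOSO\John Smith attempted to save F:\Sales\How to quote.docx.crypto to F:\ on the FS01 server. This file is in the Ransomware Files file group, which is not permitted on the server.',
    'User CONTOSO\jdoe attempted to save F:\HR\plan.xlsx.locky to F:\ on the FS01 server. This file is in the Ransomware Files file group, which is not permitted on the server.'
)
Select-Offender -Messages $sample | Format-List

# On the file server the input would come from the same query the article uses:
#   $msgs = (Get-EventLog -LogName Application -Message '*ransomware*' -Newest 50 |
#            Where-Object { $_.EventID -eq 8215 }).Message
#   $hit  = Select-Offender -Messages $msgs
#   if ($hit) { Get-SmbShare | Where-Object currentusers -gt 0 |
#               Block-SmbShareAccess -AccountName $hit.User -Force }
```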

How to Run the Script


Running the script is really simple. I’ve created an advanced
function that includes all the parameters necessary to set up the
email alerts. All we need to do is edit the parameters for the
function being called at the end of the script:

Once you have inserted your own parameters, save the script. To
execute the script, hold down SHIFT and RIGHT CLICK on the
.ps1 file. Select COPY AS PATH:


Open up an administrative PowerShell prompt, type in “powershell” and paste in the path we copied, press ENTER to run the script:

The script will start to run; if the File Server Resource Manager role is not installed, it will begin installing. Once the script finishes, we can look at what was done by opening up Server Manager and clicking on Tools and then selecting File Server Resource Manager:

If we select the File Groups in the left window pane, we can see our newly created file group called “Ransomware files” that contains all of our known ransomware extensions to screen for:


If we select File Screen Templates in the left window pane, we can see our “RansomwareCheck” template has been created. Right click and select Edit to look at the configurations. We can see that the Ransomware Files file group is selected:

If we select the Command tab we can see that the script has been created in the C:\Scripts directory on the server. This is the script that performs the SMB blocking action and sends the alert email through the email relay server specified in the script parameters:


If we select the file screens section in the left window pane, we can see that there is an active file screen on our F drive. By default the script will scan for all available volumes besides the C drive and will create a file screen for that volume. This can be manually modified if desired:

Testing the Script


If we wanted to test this out, we can go to a workstation and browse out to a shared folder on the newly configured file server. We will mimic the extension change that occurs when a file is encrypted by the cryptolocker virus by renaming the extension of a file to “.crypto”. We can see that the change gets denied:


Also, our user’s access to their mapped drive on the file server is now denied:

An email is then sent to the email address that we configured in the script's parameters. We get the information on the user that was infected and the server being attacked. We also get the command that can be run to enable access once again for the user:

If we paste that command into an administrative PowerShell prompt on the infected file server, that user can now access their shared folders again:

Keeping Updated on Known Ransomware Extensions

You will want to do your due diligence on making sure the extensions being screened are kept up to date; you can easily edit the file group and add in the extensions at any time. Tripwire has been doing an amazing job at producing security awareness posts that include the most recently discovered ransomware flavors and the extensions they use. Check out their most recent post here. This is a great way to protect your organization's data by mitigating the damage done during a ransomware attack. Also, it is free, which makes it even better.
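
One way to keep the file group current from a reviewed text file, shown as an added example that is not part of the original article. The list path, the function names and the known-good file names are assumptions; each candidate is checked against ordinary file names first, because with this setup a pattern that matches normal documents would get users blocked from the shares.

```powershell
# Added example, not the article's code. The list path, function names and
# known-good file names are assumptions chosen for illustration.

# Ordinary file names that must never be screened. With the article's setup a
# hit blocks the user from the shares, so a pattern matching these is refused.
$KnownGoodNames = 'report.docx', 'budget.xlsx', 'scan.pdf', 'photo.jpg',
                  'notes.txt', 'backup.zip'

function Test-ScreenPattern {
    # True when $Pattern matches none of the known-good names.
    param([string]$Pattern, [string[]]$SafeNames = $KnownGoodNames)
    if ([string]::IsNullOrWhiteSpace($Pattern)) { return $false }
    # FSRM patterns use only * and ?; translate them to an anchored regex.
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*').Replace('\?', '.') + '$'
    foreach ($name in $SafeNames) {
        if ($name -match $regex) { return $false }
    }
    return $true
}

function Merge-ScreenPattern {
    # Returns the current patterns plus the accepted new ones, de-duplicated
    # without regard to case, and lists what was added and what was refused.
    param([string[]]$Current, [string[]]$Candidate)
    $seen     = @{}   # hashtable keys compare case-insensitively
    $merged   = New-Object System.Collections.ArrayList
    $added    = New-Object System.Collections.ArrayList
    $rejected = New-Object System.Collections.ArrayList
    foreach ($p in $Current) {
        if ($p -and -not $seen.ContainsKey($p)) { $seen[$p] = $true; [void]$merged.Add($p) }
    }
    foreach ($raw in $Candidate) {
        $p = "$raw".Trim()
        if ($p -eq '' -or $p.StartsWith('#')) { continue }   # blank line or comment
        if ($seen.ContainsKey($p)) { continue }               # already screened
        if (-not (Test-ScreenPattern $p)) { [void]$rejected.Add($p); continue }
        $seen[$p] = $true
        [void]$merged.Add($p); [void]$added.Add($p)
    }
    [pscustomobject]@{
        Merged = $merged.ToArray(); Added = $added.ToArray(); Rejected = $rejected.ToArray()
    }
}

function Update-RansomwareFileGroup {
    # Reads one pattern per line and writes the merged set back to the group.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ListPath  = 'C:\Scripts\ransomware-patterns.txt',  # assumed location
        [string]$GroupName = 'Ransomware Files'                     # group created by the article's script
    )
    $group  = Get-FsrmFileGroup -Name $GroupName -ErrorAction Stop
    $lines  = Get-Content -Path $ListPath -ErrorAction Stop
    $result = Merge-ScreenPattern -Current $group.IncludePattern -Candidate $lines
    foreach ($p in $result.Rejected) {
        Write-Warning "Skipped '$p': it matches a known-good file name."
    }
    if ($result.Added.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "Add $($result.Added.Count) pattern(s)")) {
        Set-FsrmFileGroup -Name $GroupName -IncludePattern $result.Merged
    }
    $result
}

# Constructed demonstration of the merge step; it needs no FSRM role.
$demo = Merge-ScreenPattern -Current '*.locky', '*.crypt' `
                            -Candidate '*.LOCKY', '*.demo-locked', '*.*', '# comment', '*.doc?'
$demo | Format-List Added, Rejected
```

On the file server, Update-RansomwareFileGroup -WhatIf shows what would be added before anything is written to the file group.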


Luke Orellana
Luke Orellana has been immersed in the realm of Information Technology since 2005. As a System Administrator for a Managed IT Services Provider, he supports and maintains the IT Infrastructure of many businesses through technologies such as VMware, Hyper-V, Windows Server, Exchange, SQL, and PowerShell. Luke’s objective is to discover ways to automate tedious and troublesome administrative tasks using Windows PowerShell and share his findings with others.

17 thoughts on “Using File Server Resource Manager to Screen for Ransomware”

Sparky Henderson
July 11, 2019 at 10:18 pm

I know this thread is three years stale but I found a slight bug and I think others might benefit from the fix. This has to do with creating the $DenyPermissionsScript variable that gets written to a file. The very last line is
`restart-service “File Server Resource Manager” -force

See that backtick at the beginning of the line? What actually gets written to the file is “estart-service”. That’s the bug. Get rid of the tick and “restart-service” is correctly rendered.

Finally a huge Thank You to Luke O for writing this article and giving me a jumping off point.

Reply

Jim
December 6, 2016 at 6:01 pm

There’s a well-maintained list of extensions and files used by many cryptolocker variants here (https://fsrm.experiant.ca/api/v1/get) in json format. There’s also a similar (but not as elegant on Windows 2012) project here (https://github.com/m-dwyer/CryptoBlocker) that contains powershell to acquire the json and split it into 4kb chunks for FSRM.
I’m going to look at combining the 2, so using your script above but downloading the file list from experiant so that I can schedule it to stay up-to-date with new variants, just thought I'd mention it in case you want to incorporate this yourself. The last infection I dealt with would have been caught by the experiant list but not this one.

Reply

Dariusz
November 28, 2016 at 5:11 pm

Hi

This is a great script and works almost perfect! I’m saying almost because I have found one problem. When I unblock user’s access to SMB and logon to the workstation and change extension of the file again, it will block the file extension change but will not block access to the share! Has anyone tested it that way and what results did you get?

Reply


Luke Orellana
November 28, 2016 at 9:56 pm

For some reason the command task won’t re-trigger after it's already been run. I put in a work around by adding restart-service “File Server Resource Manager” -force to the script that denies SMB permissions.

Reply

Aaron
November 3, 2016 at 9:13 pm

Legend! Thanks mate. Best solution I have found so far. I did get this error after it completed the screen for the last drive but hasn’t prevented it from working. I already had the email details set in FSRM though.

New-FSRMFILEScreen : 0x80045306, The specified path is invalid.
At C:\Install-FSRMRansomeware.ps1:149 char:41
+ New-FSRMFILEScreen -path “$DRIVE\” -temp …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (MSFT_FSRMFileScreen:Root/Microsoft/…_FSRMFileScreen) [New-FsrmFileScreen], CimException
+ FullyQualifiedErrorId : HRESULT 0x80045306,New-FsrmFileScreen

Reply


Myke
October 24, 2016 at 3:54 pm

Error for me!!! Help!! Sorry I don’t speak English, I'm from Brazil!!

Windows Server 2012

Filescrn : The term ‘Filescrn’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Scripts\Install-FSRMRansomeware.ps1:53 char:13
+ Filescrn template import /file:C:\users\public\FSRMTemplate.xml
+ ~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Filescrn:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

Reply


Luke Orellana
November 28, 2016 at 10:01 pm

Make sure the File Server Resource Manager role is installed on your file server. The script does the work of installing it, but it’s possible that portion was not successful.

Try running the following command in an administrative powershell console and then re-run the script:
Install-WindowsFeature fs-resource-manager

Reply

Bill
September 18, 2016 at 6:58 am

Can this be made to run on Windows 2008R2 servers – we don’t have any 2012’s as yet but could use this extra protection on the 2008s. Thanks!

Reply

Luke Orellana
November 28, 2016 at 10:05 pm

Unfortunately no. Some of the cmdlets used in the script are native to Server 2012 and higher.

Reply

Wouter Kokshoorn
September 12, 2016 at 4:17 pm

First I want to thank you for this information. It will help us creating a better security against Ransomware.

I configured this solution for several of our customers. The only thing that would be nice is adding functionality to auto update the patterns, or import them from a list. For example you place a txt file on the server and a scheduled task imports the data automatically.

Reply

John Albrektson
September 9, 2016 at 9:29 pm

What a great resource! I just finished setting it up and am delighted with the result. I removed the line that blocked shared access–that may be too draconian for our needs. I love the notifications! Way to really help the community.

Reply

Luke Orellana
September 12, 2016 at 4:12 pm

Thanks! Glad you found it useful.

Reply

Paul Passingham
September 8, 2016 at 6:35 pm

Hi Luke,
Great Article, Will be implementing this across all our 2012 servers. As our relay server listens on a non standard port and requires authentication would you be able to modify the script to accommodate this.

Many thanks

Paul

Reply

Luke Orellana
September 12, 2016 at 4:47 pm

Thanks! I will modify the script to include parameters for those requirements. In the meantime, you can modify the ScriptToDenyPermissions.PS1 file that gets created. Paste the following over the “#send email report” section around line 17 and edit the values to include your own requirements:

#Send Email Report to servicedesk with information

$SMTPPort = "587"
$SMTPUsername = "username"
$SMTPPassword = "password"
$SMTPServer = "smtp.myrelay.com"
$SMTPFrom = "[email protected]"
$SMTPto = "[email protected]"

$client = hostname
$messageSubject = "Server $computername on the domain $domain is Infected being attacked by Ransomware"
$messagebody = "The User $username has infected the server. They have been denied access to all file shares. Please open a ticket to disinfect their machine. Once they have been disinfected, run the following powershell command on the server $computername to unblock the user from file shares: get-smbshare | unblock-smbshareaccess -accountname $username -force "
$message = New-Object System.Net.Mail.MailMessage $smtpfrom, $smtpto
$message.Subject = $messageSubject
$message.IsBodyHTML = $true
$message.Body = $messagebody
$smtp = New-Object Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.EnableSsl = $true
#Attach the credentials to the client so the relay can authenticate the sender
$smtpCreds = New-Object System.Net.NetworkCredential($SMTPUsername, $SMTPPassword)
$smtp.Credentials = $smtpCreds
$smtp.Send($message)

Reply
