Stopping\Removing all executables + dlls in AppData folder

  • Question

  • I've patched together some code that is working to stop and log executables (.exe) running under the AppData (Local, Local Data, Roaming) folder location.  I'm trying to add the same functionality but for .dlls.  Here's my code (the $filter2 variable storing exe and dll in a hashtable is what I'm currently trying and it's not working; currently commented out):

    $folder = 'C:\users\j.doe\AppData\' # Root Path 
    $filter = '*.exe'  # Wildcard Filter (FileSystemWatcher.Filter holds a single pattern string)
    #$filter2 = @('*exe*','*dll*')   # an array is not a valid Filter value, so this cannot work as written
                                
    $fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $true;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'} 

    # The -Action block runs in its own scope, so the root and filter are handed to it
    # through -MessageData instead of relying on script-level variables being visible.
    Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -MessageData @{ Folder = $folder; Filter = $filter } -Action { 
        $name       = $Event.SourceEventArgs.Name        # path relative to the watched root
        $changeType = $Event.SourceEventArgs.ChangeType 
        $timeStamp  = $Event.TimeGenerated 
        $folder     = $Event.MessageData.Folder
        $filter     = $Event.MessageData.Filter
        Write-Host "The file '$name' was $changeType at $timeStamp" -fore green 
        # Sweep every file matching the filter under the root, then remove the file that raised the event
        Get-ChildItem -Path $folder -Include $filter -Recurse | Remove-Item
        Out-File -FilePath c:\scripts\filechange\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"
        Remove-Item -Recurse -Force "C:\users\j.doe\AppData\$name"
        Write-Host $name
    }

    I've tried several other things but I want to get it as clean as possible with little overhead instead of adding another FileSystemWatcher for the dll extension.

    Thank you,
    Daniel


    DB

    Thursday, August 18, 2016 4:23 PM
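    An added example, not the poster's code, showing one way to cover .exe and .dll with a single watcher. FileSystemWatcher.Filter holds one pattern, so the watcher is given `*.*` and the extension test is done inside the handler; the Renamed event is subscribed as well, because a dropper can write a .tmp and rename it, and the Error event is subscribed because the watcher reports a buffer overflow (one cause of missed events) that way. The root path, log path, buffer size and the GoToMeeting allow-list entry are assumptions, not values from the thread.

```powershell
# Added example (not from the thread): one FileSystemWatcher covering .exe and .dll.
# Assumptions: $root, $logFile, the buffer size and the allow-list pattern are placeholders.
$root       = "$env:USERPROFILE\AppData"          # watched root (assumed)
$logFile    = 'C:\scripts\filechange\outlog.txt'  # log path as used in the question
$extensions = @('.exe', '.dll')                   # tested in the handler, not in Filter
$allowList  = @(                                  # locations allowed to drop executables (assumed)
    "$root\Local\GoToMeeting\*"
)

$fsw = New-Object IO.FileSystemWatcher $root, '*.*' -Property @{
    IncludeSubdirectories = $true
    NotifyFilter          = [IO.NotifyFilters]'FileName, LastWrite'
    InternalBufferSize    = 64KB   # default is 8KB; a burst of events overflows it and events are lost
}

$data = @{ Root = $root; Log = $logFile; Ext = $extensions; Allow = $allowList }

# Created and Renamed both matter: writing foo.tmp and renaming it to foo.exe only raises Renamed
foreach ($evt in 'Created', 'Renamed') {
    Register-ObjectEvent $fsw $evt -SourceIdentifier "AppData$evt" -MessageData $data -Action {
        $d    = $Event.MessageData
        $path = $Event.SourceEventArgs.FullPath        # for Renamed this is the new name
        $ext  = [IO.Path]::GetExtension($path).ToLowerInvariant()
        if ($d.Ext -notcontains $ext) { return }       # not an extension we care about
        foreach ($pattern in $d.Allow) {
            if ($path -like $pattern) { return }       # known-good product folder
        }
        $line = '{0:u} {1} {2}' -f $Event.TimeGenerated, $Event.SourceEventArgs.ChangeType, $path
        Add-Content -Path $d.Log -Value $line
        try {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        } catch {
            # A running image cannot be deleted; record it so the log shows what survived
            Add-Content -Path $d.Log -Value "  remove failed: $($_.Exception.Message)"
        }
    } | Out-Null
}

# Buffer overflow is reported through the Error event; log it so gaps in coverage are visible
Register-ObjectEvent $fsw Error -SourceIdentifier AppDataError -MessageData $data -Action {
    $msg = $Event.SourceEventArgs.GetException().Message
    Add-Content -Path $Event.MessageData.Log -Value ('{0:u} WATCHER ERROR {1}' -f $Event.TimeGenerated, $msg)
} | Out-Null

$fsw.EnableRaisingEvents = $true
# Unregister-Event -SourceIdentifier AppData*  stops the subscriptions when finished
```

    Deleting the file after the event fires is still a race: the process that dropped it may already have started it, in which case Remove-Item fails and only the log line remains. That is the gap the answer below points at, and why a policy that blocks the launch is preferable to a watcher that cleans up afterwards.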

Answers

  • Most AVs have an exclude capability.

    You will learn that the FSW is unreliable in this case.  You can run it but it will miss items and can easily miss malware.

    As you can see a filter can only monitor one extension.


    \_(ツ)_/


    • Edited by jrv Thursday, August 25, 2016 6:14 PM
    • Marked as answer by DanielBetz Thursday, August 25, 2016 8:37 PM
    Thursday, August 25, 2016 6:13 PM

All replies

  • This is what AV does. Just set a rule on the folders to not allow exe and dll files.  You should actually block all executables.

    Group Policy Software Restriction Policies can also do this.


    \_(ツ)_/

    Thursday, August 18, 2016 4:39 PM
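    An added example, not the reply's own code, of the Software Restriction Policy approach suggested above, expressed as the registry values the Local Security Policy editor writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. It disallows .exe launches from the AppData tree and carves out one product folder with a more specific Unrestricted rule, which is how SRP precedence works (the more specific path rule wins). The GoToMeeting folder name, the descriptions and the choice of two wildcard depths are assumptions; in a domain the same rules would normally be pushed by GPO, which overwrites local edits, and a sign-out is assumed to be needed before the new rules apply.

```powershell
# Added example (not from the thread): SRP path rules written directly to the registry.
# Assumptions: the GoToMeeting path is a placeholder; the key layout mirrors what secpol.msc
# writes and should be compared against a rule created there before being relied upon.
$safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

function New-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,          # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths
    $key = Join-Path $safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::Now.ToFileTime()) -PropertyType QWord -Force | Out-Null
    $key
}

# Policy-wide settings: default Unrestricted, all users, enforce on executables but not DLLs.
# TransparentEnabled = 2 would also check every DLL load, which is what the original question
# wanted, at the cost of an SRP check on each library load and much more breakage to test for.
New-Item -Path $safer -Force | Out-Null
New-ItemProperty -Path $safer -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $safer -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null

# Deny rules: .exe directly in, and one folder level below, Roaming and Local AppData.
# Each '*\' segment covers one more directory level; add more for deeper trees.
foreach ($pattern in '%AppData%\*.exe', '%AppData%\*\*.exe', '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe') {
    New-SrpPathRule -Path $pattern -Level $Disallowed -Description 'Block exe under AppData' | Out-Null
}

# Exception: the more specific Unrestricted rule takes precedence over the broader deny rules
New-SrpPathRule -Path '%LocalAppData%\GoToMeeting\*.exe' -Level $Unrestricted -Description 'GoToMeeting (assumed path)' | Out-Null
```

    Before deploying, run the same rules in a test OU with the SRP log file enabled (the LogFileName value under the same key) and compare what gets blocked against the inventory of legitimate AppData executables; a path exception is only as good as the list of products that need it.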
  • jrv-

    In theory that's what an AV is supposed to do.  I'm finding the N.G. AVs are leaving artifacts behind so I'd like to clean up after them.  As far as blocking all exes, this isn't quite an option since we use G2M and other products that have a legitimate need to have an executable in the appdata location.  I will add an -exclude for those after running another script I have to collect and verify all exes, dlls, etc. that are currently running in our environment from the temp location.  

    Daniel


    DB

    Thursday, August 25, 2016 6:02 PM
  • Ok thank you.  I was wondering what the efficacy of FSW was.  Will mark you down as the answer since your sentence "As you can see a filter can only monitor one extension" tells me what I needed to know.

    Thank you,

    Daniel


    DB

    Thursday, August 25, 2016 8:37 PM