Updated: How to use File Screening to help block CryptoLocker

Updated: How to use File Screening to help block CryptoLocker

The face of malware has changed over recent years and it’s safe to say that it’s become an industry like any other. Your data, and it’s importance to you, has a value and it’s one that people are only to keen to capitalise on. With ransomware such as CryptoLocker and Locky, this is something that’s become all too easy.

In your organisation you’ll have several tools in your arsenal which can be put to good use – mail filtering, gateway AV, web filtering, but one which you really should be making use of is the File Screening feature of your Windows servers. This allows you to build rulesets to report on, or block, files on your server.


If you need a quick way to configure File Server Resource Manager then check out this awesome script I’ve found


24th May 2016 – ESET have released a decrypter for TeslaCrypt which may help you out.
8th April 2016 – Updated to include Maktub files.
14th April 2016 – Update for Jigsaw ransomware.

I’m going to look at how to block many of the filetypes associated with CryptoLocker and Locky.

  1. First thing to do is to install the File Server Resource Manager Role on your Windows server, either 2008, 2008 R2, 2012 or 2012 R2. Do this from the Manage > Add Roles and Features menu in Server Manager.
    FSRM Role
  2.  You can now load the File Server Resource Manager from Administrative Tools.
  3.  Right click the File Server Resource Manager top level node on the left hand nav bar and choose Configure Options. This is where you’ll configure your email settings. Enter your email server information and hit the Test button to ensure you get a test email back, then click OK.
    FSRM Email
  4. Right click the File Groups nav node and choose Create File Group. Create a new group called Malware Files and add the files you want to exclude. In this case I’m using the following list which I’ll update as I find new file names. If you don’t want to paste all these in then you can use the handy powershell command at the bottom of this post to create the File Group and then skip this step.
  5.  Next up, right click the File Screen Templates node and choose Create File Screen Template. In my example I’ve called it Malware Files. Select the “Malware Files” group from the list of groups shown then click on the email tab. Here you want to enable email alerts – you really want to be told if you have some ransomware on your server – and click OK.
    2016-02-29 16_09_10- - Remote Desktop Connection 
    2016-02-29 16_08_42- - Remote Desktop Connection 
  6. Now we want to apply our template to our file locations. Right click the File Screens node and choose Create File Screen. Choose the folder to assign the file screening template to and choose the template that you create before. Click Ok.
    2016-02-29 16_19_10- - Remote Desktop Connection
  7. If you open a command prompt you can test what will happen. Pop in to your folder and try creating a malicious looking file. You should also receive an email if you’ve enabled email alerts.
    2016-02-29 16_29_51- - Remote Desktop Connection


To help with adding the file names that need to be blocked, you can use this powershell command. Just paste it in to the powershell prompt on the server and the File Screen Group will be created for you. You will then just need to create a template and assign it to a folder.

Windows 2012

Windows 2008/R2


Oliver Marshall
Oliver works as Head of Sales at a leading provider of IT services to the education sector. Out of hours he's a runner with a limp, has a board game addiction and a owns a dog that looks like a badger.
Show Buttons
Hide Buttons