
Comments (6)

SparkyzCodez commented on July 26, 2024

That's a good catch. I'll look into it and either update honey pot handling or blame it on PowerShell.

from fsrm-anti-ransomware.

SparkyzCodez commented on July 26, 2024

Working towards a solution: I was testing doing a Get-ChildItem. I didn't realize that it could return more than one type. I'm an old C hack, a current Python hack, and I hate PowerShell so I don't expect this aberrant behavior. If I used a filter that returned only a single matching directory it was type System.IO.FileSystemInfo but if I had multiple hits it returned a type System.Array. Took me a stupid amount of time to figure out but I'm on the golden path now.

Now we'll cast our results as an array by doing something like this:

    $result = @(Get-ChildItem -Filter ?asdf*)
    $result += @(Get-ChildItem -Filter .asdf*)

The point of all this array casting is that we can't assume the number of hits the first Get-ChildItem will return, and by inference, the data type of the return. The second item's cast is just for belt and suspenders. I know exactly what data type I want so we'll be explicit in the code.

@("hoopdy","doo"). Take that ambiguity!
or @("um","kay")

Matching the honeypot directories that begin with a dot is a little weird. We can sometimes pretend the dot is an actual character, but not with wildcard matching. Other times it means this directory. And still other times it means, "Hey, everything after me is a file name extension and I'm just a placeholder."

So why are we even bothering instead of just saying this is a special case that we are going to ignore? Macs and *nix, that's why. And because I hate PowerShell and love my Mac/Linux systems. Capricious? Sure. Will it hurt the non-Mac and non-Linux systems? Nope, they won't act any differently. And it's a challenge. That's why. Let's do this!

Steps to do - we tear into the actual script code and do four things:

  1. create a flag variable that controls finding the dot
  2. break up the pipelined code that gets the matching directories
  3. check match-the-dot flag and take appropriate action
  4. substring replace on the honey pot name pattern, replace '?' with '.'

Finally, this is really just a rambling note so that if I procrastinate I'll know where to pick this up later.

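The array-cast and match-the-dot steps from the comment above, as an added example that is not part of the original thread or the project's script. `Get-HoneyPotDirectory`, its `-MatchLeadingDot` switch, the use of `-Force`, and the sample directory names are assumptions made for illustration.

```powershell
# Added example; function, parameter and directory names are hypothetical.
function Get-HoneyPotDirectory {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $HoneyPotPattern,   # e.g. '?asdf*'
        [switch] $MatchLeadingDot                            # flag from step 1
    )
    # @() forces an array whether Get-ChildItem emits 0, 1 or many objects.
    # -Force is an assumption: it includes directories the platform treats as hidden.
    $result = @(Get-ChildItem -Path $Root -Directory -Force -Filter $HoneyPotPattern)

    if ($MatchLeadingDot -and $HoneyPotPattern.StartsWith('?')) {
        # Swap the leading '?' for a literal dot and query a second time.
        $dotPattern = '.' + $HoneyPotPattern.Substring(1)
        $result += @(Get-ChildItem -Path $Root -Directory -Force -Filter $dotPattern)
    }
    # De-duplicate in case both patterns return the same directory.
    # Function output is unrolled again, so callers must also wrap the call in @().
    $result | Sort-Object -Property FullName -Unique
}

# Constructed sample tree in a throwaway temp folder.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("hp-demo-" + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path $root
foreach ($name in '_asdf1', '_asdf2', '.asdf1', 'normal') {
    $null = New-Item -ItemType Directory -Path (Join-Path $root $name)
}

# Without @(): the runtime type depends on how many directories matched.
$one  = Get-ChildItem -Path $root -Directory -Filter 'normal*'
$many = Get-ChildItem -Path $root -Directory -Filter '_asdf*'
"one hit  -> {0}" -f $one.GetType().FullName
"two hits -> {0}" -f $many.GetType().FullName

# With @(): .Count and indexing behave the same for 0, 1 or many hits.
foreach ($flag in $false, $true) {
    $dirs = @(Get-HoneyPotDirectory -Root $root -HoneyPotPattern '?asdf*' -MatchLeadingDot:$flag)
    "MatchLeadingDot={0}: {1} hit(s): {2}" -f $flag, $dirs.Count, ($dirs.Name -join ', ')
}

Remove-Item -Recurse -Force -Path $root
```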

SparkyzCodez commented on July 26, 2024

No longer considering this a bug. It's really normal Windows behavior. I just don't like it so we're going to work around it.


mol-tron commented on July 26, 2024

Awesome, thanks! I'm sure I found the only character PowerShell doesn't like as a character to start a directory name and I always seem to run into obscure issues like this one. I'm not really a coder myself, just able to hack around existing code if needed.


SparkyzCodez commented on July 26, 2024

Testing new code.


SparkyzCodez commented on July 26, 2024

Added option to include honey pot directories that begin with a leading dot. Really great suggestion. Thanks.

