Please run windows update now

Aaron C. de Bruyn aaron at heyaaron.com
Mon May 15 23:19:37 UTC 2017


On Mon, May 15, 2017 at 2:48 PM, J. Oquendo <joquendo at e-fensive.net> wrote:
> On Mon, 15 May 2017, bzs at theworld.com wrote:

>> You count the number of destructive opens in the kernel and if it
>> exceeds a threshold (for example) you stop it and pop up a warning.

That's basically what I did.  I got tired of users constantly opening
any attachment that came at them through e-mail and encrypting all the
files on their systems and other network systems....so...I installed a
Linux box running Samba backed by a ZFS file store.

Samba spits out syslog records on file writes.

Combine that with fail2ban.  When one user has more than 60 writes in
60 seconds *or* a write contains a well-known cryptolocker name (i.e.
*DECRYPT_INSTRUCT*) it immediately blocks their IP on the server,
looks up their MAC address, scans the switch for their MAC, and
disables the switch port.

Then I have a list of files in syslog that were encrypted and ZFS
snapshots I can restore from.

Additionally, some of the workstations were PXE or iSCSI booted from
the NAS so it was as simple as "Hold down the power button to turn off
your computer.  Ok, let me 'zfs rollback' your machine image...ok, now
turn your computer back on.  All set."

Plus adding new workstations was as easy as getting the MAC address
and doing a 'zfs clone' of a clean machine image.

Upgrades are easy too--boot a VM, install the latest version of
Windows, update drivers, install software packages, then shutdown,
snapshot and clone.  Tell the user to reboot their PC and they are now
running the newer OS.

Windows isn't hard if you have Linux and Unix running underneath,
behind, and between everything. ;)

-A
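Written here as an added example, not Aaron's actual fail2ban setup: a small Python detector that applies the two rules from the post (more than 60 writes by one user in 60 seconds, or any write whose name contains the well-known ransom-note string) to syslog lines. The log lines are constructed and only modelled on the field order of Samba's vfs_full_audit module; users, addresses and paths are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines, modelled on the field order of Samba's vfs_full_audit
# module (user|client IP|share|operation|result|path). Not captured from a real server.
_BASE = "May 15 14:{:02d}:{:02d} nas smbd_audit: {}|{}|shared|pwrite|ok|{}"
SAMPLE_LOG = "\n".join(
    [_BASE.format(0, 0, "alice", "10.0.0.21", "/srv/shared/report.docx"),
     _BASE.format(0, 1, "bob", "10.0.0.22", "/srv/shared/DECRYPT_INSTRUCTIONS.txt")]
    # carol: 61 writes inside 31 seconds, the burst the 60-per-60s rule is meant to catch
    + [_BASE.format(1, i // 2, "carol", "10.0.0.23", f"/srv/shared/doc{i}.xlsx.locked")
       for i in range(61)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|[^|]+\|(?P<op>[^|]+)\|[^|]+\|(?P<path>.*)$"
)
WRITE_OPS = {"pwrite", "write"}
# The well-known ransom-note name the post matches on (case-insensitive substring).
RANSOM_NOTE_RE = re.compile(r"DECRYPT_INSTRUCT", re.IGNORECASE)


def find_offenders(log_text, max_writes=60, window_s=60):
    """Return {client_ip: (user, reason)} for every client that trips either rule.
    Rule 1: more than `max_writes` writes by one user inside any `window_s`-second window.
    Rule 2: any write whose path contains a known ransom-note name.
    """
    recent = defaultdict(deque)  # per-user sliding window of write timestamps
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["op"] not in WRITE_OPS:
            continue  # not a write we care about
        user, ip, path = m["user"], m["ip"], m["path"]
        if ip in offenders:
            continue  # already flagged; a real deployment would have blocked it by now
        if RANSOM_NOTE_RE.search(path):
            offenders[ip] = (user, f"ransom-note filename written: {path}")
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; only deltas matter
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop writes older than the window
        if len(window) > max_writes:
            offenders[ip] = (user, f"{len(window)} writes within {window_s}s")
    return offenders
```

Calling find_offenders(SAMPLE_LOG) flags bob's IP on the ransom-note rule and carol's on the write-rate rule while leaving alice alone; the returned addresses are what the post's fail2ban action would then block and trace to a switch port.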

