Alert and Trigger Veeam agent to Backup if file is Encrypted
Ratings
Release Time
10/23/2017
Downloads
1337 times
Update Time
07/03/2025
Views
1089 times
Share-it:
Categories
Monitoring
Published on:
7 years ago
This Script will generate alert if any file is Encrypted in Specified path and Trigger the VEEAM AGENT BACKUP to backup the given path.
Output will have User details of where and when file is encrypted (i.e) created, modified date and time of encrypted file, owner of Encrypted file and Veeam agent status in the Endpoint.
NOTE:
- Please ensure that " VEEAM AGENT BACKUP " is installed in endpoint.
- Path = r"C:\ProgramData" #Give the path want to Monitor.
- path_to_bckup=r"C:\Users\C1-En_230\Desktop\Backup" #Give the path where want to store backedup files.
Run as System User
Procedure's Instructions
235
1
path=r"C:\Users\C1-En_230\Downloads" # Give the Path want to monitor2
path_to_bckup=r"C:\Users\C1-En_230\Desktop\Backup" #Give the path where want to store backedup files.3
4
5
import os6
import ctypes7
import re8
import time9
import shutil10
import datetime11
import socket12
import platform13
import sys14
15
16
class disable_file_system_redirection:17
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection18
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection19
def __enter__(self):20
self.old_value = ctypes.c_long()21
self.success = self._disable(ctypes.byref(self.old_value))22
def __exit__(self, type, value, traceback):23
if self.success:24
self._revert(self.old_value)25
26
27
def alert(arg): 28
sys.stderr.write("%d%d%d" % (arg, arg, arg)) 29
30
31
def file_owner(filename):32
import ctypes as ctypes33
from ctypes import wintypes as wintypes34
35
advapi32 = ctypes.WinDLL('advapi32', use_last_error=True)36
37
# required constants38
ERROR_INSUFFICIENT_BUFFER = 0x007A39
OWNER_SECURITY_INFORMATION = 0x0000000140
41
# related constants42
ERROR_INVALID_FUNCTION = 0x000143
ERROR_FILE_NOT_FOUND = 0x000244
ERROR_PATH_NOT_FOUND = 0x000345
ERROR_ACCESS_DENIED = 0x000546
GROUP_SECURITY_INFORMATION = 0x0000000247
DACL_SECURITY_INFORMATION = 0x0000000448
SACL_SECURITY_INFORMATION = 0x0000000849
LABEL_SECURITY_INFORMATION = 0x0000001050
ATTRIBUTE_SECURITY_INFORMATION = 0x0000002051
SCOPE_SECURITY_INFORMATION = 0x0000004052
BACKUP_SECURITY_INFORMATION = 0x0001000053
UNPROTECTED_SACL_SECURITY_INFORMATION = 0x1000000054
UNPROTECTED_DACL_SECURITY_INFORMATION = 0x2000000055
PROTECTED_SACL_SECURITY_INFORMATION = 0x4000000056
PROTECTED_DACL_SECURITY_INFORMATION = 0x8000000057
58
# type definitions59
LPBOOL = ctypes.POINTER(wintypes.BOOL)60
LPDWORD = ctypes.POINTER(wintypes.DWORD)61
PSID = ctypes.POINTER(wintypes.BYTE)62
PSECURITY_DESCRIPTOR = ctypes.POINTER(wintypes.BYTE)63
SECURITY_INFORMATION = wintypes.DWORD64
65
class SID_NAME_USE(wintypes.DWORD):66
_sid_types = dict(enumerate('''67
User Group Domain Alias WellKnownGroup DeletedAccount68
Invalid Unknown Computer Label'''.split(), 1))69
70
def __init__(self, value=None):71
if value is not None:72
if value not in self.sid_types:73
raise ValueError('invalid SID type')74
wintypes.DWORD.__init__(value)75
76
def __str__(self):77
if self.value not in self._sid_types:78
raise ValueError('invalid SID type')79
return self._sid_types[self.value]80
81
PSID_NAME_USE = ctypes.POINTER(SID_NAME_USE)82
83
# function pointer prototypes84
85
def _check_bool(result, func, args,86
WinError=ctypes.WinError,87
get_last_error=ctypes.get_last_error):88
if not result:89
raise WinError(get_last_error())90
return args91
92
# msdn.microsoft.com/en-us/library/aa44663993
advapi32.GetFileSecurityW.errcheck = _check_bool94
advapi32.GetFileSecurityW.argtypes = (95
wintypes.LPCWSTR, # _In_ lpFileName96
SECURITY_INFORMATION, # _In_ RequestedInformationRequested97
PSECURITY_DESCRIPTOR, # _Out_opt_ pSecurityDescriptor98
wintypes.DWORD, # _In_ nLength99
LPDWORD) # _Out_ lpnLengthNeeded100
101
# msdn.microsoft.com/en-us/library/aa446651102
advapi32.GetSecurityDescriptorOwner.errcheck = _check_bool103
advapi32.GetSecurityDescriptorOwner.argtypes = (104
PSECURITY_DESCRIPTOR, # _In_ pSecurityDescriptor105
ctypes.POINTER(PSID), # _Out_ pOwner106
LPBOOL) # _Out_ lpbOwnerDefaulted107
108
# msdn.microsoft.com/en-us/library/aa379166109
advapi32.LookupAccountSidW.errcheck = _check_bool110
advapi32.LookupAccountSidW.argtypes = (111
wintypes.LPCWSTR, # _In_opt_ lpSystemName112
PSID, # _In_ lpSid113
wintypes.LPCWSTR, # _Out_opt_ lpName114
LPDWORD, # _Inout_ cchName115
wintypes.LPCWSTR, # _Out_opt_ lpReferencedDomainName116
LPDWORD, # _Inout_ cchReferencedDomainName117
PSID_NAME_USE) # _Out_ peUse118
119
def get_file_security(filename, request):120
length = wintypes.DWORD()121
# N.B. This query may fail with ERROR_INVALID_FUNCTION122
# for some filesystems.123
try:124
advapi32.GetFileSecurityW(filename, request, None, 0,125
ctypes.byref(length))126
except WindowsError as e:127
if e.winerror != ERROR_INSUFFICIENT_BUFFER:128
raise129
if not length.value:130
return None131
sd = (wintypes.BYTE * length.value)()132
advapi32.GetFileSecurityW(filename, request, sd, length,133
ctypes.byref(length))134
return sd135
136
def look_up_account_sid(sid):137
SIZE = 256138
name = ctypes.create_unicode_buffer(SIZE)139
domain = ctypes.create_unicode_buffer(SIZE)140
cch_name = wintypes.DWORD(SIZE)141
cch_domain = wintypes.DWORD(SIZE)142
sid_type = SID_NAME_USE()143
advapi32.LookupAccountSidW(None, sid, name, ctypes.byref(cch_name),144
domain, ctypes.byref(cch_domain), ctypes.byref(sid_type))145
return name.value, domain.value, sid_type146
147
def get_file_owner(filename):148
sd = get_file_security(filename, OWNER_SECURITY_INFORMATION)149
sid = PSID()150
sid_defaulted = wintypes.BOOL()151
advapi32.GetSecurityDescriptorOwner(sd, ctypes.byref(sid),152
ctypes.byref(sid_defaulted))153
name, domain, sid_type = look_up_account_sid(sid)154
return name, domain, sid_type155
156
157
158
import sys159
160
161
if isinstance(filename, bytes):162
filename = filename.decode('mbcs')163
164
name, domain, sid_type = get_file_owner(filename)165
166
if domain:167
name = '{0}\\{1}'.format(domain, name)168
print("\nFile : {0}".format(filename))169
print("Owner: {0} ({1})".format(name, sid_type))170
171
172
173
def check():174
with disable_file_system_redirection():175
os.chdir(path)176
inst=os.popen("cipher").read()177
178
return inst179
180
181
182
def again():183
with disable_file_system_redirection():184
os.chdir(path)185
ins=os.popen("wmic product get name,identifyingnumber").read()186
if 'Veeam Agent' in ins:187
print "\n Veeam Agent is installed on Endpoint"188
print "\n Veeam agent is Backing up your files, takes time to finish up based on FILE SIZES"189
veeam()190
else:191
print "\nCouldn't find Veeam Agent on Endpoint"192
print "\n Please Install Veeam Agent to start Backup"193
194
195
def veeam ():196
os.chdir(path)197
os.popen('"C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe" /standalone '+path_to_bckup)198
time.sleep(60)199
os.chdir(path_to_bckup)200
so=os.popen('dir').read()201
if "Backup Job" in so:202
print "\n Backup is completed and stored in specified path"203
204
205
206
inst=check()207
208
209
if len(inst)>0:210
find=re.findall('E\s(.*)',inst)211
212
if len(find)>0:213
alert(1)214
print "\nFound Encrypted files on Specified path:\n"215
print "User IP :"+socket.gethostbyname(socket.gethostname())216
print "Os Details :"+platform.platform()217
for f in find:218
fn=path+'\\'+f219
file_owner(fn)220
print "File Created Date : "+time.strftime("%Y/%m/%d",time.localtime(os.path.getctime(path+'\\'+f)))221
print "File Created Time : "+time.strftime("%I:%M:%S %p",time.localtime(os.path.getctime(path+'\\'+f)))222
print "File Modified Date: "+time.strftime("%Y/%m/%d",time.localtime(os.path.getmtime(path+'\\'+f)))223
print "File Modified Time: "+time.strftime("%I:%M:%S %p",time.localtime(os.path.getmtime(path+'\\'+f)))224
225
print "\n Checking for Veeam agent status in Endpoint"226
again()227
228
229
else:230
print "No file is Encrypted in Specified path"231
alert(0)232
233
234
235
Leave a Comment
CONTACT US
Call now! 
(972) 649-9012
(972) 649-9012
---
Comments