Could not white-list specific file name

[PhilLab]

Steps to reproduce

1. Try to Upload or Download an AndOTP backup file (name: otp_accounts.json.aes
2. It does not work as .aes is classified as ransomware upload
3. Add otp_accounts.json.aes to the whitelist. Still does not work
4. Also tried the pattern ^.*otp_accounts\.json\.aes$ or .json.aes . Does not work.

Expected behaviour

A file-name should be whitelistable. I cannot whitelist .aes or .json.aes because the extension is quite common for ransomware.

Actual behaviour

Not only an extension but a filename should be whitelistable.

[bovender]

Same problem here, in my case it occurs with some programming-related files:

• Gemfile.lock
• renv.lock

My notifications are flooded with complaints about these files not having been uploaded.

[nickvergessen]

Don't put it in the exclude for notes but exclude .lock from the extensions

[nickvergessen]

I think there should be a check field where you can type in a file name, it tells you which rules block it and offers to add them all to the exclude lists.

[krtpowa]

I work with a file with a .lock extension and it detects it as ramsonware.
In the configuration I see 4 boxes, I have tried to include "file.lock" and ".lock" in each of them, without seeing any effect.
The truth is somewhat confusing how it is configured, I have no idea how to do it, or if I do it wrong.

[nickvergessen]

.lock in bottom left should be it

[nursoda]

For the time being, at least the description labels in settings/admin/security should be more descriptive. It took me a while to realize what is meant by "Copy the exact string from the resource file" (backtranslated from German). Many NC admins that just use NC as a tool will not have access to shell (hosted/managed environment) and they will not know about the directory apps/ransomware_protection/resources. So we see two easy ways to easily enhance that (apart from the list to select extensions from proposed above):

1. Link to either
   https://raw.githubusercontent.com/nextcloud/ransomware_protection/v1.10.0/resources/extensions.txt (needs to make sure tag is same as version and accessible from app) or
   https://raw.githubusercontent.com/nextcloud/ransomware_protection/master/resources/extensions.txt (drawback: might be different from installed/customized app
2. Either Link to the local file apps/ransomware_protection/resources/extensions.txt (but that may not be directly linkable due to security concerns/CSP)
   or display the content of that file (included as full text in a spoiler or on a separate page).

[nursoda]

andOTP works fine if one adds a line .aes to the config in https://cloud.SERVER.TLD/settings/admin/security.

[b-pfl]

.lock in bottom left should be it

I have a similar issue where this does not seem to work:
One of the domains I am using is an .info domain and .info is listed as one of the extensions to be blocked.
I do have one folder which is named .info, and this folder generates the following log message:

Prevented upload of .info because it matches extension pattern ".info"

I added .info in the bottom left box but still receive this message whenever the folder is synced. Interestingly, macOS finder indicates that the folder is synced and I can even upload new files successfully.

[artfulrobot]

I'm also really confused about how to configure this app, some documentation is neded.

I have no idea what a "note file" refers to - the "non-obvious names" seems to suggest it's just case insensitivity? But then what's with boxes ➌, ➎?

I don't know what to to put in any of boxes 2-5

I don't know what "additional include" and "exclude" means here:

• what's a pattern and what does it match against? The file name? The whoe file path? I think maybe a 'pattern' is a ends-with-substring, unless it starts with ^ or ends with $ in which case it's a preg_match regex?
• include a pattern, I think might mean that if I put in .1234 to ➋ then files like letsCount.1234 would trigger the block.
• exclude is this also regex?And if it matches (file name? file path?) then what happens? it's excluded from protection?or excluded from being able to be uploaded?

I came here because I'd like to tame this beast for composer.lock and package.lock files.

I think some examples on the admin page would make this much clearer.

[nickvergessen]

If you want to block files with name pavkage.lock and composer.lock use the files_accesscontrol app

In short the explanation is rather wordly what's written there.

Non-obvious names refer to file names which are not youHaveBeenHackedByRansomwareReadThis.md but files like notes.md readme.html and other files which can be used in day to day business and therefore create false positives.

Notes files are the explanation files where the attackers notify the victim how to pay.

Additional patterns can be regex or string comparisons (when not starting with ^ or ending with $, iirc)

Exclude can be used to exclude one of the predefined patterns, so you need to add the exact pattern there that is in the default files.