I’ve modified a script I found on the TechNet Script Center to find known CryptoWall files in a server’s shares.
We utilize GFI Max and I’d like to implement this on all of the client servers that we can (we’ve had 2 CryptoWall infections at two different companies this week) as an early warning system. To avoid setting the script as an automated task to run alongside an event log check that searches for EventID 2319 from source CryptScan, I’d like the script to exit with code 2319 if one of the runspaces reports CryptoWall files, but I can’t wrap my head around how. I’d also like it to output all of the shares, owners, and date modified like it does with the event log if that’s possible, but I don’t know if it is since the $MessageBody variable is only in the runspaces. Any help would be appreciated.
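
One way to get both the exit code and the combined report described in the post above is to have each runspace return objects and to build `$MessageBody` in the parent script after collecting them. This is an added example, not the poster's script or the TechNet original; the share paths, the file-name pattern placeholder, the pool size and the use of the Application log are assumptions.

```powershell
# Added example: share paths and the pattern are placeholders (assumptions), not values from the post.
param(
    [string[]]$SharePaths = @('\\SERVER01\Share1', '\\SERVER01\Share2'),  # hypothetical shares
    [string[]]$Patterns   = @('PLACEHOLDER_RANSOM_NOTE.*')                # substitute the indicator file names you scan for
)

# Runs inside each runspace: emit one object per matching file instead of building $MessageBody there.
$scan = {
    param($Path, $Patterns)
    Get-ChildItem -Path $Path -Include $Patterns -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            [pscustomobject]@{
                Share    = $Path
                File     = $_.FullName
                Owner    = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                Modified = $_.LastWriteTime
            }
        }
}

$pool = [runspacefactory]::CreateRunspacePool(1, 4)   # pool size of 4 is an arbitrary choice
$pool.Open()
$jobs = foreach ($share in $SharePaths) {
    $ps = [powershell]::Create().AddScript($scan).AddArgument($share).AddArgument($Patterns)
    $ps.RunspacePool = $pool
    [pscustomobject]@{ Shell = $ps; Handle = $ps.BeginInvoke() }
}

# EndInvoke blocks until that runspace finishes and returns everything it wrote to the pipeline,
# so the parent scope ends up holding the findings from every share.
$hits = foreach ($job in $jobs) {
    $job.Shell.EndInvoke($job.Handle)
    $job.Shell.Dispose()
}
$pool.Close()

if ($hits) {
    $MessageBody = $hits | Format-Table Share, File, Owner, Modified -AutoSize | Out-String -Width 4096
    Write-Output $MessageBody   # script output, available to whatever launched the script
    # The 'CryptScan' source must already be registered (New-EventLog); the Application log is an assumption.
    Write-EventLog -LogName Application -Source 'CryptScan' -EventId 2319 -EntryType Warning -Message $MessageBody
    exit 2319   # the exit decision is made once, in the parent, after all runspaces have reported
}
exit 0
```

Because the decision to exit is made in the parent script after every `EndInvoke` call has returned, a hit in any one runspace is enough to produce exit code 2319, and the same `$hits` collection feeds both the console output and the event log entry.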