Delete a folder every 5 minutes

rsingh · September 12, 2016, 2:18pm

how can i get a fixlet to delete a folder every 5 minutes in Win 8 & Win 10

strawgate · September 12, 2016, 3:23pm

What’s the use case here?

It might be easier to prevent the folder from being created (create the folder with permissions preventing others from writing to it?)

Does it need to be exactly every 5 minutes or should it just run really frequently?

rsingh · September 12, 2016, 3:46pm

we have malwarebytes anti-ransomware which scans our server but malwarebytes do not have a console as yet for this product so there is no alerting if we get infected however the anti-ransomware produces a local log file that we can read through to check if we got infected.

we are trying to leverage Bigfix to perform this action by

creating a fixlet to copy the log file to a temp location every 10 minutes (i created a bat file and imported to fixlet)

creating a relevance that checks the log file (exists line whose (it contains “ActionTaken=ARW_ACTION_KILL_THREAD” ) of file “C:\Windows\Temp\MBAMSERVICE\MBAMSERVICE.LOG”)

now we need the relevance to search every minute and notify us so we need to delete the log file and re-copy to the temp location again

hope this explanation helps. thanks again

strawgate · September 12, 2016, 3:52pm

Why does this have to happen every ten minutes?

I think you’d be better off using a scheduled task to copy the file at your 5 minute interval (using something like Robocopy which will make sure the file has changed before performing the copy)

waithidden SchTasks /Create /F /SC minute /SC 5 /TN “Mirror MBAM Log” /RU “SYSTEM” /TR “robocopy.exe ‘source’ ‘destination’ /mirror”

And then just point your analysis at that log

rsingh · September 12, 2016, 3:55pm

thanks strawgate - running to a long meeting now so i will try it out as soon as i get back.

with the robocopy - i will not need to delete the temporary location of the log file, it will overwrite?

Thanks

strawgate · September 12, 2016, 3:56pm

The “/Mirror” flag on robocopy will make the destination directory an exact copy of the source directory – overwriting changed files and removing files that no longer exist in the source.

rsingh · September 12, 2016, 5:24pm

does this look right?

this is where the log file is written - C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG

this is where i’m copying the log file to - C:\Windows\Ransomware\MBAMSERVICE

// waithidden SchTasks /Create /F /SC minute /SC 5 /TN “C:\Windows\Ransomware\MBAMSERVICE” /RU “SYSTEM” /TR “robocopy.exe ‘C:\ProgramData\Malwarebytes\MBAMService\logs\MBAMSERVICE.LOG’’ ‘C:\Windows\Ransomware\MBAMSERVICE’ /mirror’”

strawgate · September 12, 2016, 5:43pm

Some notes:

The second SC should be /MO (my fault)
It looks like you had a couple extra quotes (also my fault)
The name of the scheduled task shouldn’t be a path, it should be a friendly name
Robocopy is really used for copying directories and not individual files so we’ll use it to sync two directories

Try this:

waithidden SchTasks /Create /F /SC minute /MO 5 /TN "MBAMSERVICE LOG" /RU "SYSTEM" /TR "robocopy.exe 'C:\ProgramData\Malwarebytes\MBAMService\logs 'C:\Windows\Ransomware\MBAMSERVICE' /mirror"

rsingh · September 13, 2016, 1:34pm

unsure why this is not working - when i run the task it says completed but if i go to the PC the log file is not there. if i go to the PC task scheduler i get a result 0x10 which from googling means 0x10=ERROR_BAD_ENVIRONMENT

strawgate · September 13, 2016, 1:41pm

Can you try this:

waithidden SchTasks /Create /F /SC minute /MO 5 /TN "MBAMSERVICE LOG" /RU "SYSTEM" /RL HIGHEST /TR "robocopy.exe 'C:\ProgramData\Malwarebytes\MBAMService\logs 'C:\Windows\Ransomware\MBAMSERVICE' /mirror"

rsingh · September 13, 2016, 2:40pm

same result - is it possible to add a log file to the script to check why its happening

if i run the robocopy command in command prompt this is the result

strawgate · September 13, 2016, 3:39pm

Two issues – as I said before you cannot use robocopy to sync a file you must sync a directory. We also appear to have lost a quote at some point.

Please try this:
waithidden SchTasks /Create /F /SC minute /MO 5 /TN “MBAMSERVICE LOG” /RU “SYSTEM” /RL HIGHEST /TR “robocopy.exe ‘C:\ProgramData\Malwarebytes\MBAMService\logs’ ‘C:\Windows\Ransomware\MBAMSERVICE’ /mirror”

And for testing on the command line use this:
robocopy.exe “C:\ProgramData\Malwarebytes\MBAMService\logs” “C:\Windows\Ransomware\MBAMSERVICE” /mirror

rsingh · September 13, 2016, 3:48pm

thanks @strawgate - i made the necessary changes and i can see the task showing up in the local PC but i am now seeing this message next to the task

rsingh · September 13, 2016, 7:24pm

@strawgate i got it working. thanks for all your help, looks like there was a bug in Robocopy and i needed to move the /mirror next to robocopy.exe /Mir

here is the working task

waithidden SchTasks /Create /F /SC minute /MO 5 /TN “MBAMSERVICE LOG” /RU “SYSTEM” /RL HIGHEST /TR “robocopy.exe /Mir ‘C:\ProgramData\Malwarebytes\MBAMService\logs’ ‘C:\Windows\Ransomware\MBAMSERVICE’”