Look for Wanna Cry encrypted files on the C: drive - v1.1
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is the latest version.

1Look for Wanna Cry encrypted files on the C: drive5/13/2017 5:52:57 PM
2Look for Wanna Cry encrypted files on the C: drive - v1.15/15/2017 6:19:33 AM


Seach for any files with .wncry extenstions that exist on the C: drive. Old school batch file, so if there are a ton of files, this will take a while and can possibly have a noticable performance impact when it runs.

This will create a file (c:\wannacry_files.txt) for the search results. There is a corresponding property (Wanna Cry Files - C: Drive) that will parse this file for any files that are found and report the results back up.

This file is expected to have the following two lines. Anymore than that is bad.

Volume in drive C has no label.
Volume Serial Number is 7A01-AEAF

There are three expected results returned by the property:

Wanna Cry Encrypted files found (this is bad)

No Encrypted Files Found (results file exists, nothing bad found, scan could still be running though)

Scan Results File Not Found (this means you have not executed this task yet)

Property Details

StatusBeta - Preliminary testing ready for more
TitleLook for Wanna Cry encrypted files on the C: drive - v1.1
SourceJason Cordell ([email protected])
Source Release Date5/15/2017 12:00:00 AM
Keywordswanna cry .wncry
Is TaskTrue
Added by on 5/15/2017 6:19:33 AM
Last Modified by on 5/15/2017 6:19:33 AM
Counters 2053 Views / 9 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.


isWindows (Relevance 1172)
Used in 1067 fixlets and 522 analyses * Results in a true/false
Show indented relevance
windows of operating system
Used in 4 fixlets * Results in a true/false
Show indented relevance
exists folder "c:\"


Action 1 (default)

Action Link Click here to deploy this action.
Script Type tdevropa-test Action Script
waithidden cmd /c if exist c:\wannacry_files.txt del c:\wannacry_files.txt /q /f
waithidden cmd /c dir c:\*.wncry /a /s >c:\wannacry_files.txt
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Log In or Register to leave comments!
jasoncordell -
I added a newer version of this task (v1.1). Only change is updated verbiage on the Description tab to indicate 3 possible results. This task goes hand in hand with a property that I uploaded to parse the results file created by this task.

Recommended Articles

install java runtime 6 java update 51 64 bit paperport image printer download disable windows hibernation tivoli endpoint manager client flash player with activex adobe reader xi full installer symantec endpoint protection update offline download fujitsu fi 5530c imgburn exe download sql server 2012 data tools symantec endpoint protection 12