Windows batch / PowerShell / VB scripts to constantly comb a folder for new files & make copies of the new files

sunhux

Asked:
I have this requirement:
a) each time the AV quarantines an infected file, it encrypts the file & moves it to a quarantine folder
b) I'll need a method that, say every 5 seconds or more frequently, detects such a new quarantined
   encrypted file and copies it out to another location/folder (without changing the original file in
   the quarantine folder) for decryption, where I can do further processing (like investigation &
   possibly restoring it if it's a false malware detection)

http://www.ghacks.net/2015/03/17/whats-the-best-free-file-synchronization-software-for-windows/
Tools equivalent to Linux's "rsync" & the folder-sync freeware listed above may probably fulfill this requirement,
but there's one requirement that I'm not sure any of them could meet:

when a copied/sync'ed encrypted file in the target folder has been decrypted, the quarantine & the
target folders will be 'out of sync' & the sync'ing to copy the file back from the quarantine folder
will take place again: I don't want this to happen.

Thus, if anyone can write a .bat or PowerShell or VB script to achieve this, or provide a method for
this, it would be much appreciated.
Qlemo ("Batchelor", Developer and EE Topic Advisor)
Top Expert 2015

Commented:
If you can run the PowerShell script on the system hosting the quarantine folder, the better way to handle it is to register for execution on file creation in that folder.
cls
# the event action runs outside the script's scope, so the paths must be global
$global:quarant = 'c:\Quarantine'
$global:anal    = 'D:\Analysis'

$fsw = New-Object System.IO.FileSystemWatcher($quarant, '*')
$action = {
  # $eventArgs is the FileSystemEventArgs of the Created event
  [String] $fqdn = $eventArgs.FullPath

  # wait until file is complete (the AV engine may still be writing it)
  while ((Test-Path -LiteralPath $fqdn) -and !(Get-Item -LiteralPath $fqdn).Length) { Start-Sleep -m 250 }

  Copy-Item -LiteralPath $fqdn -Destination $global:anal
}

# if run again, stop existing job and FSW
Unregister-Event -SourceIdentifier 'QuarantAnal' -ea SilentlyContinue
Remove-Job       -Name             'QuarantAnal' -ea SilentlyContinue
Register-ObjectEvent $fsw -EventName 'Created' -Action $action -SourceIdentifier 'QuarantAnal'
$fsw.EnableRaisingEvents = $true


Only issue with that code is it only works as long as the PowerShell script runs. If, for whatever reason, the script is paused or terminated, nothing will happen. Restarting will not perform a resync. That could be caught by writing a timestamp in each go, and on starting the script check for files newer than that stamp.
Bill Prew (Test your restores, not your backups...)
Top Expert 2016
Commented:
If it were me, and clearly it's not, I would let a free or low cost utility do the work for me.  Most of these allow some triggering when a folder that is being monitored changes, and that can include copying the file someplace.  It's been a while since I researched these, but here is a list I maintained for future reference.  If you are interested in this approach take a look at some of these links.

http://www.experts-exchange.com/questions/27680032/Script-to-send-out-email-if-file-folder-is-modified.html

http://www.experts-exchange.com/questions/26504989/Monitor-folders-for-new-files.html

===== FREE =====

http://www.brutaldev.com/page/Directory-Monitor.aspx
http://download.cnet.com/Directory-Monitor/3000-2248_4-10849871.html

http://www.nodesoft.com/foldermonitor

http://www.gibinsoft.net/

http://leelusoft.blogspot.com/2010/07/watch-4-folder-22.html


===== $$$$ =====

http://www.watchdirectory.net/

http://www.coolutils.com/TotalFolderMonitor

http://www.networkautomation.com/

http://www.liquidmirror.com/alwayswatching.asp

~bp

Author

Commented:
So the scripts will be based on the times at which new files are being created, say if the
script runs every 10 secs, then the files newly created in the last 10 secs will be
copied out?

Qlemo ("Batchelor", Developer and EE Topic Advisor)
Top Expert 2015

Commented:
No, the script runs permanently, and is triggered immediately on file creation.

Author

Commented:
Thanks Qlemo.

> caught by writing a timestamp in each go, and on starting the script check for files newer than that stamp
So is your script above already doing this?  Or can it be changed such that it writes a
timestamp each time the script goes down & will start checking from the date/time
it last went down?


Bill,
> would let a free or low cost utility do the work for me.  Most of these allow some triggering when a
> folder that is being monitored changes, and that can include copying the file someplace.
Yes, but there's a situation which I'm afraid these freeware tools can't handle, i.e.:
  when a copied/sync'ed encrypted file in the target folder has been decrypted, the quarantine & the
  target folders will be 'out of sync' & the sync'ing to copy the file back from the quarantine folder
  will take place again: I don't want this to happen.
Qlemo ("Batchelor", Developer and EE Topic Advisor)
Top Expert 2015
Commented:
No, my script does not write a timestamp yet, but this one should:
cls
# the event action runs outside the script's scope, so the paths must be global
$global:quarant = 'c:\Quarantine'
$global:anal    = 'D:\Analysis'
$global:lrfile  = 'c:\temp\lastrun.txt'

$fsw = New-Object System.IO.FileSystemWatcher($quarant, '*')
$action = {
  # called for a Created event (FileSystemEventArgs, has .FullPath) and, on start-up,
  # for a FileInfo from Get-ChildItem (has .FullName)
  [String] $fqdn = if ($eventArgs.FullPath) { $eventArgs.FullPath } else { $eventArgs.FullName }

  # wait until file is complete (the AV engine may still be writing it)
  while ((Test-Path -LiteralPath $fqdn) -and !(Get-Item -LiteralPath $fqdn).Length) { Start-Sleep -m 250 }

  Copy-Item -LiteralPath $fqdn -Destination $global:anal
  # round-trip ('o') format parses back regardless of the machine's date/time culture
  (Get-Date).ToString('o') | Set-Content -LiteralPath $global:lrfile
}

# if run again, stop existing job and FSW
Unregister-Event -SourceIdentifier 'QuarantAnal' -ea SilentlyContinue
Remove-Job       -Name             'QuarantAnal' -ea SilentlyContinue

# catch up on files created while the script was not running (no stamp yet = take all files)
[DateTime] $lastrun = [DateTime]::MinValue
if (Test-Path -LiteralPath $lrfile) { $lastrun = [DateTime] (Get-Content -LiteralPath $lrfile) }
Get-ChildItem -LiteralPath $quarant -File | ? {$_.LastWriteTime -gt $lastrun} | % {
  $eventArgs = $_
  & $action
}
Remove-Variable eventArgs -ea SilentlyContinue
Register-ObjectEvent $fsw -EventName 'Created' -Action $action -SourceIdentifier 'QuarantAnal'
$fsw.EnableRaisingEvents = $true

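The following is an added example, not code from Qlemo's answers or from the original post. It addresses the two points raised in this thread at once: the watcher from Qlemo's first script, and the questioner's worry that decrypting the copy in the analysis folder must never cause the quarantine file to be copied again. Instead of a last-run timestamp it keeps a ledger of the quarantined files it has already copied, keyed on the SHA-256 of the quarantined (still encrypted) bytes, so whatever happens to the analysis copy afterwards is irrelevant, and on start-up it catches up by comparing the quarantine folder against the ledger rather than against the clock. The paths, the ledger location and the task/event names are assumptions; Get-FileHash needs PowerShell 4.0 or later.

```powershell
# Added example (not from the thread). Paths and ledger location are assumptions.
$global:Quarant = 'C:\Quarantine'
$global:Anal    = 'D:\Analysis'
$global:Ledger  = 'C:\ProgramData\QuarantWatch\copied.txt'   # assumed location

New-Item -ItemType Directory -Force -Path $global:Anal, (Split-Path $global:Ledger) | Out-Null

# Copy one quarantined file to the analysis folder unless it is already in the ledger.
# Defined in the global scope because the event action runs outside the script scope.
function global:Copy-Quarantined {
    param([Parameter(Mandatory)][string] $Path)

    # Give the AV engine time to finish writing: retry an exclusive open, bounded (10 s)
    # so that a file the engine keeps locked cannot hang the watcher forever.
    for ($i = 0; $i -lt 40; $i++) {
        try   { $h = [IO.File]::Open($Path, 'Open', 'Read', 'None'); $h.Close(); break }
        catch { Start-Sleep -Milliseconds 250 }
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return }   # vanished meanwhile

    try {
        # Identify the quarantined item by its content, not by name or time stamp:
        # the ledger is never touched by what happens to the copy in $Anal, so
        # decrypting, renaming or deleting that copy can never trigger a re-copy.
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $seen = @()
        if (Test-Path -LiteralPath $global:Ledger) { $seen = Get-Content -LiteralPath $global:Ledger }
        if ($seen -match "^$hash\t") { return }                           # already copied out

        Copy-Item -LiteralPath $Path -Destination $global:Anal            # original stays in place
        # Append hash, source path and time; appending means a crash loses at most one entry.
        "$hash`t$Path`t$((Get-Date).ToString('o'))" | Add-Content -LiteralPath $global:Ledger
    } catch {
        Write-Warning "Could not process '$Path': $($_.Exception.Message)"
    }
}

# Catch up: everything in quarantine that is not yet in the ledger (covers any downtime).
Get-ChildItem -LiteralPath $global:Quarant -File | ForEach-Object { Copy-Quarantined $_.FullName }

# Then react immediately to new files.
$fsw = New-Object IO.FileSystemWatcher $global:Quarant, '*'
$fsw.IncludeSubdirectories = $false
Unregister-Event -SourceIdentifier 'QuarantWatch' -ErrorAction SilentlyContinue
Remove-Job       -Name             'QuarantWatch' -ErrorAction SilentlyContinue
Register-ObjectEvent $fsw -EventName Created -SourceIdentifier 'QuarantWatch' -Action {
    Copy-Quarantined $EventArgs.FullPath
} | Out-Null
$fsw.EnableRaisingEvents = $true

# Keep the process alive when run as a script; Wait-Event lets the event action run.
while ($true) { Wait-Event -Timeout 60 | Out-Null }
```

Two practical notes: quarantine folders are usually ACL-restricted, so the script has to run under an account that can read them (typically SYSTEM or a local administrator), and a ledger keyed on the quarantined bytes will copy the same malware twice if the AV product encrypts each quarantine entry with a different per-file key, which is the safe direction to err in for an analysis workflow.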

Bill Prew (Test your restores, not your backups...)
Top Expert 2016

Commented:
These tools don't typically work by syncing folders.  Rather they monitor a folder waiting for an action you define.  Typical things like file creation, file deletion, file modification, etc.  When that occurs they trigger a configured option, like sending an email alert, copying the file, logging the event, etc.  In some utilities they will have a "scripting" capability, or allow execution of a BAT or VBS script that can then perform any action required, and pass along the file name that triggered the event.  Once that file has been processed (it sounds like your process would be decrypting the file into a different folder) the monitoring program will not trigger for that quarantined file again.

~bp

Author

Commented:
Thanks very much, Qlemo.

So this latest script writes a timestamp each time the script goes down & will start checking
from the date/time it last went down?
Qlemo ("Batchelor", Developer and EE Topic Advisor)
Top Expert 2015
Commented:
No, "goes down" does not fit. The script writes the time stamp each time a new file has been transferred.
You cannot really safeguard against killing the script or similar, so we have to keep the timestamp recent at any time.
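Since the script cannot protect itself against being killed, the usual answer is to let the Task Scheduler do it. The following is an added example, not from the thread: it registers the watcher script as a task that starts at boot, runs as SYSTEM (so it can read an ACL-restricted quarantine folder), and is restarted automatically if the process dies. The script path and task name are assumptions; the cmdlets are from the ScheduledTasks module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the thread). Script path and task name are assumptions.
$script = 'C:\Scripts\QuarantWatch.ps1'   # assumed path of the watcher script

# -NonInteractive and -NoProfile so nothing can prompt or inject code via a profile;
# AllSigned assumes the watcher script is Authenticode-signed (adjust to your policy).
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$script`""

$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Restart up to 5 times, one minute apart, if the task fails; a zero time limit
# removes the default 3-day limit that would otherwise kill the long-running watcher.
$settings  = New-ScheduledTaskSettingsSet -RestartCount 5 -RestartInterval (New-TimeSpan -Minutes 1) `
               -ExecutionTimeLimit ([TimeSpan]::Zero)

Register-ScheduledTask -TaskName 'QuarantWatch' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null
Start-ScheduledTask -TaskName 'QuarantWatch'

# Check it is running:
Get-ScheduledTask -TaskName 'QuarantWatch' | Get-ScheduledTaskInfo
```

Because the watcher resyncs on start-up (by timestamp in Qlemo's version, or by ledger), a restart after a crash or a reboot picks up whatever was quarantined in the meantime.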
