I know this is more of a PowerShell bug, but thought I should bring it to your attention in case it could be fixed somehow. Some of my honeypot directory names begin with a period to also hide them from Macs in our mixed Windows/Mac environment.
Line 494 of FSRM-Anti-ransomware.ps1:
ForEach-Object -Process {Get-ChildItem -Path $_.Path -Force -ErrorAction SilentlyContinue -Directory -Filter $HoneyPotDirectoryNamePattern} |
When setting $HoneyPotDirectoryNamePattern to ??Directory, it does not match ones that begin with a period.
Example in straight PS:
PS C:\share2> Get-ChildItem -Path c:\share2 -Force -ErrorAction SilentlyContinue -Directory -Filter ??Directory??
Directory: C:\share2
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/13/2019 2:51 PM $$Directory 3
d----- 12/13/2019 2:58 PM @@Directory 6
d----- 12/13/2019 2:51 PM _!Directory 4
d----- 12/13/2019 2:53 PM __Directory 5
Changing the filter to include any length beginning character with an asterisk will then show the missing directories
PS C:\share2> Get-ChildItem -Path c:\share2 -Force -ErrorAction SilentlyContinue -Directory -Filter *Directory??
Directory: C:\share2
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 12/13/2019 2:51 PM $$Directory 3
d----- 12/13/2019 2:17 PM .!Directory 1
d----- 12/13/2019 2:19 PM .@Directory 7
d----- 12/13/2019 2:19 PM ._Directory 2
d----- 12/13/2019 2:58 PM @@Directory 6
d----- 12/13/2019 2:51 PM _!Directory 4
d----- 12/13/2019 2:53 PM __Directory 5
My workaround right now is to use *VerySpecificDirectoryName as $HoneyPotDirectoryNamePattern