PowerShell: Office 365 – OneDrive Sync Client – Block Known Ransomware File Types

The IT management controls added to the OneDrive/SharePoint sync client allow certain restrictions to be placed on end users. One of these restrictions is blocking files with particular extensions from being synced from the client device. This may be used to stop music and video files being synced to save bandwidth, or to stop executables that shouldn't be synced at all.

An extra layer of defense can be added by blocking files encrypted by ransomware from being synced back to SharePoint Online. This is by no means a replacement for traditional security practices, and it only catches ransomware that renames encrypted files to a known extension (a strain that keeps the original extension or uses a random one will not be stopped), but it can help minimize the disruption caused by ransomware.

The first step in putting this together is finding a list of ransomware file extensions. After some Googling I found the ‘https://fsrm.experiant.ca/api/v1/get’ API by Experiant, which seems to be the most frequently updated list I could find. This API is built for FSRM (File Server Resource Manager), whose file screens also accept file names and wildcard patterns, which SharePoint Online doesn’t; this means we have to do a small amount of filtering before we can use it.

The small PowerShell function below filters the results from the API down to plain file extensions.

Using the above function with the SharePoint Online PowerShell cmdlets (Set-SPOTenantSyncClientRestriction with its -ExcludedFileExtensions parameter), we can block the ransomware file extensions easily.
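The script below is an added example of the two steps just described (filter the Experiant list down to bare extensions, then apply it with the SharePoint Online cmdlets); it is not the post's own function or script. The function names Get-ExperiantFilter, ConvertTo-SyncExtension, Join-SyncExtensionList and Set-OneDriveRansomwareBlock are this example's own. It assumes that the API returns JSON with a `filters` array of FSRM wildcard patterns, that -ExcludedFileExtensions takes a semicolon-separated list of extensions without leading dots, that Get-SPOTenantSyncClientRestriction exposes the current list as ExcludedFileExtensions, and that the value is capped at 5000 characters as the comment on this post reports. The sample patterns at the end are constructed so the filtering can be run offline.

```powershell
# Added example (not the post's own script). Assumptions, labelled:
#  - Experiant's endpoint returns JSON with a "filters" array of FSRM
#    wildcard patterns ("*.locky", "HELP_DECRYPT.txt", "*.crypt*", ...).
#  - Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions takes a
#    semicolon-separated list of extensions without leading dots and
#    rejects values longer than 5000 characters (per the comment below).
#  - Get-SPOTenantSyncClientRestriction exposes the current list as
#    ExcludedFileExtensions (handled here whether it is a string or an array).

function Get-ExperiantFilter {
    # Download the raw FSRM pattern list from the API.
    [CmdletBinding()]
    param([string]$Uri = 'https://fsrm.experiant.ca/api/v1/get')
    (Invoke-RestMethod -Uri $Uri -Method Get).filters
}

function ConvertTo-SyncExtension {
    # Reduce FSRM patterns to bare, lower-case, de-duplicated extensions.
    # Only "*.ext" survives: file-name patterns ("HELP_DECRYPT.txt") and
    # nested wildcards ("*.crypt*", "*.id-*.[*].*") cannot be expressed as
    # an SPO excluded extension, so they are dropped.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Pattern)
    begin   { $seen = New-Object 'System.Collections.Generic.HashSet[string]' }
    process {
        foreach ($p in $Pattern) {
            if ($p -match '^\*\.([A-Za-z0-9_-]+)$') {
                [void]$seen.Add($Matches[1].ToLowerInvariant())
            }
        }
    }
    end     { $seen | Sort-Object }
}

function Join-SyncExtensionList {
    # Build the semicolon-separated value, keeping $Keep (the tenant's
    # existing exclusions) first and stopping at the character cap instead
    # of letting the cmdlet reject the whole update.
    [CmdletBinding()]
    param(
        [string[]]$Extension,
        [string[]]$Keep = @(),
        [int]$MaxLength = 5000
    )
    $ordered = (@($Keep) + @($Extension)) | Where-Object { $_ } | Select-Object -Unique
    $parts   = New-Object 'System.Collections.Generic.List[string]'
    $length  = 0
    $dropped = 0
    foreach ($e in $ordered) {
        # +1 for the separator on every entry after the first
        $add = if ($parts.Count -eq 0) { $e.Length } else { $e.Length + 1 }
        if ($length + $add -gt $MaxLength) { $dropped++; continue }
        $parts.Add($e)
        $length += $add
    }
    if ($dropped) {
        Write-Warning "$dropped extension(s) omitted to stay within $MaxLength characters"
    }
    $parts -join ';'
}

function Set-OneDriveRansomwareBlock {
    # Merge the tenant's current exclusions with the ransomware list and apply.
    # Requires the SharePoint Online Management Shell and an existing
    # Connect-SPOService session as a tenant administrator.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Pattern = (Get-ExperiantFilter))
    $current  = Get-SPOTenantSyncClientRestriction
    $existing = @((@($current.ExcludedFileExtensions) -join ';') -split ';') |
                Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
    $value = Join-SyncExtensionList -Extension ($Pattern | ConvertTo-SyncExtension) -Keep $existing
    $count = ($value -split ';').Count
    if ($PSCmdlet.ShouldProcess('tenant sync client restriction', "exclude $count extensions")) {
        Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $value
    }
    $value
}

# Constructed sample in the shape of the API's "filters" array, so the
# filtering can be exercised offline (these are not live API results):
$sample = '*.locky', '*.LOCKY', '*.zepto', 'HELP_DECRYPT.txt', '*.crypt*', '*.id-*.[*].*', '*.osiris'
Join-SyncExtensionList -Extension ($sample | ConvertTo-SyncExtension) -Keep 'exe'

# Against a real tenant, after Connect-SPOService:
# Set-OneDriveRansomwareBlock -WhatIf    # preview the merged list
# Set-OneDriveRansomwareBlock            # apply it
```

Run with -WhatIf first to see how many extensions survive the filter and the length cap before touching the tenant. Because the cap is enforced here, the existing exclusions are placed first so they are never silently lost; when the Experiant list outgrows the cap, the warning tells you how many entries were left off, and you can choose which to prioritise rather than have the cmdlet reject the whole value.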

When a user tries to sync an item with a disallowed file extension, they will get the following notification.

The user will also get more information if they click the notification.

The above can also be run on a schedule to keep the list of ransomware file extensions up to date.

About the author

Ben Taylor

Cloud and PowerShell enthusiast with a penchant for automation and CI.

1 Comment

  • Thanks for a great PS script, Ben.

    I am however running into a problem where the “Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions” command seems to be limited to 5000 characters. The length of all the semicolon-separated extensions is 5094 characters, but even deleting a few hundred characters and manually running the command still throws that error.

    I get this error (notice the spelling mistake) :
    “Set-SPOTenantSyncClientRestriction : Value cannot be longger than 5000.”

    Have you seen this happen when you run the script?