What's your goal with this? Is it to prevent ransomware attacks on a samba
share that hosts your backups?
I think that trying to veto every type of ransomware file is the wrong
approach to take. Newer versions randomize the file names and extensions.
Ultimately, this approach his falls into the category of doing security by
trying to 'enumerate badness'.
Computer security has moved along quite a ways since Marcus Ranum wrote
that (now there are security puppy-mills, swanky icons, red bull?, theme songs,
and products galore), but if something was a bad idea in 2000 it's probably
still a bad idea today.
A better approach (in very broad strokes) is probably:
1) client hardening [prevent the attack from happening]
2) secure server configuration [in this case, don't let users (or
misbehaving applications) trash your backups]
3) get the ability to detect and stop an attack [there are various products
that claim to do this]
4) backups! [these should be quick to get at and restore. ZFS is very nice
in this regard.]
It seems like you're wanting to do (2). I just don't see "veto files" in
this case being the right solution. Perhaps this means adjusting how your
network is designed (keep backups on a separate network segment from your
client systems). Perhaps this means setting up a separate samba share that
can only be accessed by the backup application. I believe that ransomware
attacks execute with whatever privileges the user inadvertently executing
the thing (malicious website, pe / js file, macro, cat video, etc.) has.
TL;DR, don't let users write to the share that has your backups.
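
Added example, not part of the original message: a sketch of an smb.conf fragment for point (2), showing a backup share that ordinary users can write to beside one that only the backup application's account can reach. The share names, the path, the account name backupsvc and the address 192.0.2.10 are assumptions made for illustration.

```ini
# --- Weak: any authenticated user, and anything running as that user,
# --- can modify or encrypt the backup files.
[backups-weak]
    path = /srv/backups
    read only = no
    browseable = yes

# --- Hardened: only the backup application's dedicated account may
# --- connect, and only from the backup host.
[backups]
    path = /srv/backups
    # Hide the share from browse lists; this is tidiness, not a control.
    browseable = no
    guest ok = no
    # Assumed service account used by the backup application only.
    # No interactive user logs in with it.
    valid users = backupsvc
    # Share is read-only by default; write access is granted to the
    # service account alone.
    read only = yes
    write list = backupsvc
    # Assumed address of the backup host; other clients are refused.
    hosts allow = 192.0.2.10
    hosts deny = ALL
```

The filesystem permissions on the path should match: owned by the service account and not writable by the groups that user accounts belong to, so the restriction holds even if the share definition is changed later.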